Internal fraud: red flags your audit team should watch for

We recently uncovered an internal fraud case where an employee was manipulating expense reports over 18 months. It made me realize our internal controls have gaps.

What are the top behavioral and transactional red flags for internal fraud that audit and compliance teams should be monitoring?

Data analytics can be incredibly powerful for detecting internal fraud. We run monthly scripts that check for:

• Benford's Law analysis on expense amounts (natural distribution of leading digits — manufactured numbers often fail this test)
• Duplicate detection across vendors, invoice numbers, and amounts
• Ghost employee checks (comparing payroll to badge access and system login data)

These automated checks catch things that manual review would miss.

Based on the ACFE's research and our own experience, these are the highest-value red flags:

Behavioral:

• Employee living beyond their apparent means
• Reluctance to share duties or take vacation (afraid someone else will discover the scheme)
• Unusually close relationships with vendors
• Defensiveness when questioned about their area of responsibility

Transactional:

• Round-number transactions just below approval thresholds
• Duplicate payments to the same vendor
• Vendors with addresses matching employee addresses
• Sequential invoice numbers from the same vendor
• Journal entries posted at unusual times (late night, weekends)
• Unexplained increases in budget line items

Internal fraud is often the most damaging type because the perpetrator has inside access and knowledge of the controls. The classic red flags still hold true — lifestyle inconsistencies, reluctance to take vacation, resistance to job rotation, unusual override patterns. But there are some newer indicators worth watching:

Data access patterns — Employees accessing customer records outside their normal portfolio or role. This is detectable with good logging and increasingly with UEBA (User and Entity Behavior Analytics) tools. An analyst who suddenly starts pulling reports on high-net-worth accounts they don't manage deserves scrutiny.

After-hours system access — Particularly for roles that don't typically require evening or weekend work. Correlate with building access logs if available.

Unusual vendor or account activity — Look for new vendors set up by a single employee, or dormant accounts that suddenly become active with that employee as the only point of contact.

Behavioral shifts — This is harder to systematize but important. Sudden financial stress (divorce, medical bills, gambling), increased conflict with colleagues, or withdrawal from team activities can precede fraudulent behavior. This isn't about surveillance — it's about managers being attentive enough to notice changes and escalate concerns through appropriate channels.

The most effective internal fraud detection programs combine preventive controls (segregation of duties, approval limits, mandatory vacations) with detective analytics (exception reporting, trend analysis, anonymous whistleblower channels). Neither alone is sufficient.