Detecting accounting fraud: AI and weak signals
Detecting accounting fraud relies on internal control, reading weak signals in entries and AI as a support tool, not magic. Method, Benford's law, limits.
This topic is part of our service: Outsourced CFO in France | Fractional finance leader
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
Quick answer. Detecting accounting fraud internally starts with securing internal control (segregation of duties, authorisations, reconciliations), then watching weak signals in entries: amounts just below a threshold, fictitious suppliers, changed bank details, duplicates. AI helps analyse all entries and score risk, but remains a support tool under human supervision, never proof.
Internal accounting fraud rarely announces itself. It hides in operations that look like routine: one more payment, one supplier too many, an entry posted on the last day of the month. For a business owner, this is not theoretical: a misappropriation undetected for months drains cash, distorts the accounts shown to the bank, and exposes the company to a tax adjustment if the return becomes inconsistent.
This article addresses internal accounting fraud and its detection: how to build resilient internal control, read weak signals in entries, and use data analysis and AI as decision support. It does not cover external impersonation scams (fake transfer orders, deepfakes), which we address in a dedicated article on CEO fraud and deepfakes.
Internal control: the real foundation of detection
Before AI, before any dashboard, comes internal control. It is what makes fraud hard to commit and easy to spot. Its central principle is segregation of duties: the person who commits an expense must be neither the one who pays nor the one who records the entry. As soon as these three roles concentrate in one person, the risk climbs, especially in small structures where the owner delegates on trust.
Internal control rests on four concrete pillars:
- segregation of duties between commitment, payment and accounting entry;
- clear authorisations and thresholds (who can approve what, up to which amount);
- regular reconciliations: bank, suppliers, and account matching;
- a reliable audit trail, meaning the ability to link each entry to a supporting document and an authorisation.
Internal fraud almost always exploits a gap in this setup: a threshold never reviewed, a bank reconciliation done once a quarter, a person combining entry and payment approval. Detecting means first mapping these weaknesses.
Weak signals in the entries
A weak signal is an isolated, unremarkable anomaly that proves nothing but deserves checking. Taken alone, each has a possible legitimate explanation. It is their accumulation, or their repetition, that should raise the alarm.
| Weak signal | What it may reveal |
|---|---|
| Entries posted out of period or on the last day of the month | Result smoothing, manipulation of matching |
| Amounts just below an authorisation threshold | Deliberate bypassing of the approval circuit |
| Duplicate payments | Error, or misappropriation via double payment |
| Recently created supplier, no verifiable details | Fictitious supplier, accommodation invoicing |
| Change to a supplier's bank details | Diversion of transfer |
| Abnormal invoice numbering sequence | Missing, fabricated or backdated invoices |
| Repetitive or round expense claims | Inflated reimbursements |
None of these signals is proof. A supplier may genuinely be new, bank details may change for a legitimate reason. The method is to treat each alert as a question to investigate, not as an accusation.
Benford's law: an indicator, not proof
In many accounting datasets, the frequency of the first digit of amounts follows a decreasing distribution: 1 appears more often than 2, which appears more often than 9. This is Benford's law. When the actual distribution of a set of entries departs markedly from this expected curve, it can signal mass manual entry or fabricated amounts.
Let us be clear: Benford's law is an alert indicator, never proof of fraud. A deviation may stem from the nature of the data (amounts constrained by price lists, for example). It helps steer the review toward areas to examine, not to conclude.
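The indicator described above, as an added example (not the firm's own tooling): a first-digit test that compares a set of amounts with Benford's expected frequencies and names the digit to review first. The sample amounts are constructed, and the 5 % chi-square cut-off is an assumption of the example.

```python
import math
from collections import Counter

# Chi-square critical value for 8 degrees of freedom at the 5 % level
# (assumed cut-off for raising an alert, not a legal or audit standard).
CHI2_CRIT_DF8_5PCT = 15.507

def first_digit(amount):
    """Leading non-zero digit of an amount; sign and scale are ignored."""
    return int(f"{abs(amount):.15e}"[0])

def benford_report(amounts):
    """Compare observed first-digit counts with Benford's expected counts."""
    digits = [first_digit(a) for a in amounts if a != 0]
    n = len(digits)
    observed = Counter(digits)
    rows = []
    for d in range(1, 10):
        expected = n * math.log10(1 + 1 / d)
        rows.append({
            "digit": d,
            "observed": observed[d],
            "expected": round(expected, 1),
            "chi2": (observed[d] - expected) ** 2 / expected,
        })
    chi2 = sum(r["chi2"] for r in rows)
    worst = max(rows, key=lambda r: r["chi2"])
    return {"n": n, "chi2": chi2, "alert": chi2 > CHI2_CRIT_DF8_5PCT,
            "review_digit": worst["digit"], "rows": rows}

# Constructed data: amounts spread over several orders of magnitude ...
ROUTINE = [12.5 * 1.05 ** k for k in range(236)]
# ... and 60 constructed amounts packed between 900 and 999.
BELOW_THRESHOLD = [900 + (k * 37) % 100 for k in range(60)]

if __name__ == "__main__":
    for label, data in (("routine", ROUTINE), ("mixed", ROUTINE + BELOW_THRESHOLD)):
        rep = benford_report(data)
        print(label, round(rep["chi2"], 1), rep["alert"], rep["review_digit"])
```

An alert here only says where to look: `review_digit` points at the over- or under-represented digit, and a price list capped at 999 would trigger it just as well as fabricated amounts.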
AI and data analysis: a support tool
The contribution of data analysis and AI is real but precise: where traditional control works on a sample, algorithmic analysis can review all entries. It detects anomalies, assigns a risk score, cross-references criteria that a human eye does not spontaneously connect.
| What AI does well | What it does not do |
|---|---|
| Analyse 100% of entries, not a sample | Replace professional judgement |
| Detect anomalies and cross-reference criteria | Provide proof of fraud |
| Score and rank risk | Do away with internal control |
| Process large volumes quickly | Operate without human supervision |
| Flag cases to investigate | Decide alone, without false positives |
The main point of caution: AI produces false positives. It flags cases that, once checked, are perfectly regular. Confusing the alert with the verdict wastes time, wrongly accuses, and eventually leads to ignoring the alarms. AI shifts human work toward investigating cases; it does not remove it.
The detection approach in practice
Here is the order in which we approach a file where the risk of internal fraud is at stake:
- Map the internal control: who commits, who pays, who records, which thresholds, which reconciliations.
- Identify role concentrations and missing or unapplied controls.
- Extract and analyse the data (entries, suppliers, payments, expense claims) over the whole financial year.
- List the weak signals and anomalies, for example via anomaly tests and a Benford-type indicator.
- Investigate each alert one by one: supporting document, authorisation, consistency with the business.
- Document findings and corrections, and durably strengthen the failing controls.
This approach applies both to a one-off review and to setting up a recurring system within an outsourced financial management engagement.
Anti-fraud internal control checklist
- The person committing an expense is different from the one who pays and the one who records.
- Authorisation thresholds exist, are written down and actually applied.
- Bank reconciliation is done at least monthly.
- Any change to supplier bank details goes through independent validation (call-back to the supplier, dual signature).
- Creating a supplier follows a validation circuit with verification of details.
- Accounts are matched regularly and discrepancies explained.
- Each entry is traceable to a supporting document (reliable audit trail).
- Expense claims are checked by a third party, not self-approved.
Our reading
In files where internal fraud was eventually uncovered, the common factor is almost never the absence of a tool, but the concentration of roles: one person enters, approves and pays, and the owner trusts. AI and data analysis do not fix this structural flaw. They speed up detection once segregation of duties exists. Our priority, in growth files, is therefore to lay the basic controls first, then to tool up. The reverse gives a false sense of security.
A tool such as Pennylane eases the audit trail and reconciliation by centralising documents and entries; it supports internal control, it does not replace it.
The underestimated risk
The risk owners most underestimate is not the spectacular misappropriation, it is the slow erosion: modest amounts, just below the vigilance threshold, repeated over months. Taken one by one, they draw no attention. This is exactly the profile that analysing all entries reveals, where sample-based control misses it. The other underestimated risk: believing an AI alert amounts to a conclusion, and triggering HR decisions or accusations on a mere false positive.
Framework: GDPR, professional secrecy, AI Act
Detecting fraud involves processing sensitive data. Payroll and HR data are personal data: their analysis falls under the GDPR (purpose, minimisation, information, retention period). Professional secrecy governs what the firm may process and disclose. The use of AI models is governed by the AI Act (EU Regulation 2024/1689), with particular vigilance on bias and explainability: one must be able to understand why a case was flagged.
We detail these issues in our articles on AI and professional secrecy and on the company AI charter.
Common case
A pattern we regularly encounter: in a growing SME, the same person handles supplier invoice entry and the preparation of transfers. A recent supplier, with sketchy details, appears with a few invoices for round amounts, just below the dual-validation threshold. No element, on its own, is alarming. It is the cross-analysis (recent supplier + amounts below threshold + missing detailed document) that turns a routine into an alert to investigate. What follows is documentary verification, then, if needed, legal advice.
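The cross-analysis in this case, and the weak-signal table earlier in the article, as an added example (not the firm's own tooling): each entry is checked against several signals, and only their accumulation puts it in the review queue, with the reasons kept in plain words. The ledger extract is constructed, and every threshold is an assumption to be set per company.

```python
from collections import Counter, namedtuple
from datetime import date

# All thresholds below are assumptions for this example.
APPROVAL_THRESHOLD = 5000   # dual-validation threshold
NEAR_BAND = 0.10            # "just below" = within 10 % under the threshold
NEW_SUPPLIER_DAYS = 90      # a supplier counts as recent for 90 days
ALERT_AT = 3                # investigate when at least 3 signals combine

Entry = namedtuple("Entry", "id supplier created invoiced amount document entered_by paid_by")

# Constructed ledger extract (not real data).
ENTRIES = [
    Entry(1, "ACME", date(2019, 3, 1), date(2025, 5, 12), 1287.40, True, "lea", "marc"),
    Entry(2, "ACME", date(2019, 3, 1), date(2025, 5, 20), 4800.00, True, "lea", "marc"),
    Entry(3, "NOVA", date(2025, 4, 20), date(2025, 5, 15), 4900.00, False, "lea", "lea"),
    Entry(4, "NOVA", date(2025, 4, 20), date(2025, 5, 28), 4700.00, False, "lea", "lea"),
    Entry(5, "BETA", date(2021, 9, 7), date(2025, 5, 3), 620.00, True, "lea", "marc"),
    Entry(6, "BETA", date(2021, 9, 7), date(2025, 5, 3), 620.00, True, "lea", "marc"),
]

def signals(e, pay_counts):
    """Return the weak signals present on one entry, in plain words."""
    found = []
    if APPROVAL_THRESHOLD * (1 - NEAR_BAND) <= e.amount < APPROVAL_THRESHOLD:
        found.append("amount just below approval threshold")
    if (e.invoiced - e.created).days <= NEW_SUPPLIER_DAYS:
        found.append("recently created supplier")
    if e.amount % 100 == 0:
        found.append("round amount")
    if not e.document:
        found.append("no supporting document")
    if e.entered_by == e.paid_by:
        found.append("entry and payment by the same person")
    if pay_counts[(e.supplier, e.invoiced, e.amount)] > 1:
        found.append("possible duplicate payment")
    return found

def all_signals(entries):
    """Map entry id -> its signals, so every alert can be explained."""
    pay_counts = Counter((e.supplier, e.invoiced, e.amount) for e in entries)
    return {e.id: signals(e, pay_counts) for e in entries}

def review_queue(entries):
    """Entries whose combined signals reach ALERT_AT, most signals first."""
    flagged = [(i, s) for i, s in all_signals(entries).items() if len(s) >= ALERT_AT]
    return sorted(flagged, key=lambda item: -len(item[1]))
```

Entry 2 carries two signals (below threshold, round amount) and stays out of the queue, while entries 3 and 4 accumulate five each.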
Points of vigilance 2026
- Do not deploy an AI detection tool without a GDPR framework and without informing the people concerned.
- Keep human supervision over every alert: AI proposes, the human investigates and decides.
- Check the explainability of the models used, in light of the AI Act.
- Do not confuse an indicator (Benford's law, risk score) with proof.
- Document the audit trail: it is what allows tracing from an alert back to a decision.
The role of the statutory auditor and the criminal dimension
For the statutory auditor, taking the fraud risk into account in the audit of the accounts is governed by the professional standards (NEP 240). The auditor's primary mission is not to root out every fraud, but to assess the risk that fraud leads to material misstatements in the accounts, and to adapt controls accordingly.
On the criminal side, internal fraud may fall under qualifications such as breach of trust or forgery. These qualifications, and their consequences, fall to a lawyer's analysis: the role of the chartered accountant and statutory auditor is to identify, document and alert, within the scope of their engagement.
Frequently asked questions
How do you detect internal accounting fraud?
By starting with internal control: checking segregation of duties, authorisation thresholds and reconciliations. Then analysing entries to spot weak signals (amounts below threshold, fictitious suppliers, duplicates, changed bank details), then investigating each alert with its supporting document. AI speeds up this analysis across all the data.
What is a weak signal in accounting?
It is an isolated, barely visible anomaly that proves nothing but deserves checking: an entry posted on the last day of the month, an amount just below a threshold, a recent supplier with no verifiable details. Each signal has a possible legitimate explanation. It is their repetition or accumulation that justifies a deeper review.
Does Benford's law prove fraud?
No. Benford's law describes the expected frequency of the first digit of amounts in many accounting datasets (1 more frequent than 9). A marked deviation is an alert indicator that steers the review, but never proof: the gap may stem from the nature of the data. It serves to target checks, not to conclude.
Can AI replace internal control?
No. AI analyses all entries, detects anomalies and ranks risk, but it produces false positives and replaces neither professional judgement, nor internal control, nor human supervision. Without segregation of duties and upstream reconciliations, an AI tool gives a false sense of security.
What are the GDPR and professional secrecy limits for detection?
Payroll and HR data are personal data: their analysis must comply with the GDPR (purpose, minimisation, information, retention). Professional secrecy governs what the firm may process and disclose. The use of AI models falls under the AI Act (EU Regulation 2024/1689), with a requirement of explainability and vigilance on bias.
Is an AI alert enough to sanction an employee?
No. An alert is a starting point, not a conclusion. Before any decision, the case must be investigated (supporting document, authorisation, consistency with the business), the findings documented, and, depending on the severity, legal advice sought. Acting on a mere false positive exposes the company to a real legal risk.
Key takeaways
- The foundation of detection is internal control: segregation of duties, thresholds, reconciliations, a reliable audit trail.
- Weak signals (amounts below threshold, fictitious suppliers, changed bank details, duplicates) are questions to investigate, not proof.
- Benford's law and risk scoring are alert indicators, never verdicts.
- AI analyses all entries and speeds up detection, but produces false positives and requires human supervision.
- GDPR, professional secrecy and the AI Act strictly govern data processing and the use of models.
- For the statutory auditor, fraud risk is framed by NEP 240; the criminal dimension falls to a lawyer.
Article written by Hayot Expertise, chartered accountant and statutory auditor registered with the Ordre des experts-comptables d'Île-de-France. Informative scope: it does not replace an analysis of your situation, your documents and the law in force.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.