The Better Way of Applying Benford’s Law for Fraud Detection

Applying Benford’s Law on large collections of data is an effective way of detecting fraud. In this article, we?ll introduce you to Benford’s Law, talk about how auditors are employing it in fraud detection, and introduce you to a more effective way of integrating it into an IT solution.

Benford’s Law in a nutshell

Benford’s Law states that certain data sets – including certain accounting numbers – exhibit a non-uniform distribution of first digits. Simply put, if you gather all the first digits (e.g. 8 is the first digit of ?814 and 1 is the first digit of ?1768) of all the numbers that make up one of these data sets, the smallest digits will appear more frequently than the larger ones.

That is, according to Benford’s Law,

1 should comprise roughly 30.1% of all first digits;
2 should be 17.6%;
3 should be 12.5%;
4 should be 9.7%, and so on.

Notice that the 1s (ones) occur far more frequently than the rest. Those who are not familiar with Benford’s Law tend to assume that all digits should be distributed uniformly. So when fraudulent individuals tinker with accounting data, they may end up putting in more 9s or 8s than there actually should be.

Once an accounting data set is found to show a large deviation from this distribution, then auditors move in to make a closer inspection.

Benford’s Law spreadsheets and templates

Because Benford’s Law has been proven to be effective in discovering unnaturally-behaving data sets (such as those manipulated by fraudsters), many auditors have created simple software solutions that apply this law. Most of these solutions, owing to the fact that a large majority of accounting departments use spreadsheets, come in the form of spreadsheet templates.

You can easily find free downloadable spreadsheet templates that apply Benford’s Law as well as simple How-To articles that can help you to implement the law on your own existing spreadsheets. Just Google “Benford’s law template” or “Benford’s law spreadsheet”.

I suggest you try out some of them yourself to get a feel on how they work.

The problem with Benford’s Law when used on spreadsheets

There’s actually another reason why I wanted you to try those spreadsheet templates and How-To’s yourself. I wanted you to see how susceptible these solutions are to trivial errors. Whenever you work on these spreadsheet templates – or your own spreadsheets for that matter – when implementing Benford’s Law, you can commit mistakes when copy-pasting values, specifying ranges, entering formulas, and so on.

Furthermore, some of the data might be located in different spreadsheets, which can likewise by found in different departments and have to be emailed for consolidation. The departments who own this data will have to extract the needed data from their own spreadsheets, transfer them to another spreadsheet, and send them to the person in-charge of consolidation.

These activities can introduce errors as well. That’s why we think that, while Benford’s Law can be an effective tool for detecting fraud, spreadsheet-based working environments can taint the entire fraud detection process.

There?s actually a better IT solution where you can use Benford’s Law.

Why a server-based solution works better

In order to apply Benford’s Law more effectively, you need to use it in an environment that implements better controls than what spreadsheets can offer. What we propose is a server-based system.

In a server-based system, your data is placed in a secure database. People who want to input data or access existing data will have to go through access controls such as login procedures. These systems also have features that log access history so that you can trace who accessed which and when.

If Benford’s Law is integrated into such a system, there would be no need for any error-prone copy-pasting activities because all the data is stored in one place. Thus, fraud detection initiatives can be much faster and more reliable.

You can get more information on this site regarding the disadvantages of spreadsheets. We can also tell you more about the advantages of server application solutions.

Check our similar posts

9 Cloud Security Questions you need to ask Service Providers

Companies in Ireland and the UK who are considering cloud adoption might already have a general idea of the security risks inherent in cloud computing. However, since different providers may not offer the same levels of risk mitigation, it is important to know which providers can give sufficient assurance on cloud security.

Here are 10 cloud security questions to ask service providers vying for your attention.

1. Where will my data be located?

There are a variety of reasons why you will want to ask this question. One big reason is that there are certain countries that don’t have strict legislation (or any legislation at all) pertaining to cloud computing. In that case, the provider won’t be as motivated to apply high levels of risk mitigation.

So if your data is hosted off shore, then you might want to reconsider or at least conduct a deeper study regarding the security conditions there.

2. Do you have provisions for regulatory compliance?

Certain standards and regulations (e.g. PCI DSS and possibly the EU Data Protection Directive) have specific guidelines pertaining to data stored in the cloud. If your organisation is covered by any of these legislation, then you need to know whether your provider can help you meet requirements for compliance.

3. Who will have access to my data?

In a cloud environment, where your data is going to be managed by people who aren’t under your direct supervision, you’ll have to worry as much about internal threats as you would with external threats.

Therefore, you need to know how many individuals will have access to your data. You also need to know relevant information such as how admins and technicians with data access rights are screened prior to getting hired. You also need to determine what access controls are being implemented.

4. How is data segregated?

Since there will be other clients, you will want to know how your data is going to be segregated from theirs. Is there any possibility of an accidental or intentional data breach due to poor data segregation? Find out if your data is going to be encrypted and how strong the encryption algorithm is.

5. How will you support investigative activities?

Sometimes, even if strong cloud security measures are in place, a data breach can still happen. If it does happen, the provider should have ways to track each user/administrator’s activity that can sufficiently support a detailed data forensics investigation.

Find out whether logs are being kept and how detailed they are.

6. Are we protected by a Disaster Recovery/Business Continuity plan? How?

Don’t be fooled by sales talk of 100% up-time. Even the most robust cloud infrastructures can suffer outages too. But the important thing is that, when they do fail, they should be able to get up and running in the soonest time possible.

Don’t just ask about their guaranteed RPOs and RTOs. Find out whether your data and applications will be replicated across multiple sites. Unless the provider says they will be, you need to find a provider with a better infrastructure.

7. Can I get copies of my VMs?

In a cloud infrastructure, your servers are actually in the form of files known as virtual machines (VMs). Because VMs are just files, they should be easily copied. There may be issues though, like the VMs might be stored in a not-so-popular proprietary format. Another possible issue is that the provider may simply not allow copying.

Having copies of your VMs can be useful should you later on decide to transfer to another provider or even duplicate your cloud infrastructure on your own.

8. What will happen to my data when I scale down?

One outstanding benefit of cloud computing is that when your business demands drop, you can easily scale down computing resources and reduce your cloud spending. ?But what will happen to your data when you decommission virtual servers? Will they be discarded?

You might want your data to be retained up to a certain period. On the other hand, you might also want them to be deleted immediately. Ask about the provider’s data deletion/data retention policies and see if they are in line with yours.

9. What will happen to my data if I decide to close my account?

There might come a time when you’ll want to terminate your contract with your cloud provider. Just like in issue #8, you’ll want to find out more about data deletion/data retention policies.

Although some providers can give you detailed answers, many of these answers can include a lot of technical jargon that can leave you totally confused. If you want someone you can trust to:

  • simplify those answers;
  • help you pick the right cloud service provider, and
  • even make sure cloud security is really upheld once your cloud engagement is ?under way

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Disaster Recovery

Because information technology is now integrated in most businesses, a business continuity plan (BCP) cannot be complete without a corresponding disaster recovery plan (DRP). While a BCP encompasses everything needed – personnel, facilities, communications, processes and IT infrastructure – for a continuous delivery of products and services, a DRP is more focused on the IT aspects of the plan.

If you’re still not sure how big an impact loss of data can have, it’s time you pondered on the survival statistics of companies that incurred data losses after getting hit by a major disaster: 46% never recovered and 51% eventually folded after only two years.

Realising how damaging data loss can be to their entire business, most large enterprises allocate no less than 2% of their IT budget to disaster recovery planning. Those with more sensitive data apportion twice more than that.

A sound disaster recovery plan is hinged on the principles of business continuity. As such, our DRP (Disaster Recovery Plan) blueprints are aimed at getting your IT system up and running in no time. Here’s what we can do for you:

  • Since the number one turn-off against BCPs and DRPs are their price tags, we’ll make a thorough and realistic assessment of possible risks to determine what specific methods need to be applied to your organisation and make sure you don’t spend more than you should.
  • Provide an option for virtualisation to enjoy substantial savings on disaster recovery costs.
  • Provide various backup options and suggest schedules and practices most suitable for your daily transactions.
  • Offer data replication to help you achieve business continuity with the shortest allowable downtime.
  • Refer to your overall BCP to determine your organisation’s critical functions, services, and products as well as their respective priority rankings to know what corresponding IT processes need to be in place first.
  • Implement IT Security to your system to reduce the risks associated with malware and hackers.
  • Introduce best practices to make future disaster recovery efforts as seamless as possible.

We can also assist you with the following:

Web Analytics

There’s a vast ocean of raw customer data on the Web. Ever thought of the implications if somehow you could harness all that data and transform it into useful information? Information that perhaps you can use in your SEO (Search Engine Optimisation) and conversion optimisation?

There are web analytics tools you can employ for these purposes. But using web analytics tools will only win you half the battle. You’ll have to be proficient in configuring these tools to generate insightful and actionable results out of them. A poorly configured tool can produce confusing or even misleading information.

Our web analysts possess the expertise to configure and use web analytics tools, as well as analyse results and leverage information obtained from them.

These are the things we can do to help you take advantage of web analytics.

  • Discuss with your managers to establish your specific goals, to determine what specific data we have to collect/analyse and to plan out how to go about with the entire process.
  • Help you select an appropriate tool, install it and set optimal configurations including page tags, filters, funnels, reports and others.
  • Wield the full force of your analytics tool(s) to make sound business decisions.
  • Monitor the entire web analytics system and implement adjustments when needed.

Ready to work with Denizon?