Fraud - Do the math

Chetan Dalal reveals how an auditor exposed a sales fraud using Luhn's algorithm.

Auditors use various audit procedures - physical inspection, vouching, ratio analyses, inference from trends, documentary checks, third-party verifications and so on - to find and establish the truth in any given audit situation, and each of these methods has a place and importance in given audit situations. However, it is important for an auditor not to stagnate, and it is advisable to do constant research and discover newer and more penetrative methods of auditing.

In this regard, using any mathematical theorem in applying audit tests, wherever possible, is one of the most scientific and reliable methods of establishing the truth. The following is an example of where an auditor did extensive research and discovered an algorithm, called the Luhn's algorithm, which got fantastic results. The actual algorithm has not been reproduced here because it would be too technical, but it can be obtained by emailing A strange observation

The auditor of a company with an entertainment centre had just reviewed its credit card sales and the relevant bank reconciliation statements. He came across a letter in the file, from the bank, stating that a few credit card transactions from the entertainment centre could not be credited because those credit card numbers were invalid.

The auditor enquired about this with the entertain-ment centre accountant. The accountant explained that this letter was received from the bank in response to an earlier letter from the entertainment centre enquiring about certain credit card transactions that had not been credited by the bank. However, subsequently, the bank had admitted that it had been mistaken about the credit cards' validity, and immediately thereafter, the bank had given full credit for all those credit card transactions. He was able to prove this to the auditor by showing him the relevant subsequent credits.

However, the auditor remained puzzled; a mistake of one or two credit card numbers was understandable, but a bank committing such a mistake about several credit cards' validity and then later crediting the proceeds seemed incredible. The auditor was further convinced that something was wrong, because the initial reaction and the body language of the accountant indicated that something was amiss.

Facts of the case

To understand this auditor's dilemma, consider the backdrop and the facts of this interesting case. A few months before, a client of the auditor had sought his advice about investing in the company with the entertainment centre. The centre was situated in a resort hill station and had apparently been doing very well. The owner of the company wanted to sell off the entertainment centre because he was emigrating from India. He had approached several potential investors, one of whom was the auditor's client. An investment of about Rs 2 crores (£23,500) was expected by the owner by way of purchase consideration for this entertainment centre.

The auditor had then advised the client to appoint an agency to carry out a background check of the owner and to get a business intelligence report. It was essential to determine whether the owner had a good reputation, and to ensure that the entertainment centre was not affected by any undisclosed local problems. Once these two issues were clarified, then a financial review would make more sense. Thus, a due diligence check was recommended before taking any decision to invest.

The client accordingly asked a local investigation agency to attain this information. Based on some surveillance work and neighbourhood enquiries, the agency reported that the owner was not that well-known locally. He hailed from Bhopal, a distant city from the resort, and had come to the hill station resort about three years before to develop some old ancestral property and establish the entertainment centre.

However, reports indicated that the entertainment centre was not doing too well. It was not very popular and the food in its food courts was not selling even up to a break-even point. Even enquiries with suppliers revealed that they were paid very late and sluggishly, and that the entertainment centre seemed to have severe cashflow problems.

The client was still not inclined to reject the investment proposal outright, because he was very keen to have an entertainment centre at that hill station. Therefore, he had asked the auditor to audit the accounts to see whether the agency's report could be mistaken. There was some resistance to the idea of the audit from the owner, but the client was firm, and eventually he conceded.

Considering that his client was interested in long-term business prospects, the auditor concentrated on the sales and the reliability of the operating results. His main aim was to determine whether the entertainment centre really did have such good sales as claimed by the owner. The auditor had, therefore, carried out a detailed audit of sales of all rides and facilities at the centre, including the food and beverage sales. He also reviewed the reconciliation statements and had been browsing through the bank statement file when he had spotted the letter from the bank relating to the invalid credit cards.

Big question mark

The question that came to his mind was: is there a method to validate credit numbers and distinguish genuine ones from invalid numbers?

The auditor re-examined the sales in greater detail, and observed that most of them were credit card sales. A very small percentage of sales were realised in cash. He further observed that credit card collections were credited by the bank rather slowly. There were occasions when collections from the concerned banks took even three months to be credited to the account of the entertainment centre. This was strange because they should have been credited to the entertainment centre within a week, except perhaps in rare cases where there was a dispute in a specific transaction. However, even in this regard he could not raise any serious query, because although there were delays, the bank had eventually given credit for all the credit card sales.

Nevertheless, instinctively he felt that the credit card numbers were invalid. He was convinced that so many credit cards could not be flippantly termed invalid by the bank. There was something more to it. He could not make direct enquiries with the bank because he knew that the owner, already agitated about the very audit itself, was bound to protest. Was there another method of determining whether a credit card number was invalid?

The auditor decided to do research using the internet. After a whole day of painstakingly browsing through websites on credit card fraud, the chartered accountant was successful. He came up with a tool to address this issue: the Luhn's algorithm.

This algorithm can, to a certain extent, validate credit card numbers. The algorithm is a simple method of distinguishing valid numbers from collections of random digits. It verifies a number against its own check digit. Essentially it is a simple checksum formula to validate various identification numbers such as credit card numbers. It was created in 1960 by Hans Peter Luhn and is used by many credit card companies.

The algorithm cannot help if a credit card holder lacks credit balance, or if the card is lost or stolen and in the wrong hands, or if it has some other defect, but it can ascertain whether the credit card number itself is genuine and valid.

The auditor tried out the algorithm on the credit cards that were rejected as invalid by the entertainment centre's bank in its letter - and it worked. The credit card numbers were invalidated by Luhn's algorithm. The bank's letter was thus justified and there was no mistake about the invalidity of the credit cards.

The logical question therefore was: how did the sales proceeds get realised if they were effected through invalid credit cards?

What was the fraud?

The auditor uploaded Luhn's algorithm in an Excel spreadsheet and checked the credit card number validity of all the entertainment centre's credit card sales in the entire three-year period. About 87% of the credit card numbers were thrown out as invalid numbers in this exercise. Obviously, all those sales and credit card numbers were fictitious or artificial sales deliberately set up by the owner himself.

The deception was now clear to him. The entertainment centre owner had set up the centre with an intention to sell it after a few years. To be able to get a good price, he had to show that the entertainment centre was making good profits and huge sales. Since, in truth, the entertainment centre sales were not picking up, he artificially inflated room sales and food and beverage sales by showing sales through credit cards that never existed. As and when he was able to get money from other independent sources, he would deposit those amounts in the bank and these were palmed off as credit card collections credited by the bank. In this way, over a period of three years, he built up a good sales chart for the entertainment centre. He was thus able to project greater sales in future years and this enabled him to hike his goodwill value and purchase consideration to potential buyers.

He would have got away with this, but unfortunately, once during the three-year period when his regular accountant was on sudden sick leave, a temporary accountant was hired. This accountant, who was not aware of these artificial credit card sales, wrote a letter to the bank when several credit card transactions were not credited by it. Naturally the bank reverted, stating that the credit card numbers were invalid. When the temporary accountant reported this to the owner, he was immediately transferred to some other duty and eventually dismissed. However, the audit trail was left behind and the bank's letter fell into the auditor's hands, who in turn discovered the truth.

The client obviously was now wiser and did not invest in the entertainment centre.

Chetan Dalal is a Mumbai-based chartered accountant specialising in fraud detection and investigative audits. He served on the board of the India Chapter of the Association of Certified Fraud Examiners during 2000-2004, and is also on the editorial board of the UK-based magazine Inside Fraud. He provides training for fraud detection and investigation.

Be the first to vote

Rate this article

Related Articles