Fraud & Anomaly Detection (Audit Shield)

1. Goal: The "Sleep at Night" Factor

Problem: Fraud and errors are usually detected after the money is gone (or during the annual audit 12 months later). Solution: A forensic analysis layer that scans every invoice/payment before it leaves the building.

2. Core Value Proposition

• Prevention: Catches "Structuring" (Splitting invoices) and "Duplicate Payments" in real-time.
• Compliance: Ensures no payments to sanctioned entities or risky bank accounts.

3. Data Model

AnomalyFlag

• flag_id
• invoice_id
• risk_type: DUPLICATE_SUSPICION | BENFORD_ANOMALY | SPLIT_INVOICE | WEEKEND_POSTING | NEW_BANK_DETAILS
• severity: INFO | WARNING | CRITICAL (Block Payment)
• explanation: "Vendor posted 3 invoices of $4,900 today. Approval limit is $5,000."

VendorRiskProfile

• vendor_id
• risk_score: 0-100
• average_invoice_amount
• typical_posting_days: e.g., Mon-Fri.
• iban_history: List of known safe bank accounts.

4. Key Logic & Engines

4.1 Benford’s Law Analysis

• Concept: In natural financial data, the leading digit '1' appears ~30% of the time. If a vendor's invoices have leading digit '9' 50% of the time (e.g., $9,999), they are likely fabricating numbers to stay under a limit.
• Action: Alert Internal Audit to review this vendor.

4.2 The "Split Invoice" Detector

• Scenario: Manager has a $5,000 approval limit. They want to buy a $12,000 item. They ask the vendor to send three $4,000 invoices.
• Detection: "3 invoices from same vendor, same day/week, totaling > Limit." -> BLOCK.

4.3 IBAN Guard

• Scenario: CEO Fraud / Business Email Compromise. Hacker emails "Please update our bank details."
• Detection: "Invoice contains a Bank Account (IBAN) never seen before for this vendor."
• Action: Hard Stop. Require phone verification confirmation log before releasing payment.

5. UX/UI: The Risk Cockpit

• "The Red Queue": A special inbox for the Controller/CFO containing only High-Risk items.
• Vendor Audit View: "Show me every time Vendor X changed their address or bank details in the last 2 years."

6. Integration

• Inputs: Invoice Data, Vendor Master Data, User Approval Limits.
• Outputs: Blocking flags on the PaymentRun.