In a Q4 vendor spend review, Benford testing flagged 137 invoices clustered at $4,950–$4,999. How do you decide when to open a formal forensic review versus tightening approval thresholds and standing up continuous monitoring, and what risk-based criteria or tolerances have proved defensible in your reporting?
In my last review we used a simple tripwire: if the <$5k cluster was >“3-sigma” over Benford expectation for two consecutive periods and >1% of vendor spend, we opened a formal review; otherwise we lowered the auto-approve limit and turned on continuous monitoring around the requestor/approver pair. Caveat: quarter-end AP batching can mimic this pattern. Are your 137 hits concentrated by one vendor or requestor?
I escalate when the <$5k spike looks like splits rather than drift… Compute the “split-pair rate”: the share of $4,950–$4,999 invoices with a same-vendor/requester sibling within 7 days whose combined total exceeds the approval cap; if that’s ≥15% or any requester has 3+ pairs, I open a formal review, otherwise I tighten thresholds and stand up continuous monitoring. Small caveat: exclude catalog SKUs or contract-priced items sitting at $4,9xx so you’re not chasing noise; use item master or contract flags to filter those out.
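Added example, not part of any reply in this thread: one way to compute the split-pair rate and the escalation rule described in the reply above. The field names (`id`, `vendor`, `requester`, `date`, `amount`, `contract_priced`) and the invoice records are assumptions constructed for illustration, and a sibling is taken to be any other invoice from the same vendor and requester.

```python
from collections import Counter, defaultdict
from datetime import date

CAP = 5000.00        # approval cap discussed in the thread
BAND_LOW = 4950.00   # lower edge of the "just below cap" band

def split_pair_stats(invoices, cap=CAP, band_low=BAND_LOW, window_days=7):
    """Return (split-pair rate, Counter of distinct pairs per requester)."""
    groups = defaultdict(list)
    for inv in invoices:
        groups[(inv["vendor"], inv["requester"])].append(inv)
    # Contract/catalog-priced items are dropped from the band to avoid noise.
    in_band = [i for i in invoices
               if band_low <= i["amount"] < cap and not i["contract_priced"]]
    paired_ids, pairs, pairs_by_req = set(), set(), Counter()
    for inv in in_band:
        for sib in groups[(inv["vendor"], inv["requester"])]:
            if sib["id"] == inv["id"]:
                continue
            close = abs((sib["date"] - inv["date"]).days) <= window_days
            if close and inv["amount"] + sib["amount"] > cap:
                paired_ids.add(inv["id"])
                pair = frozenset((inv["id"], sib["id"]))
                if pair not in pairs:        # count A-B and B-A once
                    pairs.add(pair)
                    pairs_by_req[inv["requester"]] += 1
    rate = len(paired_ids) / len(in_band) if in_band else 0.0
    return rate, pairs_by_req

def decide(invoices, rate_threshold=0.15, pairs_per_requester=3):
    rate, by_req = split_pair_stats(invoices)
    heavy = sorted(r for r, n in by_req.items() if n >= pairs_per_requester)
    action = ("formal_review" if rate >= rate_threshold or heavy
              else "tighten_and_monitor")
    return action, rate, heavy

def _inv(i, vendor, req, d, amt, contract=False):
    return {"id": i, "vendor": vendor, "requester": req, "date": d,
            "amount": amt, "contract_priced": contract}

# Constructed sample data, not taken from the thread.
SAMPLE = [
    _inv("A1", "V1", "r1", date(2024, 11, 4), 4990.00),
    _inv("A2", "V1", "r1", date(2024, 11, 6), 4975.00),
    _inv("A3", "V1", "r1", date(2024, 11, 20), 4960.00),
    _inv("A4", "V1", "r1", date(2024, 11, 22), 1200.00),
    _inv("A5", "V1", "r1", date(2024, 11, 23), 300.00),
    _inv("B1", "V2", "r2", date(2024, 11, 5), 4999.00),
    _inv("B2", "V2", "r2", date(2024, 12, 15), 4950.00),
    _inv("C1", "V3", "r3", date(2024, 11, 8), 4980.00, contract=True),
    _inv("C2", "V3", "r3", date(2024, 11, 9), 4980.00, contract=True),
]
```

On the constructed sample, requester `r1` accounts for three distinct pairs and the rate is 3 of 5 in-band invoices, so either criterion alone would trigger the formal review.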
I’d set a vendor/requester “just-below-cap rate” and trigger an investigation when a vendor is >4x the portfolio baseline and the hits span 3+ requesters. Caveat: per‑diem or freight caps can cause harmless clustering — sanity‑check with month‑end/day‑of‑week heatmaps and description n‑grams; Nigrini’s primer helps: https://www.nigrini.com/benfordslaw. Do you have requester IDs and timestamps to test for “batching” — if it all lands at 4:58 p.m., that’s cookie‑cutter, not Benford.
Q4 muddies this, so I gate on intent: if >35% of the 137 ‘just under $5k’ hits land within 3 days of month-end and terminal-digit 9/0 is >2x baseline, I open a case; otherwise I nudge the cap and watch next period — if the cluster slides to ~$4.8k, that’s your tell. Is $5k an approval cliff for non-POs?