Twice this quarter I found 37 invoices from a single vendor at $9,950 — just under a $10k approval limit — which is classic split-billing. Beyond Benford checks, I trace same-day POs, duplicate descriptions, and shared approver IDs; that clustering can evidence intent and turn a control breach into a procurement fraud matter with false-statement or wire-fraud implications. How are you routing these — straight to counsel and preservation, or letting internal audit take first look?
I cross-check ‘shared approver IDs’ with reused bank accounts; $9,950 patterns pop fast, though phased milestones can be legit.
Quick win I’ve used: pull the original PDFs and compare their metadata (CreationDate/Producer) — batches of “$9,950” invoices often share the same timestamp or generator, which screams templated runs even when descriptions differ. exiftool makes this a 2‑minute check; just watch for AP imaging systems that re-render PDFs, or test with a few known originals before you flag it.
I’ve had good results tying invoice clusters to GR/IR and delivery tickets — if a batch of “just under $10k” invoices all point to the same receiver ID or a single delivery date, it’s tough to argue they weren’t split to skirt the $10k limit. Quick SQL join on SAP GR/IR and service entry sheets surfaces it fast. Small caveat: I always check the SOW lines first, since genuinely separate acceptances on different dates can look similar.
Caught one by comparing unit-price consistency across a batch of “$9,950” invoices — same SKU and price, but quantities and a tiny freight line flipped to dodge the $10k limit. Joining invoice_number prefixes with vendor master change logs (who edited remit-to/terms that week) surfaced the requester–approver pair and tipped intent. Worth a try, @OP, but watch for legit milestones; ACFE flags this pattern: 404.
Seen this when I mined AP workflow/audit logs: a batch just under the approval limit all “submitted” within 8–12 minutes from the same machine/user agent, even with “shared approver IDs” muddying the trail. If it’s a shared-services desk the IP can be noisy, so I key on SSO subject + session IDs and cross-check for recent vendor bank-change tickets to firm up intent.
Agree with @a_roberts78 on clustering — I fingerprint the PDFs: identical XMP CreateDate/Producer and repeated image hashes across a burst, even when amounts sit just under the approval ceiling. If those timestamps bunch within minutes, pairing that with your same-day PO/approver clustering helps show intent vs a simple control miss. Small caveat: some MFDs stamp the same metadata, so I confirm with PO change logs or a vendor bank-field edit within 24–48 hours of the burst.