​​​Use of the Luhn Algorithm in IT Audit and Fraud Detection​​​

By doing a little online research, an internal auditor discovered the Luhn algorithm, a simple redundancy check that can be used to validate different identification numbers during fraud and IT audit investigations.​​​​

Comments Views

​IT audits and fraud detection efforts are becoming more complex and challenging due to rapid changes in the technology arena. To add more fuel on the fire, many white-collar criminals are learning​ how to spot internal control limitations and exploit them with more ease, thus enabling them to prepare for audits and fraud investigations. Given the nature of today's high technology crimes, using routine audit or forensic investigation methods may not be enough to detect fraud. As a result, internal auditors need to find and try new or innovative scientific methods that can help them in their quest for truth. The following case study is an example of how an auditor discovered the Luhn algorithm, which enabled him to expose the deceit and wrongdoing of a hotel manager.​

The Situation

The board of directors of a hotel chain was ecstatic. One of their hotels at a distant hill station miraculously started showing astonishing profits after years of continuous losses. This particular hotel was on the brink of closure because the hill station had become a poorly visited tourist destination as the result of nearby terrorist activity. Room occupancy and food and beverage sales had dropped significantly, and projected future profits were dismal — the hotel was not expected to reach a break-even point. Due to the lack of profit and sales, the board decided to close the hotel.

Prior to closing the hotel, the board appointed a temporary manager with limited hotel staff to run the hotel because local statutory and bank loan clearance procedures had to be completed first. This manager turned out to be a magician — within a couple of months, the hotel started making a profit and the local manager asked the directors for more funds to renovate and expand the hotel.

The internal auditor, however, was skeptical about the hotel's miraculous recovery due to certain observations in his audit report, which prompted the board to discuss the positive turn of events with the hotel chain's audit committee. To make sure fraud was not taking place, and because all profit collections were deposited in a bank and sales did not appear to be inflated or fictitious, the audit committee asked the internal auditor to conduct a quick investigation of the reported sales.

The Audit

The internal auditor did not believe the hotel was making any profits because this was contrary to the local business scenario and projected sales income: The hill station was situated in a politically turbulent area with a lot of terrorist activity and was occupied by more military personnel than tourists. Therefore, the auditor was skeptical the hotel could make a profit or break-even.

After the internal auditor arrived at the hotel, his suspicions where partially confirmed; the auditor immediately observed that hotel activity was low and there were virtually no guests. The hotel's restaurants also were deserted. The hotel manager explained that this was typical for a few days out of the month when military activity was high. On these days only, sales were low. The manager then explained these phases were few and were gradually tapering off.

The auditor was not convinced. He continued to believe the sales reported by the hotel manager were fictitious or inflated. To obtain proof, he reviewed the sales numbers again and noticed that a large part of the sales were credit card sales. The auditor tried to verify the credit card transactions but couldn't because many of the bank statements were missing.

When asked about the missing statements, the manager told the auditor he didn't know what happened to the statements because their regular accountant had quit. The manager did reassure the auditor the credit card sales were real as evidenced by the growing account balances in the bank statements. After making inquiries with the bank regarding the account balances over the last six months, the manager's statements seemed to be true: Regular deposits were made, which were reflected by healthy account balances. However, this finding did not change the internal auditor's opinion. Because the hotel did not seem to have any sales potential, he wondered where all these credit card holders were coming from. Were some of the credit card sales fictitious and a front for a clandestine source of income? If so, the missing bank statements could be the perfect camouflage. The more the auditor thought about the situation, the more he was convinced the sales were inflated.

What Is the Luhn Algorithm?

The Luhn algorithm, also known as "mod 10" algorithm, is a checksum formula used to verify the authenticity of a variety of identification numbers. The algorithm was developed by scientist Hans Peter Luhn in the 1960s as a tool to validate unique numbers. Besides credit card numbers, the Luhn formula also is used to check the validity of Canadian Social Insurance numbers. In fact, the formula is used widely to generate the check digits of different primary account numbers. For example, cards issued by hotels for their guests, frequent flyer cards issued by airlines, or employee identification numbers can be validated during online transactions by applying the algorithm.

Almost all institutions that create and require unique account or identification numbers use the mod 10 algorithm. This file provides an illustration of how the Luhn algorithm can detect invalid credit card numbers. Simply enter any credit card number in cell C8. If the number is genuine, the spreadsheet will display a valid result. If it is not, the spreadsheet will show an invalid response. Here's how the algorithm works when verifying credit cards:

  • Starting with the second to last digit and moving left, double the value of all the alternating digits.
  • Take all the unaffected digits starting from the left and add them to the results of all the individual digits from step 1. If the results from any of the numbers from step 1 are double digits, make sure to add the two numbers first (i.e., 18 would yield 1+8). Basically, the equation looks like a regular addition problem that adds every single digit.
  • The total from step 2 must end in zero for the credit card number to be valid.
  • The algorithm can be used in many applications and is in the public domain — internal auditors can find the formula's source code on the Internet in C#, Visual Basic, and Java. The algorithm is also a standard used by the International Standards Organization (ISO) and International Electrotechnical Commission (IEC) — ISO/IEC 7812-1:1993 Standard — and the American National Standards Institute — ANSI X4.13 Standard.

Luhn's Algorithm to the Rescue

The auditor felt that the solution to the problem was in examining the credit card sales, which represented a large part of the hotel's total revenue. The auditor simply needed to ascertain whether all the credit card sales were valid. He conducted some research on the Internet and came across the Luhn algorithm, a simple checksum formula or redundancy check used to validate a variety of identification numbers, such as credit card numbers.

The algorithm was the perfect fit for his problem because it could help the auditor reveal whether a credit card number was invalid with a reasonable degree of accuracy. After studying the algorithm, the auditor developed an Excel spreadsheet using the algorithm's formula and tested all the credit card numbers on the hotel's sales slips. His effort paid off quickly. After applying the algorithm, the auditor found that 80 percent of the sales were done with invalid credit card numbers. The manager had been deceiving the directors by showing huge sales when in fact, there were none. He confirmed this finding by checking a sample of credit card sales with the appropriate banks.

Although the auditor had been able to prove that the credit cards were invalid, he still had to find out the nature of the clandestine source of the collections. Another investigation was launched that revealed how the fraud was committed.

How the Fraud Took Place

When the hotel manager was appointed, he was in charge of overseeing the entire hotel with only a handful of staff. As a result, he was able to start selling the hotel's expensive assets, such as the hotel's teakwood furniture, paintings, chandeliers, cutlery, and electronic items. A large portion of these earnings were deposited in the bank to impress the directors and "show" the hotel was making a profit. He derived two benefits from this. Not only did he get a bonus for being able to turn things around, he retained a part of the earnings that were not deposited in the bank. He also was able to convince the directors to give him more funds for future renovation and expansion. Many of the hotel's expensive assets, such as the hotel's furniture, paintings, and cutlery sold by him were replaced by cheap ordinary ones to avoid suspicion. After six months of committing the fraud, the total amount of money stolen was US $200,000.

Looking Forward

The internal auditor's research enabled him to discover the Luhn algorithm and determine the sales were indeed fictitious. To stay up-to-date with other fraud detection methods, auditors should conduct continuous online research. Besides finding newer and more advanced fraud detection tools to sharpen their skills, continuous research can help auditors detect fraud, no matter how skillful the perpetrator is.​



Comment on this article

comments powered by Disqus
  • TeamMate_Prem 1
  • RSM_Prem 2
  • IIA Sydney Conf_Prem 3