Books AutomatorBefore You Start
This guide assumes you have administrator access to Xero with an Adviser role and full permissions to all financial functions.
Overview
What You’ll Learn
- How to effectively use Xero’s History and Notes report
- Identifying unusual transaction modifications or deletions
- Tracing user activity for suspicious entries or changes
- Spotting common red flags indicative of potential fraud
1. The Power of Xero’s Audit Trail
Xero provides robust tools to track changes, user activity, and transaction history. Leveraging these can be critical in forensic investigations:
Key Reports for Forensics
- History and Notes Activity Report
- Account Transactions Report (filtered)
- Bank Reconciliation Report
- Users Activity Report (under Settings)
Critical Data Points to Look For
- Exact user and timestamp of changes
- Original vs. modified values for transactions
- Records of deleted or voided transactions
- Changes in payment methods or bank accounts
2. Common Fraud Scenarios & Detection Methods
You have two main types of internal fraud, each requiring a different approach.
Scenario A: Unauthorized Expense Claims
This often involves inflating legitimate expenses or creating fictitious ones.
- Duplicate expenses or invoices.
- Unusual vendor names or addresses.
- Rapid increases in specific expense categories.
- Can be hidden in high-volume transactions.
- Requires external verification of receipts.
- Often involves small, recurring amounts.
Scenario B: Manipulated Sales or Purchase Orders
This includes altering invoices, credit notes, or purchase orders to divert funds or goods.
Expert Tip: Focus on changes to previously reconciled transactions or approved invoices. These are often harder to detect and can indicate deliberate obfuscation.
3. Step-by-Step: Investigating with History & Notes
The History and Notes Activity Report is your primary tool. Access it via Accounting > Reports > History and Notes Activity.
Here is a sample of an audit entry you might find:
{
"transaction_id": "GUID12345",
"type": "invoice",
"action": "modified",
"user": "jane.doe@example.com",
"timestamp": "2025-01-15T10:30:00Z",
"details": {
"field": "line_item.description",
"old_value": "Consulting Services Q4",
"new_value": "Consulting Services Q4 - Adjusted"
}
}4. Advanced Detection Techniques
- 1
Export & Analyze Data Off-Platform
For large datasets, export the History and Notes report to a spreadsheet. Use pivot tables and conditional formatting to highlight anomalies. Look for patterns in user activity, timing (e.g., after hours), or types of changes.
- 2
Identify Irregular Patterns
Search for multiple small adjustments that cumulatively add up, or sudden, large changes to old transactions. Pay attention to changes in bank account details on supplier invoices or employee reimbursement requests.
- 3
Cross-Reference with External Evidence
Always compare your Xero findings with external documents like bank statements, vendor contracts, physical inventory counts, and employee expense reports to confirm or refute suspicious entries.
Common Error: Overlooking User Permissions
Fraud often exploits weak internal controls. Ensure only authorized personnel have access to sensitive financial functions (e.g., approving payments, reconciling bank accounts). Regular review of user roles and permissions can prevent many issues.
5. Best Practices for Prevention
Internal Controls Checklist
- Implement strong segregation of duties
- Conduct regular, independent internal audits
- Require two-factor authentication for all Xero users
- Regularly review and update user access permissions
- Train staff on fraud awareness and reporting procedures
Need Help?
Expert Forensic Review
Suspect fraudulent activity or need an in-depth forensic analysis of your Xero data? Our specialists can provide a thorough investigation and actionable insights.
Contact Us