CHAPTER 10 FRAUD AND FORENSIC AUDITING

UNDERSTANDING FRAUD

Fraud is broadly defined as "any act involving the use of deception to obtain illegal advantage" (ISACA Irregularities and Illegal Acts Guideline). Fraud is a hot topic, primarily because of high-profile failures such as Enron, Global Crossing, Adelphia, WorldCom, and Tyco […] a direct result of fraud. Legislation such as the Sarbanes-Oxley Act of 2002 […] crackdown on corporate fraud. Furthermore, […] standards that require auditors to exert more effort to detect fraud. […] Not only must IT auditors be knowledgeable about fraud, but they must […] the audit to provide reasonable assurance of detecting fraud. In this chapter, you learn about various types of fraud, what the auditor's responsibility is concerning fraud, and how forensic auditors use electronic tools to uncover the nature and extent of fraud that has already occurred.

Why Fraud Occurs

Experts agree that fraud occurs as a result of the interplay between three factors: opportunity, incentive or pressure, and attitude or rationalization. These factors are collectively referred to as the "Fraud Triangle." See Figure 10-1.

Opportunity exists when internal controls are not sufficient or when collusion exists so that perpetrators can circumvent the controls. Opportunity is the most important of the three factors, simply because even the greediest or neediest employee cannot carry out a fraud without opportunity.

Incentive or pressure typically comes from personal circumstances. For example, let's suppose a longtime faithful employee suddenly has a personal financial crisis. Perhaps a child is sick and the employee doesn't have insurance to cover medical care.
Under normal circumstances, the employee might not be tempted to steal from the employer. But under these extraordinary circumstances, even a scrupulously honest employee might succumb to situational pressures.

The final factor that is usually present when fraud is committed is attitude or rationalization. This means the employee finds a way within his or her conscience to justify the theft. Perhaps the employee believes he or she is underpaid. The employee might then rationalize that he or she is simply getting money owed anyway. This has been referred to as "wages in kind." […]

[FIGURE 10-1: the Fraud Triangle, with labels including Pressure and Rationalization. Source: […] Obsidian Publishing Co.]

Case-in-Point 10-1

[…] Occasionally, however, […]. Take the case of Jacqueline McTair […]. By all accounts Ms. McTair was […]. It was discovered, however, that Ms. McTair […] the bank. Interestingly, Ms. McTair didn't […]. She mistakenly thought that the money was going to […] Holocaust victims. Ms. McTair, who is 70, recently received a sentence of […] jail, and must pay four million dollars […].

Major Fraud Studies

Many studies and surveys have been conducted to determine the nature and extent of fraud. These can only study fraud that has been detected and is therefore known about. The true nature of fraud is unknown, since much fraud goes undetected. It is estimated that only about 20 percent of fraud has been detected and is known.

Major fraud studies include the landmark 1987 Committee of Sponsoring Organizations (COSO) fraud study, the 1996 study published by the Association of Certified Fraud Examiners, the 1998 KPMG fraud study, the 1999 follow-up COSO fraud study, and the 2002 follow-up to the Association of Certified Fraud Examiners 1996 fraud report. Additionally, the Computer Security Institute, in conjunction with the FBI, has published a computer crime survey annually since 1996. All of these studies attempt to discover trends in occupational (i.e., committed in the workplace) fraud, such as what kinds of fraud are most likely to be perpetrated, who the most likely perpetrators are, what methods are used, and so on. Let's take a closer look at two major studies, the 1999 COSO study, and the 2002 Association of Certified Fraud Examiners study.

THE 1999 COSO STUDY: "FRAUDULENT FINANCIAL REPORTING: 1987-1997, AN ANALYSIS OF U.S. PUBLIC COMPANIES"

The 1999 COSO study focuses mainly on financial statement frauds committed over an eleven-year period. This study revealed three hundred cases of alleged fraudulent reporting by Securities and Exchange Commission (SEC) registrants and analyzed two hundred randomly selected financial statement cases. In the cases analyzed, the most common method used to commit the fraud was some type of […]. Other methods included […], asset misappropriation (12 percent), and inappropriate financial statement disclosures […].

The study also highlighted interesting characteristics of the companies analyzed. For instance, the companies tended to be relatively small, with less than $100 million in assets in the year […] fraud. The study also highlighted a problem with the qualifications of the […] individuals with […] experience as corporate board members […]. […] 20 percent […] in fraudulent financial reporting […] held incompatible job functions, such as serving as both the CEO and CFO.

[…] balance sheet accounts that were frequently involved in fraudulent financial reporting […] was the most commonly misstated account. Accounts […] include accounts receivable, loans/notes receivable, […] property, plant and equipment, and […].

COSO also wanted to know which industries were more prevalent in […]. Figure 10-2 shows that computer companies and manufacturing companies had the highest […] fraudulent financial reporting.

THE "2002 REPORT TO THE NATION ON OCCUPATIONAL FRAUD AND ABUSE," ALSO KNOWN AS THE "2002 WELLS REPORT"

While the COSO study focuses on fraudulent financial reporting, the National Association of Certified Fraud Examiners fraud report is not limited to one type of fraud. Instead, it is based on 663 known occupational fraud cases reported by certified fraud examiners who investigated those cases. This report is particularly instructive in noting trends in fraud because it compares the 1996 reported statistics with the 2002 statistics. The report discusses areas relevant to fraud: the costs associated with fraud, the methods for committing the frauds, who the victims are, who the perpetrators are, and the legal aspects and outcomes of the 663 cases.

Costs Associated with Fraud. Fraud in 2002 was estimated at $600 billion, […] $200 billion in 1996.
Over half of the frauds in the study resulted in a loss […]. Sixteen percent resulted in a loss of at least $1 million, and 3.2 percent […].

With respect to which measures are most helpful in preventing fraud, survey respondents viewed a strong system of internal controls as the most effective anti-fraud measure by a wide margin, followed by background checks on new employees, regular fraud audits, established fraud policies, willingness of companies to prosecute, ethics training for employees, anonymous fraud reporting mechanisms, and workplace surveillance.

Within an organization two categories of fraud perpetrators […] and managers. The survey found that, of the occupational fraud […], 38.1 percent was committed by employees, 35.9 percent […], and 6 percent was committed by managers/executives in […] employees. Interestingly, while employees were more likely to perpetrate […], managers or executives resulted in a significantly greater dollar loss ($20,000 median cost as compared with $70,000 median per […] employee fraud).

Characteristics of fraud perpetrators are shown in Figure 10-7. […] frauds […] likely to be committed by middle-aged or older individuals with college […]. […] frauds were committed by individuals over […]. Almost 70 percent of frauds were committed by individuals who had never been charged with or convicted of prior crimes.

[FIGURE 10-7 Characteristics of Fraud Perpetrators. Table of percentages by gender, age, education, and criminal history; values not recoverable. Source: Association of Certified Fraud Examiners (Austin, Texas), 2002 Report to the Nation on Occupational Fraud and Abuse, pages 14-16; www.cfenet.com/media/2002RtN/; used with permission.]

[…] publicly traded companies victims 30.0 percent of the time. Not-for-profit organizations […] 4 percent of the losses, while government agencies were fraud victims in 24.7 […] the cases. Companies with less than one hundred employees suffered higher median losses than the largest organizations (those with more than ten thousand employees). The report speculates that this may be because many small companies often have a single individual in charge of the entire bookkeeping process. In these situations, the absence of segregation of duties creates opportunity that, when combined with situational pressures and rationalization on the part of the perpetrator, may be impossible to resist. Figure 10-8 shows losses by size of organization (e.g., number of employees).

[FIGURE 10-8 Losses by Number of Employees. Columns: number of employees, percent of cases, median loss; values not recoverable. Source: Association of Certified Fraud Examiners (Austin, Texas), 2002 Report to the Nation on Occupational Fraud and Abuse; www.cfenet.com/media/2002RtN/; used with permission.]

Legal Aspects and Outcomes. This section of the study examined whether an organization's anti-fraud measures were effective in deterring fraud, whether internal controls could have prevented the fraud, and whether the companies pursued legal action against the perpetrators.

The anti-fraud measures included background checks, anonymous reporting mechanisms, internal audits, and external audits. Figure 10-9 shows that all of these measures, when present, deterred fraud to some degree. Further, companies with a given anti-fraud measure […] suffered lower median losses.

[FIGURE 10-9 Anti-fraud measures: background checks, anonymous reporting, internal audits, external audits; values not recoverable. Source: Association of Certified Fraud Examiners (Austin, Texas), 2002 Report to the Nation on Occupational Fraud and Abuse; www.cfenet.com/media/2002RtN/; used with permission.]

One of the most significant findings of the study is that 46.2 percent of respondents indicated that insufficient internal controls contributed to the ability to perpetrate the […]. […] indicated that controls existed but were ignored. Thus, in over […], internal controls either did not exist or were not followed.

Finally, with respect to the disposition of the fraud cases, in most cases (61.1 percent) insurance paid for at least […] convicted, either through a […] or at trial (14 percent). For those cases where no legal action was taken against the offender, the fear of negative publicity (cited 30.6 percent of the time) was the primary reason for taking no legal action, followed by a private settlement being reached between the employer and dishonest employee (cited 26.6 percent of the time).

IT Fraud

The discussion so far […] fraud in a broad sense, while the focus of this book […] where IT fraud fits into the picture. IT fraud […] through the use of computerized technology. Thus, almost any of the categories of fraud outlined in the "2002 Wells Report" can be committed as an IT fraud. That's why it's important for IT auditors to understand all types of fraud. Additionally, IT auditors must be proficient at using sophisticated technology to detect fraud. Chapter 8 covers this topic and presents specific types of computer-assisted auditing techniques (CAAT) that can be used to detect frauds by functional area.

Cybercrime

[…] discussed in Chapter 2. Broadly speaking, cybercrime can refer to any type of […] a computer network and the Internet. Typically, cybercrime […] gaining unauthorized and/or illegal access to a third party's network. The third party can be a government agency, not-for-profit, […] public or private company. Once the cyber criminal gains access, he or she may engage in […] activities such as espionage, […]. Methods for gaining access to networks […].

RESPONSIBILITIES TO DETECT FRAUD

Ask any ordinary individual on the street, "Whose job is it to detect fraud?" and […] "The auditor, of course." However, the auditor will beg to […] to detect fraud lies with the company. From an audit professional's […], the auditor must design the audit with the reasonable assurance of detecting […]. The purpose of an audit is not to detect fraud (unless of course it is a special […]). Rather, the purpose of an audit is to determine whether the company […]. Let's look a little closer at what the company's responsibility is, and then […] responsibility is regarding fraud deterrence and detection.

Corporate Responsibility

POSITIVE VERSUS NEGATIVE SECURITY MODEL. First and foremost, […] should strive to maintain a positive, proactive security model. This means they […] and threats and seek proactively to identify their vulnerabilities where information technology is concerned. They don't wait until something happens to jump on the security bandwagon. In contrast, a negative security model is a reactionary model. […], including security breaches, are handled as they arise. Little attempt is made to formulate a broad, forward-looking plan for security.
The positive security model includes […] an ethical atmosphere, maintaining corporate policies on computer use and misuse, protecting the computer system through appropriate security measures, and maintaining a corporate security incident response plan.

ETHICS. Ethics, covered in detail in Chapter 2, is probably the most important factor in the corporate culture where fraud is concerned. Management's "tone at the top" sets the example for the entire company. If management takes the issue of ethics lightly, you can bet that employees will be quick to follow management's lead. Therefore, it is […] management to lead by example.

[…] adhering to a corporate code of ethics is one way management can demonstrate a commitment to ethics. Many corporations publish their code of ethics on the Internet to demonstrate to customers and employees that they are fully committed to running an ethical business. The Center for the Study of Ethics in the Professions (CSEP) at the Illinois Institute of Technology has developed an extensive database of more than […] companies that maintain codes of conduct on the Internet. Figure 10-10 shows the Better Business Bureau of Canada's code of conduct, which can be viewed on the Internet at ww/wdddivan.aw/abaulbbb/prog. services/codeethics. html.

[FIGURE 10-10 Better Business Bureau Code of Ethics; text of the code not recoverable. Used with permission.]

COMPUTER USE AND ABUSE. Companies also should have policies governing the proper and improper use of company technology, including computers. Some examples of issues that should be specifically addressed include:

1. Whether or not employees can use laptops at home or on vacation;
2. The lending of laptops to others;
3. Copying software owned by the company;
4. The use of unauthorized software on an employee's desktop computer;
5. The use of company time to surf the Internet or conduct personal business on the Internet (for example, making plane reservations for a vacation);
6. E-mail dos and don'ts;
7. Password protocols such as requiring passwords to be changed at regular intervals;
8. Virus protection updating; and
9. Sharing of files and disks.

POLICIES ON SECURING THE CORPORATE NETWORK. The company […] responsibility to maintain appropriate security measures to protect the corporate network. This includes access controls both at the network level and the application level to control who has access to the corporate network (i.e., authentication), and to which applications he/she has access. Firewall protection should be in place, and a system of intrusion detection […] constantly in use. Encryption of documents and e-mail should be […] and where cost-beneficial. Virus protection should be in place and […] security patches should be downloaded daily by network administrators. All of these measures should be stated explicitly as a matter of policy.
CORPORATE FRAUD POLICY. One policy that is typically separated from a general […]. […] companies maintain a separate corporate […]. This policy […] states what constitutes fraud, to whom the policy applies, […] will be dealt with, and possibly any whistle-blower protections. […] the City of Toronto, as shown in […].

FIGURE 10-11 Sample Corporate Fraud Policy, City of Toronto

Fraud and Other Similar Irregularities

Statement of Policy Principles

The City of Toronto is committed to protecting its revenue, property, information and […] from any attempt, either by members of the public, contractors, sub-contractors, agents, intermediaries or its own employees, to gain by deceit, financial or other benefits. This policy sets out specific guidelines and responsibilities regarding appropriate actions that must be followed for the investigation of fraud and other similar irregularities.

Definitions

Fraud and other similar irregularities include, but are not limited to:

Forgery or alteration of cheques, drafts, promissory notes and securities.
Any misappropriation of funds, securities, supplies or any other asset.
Any irregularity in the handling or reporting of money transactions.
Misappropriation of furniture, fixtures and equipment.
Seeking or accepting anything of material value from vendors, consultants or contractors doing business with the City in violation of the City's Conflict of Interest policy.
Unauthorized use or misuse of City property, equipment, materials or records.
Any computer related activity involving the alteration, destruction, forgery or manipulation of data for fraudulent purposes or misappropriation of City-owned software.
Any claim for reimbursement of expenses that are not made for the exclusive benefit of the City.
Any similar or related irregularity.

[…] employees of the City of Toronto and to employees […] over which Council has authority to require […].

General Policy and Responsibilities

1. It is the City's intent to fully investigate any suspected acts of fraud, misappropriation or other similar irregularity. An objective and impartial investigation will be conducted regardless of the position, title, length of service or relationship with the City of any party who might be or becomes involved in or becomes/is the subject of such investigation.
2. Each Commissioner is responsible for instituting and maintaining a system of internal control to provide reasonable assurance for the prevention and detection of fraud, misappropriations and other irregularities. Management should be familiar with the types of improprieties that might occur within their area of responsibility and be alert for any indications of such conduct.
3. The City Auditor, in consultation with the City Solicitor, has the primary responsibility for the investigation of all activity as defined in this policy.
4. The City Auditor will notify the Chair of the Audit Committee and the Chief Administrative Officer of a reported allegation of fraudulent or irregular conduct upon the commencement of the investigation to the extent practical. Throughout the investigation these officials should be informed of pertinent investigative findings.
5. In all circumstances, where there are reasonable grounds to indicate that a fraud may have occurred, the City Auditor, subject to the advice of the City Solicitor, will contact the Toronto Police Service.
6. Upon conclusion of the investigation, the results will be reported to the Chair of the Audit Committee, the Chief Administrative Officer and the Commissioner.
7. The City will pursue every reasonable effort, including court ordered restitution, to obtain recovery of the City losses from the offender or other appropriate source(s).

Procedures

1. All Employees. Any employee who has knowledge of an occurrence of irregular conduct, or has reason to suspect that a fraud has occurred, shall immediately notify his/her supervisor. If the employee has reason to believe that the employee's supervisor may be involved, the employee shall immediately notify the Commissioner and the City Auditor. […] with anyone other than his/her supervisor, the […] City Auditor […]. […] employees who knowingly make false […].
2. Managers. Upon […] fraud, or if the manager has reason to suspect […], the manager shall immediately notify the Commissioner and the […]. […] investigate the suspected fraud or to discuss the […] the person to whom the fraud was reported, the City Auditor and […].
3. […] the Commissioner has […], the Commissioner shall immediately contact the […]. […] investigate the suspected fraud or to discuss […] anyone other than the City Auditor, City Solicitor and the police.
4. […] discovery of a suspected fraud, the City Auditor will promptly investigate the fraud. In all circumstances, […] for suspecting […], in consultation with the City Solicitor, will contact […].
5. […] a determination that the suspected fraud warrants additional investigation, the City Auditor will notify the Chief Administrative Officer, the City Solicitor and the Chair of the Audit Committee. […] appropriate law enforcement officials. The City Auditor shall coordinate the investigation […].
6. Security of Evidence. Once a suspected fraud is reported, the City Auditor, in consultation with the City Solicitor, shall take immediate action to prevent the theft, alteration, or destruction of relevant records. Such actions include, but are not necessarily limited to, removing the records and placing them in a secure location, limiting access to the location where the records currently exist, and preventing the individual suspected of committing the fraud from having access to the records. The records must be adequately secured until the City Auditor obtains the records to begin the audit investigation.
7. Confidentiality. All […] in a fraud investigation shall keep the details and results of the investigation confidential. However, the City Auditor, in consultation with the Corporate Access and Privacy Office […] Toronto Police Service, may disclose particulars of the investigation […] if such disclosure would further the investigation.
8. Personnel Actions. If a suspicion of fraud is substantiated by the […] including dismissal, […] by the appropriate […] Human Resources Division, the City Auditor and the City Solicitor, in conformance with the City […] procedures. Unless […] circumstances exist, a person under investigation for fraud shall be given notice in writing […] particulars of the allegations following the conclusion of the audit investigation and […] disciplinary action being taken. Where notice is given, the person […] being made may submit a written explanation to the […] days after the notice is received. This requirement is subject to […] respecting the rights of employees during disciplinary proceedings.
9. […] discipline or suspend an employee; impose any penalty upon an employee; or intimidate or coerce an employee, because the employee has acted in accordance with the requirements of the policy. […] violation of this section will […].
10. Media Issues. Any […] contacted by the media regarding an alleged fraud or audit investigation shall refer the media to the Director of Corporate Communications. […] alleged fraud or audit investigation shall not be […] through the Director of Corporate Communications in consultation with the City Auditor. […] the investigation, the City Auditor […] responding to a media request for information or interview. The City Auditor and Director of Corporate Communications will determine […] and identify an […].
11. Documentation. At the conclusion of the investigation, the City Auditor will document the results in a confidential memorandum report to the Chair of the Audit Committee with a copy to the Chief Administrative Officer and the Commissioner. If the report concludes that the allegations are founded, the report will be forwarded to the Toronto Police Service. The City Auditor will also be required to make recommendations to the appropriate Commissioner which will assist in the prevention of future similar occurrences.
12. Completion of Investigation. Upon completion of the investigation, including all legal and personnel actions, any records, documents and other evidentiary material will be returned by the City Auditor to the appropriate department.
13. Reporting to External Auditors. The City Auditor will report to the external auditors of the City all information relating to investigations.
14. Annual Report. As directed by Council, the City Auditor will report, on an annual basis, information related to investigations conducted during the year.

Approved by City Council at the meeting of May 21, 2002.

Source: www.city.toronta.of.ca/auditifaild policy qiay@silnl; used with permission.

[…] it is vital that the company engage in incident […] that details what procedures are appropriate […] encountered. Much like a national defense […] what to do in the event of a security breach, […] written step […] the company should have a similar action plan. It also involves documenting incidents as they occur, including:

1. How the incident was brought to light;
2. Which systems were penetrated and specifically how they were accessed;
3. When (date and time) the fraud occurred;
4. Who the perpetrators were (or as much information as is known);
5. How the incident was resolved;
6. Costs attributable to this incident; and
7. Modifications to existing security needed to prevent similar incidents in the future.

The Auditor's Responsibility

Professional Guidance. Professional guidance […] the matter of fraud detection stems from the AICPA's Professional Standards, including SAS No. 1 and SAS No. 99. Additional guidance is provided by […] Information Systems Audit and Control […] Guideline […]. Therefore, we refer […] complete summary of this standard and how it applies to […].
SAS NO. 1, "CODIFICATION OF AUDITING STANDARDS AND PROCEDURES"

SAS No. 1 (as amended by SAS 82) states:

"The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by errors or fraud. Because of the nature of audit evidence and the characteristics of fraud, the auditor is able to obtain reasonable, but not absolute, assurance that material misstatements are detected."

The concepts of "reasonable assurance" and "material misstatement" are not used by accident. The only way an auditor could be certain there is not material misstatement is to audit every single transaction, […] not a cost-beneficial solution […] fraud. And even […] every single transaction is audited, there is still the possibility that fraud through collusion could go undetected. Instead, auditors rely on sampling procedures to provide reasonable assurance that the financial statements are free from material misstatement. The audit opinion reflects these concepts of reasonable assurance and material misstatement.

Having said that the auditor cannot audit every single transaction, we should point out that […] computer assisted audit tools such as ACL allow for "virtual" examination of whole populations of transactions. For example, the IT auditor might be interested in determining whether there is nepotism in the company. He or she might initiate a test using ACL to search for all employees with the same address. This test might or might not be successful in exposing nepotism in the company, as some addresses might be apartment complexes, etc. The point is that, in this example, every employee record can be examined through the use of ACL.

SAS NO. 99, "CONSIDERATION OF FRAUD IN A FINANCIAL STATEMENT AUDIT"

The Auditing Standards Board recently issued SAS 99, which supersedes SAS 82. The standard is effective for audits performed after December 15, 2002. This new standard provides enhanced guidance to auditors on fraud topics including an expanded definition of fraud, guidance on team discussions, professional skepticism, inquiries of management, a broader range of risk factors to consider, […], evaluation of internal controls, and the auditor's response to the risk […] identified during the risk assessment process.

Fraud Definition and Characteristics. SAS 82 recognized two main categories of fraud: asset misappropriation and fraudulent financial statements. The new standard […] the definitions […] in SAS 82 and incorporates the Fraud Triangle (see Figure 10-1) in […] the importance of considering opportunity, incentive/pressure, and attitude/rationalization […] of an audit. Research has consistently […] these factors […] instrumental in […] environments […].

Risk Assessment. SAS 99 […] assessing the risk of material misstatement due to fraud and […] to design the audit […]. Auditors were required […] to specifically consider "risk factors" as outlined in the standard. Additionally, auditors are required to exercise professional judgment in considering what […] risk factors may be present and to maintain an attitude of professional skepticism. Risk factors, characterized using the Fraud Triangle, are divided into risk factors for fraudulent financial reporting and risk factors for misappropriation of assets. The following risk […] continue to be important:

1. Management's attitude toward control;
2. Industry conditions; and
3. Operating characteristics and financial stability of the company.

Management's Attitude toward Control. As previously mentioned, management's attitude toward control is often referred to as the "tone at the top." It means looking at how management perceives security and control. Are there policies such as a code of ethics, a mission statement and statement of values, and a corporate fraud policy? The presence of such policies is indicative of a management team that cares about ethics and propriety of behavior.

Specific Industry Conditions. Companies that operate in difficult economic and regulatory environments are susceptible to external pressures that may create opportunity for fraud. The telecommunications industry, for example, has experienced many of the […] high-profile business failures. An auditor working in this industry should be aware of this situation and consider how a current engagement may be affected.

Operating Characteristics and Financial Stability. Operating characteristics and financial stability refer to company-specific items. Has the company experienced several years of declining profits? Has there been a significant turnover of key employees? Is there a large loan coming due for which cash is not available? Items such as these would normally be red flags to an auditor, who may or may not modify the audit procedures, depending on his or her professional judgment.

SAS 99 also requires the auditor to ask management directly if he or she is aware of any type of fraud within the company. Interestingly, some frauds that have later come to light were known or suspected by company employees. In many cases employees who are stealing from the company arouse suspicion by noticeable lifestyle changes and the appearance of living beyond their means. When asked why the employees didn't report the suspected fraud, they responded, "Because no one asked!"

Further Risk Assessment. SAS 99 requires extensive documentation of the auditor's risk assessment, understanding of the controls, and how risk factors were considered in the conduct of the audit. The auditor is charged with continually monitoring and assessing the risk of material misstatement due to fraud throughout the audit. The auditor's risk
The auditor’s risk assessment may affect the following elements of the audit:

1. Professional skepticism. In assessing risk, the auditor should maintain an attitude of professional skepticism. That is, the auditor should not assume management is dishonest, nor does the auditor assume unquestioned honesty; rather, the auditor should keep in mind that fraud is always a possibility and he should conduct the audit accordingly.
2. Assignment of personnel. The auditor’s assessment of the risk of material misstatement should also affect how the audit company decides to staff an audit engagement. […] businesses require highly […]
3. […] management’s choice of […] may need to further examine […]
4. […] to be deficient and thus a […] fraud, the auditor must, of course, lower […] or perhaps […] not rely on those controls at all.

[…] qualified personnel to an audit team was borne out by […]. Undoubtedly, one of the contributing factors to […] fraud at Enron was the technical nature of the special purpose entities established to hide much of Enron’s debt. It is unlikely that a first-year auditor with a bachelor’s (or even master’s) degree in accounting would understand the complexities inherent in such a technical series of transactions. One might argue that even a fairly experienced auditor may not grasp the intricacies of transactions like these. Only an auditor with specialized experience and training in SPEs would be likely to have a full understanding of this complex topic.

Case-in-Point 10-3

One of the contributing factors to WorldCom’s recent bankruptcy was its choice to capitalize expenditures that should have rightfully been expensed. When the corrections were eventually made, WorldCom’s assets and equities were so significantly affected that bankruptcy was the only alternative.

Team Discussions

While SAS 82 required a consideration of the possibility of material misstatement due to fraud, SAS 99 expands that consideration to include audit team discussions during planning to discuss the possibility of fraud. Experienced audit team members are expected to share their opinions as to the likelihood of fraud, based on their experience both with that client and with other clients.

Inquiries of Management and Others

The new standard requires auditors to inquire of management and others within the company as to the […]. The auditor is also to query the audit committee as to its understanding of the risk of fraud within the company. For those companies with an internal audit function, the external auditor is charged with querying the internal auditors, including asking them directly whether they are aware of any fraud within the company.

Revenue Recognition

You may remember from earlier in the chapter that the 1999 COSO study […] found that revenue recognition was at the root of 50 […]. This trend appears to be continuing […] improper revenue recognition. See Case-in-Point 10-4.

Case-in-Point 10-4

Recently Qwest Communications came under fire for improperly recognizing […] billion dollars in revenue. As a result, the company expects to restate […] earnings accordingly.

The new standard requires auditors to specifically consider risks related to revenue recognition, including performing analytical procedures to identify any potential problem areas in how the client recognizes revenue.

Evaluation of Management’s Programs and Controls

SAS 82 required the auditor to consider management’s programs and controls in place to prevent, deter, or detect fraud.
The new standard enhances this requirement by mandating that auditors consider whether these programs have been adequately designed and placed in operation.

The existence of management override is explicitly stated as a consideration in the auditor’s risk assessment. As even a novice accounting student or auditor knows, the best controls become essentially worthless if a member of management exercises his or her authority to circumvent those controls. (See Case-in-Point 10-5.)

Case-in-Point 10-5

Two middle-level executives at WorldCom were not comfortable with their boss’ instructions to capitalize certain expenditures that they knew should be expensed according to GAAP. In fact, one of them gave serious consideration to resigning over the issue. But they did it anyway. After all, their boss was the CFO of a major multinational corporation! As a result, these two midlevel executives are facing substantial jail time and millions of dollars in fines. If only the external auditors had asked these two employees about the existence of management override, perhaps the employees would not be facing jail today.16

Technology Implications

The new standard also notes the importance of technology in the conduct of an audit, including the appropriate use of computer assisted audit tools and techniques (covered in detail in Chapter 8). The standard also provides examples and commentary to guide the auditor in this area.

Evaluation of Audit Tests

Once the audit has been conducted, the auditor must evaluate the test results again and consider whether the evidence gathered in aggregate affects the initial assessment of the risk of material misstatement. According to the standard, the procedure is:

1. Determine whether any misstatements identified in the conduct of the audit are likely to be a result of fraud.
2. Determine whether the misstatement is material. If so, or if the auditor cannot make this determination, he or she should:
   a. Consider the implications for the audit as a whole;
   b. Discuss the situation with senior management and with management at least one level above those suspected to be involved and with senior management and the audit committee. If the fraud involves senior management, it should be reported directly to the audit committee;
   c. Attempt to obtain additional evidence to determine if material fraud has occurred and the effect on the financial statements;
   d. Suggest that the client consult with legal counsel.
3. If the fraud is not material, […] may exist, and the auditor should still consider whether a […]. In particular, the auditor should consider the […] employee(s) suspected to be involved in the fraud.

[…] withdrawing from the engagement if the fraud is pervasive and the […] the auditor should […] himself or herself as to overall audit risk. If this happens, the auditor should […] the audit committee why the withdrawal was necessary. The auditor may […] seek legal advice when considering withdrawing from […].

The auditor […] disclose the existence of fraud to others outside the company. However, if a successor auditor makes inquiries in accordance with SAS 84, Communications Between Predecessor and Successor Auditors, the auditor […] an auditor responding to a […].

Future Plans by the Accounting Profession Regarding Fraud

The AICPA is eager to help the accounting profession regain some of its lost credibility and restore its reputation. To this end, AICPA president Barry Melancon in late 2002 announced the creation of the Institute for Fraud Studies, to be established in conjunction with the University of Texas at Austin and the Association of Certified Fraud Examiners. This institute will assist investors in protecting themselves against fraud.
The AICPA also has a number of other initiatives on the forefront, including the design of anti-fraud criteria and controls for public corporations, and training for students and professionals (both accountants and corporate America) on anti-fraud measures.17

The Corporate and Auditing Accountability, Responsibility, and Transparency Act of 2002 (Sarbanes-Oxley Act)

The Sarbanes-Oxley Act was signed into law by President George W. Bush on July 30, 2002. The law instituted sweeping changes in the accounting profession, which, until that point, had been largely a self-regulating profession. This law created new responsibilities for both the accounting profession and corporate America.

PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD

Under Sarbanes-Oxley, the Public Company Accounting Oversight Board […] to regulate the accounting profession. Public companies and their auditors are required to register with the board and pay registration […] the board’s operations. The board, composed of five independent […], […] adopt standards set by the AICPA and other standard-setting bodies, investigate members, and discipline those found to be in violation […] breaches, […] competency considerations.
AUDIT COMMITTEE RESPONSIBILITIES

Audit committees […] the audit process. Under the new […] the auditor’s work, as opposed to the auditor […]. Audit committees must preapprove all audit and nonaudit services […] by the auditor, and the auditor must report disagreements between the auditor and management […] to the audit committee.

SPECIFICALLY PROHIBITED ACTIVITIES

[…] independence has long been a con[…]. The law lists eight nonaudit services that […] from providing, plus one additional generic service: […] and implementation; […] valuation services, fairness opinions, or contribution-in-kind reports; […] and human resources services; investment advisor […]; […] or expert services unrelated to audit services; and […] services the Public Company Accounting Oversight Board deems to […].

[…] as to what “expert services” exactly refers to in item number […] preparation of the client’s tax return? Such work has been standard […] has been considered part of the audit engagement in many […] law is so new, these nuances will be worked out over time.

CONDUCT AND ADMINISTRATION OF THE AUDIT

Many audit failures […] a failure of the auditor to maintain professional skepticism. This […] same audit team is in charge year after year and establishes an almost […] the client. Under these circumstances, the auditor’s objectivity […] compromised. The new law is designed to prevent this type of relationship […] requiring mandatory lead audit partner rotation every five […] lead audit partner, audits will require a thorough review by […] also now required to assess the company’s system of internal control […] the conduct of the audit.
The auditor attests to the accuracy of management’s assertions on the effectiveness of the company’s internal […]. The auditor is required to thoroughly document testing done […].

CRIMINAL SANCTIONS AND WHISTLE-BLOWER PROTECTION

Largely as fallout from the Enron fraud and subsequent collapse of its auditor, Arthur Andersen, auditors now face criminal penalties including up to ten years in prison for willfully failing to maintain audit workpapers for a minimum of five years. Likewise, destroying documents relevant to a federal investigation can cost the perpetrator twenty years in prison. Personal loans to executives, such as the $400 million in personal loans Tyco made to its CEO, Dennis Kozlowski, are now prohibited. And the statute of limitations on securities fraud claims will now run the lesser of five years from the fraud occurrence or two years after the fraud was discovered. Finally, whistle-blowers such as Sherron Watkins at Enron are extended protection against companies that may […] retaliate against them. Additionally, they are granted special damages […].

FORENSIC AUDITING

[…] committed and what the auditor and corporate […] responsibilities are with respect to fraud prevention, deterrence, and detection, let’s turn […] area of auditing called “forensic auditing.”

What Is Forensic Auditing?

[…] store. You have a trusted bookkeeper who […]. The problem is, while the inventory balance is […], the […] is driving a new BMW while collecting a modest salary. You hate to think the bookkeeper might be dishonest […]. Suspicions like these […] how honest the bookkeeper […] lead you to contact a specialist in forensic auditing to see if a fraud has been […].

A forensic accountant is hired by a company that either […] but doesn’t have proof or that knows a fraud has been perpetrated but doesn’t know how extensive the loss is. Thus, the forensic accountant functions much like a detective […] goal […] to find out who perpetrated the fraud, how […] was perpetrated, and how much money or other assets the company has lost as a result of the fraud.

Forensic accountants actually do many other types of services, including reviewing […] controls, conducting penetration testing, performing background […] on current or prospective employees, or providing litigation support such as serving as expert witnesses in criminal or civil court proceedings. Because this book is written mainly for IT auditors, we will focus on computer forensics.

What Can Computer Forensics Do?

Computer forensics involves the discovery and retrieval of electronic data on a computer or electronic media such as tape, CD, DVD, or disks. Many times these files have been deleted. In the case of fraud, they are usually purposefully deleted. What the individual usually doesn’t know, however, is that deleted files are not really deleted. They are stored intact in a different place on the computer’s hard drive (or other electronic media). They can stay there for several years, assuming the computer’s hard drive doesn’t fill up and overwrite the files. Even if the hard drive is reformatted, the information can be retrieved. Most forensic experts say that a disk wiping utility would need to wipe the hard drive seven times before one could be assured that no data is retrievable.

In addition to recovering deleted files, a forensic accountant can recover works in progress. Say that an individual is constructing a phony invoice. This process requires several steps, including making the invoice template, […] logo, and filling in the invoice. Each of these steps might be […] retrieved as evidence in a criminal investigation.

[…] accountants are […] called in to investigate an employee’s inappropriate use […] is a source of great interest in many […] investigations. […] recovering deleted files. Most deleted e-mail […] recovered intact along with files that might have been originally attached. […] can also discover which Internet sites the employee has visited, […] downloaded, and […].

Conducting the Forensic Investigation

DEVELOPING A FRAUD THEORY

Usually the forensic accountant walks into a company […] which he or she has little to no prior knowledge. The first order of business is to become familiar with the company—from the employees to the jobs they perform. […] under suspicion, the accountant has a starting point. […] accountant must start from square one—the Fraud Triangle.

You will remember from earlier in the chapter that the Fraud Triangle involves considering opportunity, incentive, and rationalization. Opportunity is the most important piece of the triangle. Without opportunity, fraud cannot occur. So, who has the opportunity […] company? Once you identify the possible perpetrators, who might be under pressure? And then, who might be prone to justifying or rationalizing a theft? Putting these pieces together will often lead the forensic accountant to one or […] and the formation of a working hypothesis. The hypothesis is then tested […] evidence and refined as needed.

GATHERING EVIDENCE

When a suspect is identified and a working hypothesis has been developed, the next step is to begin the arduous process of obtaining evidence. This process doesn’t happen without extremely careful planning and execution because evidence is the foundation of the legal case against the perpetrator. Compromising of the evidence either as it is collected or while it is in custody can make it inadmissible in court. The Rules of Evidence require that a strict chain of custody be maintained for the forensic investigator. This means a written log is kept of all evidence gathered. Figure 10-12 shows a sample chain of custody form.
In court proceedings, this form will be subpoenaed and come under scrutiny, so the investigator must take great pains to comply meticulously with this requirement. Evidence is […] otherwise. The investigator must be able to explain where the evidence was […] changed hands, who authorized the change in custody, and what types […] performed on the evidence.

[…] investigation begins, it is essential for the auditor to “freeze” the audit […]: system logs, access logs, firewall logs, backup logs, and any other logs the […] uses to monitor its systems. Freezing the logs means making an immediate copy […]. This ensures that a clear record exists up to the moment the investigation begins.

[FIGURE 10-12 Sample Chain of Custody Record. Form fields: evidence gathered; name of custodian; purpose for change in custody; date and time of change in custody; tests or procedures performed; change in custody authorized by.]

If necessary, the forensic investigator may be empowered to seize the computer of the […] fraudster, assuming […] computer is on company premises. If it is, this seizure would not violate a person’s Fourth Amendment rights against unlawful search and seizure. A search warrant is not needed since the company, and not the employee, owns the computer. However, […] that a person working at home on a company computer would be protected under the Fourth Amendment, and a search warrant would be needed.

INTERVIEWS

During the evidence-gathering phase, the investigator will likely interview individuals […] company. These include perhaps someone suspected of fraud, […] peripheral to the suspect. The value of a “tip” cannot be underestimated […] percent of all frauds are discovered through tips.19

[…] skill involved in approaching this interview. For example, the interviewer […] try to project a nonthreatening image. The more relaxed the suspect is, the more likely he or she is to let their guard down. An icebreaker is a good way to proceed. The investigator should have a planned list of questions, tailored to the individual being interviewed. Questions such as, “Do you know of anyone in the company who might be committing fraud?” seem almost too direct to work, but they often do. Many times employees are just waiting to be asked!

Interviewing the suspect requires a great deal of finesse and patience. And it requires knowing what kinds of verbal and nonverbal cues to look for. Verbal cues include changes in speech pattern, using oaths or swearing, sudden selective memory, and feigned unconcern (a classic symptom of dishonesty). Nonverbal cues include breaking eye contact, shifting body positions, crossing and recrossing arms and legs, and removing eyeglasses.20 Experts also note other interesting characteristics of dishonesty. For example, people who are being dishonest don’t use contractions in their speech. They tend to speak very adamantly. Further, someone under a great deal of stress will often keep their arms and legs crossed for long periods. In other words, they will maintain a very closed body position. Experts note that confessions rarely, if ever, come from an individual in this body position.

INVIGILATION

Another technique for gathering evidence is invigilation. This technique involves imposing such strict internal controls as to completely eliminate any chance for fraud to occur. The purpose of invigilation is to eliminate fraud for a period of time and then compare that period with a time when the controls were not in effect. The key question: What’s different?

INDIRECT METHODS OF PROOF

The evidence that has been mentioned so far has been concerned with direct methods of proof. That is, you’re seizing computers, making copies of hard drives, interviewing employees, and perhaps employing techniques such as surveillance and invigilation. There are indirect methods of gathering evidence as well. These include looking at the suspect’s financial profile, including his or her assets, debts, salary and other revenue sources, and expenses and expenditures. A credit report will often turn up financial information such as liens or judgments against an individual.

Looking at the individual’s lifestyle is also an easy and useful technique. Like the bookkeeper earlier, is the suspect earning $20,000 per year and driving a new BMW? Does the individual take expensive vacations and wear expensive clothes and jewelry? Does he or she own an expensive home that appears beyond his or her financial means? Of course, just because someone makes $20,000 per year and drives a BMW and lives in a mansion doesn’t mean he or she is a crook. There are other legitimate reasons this person might be able to afford that lifestyle. But it certainly is worth looking at.

Prosecution

It is the client’s decision whether or not to prosecute an employee who has committed occupational fraud. While some companies do not prosecute out of fear of embarrassment or negative publicity, most (about […] percent) do prosecute the person suspected of fraud.

A criminal case has the heaviest burden of proof: beyond a reasonable doubt. This is often practically translated into a 95 percent assurance standard. If that burden is not met, the company may seek judicial relief in a civil proceeding. Here the burden of proof is considerably less. Guilt must be proved by a reasonable “preponderance of the evidence.” Practically speaking, this translates into a 51 percent standard.

For a fraud conviction to occur, the common-law “fraud statute” requires the presence of four elements:

1. Misrepresentation of a material fact. What is “material” is often decided by the “reasonable man” standard. That is, if a reasonable man would have acted differently had the fact been correctly known, it will be deemed to be material.
2. Intent to defraud. This is often the most difficult component of the fraud statute to prove. The “it was an accident” defense is vitiated by repetition of the act.
3. Justifiable reliance. The victim must have relied on the misrepresentation.
4. Resulting in an injury. The injury must be quantifiable in economic terms; for example, lost wages or lost revenue.

The Forensic Auditor’s Tool Kit

Obtaining electronic evidence will involve the use of special forensic tools and utility programs to either recover data from the hard drive or make an image of the suspect’s hard drive. Figure 10-13 shows a list of the tools that might be considered the essential toolkit for a forensic auditor.21

A screwdriver and pliers are needed if the computer case must be disassembled. Once you have access to the computer’s hard drive, you must use some type of archive media to dump the contents of the drives being copied. Another hard drive is an option, but this can become expensive quickly. Tape is a practical medium due to its affordability. A recordable CD-ROM doesn’t have the high capacity usually needed. A recordable DVD has the highest capacity, at 4.7 gigabytes.

A digital camera is a must for photographing the exact condition of the computer, in case the computer must be reassembled in exactly the same way. You also want to photograph what’s on the monitor.

The other items listed in Figure 10-13 are mostly applications that forensic auditors use to gather electronic evidence, including disk wiping, disk imaging, hash calculating, search, file and data recovery, and password cracking utilities.

Disk wiping is used to ensure that the hard drives and removable media are thoroughly cleaned prior to processing evidence. The wiping process overwrites all data with binary information. Disk imaging is a read-only process used to create an image of the computer’s hard drive. The operating system is not involved in disk imaging.
The process creates a bit-stream backup that preserves every bit of information on the source computer’s hard drive. To verify that the source and destination files are exactly the same, hash calculations are used. A hashing algorithm calculates a 42-bit hash value for both the source and destination computers. If even a single bit is changed, the two hash values will not match. Search utilities allow forensic auditors to search for text […] on hard drives. File and data recovery is […] EnCase. EnCase, made by Guidance Software, has gained significant respect in the forensic accounting world, mainly because the software has repeatedly held up under rigorous court scrutiny. EnCase can also handle the needs of most routine forensic accountants, some of whom will feel EnCase is the only forensic tool one really needs.

Computer assisted audit tools such as ACL can be invaluable in helping the IT auditor detect fraud. This topic is covered in detail in Chapter 8.

[FIGURE 10-13 The Forensic Auditor’s Essential Toolkit. Source: Information provided by JANUS Associates, Inc. Used with permission.]

SUMMARY

[…] serious problem. This chapter has presented statistics showing the nature and extent of […]. Both corporate America and the auditing profession have […] fraud prevention, deterrence, and detection. Recent legislation, the Sarbanes-Oxley Act, […] the result of numerous high-profile fraud cases over the recent past. This […] implications for both corporate America and the auditing profession. Forensic […] retrieve deleted data and files, even after those files have been deleted. […] followed, including the chain of custody requirements. Tools for the […] discussed. The IT auditor should be aware of the various types […] chapter.
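The image verification and chain of custody record described in this chapter, as an added example that is not from the book: a constructed sample "drive" is copied bit for bit, source and copy are hashed and compared, and the image is re-hashed at every change of custody. SHA-256, the hash-linked log entries, and all names (`image_and_verify`, `CustodyLog`, `EXHIBIT-001`) are assumptions of this example; the log fields follow the columns of the sample chain of custody form.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 64 * 1024  # streamed reads keep memory use flat for multi-gigabyte images


def hash_stream(stream, algorithm="sha256"):
    """Return the hex digest of everything left to read in a binary stream."""
    digest = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(CHUNK), b""):
        digest.update(block)
    return digest.hexdigest()


def image_and_verify(source, destination, algorithm="sha256"):
    """Bit-stream copy: hash the source while copying, then re-read the copy and compare.

    `source` is only ever read. `destination` must be readable and seekable
    (for a real file, open it with mode "w+b").
    """
    source_digest = hashlib.new(algorithm)
    copied = 0
    for block in iter(lambda: source.read(CHUNK), b""):
        source_digest.update(block)
        destination.write(block)
        copied += len(block)
    destination.flush()
    destination.seek(0)
    image_hash = hash_stream(destination, algorithm)  # independent second pass
    source_hash = source_digest.hexdigest()
    return {"algorithm": algorithm, "bytes": copied, "source_hash": source_hash,
            "image_hash": image_hash, "verified": source_hash == image_hash}


def _entry_digest(entry):
    """Hash a log entry's fields (all but its own hash) in a stable key order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Log of custody changes; each entry re-hashes the image and links to the previous entry."""

    def __init__(self, evidence_id, acquisition):
        self.evidence_id = evidence_id
        self.algorithm = acquisition["algorithm"]
        self.acquisition_hash = acquisition["image_hash"]
        self.entries = []

    def record(self, custodian, purpose, tests_performed, authorized_by, image, when=None):
        image.seek(0)
        current = hash_stream(image, self.algorithm)
        entry = {
            "evidence_id": self.evidence_id,
            "custodian": custodian,
            "purpose": purpose,
            "changed_at": (when or datetime.now(timezone.utc)).isoformat(),
            "tests_performed": tests_performed,
            "authorized_by": authorized_by,
            "image_hash": current,
            "matches_acquisition": current == self.acquisition_hash,
            "previous_entry_hash": self.entries[-1]["entry_hash"] if self.entries else None,
        }
        entry["entry_hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry

    def log_intact(self):
        """True only if no entry was edited, removed or reordered after it was written."""
        previous = None
        for entry in self.entries:
            if entry["previous_entry_hash"] != previous or _entry_digest(entry) != entry["entry_hash"]:
                return False
            previous = entry["entry_hash"]
        return True


def demo():
    # Constructed sample data: 200,000 bytes standing in for a suspect's hard drive.
    drive = io.BytesIO(bytes(range(256)) * 781 + b"\x00" * 64)
    image = io.BytesIO()
    acquisition = image_and_verify(drive, image)

    log = CustodyLog("EXHIBIT-001 (constructed)", acquisition)
    first = log.record("A. Examiner", "acquisition", "disk imaging, hash calculation",
                       "Audit committee chair", image)

    # One flipped bit models any change to the image while it is in custody.
    altered = bytearray(image.getvalue())
    altered[12345] ^= 0x01
    second = log.record("B. Analyst", "text search", "keyword search",
                        "A. Examiner", io.BytesIO(bytes(altered)))
    return acquisition, first, second, log


if __name__ == "__main__":
    acquisition, first, second, log = demo()
    print("image verified at acquisition:", acquisition["verified"])
    print("hash still matches at first transfer:", first["matches_acquisition"])
    print("hash still matches after alteration:", second["matches_acquisition"])
    print("custody log intact:", log.log_intact())
```

The same `hash_stream` call can be pointed at copies of frozen system, access, firewall and backup logs so that each copy carries a hash recorded at the moment the investigation began.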
