Professional Documents
Culture Documents
net/publication/257866207
CITATION READS
1 7,621
4 authors:
24 PUBLICATIONS 29 CITATIONS
College of Finance and Accounting FINra
20 PUBLICATIONS 51 CITATIONS
SEE PROFILE
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Nataša Simeunović on 22 May 2014.
Abstract: As current business practices are changing, leaving more room for fraudulent activity, the new field of forensic accounting emerged. Fraud
is growing and can be a huge problem for a business or a government entity. Most frauds involve financial matters, so accountants are the most
useful people to investigate them. Forensic accountants are specially trained to investigate and report fraud in courtroom. For this reason, forensic
accountants are often called fraud investigators or fraud examiners. Despite the fraud takes many forms, usually it is theft of funds or information or
misuse of someone's assets. In this paper, we detailed a case of Excel file financial fraud forensic analysis. We outline some of the difficulties involved
in tracing a fraudster by using some different approach than those well described in classic forensic examination such as postmortem, data mining
and other techniques 5, 8, 20, 4. In forensic examination step we used open sourced Deft 7.1 Digital Evidence & Forensic Toolkit 22 and verified
results by another forensic tool, Meld - a visual diff and merge tool for compare files and directories. We refer to our process as combined digital
forensic and accountant investigation. We conclude by discussing some future work that needs to be done before this approach can be properly
evaluated.
These journals are included on ISI Web of knowledge regional Journal Expansion European Union 2010, multidisciplinary fields
http://isiwebofknowledge.com/products_tools/multidisciplinary/webofscience/contentexp/eu/
88 vol. XVIII no. 10 (2013) METALURGIA INTERNATIONAL
deception etc. Therefore, fraud, theft, irregularities, white-collar Revenue recognition earlier than a product was sold;
crime and embezzlement are almost synonyms 23. The main factors
that influence someone to commit a fraud are shown in the Figure 1.
Unusually high revenues and low expenses at the balance;
Growth in inventory that does not match growth in sales;
Capitalization of expenses in excess of industry norms;
Reported growing earnings as cash flow is declining;
Far greater growth in revenues than in other companies;
Gross margins out of line with peer companies;
Unusual increases in the book value of assets;
Impossible to determine the transaction actual nature;
Changed or deleted invoices in the financial books;
Figure 1: The fraud triangle 23 Written off loans to executives or other related parties etc.
Following a standard investigative methodology is crucial to
Pressure or motivation refers to something from the successful and effective computer forensic 5, 8, 23.
fraudster’s personal life that motivates him/her to steal. 1. Protect authenticity of the data sources.
Rationalization is how do fraudsters justify their criminal actions? 2. Discover and recover all files needed for investigation.
Opportunity is perpetrator’s position of trust or a weakness in, or 3. Analyze the collected data and create the chain of custody.
absence of internal controls that provides the circumstances for 4. Summarize findings, and make a log of all extracted data.
fraudster to commit a crime 23. In typical financial fraud crime case, forensic examiner need
to take forensic image of the accounting computer and software, and
4. REVIEW OF SOME KNOWN FORENSIC ACCOUNTING keep one copy as reference and other one as working copy [19, 20].
APPROACHES So, forensic examiner can parsed information from the user’s
RecentDocs Registry key, and the key that listed Excel spreadsheet
Forensic accountants can uses some mathematical models, from the Outlook temporarily file (.pst) and other file server where
such as Benford’s Law and Relative Size Factor (RSF), as well as users could possibly store data in regular backup process. In next step
data mining techniques 4. he can extract metadata and see recent modification dates and who
The Benford's Law, as a duplication program, runs using has opened or edited or printed spreadsheet. These metadata includes
Microsoft Excel 2007 on Windows XP. The basis of this law is that time stamps correlated to file system and Registry time stamps, too
fabricated figures (an indicator of fraud) possess a different pattern [17]. The following data can be saved as hidden information inside
from random (or valid) figures 4. Despite of having few MS Excel documents metadata [3, 14]:
advantages, the Benford’s law has many limitations. The detailed • The names/initials of user, computer and company
description is done in book 16. The Relative Size Factor (RSF) • The name of the server or HD where user saved data
detects unusual data that may be caused by errors or frauds 4. • Other file properties and summary information
The exponential growth of big data and technology 11, • Non-visible portions of embedded OLE objects
complex financial transactions and smarter fraudsters pose huge • The names of previous authors and document revisions
problems to the forensic accounting technique. So, some advanced • Hidden text and hidden cells
techniques such as data mining can help forensic accountants, to 4. • Globally Unique Identifiers (GUIDs), etc.
Some of the general characteristics of fraudulent data transactions Unfortunately, according to Microsoft’s Knowledge Base [18]
patterns that can be discovered by specific data mining tools are as it is too difficult (if not impossible) to prove when an individual cell
follow 4: or sheet has been modified in a MS Excel file, especially if the track
a) Unusual variables or entries of transactions. changes are not enabled previously.
b) Unusually high or low value of a variable. But sometimes forensic accountant could be given Excel or
c) Accounting transactions are maintained in various files. another spreadsheet file to be examined. So, document analysis must
d) Unexplained values of two or more unrelated records. be involved to find out how many times the file has been "revised",
and when the last editing occurred, and the name of the user account
4. FORENSIC ACCOUNTING CASE EXAMINATION that performed the last editing, as well as the last time it was printed
As the most frauds involve financial matters, so the most etc. 14, 17].
logical people to investigate them are accountants. However, In this case, the main accountant from the company “X” has
sometimes fraud can be very complex and a digital forensic examiner given to the forensic examiner two MS Office Excel files, only - one
has to be involved in investigation. Otherwise, accountants have to from the ledger at the time of auditing, and the other one from the
be specially trained for digital forensic. backup copy file. The forensic requirements did not include Excel
The very first task in forensic accounting is to apply digital metadata analysis. Also, software forensic, that can be used to
forensic procedures for collection, preservation, acquisition, analysis identify its author [6], can’t be easily applied to Excel, as financial
and reporting digital evidences in courtroom 5, 8, 15, 19, 20. fraud could include only one number. So, the forensic examiner
However, financial fraud involves deliberately overstating assets, regularly checked size of both files and realized that they were the
revenues and profits or understating liabilities, expenses, and losses, same. Then he used open sourced DEFT 7.1 digital evidence and
in such way that the forensic examiner can’t understand properly. So forensic toolkit 22, verified file signature and applied file
expertise of the professional accountant could be inevitable. When comparison technique. Applying these techniques on the sheets with
forensic examiner and accountant together investigate financial the thousands of entries is very useful, because it reports on the
fraud, they should go into digital and other evidences and look for so differences between the cells on separate sheets. The forensic
called red flags or accounting warning signs from all of the data examiner compared both Excel files without metadata (.csv format);
sources, such as [7, 12]: using their MD 5 hash values (Figure 2).
The hash values prove that those files are not the same, as method initiated with content (Figure 3), was the next step 21.
shown in Figure 2. Checking percentage of the files similarities,
using technique of homogenous files discovery by segmented hashing
These journals are included on ISI Web of knowledge regional Journal Expansion European Union 2010, multidisciplinary fields
http://isiwebofknowledge.com/products_tools/multidisciplinary/webofscience/contentexp/eu/
METALURGIA INTERNATIONAL vol. XVIII no. 10 (2013) 89
Figure 3: Homogenous files identification by segmented hashing initiated with content method
So, 99% of the two files similarities are identified, suggesting displays differences between the two files, made per line for text files
that a small change has been made in one of the two files. (Figure 4) 22.
The forensic examiner used Diff file comparison utility that
Figure 4: Application of Diff utility to find out differences between the two files
Results of the Diff tool application are shown in the Figure displays more clear results (Figure 5). As shown in Figure 5 the two
4. The two differences, identified in the rows no. 5020 and 5022, changes are displayed and the number of 1,000 000 has been
have been changed (red arrows) in the backup file. The forensic changed with 100 000 one. So, main accountant accepted these
examiner verified the proof using another forensic tool, Meld. This evidences as a proof that the suspected accountant has made these
tool, using a GUI interface, verified differences among files and changes.
displayed discovered ones. Despite it is slower than Diff tool; it
5. FORENSIC ACCOUNTING CASE RECONSTRUCTION forensic examination, the main accountant of the company “X” took
over this forensic report in order to reconstruct the case. According to
As it was case of internal corporate investigation, after the internal audit in the company “X” at the end of 2012 year,
These journals are included on ISI Web of knowledge regional Journal Expansion European Union 2010, multidisciplinary fields
http://isiwebofknowledge.com/products_tools/multidisciplinary/webofscience/contentexp/eu/
90 vol. XVIII no. 10 (2013) METALURGIA INTERNATIONAL
financial auditor realized some differences between two financial [5] E. Casey, Digital Evidence and Computer Crime, Third
reports - one reported as half year balance and another one as final Edition: Forensic Science, Computers and the Internet, ISBN-10:
financial report. Thus, for the first half of year (2012) the company’s 0123742684, Academic Press,2006.
recently employed accountant has already made the financial records [6] E. H. Spafford, S. A. Weeber, Software Forensics: Can We
that have been approved by internal auditor. Meantime, the main Track Code to its Authors?, Purdue Technical Report CSD–TR 92–
accountant has become suspicious about some activities of the 010, SERC Technical Report SERC–TR 110–P, Department of
recently transferred and employed accountant. Therefore, he ordered Computer Sciences, 1398 Computer Science Building, Purdue
taking backup of ledger as mandatory at the time of final report. In University, West Lafayette, IN 47907–1398, 19 February 1992.
accordance with company’s backup rule - to keep backup files [7] F. Kass-Shraibman, Vijay S. Sampath, Forensic Accounting
outside of the company, the related accountant copied the ledger in For Dummies, 2009.
Excel file onto his removable hard drive and he brought it to his [8] H. Carvey, Windows Forensic Analysis DVD Toolkit, Ch. 8,
house. Later on, the accountant changed, at the same time, some data pg. 411, Syngress Publishing. Inc. ISBN 13: 978-1-597-422—9,
on the backup file and replaces them instead of already reviewed 2009.
ledger files. Since these data have been already approved at the first [9] http://en.wikipedia.org, Forensic accountant, (accessed at 10
half of year (2012) and the changes decreased greatly debts of the of May 2013)
company „F“, the accountant has received some money from the [10] http://en.wikipedia.org/wiki/Computer-aided_audit_ tools
debtor. When he bought a new car, manager of the company “X” has CAATs (Accessed 20.02.2013)
become suspicious and ordered internal investigation by main [11] IBM, Big data at the speed of business, http://www-
accountant who hired forensic examiner as a consultant to help them. 01.ibm.com/software/data/bigdata, (accessed at May 2013)
[12] J. Seward, R.Winters, Forensic Accounting - the recorded
6. CONCLUSION electronic data found on Computer Hard Disk Drives, PDAs and
numerous other Digital Devices, LLC NY 10016,
Forensic accountants and fraud auditors must know the fraud JSeward@RWCPAs.com, 2013.
process very well. They must know how perpetrators are doing fraud [13] J. R King, Document Production in Litigation: Use an Excel-
and the characteristics of the various fraud schemes. This Based Control Sheet, National Association of Valuation Analysts,
information enables them to perform effectively their investigation or March 4, 2009.
fraud prevention programs. These fraud schemes are a major part of [14] J. R. Jones, Document Metadata and Computer Forensics,
the critical knowledge it takes for fraud auditors and forensic James Madison University Infosec Techreport, Department of
accountants to do an effective job. Another major part is the Computer Science, JMU-INFOSEC-TR-2006-003, 2006.
understanding of the red flags associated with these fraud schemes. [15] Jones, J. K., Bejtlich, R., Rose, W. C., Real Digital Forensics
Forensic accounting is the better way to protect accounting - Computer security and incident response, Addison‐Wesley, 2008.
files or logs unchanged than just audit them. It can prove which users [16] M. Nigrini, Benford's Law : Applications for Forensic
accessed what files, which changed or deleted them, who copied Accounting, Auditing, and Fraud Detection, ISBN: 978-1-118-
what and where? File integrity is paramount for every governing 15285-0, John Wiley & Sons, Inc., 2012.
regulation and is part of every company security or digital forensic [17] M. Nigrini, Forensic Analytics: Methods and Techniques for
policy. Forensic Accounting Investigations, ISBN: 978-0-470-89046-2,
In this paper forensic examination of financial fraud is proved Wiley and Sons, 2011.
by use of the two forensic tools, Diff and Meld. In this fraud [18] Microsoft Knowledge Base, How to minimize metadata in
examination two problems are identified. First, accounting Excel Microsoft Excel workbooks, Article ID: 223789, Revision: 5.1, 2007.
files did not have Track changes activated, and, second, accountant’s [19] M. Milosavljević, G. Grubor, Computer Crime Investigation,
database server wasn’t available to the examiner. This case of the University Singidunum, 2010.
corporate fraud investigation proved that both forensic examiner and [20] M. Milosavljević, G. Grubor, Computer System Digital
financial accountant together give the best results in financial fraud Forensic, University Singidunum, 2009.
examination. Forensic examiner followed strict forensic investigation [21] N. Ristić, A Jevremović, M Veinović, Homogenous files
procedure, as the case could ends in the courtroom. Financial identification by segmented hashing initiated with content,
accountant performed analysis of forensic examination results, Telecommunications forum TELFOR 2012, 20-1665-1668.
reconstructed fraud case and proved main accountant’s suspicious. [22] S. Fratepietro & all, DEFT 7 Manual,
For confirmation of the financial accountant and digital http://en.wikipedia.org/wiki/Diff, 2013.
forensic examiner preferable team work, much more financial fraud [23] T. W. Singleton, A. J. Singleto, Fraud Auditing and Forensic
cases should be investigated and analyzed in future. According to the Accounting, Fourth Edition, John Wiley & Sons, Inc., 2010.
authors opinions, both digital forensic examination and financial
accounting are quite complex to be investigated by the same person. Correspondence to:
Probably, very few people could do alone any typical financial fraud Gojko GRUBOR,
investigation properly. ggrubor@singidunum.ac.rs, Department of Informatics and
Computing, Singidunum University Belgrade, Serbia
7. REFERENCES Kosana VIĆENTIJEVIĆ,
kvicentijevic@singidunum.ac.rs, Department of Business
[1] B. K B Kwok, Forensic Accountancy, 2nd editions, Economics, Singidunum University, Belgrade, Serbia
LexisNexis, 2008. Zoran PETROVIĆ,
[2] D. Winch, Finding and using a forensic accountant, zpetrovic@singidunum.ac.rs, Department of Business Economics,
http://www.accountingevidence. com/documents/ Singidunum University, Belgrade, Serbia
articles/Forensic%20accountant1.pdf , October 2007. Nataša SIMEUNOVIĆ,
[3] D. Kernan, Hidden Data in Electronic Documents, GIAC nsimeunovic@sinergija.edu.ba, Department of Business
GSEC Practical (v.1.4b, Option 1), SANS Institute InfoSec Reading Economics, Ph.D student, Singidunum University, Belgrade,
Room, 2004. Serbia.
[4] Dr. P.K. Panigrahi, Discovering Fraud in Forensic
Accounting Using Data Mining Techniques, 1426 The Chartered
Accountant, April 2006.
These journals are included on ISI Web of knowledge regional Journal Expansion European Union 2010, multidisciplinary fields
http://isiwebofknowledge.com/products_tools/multidisciplinary/webofscience/contentexp/eu/