See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/257866207

Excel file financial fraud forensic analysis - Case study

Article  in  Metalurgia International · January 2013

CITATION READS

1 7,621

4 authors:

Gojko Milan Grubor Kosana Vićentijević

Sinergija University Akademija strukovnih studija Zapadna Srbija odsek Valjevo
35 PUBLICATIONS   74 CITATIONS    93 PUBLICATIONS   85 CITATIONS   

SEE PROFILE SEE PROFILE

Zoran Petrovic Nataša Simeunović

24 PUBLICATIONS   29 CITATIONS   
College of Finance and Accounting FINra
20 PUBLICATIONS   51 CITATIONS   
SEE PROFILE
SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Stanje i perspektive konjičke industrije u Republici Srbiji View project

FINIZ 2016 View project

All content following this page was uploaded by Nataša Simeunović on 22 May 2014.

The user has requested enhancement of the downloaded file.

METALURGIA INTERNATIONAL vol. XVIII no. 10 (2013) 87

EXCEL FILE FINANCIAL FRAUD FORENSIC ANALYSIS – CASE STUDY

Gojko GRUBOR1, Kosana VIĆENTIJEVIĆ1, Zoran PETROVIĆ1, Nataša SIMEUNOVIĆ1

1
Singidunum University, Belgrade, Serbia
==============================================================================================
Key words: fraud, financial accounting, financial fraud, forensic accounting, forensic investigation

Prof. Ph.D. Prof. Ph.D. Prof. Ph.D. Ph.D. student,

Gojko GRUBOR Kosana VIĆENTIJEVIĆ Zoran PETROVIĆ Nataša SIMEUNOVIĆ

Abstract: As current business practices are changing, leaving more room for fraudulent activity, the new field of forensic accounting emerged. Fraud
is growing and can be a huge problem for a business or a government entity. Most frauds involve financial matters, so accountants are the most
useful people to investigate them. Forensic accountants are specially trained to investigate and report fraud in courtroom. For this reason, forensic
accountants are often called fraud investigators or fraud examiners. Despite the fraud takes many forms, usually it is theft of funds or information or
misuse of someone's assets. In this paper, we detailed a case of Excel file financial fraud forensic analysis. We outline some of the difficulties involved
in tracing a fraudster by using some different approach than those well described in classic forensic examination such as postmortem, data mining
and other techniques  5, 8, 20, 4. In forensic examination step we used open sourced Deft 7.1 Digital Evidence & Forensic Toolkit 22 and verified
results by another forensic tool, Meld - a visual diff and merge tool for compare files and directories. We refer to our process as combined digital
forensic and accountant investigation. We conclude by discussing some future work that needs to be done before this approach can be properly
evaluated.

1. INTRODUCTION forensic process [5, 20]. Employing forensic, accounting and

Generally, fraud includes wide range of illegal acts mainly
based on intentional deception. Despite fraud takes many forms, it is
always theft of funds or information or misuse of someone's assets
that can cause loss of money, legal costs, investor confidence, and
reputational damage The fraud includes two subcategories: most
significant - financial and fairly insignificant - nonfinancial.
Financial fraud related to receivables, vendor, payroll and expense
has become a common phenomenon inside many companies [6].
Most of the financial statement scandals involve some kind of
revenue manipulation that is usually occurring in the client’s books.
The most common financial fraud is related to revenue
overstatement. Companies simply invent revenues, as a credit or
debit, producing faults balance sheet and income statement 9, 23.
So, an accountant and auditor have to look for this type of
fraud throughout the internal control and audit processes. In this
context, forensic accounting plays an important role in detecting
these frauds that are not discovered in internal auditing process.
Sometimes, forensic accounting is called as forensic analytics,
meaning the analysis of digital data in order to detect, recover and
reconstruct them or otherwise support or denied a claim of financial
fraud. The main steps in forensic analytics are data collection,
preparation, analysis and reporting [17].
2. FINANCIAL AUDITING AND FORENSIC ACCOUNTING
In internal auditing process the basic objective is a regular
audit focused on a sample of transactions, and checks whether the
information disclosed by the financial statements is supported by
adequate material, and makes remark in audit report in case of any
deviation, error, exaggerated assertions etc. 23. Some auditing
tools, such as CAATs (Computer Assisted Auditing Tools) 10, are
currently used to deal with big financial data sets, process complex
transactions and help auditor in implementing auditing procedures,
such as 23:
a) Testing details of transactions and balances,
b) Identifying inconsistencies and transaction’s fluctuations,
c) Sampling programs to extract data for audit testing,
D) Testing general and application control of computer, and
e) Redoing calculations performed by the accounting systems.
Forensic accounting differs from regular financial auditing,
searching only for suspicious transactions, using a strict digital
auditing investigative skills, the forensic accountant’s job consists of
identifying, recording, settling, extracting, sorting and reporting
exceptions, oddities, irregularities and suspicious transactions, and
verifying digital financial data and other accounting activities, with
the purpose to make evidence for legal process [1]. Unfortunately,
there is no standard procedure to discover these frauds, as each fraud
is a specific case. So, forensic accountant or fraud investigators or
fraud examiners 17 can be defined as an accountant who assists
with the financial fraud, prepared for, or heard in court. Sometimes
he may be referred to as a litigation support accountant and act as an
expert witness at trial [2, 13]. If an accountant wants to become
forensic accountant he must take a variety of courses in financial and
advanced accounting, and one or two courses in auditing and some
other courses such as 2, 23]:
 Forensic accounting: Applied digital forensic to the
accounting.
 Computers: Including accounting software (such as
QuickBooks, SAP, Oracle…)
 Law: Basics of business, civil and criminal law as well.
 Statistics: The principles of chance or odds in the examined
transactions.
 Economics: Behavioral economics for quantifying damages in
litigation.
 Psychology: How to handle people, as an advisor?
 Ethics: If someone's acts within the limits of the law but is
still wrong.
 Languages: If a criminal speaks a different language.
 Criminology: To understand how the fraudsters work.
To become a forensic accountant, someone needs to have a
forensic accounting and fraud investigation certificate, issued by one
of several professional associations such as Certified Public
Accountant (CPA) or Certified Forensic Examiner (CFE) or Certified
Forensic Financial Analyst (CFFA) etc. [2]. The Network of
Independent Forensic Accountants (NIFA) is a grouping of qualified
forensic accountants [1].
3. FINANCIAL FRAUD FORENSIC ACCOUNTING
Fraud can be manifested as a crime, corporate, management
and occupational fraud, person’s dishonesty and intentional

These journals are included on ISI Web of knowledge regional Journal Expansion European Union 2010, multidisciplinary fields
http://isiwebofknowledge.com/products_tools/multidisciplinary/webofscience/contentexp/eu/
88 vol. XVIII no. 10 (2013)
deception etc. Therefore, fraud, theft, irregularities, white-collar
crime and embezzlement are almost synonyms 23. The main factors
that influence someone to commit a fraud are shown in the Figure 1.
Figure 1: The fraud triangle 23
Pressure or motivation refers to something from the
fraudster’s personal life that motivates him/her to steal.
Rationalization is how do fraudsters justify their criminal actions?
Opportunity is perpetrator’s position of trust or a weakness in, or
absence of internal controls that provides the circumstances for
fraudster to commit a crime 23.
4. REVIEW OF SOME KNOWN FORENSIC ACCOUNTING
APPROACHES
Forensic accountants can uses some mathematical models,
such as Benford’s Law and Relative Size Factor (RSF), as well as
data mining techniques 4.
The Benford's Law, as a duplication program, runs using
Microsoft Excel 2007 on Windows XP. The basis of this law is that
fabricated figures (an indicator of fraud) possess a different pattern
from random (or valid) figures 4. Despite of having few
advantages, the Benford’s law has many limitations. The detailed
description is done in book 16. The Relative Size Factor (RSF)
detects unusual data that may be caused by errors or frauds 4.
The exponential growth of big data and technology 11,
complex financial transactions and smarter fraudsters pose huge
problems to the forensic accounting technique. So, some advanced
techniques such as data mining can help forensic accountants, to 4.
Some of the general characteristics of fraudulent data transactions
patterns that can be discovered by specific data mining tools are as
follow 4:
a) Unusual variables or entries of transactions.
b) Unusually high or low value of a variable.
c) Accounting transactions are maintained in various files.
d) Unexplained values of two or more unrelated records.
4. FORENSIC ACCOUNTING CASE EXAMINATION
As the most frauds involve financial matters, so the most
logical people to investigate them are accountants. However,
sometimes fraud can be very complex and a digital forensic examiner
has to be involved in investigation. Otherwise, accountants have to
be specially trained for digital forensic.
The very first task in forensic accounting is to apply digital
forensic procedures for collection, preservation, acquisition, analysis
and reporting digital evidences in courtroom 5, 8, 15, 19, 20.
However, financial fraud involves deliberately overstating assets,
revenues and profits or understating liabilities, expenses, and losses,
in such way that the forensic examiner can’t understand properly. So
expertise of the professional accountant could be inevitable. When
forensic examiner and accountant together investigate financial
fraud, they should go into digital and other evidences and look for so
called red flags or accounting warning signs from all of the data
sources, such as [7, 12]:
Figure 2: Files comparison using MD 5 hash values
The hash values prove that those files are not the same, as
shown in Figure 2. Checking percentage of the files similarities,
using technique of homogenous files discovery by segmented hashing
These journals are included on ISI Web of knowledge regional Journal Expansion European Union 2010, multidisciplinary fields
http://isiwebofknowledge.com/products_tools/multidisciplinary/webofscience/contentexp/eu/
METALURGIA INTERNATIONAL
 Revenue recognition earlier than a product was sold;
 Unusually high revenues and low expenses at the balance;
 Growth in inventory that does not match growth in sales;
 Capitalization of expenses in excess of industry norms;
 Reported growing earnings as cash flow is declining;
 Far greater growth in revenues than in other companies;
 Gross margins out of line with peer companies;
 Unusual increases in the book value of assets;
 Impossible to determine the transaction actual nature;
 Changed or deleted invoices in the financial books;
 Written off loans to executives or other related parties etc.
Following a standard investigative methodology is crucial to
successful and effective computer forensic 5, 8, 23.
1. Protect authenticity of the data sources.
2. Discover and recover all files needed for investigation.
3. Analyze the collected data and create the chain of custody.
4. Summarize findings, and make a log of all extracted data.
In typical financial fraud crime case, forensic examiner need
to take forensic image of the accounting computer and software, and
keep one copy as reference and other one as working copy [19, 20].
So, forensic examiner can parsed information from the user’s
RecentDocs Registry key, and the key that listed Excel spreadsheet
from the Outlook temporarily file (.pst) and other file server where
users could possibly store data in regular backup process. In next step
he can extract metadata and see recent modification dates and who
has opened or edited or printed spreadsheet. These metadata includes
time stamps correlated to file system and Registry time stamps, too
[17]. The following data can be saved as hidden information inside
MS Excel documents metadata [3, 14]:
• The names/initials of user, computer and company
• The name of the server or HD where user saved data
• Other file properties and summary information
• Non-visible portions of embedded OLE objects
• The names of previous authors and document revisions
• Hidden text and hidden cells
• Globally Unique Identifiers (GUIDs), etc.
Unfortunately, according to Microsoft’s Knowledge Base [18]
it is too difficult (if not impossible) to prove when an individual cell
or sheet has been modified in a MS Excel file, especially if the track
changes are not enabled previously.
But sometimes forensic accountant could be given Excel or
another spreadsheet file to be examined. So, document analysis must
be involved to find out how many times the file has been "revised",
and when the last editing occurred, and the name of the user account
that performed the last editing, as well as the last time it was printed
etc. 14, 17].
In this case, the main accountant from the company “X” has
given to the forensic examiner two MS Office Excel files, only - one
from the ledger at the time of auditing, and the other one from the
backup copy file. The forensic requirements did not include Excel
metadata analysis. Also, software forensic, that can be used to
identify its author [6], can’t be easily applied to Excel, as financial
fraud could include only one number. So, the forensic examiner
regularly checked size of both files and realized that they were the
same. Then he used open sourced DEFT 7.1 digital evidence and
forensic toolkit 22, verified file signature and applied file
comparison technique. Applying these techniques on the sheets with
the thousands of entries is very useful, because it reports on the
differences between the cells on separate sheets. The forensic
examiner compared both Excel files without metadata (.csv format);
using their MD 5 hash values (Figure 2).
method initiated with content (Figure 3), was the next step 21.
METALURGIA INTERNATIONAL vol. XVIII no. 10 (2013) 89

Figure 3: Homogenous files identification by segmented hashing initiated with content method

So, 99% of the two files similarities are identified, suggesting displays differences between the two files, made per line for text files
that a small change has been made in one of the two files. (Figure 4) 22.
The forensic examiner used Diff file comparison utility that

Figure 4: Application of Diff utility to find out differences between the two files

Results of the Diff tool application are shown in the Figure
4. The two differences, identified in the rows no. 5020 and 5022,
have been changed (red arrows) in the backup file. The forensic
examiner verified the proof using another forensic tool, Meld. This
tool, using a GUI interface, verified differences among files and
displayed discovered ones. Despite it is slower than Diff tool; it
displays more clear results (Figure 5). As shown in Figure 5 the two
changes are displayed and the number of 1,000 000 has been
changed with 100 000 one. So, main accountant accepted these
evidences as a proof that the suspected accountant has made these
changes.

Figure 5: Files comparison using Meld tool

5. FORENSIC ACCOUNTING CASE RECONSTRUCTION forensic examination, the main accountant of the company “X” took
over this forensic report in order to reconstruct the case. According to
As it was case of internal corporate investigation, after the internal audit in the company “X” at the end of 2012 year,

These journals are included on ISI Web of knowledge regional Journal Expansion European Union 2010, multidisciplinary fields
http://isiwebofknowledge.com/products_tools/multidisciplinary/webofscience/contentexp/eu/
 90 vol. XVIII no. 10 (2013)
financial auditor realized some differences between two financial
reports - one reported as half year balance and another one as final
financial report. Thus, for the first half of year (2012) the company’s
recently employed accountant has already made the financial records
that have been approved by internal auditor. Meantime, the main
accountant has become suspicious about some activities of the
recently transferred and employed accountant. Therefore, he ordered
taking backup of ledger as mandatory at the time of final report. In
accordance with company’s backup rule - to keep backup files
outside of the company, the related accountant copied the ledger in
Excel file onto his removable hard drive and he brought it to his
house. Later on, the accountant changed, at the same time, some data
on the backup file and replaces them instead of already reviewed
ledger files. Since these data have been already approved at the first
half of year (2012) and the changes decreased greatly debts of the
company „F“, the accountant has received some money from the
debtor. When he bought a new car, manager of the company “X” has
become suspicious and ordered internal investigation by main
accountant who hired forensic examiner as a consultant to help them.
6. CONCLUSION
Forensic accountants and fraud auditors must know the fraud
process very well. They must know how perpetrators are doing fraud
and the characteristics of the various fraud schemes. This
information enables them to perform effectively their investigation or
fraud prevention programs. These fraud schemes are a major part of
the critical knowledge it takes for fraud auditors and forensic
accountants to do an effective job. Another major part is the
understanding of the red flags associated with these fraud schemes.
Forensic accounting is the better way to protect accounting
files or logs unchanged than just audit them. It can prove which users
accessed what files, which changed or deleted them, who copied
what and where? File integrity is paramount for every governing
regulation and is part of every company security or digital forensic
policy.
In this paper forensic examination of financial fraud is proved
by use of the two forensic tools, Diff and Meld. In this fraud
examination two problems are identified. First, accounting Excel
files did not have Track changes activated, and, second, accountant’s
database server wasn’t available to the examiner. This case of the
corporate fraud investigation proved that both forensic examiner and
financial accountant together give the best results in financial fraud
examination. Forensic examiner followed strict forensic investigation
procedure, as the case could ends in the courtroom. Financial
accountant performed analysis of forensic examination results,
reconstructed fraud case and proved main accountant’s suspicious.
For confirmation of the financial accountant and digital
forensic examiner preferable team work, much more financial fraud
cases should be investigated and analyzed in future. According to the
authors opinions, both digital forensic examination and financial
accounting are quite complex to be investigated by the same person.
Probably, very few people could do alone any typical financial fraud
investigation properly.
7. REFERENCES
[1] B. K B Kwok, Forensic Accountancy, 2nd editions,
LexisNexis, 2008.
[2] D. Winch, Finding and using a forensic accountant,
http://www.accountingevidence. com/documents/
articles/Forensic%20accountant1.pdf , October 2007.
[3] D. Kernan, Hidden Data in Electronic Documents, GIAC
GSEC Practical (v.1.4b, Option 1), SANS Institute InfoSec Reading
Room, 2004.
[4] Dr. P.K. Panigrahi, Discovering Fraud in Forensic
Accounting Using Data Mining Techniques, 1426 The Chartered
Accountant, April 2006.
These journals are included on ISI Web of knowledge regional Journal Expansion European Union 2010, multidisciplinary fields
http://isiwebofknowledge.com/products_tools/multidisciplinary/webofscience/contentexp/eu/
View publication stats
METALURGIA INTERNATIONAL
[5] E. Casey, Digital Evidence and Computer Crime, Third
Edition: Forensic Science, Computers and the Internet, ISBN-10:
0123742684, Academic Press,2006.
[6] E. H. Spafford, S. A. Weeber, Software Forensics: Can We
Track Code to its Authors?, Purdue Technical Report CSD–TR 92–
010, SERC Technical Report SERC–TR 110–P, Department of
Computer Sciences, 1398 Computer Science Building, Purdue
University, West Lafayette, IN 47907–1398, 19 February 1992.
[7] F. Kass-Shraibman, Vijay S. Sampath, Forensic Accounting
For Dummies, 2009.
[8] H. Carvey, Windows Forensic Analysis DVD Toolkit, Ch. 8,
pg. 411, Syngress Publishing. Inc. ISBN 13: 978-1-597-422—9,
2009.
[9] http://en.wikipedia.org, Forensic accountant, (accessed at 10
of May 2013)
[10] http://en.wikipedia.org/wiki/Computer-aided_audit_ tools
CAATs (Accessed 20.02.2013)
[11] IBM, Big data at the speed of business, http://www-
01.ibm.com/software/data/bigdata, (accessed at May 2013)
[12] J. Seward, R.Winters, Forensic Accounting - the recorded
electronic data found on Computer Hard Disk Drives, PDAs and
numerous other Digital Devices, LLC NY 10016,
JSeward@RWCPAs.com, 2013.
[13] J. R King, Document Production in Litigation: Use an Excel-
Based Control Sheet, National Association of Valuation Analysts,
March 4, 2009.
[14] J. R. Jones, Document Metadata and Computer Forensics,
James Madison University Infosec Techreport, Department of
Computer Science, JMU-INFOSEC-TR-2006-003, 2006.
[15] Jones, J. K., Bejtlich, R., Rose, W. C., Real Digital Forensics
- Computer security and incident response, Addison‐Wesley, 2008.
[16] M. Nigrini, Benford's Law : Applications for Forensic
Accounting, Auditing, and Fraud Detection, ISBN: 978-1-118-
15285-0, John Wiley & Sons, Inc., 2012.
[17] M. Nigrini, Forensic Analytics: Methods and Techniques for
Forensic Accounting Investigations, ISBN: 978-0-470-89046-2,
Wiley and Sons, 2011.
[18] Microsoft Knowledge Base, How to minimize metadata in
Microsoft Excel workbooks, Article ID: 223789, Revision: 5.1, 2007.
[19] M. Milosavljević, G. Grubor, Computer Crime Investigation,
University Singidunum, 2010.
[20] M. Milosavljević, G. Grubor, Computer System Digital
Forensic, University Singidunum, 2009.
[21] N. Ristić, A Jevremović, M Veinović, Homogenous files
identification by segmented hashing initiated with content,
Telecommunications forum TELFOR 2012, 20-1665-1668.
[22] S. Fratepietro & all, DEFT 7 Manual,
http://en.wikipedia.org/wiki/Diff, 2013.
[23] T. W. Singleton, A. J. Singleto, Fraud Auditing and Forensic
Accounting, Fourth Edition, John Wiley & Sons, Inc., 2010.
Correspondence to:
Gojko GRUBOR,
ggrubor@singidunum.ac.rs, Department of Informatics and
Computing, Singidunum University Belgrade, Serbia
Kosana VIĆENTIJEVIĆ,
kvicentijevic@singidunum.ac.rs, Department of Business
Economics, Singidunum University, Belgrade, Serbia
Zoran PETROVIĆ,
zpetrovic@singidunum.ac.rs, Department of Business Economics,
Singidunum University, Belgrade, Serbia
Nataša SIMEUNOVIĆ,
nsimeunovic@sinergija.edu.ba, Department of Business
Economics, Ph.D student, Singidunum University, Belgrade,
Serbia.