
Combating Fraud : Putting in Place an Effective Audit System to Detect and Prevent Fraud


Page 1: Combating Fraud : Putting in Place an Effective Audit System to Detect and Prevent Fraud

Combating Fraud: Putting in Place an Effective Audit System to Detect and Prevent Fraud

The 9th - Cyber Defense Initiative Conference 2009 - (CDIC 2009)

10th-11th November 2009 Queen Sirikit National Convention Center

By

Pairat Srivilairit, CIA, CISA, CBA, CCSA, CFSA, CISSP, CFE

Tuesday, 10 November 2009 15:15-16:00 hrs

Page 2

About Speaker

Mr Pairat Srivilairit received a bachelor of engineering from Chulalongkorn University and an MBA from Thammasat University. He is a certified internal auditor (CIA), certified information systems auditor (CISA), certified bank auditor (CBA), holder of the certification in control self-assessment (CCSA), certified financial services auditor (CFSA), certified information systems security professional (CISSP), and a certified fraud examiner (CFE).

He is chairman of the Bank and Financial Institution Internal Auditors Club (BFIA) and a past director of the ISACA Bangkok chapter. He is also a member of The Institute of Internal Auditors (IIA), the Association of Certified Fraud Examiners (ACFE), the Information Systems Audit and Control Association (ISACA), the International Information Systems Security Certification Consortium (ISC)² and the Institute of Internal Auditors of Thailand (IIAT).

He is a well-known lecturer on operational auditing and information systems auditing courses at IIAT and the ISACA Bangkok Chapter. He is also a special lecturer in the IIA’s Internal Auditing Education Partnership Program (IAEP) at Chulalongkorn University, and has represented IIAT in speaking to students at several universities to promote the internal auditing profession.

Mr Pairat Srivilairit has worked in the finance and banking industry for over 18 years, with extensive experience in management consulting, planning, research, investment, operations and audit. He is now with TISCO Bank Public Company Limited as head of internal audit and secretary to the audit committee.

Page 3

Outline

Combating Fraud: Putting in Place an Effective Audit System to Detect and Prevent Fraud (45 min)

– Key Indicators of Fraud
– Types of Fraud in Activities Reviewed
– Prevention Aids by Internal Auditors
– Detection and Investigation Techniques
– Summary

Page 4

Examples of Fraud Cases

High-tech thieves hack data and make off with 200 million – In August 2548 B.E. (2005), a representative of a mobile network operator noticed an anomaly in the traffic of prepaid-card customers.

– Investigation found that the company's card data codes had been hacked and used to load amounts far above face value onto prepaid cards, which were then sold over the Internet at special prices or from tables set up in local communities.

– The company tried to block the codes of the abnormal cards but still suffered lost revenue of up to 200 million baht.

– Four suspects were arrested, all employees of the company itself; the case is still under appeal.

(Manager newspaper, 27 Aug 2548 B.E. / 2005)

Page 5

Examples of Fraud Cases

Gambling-addicted young banker cheats bank of 400 million – In May 2552 B.E. (2009), a bank discovered that the chief accountant of one branch had been transferring money from the interest account the bank had set aside to pay customers into his own accounts at various banks.

– The suspect was cornered in his car while fleeing to Cambodia. He confessed to having done this continuously for more than a year because it was easy and had never been audited. The embezzled money went on a house, cars, jewellery, mutual funds, football betting and lottery tickets, totalling over 499 million baht.

– He had joined the bank in 2542 B.E. (1999), had received an outstanding employee award, and had no record of fraud.

– The cause was traced to a defect in the Core Banking System.

(Thansettakij newspaper, 6 May 2552 B.E. / 2009)

Page 6

Occupational Fraud

“The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.”

All occupational frauds have four things in common:
– Clandestine
– Violate the perpetrator’s fiduciary duties to the victim organization
– Committed for direct or indirect financial benefit to the perpetrator, and
– Cost the employer assets, revenue or reserves

Page 7

How Fraud is Committed

Three categories of occupational fraud:

Asset Misappropriations: theft or misuse of the organization’s assets, e.g. skimming revenues, stealing inventory and payroll fraud.

Corruption: wrongful use of influence to gain a personal benefit contrary to the duty owed to the employer or the rights of another, e.g. accepting kickbacks, conflicts of interest.

Fraudulent Statements: falsification of the organization’s financial statements, e.g. overstating revenues and understating liabilities or expenses.

Page 8

How Fraud is Committed

Asset misappropriations were the most common but had the lowest loss. Fraudulent statements were the least common but had the highest loss.

Chart: Breakdown of All Occupational Fraud Schemes — Median Loss

Page 9

The greatest percentage (15%) of fraud occurred in the banking and financial services sector.

Chart: Bank Most Common Fraud

Page 10

How Fraud is Detected

It takes 24 months on average to catch employee fraud.

Chart: Initial Detection of Occupational Frauds

Page 11

Key Indicators of Fraud

– Tips / complaints
– Missing / altered documents
– Duplicate / unreasonable expenses or reimbursements
– Failure of certain employees to take vacations
– Failure to follow up on past-due receivables
– Unusual write-offs of receivables
– Employees on the payroll not signed up for benefits
– Excessive purchases of products or services
– Common phone numbers / addresses of payees or customers

Page 12

Key Indicators of Fraud (continued)

– Cash shortages / overages
– Stale items on bank reconciliations
– Unexplained adjustments / journal entries
– Unusual financial statement relationships, e.g.
    – Increased revenue vs. decreased receivables
    – Increased revenue vs. decreased inventory purchases
    – Increased inventory vs. decreased purchases or A/P
– Significant increases or decreases in account balances
– Significant changes in liquidity, leverage, profitability or turnover ratios
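Several of the indicators above (duplicate payments, payees sharing a phone number or address, missing payee information) are the kind an auditor scripts against an accounts-payable extract. The Python below is an added example, not code from the presentation; the ledger records and their field names are constructed for illustration.

```python
"""Added example (not from the presentation): three payee/payment red flags from
the slides run over a constructed accounts-payable ledger."""
from collections import defaultdict

# Constructed sample ledger; the field names mirror a typical AP extract.
PAYMENTS = [
    {"id": 1, "payee": "Acme Supplies", "invoice": "INV-1001", "amount": 1250.00,
     "phone": "02-111-2222", "address": "12 Rama IV Rd"},
    {"id": 2, "payee": "Acme Supplies", "invoice": "INV-1001", "amount": 1250.00,
     "phone": "02-111-2222", "address": "12 Rama IV Rd"},          # duplicate of id 1
    {"id": 3, "payee": "Bangkok Paper", "invoice": "BP-77", "amount": 480.50,
     "phone": "02-333-4444", "address": "5 Silom Rd"},
    {"id": 4, "payee": "J. Smith Consulting", "invoice": "JS-9", "amount": 9900.00,
     "phone": "02-111-2222", "address": "88 Sukhumvit Rd"},        # shares Acme's phone
    {"id": 5, "payee": "Quick Fix Co", "invoice": "QF-3", "amount": 300.00,
     "phone": "", "address": ""},                                   # no contact details
]


def duplicate_payments(payments):
    """Groups of payment ids with identical payee, invoice number and amount."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["payee"], p["invoice"], round(p["amount"], 2))].append(p["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def shared_contacts(payments, field):
    """{value: sorted payees} for phone/address values used by more than one payee."""
    by_value = defaultdict(set)
    for p in payments:
        if p[field]:                      # blank values are handled by missing_contacts()
            by_value[p[field]].add(p["payee"])
    return {v: sorted(ps) for v, ps in by_value.items() if len(ps) > 1}


def missing_contacts(payments):
    """Payees with neither a phone number nor an address on file."""
    return sorted({p["payee"] for p in payments if not p["phone"] and not p["address"]})


def run_checks(payments):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "duplicates": duplicate_payments(payments),
        "shared_phone": shared_contacts(payments, "phone"),
        "shared_address": shared_contacts(payments, "address"),
        "missing_contacts": missing_contacts(payments),
    }


if __name__ == "__main__":
    for name, hits in run_checks(PAYMENTS).items():
        print(f"{name}: {hits}")
```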

Page 13

Limiting Fraud Losses

Surprise audit and job rotation are still overlooked by many organizations.

Page 14

Limiting Fraud Losses

Surprise audit, job rotation, and anonymous reporting showed the greatest impact on fraud losses.

Page 15

Bank Case Symptoms

– Supervisory override; unusually large transactions or transactions with no apparent business purpose
– Journal vouchers containing only one signature or incorrect information; fund transfers between different customers' accounts
– Deposit slips with missing information; depositor names incomplete or not matching the passbook or account name
– Frequent, large deposits/withdrawals in an executive's account
– Deposits and withdrawals on the same account on the same day or within a short period of time
– Bank checks used to transfer between accounts; checks with altered dates

Page 16

Symptoms ... More

– Purported customer signatures on withdrawal vouchers and checks
– Large negative balances in slush accounts or customer accounts
– Deposit slips moving customer funds between the accounts of different customers
– Deposits of customer checks where cash was received back
– CDs closed prematurely with proceeds put into a low-interest account, sometimes with a penalty
– Customer not present when the account was opened, closed or transacted
– Mailing of customer statements to an executive's address

Page 17

Bank Fraud Trend

– The financial cost of fraud may be three or more times the amount of the direct loss
– Fraud is not static; it evolves with each new measure implemented
– New opportunities for employee fraud are emerging
– Criminals thwart rules-based systems
– A “silo” mentality weakens fraud detection
– Top management is moving toward an enterprise focus on anti-fraud systems
– Regulatory expectations are increasing
– Solutions require commitment, investment, and talent

Page 18

Insider Threat

“Deliberate misuse by those who are authorized to use computers and networks.”

Insiders include employees, contractors, consultants, temporary helpers, personnel from third-party business partners, etc.

Page 19

Facts about Insider Misuse

– Most were not technically sophisticated or complex
– Most were thought out and planned in advance
– Most were motivated by financial gain
– Most perpetrators of banking and finance incidents
    – Did not hold a technical position
    – Never engaged in a technical attack or hacking
    – Were not necessarily perceived as problem employees
– Executed at the workplace during normal business hours
– Detected by various channels and methods

Page 20

Misuse of Applications

Application: Client/Server
  Legitimate use: message exchange; connectivity to server; execution of tasks
  Misuse: unusual exchanges to degrade performance; excessive connections (DoS); execution of privileged procedures

Application: Mail clients
  Legitimate use: send and receive e-mails
  Misuse: illegal content / remote attack / private use / overloading the network

Application: Browsers / multimedia players
  Legitimate use: browse the Internet / play files; view cached files and history
  Misuse: view illegal content; display other users’ viewed files and accesses

Application: Programming tools
  Legitimate use: develop programs; display memory segments
  Misuse: create malware; access memory segments holding sensitive information

Application: General-purpose applications
  Legitimate use: read / write; input strings
  Misuse: access temp files for sensitive information / modify temp files to change program flow; buffer overflow

Page 21

Universe of Internal Computer Fraud

Computer Fraud
– Billing Schemes
    – Forged Endorsement
    – Corruption & Price Initiation
    – Ghost Vendor
    – Accomplice Vendor
    – Quid Pro Quo & Barter Schemes
    – Personal Purchase
    – Returns & Voids
    – Passing of Payment of Invoices for Non-existing Suppliers
– Data Capture
    – Spyware & Key Loggers
– Fund Transfer
    – Unauthorized Transfer of Funds
– Errors
    – Duplicate Payments
    – Overpayments
    – Early Payments
    – Missing or Bad Information
    – Payment to Erroneous Employees & Vendors
    – Duplicate Information
– Program Altering Schemes
    – Changing Program and Data Ownership
    – Setting Improper Parameters
    – Use of Malware (e.g. Trojans)
    – Alteration of Program and Data Files
– Check Tampering / Skimming
    – Forged Endorsement
    – Forged Checks
    – Alter Payee
    – Write-off of Money Due to Company
– Information Privacy Risk
    – Loss of Intellectual Property Through Fraud
    – Transmission of Confidential Data (i.e. TCP/IP)
    – Peer-to-peer File Sharing
    – Employee Posting Confidential Company Information
    – Employee Downloading Hacker Tools for ID Theft Purposes
    – Employee Downloads & Nefarious Applications
– Manipulation of Data Input
    – Data Integrity Attack
    – Falsification of Stock Records to Cover Theft of Stocks
    – Data Suppression
– Payroll Schemes
    – Ghost Employee
    – False Communication
    – Worker’s Compensation Scheme
    – Falsified Wages

Page 22

Types of Application Controls

Application Controls
– Data Origination / Input Controls
    – Check the integrity of data entered into the business application
    – Check whether the source is direct input by staff, remote input by a business partner, or input through a web-enabled application
    – Ensure accuracy with optimum computerized validation and editing
    – Check whether data is within specified parameters
    – Error handling procedures facilitate timely and accurate resubmission of all corrected data
    – Ensure accuracy, completeness and timeliness of data during conversion from original sources into computer data or entry into the computer application, whether manual, online input or batch
– Data Processing
    – Ensure accuracy, completeness and timeliness of data during either batch or real-time processing by the application
    – Ensure data is accurately processed through the application
    – No data is added, lost or altered during processing
– Output Control
    – Ensure the integrity of output and the correct and timely distribution of the output produced, either in hardcopy, in files to be used as input for other systems, or as information available for online viewing
– Access Controls: permit or deny use of an object
    – Identification & Authentication
    – Authorization
    – Accountability
    – Audit
    – Physical devices (i.e. biometric scan, metal locks, hidden path, digital signatures, encryption, social barriers, human and automated monitoring systems etc.)

Page 23

Example of Detection System

Diagram: components of the example detection system shown on the slide.
– Branches: web browser clients connecting to the main office
– Main office: web server, application server, XML document (loan application dataset), XBRL business report engine, business report, general ledger, XSLT spreadsheet
– Misuse detection inputs: SYSLOG, IDS, firewall and router logs, XML key fraud signature, misuse detection data & metadata
– Rules engine and event correlation database

Page 24

Other Analytical Tools

Use of Benford's Law as a fraud detection tool

Chart: first-digit frequencies (percent) of transactions, showing the theoretical Benford line against the fraudulent transactions.
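As an added illustration of the Benford chart (example code, not from the presentation), the Python below computes the first-digit distribution of a set of amounts, compares it with the theoretical Benford line and scores the deviation with the mean absolute deviation (MAD) and a chi-square statistic. Both data sets are constructed; the MAD bands are Nigrini's published rule-of-thumb thresholds for the first-digit test.

```python
"""Added example (not from the presentation): a first-digit Benford test of the
kind the slide's chart illustrates. Expected frequency of leading digit d is
log10(1 + 1/d); observed frequencies are compared with it via MAD and chi-square."""
import math
from collections import Counter

# Benford expected proportions: d=1 -> 0.301, d=2 -> 0.176, ..., d=9 -> 0.046
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def leading_digit(amount):
    """First significant digit of |amount| (1-9), or None for zero."""
    first = f"{abs(amount):.10e}"[0]   # scientific notation puts the leading digit first
    return int(first) or None


def first_digit_test(amounts):
    """Observed vs Benford first-digit frequencies, plus MAD and chi-square (df=8)."""
    digits = [d for d in map(leading_digit, amounts) if d is not None]
    n = len(digits)
    counts = Counter(digits)
    observed = {d: counts.get(d, 0) / n for d in range(1, 10)}
    mad = sum(abs(observed[d] - BENFORD[d]) for d in BENFORD) / 9
    chi2 = sum((counts.get(d, 0) - n * p) ** 2 / (n * p) for d, p in BENFORD.items())
    return {"n": n, "observed": observed, "mad": mad, "chi_square": chi2}


def conformity(mad):
    """Nigrini's rule-of-thumb MAD bands for the first-digit test."""
    if mad < 0.006:
        return "close conformity"
    if mad < 0.012:
        return "acceptable conformity"
    if mad < 0.015:
        return "marginally acceptable conformity"
    return "nonconformity"


def benford_like_sample(n=1000):
    """Constructed amounts spread evenly in log space over whole decades (1 to ~10^4),
    which is exactly the condition under which first digits follow Benford's law."""
    return [10 ** (k / 250) for k in range(n)]


def fabricated_sample(n=1000):
    """Constructed 'invented' amounts, all parked just under a 5,000 approval limit."""
    return [4950.0 + (k % 50) for k in range(n)]


if __name__ == "__main__":
    for label, data in (("genuine-like", benford_like_sample()),
                        ("fabricated", fabricated_sample())):
        r = first_digit_test(data)
        print(f"{label}: MAD={r['mad']:.4f} ({conformity(r['mad'])}), "
              f"chi2={r['chi_square']:.1f}")
```

A chi-square above 15.507 (df=8, 5% level) or a MAD in the nonconformity band is a prompt to drill into the digits that are over-represented, not proof of fraud on its own.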

Page 25

Managing Insider Threat

– Strong authentication / biometric technologies
– Role-based access granted on a need-to-have basis
– Rotate job functions / event log reading
– Place servers and sensitive equipment in a secured area
– Restrict physical access / lock / alarm test
– Wear badges / background checks
– Default passwords / unused ports / log-off on absence
– Encrypt sensitive data stored on user hard drives
– Store sensitive documents in a secured space
– Never issue passwords over unsecured channels

Page 26

Be Aware of Warning Signs

– Rogue access point / wireless / remote
– Disgruntled employee
– A user accesses a database or area of the network they have never accessed before
– Download spike

Page 27

Fraud Prevention Checklist

– Good internal control
– Employee fraud awareness training / hotline
– Analytical review / surprise fraud audits
– Review company contracts
– Perception of detection / management oversight
– Proactive fraud policy and program / prosecution
– Mandatory vacations / periodic job rotation
– Screen job applicants
– Information security review / limit access / audit trail
– Management climate / employee support program

Page 28

Summary

Auditor's roles in combating fraud
– Promote a culture of honesty and high ethics
– Assess and mitigate the risk of fraud
– Ensure control adequacy and effectiveness
– Use data mining and statistical analysis tools
– Analyze financial statements and reports
– Be alert to predication of fraud
– Ensure investigations are properly conducted
– Ensure proper follow-up actions are taken
– Develop your anti-fraud knowledge and skills

Page 29

About the ACFE

– The Association of Certified Fraud Examiners, started in 1988
– Provides anti-fraud training and education
– Over 50,000 members in 125 countries
– Administers the Certified Fraud Examiner (CFE) designation, a certification program for fraud practitioners recognized by the U.S. Department of Defense and FBI
– More than 20,000 CFEs worldwide (5 Thais)
– $55 membership fee
– More information about ACFE: http://www.acfe.com

Page 30

About the CFE Exam

– Covers 4 areas
    – Criminology & Ethics
    – Financial Transactions
    – Fraud Investigation
    – Legal Elements of Fraud
– 4 exam sections of 125 questions each (75%)
– Administered via computer / must complete each section in one sitting (2.6 hr)
– Complete all and return to ACFE within 30 days
– Must pass the Qualifying Points System (40/50)
– $250 application fee

Page 31

Q&A

Pairat Srivilairit, CIA, CCSA, CFSA, CISA, CISSP, CBA, CFE
Internal Audit Department, TISCO Bank Public Company Limited
Mobile: +668 1903 1457
Office: +66 2633 7821
Email: [email protected]