INTOSAI EDP

IntoIT! Issue 8, August 1998

Contents

Editorial
Country Focus - Brazil
Country Focus - Slovenia
Auditing and Computerisation in New Zealand - Part 2
Modernisation and Development at the Court of Auditors of Portugal
Millennium update
Using IT Techniques in Forensic Audit
Tackling Public Sector Fraud
News from around the World

IntoIT is the IT journal of the INTOSAI EDP Committee. The journal is normally published twice a year, and aims to provide an interesting mix of news, views and comments on the use of IT in SAIs around the world.

Material in the journal is not copyrighted for members of INTOSAI. Articles from intoIT can be copied freely for distribution within SAIs, or reproduced in internal magazines, or for use on training courses.

The Editor welcomes unsolicited articles on relevant topics, preferably accompanied by a photograph and short biography of the author, and short news items, for inclusion in future issues.

Contributions should be sent to The Editor of intoIT, National Audit Office, 157-197 Buckingham Palace Road, London SW1W 9SP, United Kingdom. E-mail [email protected].


Editorial

The Chairman of the INTOSAI EDP Committee, Mr V K Shunglu, reports on the work of the Committee and introduces this issue.

This issue of IntoIT follows the 7th meeting of the INTOSAI Standing Committee on EDP Audit held in Stockholm in May 1998. The meeting reviewed the progress of work in relation to envisaged outputs. The Committee agreed that the Reference list of Materials on IT Performance Auditing needed to be kept up-to-date and felt that IntoIT would (along with the proposed Committee webpage) be the best mechanism to publicise updates. The INTOSAI IT Audit Training courseware has been circulated in both hard copy and electronic version to the Regional Working Groups of INTOSAI, the INTOSAI Secretariat and the INTOSAI Development Initiative. The meeting approved a proposal for hosting a web site on the Internet by the Committee which, among other information, would feature the latest and back issues of IntoIT. This would augment the awareness of this journal among SAIs. A CD-ROM containing an electronic compilation of the mandates and statutes governing 87 SAIs was presented. Member SAIs are requested to send the latest version of their statutes, preferably in English, to the Comptroller and Auditor General of India, to enable the compilation to be as comprehensive as possible.

Another important event was the 2nd Working Seminar on IT Performance Auditing which was held on May 12th and 13th in Stockholm and was attended by thirty participants from twenty SAIs. The seminar covered themes in diverse areas of performance auditing of IT Systems.

In this issue, the regular country focus article is on Brazil and outlines the SAI's EDP audit procedures and its EDP audit programme. We continue with an article on New Zealand’s experience with IT, the focus this time being on the use of IT Audit methods. The feature on modernisation and development at the Court of Auditors of Portugal elucidates the development and use of IT in the Court of Auditors of Portugal. The story on the millennium problem (also called the Year 2000 or Y2K issue) continues with an update.

Two contributions relate to the use of IT in Forensic Audit. The first is an elaboration by SAI-UK of IT based technologies that can be used in the fight against fraud and the second, by SAI-India, presents a case study where IT was used to analyse and investigate a large volume of fraudulent transactions.

As we are all aware, the major objective of the INTOSAI EDP Committee is to support SAIs in developing knowledge and skills in the field of EDP audit by providing information and facilities for exchange of experiences. I am sure that contributions from readers will continue to flow in, enhancing the role of IntoIT as a facilitator of exchange of information and experiences among SAIs in the field of EDP Audit.

Country Focus – Brazil

Minister Carlos Atila Alvares da Silva writes about information technology and EDP audit in the Brazilian Court of Audit

Minister Carlos Atila Alvares da Silva has been a member of the Tribunal de Contas da Uniao - TCU - (Brazilian Court of Audit) since 1985 and was its President during the 1992/1993 term. He is now Supervisor of the TCU's EDP Committee.

Background

Since the beginning of the decade, the Brazilian Court of Audit - TCU - has tried to develop its EDP Audit area. The efforts were co-ordinated by the EDP Audit and Audit Planning Division of Saudi, the Inspections and Audit Department of TCU. In 1996, this division began focusing, exclusively, on EDP audit, computer-assisted auditing techniques and tools, and information gathering and consolidation for auditing purposes.

Training programme

TCU has a permanent training programme for its staff, who have access to regular and refresher courses in EDP Audit. The discipline "EDP Audit" has been included in the programme for training new auditors. EDP specialists have participated in several courses and events abroad for the purpose of acquiring new knowledge and techniques that they will later disseminate among TCU personnel. Seven TCU auditors participated in the last four courses on computer-assisted auditing offered by the Latin American and Caribbean Organisation of Supreme Audit Institutions (Olacefs), in Santiago, Chile. Three other staff members concluded a month-long course on computer-assisted auditing at the Chartered Institute of Public Finance and Accountancy (CIPFA), in London. At the same time, aiming to keep the technical staff up-to-date on world trends and new releases in data processing, TCU has sent staff members to the recent conferences of the National EDP Audit and Computer Security (CNASI) and Comdex Fall, the world's largest Information Technology event.

EDP audit procedures

In 1992, an Audit Procedures Manual was developed for the purpose of disseminating knowledge and making a new EDP auditing tool available to other TCU performance audit works. This manual, including control objectives and audit procedures, was thoroughly overhauled in March 1997 and now covers controls in many areas, like general data processing, physical and logical security, application systems, database environment, operations, network, microcomputer systems development and disaster recovery planning. It intends to provide standardised audit procedures for internal control of every government agency, in a new vision of relationship between auditor and audited agency.

Some Audit procedures are available on the Internet at http://www.TCU.gov.br/novidades/downloadpa.html.

EDP audit undertaken to date

TCU's EDP audit is carried out at three levels of complexity. First level audit is conducted by any auditor using EDP auditing procedures. At the second level audit is conducted by Saudi auditors who are well trained in EDP auditing techniques, and the third level is conducted by Information Systems (IS) specialists from Seinf (Information Technology Department of TCU), who keep themselves permanently up to date in computer technologies and trends. Audit team composition depends on the defined objectives and time of execution.

Five EDP audit investigations were carried out in federal agencies over the last four years. In 1994, an EDP audit was conducted in the Federal Internal Revenue Service. The following year, Saudi carried out an audit survey of the Federal Reserve Information System - Sisbacen. There were two jobs in 1996: an audit survey of the Integrated Human Resources Management System - Siape - and an EDP audit on the Workers' Reserve Fund - FGTS. Last year, Saudi performed an audit survey on the Integrated Foreign Trade System - Siscomex.

EDP audits planned

Audits are planned for other systems like Siape, the Integrated Financial Administration System - Siafi - and the EDP systems environment of the Brazilian Agricultural Research Company - Embrapa.

Last year, the EDP Audit and Audit Planning Division decided to conduct a survey on Information Systems in Brazilian federal agencies in order to create an information database for its work. With this database, which includes information on year 2000 subjects, contact persons and computer resources (hardware, software, networks, Internet and application systems), the division will be able to plan its future audit work in a more realistic way. The division expects to organise all the information by the middle of this year and envisages that this database will be continuously updated by its staff. The first result of this survey will take place this year, when we intend to check, through a short preventative audit, year 2000 strategies and current implementations in different government agencies.

Systems used in EDP audit

TCU has a wide area network (WAN) interconnecting all local area networks (LAN) of state representations to the central site. On this central site, there is a 2Mbps connection to the Internet protected by a firewall. There are about 860 desktop computers and 250 notebooks, most of them connected to the network. Today, there are some systems running on an IBM mainframe, but downsizing will be completed by July '98.

Some systems provided by Seinf support EDP auditing activities. Audit planning and its follow-up are processed by SPA. Common data analysis requirements are met by MS-Access or TabWin (data tabulator from Datasus/Health Ministry). In special cases IS specialists develop analysis routines for both mainframe and microcomputer environments. Most recently, Proaud, installed on notebooks, can be used on location for data entry of standardised audit procedures. Communication with central databases will be available in 1998, via the Internet.

Some systems have been developed to meet specific auditing needs, including SCP (created to control government concessions and permissions) and SCN (to follow up National Congress requirements for TCU). A system called Sainco supports account analysis procedures, providing electronic document storage and workflow.

Country Focus – Slovenia

Although the Court of Audit of the Republic of Slovenia is rather young, the role and importance of information technology is evident, as Dr. Franci Zibert, advisor to the President, explains.

Historical background

Establishment of the Court of Audit

The Court of Audit of the Republic of Slovenia has been operational for about two and a half years. Established by the Law on the Court of Audit in January 1995, it formally began to work in September 1995 - after getting premises, staff and other resources. The Court of Audit is an independent supreme audit institution covering Government accounts, the State Budget and resources expended for public purposes (Constitutional law).

The Rules and Procedures, confirmed by Parliament of the Republic of Slovenia in February 1995, regulate the organisation and work of the Court of Audit. It is independent in the performance of its functions and subject to the Constitution and law. The Court of Audit uses international audit standards and the President of the Court is required to issue auditing standards on the basis of internationally accepted auditing standards (article 20 of Law of Court of Audit).

Scope of Competence of the Court of Audit

The Court of Audit examines the business operations of:

• public-law entities,
• private-law entities, receiving funds from the State Budget,
• other private-law entities, receiving funds from Budgets or from other sources of public finance and
• other entities on which the State holds an interest or is part-owner.

Each year these entities submit, to the Court of Audit, annual business reports with their budget plans and other information determined by the Court of Audit.

The Court of Audit undertakes:

• control of regularity to ensure the economic and effective use of public funds,
• controlling the regularity of individual enactments on the execution of budgets and financial plans,
• pre-audit and audit of financial statements of budgets and other users of public funds, control of the collection of public revenues,
• advising public administration,
• other tasks, provided for by other acts.

The Financial statements of the State Budget, Funds established by the Republic of Slovenia, the Pension and Disability Insurance Agency of Slovenia, the Employment Office of Slovenia and the Health Insurance Agency of Slovenia must all be audited annually.

The Court of Audit's Reports

The Court of Audit shall at least once yearly present the National Assembly with a report on its work. There were more than one hundred audit reports produced in the years 1995 and 1996 and presented to the National Assembly, to the Government and to competent ministries or local government bodies. The reports were on internal control auditing and financial statement audit, and some performance audits were included. The limited time and lack of auditing skills, experienced auditors and supporting personnel resulted in the available auditing time being predominantly spent on auditing wages, salaries and other personnel expenditures' controls.


We are not satisfied with the impact of these reports yet, although the audit results show first signs of improvement in regularity, legality and effective use of public funds. In future the Court of Audit will give greater emphasis to Value for Money audit.

Organisation and composition of the Court of Audit

The Court of Audit has nine Members and is organised according to function. Members are appointed on the proposal of the President of the Republic for a nine-year term. The National Assembly appointed the President of the Court of Audit, the Vice President and other members by secret ballot on a majority of votes of all Deputies. It is required that at least one third of the members shall be Certified Auditors. Each Member organises and guides the work of individual Sections.

In addition to the Members, the Court has 70 other employees at present, the majority of them auditors. The auditors are assigned to one of four grades according to their qualifications and/or experience: trainee, assistant auditor, auditor and senior auditor. All auditors must have acquired a tertiary level of education. To improve audit skills the Court organises seminars (case-studies training) in co-operation with SAIs from Austria, Germany and Great Britain.

Other Court staff belong to an administrative department that performs legal, advisory, administrative, personnel, accounting and computer technical services for all audit Sections.

Goals and objectives of computerisation

In the Court of Audit the "IT" section is part of the administrative section. IT services help ensure that the Court of Audit performs its work more economically, efficiently and effectively. The IT services cover two main areas: automation of the audit process and automation of the administration and accounting functions.

The main objectives of audit automation are:

• performing better quality audits,
• performing audits and performance reports in less time,
• increasing audit coverage.

The principal objectives of the administration and accounting procedure automation are:

• assure timely and accurate information for management and decision making,
• prepare reports needed in time,
• carry out work using the minimum resources necessary.

In the Republic of Slovenia the Government is responsible for the computerisation of budget users. Budgets for information technology, software and hardware, equipment maintenance and personnel training are all centrally planned. IT budgets should be used in accordance with the Government plan of providing information links for all users. Proposals for IT budgets are prepared by the Government Information Technology Centre. They also enhance the IT plans of the Ministries, Agencies, National Assembly, National Council, the Constitutional Court, the Court of Audit and the Ombudsman.

Based on the individual information technology programmes the Government Information Technology Centre prepares an annual budget. For the year 1996 about 0.4 per cent of the funds for central budget expenditures was provided for information technology, while the Court of Audit devoted 3.7 per cent of its expenses to computerisation.

The diagram opposite presents the structure of information technology in the Court of Audit of the Republic of Slovenia.

The "IT" strategy

Computerisation in the Court of Audit started in mid-1995s, initially with the assistance of external consultants and with an in-house IT specialist. In May 1995 "The Technical Requirements for Local Computer Network in the Court of Audit" was created, consisting of the following steps:

• development plans strategy,
• hardware definition (DOS-based IBM-compatible PCs),
• software definition (MS Office - Word 6, Excel 5, Lotus Notes),
• procurement strategy for hardware and software,
• training strategy.

The importance of training was recognised and two fundamental principles were accepted:

• in-house training for implementation of software packages,
• external training courses lasting from 2 to 5 days for small groups of trainees.

At the Court of Audit every employee uses Microsoft Office for task processing; this includes Word, Excel, PowerPoint and Data Analyser. Lotus Notes is used for electronic mail.

The software package IDEA is currently in the testing phase. Using this tool in auditing could increase the quality and the effectiveness of our work.

The Lotus Notes application Project management (in implementation phase) enabled the standardisation of audit project planning, budgeting, reporting and monitoring the auditing process.

The Court of Audit has an Internet connection and a homepage is in preparation.

Auditing and Computerisation in New Zealand (Part 2)

Mark O'Conner, Director of Information Systems Audit

This is the second of two articles (the first appeared in Edition 6 of intoIT) where Mark O’Conner - Director of Information Systems Audit looks at computerisation of public sector organisations audited by the Office of the Auditor General of New Zealand. This article focuses on the use of Computer Assisted Audit Techniques (CAATs) and auditing of information systems. It identifies some key areas where improvements to EDP/IT auditing may benefit other SAIs.

CAATs and Auditing of Information Systems

Current status and importance of CAATs and audit of IS

During the course of the attest audit, there may be areas identified where the interrogation of client data produces benefits to the audit. These are usually in the areas of financial accounting; however, there are situations such as the Inland Revenue Department where the CAATs we have developed and run are of benefit to the auditee.

The computer based tools available to our auditors for performing CAATs are spreadsheets (Lotus 123, Excel and Quattro Pro), flowcharts (ABC Flowcharter) and statistical packages (SAS). Attest auditors make extensive use of spreadsheets in the analytical review of client financial data and flowcharts in the documentation of significant applications. The use of SAS as an interrogation tool has generally been confined to IS Audit Specialists, who develop, test and run CAAT programmes under the direction of attest audit supervisors. However, responsibility for CAATs is progressively being transferred to operational auditors with support and quality assurance being provided by IS Audit.

Frequently used CAATs

The following is a list of the types of CAATs we have developed to assist our attest auditors. They have for the most part been developed in SAS and libraries of all programs are maintained for future use.

General

• Key item selection
• Re-calculate totals and sub-totals
• Summarise by category/type etc. and reconcile to the General Ledger
• Test for unusually large amounts or unusual classifications etc.
• MUS, systematic, stratified, random sampling

Cash Receipts/Disbursements

• Test for missing and duplicate cheque numbers
• Test for duplicate payments

Payroll

• Test for salary changes, ex-gratia payments, overtime etc.
• Test for new employees and terminations

Sales and Debtors

• Test for debtors exceeding their credit limit
• Test for new large volume accounts
• Extract accounts with large overdue amounts
• Check debtors ageing
• Test for missing or duplicate invoice numbers
• Test for unusual discounts etc.
• Sort and summarise by type of account, type of security etc.
• Extract accounts with credit balances

Inventory

• Extract obsolete or slow moving items
• Test for duplicate stock items
• Re-calculate stock values by multiplying unit price by quantity

Fixed Assets

• Re-calculate depreciation
• Extract purchases and disposals
• Test for write-offs and revaluations

General Ledger

• Re-perform/re-calculate Income Statement, Balance Sheet etc.
• Test for unusual and/or large journal entries
• Summarise by output code
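
Three of the tests listed above (missing and duplicate cheque numbers, duplicate payments, and unusually large amounts) are sketched here in Python as an added example; it is not the Office's SAS code. The record layout, field names, sample data, 30-day window and 1000.00 threshold are all assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import date
from decimal import Decimal


def _p(cheque_no, payee, invoice, amount, paid):
    """Build one disbursement record (layout is an assumption of this example)."""
    return {"cheque_no": cheque_no, "payee": payee, "invoice": invoice,
            "amount": Decimal(amount), "paid": paid}


# Constructed sample cash-disbursement file, not real audit data.
PAYMENTS = [
    _p(1001, "Acme Supplies", "INV-17", "250.00", date(1998, 3, 2)),
    _p(1002, "Borough Water Ltd", "BW/441", "1200.00", date(1998, 3, 3)),
    _p(1004, "Acme Supplies", "INV-18", "90.50", date(1998, 3, 5)),
    _p(1004, "City Print", "7781", "410.00", date(1998, 3, 5)),
    _p(1005, "ACME SUPPLIES", "inv 17", "250.00", date(1998, 3, 20)),
    _p(1007, "Borough Water Ltd", "BW/450", "1200.00", date(1998, 3, 10)),
    _p(1008, "City Print", "7790", "410.00", date(1998, 6, 30)),
]


def cheque_sequence_exceptions(records):
    """Return (missing, duplicated) cheque numbers within the observed range."""
    counts = Counter(r["cheque_no"] for r in records)
    if not counts:
        return [], []
    lo, hi = min(counts), max(counts)
    missing = [n for n in range(lo, hi + 1) if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated


def normalise(text):
    """Upper-case and drop punctuation/spaces so 'inv 17' matches 'INV-17'."""
    return "".join(ch for ch in text.upper() if ch.isalnum())


def duplicate_payments(records, window_days=30):
    """Flag pairs of payments to one payee that look like the same debt paid twice.

    same_invoice: identical (normalised, non-empty) invoice reference.
    same_amount_close_dates: different reference, equal amount, paid within
    window_days of each other. Pairwise comparison is quadratic per payee,
    which is acceptable for the per-payee group sizes of a ledger extract.
    """
    by_payee = defaultdict(list)
    for r in records:
        by_payee[normalise(r["payee"])].append(r)

    findings = []
    for rows in by_payee.values():
        rows = sorted(rows, key=lambda r: (r["paid"], r["cheque_no"]))
        for i, a in enumerate(rows):
            for b in rows[i + 1:]:
                pair = (a["cheque_no"], b["cheque_no"])
                ref_a, ref_b = normalise(a["invoice"]), normalise(b["invoice"])
                if ref_a and ref_a == ref_b:
                    findings.append(("same_invoice", pair))
                elif (a["amount"] == b["amount"]
                      and (b["paid"] - a["paid"]).days <= window_days):
                    findings.append(("same_amount_close_dates", pair))
    return sorted(findings)


def key_items(records, threshold="1000.00"):
    """Return cheque numbers of payments at or above the threshold amount."""
    limit = Decimal(threshold)
    return sorted(r["cheque_no"] for r in records if r["amount"] >= limit)


if __name__ == "__main__":
    missing, duplicated = cheque_sequence_exceptions(PAYMENTS)
    print("missing cheque numbers:   ", missing)
    print("duplicated cheque numbers:", duplicated)
    for rule, pair in duplicate_payments(PAYMENTS):
        print("possible duplicate payment:", rule, pair)
    print("key items:", key_items(PAYMENTS))
```

Each finding is an exception for the auditor to follow up against source documents, not a conclusion in itself.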

Recommendations for better EDP/IT Auditing

Improving Account Balance Verification

The audit approach we have adopted facilitates effective and efficient delivery of high quality services to auditee organisations. It provides a framework so that a consistent process is applied to all audits. The approach encourages flexibility and innovation in order that the most effective and efficient audit approach is developed and applied. This is based on timely Director involvement, professional judgement and audit team input. The approach is a means to an end and not a set of rigid instructions that should be followed without the use of judgement. As such our approach is evolving all the time to ensure it remains effective and efficient in order to satisfy the core audit objectives. Account balance verification procedures therefore are also changing over time.

The key features of our approach are:

• an emphasis on obtaining a thorough, up-to-date understanding of the auditee's business and sector and of its management control environment (including the information system environment). This helps to identify potential areas of risk,
• an account balance and performance measure focus that enables quick identification of significant accounts, significant performance measures and high-risk business activity areas,
• integration of the impact of information systems in recognition of their use in most businesses today by involving Information Systems Audit in the audit planning process,
• a risk assessment process that provides the basis for planning and selection of appropriate audit procedures.

Wider use of CAATs

Greater and more innovative use of CAATs is considered critical to realise audit efficiencies. In organisations that develop enterprise-wide open systems or utilise advanced technology the use of CAATs could be the only way to maintain satisfactory coverage where it is increasingly harder to identify boundaries. As a result it will become more cost effective to invest in the development of CAAT programs as a means of identifying and assessing risk. It is essential that good documentation is created for all CAATs developed as significant benefit can generally be obtained from their use in subsequent years. Standards need to be developed and observed to ensure CAATs can be used efficiently in the future.

Specialist CAAT development applications such as ACL and IDEA, along with more general interrogation tools such as SAS, will be essential. The investment in the development of in-house CAATs applications is not a cost effective or practical alternative as risks such as obsolescence, unwarranted reliance, and ongoing maintenance and support issues are presented. Packaged applications are viewed as the only solution for CAAT development.

In order to extend the use of CAATs the responsibility for their development needs to be moved from being seen as belonging to IS Audit to being owned by the audit teams themselves. The teams are in the best position to identify potential audit risks and thus areas where the wider use of CAATs could be of assistance. It would be logical for the audit teams to take responsibility for CAAT development as long as appropriate instruction and guidance is provided. IS Audit could then concentrate on providing training and support, quality control, and undertake specialist/complex assignments. IS auditors are limited in their ability to identify where CAATs could be beneficial if they are only seen as an expert resource that is called upon to give assurance in a defined area.

Auditing Information Systems

Rapid change and continuous improvement are daily challenges to all organisations. Advances in technology are having, and will continue to have, a significant influence on business activities. In order to react quickly and compete in this dynamic environment, organisations are pursuing comprehensive, flexible systems and processes. Information needs to be freely available and accessible on a timely basis. These issues consequently will have some impact upon audit procedures, particularly in regard to information systems.

Changes to auditee information systems environments will be progressive, so the audit approach adopted will need to be progressively modified to ensure adequate coverage of the risks presented by these changes. The changes in audit approach are likely to be small in nature but occur at regular intervals. One area of the approach that is likely to change is from auditing at a point in time to establishing regular monitoring routines that enable ongoing analysis of key audit objectives and business changes. The use of CAATs could assist the auditor with this continuous auditing approach.

Modernisation and Development at the Court of Auditors of Portugal

The Court of Auditors (COA) is a century-old institution where modernisation and development are terms that still have a strange ring to some ears. A few years ago, the COA and state-of-the-art computer technology were in fact incompatible. However today… well, today even writing about ourselves seems to be a thankless task, not because we dislike sharing our experiences but because the enthusiasm shown in narrating our achievements always incurs the risk of sounding pretentious. For this reason we have produced this simple testimonial of the short but arduous journey we have been undertaking.


From the modern typewriter...

"Sir! I've got the most modern electric typewriter in the Directorate General! I love typing with it! Please don't take it away from me!"

This was one of the first reactions to the change, when only 10 years ago, a plan to introduce modern computer technology into the COA was implemented! This example does however introduce false generalisations. There was, in fact, already a patently obvious desire for technological (and organisational) modernisation at the time. This desire has continued since then, together with an active and generalised search for, and acceptance of, computerised tools.

The example does, however, illustrate another truth. Electric typewriters were a rare commodity within the Directorate General of the COA at the outset of 1987. Mainframes, minis, micros, terminals and printers, not to mention word processors, represented another entirely unknown and uncharted world. And remember that we are talking about one of the oldest State bodies in Portugal, where in 1987 like today, hundreds of files and processes are analysed daily.

From a situation of such clamorous technological backwardness in 1987, to one of the largest computer networks in the public administrative sector in 1997, is certainly a feat and a wealth of learning experiences which are modestly and briefly described as follows.

...to computerised audits

No, we are not yet equipped either with tools or sufficient know-how to carry out computerised audits of public accounts. Even less so, to audit the computer systems which support them. The very methods used by the technicians of the COA Support Services in the implementation of audits are themselves undergoing development and are still under experimentation. The use of computer technology has so far been limited to productivity tools (that is, word processors, spreadsheets etc.) installed in portable PCs.

However, the possibility of computerised audits does loom on the horizon of real possibilities as a result of the enormous technological infrastructure and noteworthy human assets with their accumulated knowledge, both computer and audit wise, within COA.

There is still a long way to go. But we cannot, nor do we wish to, make the journey alone. We thus sincerely wish that the Reform of the Financial Administration of the State currently underway, as well as the computerisation of the budget management information system which supports it, will provide one of those privileged occasions for technological modernisation and co-operation among the agents interested in the "public thing".

A Computer Park without a Computer Centre?

Well, yes! With a Computer Park which will make all the Technological Information Managers of Public Administration writhe with pure green envy (4 departmental systems, 3 Unix and 1 Windows NT, 441 microcomputers, 155 laser printers, among other units, all connected through a local network and exploring data bases with hundreds of thousands of entries), our centre is not quite a Centre nor a Service. With one single appointed Management position, but with no appointed Systems nor Network nor Communications nor Data Base Managers but with 9 senior computer technicians, 3 systems operators and 13 non-computer personnel (that is, not integrated into information technology careers but carrying out responsibilities in the areas of application development and technical support for users). It happens!

Development of Information Systems: 3 Senior IT Advisors, 1 IT Advisor, 3 Assistant IT Technicians
Systems Administration: 1 Assistant IT Technician, 1 System Operator, 3 Administration Clerks
Technical Support for Users: 1 IT Advisor, 3 Administration Clerks

Never mind the numbers, it's the team's quality that counts

The efforts made by the COA over the last 10 years and especially over the last 5years in the acquisition of computerised equipment for its Park is noteworthy. It isfirst and foremost a notable financial effort (involving hundreds of millions ofescudos), but it means above all that there is an accelerated absorption of technologyby an institutional environment, which is itself undergoing a process of change andmutation.

Changes which, over the last ten years, have witnessed the substitution, of practicallyall of the Judges (a normal process), a new organic law of the Court (that of 1989, the1997 law published just published on the 26th August...), the eternal wait for a re-structuring of the Support Services (for over 20 years no changes have been made inca-reer structures nor in the legal organisation of departments, but this law is alwaysalmost, almost ready...), the establishment and implementation of the RegionalDepartments of the Azores and Madeira...the move and expansion of the Headquartersof the Court and, above all the consolidation of new control methods, especially foraudit.

This means, in fact, that there has been an accelerated increase in the capabilities and autonomy of automatic data processing - an increase which, while notable for hardware, is still more so for software which is licensed, studied and applied by over four hundred users.

Software which is not limited to mere micro-computer programs for Windows 95 with Office 95 and Unix with Oracle, evolving this year to Windows NT and Office 97, but also covers a whole series of applications within the realm of case monitoring and data processing of legal information, as well as the management of human, financial and material resources and the planning and control of activities.

The software has mostly been developed in-house, is tailor-made and subject to an on-going evolution in compliance with the needs of the users. This represents a source of technical autonomy for the Court in such a highly sensitive area as that of information and communication technology.

It must be stressed that it was only as recently as five years ago that information technology at the COA began to pass the phase of mere micro-information solutions (isolated PCs), destined for integration into a network of the said solutions, as well as explore centralised or client/server solutions provided by data bases connected to UNIX servers which had in the meantime been acquired.

Nowadays the IT park has the problem of being almost obsolete in view of the unstoppable technological progress of equipment and the ever increasing demands of logistic support. This obsolescence will nevertheless be "naturally" overcome, given the high level of commitment on the part of all those responsible and the healthy level of demands from the IT users, which will oblige the computer park to continuously renovate and expand.

On the other hand, the high level of computerisation of work stations (at a rate of over 80%) has produced an effective computerisation of the Court's information systems. With all operational or organisational areas using applications or an intensive use of productivity tools, irrespective of their coverage or responsibility for their development (computer technicians, users or external suppliers).

We thus have considerable computer resources and computer personnel qualified in the development of data base applications for different environments, including CASE tools; we directly manage an enormous and complex computer park; we respond to many users on a daily basis, in addition to guaranteeing their training in the field of computers - yet the Diário da República as yet makes no mention of the existence of an organisational unit responsible for such tasks!

How do we do it? Simply because the pressing needs imposed by the modernisation and development of the Court of Auditors are superior to those political and legal omissions for the restructuring of its Support Services? Simply because there is a strong commitment on the part of those responsible to maximise the Court and its Directorate General? Simply because we have highly motivated computer technicians and users?

Well, let's see!

Developing Information Technology without computer technicians?

Such tremendous development could certainly not have taken place without the existence of a minimum organisation of the computer function! In 1986, at the outset of the studies on computerisation, the Court established a small Organisation and Computerisation Nucleus, comprising three requested technicians whom, on 12 July 1991, the General Plenary of the Court of Auditors later recognised internally as the Organisation and Information Technology Service (SOI). Devoid of a formal organisational structure but with senior computer technicians and systems operators on the staff and legally approved in 1987, the SOI has progressively been reinforced in human resources, particularly over the last seven years. During this time it has not lost one single member, a rare thing indeed, and now boasts 9 senior technicians and 3 systems operators.

While it did not exist as a legally recognised organisational unit, the SOI did not provide any senior management position until 1995 (it now has one), nor specific job categories such as those of Systems or Data Base Management, and so these positions and the ensuing, obviously indispensable, responsibilities were informally taken on by computer technicians who received no benefits in return.

With the additional aggravation that the operating systems and the programs which were originally installed (the computer network became operational on 2 July 1992) and developed over the last five years were, until then, practically unknown, with very little practical know-how on the part of the computer technicians. Implying the additional efforts and responsibilities they contributed!

The least one can say about such a team is, and this must be admitted, that they are simply fantastic!

User's support by...users

When about six years ago various measures were implemented with an aim of revitalising the information technology process, one of the questions raised which most worried those responsible was precisely how to reconcile the need for an increase in the rate of application development, the number of computerised work stations and the training and direct support for users of those applications, including the use of word processing programs, spreadsheets and data bases on micro-computers, with the reduced number of computer technicians at that time who carried out those tasks.

The idea was for SOI to recruit those users who, in addition to some knowledge and experience of programs in use, showed a strong interest in computer tools and were highly motivated to continue further professional development in this field.

This experience still continues today and has even been reinforced as it is deemed to be highly positive. As a result the SOI now has 12 permanent non-computer staff (considered as a sort of super-users), who, in addition to providing technical support for other users, also co-operate in the installation and configuration of PCs, printers and programs, thus substituting or complementing almost totally the work of the senior technicians in the field of micro-technology. Such is the level of experience and the know-how they have acquired that they also help in configuration and installation of network adapters, memory, detection of breakdowns, macros and application development.

From one extreme to the other...

no Plan!

One of the reasons, then, why the COA has become computerised at such a speedy rate is because it was capable of concentrating (centralising) a reasonable number of human resources exclusively focused on the computerisation development of the services!

This substantial concentration and effort must be highlighted. The number of SOI staff members has almost tripled over the last seven years, although some were already employees of the Support Services (representing a type of "recycling of household goods") and ten members are employed on temporary contracts.

But in addition to people, who are the main resource, one must also know what to do with them, how to organise them and how to fit them into the objectives of the organisation they are part of.

Well, in this case... we have in fact had a mid-term plan in the past, ostentatiously entitled the Plan for the Organisational Information System of the Court of Auditors 1987/89.

For various reasons, perhaps the same as always everywhere, the said document did not come to be the guideline for computerisation at that time, but continues to be, in spite of everything, the framework for the development of the information systems architecture as originally outlined!

After this no more strategic plans were produced but there have been ideas! Ideas such as how to integrate the development of information systems. Ideas as to the priority of the development of applications. Ideas as to the informal organisation of SOI. Ideas which have been carried out! In fact the projects (and there are many) have advanced at a hallucinating pace, which although not fast enough for the users (it never is...) have nevertheless certainly kept all SOI human resources effectively active.

[Figure: Information Systems of the Court of Auditors. Resource Management Systems (Human; Financial; Material and Property); Bibliography and Documentation; Legal information; Procedural Management Systems (Seal; Accounts; General).]

All of the Court's Information Systems will be wholly integrated and computerised in essence by the end of 1998. Most of the development of these systems took place internally. This is in itself a guarantee for the COA that it is completely autonomous in this area, which allows for fruitful future interaction between the tools and audits themselves.

A risky conclusion: major elaborate plans may not be necessary for such complex projects as that of the Court of Auditors, if there are responsible people and highly committed technicians, who know the organisation of which they are a part and are capable of developing partial solutions which do not challenge a global solution. That is, when the maxim of "think global, act local" is applied with some commitment, method and structure. But is this the best way?

Methods: Don't adopt, adapt them!

What if we don't even adapt them?

We are precisely the people who a few years ago defended the imperative need for strategical planning of organisations, of systems and technologies for the support of the said strategies, the adoption of discerning methods for the management and development of computerisation projects. Nowadays, without defending the contrary, we find ourselves unable to answer the question as to what methodology we used in this or that phase of development of everything we have done over the last few years! We have the sensation that the method used was certainly one that involved an amalgamation of everything that we had learnt along the way as we were subjected to the various methodologies, fashions and trends.

Only a few certainties remain from our COA experience: user and management participation and responsibility from the very outset, in the conception and development of applications; the quickest possible development of partial prototypes of the applications so that requirements can be tested; the use of sampling techniques and methods which lead to quicker palpable results for the user; a certain amount of care in elaborating the documentation (which is essential when the user begins to explore the application). To summarise in just a few words - before, during, after and always the user first!

Suppliers: the bad guys…

or business partners?

Between "inventing the wheel" and outsourcing of IT solutions we opted to experiment with intermediary options.

Generally speaking, all the applications in use at the COA are similar to many available on the market or within the Administration itself (resource management, case monitoring, legislation and jurisprudence). However, there are many differences from one audit department to another (our basic organisational unit) and the concrete information needs are so dynamic that we were quickly convinced that adapting, configuring and updating any already market-available program whatsoever would never fully meet our needs, besides which it would place us in a situation of dependence or give us less flexibility (we had in fact some less positive experiences with the external acquisition of software).

On the other hand, the limited or non-existent experience of relational data bases and the respective development tools of the computer personnel (in 1992) raised delicate problems of compatibility between the training needs for all the technicians and the necessary experience, and the pressing needs of some application development projects and the personnel already available at the time.

Given that the best way to learn and use the new tools was to use them, the strategy adopted was that of "inventing the wheel", or rather, applying the know-how obtained in the basic training provided by suppliers, and developing projects which were of a concrete interest, even though they might be applications which the market would probably be able to provide or develop faster, although with less flexibility, in the near future.

This resulted in the accumulation of knowledge and experience to such an extent that at this moment the COA is endowed with a remarkable technical autonomy in the development of its own information systems.

But we did not aspire to inventing the wheel completely on our own! And this is where our suppliers play an irreplaceable role. On one hand they supplied the basic training, on the other they actively participated in some projects. Not with the intent of doing it all themselves, but rather side by side with the Court technicians responsible for the project in question. With only a few days of consultancy, some of the projects progressed in leaps and bounds, resulting in the production of prototypes that were then used as a basis for the independent development of applications. The result was an unparalleled level of know-how and, at the same time, co-responsibility of the supplier in the quality of the application.

This idea of our suppliers as "business partners" had been a dominant requisite laid out in the Requirements that served as a basis for the Public Procurement 1/91 (for the acquisition of a computer network), sharing the responsibility for the success of the computerisation project.

Procedures of change: Changes of procedure

How many times have we heard it said that procedures must be rationalised before they are computerised? But if we computerise them rapidly, almost as they are, would it not then be easier to convince the users (better yet, its managers) to re-think certain procedures and tasks in light of the technical evidence that they can be carried out in a totally different way?

The COA's experience in this field is rather distorted, in that the subject of reorganisation and the restructuring of the Support Services have been rather dependent on other external variables.

It can be said, however, that the change in procedures which is underway, far from being imposed, has been happening almost naturally, either on the suggestion of the computer personnel with the desire to rationalise situations, or by insistence of the users themselves when they realise that their own work can be greatly simplified.

The involvement of the users and the respective managers in the development of the applications thus results in a privileged opportunity to rationalise methods and procedures, in that it is much preferable for the process of change to originate from those who are most interested in the change!

The good relations established between the computer technician and the future user have led to the situation where what is ready to change, changes, and what isn't ready... well... (better days will come!)

Of course we are talking about small changes in procedures, not about global and intentional changes in the organisational culture! In the case of the latter, technological solutions may prove to be just one more of the problems rather than a solution.

But changes will come... so they will!

The future: everything... has yet to be done!

By the end of 1998 practically 90% of all of the COA's information systems will be computerised. What then does the future hold? Everything!

The development of new, far more integrated versions of existing programs and the articulation of the various information systems (Legislation, Jurisprudence and Doctrine, Management Planning and Assessment and Procedural Management, for example).

Automatic settlement of Management Accounts, the Consolidation of the General State Account and the Social Security, Expert Systems of legal analysis on administrative acts, etc.

And what about technical co-operation between all the public and private bodies, whether in the realm of information technology or the realm of public state audit (internal and external) or whether still, in the field of production and distribution of legal information and jurisprudence?

And when will electronic mail and EDI start being officially used at Public Administration level?

We will certainly not be short of work nor co-operation opportunities... until the next century!

Millennium Update

John Thurley from the UK National Audit Office discusses the growing awareness by Government and the business community of the potential problems of the "Millennium Bug".

John Thurley has worked with computers for 18 years, building NAO systems, reviewing client systems and training users. He has been fascinated by data communications since 1979, when the NAO installed its first LAN and WAN.

Perceptions of the problem are changing

The Millennium Threat is no longer regarded by most people as purely an IT problem and increasingly there is much more focus on the "business problem". People in both the public and private sector recognise that the date change may impact areas of the business well outside the traditional IT departments. There are two major areas here:

• Embedded systems. Many pieces of equipment in everyday use, vital to the delivery of business objectives, contain microprocessors which may not work accurately. For example, medical equipment, weapons systems, safety equipment and manufacturing process control systems may all be affected.

• Third parties. Most organisations depend on uninterrupted supply of goods and services. Ensuring that your own systems are compliant is not enough: failures in business partners whose systems fail may have a serious impact. For example, most organisations depend on suppliers of electricity, telephone and banking services, as well as on their customers to maintain a cash flow.

UK government at its highest levels is beginning to take a holistic view of the problem, the impact it might have on the UK as a whole and what should be done to minimise that impact. They have commissioned a report which will take a view of key sectors of the economy and national life, including power generation & distribution, communications, public safety, health, tax gathering and welfare benefits.

NAO Report

The NAO published its second report in May 1998 - Managing the Millennium Threat II. This was a traditional audit report aimed at informing the UK parliament and citizens on the state of preparedness of the NAO's client base. It looked at progress:

• Across the UK central government as a whole and

• In two branches in particular - The Department of Social Security (DSS) and National Health Service (NHS).

The report concluded that:

The costs are growing slowly as managers understand the scope of the problem. There was a 6% increase in estimated costs in 6 months.

Deadlines are lengthening - an increasing number of government bodies expect to finish their work later than June 1999 (and how much time does that allow them to correct any unexpected problems?)

There is only patchy monitoring of the public sector as a whole. As yet there is neither an assessment of the likely impact of failure of key elements of public service, nor any action plans to cope with such failure.

Work on embedded systems, and interfaces with suppliers and customers, is falling behind work on IT systems.

There is only a little evidence of resource or skill shortage, contrary to expectations. A lot of reprioritising is going on however.

Not all departments recognise the need for robust contingency plans, and few have such plans in place yet.

Strong project management is essential to meet the tight deadlines.

Progress in the NHS (a highly decentralised organisation) has been slower than in the DSS (a centralised one). The NHS was slower to institute strong project management techniques and now faces a challenging task to ensure that health services are capable of continuing over the millennium.

The report made a number of recommendations to improve performance and minimise risk.

For departments and agencies as a whole:

• Ensure the scope of their projects includes all business risks

• Take account of risk factors, such as shortage of skilled staff

• Prioritise action according to the impact of failure on critical business functions

• Draw up contingency plans

For the centre of government, where there is a monitoring and advisory function:

• Improve monitoring

• Target contingency planning

For the National Health Service:

• Maintain close monitoring by the central bodies

• Put in extra effort to ensure family doctor services are not disrupted

• Regularly review resource needs

Work of other SAIs

At the time of writing (June 1998) we know of six Supreme Audit Institutions which have published reports and other material on this subject. The complete list is already too long to publish here, but some summary details are given below.

Just when you thought it was safe to go back in the water…

In the course of researching the NAO report, we came across an interesting paper from Dr DM Foreman, a Senior Lecturer in Psychiatry. In this he argues that the year 2000 is a cultural as well as a technological event. The millennium has a cultural importance across the Western world, and the year 2000 is seen if not as "the end of time" then at least as somehow special even to the most rational of people. He warns of two categories of problems:

• Deliberately fomented millennium problems such as computer viruses and other attacks on computers by people who think that technology ought to fail at the millennium or by people with their own political or religious agendas who wish to stir up and / or take advantage of turmoil. Groups who expect the world to end (in some way) are at the extreme fringes of this group.

• Expectations that any problems occurring over the century date change must have been caused by the Millennium Threat. He warns that health services may well be stretched by sincerely made but mistaken claims that normal tragedies have been caused or worsened by the failure of health care management to take appropriate steps to "deal with the problem".

You have been warned!

National Audit Office, Australia. Report, December 1997: "Managing the Year 2000 Problem - Risk Assessment and Management in Commonwealth Agencies"

Office of the Auditor General, Canada. Report, October 1997: "Information Technology: Preparedness for Year 2000"

National Audit Office, New Zealand. Report, December 1997: "Is The Public Sector Ready For The Year 2000?"

Auditor General, South Africa. Report, March 1998: "Impact of the Year 2000 on Computer Systems in National Departments and Provincial Administrations"

National Audit Office, United Kingdom. 2 Reports, May 1997 & May 1998: "Managing the Millennium Threat"

General Accounting Office, United States of America. 40+ reports, testimonies and evidence. 2 Guides: "Year 2000 Computing Crisis: An Assessment Guide" and "Year 2000 Computing Crisis: A Testing Guide"

If the work of any SAI has been overlooked here the author would be happy to apologise and grateful for the chance to update his list of publications.

Using IT Techniques in Forensic Audit

In a recent case of fraudulent transactions in a government department of nearly seven thousand million Rupees, the author of this paper and his team were called upon to verify and analyse a large volume of information and subsequently to investigate and establish the fraudulent nature of certain transactions. This paper discusses under the following main sections how a breakthrough was achieved in this audit by the use of information technology though there was no EDP environment in the auditee units.

1. Nature of the fraud and its concealment.
2. Audit in the absence of EDP environment.
3. Creation of a database and its use.
4. Results of audit of various aspects of the fraud based on the database.

The fraud and its concealment

Designated officers of a department, called Drawing and Disbursing Officers (DDOs), who are authorised to draw funds from the government treasury for budgeted activities, withdrew huge amounts of public funds on the basis of fake claims (Bills) for fictitious supply of medicines, animal feed, medical equipment and sundry other articles. Treasury officers did not check budget provisions or the authenticity of the Bills before payment. The budget controlling officer of the Department provided cover to the fraudulent withdrawals by under-reporting and misrepresenting the volume of expenditure. The head of the Department concerned facilitated the illegal withdrawal of funds by persistently failing to investigate the huge excess withdrawals over budget allotment.

The treasuries used various pretexts to avoid sending the vouchers (paid Bills) for several years to the office of the Accountant General who compiled the accounts. As a result, the payments by the department concerned were not included in compiled accounts of the Government for many years. Records in the DDOs' offices could not be audited by the Accountant General as they did not provide records to the auditors.

Task before audit

When the vouchers were obtained from treasuries for compilation of the appropriations under the budget heads, it was discovered that significant withdrawals over the budget provision of the department were made by DDOs over several years.

Preliminary scrutiny suggested that various levels of government had facilitated the illegal withdrawals of funds by DDOs and the Treasury Officers had overlooked all prescribed checks and concealed information from the accounting and audit offices.

Hence an investigation into the subversion of the financial and administrative controls and systems at several levels of government, DDOs' offices and treasuries was necessary. This called for detailed scrutiny of transactions in the treasuries located at District Headquarters throughout the province and over many years. The following information was also required:

a) Analysing how suppliers obtained payments without supplying goods and how much was paid to them.
b) Documenting the subversion in the system of approval of supplier's Bills by the DDOs and payments in the treasuries.
c) Analysing the nature of manipulation of accounts and budgetary control mechanism and reporting system to conceal the fraudulent transactions.

CAG decided to create a database

Records and accounts in the treasuries and offices of the DDOs were manually maintained. The Accountant General compiled accounts from the vouchers received from the treasuries, but supplier's invoices were not compiled in accounts. The format of accounts exhibited expenditure according to budget heads but did not include DDO details of withdrawal of funds. Since the information of withdrawal of funds by DDOs was essential for understanding the extent of involvement of each DDO in the fraudulent transactions, examination of a very large number of paid bills (vouchers) and supporting invoices relating to each DDO was essential.

It was in this context that this innovative application of information technology assumed importance. As a number of personal computers were available within the office, C&AG of India decided to create a database by capturing information contained in the vouchers. Based on a careful study of the information contained in the supplier's invoices (sub vouchers) and the paid bills (vouchers), their relevance and utility for possible audit inquiry, a team of officers selected various fields for creating a record. A database with 3.05 million records each with 22 fields was prepared in the office of the Accountant General who compiled the accounts of the state and thus had all the vouchers under his custody. The database contained in a combined form financial and other statistical information on which application of computerised auditing techniques was possible.

Financial information

The vouchers, i.e. the bills of DDOs, yielded information about who was withdrawing the bill, the amount of withdrawal, allotment of funds, mode of payment, classification of the expenditure as per the accounts and the budget head, treasury from where paid, the date of the submission of the bill and the date of payment. This helped in segregating DDO information of withdrawals, period and quantum of withdrawals.

Statistical information

The sub-vouchers, i.e. suppliers' invoices attached to the vouchers, yielded statistical data showing: rate, total price, quantity, item, date and mode of supply and the consignees who supposedly received the goods, a profile of the supplier's turnover for several years, details of the payments received by him on a day to day basis against each item of supply and the order numbers against which the fake supplies were supposedly effected. They also yielded data about the address of the suppliers showing the location of their offices and the details of their registration with the income tax and sales tax authorities.

Getting data to the auditor

Thus a limited but very useful EDP environment was created in the Audit Office on the basis of the vouchers available. The auditors now had unfettered access to a database exclusively at their disposal. The database was accessible on a DOS operating system and could be transported on floppy disks to locations required by the auditors. The auditors could access the database through specific but simple applications. The creation of the database overcame the difficulty caused by the absence of mechanised accounts or computerised records in the auditee offices and enabled the extraction and analysis of data in a confidential and interactive environment by the auditor.

Critical points of investigation

The database provided an opportunity for conducting various substantive tests including totalling the whole population, selecting and testing a sample of transactions and testing routine and exceptional transactions such as excessive amounts. These tests enabled audit to establish the critical points for detailed scrutiny and field investigation of records other than vouchers to arrive at various conclusions.

Database tests yielded dramatic results

Substantive tests of the database provided dramatic results. In conducting tests of reasonableness, the auditors benefited from the quantities and other information contained in the database. Compliance tests of proportional distortions, such as the withdrawal of huge funds from a small office or consumption of huge quantities of fodder and medicines by the animals, revealed the breakdown and subversion of approval and payment systems. Many interim reports were generated by manipulating various fields of the database either individually or in combination with other fields using simple query designs such as:

i. Yearly, monthly and date wise withdrawals of funds by DDOs from each treasury against fake supply bills and

ii. Monthly withdrawals of funds by each DDO analysed by scheme and object.

These tests yielded information depicting alarmingly large and frequent withdrawal of funds in a span of only a few days against relatively small schemes and programmes. When matched with the orders for fund flow arrangements and the budget allotments, the database results pointed to the enormity of the illegal withdrawal of funds and the complete flouting of existing instructions.

Other reports indicated:

i. Huge purchases of medicines, feed/fodder and artificial insemination equipment etc. were incongruous with the population of animal farms of the department.

ii. Grouping of withdrawals by category, i.e. feed, medicines, equipment and other contingent expenditure, showed enormous distortions against the proportional allotment of funds against these items.

Results of these tests were examined against the norms of expenditure for various items like feed, fodder, medicines etc. and the delegated power of purchase of the DDOs. The results showed total subversion of all internal controls and procedures in respect of payments, expenditure control, purchase of stores and maintenance of accounts.

Fraudulent Allotments

The fraudulent transactions were facilitated by use of fictitious allotments in the Bills presented to the treasury. The database provided detailed information about allotments quoted in the bills enabling the following analyses:

• Maximum and minimum ranges helped to locate very large figures of allotmentand indicated the fictitious nature of such allotments.

• Linking of allotment figures by voucher and date revealed how one allotment wasused for multiple withdrawals of funds and highlighted the absence of check ofallotment figures in the treasuries when allowing withdrawals.

• Pattern of expenditure against allotments showed that these fictitious allotmentswere a mutually worked out limit of withdrawals by the suppliers in collusionwith DDOs.

Cross checks of these findings with the departmental records established that suchallotments were either not issued at all or were issued for a lesser amount but werewrongly quoted by the DDOs. Access to the total population of allotments through thedatabase made audit conclusions concrete and fully evidenced.
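The allotment tests described above can be expressed as two queries over a voucher table. The following is an added illustration, not the auditors' own database or code; the table layout, DDO codes, allotment references and amounts are all constructed assumptions.

```python
import sqlite3

# Constructed sample data: column names, codes and amounts are illustrative
# assumptions, not values from the audit described in the article.
VOUCHERS = [
    # (voucher_no, ddo, paid_on, allotment_ref, allotment_quoted, amount)
    ("V001", "DDO-A", "1995-01-03", "AL-10", 500000, 200000),
    ("V002", "DDO-A", "1995-01-04", "AL-10", 500000, 250000),
    ("V003", "DDO-A", "1995-01-06", "AL-10", 500000, 300000),
    ("V004", "DDO-B", "1995-01-05", "AL-20", 900000, 400000),
    ("V005", "DDO-C", "1995-02-10", "AL-30", 100000, 60000),
]
# Departmental record of allotments actually issued. AL-10 is absent and
# AL-20 was issued for less than the figure quoted on the bill.
ISSUED = [("AL-20", 90000), ("AL-30", 100000)]

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE voucher (voucher_no TEXT, ddo TEXT, paid_on TEXT,"
               " allotment_ref TEXT, allotment_quoted INTEGER, amount INTEGER)")
    db.execute("CREATE TABLE issued (allotment_ref TEXT PRIMARY KEY,"
               " amount INTEGER)")
    db.executemany("INSERT INTO voucher VALUES (?,?,?,?,?,?)", VOUCHERS)
    db.executemany("INSERT INTO issued VALUES (?,?)", ISSUED)
    return db

def reused_allotments(db):
    """Allotments quoted on more than one voucher, with the total drawn."""
    return db.execute(
        "SELECT allotment_ref, ddo, COUNT(*), SUM(amount),"
        "       MAX(allotment_quoted)"
        " FROM voucher GROUP BY allotment_ref, ddo"
        " HAVING COUNT(*) > 1 ORDER BY SUM(amount) DESC").fetchall()

def allotment_exceptions(db):
    """Cross-check quoted allotments against the departmental records."""
    rows = db.execute(
        "SELECT v.allotment_ref, MAX(v.allotment_quoted), i.amount,"
        "       SUM(v.amount)"
        " FROM voucher v LEFT JOIN issued i"
        "   ON i.allotment_ref = v.allotment_ref"
        " GROUP BY v.allotment_ref ORDER BY v.allotment_ref").fetchall()
    findings = []
    for ref, quoted, issued, drawn in rows:
        if issued is None:
            findings.append((ref, "not issued"))   # no departmental record
        elif quoted > issued:
            findings.append((ref, "overstated"))   # bill quotes more than issued
        elif drawn > issued:
            findings.append((ref, "overdrawn"))    # withdrawals exceed allotment
    return findings

if __name__ == "__main__":
    db = build_db()
    print(reused_allotments(db))
    print(allotment_exceptions(db))
```

In the constructed data, AL-10 is drawn three times in four days for more than the figure quoted, which is the pattern a treasury check of allotment figures would have stopped.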

Breakdown of cash flow management

Information in the database regarding the time and frequency of withdrawals of funds from treasuries by the DDOs was considered critically. The historical trend of the monthly cash outflow from treasuries for the department concerned over 3 years was compared with the total outflow of cash from the treasuries. This showed that the treasuries made unreasonably large payments to one department.

Exceptionally heavy total payments from some treasuries in particular months, which were inconsistent with their average outflow of funds, prompted inquiry into their occurrence.

Comparison of the total withdrawals with those of the department concerned revealed that the withdrawals by this department were exceptionally heavy compared to the total withdrawals and total budget provision of the government for the year.

This analysis highlighted the need to review the cash flow management of the government. Cash outflow figures obtained from the database helped to establish that the cash flow managers of the government ignored clear signals coming from the monthly cash outflow reports of the Reserve Bank. These showed unacceptable levels of cash outgoings in some of the treasuries.

Identification of irregular appointments by analysis of payroll database

Serious irregularities in staff payments and appointments in the department concerned were also suspected. To examine this, a database was created from the staff payment vouchers for 3 years for selected districts. Components of salary, including basic pay, various allowances and deductions for contributions to provident funds, group insurance and income tax, available from payroll vouchers, were entered onto a database.

A study of this information revealed that there was an unusually large number of staff-in-post compared to the normal staff strength in a particular grade. The proportion drawing pay at the minimum of the scale or with only one or two increments was excessive. A crosscheck of the payroll data with the staff records and the sanctioned strength confirmed that fresh recruitment had been made to the grade even though power for recruitment was withdrawn by the government.

The new appointments therefore indicated irregular appointments in violation of procedures and policies.

Using the database to identify the units where irregular appointments took place led to an analysis of the circumstances of system breakdown. Further scrutiny helped in pinpointing persons who appointed them in violation of the policy of the Department.

Income tax audit through the database

A team of officers carried out a separate investigation using the same database into the evasion of taxes and the failures in the revenue authorities. The database provided detailed information on the suppliers from the information derived from the invoices (sub vouchers). This helped in pinpointing a wide range of information regarding the location of the suppliers, their identity and culpability in the fraudulent transactions. While identifying many large suppliers, the database helped in establishing the relationship between DDOs and suppliers. The large payments for fictitious supplies helped in the audit of Income Tax and Sales Tax evasion.

The address of suppliers and payments made to individual suppliers helped in identifying and locating their assessment files.

The database helped in selecting samples of assessment records for detailed scrutiny and ultimately to examine the weaknesses and failures of the survey and investigation work of the Income-Tax department. Scrutiny of assessments also helped to check whether the suppliers disclosed complete information about income in their tax returns. Leads provided by the database helped inquiries into the assessees' accounts to show whether any expenses were booked for purchase of materials supplied and, if so, to trace the original supplier and to see whether his records indicated any receipt against the suppliers. This helped in checking evasions of tax. The mode of payment held on the database helped in tracing the banks where the Bank Drafts and cheques were cashed.

Audit of Sales tax through the database

The database provided information about the potential dealers of certain commodities and the possible amounts of unassessed and uncollected sales tax. The information collected through the suppliers' invoices indicated the volume of supply of taxable commodities and helped in assessing the turnover of dealers. A cross-check of the information in the database with the assessees' records in the Sales Tax office revealed suppression of taxable turnover and the failure of the Sales Tax Department to properly check the assessment records.

The identity of suppliers obtained from the database helped in checking their registration for the purposes of levy of State Sales Tax and the Central Sales Tax. The number of unregistered dealers located as a result of this search indicated failures in the survey and investigation work by the Sales Tax authorities.

Tackling Public Sector Fraud

Notes from a seminar on "Tackling Public Sector Fraud" presented jointly by the UK NAO and H M Treasury in London, England in February 1998.

Glenis Bevan, Audit Manager, Audit of Department of Social Security Fraud and Abuses

Glenis is currently on secondment to that department seeing how it all works from the inside.

Introduction

This seminar, chaired jointly by Martin Pfleger of the NAO and Andrew Likierman of H M Treasury, addressed growing concerns about the scale of public sector fraud, estimated to cost in the region of £4 billion in social security expenditure alone.

The seminar was aimed at public sector finance staff and those developing and managing anti-fraud strategies and was attended by some 150 staff from over 60 Government departments and agencies.

The seminar speakers considered the key issues facing the public sector and best practice in developing anti-fraud strategies and counter-measures, and gave practical examples of how IT based technologies can be used in the fight against fraud.

IT Based Techniques

This article gives an overview of those IT based technologies that can be used in the fight against fraud in the public sector. Some are already successfully in use in the public sector. Others can be adopted and adapted from private sector applications.

The technologies touched upon in this article are:

• Case Based Reasoning Tools - which can be used to assess the risks of fraud both for organisations and transactions;

• Data Matching and Data Mining - effective in the prevention and detection of fraud;

• Support Tools for Evidence Logging and Analysis - designed to assist the investigation of fraud.

The article is rounded off with a look at emerging and more futuristic technologies that might be used in the fight against fraud, particularly in terms of building defences into systems of control to prevent fraud or deter fraudsters at the gateway.

Case Based Reasoning Tools

Case Based Reasoning (CBR) tools can be used to identify and assess existing and emerging risks and vulnerabilities to fraud. The technique essentially involves the diagnostic benchmarking of an organisation or transactions against collated knowledge of other comparable sectors using "near neighbour" matches and "inductive" analysis.

Details of organisational characteristics, for example, can be collected by questionnaire and maintained in a database. Strengths, weaknesses and best practice can be identified from past experiences of fraud, control frameworks and financial performance, to rate and compare organisations. This is a powerful counter-fraud technique which can answer questions such as: What made company 'X' vulnerable to fraud? What good practice tools from company 'Y' can be put in place to mitigate the consequences of fraud? Are these characteristics evident in company 'Z'?

This technique was used to demonstrable effect in the UK NAO when (Deloitte and Touche) undertook a forensic audit examination in the UK Government Highways Agency. Of the 10 nearest matches, against over 120 indicator questions from a pool of several hundred organisations, 8 had suffered from actual or investigated fraud. Although no serious matters had occurred in the Agency, the results of the exercise were indicative of opportunities for fraud. An action plan was consequently implemented to minimise the vulnerability of the Agency to fraud.
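The "near neighbour" part of this benchmarking can be sketched as follows. This is an added illustration, not the tool used in the exercise described above; the indicator questions, organisations and answers are constructed, and the similarity measure (share of commonly answered questions that agree) is an assumption.

```python
# Constructed case base: question names, organisations and answers are
# hypothetical. 1 = control in place, 0 = control weak, None = unanswered.
QUESTIONS = ["segregation_of_duties", "supplier_vetting", "budget_monitoring",
             "independent_reconciliation", "staff_rotation",
             "whistleblowing_route"]

CASE_BASE = {
    # name: (answers aligned with QUESTIONS, suffered or investigated fraud)
    "Org A": ([0, 0, 1, 0, 0, 1], True),
    "Org B": ([0, 1, 1, 0, 0, 0], False),
    "Org C": ([1, 1, 1, 1, 1, 1], False),
    "Org D": ([0, 0, 0, 0, None, 1], True),
    "Org E": ([1, 1, 0, 1, 1, 1], False),
    "Org F": ([1, 0, 1, 1, 0, 1], False),
}

SUBJECT = [0, 0, 1, 0, 1, 1]  # questionnaire answers of the body under review

def similarity(a, b):
    """Share of questions answered by both sides on which they agree."""
    shared = [(x, y) for x, y in zip(a, b) if x is not None and y is not None]
    if not shared:
        return 0.0
    return sum(x == y for x, y in shared) / len(shared)

def nearest_cases(subject, case_base, k):
    """The k most similar past cases; ties are broken by name."""
    scored = [(similarity(subject, answers), name, fraud)
              for name, (answers, fraud) in case_base.items()]
    return sorted(scored, key=lambda t: (-t[0], t[1]))[:k]

def assess(subject, case_base, k=3):
    neighbours = nearest_cases(subject, case_base, k)
    fraud_hits = [name for _, name, fraud in neighbours if fraud]
    # Weak controls the subject shares with every fraud-hit neighbour:
    # these are the candidates for an action plan.
    shared_weak = [q for i, q in enumerate(QUESTIONS)
                   if subject[i] == 0 and fraud_hits
                   and all(case_base[n][0][i] == 0 for n in fraud_hits)]
    return {"neighbours": [(name, round(s, 2)) for s, name, _ in neighbours],
            "fraud_share": len(fraud_hits) / len(neighbours),
            "shared_weak_controls": shared_weak}

if __name__ == "__main__":
    print(assess(SUBJECT, CASE_BASE))
```

A high share of fraud-hit neighbours does not show that fraud has occurred in the subject; as in the Highways Agency exercise, it indicates opportunity and points to the controls worth strengthening.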

Data Matching

Data matching can be described as the crosschecking of data, either concurrently or retrospectively, looking for duplication and/or inconsistencies between data streams. It can be used to detect transactions which match all or part of existing transactions. It is used widely in the private sector to detect, for instance, duplicate insurance claims, multiple share applications and mortgage fraud.

The General Matching Service (GMS) within the UK Department of Social Security is one of the largest matching systems in Europe. The technique has also been used to good effect by the Audit Commission, responsible for auditing all Health and Local Authorities in the UK.

Taking data from client local authorities and using Housing Benefit payments as its hub, claimant details can be cross-matched with, for example, pensioners, students, employers and registered traders. Data matching for duplicates occurs by data source (eg local authorities) and by data content (eg National Insurance Number, Name, Address, Date of Birth).

The health authority matching service considers such activities as inflated doctors' lists, dentists paid twice, doctors working as locums and nurses working for agencies while off sick from their regular jobs. Data matching is a particularly powerful tool if it can make use of 3rd party data, but there are constraints with regard to the Data Protection Act in the UK.
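Matching by data content usually means normalising each field before comparing it, because the same claimant is rarely keyed identically in two systems. The sketch below is an added example, not code from any of the matching services named above; the records, references and National Insurance Numbers are constructed placeholders and the normalisation rules are assumptions.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed claimant records from three hypothetical authorities.
RECORDS = [
    {"source": "Authority A", "ref": "HB-1", "nino": "QQ 12 34 56 C",
     "name": "John  Smith", "dob": "1950-02-01",
     "address": "1 High St, Anytown"},
    {"source": "Authority B", "ref": "HB-7", "nino": "qq123456c",
     "name": "J. Smith", "dob": "1950-02-01",
     "address": "1 High Street Anytown"},
    {"source": "Authority B", "ref": "HB-8", "nino": "",
     "name": "SMITH, JOHN", "dob": "1950-02-01",
     "address": "Flat 2, 9 Low Rd"},
    {"source": "Authority C", "ref": "HB-3", "nino": "QQ654321A",
     "name": "Mary Jones", "dob": "1962-11-30", "address": "4 Mill Lane"},
]

ABBREVIATIONS = {"st": "street", "rd": "road"}

def norm_nino(value):
    # Strip spacing and case differences introduced at data entry.
    return re.sub(r"[^A-Z0-9]", "", value.upper())

def norm_name(value):
    # Order-insensitive so "SMITH, JOHN" equals "John Smith".
    return " ".join(sorted(re.findall(r"[a-z]+", value.lower())))

def norm_address(value):
    words = re.findall(r"[a-z0-9]+", value.lower())
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)

def match_keys(rec):
    """Keys on which two records are treated as the same claimant."""
    keys = {"name+dob": (norm_name(rec["name"]), rec["dob"]),
            "address+dob": (norm_address(rec["address"]), rec["dob"])}
    if norm_nino(rec["nino"]):          # a blank number must never match
        keys["nino"] = norm_nino(rec["nino"])
    return keys

def find_matches(records):
    """Map each matching pair of refs to the list of keys they share."""
    index = defaultdict(list)
    for rec in records:
        for kind, key in match_keys(rec).items():
            index[(kind, key)].append(rec)
    hits = defaultdict(set)
    for (kind, _), group in index.items():
        for a, b in combinations(group, 2):
            hits[tuple(sorted([a["ref"], b["ref"]]))].add(kind)
    return {pair: sorted(kinds) for pair, kinds in hits.items()}

if __name__ == "__main__":
    for pair, kinds in find_matches(RECORDS).items():
        print(pair, kinds)
```

A pair matched on several keys is a stronger lead than one matched on name and date of birth alone, and every match is a prompt for investigation rather than proof of a duplicate claim.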

Data Mining

Data mining is quickly becoming a generic term encompassing a variety of techniques. It uses advanced software tools to identify links, relationships, patterns and trends in data and can produce graphics to help show what that means. It uses knowledge based or rule based systems for modelling databases to identify transactions with pre-defined characteristics, or transactions that deviate from the norm.

Intelligent systems have developed as a spin-off from academic research using computers to simulate the workings of the human brain. They allow computers effectively to "learn" from experience, using sample data to build up models with classificational or predictive ability. Neural networks and genetic algorithms are two tools used to detect anomalies in data.

In simple terms they work by showing the system a number of transactions with known characteristics; training with this known set allows the system to learn which subsequent transactions contain those characteristics. These systems can learn, adapt, explain and can even discover previously unknown patterns of fraud.

A good example is the profile matching system used by credit card companies to detect fraud retrospectively or at point of sale. It uses artificial intelligence to spot unusual changes in cardholders' spending patterns.

"The significant challenges we face today cannot be resolved by the same level of thinking that created them" - Albert Einstein.

Support Tools For Evidence Investigation

The most obvious support tools for gathering and reviewing evidence to enable fraud investigations are probably familiar to readers of this article. Tools to analyse network logs, keystroke logs, telephone logs and audit trails allow evidence to be retrieved and reviewed both during and after suspicion of fraud. They can help to support the investigation of fraud and can be built into the system architecture.

Emerging Techniques

Technologies are moving apace and research into advanced counter-fraud techniques is mushrooming. The development of data warehouses and networks allowing the storage and sharing of data on a massive scale presents its own problems. But perhaps the most exciting developments are occurring in the field of preventing fraud before it occurs.

We all use plastic cards on a daily basis in every aspect of our life, but technology is making it possible to do more than ever with cards, and a number of trials of new card technology are underway in many parts of the UK. Some recent developments include:

• Smart Cards - a tiny electronic chip is the brain that puts smart into Smart cards. This allows double-checking of customer and retailer details at the point of sale. They have the capability of storing more than just financial data, eg name, address, identity number and medical details, but do give obvious concerns for civil liberties groups.

• Watermark Cards - the magnetic stripe on the back of the plastic card has an additional "wash" of particles which forms a particular unique pattern that can be read at point of sale terminals. When this pattern is matched to the individual card number it will create a unique identity code.

In conjunction with current technologies, a number of biometric techniques are being developed to identify behaviour traits or personal characteristics uniquely associated with card owners. These techniques include signature verification, finger scanning, retina scanning and of course DNA. These are replacing the less popular PIN numbers and less foolproof picture cards.

Implications For Audit

Auditors have traditionally used Computer Assisted Audit Techniques (CAATs) to manipulate volumes of data for audit purposes. These mainly identify outliers in data or reperform mathematical computations for reconciliation purposes, and are based on simple analytical techniques, where known parameters, variables and amounts are tested on limited volumes of data.

The rapid growth of technology means that companies are increasingly storing massive volumes of data in data warehouses, and this has encouraged Information Systems (IS) auditors to rethink their approach for effectively using these volumes of data for audit purposes. Data mining, which practitioners are already using to discover previously hidden patterns and attributes in data, pointing not only to fraudulent transactions but to new markets and products, is the new challenge for IS auditors.

CAATs have traditionally been limited to performing data interrogation using simple tools and techniques. IS auditors now have the opportunity of analysing massive data banks using advanced tools and techniques. Data mining should be considered as part of the battery of techniques available in the CAAT approach to audit of client data stores.

Conclusion

I hope this article gave you a taste of the IT technologies available to you for use in the fight against fraud. There are obvious cost and confidentiality considerations involved with these developing technologies but investment in sophisticated techniques is necessary to keep one step ahead of the fraudster.

References

There are many practitioners and professionals in the fields of forensic audit and counter fraud technology and their work has been drawn upon for this article. As a starting point for further research the following sources may be of use to the reader.

Internet: www.computists.com

Journal: IS Audit and Control Journal of the IS Audit and Control Association

Organisations UK: Audit Conferences Europe Limited

Network Security Management Limited

News from around the World

The International Training Center of the Office of the Comptroller & Auditor General of India conducted an International Training Programme on "Auditing Information Technology - Challenges for SAIs" from 20th November 1997 to 19th December 1997. This is the third programme on EDP Auditing conducted by SAI India as part of the series of International Training Programmes in different areas of audit and accounting, for the benefit of staff from SAIs in the Asian, Pacific, African and Caribbean regions.

The programme was attended by 18 participants from 15 SAIs and covered audit of IT systems under development, review of general and applications controls, IT security and Business Continuity Plans, Performance Audit of IT systems and use of Computer Assisted Audit Techniques (CAATs).