Combating Fraud: Putting in Place an Effective Audit System to Detect and Prevent Fraud
The 9th - Cyber Defense Initiative Conference 2009 - (CDIC 2009)
10th-11th November 2009 Queen Sirikit National Convention Center
By
Pairat Srivilairit, CIA, CISA, CBA, CCSA, CFSA, CISSP, CFE
Tuesday, 10 November 2009 15:15-16:00 hrs
About Speaker
Mr Pairat Srivilairit received a bachelor of engineering from Chulalongkorn University and an MBA from Thammasat University. He is a certified internal auditor (CIA), certified information systems auditor (CISA), certified bank auditor (CBA), holder of the certification in control self-assessment (CCSA), certified financial services auditor (CFSA), certified information systems security professional (CISSP), and a certified fraud examiner (CFE).
He is chairman of the Bank and Financial Institution Internal Auditors Club (BFIA) and a past director of the ISACA Bangkok chapter. He is also a member of The Institute of Internal Auditors (IIA), The Association of Certified Fraud Examiners (ACFE), The Information Systems Audit and Control Association (ISACA), The International Information Systems Security Certification Consortium (ISC)² and The Institute of Internal Auditors of Thailand (IIAT).
He is a well-known lecturer on operational auditing and information systems auditing courses at IIAT and the ISACA Bangkok Chapter. He is also a special lecturer in the IIA's Internal Auditing Education Partnership Program (IAEP) at Chulalongkorn University, and has represented IIAT in speaking to students at several universities to promote the internal auditing profession.
Mr Pairat Srivilairit has been associated with the finance and banking industry for over 18 years, with rich experience in management consulting, planning, research, investment, operations and audit. He is now with TISCO Bank Public Company Limited as head of internal audit and secretary to the audit committee.
Outline
Combating Fraud: Putting in Place an Effective Audit System to Detect and Prevent Fraud (45 min)
- Key Indicators of Fraud
- Types of Fraud in Activities Reviewed
- Prevention Aids by Internal Auditors
- Detection and Investigation Techniques
- Summary
Example Fraud Cases
High-tech thieves hack data and make off with 200 million
- August 2005: an agent of a mobile network operator noticed abnormal traffic among prepaid-card customers.
- Investigation found that the company's card codes had been hacked and used to load inflated amounts onto prepaid cards, which were then sold over the Internet at special prices or from booths set up in local communities.
- The company tried to block the codes of the abnormal cards, but still suffered lost revenue of up to 200 million baht.
- Four suspects were arrested, all employees of the company itself. The case is still under appeal.
(Manager newspaper, 27 Aug 2005)
ผู้(พน�นสิ�งหน1"มูแบงก&แสิบโกง 4 00 ล าน– เด�อนพฤษัภาคมู 2552 ธนาคารตัรวจพบสิมู1ห&บ�ญชิ(
สิาข้าหน3'งโอนเง�นจากบ�ญชิ(ดอกเบ(/ยท('ธนาคารเตัร(ยมูไว จ"ายล�กค า เข้ าบ�ญชิ(ตั�วเองตัามูธนาคารตั"าง ๆ
– ผู้� ตั องหาจนมู1มูคารถูข้ณ์ะก.าล�งหน(ไปเข้มูร สิารภาพท.ามูาตั"อเน�'องนานกว"า 1 ป9 เพราะท.าง"ายและไมู"เคยถู�กตัรวจสิอบ เง�นท('ย�กยอกน.าไปซื้�/อบ าน รถูยนตั& เคร�'องประด�บ ซื้�/อกองท1น เล"นพน�นฟุ1ตับอล ซื้�/อสิลากก�นแบ"ง รวมูกว"า 499 ล านบาท
– เร�'มูท.างานในธนาคารเมู�'อป9 2542 ได ร�บรางว�ลเป2นพน�กงานด(เด"น และไมู"เคยมู(ประว�ตั�การท1จร�ตั
– พบสิาเหตั1ระบบ Core Banking System มู(ข้ อบกพร"อง.
(ฐานเศัรษัฐก�จ 6 พ.ค.52)
ตั�วอย่�างกรณี�ทุ�จร�ตั
Occupational Fraud
“The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.”
All occupational frauds have four things in common:
- Clandestine
- Violate the perpetrator's fiduciary duties to the victim organization
- Committed for direct or indirect financial benefit to the perpetrator, and
- Cost the employer assets, revenue or reserves
How Fraud is Committed
Three categories of occupational fraud:
- Asset Misappropriations: theft or misuse of the organization's assets, e.g. skimming revenues, stealing inventory and payroll fraud.
- Corruption: wrongful use of influence to gain a personal benefit contrary to the duty owed to the employer or the rights of another, e.g. accepting kickbacks, conflicts of interest.
- Fraudulent Statements: falsification of the organization's financial statements, e.g. overstating revenues and understating liabilities or expenses.
How Fraud is Committed
Asset misappropriations were the most common but carried the lowest loss. Fraudulent statements were the least common but carried the highest loss.
(Chart: Breakdown of All Occupational Fraud Schemes, median loss.)
The greatest percentage of frauds (15%) occurred in the banking and financial services sector.
(Chart: Bank Most Common Fraud.)
How Fraud is Detected
It takes 24 months on average to catch employee fraud.
(Chart: Initial Detection of Occupational Frauds.)
Key Indicators of Fraud
- Tips / complaints
- Missing or altered documents
- Duplicate or unreasonable expenses or reimbursements
- Failure of certain employees to take vacations
- Failure to follow up on past-due receivables
- Unusual write-offs of receivables
- Employees on the payroll who have not signed up for benefits
- Excessive purchases of products or services
- Common phone numbers or addresses among payees or customers
Key Indicators of Fraud
(Continued)
- Cash shortages / overages
- Stale items on bank reconciliations
- Unexplained adjustments / journal entries
- Unusual financial statement relationships, e.g.
  – Increased revenue vs. decreased receivables
  – Increased revenue vs. decreased inventory purchases
  – Increased inventory vs. decreased purchases or A/P
- Significant increases or decreases in account balances
- Significant changes in liquidity, leverage, profitability or turnover ratios
Limiting Fraud Losses
Surprise audit and job rotation are still overlooked by many organizations.
Limiting Fraud Losses
Surprise audit, job rotation, and anonymous reporting showed the greatest impact on fraud losses.
Bank Case Symptoms
- Supervisory overrides; unusually large transactions or transactions with no apparent business purpose
- Journal vouchers containing only one signature or incorrect information; fund transfers between different customers' accounts
- Deposit slips with missing information; depositor names incomplete or not matching the passbook or account name
- Frequent, large deposits/withdrawals in an executive's account
- Deposits and withdrawals on the same account on the same day or within a short period of time
- Bank checks used to transfer between accounts; checks with altered dates
Symptoms ... More
- Purported customer signatures on withdrawal vouchers and checks
- Large negative balances in slush accounts or customer accounts
- Deposit slips moving customer funds between accounts of different customers
- Deposits of customer checks where cash was received back
- CDs closed prematurely with the proceeds put into a low-interest account, sometimes with a penalty
- Customer not present when the account was opened, closed or transacted
- Customer statements mailed to an executive's address
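Several of the indicators on the Key Indicators slides and the bank case symptoms above are mechanical enough to screen for with a few rules over transaction and master-file data. The following is an added example (not code from the presentation) that runs five such rules: payees sharing a phone number or address with an employee, exact-duplicate reimbursements, reimbursements over a limit, journal vouchers carrying a single signature, and same-day deposit-and-withdrawal on one account. All records are constructed, and the 50,000 reimbursement limit and 90% pass-through ratio are assumptions.

```python
"""Rules-based screen for several of the fraud indicators listed above.

Added example, not from the presentation. Every record below is constructed
(hypothetical employees, vendors, claims, vouchers and account movements);
thresholds such as the 50,000 reimbursement limit are assumptions."""
from collections import defaultdict
from datetime import date

EMPLOYEES = [
    {"id": "E1", "name": "A. Smith", "phone": "02-111-2222", "address": "12 Silom Rd"},
    {"id": "E2", "name": "B. Jones", "phone": "02-333-4444", "address": "7 Sathorn Rd"},
]
VENDORS = [
    {"id": "V10", "name": "Siam Supplies", "phone": "02-555-6666", "address": "99 Rama IV Rd"},
    {"id": "V11", "name": "Quick Consult", "phone": "02-111-2222", "address": "12 Silom Rd"},  # same as E1
]
REIMBURSEMENTS = [
    {"emp": "E1", "date": date(2009, 10, 1), "amount": 1500.00, "desc": "taxi"},
    {"emp": "E1", "date": date(2009, 10, 1), "amount": 1500.00, "desc": "taxi"},   # exact duplicate
    {"emp": "E2", "date": date(2009, 10, 2), "amount": 80000.00, "desc": "hotel"}, # far above limit
]
JOURNAL_VOUCHERS = [
    {"jv": "JV001", "amount": 250000, "signatures": ["mgr1", "mgr2"]},
    {"jv": "JV002", "amount": 900000, "signatures": ["mgr1"]},  # only one approver
]
ACCOUNT_TXNS = [  # type D = deposit, W = withdrawal
    {"acct": "A1", "date": date(2009, 10, 5), "type": "D", "amount": 500000},
    {"acct": "A1", "date": date(2009, 10, 5), "type": "W", "amount": 495000},  # in and out same day
    {"acct": "A2", "date": date(2009, 10, 5), "type": "D", "amount": 1000},
]


def shared_contact_details(employees, vendors):
    """Payees whose phone or address matches an employee's (ghost or accomplice vendor)."""
    by_phone = {e["phone"]: e["id"] for e in employees}
    by_addr = {e["address"].lower(): e["id"] for e in employees}
    hits = []
    for v in vendors:
        if v["phone"] in by_phone:
            hits.append((v["id"], by_phone[v["phone"]], "phone"))
        if v["address"].lower() in by_addr:
            hits.append((v["id"], by_addr[v["address"].lower()], "address"))
    return hits


def duplicate_reimbursements(claims):
    """Claims filed more than once with identical employee, date, amount and description."""
    seen = defaultdict(int)
    for c in claims:
        seen[(c["emp"], c["date"], c["amount"], c["desc"])] += 1
    return [key for key, n in seen.items() if n > 1]


def unreasonable_reimbursements(claims, limit):
    """Claims above the (assumed) reasonableness limit."""
    return [c for c in claims if c["amount"] > limit]


def single_signature_vouchers(vouchers):
    """Journal vouchers approved by fewer than two distinct signers."""
    return [v["jv"] for v in vouchers if len(set(v["signatures"])) < 2]


def same_day_in_and_out(txns, min_ratio=0.9):
    """(account, day) pairs with a deposit and a withdrawal on the same day where the
    withdrawal is at least min_ratio of the deposit (pass-through pattern)."""
    totals = defaultdict(lambda: {"D": 0.0, "W": 0.0})
    for t in txns:
        totals[(t["acct"], t["date"])][t["type"]] += t["amount"]
    return [key for key, v in totals.items() if v["D"] > 0 and v["W"] >= min_ratio * v["D"]]


def run_screen():
    """Run every rule over the constructed data and return the hits per rule."""
    return {
        "shared_contact": shared_contact_details(EMPLOYEES, VENDORS),
        "dup_reimb": duplicate_reimbursements(REIMBURSEMENTS),
        "big_reimb": [c["emp"] for c in unreasonable_reimbursements(REIMBURSEMENTS, 50000)],
        "single_sig": single_signature_vouchers(JOURNAL_VOUCHERS),
        "pass_through": [acct for acct, _ in same_day_in_and_out(ACCOUNT_TXNS)],
    }


if __name__ == "__main__":
    for rule, hits in run_screen().items():
        print(f"{rule}: {hits}")
```

Each rule is deliberately simple; the value is in running them routinely over the full population rather than a sample, which is what makes the "perception of detection" on the prevention checklist real.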
Bank Fraud Trend
- The financial cost of fraud may be three or more times the value of the amount lost
- Fraud is not static; it evolves with each new measure implemented
- New opportunities for employee fraud are emerging
- Criminals thwart rules-based systems
- A "silo" mentality weakens fraud detection
- Top management is moving toward an enterprise focus on anti-fraud systems
- Regulatory expectations are increasing
- Solutions require commitment, investment and talent
Insider Threat
“Deliberate misuse by those who are authorized to use computer and networks.”
Insiders include employees, contractors, consultants, temporary help, personnel from third-party business partners, etc.
Facts about Insider Misuses
- Most were not technically sophisticated or complex
- Most were thought out and planned in advance
- Most were motivated by financial gain
- Most perpetrators of banking and finance incidents
  – did not hold a technical position
  – never engaged in a technical attack or hacking
  – were not necessarily perceived as problem employees
- Executed at the workplace during normal business hours
- Detected by various channels and methods
Misuse of Applications
Client/Server
  Legitimate use: message exchange; connectivity to server; execution of tasks
  Misuse: unusual exchange to degrade performance; excessive connections (DoS); execution of privileged procedures
Mail Clients
  Legitimate use: send and receive e-mails
  Misuse: illegal content / remote attack / private use / overloading the network
Browsers / Multimedia Players
  Legitimate use: browse the Internet / play files; view cached files and history
  Misuse: view illegal content; display other users' viewed files and accesses
Programming Tools
  Legitimate use: develop programs; display memory segments
  Misuse: create malware; access memory segments holding sensitive information
General-purpose Applications
  Legitimate use: read / write; input strings
  Misuse: access temp files for sensitive information / modify a temp file to change program flow; buffer overflow
Universe of Internal Computer Fraud
Computer Fraud
- Billing Schemes
  – Corruption & Price Inflation
  – Ghost Vendor
  – Accomplice Vendor
  – Quid Pro Quo & Barter Schemes
  – Personal Purchase
  – Returns & Voids
  – Passing of Payment of Invoices for Non-existing Suppliers
- Data Capture
  – Spyware & Key Loggers
- Fund Transfer
  – Unauthorized Transfer of Funds
- Errors
  – Duplicate Payments
  – Over Payments
  – Early Payments
  – Missing or Bad Information
  – Payment to Erroneous Employees & Vendors
  – Duplicate Information
- Program Altering Schemes
  – Changing Program and Data Ownership
  – Setting Improper Parameters
  – Use of Malware (e.g. Trojans)
  – Alteration of Program and Data Files
- Check Tampering
  – Forged Endorsement
  – Forged Checks
  – Skimming
  – Alter Payee
  – Write-off of Money Due to Company
- Information Privacy Risk
  – Loss of Intellectual Property Through Fraud
  – Transmission of Confidential Data (i.e. over TCP/IP)
  – Peer-to-peer File Sharing
  – Employee Posting Confidential Company Information
  – Employee Downloading Hacker Tools for ID Theft Purposes
  – Employee Downloads & Nefarious Applications
- Manipulation of Data Input
  – Data Integrity Attack
  – Falsification of Stock Records to Cover Theft of Stocks
  – Data Suppression
- Payroll Schemes
  – Ghost Employee
  – False Communication
  – Worker's Compensation Scheme
  – Falsified Wages
Types of Application Controls
Access Controls
  Permit or deny use of an object.
  – Identification & Authentication
  – Authorization
  – Accountability
  – Audit
  – Physical devices (i.e. biometric scan, metal locks, hidden path, digital signatures, encryption, social barriers, human and automated monitoring systems, etc.)
Data Origination / Input Controls
  Ensure accuracy, completeness and timeliness of data during conversion from original sources into computer data, or entry into the computer application, whether manual, online input or batch.
  – Check the integrity of data entered into the business application
  – Check whether the source is direct input by staff, remote input by a business partner, or a web-enabled application
  – Ensure accuracy with optimum computerized validation and editing
  – Check if data is within specified parameters
  – Error handling procedures facilitate timely and accurate resubmission of all corrected data
Data Processing
  Ensure accuracy, completeness and timeliness of data during either batch or real-time processing by the application.
  – Ensure data is accurately processed through the application
  – No data is added, lost or altered during processing
Output Control
  Ensure the integrity of output and the correct and timely distribution of output produced, whether in hardcopy, as files to be used as input for other systems, or as information available for online viewing.
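The input and processing controls above are usually implemented as edit checks on each record plus batch control totals carried from input to output. The block below is an added example, not from the presentation, showing both over a constructed batch of payment records: records failing the edit checks are written to a reject list for correction and resubmission, and a record count, an amount total and a hash total of account numbers are compared before and after processing so that a record dropped, duplicated or altered in flight is detected. The record layout, the parameter limits, the branch list and the choice of hash total are all assumptions.

```python
"""Input (edit) checks and batch control totals for a constructed batch of payment records.

Added example, not from the presentation. The record layout, the parameter
limits, the branch list and the choice of a hash total over account numbers
are all assumptions made for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    acct: str      # 10-digit account number
    amount: float  # payment amount
    branch: str    # originating branch code


VALID_BRANCHES = {"001", "002", "003"}
AMOUNT_MIN, AMOUNT_MAX = 0.01, 1_000_000.00   # assumed parameter range


def edit_checks(rec):
    """Input control: return error codes for the record (empty list means accepted)."""
    errors = []
    if not (rec.acct.isdigit() and len(rec.acct) == 10):
        errors.append("ACCT_FORMAT")
    if not (AMOUNT_MIN <= rec.amount <= AMOUNT_MAX):
        errors.append("AMOUNT_OUT_OF_RANGE")
    if rec.branch not in VALID_BRANCHES:
        errors.append("BAD_BRANCH")
    return errors


def accept_batch(records):
    """Split a batch into accepted records and (record, errors) rejects for resubmission."""
    accepted, rejects = [], []
    for r in records:
        errs = edit_checks(r)
        if errs:
            rejects.append((r, errs))
        else:
            accepted.append(r)
    return accepted, rejects


def control_totals(records):
    """Batch totals: record count, amount total and a hash total of account numbers.
    The hash total is meaningless as a number; it exists to catch a record that
    was dropped, duplicated or altered between input and output."""
    return (len(records),
            round(sum(r.amount for r in records), 2),
            sum(int(r.acct) for r in records))


def process(records):
    """Stand-in for the application's processing step: post each accepted record."""
    return [Record(r.acct, round(r.amount, 2), r.branch) for r in records]


def verify_processing(inputs, outputs):
    """Processing control: totals computed at input must equal totals at output."""
    return control_totals(inputs) == control_totals(outputs)


BATCH = [  # constructed sample
    Record("1234567890", 1500.00, "001"),
    Record("12345", 200.00, "001"),             # account number malformed
    Record("2345678901", 5_000_000.00, "002"),  # above parameter limit
    Record("3456789012", 75.50, "009"),         # unknown branch
    Record("4567890123", 999.99, "003"),
]


def run_batch(batch):
    """Apply input controls, process, and verify; returns (accepted, rejects, totals_ok)."""
    accepted, rejects = accept_batch(batch)
    return accepted, rejects, verify_processing(accepted, process(accepted))


def tamper_demo(batch):
    """Show the totals catching a dropped record and an altered account number.
    Returns (intact_ok, dropped_ok, altered_ok)."""
    accepted, _ = accept_batch(batch)
    posted = process(accepted)
    dropped = posted[:-1]
    first = posted[0]
    new_last = "0" if first.acct[-1] != "0" else "1"
    altered = [Record(first.acct[:-1] + new_last, first.amount, first.branch)] + posted[1:]
    return (verify_processing(accepted, posted),
            verify_processing(accepted, dropped),
            verify_processing(accepted, altered))


if __name__ == "__main__":
    accepted, rejects, ok = run_batch(BATCH)
    print("accepted:", len(accepted), "rejects:", [(r.acct, e) for r, e in rejects], "totals ok:", ok)
    print("intact / dropped / altered:", tamper_demo(BATCH))
```

The amount total alone would not catch the altered account number in tamper_demo, since count and amount are unchanged; that is exactly the gap the hash total closes.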
Example of Detection System
(Architecture diagram; only the components are recoverable from the slide:)
- Log sources: SYSLOG, IDS, firewall and router logs
- Event Correlation Database
- Rules Engine, with misuse-detection data and metadata and an XML Key Fraud Signature
- Web Server and Application Server exchanging XML documents with branches and the main office (web browser clients)
- Loan Application Dataset
- XBRL Business Report Engine, Business Report, General Ledger, XSLT spreadsheet
Other Analytical Tools
Use of Benford's Law as a fraud detection tool
(Chart: frequencies (percent) of leading digits, theoretical Benford line vs. fraudulent transactions.)
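Benford's Law says that in many naturally occurring sets of amounts the leading digit 1 appears about 30.1% of the time, 2 about 17.6%, and so on down to 9 at about 4.6%; invented or manipulated amounts rarely follow that curve. The following added example (not code from the presentation) computes the first-digit distribution of a list of amounts, the chi-square statistic against the Benford expectation, and the mean absolute deviation, and flags a population whose statistic exceeds the 5% critical value for 8 degrees of freedom (15.507). Both amount lists are constructed: NATURAL grows geometrically, which follows Benford's Law, while FABRICATED clusters just below an assumed 50,000 approval limit.

```python
"""First-digit Benford's Law test over transaction amounts.

Added example, not from the presentation. The two amount lists are
constructed: NATURAL grows geometrically (which follows Benford's Law),
FABRICATED clusters just under an assumed 50,000 approval limit."""
import math
from collections import Counter

# Expected share of leading digit d under Benford's Law: log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
# Chi-square critical value, 8 degrees of freedom, 5% significance level.
CHI2_CRIT_DF8_05 = 15.507

NATURAL = [round(100 * 1.05 ** i, 2) for i in range(189)]   # 100 .. ~960,000, four decades
FABRICATED = [48000 + 17 * i for i in range(120)]           # 48,000 .. 50,023


def first_digit(amount):
    """Leading non-zero digit of |amount|; None for zero."""
    a = abs(amount)
    if a == 0:
        return None
    while a < 1:
        a *= 10
    return int(str(int(a))[0])


def benford_test(amounts):
    """Return (observed shares by digit, chi-square statistic, mean absolute deviation)."""
    digits = [d for d in map(first_digit, amounts) if d is not None]
    n = len(digits)
    counts = Counter(digits)
    observed = {d: counts.get(d, 0) / n for d in range(1, 10)}
    chi2 = sum((counts.get(d, 0) - n * BENFORD[d]) ** 2 / (n * BENFORD[d]) for d in range(1, 10))
    mad = sum(abs(observed[d] - BENFORD[d]) for d in range(1, 10)) / 9
    return observed, chi2, mad


def is_suspicious(amounts):
    """Flag a population whose first-digit distribution departs from Benford at the 5% level."""
    _, chi2, _ = benford_test(amounts)
    return chi2 > CHI2_CRIT_DF8_05


if __name__ == "__main__":
    for name, data in (("natural", NATURAL), ("fabricated", FABRICATED)):
        obs, chi2, mad = benford_test(data)
        print(name, "chi2=%.1f mad=%.3f suspicious=%s" % (chi2, mad, is_suspicious(data)))
        for d in range(1, 10):
            print("  %d: observed %5.1f%%  expected %5.1f%%" % (d, 100 * obs[d], 100 * BENFORD[d]))
```

A Benford deviation is a lead, not proof: it points the auditor at the digit (here, 4, from amounts kept just under the limit) whose transactions deserve document-level review. The test is also unsuitable for populations that are assigned rather than measured, such as sequential check numbers or fixed-price items.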
Managing Insider Threat
- Strong authentication / biometric technologies
- Role-based access granted on a need-to-have basis
- Rotate job functions / read event logs
- Place servers and sensitive equipment in a secured area
- Restrict physical access / locks / alarm tests
- Wear badges / background checks
- Default passwords / unused ports / log off when absent
- Encrypt sensitive data stored on user hard drives
- Store sensitive documents in a secured space
- Never issue passwords over unsecured channels
Aware of Warning Signs
- Rogue access point / wireless / remote access
- Disgruntled employee
- A user accesses a database or area of the network they have never accessed before
- Download spike
Fraud Prevention Checklist
- Good internal control
- Employee fraud awareness training / hotline
- Analytical review / surprise fraud audits
- Review of company contracts
- Perception of detection / management oversight
- Proactive fraud policy and program / prosecution
- Mandatory vacations / periodic job rotation
- Screening of job applicants
- Information security review / limited access / audit trail
- Management climate / employee support program
Summary
Auditor's roles in combating fraud
- Promote a culture of honesty and high ethics
- Assess and mitigate the risk of fraud
- Ensure control adequacy and effectiveness
- Use data mining and statistical analysis tools
- Analyze financial statements and reports
- Be alert to predication of fraud
- Ensure investigations are properly conducted
- Ensure proper follow-up actions are taken
- Develop your anti-fraud knowledge and skills
About the ACFE
- The Association of Certified Fraud Examiners, started in 1988
- Provides anti-fraud training and education
- Over 50,000 members in 125 countries
- Administers the Certified Fraud Examiner (CFE) designation, a certification program for fraud practitioners recognized by the U.S. Department of Defense and the FBI
- More than 20,000 CFEs worldwide (5 Thais)
- $55 membership fee
- More information about ACFE: http://www.acfe.com
About CFE Exam
- Covers 4 areas:
  – Criminology & Ethics
  – Financial Transactions
  – Fraud Investigation
  – Legal Elements of Fraud
- 4 exam sections of 125 questions each (75% to pass)
- Administered via computer; each section must be completed in one sitting (2.6 hr)
- Complete all sections and return to ACFE within 30 days
- Must pass the Qualifying Points System (40/50)
- $250 application fee
Q&A
Pairat Srivilairit, CIA, CCSA, CFSA, CISA, CISSP, CBA, CFE
Internal Audit Department, TISCO Bank Public Company Limited
Mobile: +668 1903 1457
Office: +66 2633 7821
Email: [email protected]