5/12/2015
1
Copyright © 2014 AuditNet® and Richard Cascarino & Associates
AuditNet® Training without Travel™
IT Fraud and Countermeasures
May 12 2015
Guest Presenter: Richard Cascarino, MBA, CIA, CISM, CFE
Richard Cascarino & Associates
Jim Kaplan CIA CFE
• President and Founder of AuditNet®, the global resource for auditors (now available on Apple and Android and Windows devices)
• Auditor, Web Site Guru
• Internet for Auditors Pioneer
• Recipient of the IIA’s 2007 Bradford Cadmus Memorial Award.
• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
Richard Cascarino MBA CIA CISM CFE
• Principal of Richard Cascarino & Associates based in Colorado USA
• Over 30 years' experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified Fraud Examiners
• Author of Auditor's Guide to IT Auditing
Webinar Housekeeping
• This webinar and its material are the property of AuditNet® and Richard Cascarino and Associates. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. We are recording the webinar and you will be provided with a link access to that recording as detailed below. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• Webinar recording link will be sent via email within 5-7 business days.
• NASBA rules require us to ask polling questions during the Webinar and CPE certificates will be sent via email to those who answer ALL the polling questions.
• The CPE certificates and link to the recording will be sent to the email address you registered with in GTW. We are not responsible for delivery problems due to spam filters, attachment restrictions or other controls in place for your email client.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• After the Webinar is over you will have an opportunity to provide feedback. Please complete the feedback questionnaire to help us continuously improve our Webinars
• If GTW stops working you may need to close and restart. You can always dial in and listen and follow along with the handout.
• The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® or the presenters’ respective organizations. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant‐client relationship.
• While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website
• Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet®
Today’s Agenda
• The nature of computer fraud
• The Corporate risk profile
• Computer fraud techniques
• Why computer fraud and who commits it?
• Fraud auditing
• Fraud awareness
• EDI and fraud
• Forensic auditing
• Sources of evidence and audit tools
• Legal evidence
• Reporting sensitive issues
“Fraud and deceit abound in these days more than in former times.”
SIR EDWARD COKE (1602)
What is Fraud?
As a Crime: "Fraud is a generic term, and embraces all the multifarious means which human ingenuity can devise, which are resorted to by one individual, to get an advantage over another by false representations. No definite and invariable rule can be laid down as a general proposition in defining fraud, as it includes surprise, trick, cunning, and unfair ways by which another is cheated. The only boundaries defining it are those which limit human knavery."
Michigan Criminal Law
What is Fraud? IIA's Definition
Fraud encompasses an array of irregularities and illegal acts characterized by intentional deception. It can be perpetrated for the benefit of or to the detriment of the organisation and by persons outside as well as inside the organisation - IIA
Why is Fraud Committed?
• Achieve a personal or organizational goal
• Satisfy a human need
Why by dishonest means?
• Keen and predatory competition
• Economic survival
• "All's fair in love and war"
• "Business is amoral anyway"
• "Because it's easy"
What is IT Fraud?
• A fraud in which a computer is used to commit or abet the fraud
• A fraud in which the computer is itself the victim
Includes:
• Embezzlement
• Theft of property
• Theft of proprietary information
• Forgery
• Counterfeiting
• Electronic eavesdropping
• Exceeding the user's authority
• Impersonation of an authorized user
New Crime?
• Changed form of older crimes
• Electronic entries in the books
• An occupational crime requiring:
  – Skills
  – Knowledge
  – Access
• Easier for the insider than the outsider
Nature of IT Fraud - 1
• Changes to Source Documents Prior to Processing
• Unauthorized On-line Access
• Piggy Backing
• Impersonation
• Fictitious Transactions
• Unauthorized Programs
• Unauthorized Reports
• Direct Changes to Programs, Data, Output Using Utilities or Special Programs
Nature of IT Fraud - 2
• Trojan Horse / Logic Bombs / Trap Doors: use of unauthorized coding
• Salami Techniques: a small amount from everyone
• Viruses: mainframe as well as micro
• Sabotage and Industrial Espionage: degrading systems performance, leaking confidential information
• Management Fraud: cooked books
MOMM Concept
• Motivation
  – Economic - financial gain
  – Ideological - normally revenge
  – Egocentric - need to show off
  – Psychotic - distorted sense of reality
• Opportunities
  – Inadequate Systems Controls: Accounting Control, Access Control
  – Inadequacy in Management Controls: Reward System, Ethical Climate, Climate for Trust
• Means
  – Compromising Controls / Personnel / Technology
• Methods
  – Input Scams / Throughput Scams / Output Scams
Polling Question 1
Establishing the Corporate Risk Profile
• Knowledge of the organization's business and industry
• Determination of the nature of the business and the way it is conducted
• Identification of any special legal or commercial requirements
• Identification of any industry-specific accounting principles or policies
• Identification of any significant information relied upon by management in the control of the business
• Identification of high-level control and operating issues
Areas to be Covered
• Organizational structure
• Key executive responsibilities
• Role of the Board of Directors, Audit Committee, Internal Auditors
• Management's judgments and integrity
• Performance planning and monitoring
• Policies and procedures for control and accountability
• Nature and organisation of Computerized Information
Primary Objectives - 1
To determine:
• Level of risk inherent in the organization's business environment
• Appropriateness of the organizational structure
• Appropriateness of levels of authority within the internal control structures
• Apparent quality of management's judgments and estimates
• Whether the environment is likely to be conducive to maintaining reliable internal controls
Primary Objectives - 2
• Extent to which management decision making is influenced by Information Systems
• Extent of asset control exercised by Information Systems
• Degree of reliance on revenues recorded on Information Systems
• Degree of reliance on expenses recorded on Information Systems
• Volume and average value of transactions through Information Systems
Other Items to Determine
• Quality of personnel recruitment
• Corporate ethical climate
• Systems of authority
• Quality of Internal Control
• Scope and skills of audit
IT Risk Management
• Accept the risk
• Reduce the risk
• Transfer the risk
• NOT ignore the risk
• Knowing the risk
Risk Profile Assessment
Must be:
• Simple
• Practical
• Quick
• Common-sense
• Business oriented
• Technically competent
Establishing a Risk Profile
Involves Assessment of:
• Physical security
• Personnel security
• Data security
• Applications software security
• Systems software security
• Telecommunications security
• Operations security
• Quantification of the risk factors
Risk Ranking - 1
Business Risk
• Nature of Transactions
• Value per transaction
• Total daily value of transactions
• Total accountability
• Liquidity
• Data
• Nature of Operating Environment
• Impact on users
• Pressure
• Functional complexity
• Processing sophistication
Risk Ranking - 2
Performance Risk
• Controls and Security
• Access
• Environmental
• Verification of value of data
• Verification of records
• Separation / Rotation of duties
• Completeness of records
• Accountability
• Accounting principles
• External reviews
• Documentation
• Contingency Planning
• Use as Management Information
Most Common Frauds
• False vendor, supplier or contractor invoice
• False governmental claim
• False fringe benefit claim
• False refund or credit claim
• False payroll claim
• False expense claim
Where are we Vulnerable?
• Information Processing Center
• Networks
• Input Origination
• Input Entry
• Processing
• Output Handling
• Output Disposal
Polling Question 2
Fraud Symptoms, Red Flags and Fraud Indicators
• Operating performance anomalies
• Organisational Structure
• Management characteristics
• Accounting anomalies
• Internal control weaknesses
• Analytical anomalies
• Unusual behaviour
Operating Performance Anomalies
• Unexplained changes in Financial Statement balances
• Urgent need to report favourable earnings
• High debt or interest burdens
• Cash flow problems
• Unusual or large and profitable transactions near the end of accounting periods
Accounting Anomalies
• Missing documents
• Excessive voids or credits
• Increased reconciliation items
• Alterations on documents
• Duplicate payments
• Common names or addresses of payees or customers
• Increased past due accounts
Internal Control Weaknesses
Lack of segregation of duties
Lack of physical safeguards
Lack of independent checks
Lack of proper authorisation
Lack of proper documents and records
Overriding of existing controls
Common Data Fraud Areas
• Corporate card fraud
• Invoicing for goods not delivered
• Duplicate Invoices
• Kickbacks / Bribes
• Increasing of Invoiced amounts and splitting the monies
• Fictitious / Ghost employees
• Carrying Employees on payrolls beyond actual severance dates
• Overtime fraud
• Cheque fraud
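Several indicators on this slide and on the earlier Accounting Anomalies slide (duplicate payments, common payee addresses, ghost employees, employees carried past their severance date) can be tested mechanically over ledger extracts, which is the kind of job the later slides assign to generalized audit software. The Python script below is an added example, not material from the webinar or from AuditNet; the vendor, employee and payroll records, the abbreviation table and every name and amount in it are constructed for illustration, with the anomalies planted deliberately.

```python
"""Red-flag tests an auditor might run with generalized audit software,
written in Python over constructed sample data (added example, not the
webinar's own material)."""
import re
from collections import defaultdict
from datetime import date
from typing import NamedTuple, Optional


class Invoice(NamedTuple):
    vendor_id: str
    vendor_name: str
    vendor_address: str
    invoice_no: str
    amount: float
    inv_date: date


class Employee(NamedTuple):
    emp_id: str
    name: str
    address: str
    bank_account: str
    severance_date: Optional[date]  # None while still employed


class PayrollRun(NamedTuple):
    emp_id: str
    pay_date: date
    net_amount: float


# Constructed sample records; each planted anomaly is marked in a comment.
INVOICES = [
    Invoice("V100", "Acme Supplies Ltd", "12 High St, Denver CO", "INV-0042", 1250.00, date(2015, 3, 2)),
    Invoice("V100", "Acme Supplies Ltd", "12 High St, Denver CO", "inv42", 1250.00, date(2015, 3, 9)),  # re-keyed duplicate
    Invoice("V100", "Acme Supplies Ltd", "12 High St, Denver CO", "INV-0043", 300.00, date(2015, 3, 12)),
    Invoice("V207", "Quickfix Services", "88 Elm Avenue, Apt 4, Boulder CO", "QF-17", 980.00, date(2015, 3, 15)),
    Invoice("V310", "Peak Consulting", "5 Pine Rd, Golden CO", "PC-2015-7", 4400.00, date(2015, 3, 20)),
]
EMPLOYEES = [
    Employee("E1", "Dana Reyes", "88 Elm Ave Apt 4, Boulder CO", "111-222", None),  # same address as vendor V207
    Employee("E2", "Sam Okoro", "3 Lake View, Denver CO", "333-444", date(2015, 1, 31)),  # left in January
    Employee("E3", "Lee Patel", "19 Ridge Ct, Aurora CO", "555-666", None),
    Employee("E4", "L. Patel", "PO Box 77, Aurora CO", "555-666", None),  # shares E3's bank account
]
PAYROLL = [
    PayrollRun("E1", date(2015, 2, 27), 3100.00),
    PayrollRun("E2", date(2015, 2, 27), 2800.00),  # paid after severance
    PayrollRun("E3", date(2015, 2, 27), 2950.00),
    PayrollRun("E4", date(2015, 2, 27), 2950.00),
]

# Small, constructed abbreviation table; a real run would use a fuller postal list.
ABBREV = {"avenue": "ave", "street": "st", "road": "rd", "apartment": "apt"}


def norm_address(addr: str) -> str:
    """Lower-case, abbreviate common words, drop punctuation and spaces."""
    tokens = re.findall(r"[a-z0-9]+", addr.lower())
    return "".join(ABBREV.get(t, t) for t in tokens)


def norm_invoice(no: str) -> str:
    """Collapse 'INV-0042', 'inv 42' and 'INV42' to one key: drop punctuation and leading zeros."""
    s = "".join(re.findall(r"[a-z0-9]+", no.lower()))
    return re.sub(r"(?<=[a-z])0+|^0+", "", s)


def duplicate_invoices(invoices):
    """Same vendor, same normalised invoice number, same amount: the classic double payment."""
    groups = defaultdict(list)
    for inv in invoices:
        groups[(inv.vendor_id, norm_invoice(inv.invoice_no), round(inv.amount, 2))].append(inv)
    return [g for g in groups.values() if len(g) > 1]


def vendor_employee_address_matches(invoices, employees):
    """Vendor address equal to an employee address: a fictitious-vendor indicator."""
    emp_by_addr = defaultdict(list)
    for e in employees:
        emp_by_addr[norm_address(e.address)].append(e.emp_id)
    hits = {(inv.vendor_id, emp_id)
            for inv in invoices
            for emp_id in emp_by_addr.get(norm_address(inv.vendor_address), [])}
    return sorted(hits)


def paid_after_severance(payroll, employees):
    """Payroll runs dated after the employee's recorded severance date."""
    sev = {e.emp_id: e.severance_date for e in employees}
    return [(p.emp_id, p.pay_date) for p in payroll
            if sev.get(p.emp_id) is not None and p.pay_date > sev[p.emp_id]]


def shared_bank_accounts(employees):
    """Two employee records paying into one account: a ghost-employee indicator."""
    by_acct = defaultdict(list)
    for e in employees:
        by_acct[e.bank_account].append(e.emp_id)
    return {acct: ids for acct, ids in by_acct.items() if len(ids) > 1}


def run_red_flag_tests():
    """Run every test over the sample extracts and return the hits per test."""
    return {
        "duplicate_invoices": duplicate_invoices(INVOICES),
        "vendor_employee_address_matches": vendor_employee_address_matches(INVOICES, EMPLOYEES),
        "paid_after_severance": paid_after_severance(PAYROLL, EMPLOYEES),
        "shared_bank_accounts": shared_bank_accounts(EMPLOYEES),
    }


if __name__ == "__main__":
    for test, hits in run_red_flag_tests().items():
        print(f"{test}: {hits}")
```

The normalisation step is the part worth tuning: re-keyed invoice numbers and abbreviated addresses are exactly how duplicates and conflicts slip past an exact-match comparison, and each hit is a lead for the evidence-gathering steps later in the deck, not a finding on its own.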
Common Mistakes
• Failure to maintain proper documentation
• Failure to notify decision makers
• Failure to control digital evidence
• Failure to report the incident in a timely manner
• Underestimating the scope of the incident
• No incident response plan in place
• Technical mistakes
  – Altering date and time stamps on evidence systems before recording them
  – Killing rogue processes
  – Patching the system back together before investigation
  – Not recording commands used
  – Using untrusted commands and tools
  – Overwriting evidence by installing tools
Access to Records
• Normal Input Transactions
• Changes to Operating System Software
• Changes to Application Programs
• Physical Substitution of Stored Data
• Use of Unauthorized Programs
• Changes to / Substitutions of Output Reports
Polling Question 3
Who Commits Computer Fraud?
• Users
• Management
• IT Auditors
• IT Staff
• Outsiders
• Collusion
Users
• Have access to assets
• Have legitimate access to computer systems
• Have adequate (too much?) authority levels
• Know the systems weaknesses
• May be responsible for error handling
• Account for almost 50% of all computer fraud
Management
• Also have access to assets
• Also have legitimate access to computer systems
• May have override authorities
• Know the systems weaknesses (Audit told them)
• May be responsible for reconciliations
• Are responsible for internal control
• Account for some 15% of computer fraud
IT Auditors
• May have access to assets
• Have legitimate access to computer systems
• Often have too much authority within systems
• Know the system weaknesses
• Account for some 5% of computer fraud
IT Staff
• Usually do not have access to assets except where the data is itself the asset
• Should not have access to live systems but often do
• May be able to bypass system controls
• May not know of, or be able to affect, user controls
• May design / program in fraud
• Account for some 3% of computer fraud
Outsiders
• Usually have no access to assets
• Usually do not know the systems
• Cause damage more than fraud
• Have the requisite skill levels
• Know the environmental weaknesses
• Account for less than 1% of computer fraud
• Is a potential growth area
Collusion
• Is the hardest to detect / prevent / prove
• Access to assets is available
• Access to systems is available
• Weaknesses are known
• Needed authorities are available
• Internal control may be exercised by the very perpetrators
What is Fraud Auditing?
• Creation of an environment that encourages the detection and prevention of fraud in commercial transactions
• Combination of:
  – Audit skills
  – Computer skills
  – Criminal-investigative skills
• Not a checklist
• Includes:
  – Human element
  – Organizational behavior
  – Knowledge of fraud
  – Evidence and standards of proof
Principles of Fraud Auditing
• Less a methodology, more an attitude
• Focus is on:
  – Exceptions
  – Oddities
  – Accounting irregularities
  – Patterns of conduct
• Primarily learned from experience (think like a thief)
• Materiality is not a major issue
• Fraud may come at any stage (Input / Processing / Output)
• Most common schemes perpetrated by lower-level employees
• Most common schemes involve disbursements
Principles of Fraud Auditing
• Most higher-level frauds involve "profit smoothing":
  – Deferring expenses
  – Booking sales too early
  – Overstating inventory
  – Kiting sales
• Frauds are more often caused by the absence of controls than by loose controls
• Most frauds are found by accident
• Fraud losses are growing exponentially
• The most effective prevention is a combination of adequate Internal Controls and an ethical climate
Fraud Questions?
• What is the nature of the system?
• Where are the weak links?
• What deviations are possible?
• Who can access?
• Who can authorize?
• What is the simplest way to compromise the system?
• Who has bypass capability?
Fraud Auditor's Objective
• To determine whether a fraud, theft or embezzlement has occurred
• Is there a criminal law?
• Was there an apparent breach of that law?
• Who was the perpetrator?
• Who was the victim?
• How can it be proven?
Detection Awareness for the Fraud Auditor
• Invitations to theft
• High Fraud Environments
• Low Fraud Environments
• Red Flags and Indicators
• Fraud Detection
• Control and Overcontrol
Approaches to Fraud Detection
• Reactive
  – Allegations and Complaints
  – Suspicions
  – Intuition
• Proactive
  – Adequate Internal Controls
  – Periodic Audits
  – Intelligence gathering
  – Review of Variances
  – Logging of Exceptions
  – Control and Overcontrol
Polling Question 4
EDI and Fraud
What is Electronic Data Interchange?
Systems allowing the movement of money with:
• Immediate / Same Day Value - Transaction
• Immediate Advisement / Confirmation - Information
• On-line Intra-day Monitoring / Credit - Credit
• Remote, User-friendly Initiation / Reporting - Access
• Full Electronic Audit Trail - Service
• Enhanced Data Security / Disaster Recovery - Security
What is Forensic Accounting?
• Forensic: "belonging to, used in, or suitable to courts of judicature or to public discussion and debate" - Webster
• Not always criminally related
• Forensic Accounting relates to evidence suitable for a court of law - either civil or criminal
• Reactive rather than proactive
• Forensic accountant deals with:
  – Criminal Complaints
  – Civil Statements of claim
  – Corporate Rumors and inquiries
Required of the Forensic Computer Auditor - 1
• A knowledge of accounting
• A knowledge of the business sector
• A knowledge of the computer systems:
  – Hardware
  – Software
  – Operating environment
  – Threats
  – Vulnerabilities
Required of the Forensic Computer Auditor - 2
• Experience and judgment
• A knowledge of investigative techniques
• A knowledge of evidence
• A knowledge of relevant statutes
Scope of Forensic Auditing
• Not restricted by materiality
• Not restricted by Generally Accepted Accounting Standards
• Use of sampling is not generally acceptable in procuring evidence
• Assumption of integrity of management and documentation
• An opinion on the findings may not be required
• Search for "Best Evidence"
Evidence Required
• Job role of the suspect
• Degree of control normally exercised by the suspect
• Access rights (required and actual)
• Knowledge by the suspect of the computer system
• Extent of the fraud
• Systematic pattern used in covering up the fraud
• Financial position of the suspect (motive and benefit)
• If in doubt err on the side of the suspect
Sources of Evidence and Audit Tools
• Non-computer evidence
• Computer evidence
• Non-computer audit tools and techniques
• Computerized audit tools and techniques
Non-computer Evidence
• System Documentation
• Interviews with Users / IS staff
• Procedure Manuals
• Job Descriptions
• Authority Matrices
• Security Environment
System Documentation
• Flowcharts
• Record Layouts
• Error Lists
• Input Documents
• Output Reports
• Narrative Descriptions
• Clerical Instructions
Additional Documentation
• Data Retention Requirements
• User Procedure Manuals
• User Override Authorities
• "UNOFFICIAL" Documentation
• Run Logs
• Run Schedules
• Timesheets
Interviews
• Interviews reflect opinions not facts
• Many frauds are discovered by tip-off
• The "Honest Broker"
• Non-verbal clues
• Document all Interviews immediately
Polling Question 5
Computer Evidence
• Input Documents
• Run Logs
• Outputs Produced
• Output from Audit Tests
• Access Logs
• Authority Lists
Non-Computer Tools and Techniques
"ANY TANGIBLE AID"
Tools to obtain information:
• Interviews
• Questionnaires
• Analytical audit flowcharts
• Flowcharting software
• Documentation review
Non-Computer Tools and Techniques
Tools to evaluate controls:
• Application control cube
  – IT areas
  – Components
  – Threats
  – Adequate / Inadequate
Non-Computer Tools and Techniques
Tools to verify controls:
• Audit around
• Test data
• Reperformance of key functions
• Reprocess selected items
Computer Tools and Techniques
Automated tools (CAATS):
• Test data generators
• Flowcharting packages
• Specialized audit software
• Generalized audit software
• Utility programs
Specialized Audit Software:
• Can accomplish any audit task but:
  – High development and maintenance cost
  – Require specific I.S. Skills
  – Must be "verified" if not written by the auditor
  – High degree of obsolescence
Computer Tools and Techniques
Generalized Audit Software:
• "Prefabricated" audit tests
• Each use is a one-off
• Auditor has direct control
• Lower development cost
• Fast to implement
Applications of Generalized Audit Software
• Detective examination of files
• Verification of processing controls
• File interrogations
• Management inquiries
Types of audit software:
• Program generators
• Macro languages
• Audit-specific tools
• Data downloaders
• Micro-based software
Audit Software Functions
• File access
• Format access
• Arithmetic operations
• Logic operations
• Record handling
• Update
• Output
• Statistical
• File comparison
• Graphics
Legal Evidence and Rules for Prosecution
• What is Evidence?
• Rules of Evidence
• Legal vs Audit Evidence
• Use of Computer Evidence
What is Evidence?
• Something intended to prove or support a belief
• Each piece may be flawed:
  – Personal bias
  – Potential error of measurement
  – Less competent than desirable
• In total the "body of evidence" should provide a factual basis for audit opinions
Standards of Audit Evidence
IIA Standards state that auditors “should collect, analyze, interpret and document information to support audit results"
Information should be:
• Related to the audit objectives
• Pertinent to the scope of work
• Systematically gathered
Rules of Evidence
• Primarily designed for legal evidence
• May have to be complied with in legal cases
• Evidence whose value as proof is offset by a prejudicial effect may be excluded
• The auditor is not normally so restricted:
  – Any evidence
  – Professional judgment
  – Until the auditor is satisfied
Legal vs Audit Evidence
• Common objective:
  – Provide proof
  – Foster an honest belief
• Different focus:
  – Legal relies heavily on oral evidence
  – Audit relies more on documentary evidence
• Legal Evidence must be lawfully gathered
Relevant Evidence
Evidence regarding:
• Motive for the crime
• Ability of defendant to commit the crime
• Opportunity to commit the crime
• Threats by the suspect
• Means to commit the crime
• Evidence linking the suspect to the actual crime
• Suspect's conduct and comments at the time of arrest
• Attempt to conceal User identity
• Attempt to destroy evidence
• Valid confessions
Chain of Custody
Evidence obtained should be:
• Marked
• Identified
• Inventoried
• Preserved
If gaps in the chain of custody occur, evidence may be ruled invalid
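The four words on this slide, together with two of the technical mistakes listed earlier (altering time stamps on evidence systems before recording them, and not recording the commands used), translate directly into an intake routine and a handling log. The Python below is an added example, not material from the webinar; the case id, examiner names and the file it creates are constructed, and the hash-chained log is one common way to make a gap in the custody record detectable rather than the only one.

```python
"""Evidence intake and custody log: mark, identify, inventory, preserve.
Added example; case id, examiner names and file content are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first log entry


def sha256_file(path: str) -> str:
    """Hash in chunks so a large evidence image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def intake_item(path: str, case_id: str, seq: int, examiner: str) -> dict:
    """Mark and identify one evidence file. os.stat() runs BEFORE the file is
    read: reading it for the hash can itself update the access time on some
    filesystems, which is the 'altering time stamps before recording them'
    mistake from the slides."""
    st = os.stat(path)

    def utc(ts: float) -> str:
        return datetime.fromtimestamp(ts, timezone.utc).isoformat()

    return {
        "item_id": f"{case_id}-{seq:03d}",
        "path": os.path.abspath(path),
        "size": st.st_size,
        "mtime_utc": utc(st.st_mtime),
        "atime_utc": utc(st.st_atime),
        "ctime_utc": utc(st.st_ctime),
        "sha256": sha256_file(path),
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collected_by": examiner,
    }


def verify_item(item: dict) -> bool:
    """Re-hash the file; a mismatch means the item is no longer what was inventoried."""
    return os.path.isfile(item["path"]) and sha256_file(item["path"]) == item["sha256"]


class CustodyLog:
    """Append-only handling record. Each entry carries the hash of the previous
    entry, so an edited, reordered or missing handover (a gap) fails verification."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, item_id: str, action: str, who: str, details: str = "") -> str:
        body = {
            "seq": len(self.entries),
            "item_id": item_id, "action": action, "who": who, "details": details,
            "when_utc": datetime.now(timezone.utc).isoformat(),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        self.entries.append({**body, "entry_hash": self._digest(body)})
        return self.entries[-1]["entry_hash"]

    def verify_chain(self) -> bool:
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo() -> dict:
    """Intake, a handover, a post-intake edit of the file, then a deleted log entry."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ap_export.csv")
        with open(path, "w") as f:
            f.write("vendor,invoice,amount\nV100,INV-0042,1250.00\n")  # constructed content
        log = CustodyLog()
        item = intake_item(path, "CASE-EXAMPLE", 1, "examiner A")
        log.append(item["item_id"], "collected", "examiner A", "sha256=" + item["sha256"])
        verified_before = verify_item(item)
        log.append(item["item_id"], "transferred", "examiner A", "sealed, handed to examiner B")
        with open(path, "a") as f:  # someone changes the file after intake
            f.write("V999,GHOST-1,5000.00\n")
        verified_after_change = verify_item(item)
        log.append(item["item_id"], "verified", "examiner B", "hash mismatch noted")
        chain_ok = log.verify_chain()
        del log.entries[1]  # the handover record goes missing
        chain_after_gap = log.verify_chain()
    return {"verified_before": verified_before, "verified_after_change": verified_after_change,
            "chain_ok": chain_ok, "chain_after_gap": chain_after_gap}
```

Truncating the tail of the log is the one gap this check cannot see on its own, so the latest entry hash should also be written somewhere independent at each handover (a countersigned receipt or a case ticket); the same log is the natural place to record every command run against an evidence system, which is the other mistake the earlier slide warns about.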
Polling Question 6
Reporting Sensitive Issues
• Internal Auditor: "the eyes and ears of management"
• Reporting to legal authorities and media neither required nor encouraged by IIA
• Where such reporting is required by law then IIA requires compliance
• Code of Ethics requires loyalty in all matters pertaining to the operations of the employer except where in conflict with legal issues
• Mandated to report wrongdoings internally as a minimum
• State of Virginia has laws protecting Internal Auditors from firing for whistle-blowing
From a US Survey of 8000 Employees - 1
• Most employees believe reporting wrongdoing is ethical and morally right
• Most employees who observe wrongdoing do not report it to anyone
• Internal auditors whose job entails reporting are more likely to report wrongdoing
• Employees who observe serious, well-documented, or frequent wrongdoings are more likely to report it
• Employees who observe wrongdoings are more likely to report when their organization's policies encourage them to do so
From a US Survey of 8000 Employees - 2
• A substantial number, though not a majority, of employees who report wrongdoing suffer retaliation of some sort, particularly when the reporting is externalized
• Retaliation is more likely if the wrongdoing is serious
• Internal Auditors suffer retaliation at about the same rate as other employees, even though they are mandated to report wrongdoing
Steps in Deciding to Report
• Did wrongdoing occur?
• Does the wrongdoing require action?
• Am I responsible for acting?
• What actions are available to me?
• Will the benefits of acting outweigh the costs?
• Has previous action proved beneficial to all parties?
• Was my action effective?
Questions?
• Any Questions? Don’t be Shy!
Coming Up Next
IT AUDIT ADVANCED
1. Advanced IT Audit Risk Analysis for Auditors May 19
2. Advanced IT Audit Securing the Internet May 21
3. Advanced IT Audit IT Security Reviews May 26
4. Advanced IT Audit Performance Auditing of the IT Function May 28
5. Advanced IT Audit Managing the IT Audit Function June 2
Thank You!
Richard Cascarino, MBA, CIA, CISM, CFE
Richard Cascarino & Associates
970-291-1497
Jim Kaplan
AuditNet LLC®
800-385-1625