
5/12/2015

1

Copyright © 2014 AuditNet® and Richard Cascarino & Associates

AuditNet® Training without Travel™
IT Fraud and Countermeasures
May 12 2015

Guest Presenter: Richard Cascarino, MBA, CIA, CISM, CFE
Richard Cascarino & Associates

Jim Kaplan CIA CFE

• President and Founder of AuditNet®, the global resource for auditors (now available on Apple and Android and Windows devices)

• Auditor, Web Site Guru

• Internet for Auditors Pioneer

• Recipient of the IIA’s 2007 Bradford Cadmus Memorial Award

• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition

Richard Cascarino MBA CIA CISM CFE

• Principal of Richard Cascarino & Associates based in Colorado USA

• Over 30 years' experience in IT audit training and consultancy

• Past President of the Institute of Internal Auditors in South Africa

• Member of ISACA

• Member of Association of Certified Fraud Examiners

• Author of Auditor's Guide to IT Auditing

Webinar Housekeeping

• This webinar and its material are the property of AuditNet® and Richard Cascarino and Associates. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. We are recording the webinar and you will be provided with a link to access that recording as detailed below. Downloading or otherwise duplicating the webinar recording is expressly prohibited.

• Webinar recording link will be sent via email within 5-7 business days.

• NASBA rules require us to ask polling questions during the Webinar and CPE certificates will be sent via email to those who answer ALL the polling questions.

• The CPE certificates and link to the recording will be sent to the email address you registered with in GTW. We are not responsible for delivery problems due to spam filters, attachment restrictions or other controls in place for your email client.

• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.

• After the Webinar is over you will have an opportunity to provide feedback. Please complete the feedback questionnaire to help us continuously improve our Webinars.

• If GTW stops working you may need to close and restart. You can always dial in and listen and follow along with the handout.

• The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® or the presenters’ respective organizations. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant‐client relationship. 

• While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website

• Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet®


Today’s Agenda

• The nature of computer fraud

• The Corporate risk profile

• Computer fraud techniques

• Why computer fraud and who commits it?

• Fraud auditing

• Fraud awareness

• EDI and fraud

• Forensic auditing

• Sources of evidence and audit tools

• Legal evidence

• Reporting sensitive issues

“Fraud and deceit abound in these days more than in former times.”

SIR EDWARD COKE (1602)

What is Fraud?

As a crime: "Fraud is a generic term, and embraces all the multifarious means which human ingenuity can devise, which are resorted to by one individual, to get an advantage over another by false representations. No definite and invariable rule can be laid down as a general proposition in defining fraud, as it includes surprise, trick, cunning, and unfair ways by which another is cheated. The only boundaries defining it are those which limit human knavery."

Michigan Criminal Law

What is Fraud? IIA's Definition

Fraud encompasses an array of irregularities and illegal acts characterized by intentional deception. It can be perpetrated for the benefit of or to the detriment of the organisation and by persons outside as well as inside the organisation. - IIA

Why is Fraud Committed?

• Achieve a personal or organizational goal

• Satisfy a human need

Why by dishonest means?

• Keen and predatory competition

• Economic survival

• "All's fair in love and war"

• "Business is amoral anyway"

• "Because it's easy"

What is IT Fraud?

• A fraud in which a computer is used to commit or abet the fraud

• A fraud in which the computer is itself the victim

Includes

• Embezzlement

• Theft of property

• Theft of proprietary information

• Forgery

• Counterfeiting

• Electronic eavesdropping

• Exceeding the user's authority

• Impersonation of an authorized user

New Crime?

• Changed form of older crimes

• Electronic entries in the books

• An occupational crime requiring

– Skills

– Knowledge

– Access

• Easier for the insider than the outsider

Nature of IT Fraud - 1

• Changes to Source Documents

– Prior to Processing

• Unauthorized On-line Access

– Piggy Backing

– Impersonation

– Fictitious Transactions

– Unauthorized Programs

– Unauthorized Reports

• Direct Changes to Programs, Data, Output

– Using Utilities or Special Programs

Nature of IT Fraud - 2

• Trojan Horse / Logic Bombs / Trap Doors

– Use of Unauthorized Coding

• Salami Techniques

– A small amount from everyone

• Viruses

– Mainframe as well as Micro

• Sabotage and Industrial Espionage

– Degrading Systems Performance

– Leaking Confidential Information

• Management Fraud

– Cooked Books

MOMM Concept

• Motivation

– Economic - financial gain

– Ideological - normally revenge

– Egocentric - need to show off

– Psychotic - distorted sense of reality

• Opportunities

– Inadequate Systems Controls: Accounting Control, Access Control

– Inadequacy in Management Controls: Reward System, Ethical Climate, Climate for Trust

• Means

– Compromising Controls / Personnel / Technology

• Methods

– Input Scams / Throughput Scams / Output Scams

Polling Question 1


Establishing the Corporate Risk Profile

• Knowledge of the organization's business and industry

• Determination of the nature of the business and the way it is conducted

• Identification of any special legal or commercial requirements

• Identification of any industry-specific accounting principles or policies

• Identification of any significant information relied upon by management in the control of the business

• Identification of high-level control and operating issues

Areas to be Covered

• Organizational structure

• Key executive responsibilities

• Role of the Board of Directors, Audit Committee, Internal Auditors

• Management's judgments and integrity

• Performance planning and monitoring

• Policies and procedures for control and accountability

• Nature and organisation of Computerized Information

Primary Objectives - 1

To determine

• Level of risk inherent in the organization's business environment

• Appropriateness of the organizational structure

• Appropriateness of levels of authority within the internal control structures

• Apparent quality of management's judgments and estimates

• Whether the environment is likely to be conducive to maintaining reliable internal controls

Primary Objectives - 2

• Extent to which management decision making is influenced by Information Systems

• Extent of asset control exercised by Information Systems

• Degree of reliance on revenues recorded on Information Systems

• Degree of reliance on expenses recorded on Information Systems

• Volume and average value of transactions through Information Systems

Other Items to Determine

• Quality of personnel recruitment

• Corporate ethical climate

• Systems of authority

• Quality of Internal Control

• Scope and skills of audit

IT Risk Management

• Accept the risk

• Reduce the risk

• Transfer the risk

NOT

• Ignore the risk, knowing the risk

Risk Profile Assessment

Must be

• Simple

• Practical

• Quick

• Common-sense

• Business oriented

• Technically competent

Establishing a Risk Profile

Involves Assessment of

• Physical security

• Personnel security

• Data security

• Applications software security

• Systems software security

• Telecommunications security

• Operations security

Quantification of the risk factors

Risk Ranking - 1

Business Risk

• Nature of Transactions

– Value per transaction

– Total daily value of transactions

– Total accountability

– Liquidity

– Data

• Nature of Operating Environment

– Impact on users

– Pressure

– Functional complexity

– Processing sophistication

Risk Ranking - 2

Performance Risk

• Controls and Security

– Access

– Environmental

• Verification of value of data

• Verification of records

• Separation / Rotation of duties

• Completeness of records

• Accountability

• Accounting principles

• External reviews

• Documentation

• Contingency Planning

• Use as Management Information

Most Common Frauds

• False vendor, supplier or contractor invoice

• False governmental claim

• False fringe benefit claim

• False refund or credit claim

• False payroll claim

• False expense claim

Where are we Vulnerable?

• Information Processing Center

• Networks

• Input Origination

• Input Entry

• Processing

• Output Handling

• Output Disposal

Polling Question 2


Fraud Symptoms, Red Flags and Fraud Indicators

• Operating performance anomalies

• Organisational Structure

• Management characteristics

• Accounting anomalies

• Internal control weaknesses

• Analytical anomalies

• Unusual behaviour

Operating Performance Anomalies

• Unexplained changes in Financial Statement balances

• Urgent need to report favourable earnings

• High debt or interest burdens

• Cash flow problems

• Unusual or large and profitable transactions near the end of accounting periods

Accounting Anomalies

• Missing documents

• Excessive voids or credits

• Increased reconciliation items

• Alterations on documents

• Duplicate payments

• Common names or addresses of payees or customers

• Increased past due accounts

Internal Control Weaknesses

Lack of segregation of duties

Lack of physical safeguards

Lack of independent checks

Lack of proper authorisation

Lack of proper documents and records

Overriding of existing controls


Common Data Fraud Areas

• Corporate card fraud

• Invoicing for goods not delivered

• Duplicate Invoices

• Kickbacks / Bribes

• Increasing of Invoiced amounts and splitting the monies

• Fictitious / Ghost employees

• Carrying Employees on payrolls beyond actual severance dates

• Overtime fraud

• Cheque fraud

Common Mistakes

• Failure to maintain proper documentation

• Failure to notify decision makers

• Failure to control digital evidence

• Failure to report the incident in a timely manner

• Underestimating the scope of the incident

• No incident response plan in place

• Technical mistakes

– Altering date and time stamps on evidence systems before recording them

– Killing rogue processes

– Patching the system back together before investigation

– Not recording commands used

– Using untrusted commands and tools

– Overwriting evidence by installing tools

Access to Records

• Normal Input Transactions

• Changes to Operating System Software

• Changes to Application Programs

• Physical Substitution of Stored Data

• Use of Unauthorized Programs

• Changes to / Substitutions of Output Reports

Polling Question 3


Who Commits Computer Fraud?

• Users

• Management

• IT Auditors

• IT Staff

• Outsiders

• Collusion

Users

• Have access to assets

• Have legitimate access to computer systems

• Have adequate (too much?) authority levels

• Know the systems weaknesses

• May be responsible for error handling

• Account for almost 50% of all computer fraud

Management

• Also have access to assets

• Also have legitimate access to computer systems

• May have override authorities

• Know the systems weaknesses (Audit told them)

• May be responsible for reconciliations

• Are responsible for internal control

• Account for some 15% of computer fraud

IT Auditors

• May have access to assets

• Have legitimate access to computer systems

• Often have too much authority within systems

• Know the system weaknesses

• Account for some 5% of computer fraud

IT Staff

• Usually do not have access to assets except where the data is itself the asset

• Should not have access to live systems but often do

• May be able to bypass system controls

• May not know of, or be able to affect, user controls

• May design / program in fraud

• Account for some 3% of computer fraud

Outsiders

• Usually have no access to assets

• Usually do not know the systems

• Cause damage more than fraud

• Have the requisite skill levels

• Know the environmental weaknesses

• Account for less than 1% of computer fraud

• Is a potential growth area

Collusion

• Is the hardest to detect / prevent / prove

• Access to assets is available

• Access to systems is available

• Weaknesses are known

• Needed authorities are available

• Internal control may be exercised by the very perpetrators

What is Fraud Auditing?

• Creation of an environment that encourages the detection and prevention of fraud in commercial transactions

• Combination of

– Audit skills

– Computer skills

– Criminal-investigative skills

• Not a checklist

• Includes

– Human element

– Organizational behavior

– Knowledge of fraud

– Evidence and standards of proof

Principles of Fraud Auditing

• Less a methodology, more an attitude

• Focus is on

– Exceptions

– Oddities

– Accounting irregularities

– Patterns of conduct

• Primarily learned from experience (think like a thief)

• Materiality is not a major issue

• Fraud may come at any stage (Input / Processing / Output)

• Most common schemes perpetrated by lower-level employees

• Most common schemes involve disbursements

Principles of Fraud Auditing

• Most higher-level frauds involve "profit smoothing"

– Deferring expenses

– Booking sales too early

– Overstating inventory

– Kiting sales

• Frauds are more often caused by the absence of controls than by loose controls

• Most frauds are found by accident

• Fraud losses are growing exponentially

• Most effective prevention is a combination of adequate Internal Controls and an ethical climate

Fraud Questions?

• What is the nature of the system?

• Where are the weak links?

• What deviations are possible?

• Who can access?

• Who can authorize?

• What is the simplest way to compromise the system?

• Who has bypass capability?

Fraud Auditor's Objective

To determine whether a fraud, theft or embezzlement has occurred

• Is there a criminal law?

• Was there an apparent breach of that law?

• Who was the perpetrator?

• Who was the victim?

• How can it be proven?

Detection Awareness for the Fraud Auditor

• Invitations to theft

• High Fraud Environments

• Low Fraud Environments

• Red Flags and Indicators

• Fraud Detection

• Control and Overcontrol

Approaches to Fraud Detection

• Reactive

– Allegations and Complaints

– Suspicions

– Intuition

• Proactive

– Adequate Internal Controls

– Periodic Audits

– Intelligence gathering

– Review of Variances

– Logging of Exceptions

– Control and Overcontrol

Polling Question 4


EDI and Fraud

What is Electronic Data Interchange?

Systems allowing the movement of money with:

• Immediate / Same Day Value - Transaction

• Immediate Advisement / Confirmation - Information

• On-line Intra-day Monitoring / Credit - Credit

• Remote, User-friendly Initiation / Reporting - Access

• Full Electronic Audit Trail - Service

• Enhanced Data Security / Disaster Recovery - Security

What is Forensic Accounting?

• Forensic: "belonging to, used in, or suitable to courts of judicature or to public discussion and debate" - Webster

• Not always criminally related

• Forensic Accounting relates to evidence suitable for a court of law - either civil or criminal

• Reactive rather than proactive

• Forensic accountant deals with

– Criminal Complaints

– Civil Statements of claim

– Corporate Rumors and inquiries

Required of the Forensic Computer Auditor - 1

• A knowledge of accounting

• A knowledge of the business sector

• A knowledge of the computer systems

– Hardware

– Software

– Operating environment

– Threats

– Vulnerabilities

Required of the Forensic Computer Auditor - 2

• Experience and judgment

• A knowledge of investigative techniques

• A knowledge of evidence

• A knowledge of relevant statutes

Scope of Forensic Auditing

• Not restricted by materiality

• Not restricted by Generally Accepted Accounting Standards

• Use of sampling is not generally acceptable in procuring evidence

• Assumption of integrity of management and documentation

• An opinion on the findings may not be required

• Search for "Best Evidence"

Evidence Required

• Job role of the suspect

• Degree of control normally exercised by the suspect

• Access rights (required and actual)

• Knowledge by the suspect of the computer system

• Extent of the fraud

• Systematic pattern used in covering up the fraud

• Financial position of the suspect (motive and benefit)

If in doubt err on the side of the suspect

Sources of Evidence and Audit Tools

• Non-computer evidence

• Computer evidence

• Non-computer audit tools and techniques

• Computerized audit tools and techniques

Non-computer Evidence

• System Documentation

• Interviews with Users / IS staff

• Procedure Manuals

• Job Descriptions

• Authority Matrices

• Security Environment

System Documentation

• Flowcharts

• Record Layouts

• Error Lists

• Input Documents

• Output Reports

• Narrative Descriptions

• Clerical Instructions

Additional Documentation

• Data Retention Requirements

• User Procedure Manuals

• User Override Authorities

• "UNOFFICIAL" Documentation

• Run Logs

• Run Schedules

• Timesheets

Interviews

• Interviews reflect opinions not facts

• Many frauds are discovered by tip-off

• The "Honest Broker"

• Non-verbal clues

• Document all Interviews immediately

Polling Question 5


Computer Evidence

• Input Documents

• Run Logs

• Outputs Produced

• Output from Audit Tests

• Access Logs

• Authority Lists

Non-Computer Tools and Techniques

"ANY TANGIBLE AID"

Tools to obtain information

• Interviews

• Questionnaires

• Analytical audit flowcharts

• Flowcharting software

• Documentation review

Non-Computer Tools and Techniques

Tools to evaluate controls

• Application control cube, with axes for

– IT areas

– Components

– Threats

• Each control rated Adequate / Inadequate

Non-Computer Tools and Techniques

Tools to verify controls

• Audit around

• Test data

• Reperformance of key functions

• Reprocess selected items

Computer Tools and Techniques

Automated tools (CAATs)

• Test data generators

• Flowcharting packages

• Specialized audit software

• Generalized audit software

• Utility programs

Specialized Audit Software

• Can accomplish any audit task but

– High development and maintenance cost

– Require specific I.S. Skills

– Must be "verified" if not written by the auditor

– High degree of obsolescence

Computer Tools and Techniques

Generalized Audit Software

• "Prefabricated" audit tests

• Each use is a one-off

• Auditor has direct control

• Lower development cost

• Fast to implement

Applications of Generalized Audit Software

• Detective examination of files

• Verification of processing controls

• File interrogations

• Management inquiries

Types of audit software

• Program generators

• Macro languages

• Audit-specific tools

• Data downloaders

• Micro-based software

Audit Software Functions

• File access

• Format access

• Arithmetic operations

• Logic operations

• Record handling

• Update

• Output

• Statistical

• File comparison

• Graphics
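The following is an added example, not part of the webinar material: it shows how the file interrogation and file comparison functions listed above turn the red flags from the Accounting Anomalies and Common Data Fraud Areas slides (duplicate payments, split invoices, payees sharing an address, employees carried past severance) into repeatable generalized-audit-software tests. All records, vendor names and the approval limit are constructed sample data.

```python
"""Generalized-audit-software style tests over accounts-payable and payroll data.

Added example, not taken from the slides. It shows how the file interrogation and
file comparison functions of generalized audit software turn red flags from the
Accounting Anomalies and Common Data Fraud Areas slides into repeatable tests.
Every record below is constructed sample data, not a real ledger.
"""
from collections import defaultdict
from datetime import date

# Constructed AP payment file: (payment_id, vendor, invoice_no, amount, paid_on)
PAYMENTS = [
    ("P1", "Acme Ltd", "INV-100", 4900.00, date(2015, 3, 2)),
    ("P2", "Acme Ltd", "INV-100", 4900.00, date(2015, 3, 9)),   # same invoice paid twice
    ("P3", "Acme Ltd", "INV-101", 4950.00, date(2015, 3, 9)),   # three invoices, one day,
    ("P4", "Acme Ltd", "INV-102", 4975.00, date(2015, 3, 9)),   # each just under the limit
    ("P5", "Beta Inc", "B-77", 12000.00, date(2015, 3, 10)),
]

# Constructed vendor master: vendor -> address exactly as keyed by the clerk
VENDORS = {
    "Acme Ltd": "12 High St, Suite 4, Denver",
    "Beta Inc": "900 Market Rd, Boulder",
    "Gamma LLC": "12 HIGH ST SUITE 4 DENVER",   # Acme's address, keyed differently
}

# Constructed HR master (None = still employed) and one payroll run
SEVERANCE = {"E1": date(2015, 1, 31), "E2": None}
PAYROLL = [("E1", date(2015, 2, 28), 3200.00), ("E2", date(2015, 2, 28), 4100.00)]

APPROVAL_LIMIT = 5000.00  # constructed single-signature approval limit


def duplicate_payments(payments):
    """Duplicate payments / duplicate invoices: one vendor invoice paid more than once."""
    paid = defaultdict(list)
    for pid, vendor, inv, _amount, _paid_on in payments:
        paid[(vendor, inv)].append(pid)
    return {key: pids for key, pids in paid.items() if len(pids) > 1}


def split_invoices(payments, limit, band=0.05):
    """Splitting the monies: several same-day invoices from one vendor, each within
    `band` below the approval limit, whose total exceeds that limit."""
    by_day = defaultdict(list)
    for pid, vendor, _inv, amount, paid_on in payments:
        if limit * (1 - band) <= amount < limit:
            by_day[(vendor, paid_on)].append((pid, amount))
    return {key: [pid for pid, _ in rows]
            for key, rows in by_day.items()
            if len(rows) > 1 and sum(a for _, a in rows) > limit}


def normalize_address(addr):
    """Fold case, punctuation and spacing so differently keyed addresses compare equal."""
    kept = "".join(ch for ch in addr.upper() if ch.isalnum() or ch.isspace())
    return " ".join(kept.split())


def shared_addresses(vendors):
    """Common addresses of payees: distinct vendors resolving to one address."""
    groups = defaultdict(list)
    for vendor, addr in vendors.items():
        groups[normalize_address(addr)].append(vendor)
    return {addr: sorted(vs) for addr, vs in groups.items() if len(vs) > 1}


def paid_after_severance(payroll, severance):
    """Ghost employees: payroll lines dated after the employee's severance date."""
    return [(emp, pay_date) for emp, pay_date, _amount in payroll
            if severance.get(emp) is not None and pay_date > severance[emp]]


def run_all():
    """Run every interrogation once; each finding is a list for the working papers."""
    return {
        "duplicate_payments": duplicate_payments(PAYMENTS),
        "split_invoices": split_invoices(PAYMENTS, APPROVAL_LIMIT),
        "shared_addresses": shared_addresses(VENDORS),
        "paid_after_severance": paid_after_severance(PAYROLL, SEVERANCE),
    }


if __name__ == "__main__":
    for test, finding in run_all().items():
        print(f"{test}: {finding}")
```

Each test is a file comparison or interrogation the auditor controls directly, which is the "prefabricated test" model of generalized audit software rather than a bespoke program that would itself need verifying.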

Legal Evidence and Rules for Prosecution

• What is Evidence?

• Rules of Evidence

• Legal vs Audit Evidence

• Use of Computer Evidence

What is Evidence?

• Something intended to prove or support a belief

• Each piece may be flawed

– Personal bias

– Potential error of measurement

– Less competent than desirable

• In total the "body of evidence" should provide a factual basis for audit opinions

Standards of Audit Evidence

IIA Standards state that auditors “should collect, analyze, interpret and document information to support audit results”

Information should be

• Related to the audit objectives

• Pertinent to the scope of work

• Systematically gathered

Rules of Evidence

• Primarily designed for legal evidence

• May have to be complied with in legal cases

• Evidence whose value as proof is offset by a prejudicial effect may be excluded

• The auditor is not normally so restricted

– Any evidence

– Professional judgment

– Until the auditor is satisfied

Legal vs Audit Evidence

• Common objective

– Provide proof

– Foster an honest belief

• Different focus

– Legal relies heavily on oral evidence

– Audit relies more on documentary evidence

• Legal Evidence must be lawfully gathered

Relevant Evidence

Evidence regarding

• Motive for the crime

• Ability of defendant to commit the crime

• Opportunity to commit the crime

• Threats by the suspect

• Means to commit the crime

• Evidence linking the suspect to the actual crime

• Suspect's conduct and comments at the time of arrest

• Attempt to conceal User identity

• Attempt to destroy evidence

• Valid confessions

Chain of Custody

Evidence obtained should be

• Marked

• Identified

• Inventoried

• Preserved

If gaps in the chain of custody occur, evidence may be ruled invalid
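As an added example that is not part of the webinar material, the record below implements the four steps above as a hash-sealed custody manifest and checks for the two defects that create a gap: content that no longer matches the fingerprint taken at collection, and a hand-over whose releasing party is not the documented holder. Exhibit labels, names, times and the evidence bytes are constructed.

```python
"""Hash-sealed chain-of-custody record for a seized evidence file.

Added example, not taken from the slides. It implements the Marked / Identified /
Inventoried / Preserved steps from the Chain of Custody slide and flags the gaps
that can get evidence ruled invalid. Names, times and the evidence bytes are
constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Transfer:
    released_by: str
    received_by: str
    at: datetime
    purpose: str


@dataclass
class EvidenceItem:
    item_id: str        # Marked: unique exhibit label
    description: str    # Identified: what it is and where it came from
    sha256: str         # Preserved: fingerprint taken before any analysis
    collected_by: str
    collected_at: datetime
    custody: list = field(default_factory=list)   # Inventoried: every hand-over


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def seize(item_id, description, data, collector, when_iso):
    """Create the record at collection time; hash first, touch nothing else yet."""
    return EvidenceItem(item_id, description, fingerprint(data),
                        collector, datetime.fromisoformat(when_iso))


def hand_over(item, released_by, received_by, when_iso, purpose):
    """Log one transfer; the releasing party must be the documented current holder."""
    item.custody.append(Transfer(released_by, received_by,
                                 datetime.fromisoformat(when_iso), purpose))


def verify(item, data_now):
    """Return the list of defects found; an empty list means the chain is intact."""
    problems = []
    if fingerprint(data_now) != item.sha256:
        problems.append("content changed since collection")
    holder, last_time = item.collected_by, item.collected_at
    for t in item.custody:
        if t.released_by != holder:
            problems.append(f"custody gap: {holder} -> {t.released_by} undocumented")
        if t.at < last_time:
            problems.append(f"out-of-order transfer at {t.at.isoformat()}")
        holder, last_time = t.received_by, t.at
    return problems


# Constructed stand-in for the seized file's bytes
EVIDENCE = b"constructed sample: AP ledger export, March 2015"


def build_demo_record():
    """A clean two-transfer chain: collector -> evidence locker -> forensic analyst."""
    item = seize("EX-01", "AP ledger export from the finance server", EVIDENCE,
                 "Auditor", "2015-05-12T09:00")
    hand_over(item, "Auditor", "Evidence Locker", "2015-05-12T11:30", "secure storage")
    hand_over(item, "Evidence Locker", "Forensic Analyst", "2015-05-13T08:15", "imaging")
    return item


if __name__ == "__main__":
    item = build_demo_record()
    print("intact chain:", verify(item, EVIDENCE))
    print("tampered file:", verify(item, EVIDENCE + b"\x00"))
    hand_over(item, "Someone Else", "Evidence Locker", "2015-05-14T09:00", "return")
    print("undocumented hand-over:", verify(item, EVIDENCE))
```

Taking the fingerprint before anything else is also what protects against the technical mistakes listed on the Common Mistakes slide, since a later overwrite or timestamp change shows up as a content mismatch rather than going unnoticed.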

Polling Question 6


Reporting Sensitive Issues

• Internal Auditor: "the eyes and ears of management"

• Reporting to legal authorities and media neither required nor encouraged by IIA

• Where such reporting is required by law then IIA requires compliance

• Code of Ethics requires loyalty in all matters pertaining to the operations of the employer except where in conflict with legal issues

• Mandated to report wrongdoings internally as a minimum

• State of Virginia has laws protecting Internal Auditors from firing for whistle-blowing

From a US Survey of 8000 Employees - 1

• Most employees believe reporting wrongdoing is ethical and morally right

• Most employees who observe wrongdoing do not report it to anyone

• Internal auditors whose job entails reporting are more likely to report wrongdoing

• Employees who observe serious, well-documented, or frequent wrongdoings are more likely to report it

• Employees who observe wrongdoings are more likely to report when their organization's policies encourage them to do so

From a US Survey of 8000 Employees - 2

• A substantial number, though not a majority, of employees who report wrongdoing suffer retaliation of some sort, particularly when the reporting is externalized

• Retaliation is more likely if the wrongdoing is serious

• Internal Auditors suffer retaliation at about the same rate as other employees, even though they are mandated to report wrongdoing

Steps in Deciding to Report

• Did wrongdoing occur?

• Does the wrongdoing require action?

• Am I responsible for acting?

• What actions are available to me?

• Will the benefits of acting outweigh the costs?

• Has previous action proved beneficial to all parties?

• Was my action effective?

Questions?

• Any Questions? Don’t be Shy!

Coming Up Next

IT AUDIT ADVANCED

1. Advanced IT Audit Risk Analysis for Auditors May 19

2. Advanced IT Audit Securing the Internet May 21

3. Advanced IT Audit IT Security Reviews May 26

4. Advanced IT Audit Performance Auditing of the IT Function May 28

5. Advanced IT Audit Managing the IT Audit Function June 2

Thank You!

Richard Cascarino, MBA, CIA, CISM, CFE
Richard Cascarino & Associates
970-291-1497
[email protected]

Jim Kaplan
AuditNet LLC®
800-385-1625
[email protected]