It52015 slides

5/12/2015
1
Copyright © 2014 AuditNet® and Richard Cascarino & Associates
AuditNet® Training without Travel™
IT Fraud and Countermeasures May 12 2015
Guest Presenter:
Richard Cascarino,
MBA, CIA, CISM, CFE
Richard Cascarino &
Associates
Jim Kaplan CIA CFE
• President and Founder of
AuditNet®, the global resource
for auditors (now available on
Apple and Android and Windows
devices)
• Auditor, Web Site Guru,
• Internet for Auditors Pioneer
• Recipient of the IIA’s 2007
Bradford Cadmus Memorial
Award.
• Author of “The Auditor’s Guide
to Internet Resources” 2nd
Edition

5/12/2015
2
Richard Cascarino MBA CIA CISM CFE
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 30 years experience in IT
audit training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Auditor's Guide to IT
Auditing
Webinar Housekeeping
• This webinar and its material are the property of AuditNet® and Richard Cascarino
and Associates. Unauthorized usage or recording of this webinar or any of its material
is strictly forbidden. We are recording the webinar and you will be provided with a link
access to that recording as detailed below. Downloading or otherwise duplicating the
webinar recording is expressly prohibited.
• Webinar recording link will be sent via email within 5-7 business days.
• NASBA rules require us to ask polling questions during the Webinar and CPE
certificates will be sent via email to those who answer ALL the polling questions
• The CPE certificates and link to the recording will be sent to the email address you
registered with in GTW. We are not responsible for delivery problems due to spam
filters, attachment restrictions or other controls in place for your email client.
• Submit questions via the chat box on your screen and we will answer them either
during or at the conclusion.
• After the Webinar is over you will have an opportunity to provide feedback. Please
complete the feedback questionnaire to help us continuously improve our Webinars
• If GTW stops working you may need to close and restart. You can always dial in and
listen and follow along with the handout.

5/12/2015
3
• The views expressed by the presenters do not necessarily represent the
views, positions, or opinions of AuditNet® or the presenters’ respective
organizations. These materials, and the oral presentation accompanying
them, are for educational purposes only and do not constitute accounting
or legal advice or create an accountant‐client relationship.
• While AuditNet® makes every effort to ensure information is accurate and
complete, AuditNet® makes no representations, guarantees, or warranties
as to the accuracy or completeness of the information provided via this
presentation. AuditNet® specifically disclaims all liability for any claims or
damages that may result from the information contained in this
presentation, including any websites maintained by third parties and
linked to the AuditNet® website
• Any mention of commercial products is for information only; it does not
imply recommendation or endorsement by AuditNet®
Today’s Agenda
• The nature of computer fraud
• The Corporate risk profile
• Computer fraud techniques
• Why computer fraud and who commits it?
• Fraud auditing
• Fraud awareness
• EDI and fraud
• Forensic auditing
• Sources of evidence and audit tools
• Legal evidence
• Reporting sensitive issues

5/12/2015
4
Copyright © 2014 AuditNet® and Richard Cascarino & Associates 7
“Fraud and deceit abound in
these days more than in
former times”.
SIR EDWARD CODE (1602)
What is Fraud?
As a Crime
"Fraud is a generic term, and embraces all the
multifarious means which human ingenuity can
devise, which are resorted to by one individual,
to get an advantage over another by false
representations. No definite and invariable rule
can be laid down as a general proposition in
defining fraud, as it includes surprise, trick,
cunning, and unfair ways by which another is
cheated. The only boundaries defining it are
those which limit human knavery."
Michigan Criminal Law

5/12/2015
5
What is Fraud?
IIA's Definition
Fraud encompasses an array of irregularities and illegal acts
characterized by intentional deception. It can be perpetrated for
the benefit of or to the detriment of the organisation and by
persons outside as well as inside the organisation - IIA
Why is Fraud Committed?
Achieve a personal or organizational goal
Satisfy a human need
Why by dishonest means?
Keen and predatory competition
Economic survival
"All's fair in love and war"
"Business is amoral anyway"
"Because it's easy"
What is IT Fraud?
A fraud in which a computer is used to
commit or abet the fraud
A fraud in which the computer is itself
the victim
Includes
Embezzlement
Theft of property
Theft of proprietary information
Forgery
Counterfeiting
Electronic eavesdropping
Exceeding the user's authority
Impersonation of a authorized user

5/12/2015
6
New Crime?
Changed form of older crimes
Electronic entries in the books
An occupational crime requiring
Skills
Knowledge
Access
Easier for the insider than the outsider
Nature of IT Fraud - 1
Changes to Source Documents
Prior to Processing
Unauthorized On-line Access
Piggy Backing
Impersonation
Fictitious Transactions
Unauthorized Programs
Unauthorized Reports
Direct Changes to Programs, Data,
Output
Using Utilities or Special Programs

5/12/2015
7
Nature of IT Fraud - 2
Trojan Horse / Logic Bombs / Trap Doors
Use of Unauthorized Coding
Salami Techniques
A small amount from everyone
Viruses
Mainframe as well as Micro
Sabotage and Industrial Espionage
Degrading Systems Performance
Leaking Confidential Information
Management Fraud
Cooked Books
MOMM Concept
Motivation
Economic - financial gain
Ideological - normally revenge
Egocentric - need to show off
Psychotic - distorted sense of reality
Opportunities
Inadequate Systems Controls
Accounting Control
Access Control
Inadequacy in Management Controls
Reward System
Ethical Climate
Climate for Trust
Means
Compromising Controls / Personnel / Technology
Methods
Input Scams / Throughput Scams / Output Scams

5/12/2015
8
Polling Question 1
Knowledge of the organization's business and
industry
Determination of the nature of the business and the
way it is conducted
Identification of any special legal or commercial
requirements
Identification of any industry-specific accounting
principles or policies
Identification of any significant information relied
upon by management in the control of the business
Identification of high-level control and operating
issues
Establishing the
Corporate Risk Profile

5/12/2015
9
Areas to be Covered
Organizational structure
Key executive responsibilities
Role of the Board of Directors, Audit
Committee, Internal Auditors
Management's judgments and integrity
Performance planning and monitoring
Policies and procedures for control and
accountability
Nature and organisation of
Computerized Information
Primary Objectives - 1
To determine
Level of risk inherent in the organization's
business environment
Appropriateness of the organizational structure
Appropriateness of levels of authority within
the internal control structures
Apparent quality of management's judgments
and estimates
Whether the environment is likely to be
conducive to maintaining reliable internal
controls

5/12/2015
10
Primary Objectives - 2
Extent to which management decision making is
influenced by Information Systems
Extent of asset control exercised by Information
Systems
Degree of reliance on revenues recorded on
Information Systems
Degree of reliance on expenses recorded on
Information Systems
Volume and average value of transactions
through Information Systems
Other Items to Determine
Quality of personnel recruitment
Corporate ethical climate
Systems of authority
Quality of Internal Control
Scope and skills of audit

5/12/2015
11
IT Risk Management
Accept the risk
Reduce the risk
Transfer the risk
NOT
Ignore the risk
Knowing the risk
Risk Profile Assessment
Must be
Simple
Practical
Quick
Common-sense
Business oriented
Technically competent

5/12/2015
12
Establishing a Risk Profile
Involves Assessment of
Physical security
Personnel security
Data security
Applications software security
Systems software security
Telecommunications security
Operations security
Quantification of the risk factors
Risk Ranking - 1
Business Risk
Nature of Transactions
Value per transaction
Total daily value of transactions
Total accountability
Liquidity
Data
Nature of Operating Environment
Impact on users
Pressure
Functional complexity
Processing sophistication

5/12/2015
13
Risk Ranking - 2
Performance Risk
Controls and Security
Access
Environmental
Verification of value of data
Verification of records
Separation / Rotation of duties
Completeness of records
Accountability
Accounting principles
External reviews
Documentation
Contingency Planning
Use as Management Information
Most Common Frauds
False vendor, supplier or contractor
invoice
False governmental claim
False fringe benefit claim
False refund or credit claim
False payroll claim
False expense claim

5/12/2015
14
Where are we Vulnerable?
Information Processing Center
Networks
Input Origination
Input Entry
Processing
Output Handling
Output Disposal
Polling Question 2

5/12/2015
15
Fraud Symptoms, Red Flags
and Fraud Indicators
 Operating performance anomalies
 Organisational Structure
 Management characteristics
 Accounting anomalies
 Internal control weaknesses
 Analytical anomalies
 Unusual behaviour
Operating Performance
Anomalies
 Unexplained changes in Financial
Statement balances.
 Urgent need to report favourable
earnings
 High debt or interest burdens
 Cash flow problems
 Unusual or large and profitable
transactions near the end of
accounting periods

5/12/2015
16
Accounting Anomalies
 Missing documents.
 Excessive voids or credits.
 Increased reconciliation items.
 Alterations on documents.
 Duplicate payments.
 Common names or addresses of
payees or customers
 Increased past due accounts.
Internal Control
Weaknesses
 Lack of segregation of duties
 Lack of physical safeguards
 Lack of independent checks
 Lack of proper authorisation
 Lack of proper documents and records
 Overriding of existing controls

5/12/2015
17
Common Data Fraud Areas
 Corporate card fraud
 Invoicing for goods not delivered
 Duplicate Invoices
 Kickbacks / Bribes
 Increasing of Invoiced amounts and
splitting the monies
 Fictitious / Ghost employees
 Carrying Employees on payrolls beyond
actual severance dates
 Overtime fraud
 Cheque fraud
Common Mistakes
• Failure to maintain proper documentation
• Failure to notify decision makers
• Failure to control digital evidence
• Failure to report the incident in a timely manner
• Underestimating the scope of the incident
• No incident response plan in place
• Technical mistakes
– Altering date and time stampson evidence systems before
recording them
– Killing rogue processes
– Patching the system back together before investigation
– Not recording commands used
– Using untrusted commands and tools
– Overwriting evidence by installing tools

5/12/2015
18
Access to Records
Normal Input Transactions
Changes to Operating System Software
Changes to Application Programs
Physical Substitution of Stored Data
Use of Unauthorized Programs
Changes to / Substitutions of Output
Reports
Polling Question 3

5/12/2015
19
Who Commits Computer
Fraud?
Users
Management
IT Auditors
IT Staff
Outsiders
Collusion
Users
Have access to assets
Have legitimate access to computer
systems
Have adequate (too much?) authority
levels
Know the systems weaknesses
May be responsible for error handling
Account for almost 50% of all computer
fraud

5/12/2015
20
Management
Also have access to assets
Also have legitimate access to computer
systems
May have override authorities
Know the systems weaknesses (Audit
told them)
May be responsible for reconciliations
Are responsible for internal control
Account for some 15% of computer
fraud
IT Auditors
May have access to assets
Have legitimate access to computer
systems
Often have too much authority within
systems
Know the system weaknesses
Account for some 5% of computer fraud

5/12/2015
21
IT Staff
Usually do not have access to assets
except where the data is itself the asset
Should not have access to live systems
but often do
May be able to bypass system controls
May not know of, or be able to affect
user controls
May design / program in fraud
Account for some 3% of computer fraud
Outsiders
Usually have no access to assets
Usually do not know the systems
Cause damage more than fraud
Have the requisite skill levels
Know the environmental weaknesses
Account for less than 1% of computer
fraud
Is a potential growth area

5/12/2015
22
Collusion
Is the hardest to detect / prevent / prove
Access to assets is available
Access to systems is available
Weaknesses are known
Needed authorities are available
Internal control may be exercised by the
very perpetrators
What is Fraud Auditing?
Creation of an environment that encourages the
detection and prevention of fraud in commercial
transactions
Combination of
Audit skills
Computer skills
Criminal-investigative skills
Not a checklist
Includes
Human element
Organizational behavior
Knowledge of fraud
Evidence and standards of proof

5/12/2015
23
Principles of Fraud
Auditing
Less a methodology, more an attitude
Focus is on
Exceptions
Oddities
Accounting irregularities
Patterns of conduct
Primarily learned from experience (think like a thief)
Materiality is not a major issue
Fraud may come at any stage (Input / Processing /
Output)
Most common schemes perpetrated by lower-level
employees
Most common schemes involve disbursements
Most higher-level frauds involve "profit
smoothing"
Deferring expenses
Booking sales too early
Overstating inventory
Kiting sales
Frauds are more often caused by the absence of
controls than by loose controls
Most frauds are found by accident
Fraud losses are growing exponentially
Most effective prevention a combination of
adequate Internal Controls and an ethical climate
Principles of Fraud
Auditing

5/12/2015
24
Fraud Questions?
What is the nature of the system?
Where are the weak links?
What deviations are possible?
Who can access?
Who can authorize?
What is the simplest way to compromise
the system?
Who has bypass capability?
Fraud Auditor's Objective
To determine whether a fraud, theft or
embezzlement has occurred
Is there a criminal law?
Was there an apparent breach of that
law?
Who was the perpetrator?
Who was the victim?
How can it be proven?

5/12/2015
25
Detection Awareness
for the Fraud Auditor
Invitations to theft
High Fraud Environments
Low Fraud Environments
Red Flags and Indicators
Fraud Detection
Control and Overcontrol
Approaches to Fraud
Detection
Reactive
Allegations and Complaints
Suspicions
Intuition
Proactive
Adequate Internal Controls
Periodic Audits
Intelligence gathering
Review of Variances
Logging of Exceptions
Control and Overcontrol

5/12/2015
26
Polling Question 4
EDI and Fraud
What is Electronic Data Interchange
Systems allowing the movement of money with:
Immediate / Same Day Value
- Transaction
Immediate Advisement / Confirmation
- Information
On-line Intra-day Monitoring / Credit
- Credit
Remote, User-friendly Initiation / Reporting
- Access
Full Electronic Audit Trail
- Service
Enhanced Data Security / Disaster Recovery
- Security

5/12/2015
27
What is Forensic Accounting
Forensic "belonging to, used in, or suitable
to courts of judicature or to public
discussion and debate" - Webster
Not always criminally related
Forensic Accounting relates to evidence
suitable for a court of law - either civil or
criminal
Reactive rather than proactive
Forensic accountant deals with
Criminal Complaints
Civil Statements of claim
Corporate Rumors and inquiries
Required of the Forensic
Computer Auditor - 1
A knowledge of accounting
A knowledge of the business sector
A knowledge of the computer systems
Hardware
Software
Operating environment
Threats
Vulnerabilities

5/12/2015
28
Experience and judgment
A knowledge of investigative techniques
A knowledge of evidence
A knowledge of relevant statutes
Required of the Forensic
Computer Auditor - 2
Scope of Forensic Auditing
Not restricted by materiality
Not restricted by Generally Accepted
Accounting Standards
Use of sampling is not generally
acceptable in procuring evidence
Assumption of integrity of management
and documentation
An opinion on the findings may not be
required
Search for "Best Evidence"

5/12/2015
29
Evidence Required
Job role of the suspect
Degree of control normally exercised by the
suspect
Access rights (required and actual)
Knowledge by the suspect of the computer system
Extent of the fraud
Systematic pattern used in covering up the fraud
Financial position of the suspect (motive and
benefit)
If in doubt err on the side of the suspect
Sources of Evidence
and Audit Tools
Non-computer evidence
Computer evidence
Non-computer audit tools and
techniques
Computerized audit tools and
techniques

5/12/2015
30
Non-computer Evidence
System Documentation
Interviews with Users / IS staff
Procedure Manuals
Job Descriptions
Authority Matrices
Security Environment
System Documentation
Flowcharts
Record Layouts
Error Lists
Input Documents
Output Reports
Narrative Descriptions
Clerical Instructions

5/12/2015
31
Additional Documentation
Data Retention Requirements
User Procedure Manuals
User Override Authorities
"UNOFFICIAL" Documentation
Run Logs
Run Schedules
Timesheets
Interviews
Interviews reflect opinions not facts
Many frauds are discovered by tip-off
The "Honest Broker"
Non-verbal clues
Document all Interviews immediately

5/12/2015
32
Polling Question 5
Computer Evidence
Input Documents
Run Logs
Outputs Produced
Output from Audit Tests
Access Logs
Authority Lists

5/12/2015
33
Non-Computer Tools and
Techniques
"ANY TANGIBLE AID"
Tools to obtain information
Interviews
Questionnaires
Analytical audit flowcharts
Flowcharting software
Documentation review
Techniques
"Tools to evaluate controls
Application control cube
IT areas
Components
Threats
Adequate
Inadequate

5/12/2015
34
Techniques
Tools to verify controls
Audit around
Test data
Reperformance of key functions
Reprocess selected items
Computer Tools and
Techniques
Automated tools (CAATS)
Test data generators
Flowcharting packages
Specialized audit software
Generalized audit software
Utility programs
Specialized Audit Software
Can accomplish any audit task but
High development and maintenance cost
Require specific I.S. Skills
Must be "verified" if not written by the auditor
High degree of obsolescence

5/12/2015
35
Computer Tools and
Techniques
Generalized Audit Software
"Prefabricated" audit tests
Each use is a one-off
Auditor has direct control
Lower development cost
Fast to implement
Applications of Generalized
Audit Software
Detective examination of files
Verification of processing controls
file interrogations
Management inquiries
Types of audit software
Program generators
Macrolanguages
Audit-specific tools
Data downloaders
Micro-based software

5/12/2015
36
Audit Software Functions
File access
Format access
Arithmetic operations
Logic operations
Record handling
Update
Output
Statistical
File comparison
Graphics
Legal Evidence and Rules
for Prosecution
What is Evidence?
Rules of Evidence
Legal vs Audit Evidence
Use of Computer Evidence

5/12/2015
37
What is Evidence?
Something intended to prove or support
a belief
Each piece may be flawed
Personal bias
Potential error of measurement
Less competent than desirable
In total the "body of evidence"
Should provide a factual basis for audit
opinions
Standards of Audit Evidence
IIA Standards state that auditors
“should collect, analyze, interpret and
document information to support audit
results"
Information should be
Related to the audit objectives
Pertinent to the scope of work
Systematically gathered

5/12/2015
38
Rules of Evidence
Primarily designed for legal evidence
May have to be complied with in legal
cases
Evidence whose value as proof is offset
by a prejudicial effect may be excluded
The auditor is not normally so restricted
Any evidence
Professional judgment
Until the auditor is satisfied
Legal vs Audit Evidence
Common objective
Provide proof
Foster an honest belief
Different focus
Legalrelies heavily on oral evidence
Auditrelies more on documentary evidence
Legal Evidence must be lawfully
gathered

5/12/2015
39
Relevant Evidence
Evidence regarding
Motive for the crime
Ability of defendant to commit the crime
Opportunity to commit the crime
Threats by the suspect
Means to commit the crime
Evidence linking the suspect to the actual
crime
Suspect's conduct and comments at the time of
arrest
Attempt to conceal User identity
Attempt to destroy evidence
Valid confessions
Chain of Custody
Evidence obtained should be
Marked
Identified
Inventoried
Preserved
If gaps in the chain of custody occur
Evidence may be ruled invalid

5/12/2015
40
Polling Question 6
Reporting Sensitive Issues
Internal Auditor "the eyes and ears of management"
Reporting to legal authorities and media neither
required nor encouraged by IIA
Where such reporting is required by law then IIA
requires compliance
Code of Ethics require loyalty in all matters
pertaining to the operations of the employer except
where in conflict with legal issues
Mandated to report wrongdoings internally as a
minimum
State of Virginia has laws protecting Internal
Auditors from firing for whistle-blowing

5/12/2015
41
From a US Survey of 8000
Employees - 1
Most employees believe reporting wrongdoing
is ethical and morally right
Most employees who observe wrongdoing do
not report it to anyone
Internal auditors whose job entails reporting are
more likely to report wrongdoing
Employees who observe serious, well-
documented, or frequent wrongdoings are
more likely to report it
Employees who observe wrongdoings are more
likely to report when their organization's policies
encourage them to do so
A substantial number, though not a majority, of
employees who report wrongdoing suffer
retaliation of some sort, particularly when the
reporting is externalized
Retaliation is more likely if the wrongdoing is
serious
Internal Auditors suffer retaliation at about the
same rate as other employees, even though they
are mandated to report wrongdoing
From a US Survey of 8000
Employees - 2

5/12/2015
42
Steps in Deciding to Report
Did wrongdoing occur?
Does the wrongdoing require action?
Am I responsible for acting?
What actions are available to me?
Will the benefits of acting outweigh the
costs?
Has previous action proved beneficial to
all parties?
Was my action effective?
Questions?
• Any Questions?
Don’t be Shy!

5/12/2015
43
Coming Up Next
IT AUDIT ADVANCED
1. Advanced IT Audit Risk Analysis for Auditors May 19
2. Advanced IT Audit Securing the Internet May 21
3. Advanced IT Audit IT Security Reviews May 26
4. Advanced IT Audit Performance Auditing of the IT
Function May 28
5. Advanced IT Audit Managing the IT Audit Function June 2
Thank You!
Richard Cascarino, MBA, CIA, CISM, CFE
Richard Cascarino & Associates
970-291-1497
rcasc@rcascarino.com
Jim Kaplan
AuditNet LLC®
800-385-1625
www.auditnet.org
webinars@auditnet.org

It52015 slides

More Related Content

What's hot (20)

Similar to It52015 slides (20)

More from Jim Kaplan CIA CFE (20)

Recently uploaded (20)

It52015 slides