Date post: | 29-May-2018 |
Category: |
Documents |
Upload: | henry-hardoon |
8/9/2019 Computer Auditing(6) Final(3)
Paul Lower and Henry Hardoon 2010
FRAUD DETECTION & CONTROL
COMPUTER BASED FRAUDS
Computer Fraud
Henry Hardoon ACA, FCCA, FAIA, CMC, APM, MIIT
Chartered Accountant & Chartered Management Consultant
COMPUTER BASED FRAUD - CBF
By
Henry Hardoon
Computer fraud is a fraud related to information technology, electronic commerce, etc. Computer fraud, also known as cyber fraud, is increasing rapidly with the increase in use of the internet by people.
CBF - Intro
Top Ten Countries by Count (Perpetrators) in 2009
United States 66.1%; United Kingdom 10.5%; Nigeria 7.5%
Canada 3.1%; China 1.6%; South Africa 0.7%; Ghana 0.6%
Spain 0.6%; Italy 0.5%; Romania 0.5%
CBF - statistics
CBF - statistics
CBF - statistics
Amount Lost by Selected Fraud Type for Individuals Reporting Monetary Loss 2009
Complaint Type | Percentage of Reported Total Loss | Of those who reported a loss, the Average (median) $ Loss per Complaint
Check Fraud | 7.8% | $3,000.00
Confidence Fraud | 14.4% | $2,000.00
Nigerian Letter Fraud | 5.2% | $1,650.00
Computer Fraud | 3.8% | $1,000.00
Non-delivery (merchandise and payment) | 28.6% | $800.00
Auction Fraud | 16.3% | $610.00
Credit/Debit Card Fraud | 4.7% | $223.00
CBF perpetrators - statistics
77.4% were male and 50% resided in one of the following states: California, New York, Florida, Texas, District of Columbia, and Washington. The majority of reported perpetrators (66.1%) were from the United States; however, a significant number of perpetrators were also located in the United Kingdom, Nigeria, Canada, China, and South Africa.
CBF targets - statistics
55.4% were male, nearly half were between the ages of 30 and 50 and one-third resided in one of the four most populated states: California, Florida, Texas, and New York.
A number of complaints came from Canada, United Kingdom, Australia, India, and France.
Males lost more money than females (ratio of $1.69 lost per male to every $1.00 lost per female). This may be a function of both online purchasing differences by gender and the type of fraudulent schemes by which the individuals were victimized.
E-mail (74.0%) and web pages (28.9%) were the two primary mechanisms by which the fraudulent contact took place.
NFA reveals true cost of fraud in UK is £30bn a year
The figures issued by the NFA equate to £621 for every adult in the UK. The report from the agency, set up in October 2008 to take charge of fighting fraud, is the UK's first comprehensive survey into the crime.
CBF Cost to Economy
Computer fraud is any dishonest misrepresentation of fact intended to induce another to do or refrain from doing something which causes loss. In this context, the fraud will result in obtaining a benefit by:
altering computer input in an unauthorized way. This requires little technical expertise and is not an uncommon form of theft by employees altering the data before entry or entering false data, or by entering unauthorized instructions or using unauthorized processes;
CBF - Intro
altering or deleting stored data;
altering or misusing existing system tools or software packages, or altering or writing code for fraudulent purposes. This requires real programming skills and is not common.
Other forms of fraud may be facilitated using computer systems, including bank fraud, identity theft, extortion, and theft of classified information.
CBF - Intro
Common types of computer fraud include:
Establishing phony accounts.
Draining established accounts.
Changing ownership of assets or shipping assets to false addresses.
Purchasing assets for private use.
Creating phantom sales transactions.
Giving individuals personal credentials or rewards they have not earned.
CBF - examples
CBF types
There are various types of computer frauds [also known as cyber frauds], which are as follows:
Hackers [Hacking].
Viruses.
Fraud.
Phreakers.
Data fiddling
Crackers
Violation of privacy, etc.
Every year, huge amounts of funds are generated from illegal activities. These funds are mostly in the form of cash. Section 66 Clause (1) of the Information Technology Act, 2000 defines hacking as follows:
Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.
Hacking
Presently, the most notorious type of computer fraud is the creation of computer viruses.
A virus usually affects numerous computer systems and usually is transferred from one system to another.
A virus may spread through the transfer of disks or any other kind of storage device.
A virus can take a variety of forms. Some types are less harmful; others are dangerous kinds which can corrupt data.
Viruses
Use antivirus software
Use alerts to tell you when antivirus software is out of date
Ensure users are vigilant in downloading files
Prevent users from downloading files
Only load CDs and DVDs from a reputable source or check them on a standalone machine first
Update personnel skills
Viruses - What to do?
Malware, short for malicious software, is software designed to infiltrate a computer system without the owner's informed consent.
Examples - infections that install key-loggers on the PCs of website visitors
Financial institutions are particularly susceptible to keylogging attacks as account numbers and passwords entered at banks' websites can immediately be captured by a keylogger.
YouTube video: key logger scam
Malware
Configure computers correctly
Prepare for the impact of third party application exploits
Maintenance of default configurations
Update personnel skills
Malware - What to do?
Fraud is defined as any behavior by which one person intends to gain a dishonest advantage over another. In other words, fraud is an act or omission which is intended to cause wrongful gain to one person and wrongful loss to the other, either by way of concealment of facts or otherwise.
Fraud
Phreaking is a slang term coined to describe the activity of a subculture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks. As telephone networks have become computerised, phreaking has become closely linked with computer hacking. This is sometimes called the H/P culture (with H standing for Hacking and P standing for Phreaking).
The term "phreak" is a portmanteau of the words "phone" and "freak", and may also refer to the use of various audio frequencies to manipulate a phone system.
Phreaking
Harassment covers a wide range of offensive behavior. It is commonly understood as behavior intended to disturb or upset. In the legal sense, it is behavior which is found threatening or disturbing. Harassment is words, conduct, or actions directed at a specific person that annoy, alarm, or cause a lot of emotional distress for no legitimate purpose.
Harassment
Data Fiddling is the changing of data before or during entry into the computer system. Examples include forging or counterfeiting documents used for data entry and exchanging valid disks and tapes with modified replacements. This kind of attack involves altering the raw data just before it is processed by a computer and then changing it back after the processing is completed.
Data Fiddling
A computer professional who gains illegal access into computers by hacking passwords is known as a cracker. Instead of a hacker/cracker dichotomy, they give more emphasis to a spectrum of different categories, such as white hat (ethical hacking), grey hat, black hat and script kiddie.
Crackers
White hat
A white hat hacker breaks security for non-malicious reasons, for instance testing their own security system.
This type of hacker enjoys learning and working with computer systems, and consequently gains a deeper understanding of the subject. Such people normally go on to use their hacking skills in legitimate ways, such as becoming security consultants. The word 'hacker' originally included people like this, although a hacker may not be someone into security.
Crackers cont
Grey hat
A grey hatted hacker is a hacker of ambiguous ethics and/or borderline legality, often frankly admitted.
Crackers cont
Black hat
A black hat hacker, sometimes called "cracker", is someone who breaks computer security without authorization or uses technology (usually a computer, phone system or network) for vandalism, credit card fraud, identity theft, piracy, or other types of illegal activity.
Crackers cont
Script kiddie
A script kiddie is a non-expert who breaks into computer systems by using pre-packaged automated tools written by others, usually with little understanding. These are the outcasts of the hacker community.
Crackers cont
When an individual wants to keep data or information hidden and for his or her own private use, he or she is said to have kept it private.
Violation of privacy
Red flags are warnings that something could be or is wrong.
Auditors, employees, and management need to be aware of red flags in order to monitor the situation and then take corrective action as needed.
Employees who notice that red flags are ignored may mistakenly believe that it is okay to game the system or that they won't get caught.
A little fraud soon becomes a large one if left to grow.
Importance of Red Flags
What Red flags can you think of?
Red Flags
Employee Red Flags
I. Employee lifestyle changes: expensive cars, jewellery, homes, clothes
II. Significant personal debt and credit problems
III. Behavioural changes: these may be an indication of drugs, alcohol, gambling, or just fear of losing the job
IV. High employee turnover, especially in those areas which are more vulnerable to fraud
V. Refusal to take vacation or sick leave
VI. Lack of segregation of duties in the vulnerable area
Red Flags of computer fraud
Management Red Flags
I. Reluctance to provide information to auditors
II. Managers engage in frequent disputes with auditors
III. Management decisions are dominated by an individual or small group
IV. Managers display significant disrespect for regulatory bodies
Red Flags of computer fraud
Management Red Flags cont...
I. There is a weak internal control environment
II. Accounting personnel are lax or inexperienced in their duties
III. Decentralisation without adequate monitoring
IV. Excessive number of checking accounts
Red Flags of computer fraud
Management Red Flags cont...
I. Frequent changes in banking accounts
II. Frequent changes in external auditors
III. Company assets sold under market value
IV. Significant downsizing in a healthy market
Red Flags of computer fraud
Management Red Flags cont...
I. Continuous rollover of loans
II. Excessive number of year end transactions
III. High employee turnover rate
IV. Unexpected overdrafts or declines in cash balances
Red Flags of computer fraud
Management Red Flags cont...
I. Refusal by company or division to use serial numbered documents (receipts)
II. Compensation program that is out of proportion
III. Any financial transaction that doesn't make sense - either common or business
IV. Service Contracts result in no product
V. Photocopied or missing documents
Red Flags of computer fraud
Changes in Behaviour Red Flags
The following behaviour changes can be Red Flags for Embezzlement:
I. Borrowing money from co-workers
II. Creditors or collectors appearing at the workplace
III. Gambling beyond the ability to stand the loss
IV. Excessive drinking or other personal habits
Red Flags of computer fraud
Changes in Behaviour Red Flags
I. Easily annoyed at reasonable questioning
II. Providing unreasonable responses to questions
III. Refusing vacations or promotions for fear of detection
IV. Bragging about significant new purchases
V. Carrying unusually large sums of money
VI. Rewriting records under the guise of neatness in presentation
Red Flags of computer fraud
Cash/Accounts Receivable
Since cash is the asset most often misappropriated, local government officials and auditors should pay close attention to any of these warning signs.
I. Excessive number of voids, discounts and returns
II. Unauthorized bank accounts
III. Sudden activity in a dormant banking account
Red Flags of computer fraud
Cash/Accounts Receivable cont...
I. Taxpayer complaints that they are receiving non-payment notices
II. Discrepancies between bank deposits and posting
III. Abnormal number of expense items, supplies, or reimbursement to the employee
IV. Presence of employee checks in the petty cash for the employee in charge of petty cash
V. Excessive or unjustified cash transactions
Red Flags of computer fraud
Cash/Accounts Receivable cont...
I. Large number of write-offs of accounts
II. Bank accounts that are not reconciled on a timely basis
Red Flags of computer fraud
Red Flags in Payroll
Red flags that show up in payroll are generally worthy of looking into. Although payroll is usually an automated function, it is a vulnerable area, especially if collusion is involved.
I. Inconsistent overtime hours for a cost centre
II. Overtime charged during a slack period
Red Flags of computer fraud
Red Flags in Payroll cont...
I. Overtime charged for employees who normally would not have overtime wages
II. Budget variations for payroll by cost centre
III. Employees with duplicate Social Security numbers, names, and addresses (UK Only)
IV. Employees with few or no payroll deductions
Red Flags of computer fraud
Red Flags in Purchasing/Inventory
I. Increasing number of complaints about products or service
II. Increase in purchasing inventory but no increase in sales
III. Abnormal inventory shrinkage
IV. Lack of physical security over assets/inventory
Red Flags of computer fraud
Red Flags in Purchasing/Inventory cont...
I. Charges without shipping documents
II. Payments to vendors who aren't on an approved vendor list
III. High volume of purchases from new vendors
IV. Purchases that bypass the normal procedures
Red Flags of computer fraud
Red Flags in Purchasing/Inventory cont...
I. Vendors without physical addresses
II. Vendor addresses matching employee addresses
III. Excess inventory and inventory that is slow to turn over
IV. Purchasing agents that pick up vendor payments rather than have them mailed
Red Flags of computer fraud
Red Flags in other areas
I. Creating fictitious employees and collecting the pay cheques (impersonation)
II. Recording fictitious transactions on the books to cover up theft
III. No supporting documentation for adjusting entries
Red Flags of computer fraud
Red Flags in other areas cont...
I. Incomplete or untimely bank reconciliations
II. Increased customer complaints
III. Write-offs of inventory or cash shortages with no attempt to determine the cause
IV. Unrealistic performance expectations
Red Flags of computer fraud
What is the effect on the business at hand? Sometimes red flags that have no financial impact may not require a change in procedure. Remember though, that a red flag is a warning that something is or could be wrong. If you discover fraud, then an investigation is usually the next step. If it is just an error, then steps should be taken to correct the error and a procedure or follow up should be initiated to prevent it from occurring again.
Red Flags next steps..
Financial analysis has several applications when red flags are present. The most common is to determine what effect it has on the conduct of the local government. For example, what is the potential as well as the historical loss as the result of the red flag? What is the cost to prevent a potential loss from occurring and what will it cost to recoup the identified loss?
Red Flags prevention v costs
How many ways can you think of to control Computer Fraud?
A resources problem?
A people problem?
A systems problem?
A culture problem?
A country problem?
A global problem?
Controlling CBF
Auditing around the computer
Henry Hardoon ACA, FCCA, FAIA, CMC, APM, MIIT
Chartered Accountant & Chartered Management Consultant
Internal auditing involves:
A review of the reliability and integrity of financial and operating information
A review of the controls employed to safeguard assets
An assessment of employees' compliance with management policies, procedures and applicable laws and regulations
An evaluation of the efficiency and effectiveness with which management achieves its organizational objectives.
Evaluating the effectiveness of existing policies, procedures and controls.
Using auditors to control CBF
For internal audits to be effective, it is important to have a competent internal audit department
Training Computer Auditors
Training of computer auditors is seen as a perennial problem within the profession. The questionnaire sought to establish how computer audit skills are achieved. On-the-job experience was rated most important, with professional examinations being considered least important of the six methods specified on the questionnaire.
Using auditors to control CBF cont
For internal audits to be effective, it is important to have a competent internal audit department
Training Internal auditors
The AICPA's new audit standard on fraud, SAS No. 82, is designed to help auditors detect material fraud resulting from fraudulent financial reporting and misappropriation of assets and also to clarify for users and practitioners the auditors' responsibilities for detecting fraud.
Using auditors to control CBF cont
Provide training to directors and senior managers on how to identify and monitor these fraud risks and handle fraud situations.
Provide training to company employees on how to identify, communicate and handle uncovered fraudulent activities.
Using staff and management to control CBF
Develop formal guidelines concerning the actions to be taken against the perpetrator of a computer fraud.
All dishonest acts should be investigated, and the guilty should be prosecuted and dismissed immediately. The very existence of these policies deters fraud and enhances internal control.
Using effective deterrents to control CBF
Computer Fraud: A People Problem?
If organisations are to counter computer fraud, they must adopt suitable personnel procedures to deter computer crime.
The most important consideration is to hire and retain honest people.
Selecting employees with high integrity. Companies should have an applicant fill out a written application, solicit resumes and letters of reference, and obtain credit bureau reports on the applicant.
Using HR to control CBF
Auditing with the Computer
Henry Hardoon ACA, FCCA, FAIA, CMC, APM, MIIT
Chartered Accountant & Chartered Management Consultant
Computer programs (interrogation software) have been developed that identify red flags of computer fraud and can even quantify it.
As early as 1982, CAATs were a powerful audit tool for detecting financial errors.
In the last 10 years, use of CAATs has become standard practice.
Audit software permits auditors to obtain a quick overview of the business operations and drill down into the details of specific areas of interest.
CAATs can perform 100% at minimal costs
Allows continuous monitoring
Using CAATs to control CBF
Some examples of routines that can identify red flags include:
No of complaints
Computer-based comparisons of object and source versions
Lots of deleted transactions
Lots of Journals
No of transactions per month
Using CAATs to control CBF
Some examples of routines that can identify red flags include:
comparing actual vs. budgeted expenditures to determine unusual patterns;
duplicate or non-existent Social Security numbers for employees or vendors;
comparing employee addresses with vendor addresses to identify employees that are also vendors;
searching for duplicate check numbers to find photocopies of company checks;
Using CAATs to control CBF
Some examples of routines that can identify red flags include:
searching for vendors with post office boxes for addresses;
analyzing the sequence of all transactions to identify missing checks or invoices;
identifying vendors with more than one vendor code or more than one mailing address;
Unusual patterns of overtime payments;
Using CAATs to control CBF
Some examples of routines that can identify red flags include:
finding several vendors with the same mailing address;
sorting payments by amount to identify transactions that fall just under financial control or contract limits;
patterns such as negative entries in inventory received fields;
voided transactions followed by "No Sale";
or a high percentage of returned items.
Using CAATs to control CBF
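Several of the routines listed above, written out in Python as an added example (not code from the original slides or from any audit package). The employee, vendor and payment records, the 5,000.00 approval limit and the 5% "just under" band are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records for illustration (not data from the slides).
EMPLOYEES = [
    {"id": "E01", "address": "12 High Street, Leeds"},
    {"id": "E02", "address": "7 Mill Lane, York"},
]
VENDORS = [
    {"code": "V100", "address": "1 Dock Road, Hull"},
    {"code": "V200", "address": "7 Mill Ln., York"},
    {"code": "V300", "address": "P.O. Box 44, Leeds"},
    {"code": "V400", "address": "1 Dock Rd, Hull"},
]
PAYMENTS = [
    {"check_no": 1001, "vendor": "V100", "amount": 1200.00},
    {"check_no": 1002, "vendor": "V200", "amount": 4990.00},
    {"check_no": 1002, "vendor": "V300", "amount": 310.50},
    {"check_no": 1005, "vendor": "V200", "amount": 4950.00},
    {"check_no": 1006, "vendor": "V400", "amount": 5200.00},
]
APPROVAL_LIMIT = 5000.00  # assumed authorisation limit
NEAR_LIMIT_BAND = 0.05    # assumed: "just under" means within 5% below the limit

_ABBREVIATIONS = {"street": "st", "road": "rd", "lane": "ln", "avenue": "ave"}
_PO_BOX = re.compile(r"\b(?:p ?o|post office) box\b")


def normalise_address(address):
    """Lower-case, drop punctuation and collapse common street abbreviations."""
    words = re.sub(r"[^a-z0-9 ]", " ", address.lower()).split()
    return " ".join(_ABBREVIATIONS.get(w, w) for w in words)


def vendors_at_employee_addresses(employees, vendors):
    """(vendor code, employee id) pairs that share a normalised address."""
    by_address = defaultdict(list)
    for emp in employees:
        by_address[normalise_address(emp["address"])].append(emp["id"])
    return [(v["code"], emp_id) for v in vendors
            for emp_id in by_address.get(normalise_address(v["address"]), [])]


def vendors_sharing_address(vendors):
    """Groups of vendor codes registered at the same normalised address."""
    groups = defaultdict(list)
    for v in vendors:
        groups[normalise_address(v["address"])].append(v["code"])
    return sorted(codes for codes in groups.values() if len(codes) > 1)


def po_box_vendors(vendors):
    """Vendors whose only address is a post office box."""
    return [v["code"] for v in vendors
            if _PO_BOX.search(normalise_address(v["address"]))]


def duplicate_check_numbers(payments):
    """Check numbers used on more than one payment."""
    counts = Counter(p["check_no"] for p in payments)
    return sorted(n for n, c in counts.items() if c > 1)


def missing_check_numbers(payments):
    """Gaps in the check number sequence between the lowest and highest used."""
    numbers = {p["check_no"] for p in payments}
    if not numbers:
        return []
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]


def payments_just_under_limit(payments, limit=APPROVAL_LIMIT, band=NEAR_LIMIT_BAND):
    """Payments sorted by amount (largest first) that sit just below the limit."""
    floor = limit * (1 - band)
    ordered = sorted(payments, key=lambda p: p["amount"], reverse=True)
    return [p["check_no"] for p in ordered if floor <= p["amount"] < limit]


def run_routines():
    """Run every routine over the sample data and collect the hits."""
    return {
        "vendor at employee address": vendors_at_employee_addresses(EMPLOYEES, VENDORS),
        "vendors sharing an address": vendors_sharing_address(VENDORS),
        "vendors with PO box": po_box_vendors(VENDORS),
        "duplicate check numbers": duplicate_check_numbers(PAYMENTS),
        "missing check numbers": missing_check_numbers(PAYMENTS),
        "just under approval limit": payments_just_under_limit(PAYMENTS),
    }


if __name__ == "__main__":
    for name, hits in run_routines().items():
        print(f"{name}: {hits}")
```

Address matching only works after normalisation: "7 Mill Lane" and "7 Mill Ln." compare equal here, but would be missed by an exact string comparison.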
Using computer controls to control CBF cont
Another simple digital analysis technique is to search for invoices with even sterling/dollar amounts, such as 200.00 or 5,000.00. The existence of particular even amounts may be a symptom of fraud and should be examined.
Case Study: Even Amounts
Travel expenses had always been a concern for the auditors of X Company since it was an area where the controls were weak. Employees had a maximum per diem rate when travelling but had to submit receipts to cover the actual expenses. Maximums were also established for meals: breakfast $10.00, lunch $20.00, dinner $30.00, and hotel lodging $100.00. The auditors configured the audit software to identify meal expenses that were multiples of $10.00. These transactions were compared to receipts to ensure that the amounts expensed were appropriate. A detailed review determined that many travelers were charging the maximum rates for meals even though their receipts did not justify the amounts.
Using computer controls to control CBF cont
Case Study: Doctored Bills
The auditors reviewed the patient billing system at Company Y to determine if the appropriate charges were being assessed by health care providers. An initial analysis of the data was performed to calculate the ratio of the highest and lowest charges for each procedure. A judgment was made that those procedures with a max/min ratio of greater than 1.30 be noted and subjected to additional review. For a particular quarter, three procedures had ratios higher than 1.30, the highest being 1.42. A filter was used to identify the records related to the three procedures in question, and additional analysis was performed. This quickly determined that one doctor was charging significantly more than the other doctors for the same procedures. A comparison of charges from the billing system with payments in the accounts receivable system revealed that the doctor was skimming off the patient payments. The amount recorded in the receivable system was in line with the usual billing amount for the procedures. The doctor was unable to justify the higher prices or explain the difference in the billing and the receivable systems.
Using computer controls to control CBF cont
Case Study: Contracting Kickbacks
Jonathan, one of the contracting officers, had devised a great win/win kickback scheme. The auditors decided to use digital analysis as part of their review of the contracting section. One of the analyses calculated the total contract amount by supplier for each of the past two years. A ratio of current year to previous year was calculated and the minimum, maximum, average, and highest and lowest five ratios were displayed. While the average was close to 1.0, the highest and lowest five values showed that some companies had significant decreases in business, while others had experienced significant increases in business.
The auditors reviewed the details of all companies that had a ratio of less than 0.7 or more than 1.30. For companies with an increase in business, the results revealed that Jonathan had raised many of the contracts and he had raised no contracts with the companies that had seen a decrease in business. Salesmen said that they were told they would only get business if they paid Jonathan a kickback.
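The three digital analysis tests from the case studies above (even amounts, max/min charge ratio per procedure, and year-on-year contract ratio by supplier), as an added Python example that is not part of the original slides. All records, names and years are constructed; the thresholds (multiples of 10, 1.30, 0.7) are the ones quoted in the case studies.

```python
from collections import Counter, defaultdict

# Constructed sample data for illustration only.
MEAL_CLAIMS = [  # (claim id, meal, amount claimed)
    ("T1", "lunch", 20.00), ("T2", "dinner", 27.35), ("T3", "breakfast", 10.00),
    ("T4", "dinner", 30.00), ("T5", "lunch", 14.80),
]
BILLING = [  # (procedure, doctor, charge)
    ("P10", "Dr A", 100.0), ("P10", "Dr B", 104.0), ("P10", "Dr C", 142.0),
    ("P20", "Dr A", 250.0), ("P20", "Dr B", 260.0), ("P20", "Dr C", 255.0),
]
CONTRACTS = [  # (supplier, year, contracting officer, amount)
    ("Alpha", 2008, "officer-1", 100000), ("Alpha", 2009, "officer-1", 98000),
    ("Bravo", 2008, "officer-1", 80000), ("Bravo", 2009, "officer-1", 40000),
    ("Charlie", 2008, "officer-1", 50000), ("Charlie", 2009, "officer-2", 60000),
    ("Charlie", 2009, "officer-2", 30000),
    ("Delta", 2008, "officer-2", 60000), ("Delta", 2009, "officer-1", 63000),
]


def even_amount_claims(claims, multiple=10):
    """Claims whose amount is an exact multiple of `multiple` currency units."""
    step = multiple * 100  # compare in whole cents to avoid float error
    return [cid for cid, _meal, amount in claims
            if round(amount * 100) % step == 0]


def max_min_ratios(billing):
    """Highest charge divided by lowest charge, per procedure."""
    charges = defaultdict(list)
    for procedure, _doctor, charge in billing:
        charges[procedure].append(charge)
    return {p: round(max(c) / min(c), 2)
            for p, c in charges.items() if min(c) > 0}


def outlier_procedures(billing, threshold=1.30):
    """Procedures over the ratio threshold, with the doctor charging the most."""
    flagged = {}
    for procedure, ratio in max_min_ratios(billing).items():
        if ratio > threshold:
            top = max((row for row in billing if row[0] == procedure),
                      key=lambda row: row[2])
            flagged[procedure] = (ratio, top[1])
    return flagged


def supplier_ratios(contracts, previous, current):
    """Current-year total divided by previous-year total, per supplier."""
    totals = defaultdict(lambda: defaultdict(float))
    for supplier, year, _officer, amount in contracts:
        totals[supplier][year] += amount
    return {s: round(t[current] / t[previous], 2)
            for s, t in totals.items() if t.get(previous)}


def flagged_suppliers(contracts, previous, current, low=0.7, high=1.30):
    """Suppliers whose business fell below `low` or rose above `high`."""
    ratios = supplier_ratios(contracts, previous, current)
    return {s: r for s, r in ratios.items() if r < low or r > high}


def officers_behind_increases(contracts, previous, current, high=1.30):
    """Current-year contract count per officer, for suppliers that grew."""
    ratios = supplier_ratios(contracts, previous, current)
    grew = {s for s, r in ratios.items() if r > high}
    return Counter(officer for supplier, year, officer, _amount in contracts
                   if year == current and supplier in grew)


if __name__ == "__main__":
    print("even-amount claims:", even_amount_claims(MEAL_CLAIMS))
    print("procedures over 1.30:", outlier_procedures(BILLING))
    print("suppliers outside 0.7-1.30:", flagged_suppliers(CONTRACTS, 2008, 2009))
    print("officers on growing suppliers:",
          dict(officers_behind_increases(CONTRACTS, 2008, 2009)))
```

Each test only produces a review list: the flagged claims, procedures and suppliers still have to be compared with receipts, receivable records and contract files, as the auditors in the case studies did.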
Carrying out more frequent audits
A second technique for minimizing fraud risk is to intensify internal audits. Most crimes go undetected and often last for some time before being discovered. One way to increase the likelihood of detecting fraud is to conduct more frequent internal audits [7,10]. Internal auditors can provide an independent appraisal of the effectiveness of internal controls and the quality of managerial performance in carrying out assigned responsibilities.
Using auditors to control CBF
The use of risk analysis in the prevention of computer fraud is important. There should be control procedures over staff in high-risk areas:
Prevent staff from working out periods of notice
Compel staff to take holidays (it is important that all employees who have custody of assets or are responsible for sensitive record keeping or authorization functions take an annual vacation).
Make use of special vetting or periodic job rotation among key employees.
Firms should not place a high level of trust in their employees who operate in high-risk areas.
Using risk analysis to control CBF
Computer controls
Henry Hardoon ACA, FCCA, FAIA, CMC, APM, MIIT
Chartered Accountant & Chartered Management Consultant
Computer controls are of two kinds: physical access controls and logical access controls. Physical access controls have to do with physical security measures taken to protect the computer, for example, keeping the computer in a locked room.
Logical access controls are those measures taken to limit the use of the computer and its resources. More information on computer controls can be found on this website: http://www.isaca.org. They have sections that can be accessed by non-members or, better still, you can register with them to get more benefit.
Using computer controls to control CBF
Physical access controls
Lock and Key
CCTV
Biometric Web Based systems
Using Physical access controls to control CBF
Logical access controls
Biometric Web Based systems
Passwords
Access rights
Using Logical access controls to control CBF
Spyware gets onto your system through the manipulation of a technology called ActiveX
Use software to stop spyware (which is often used in computer fraud)
Use software to automatically block malicious ActiveX, which hackers and identity thieves will use to gain entrance to your PC and commit computer fraud.
Using computer controls to control CBF
Spyware gets onto your system through the manipulation of a technology called ActiveX
Use software to designate which websites get certain privileges.
Use software to intercept malicious file downloads
Use software to warn of dangerous Web sites
Use software to force changes in passwords periodically
Use software like FraudBreaker that captures your transaction data and performs real-time checks on a wide range of risk factors.
Using computer controls to control CBF cont
FraudBreaker allows you to:
Assign weight factors to all the risk elements you configure FraudBreaker to check. FraudBreaker then measures and correlates all individual risk scores and calculates the overall risk factor on your transactions.
Set up rules that allow you to correlate fraud elements with AND-OR-NOT logic
Set up accept/reject/manual review thresholds
Configure blacklists and whitelists
And get detailed reports and statistics as a spreadsheet for custom analysis.
http://www.fraudbreaker.com/fraudbreaker-hosted-fraud-detection-software
Using computer controls to control CBF cont
Input/output reconciliations
Installation review
Test packs
Using substantive testing to control CBF
Embedded Audit Modules are utilised to monitor ongoing processes and to discreetly alert internal auditors to possible irregularities, errors or weak areas.
These include:
i. Snapshots: This technique involves taking a picture of a transaction as it flows through the computer systems. Audit software routines are embedded at different points in the processing logic to capture images of the transaction as it progresses through the various stages of the processing. Such a technique permits auditors to track data and evaluate the computer processes applied to the data.
Using Embedded audit facilities
These include:
ii. System Control Audit Review File: This involves embedding audit software modules within an application system to provide continuous monitoring of the system's transactions. The information is collected into a special computer file that the auditors can examine.
Using Embedded audit facilities
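Both embedded audit techniques, snapshots and the System Control Audit Review File (SCARF), are shown together in the added example below, which is not part of the original slides. The payment pipeline, field names, amount limit and selection criteria are assumptions, and an in-memory buffer stands in for the auditors' file.

```python
# Added illustration: the pipeline, field names and selection criteria are assumed.
import copy, io, json

class EmbeddedAudit:
    def __init__(self, tagged_ids, scarf_file, amount_limit=10_000):
        self.tagged = set(tagged_ids)     # transactions the auditor wants traced
        self.scarf_file = scarf_file      # SCARF file, readable by auditors only
        self.amount_limit = amount_limit
        self.snapshots = []               # (stage, image of the transaction)

    def snapshot(self, stage, tx):
        """Snapshot: keep an image of a tagged transaction at this stage."""
        if tx["id"] in self.tagged:
            self.snapshots.append((stage, copy.deepcopy(tx)))

    def review(self, tx):
        """SCARF: record every transaction that meets the auditor's criteria."""
        reasons = []
        if tx["amount"] >= self.amount_limit:
            reasons.append("amount_over_limit")
        if tx["entered_by"] == tx["approved_by"]:
            reasons.append("self_approved")
        if reasons:
            record = {"id": tx["id"], "amount": tx["amount"], "reasons": reasons}
            self.scarf_file.write(json.dumps(record) + "\n")

def process(tx, audit):
    """Payment processing with audit routines embedded between the stages."""
    audit.snapshot("input", tx)
    tx["amount"] = round(tx["amount"] * tx.get("fx_rate", 1.0), 2)  # currency conversion
    audit.snapshot("converted", tx)
    tx["status"] = "posted"
    audit.snapshot("posted", tx)
    audit.review(tx)

def run(batch, tagged_ids):
    scarf = io.StringIO()                 # stands in for the protected audit file
    audit = EmbeddedAudit(tagged_ids, scarf)
    for tx in copy.deepcopy(batch):       # leave the caller's records untouched
        process(tx, audit)
    return audit.snapshots, [json.loads(line) for line in scarf.getvalue().splitlines()]

BATCH = [  # constructed sample transactions
    {"id": "T1", "amount": 250.0, "entered_by": "ann", "approved_by": "bob"},
    {"id": "T2", "amount": 9000.0, "fx_rate": 1.25, "entered_by": "cat", "approved_by": "dan"},
    {"id": "T3", "amount": 40.0, "entered_by": "eve", "approved_by": "eve"},
]
```

With T2 tagged, the snapshots show the amount entering below the limit and leaving the conversion stage above it, which is why T2 also lands in the SCARF records.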
A lack of formal procedures specifically designed to combat computer fraud appears to leave many organizations relatively unprepared and unprotected.
Employees should know the rules and standards required by the company. The company should prepare clearly stated policies that explicitly describe honest and acceptable behaviour, covering all issues from conflicts of interest to the acceptance of gratuities.
Defining and documenting a company ethic/fraud policy addressing company expectations from employees, customers, suppliers and stakeholders.
Setting up formal procedures to control CBF
The most effective internal control is to segregate tasks among employees so that no single employee can both perpetrate and conceal a fraud or an unintentional error. In particular, the authorization, recording and custody of assets functions must be separated to effectively segregate the duties.
Using segregation of duties to control CBF
In highly integrated computer-based accounting information systems, procedures that might otherwise be performed by separate individuals may be combined within the computer processing function. Any person who has unrestricted access to the computer can both perpetrate and conceal fraud.
Using segregation of duties to control CBF
Authority and responsibility must be clearly divided among the following functions:
Application systems analysis and programming
Computer operations
Systems programming
Transaction authorization
File library maintenance and data control.
With an effective separation of duties, it will be difficult for an employee to embezzle funds.
Using segregation of duties to control CBF
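A segregation-of-duties review can be run over an access-rights extract and an activity log, as in the added example below (not part of the original slides). The function identifiers, record layouts and sample data are assumptions; the first check covers the five functions listed above, the second the authorization, recording and custody duties.

```python
# Added illustration: segregation-of-duties review over constructed data.
from collections import defaultdict
from itertools import combinations

# Assumed identifiers for the five functions the slide says must be divided.
FUNCTIONS = {"app_programming", "computer_operations", "systems_programming",
             "transaction_authorization", "library_and_data_control"}

def entitlement_conflicts(grants):
    """grants: iterable of (user, function). Returns {user: [conflicting pairs]}."""
    held = defaultdict(set)
    for user, function in grants:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function: {function}")
        held[user].add(function)
    return {u: list(combinations(sorted(f), 2)) for u, f in held.items() if len(f) > 1}

def activity_conflicts(events):
    """events: (txn_id, user, duty), duty in authorize/record/custody.
    Returns {txn_id: {user: duties}} where one user performed two or more duties."""
    per_txn = defaultdict(lambda: defaultdict(set))
    for txn_id, user, duty in events:
        per_txn[txn_id][user].add(duty)
    findings = {}
    for txn_id, users in per_txn.items():
        bad = {u: sorted(d) for u, d in users.items() if len(d) > 1}
        if bad:
            findings[txn_id] = bad
    return findings

# Constructed access-rights extract and activity log
GRANTS = [("ann", "app_programming"), ("bob", "computer_operations"),
          ("cat", "transaction_authorization"), ("bob", "app_programming"),
          ("dan", "library_and_data_control")]
EVENTS = [("PO-1", "cat", "authorize"), ("PO-1", "eve", "record"),
          ("PO-1", "fay", "custody"), ("PO-2", "cat", "authorize"),
          ("PO-2", "cat", "record"), ("PO-2", "fay", "custody")]
```

The entitlement check finds standing conflicts before anything happens; the activity check catches cases where duties were combined in practice even though the access rights looked clean.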
Effective supervision (a) assists employees engaged in operating or data processing tasks, (b) monitors the effectiveness with which employees carry out their assigned tasks and (c) safeguards assets by watching over employees who have access to assets. Supervision is an important means of control in organizations that are too small to afford adequate separation of duties for internal control purposes.
Supervision to control CBF
Control procedures are preventive, detective or corrective in nature. Preventive controls are the most important, because they eliminate problems before they occur. Many control problems can be prevented by hiring honest, well-trained individuals, appropriately segregating duties, effectively controlling physical access to facilities, utilizing well-designed documents and authorizing transactions.
Using internal controls to control CBF
Detective controls discover problems after they arise and include double checking calculations, periodic performance reporting that highlights variances between actual and standard costs, reporting past due accounts or out-of-stock inventory items, preparing bank reconciliations and verifying the use of pre-numbered documents. Detective control procedures are a necessary part of any effective control system because all potential control problems cannot be prevented.
Using internal controls to control CBF
Corrective controls remedy problems discovered by detective controls. They include procedures to identify the cause of a problem, correct errors arising from the problem and modify the system so that future errors may be minimized or eliminated. One such procedure is to maintain backup copies of key transaction and master files so that damaged or destroyed files can be restored.
Using internal controls to control CBF
Enron happened because of individual and collective greed: the company, its employees, analysts, auditors, bankers, rating agencies and investors didn't want to believe the company looked too good to be true.
Corporate Culture FACT
Management's attitude toward internal control can be a very important fraud deterrent.
Statements and actions by management become apparent to all members of the organization.
If management considers internal control to be important, other members of the organization will strive harder to adhere to control policies and procedures in order to accomplish the organization's objectives.
Fraud is much less likely to occur in an environment where company employees believe that security is everyone's business.
Setting up a culture to control CBF
The ethical values of an organization play an important role in both detecting and minimizing the occurrences of fraudulent activities.
Assist senior management in the development and establishment of a policy to encourage the reporting of fraudulent activities and protect the 'whistleblowers'.
Setting up a culture to control CBF
Many companies incorporate their key ethical values into a formal policy document, typically referred to as a code of ethics or code of conduct. Establishing and communicating such a code is an excellent way to ensure that employees and business associates understand the corporate values and the expected behaviors in support of those values. Communicating this code often includes training programs that further articulate the conduct and behaviors expected of all company employees and, in many cases, of those who do business with the company.
Setting up a culture to control CBF
Set up an independent committee to set up the code
Setting up a culture to control CBF cont
A code of ethics or code of conduct commonly includes specific segments that address:
Behaving with honesty and integrity.
Complying with laws and regulations.
Disclosing/reporting conflicts of interest.
Maintaining confidentiality of information.
Receiving or giving gifts.
Reporting instances of company code violations.
Using company assets and resources.
What's in a code of ethics
Corporate practices to prevent employee fraud include hiring and retaining honest individuals.
The company should consistently recognize and publicly reward honesty. A high standard of integrity accompanied by a policy of recognition and rewards will reduce the temptation to commit fraud.
Reward honesty to control CBF
Thank you!