CSA Sentinel - The Institute Of Internal Auditors  


PUBLISHED BY THE INSTITUTE OF INTERNAL AUDITORS
Volume 8 · No. 2 · June 2004

Detecting Fraud in the Information Age

Patrick Taylor
President and CEO
Oversight Technologies
Atlanta, Ga.

As more internal auditors become involved in technology-related enterprise risk management, many are considering the benefits of continuous transaction monitoring and analysis to test internal controls and detect fraud.

The advent of enterprise resource planning (ERP) applications and e-commerce have streamlined many business processes, reducing overhead and improving productivity. However, the technology that drives business in the digital world has also created a new level of corporate fraud, as corporate insiders are becoming savvy at manipulating it. In addition to eliminating the audit paper trail, new technologies have also increased the number of employees accessing corporate systems, which opens the door for insider deceit, theft, and fraud. To combat these issues, management and internal auditors can perform real-time continuous transaction monitoring and analysis to identify suspicious activity that may indicate internal fraud, misuse, and errors. The technology's quick and decisive responses can help reduce the risk of loss.

Internal auditors who understand the growing risk of systems-based fraud also recognize their role in meeting the accompanying audit challenges and regulatory requirements. In conjunction with their company's risk management process, internal auditors in progressive organizations are deploying solutions for continuous transaction monitoring, empowering the auditors to reduce their dependence on sampling-based audits and dedicate more of their time to investigating suspicious transactions flagged by the system.

Fraud From the Inside

While Internet-related hackers make news headlines for disrupting business, stealing intellectual assets, and putting personal information at risk, internal computer fraud remains a dirty little secret of many businesses. Industry experts agree that 60 percent to 70 percent of the financial losses suffered as a result of computer crime come at the hands of authorized insiders, draining from 1 percent to 6 percent of an enterprise's total revenue.

Organizations have historically focused on perimeter defenses, such as network firewalls and virtual private networks, to keep unauthorized outsiders from accessing internal systems. However, reports from Gartner, Yankee Group, and other national research organizations continually point toward authorized insiders as the biggest threat to real financial loss in businesses and government organizations.

Most enterprises don't have to look far to find examples of potential fraud in their business. Systems-based fraudulent schemes can include:

  • Fictitious employees on the payroll.
  • False — or ghost — vendors that invoice the organization for payment.
  • Accounts payable tampering to redirect payments.
  • Overpayments, duplicate payments, missing allowances.
  • Fabricated commissions.
  • Fictitious invoices, refunds, or expense claims from valid vendors, customers, or employees.

When reviewing purchasing transactions, for example, traditional fraud detection involves looking for vendors with similar billing addresses to those of employees. However, an employee with authorized system access can create a ghost vendor account with an unsuspicious address and then, just before the check-print batch run is processed, go into the system to alter the billing address. After the checks are printed, the employee goes back into the system and re-enters the original credible address.

Finding evidence of fraud committed by employees who know how to cover their tracks is often difficult. As users become familiar with a system, they figure out the logic behind it and learn how to beat it, a practice known among business-system hackers as "gaming the system." Authorized insiders also often circumvent internal controls to bypass inefficient processes. Although this flexibility may be good for boosting productivity, it opens the door for misuse by overriding approvals, creating duplicate accounts, or introducing systems-based errors.

Misuse and abuse of the system often create an opportunity for other less-moral insiders to commit fraud. For example, if an employee sees that an invoice is paid twice or that a single invoice is booked twice without detection or correction, he or she may capitalize on the opportunity to commit fraud by routing the second payment for personal benefit.

As the number of transactions has increased dramatically with automated systems and businesses link more system information with vendors, suppliers, and contractors, fraud has the potential to pervade an enterprise in unforeseen places.

Maintaining Controls

To identify and prevent fraud, organizations are increasingly reliant upon the built-in controls of their ERP applications. However, these controls often come with a lot of baggage. Built-in segregation of duties controls, for example, can protect a company by enforcing a procedure that does not allow the same person to approve an invoice and its related payment voucher. These control functions can be incredibly detailed; maintaining and updating them is often overlooked and viewed as a heavy burden that few organizations are willing to undertake. Keeping up with new users, eliminating old users, and adding new roles for existing users can be a daunting task.

Any individual familiar with internal business processes represents a significant threat. Because a large percentage of computer crimes involve insiders with access to key data transactions, internal auditors are tasked with identifying vulnerabilities within the business systems. Unfortunately, management often overrules the resulting audit recommendations for more stringent system controls, either because the direct costs of implementing and maintaining those controls outweigh the benefits or because the controls introduce unwelcome inefficiencies.

Benefits of Continuous Transaction Monitoring

Continuous transaction monitoring can help assess the effectiveness of system-based controls and complement existing system-generated exception reports. Typical assessments involve examining 100 percent of selected types of transactions to determine whether or not they comply with defined controls. The assessments can also determine if transactions exist for which no controls have been implemented. Internal auditors, empowered with more comprehensive ammunition regarding anomalies, errors, and exceptions, can help determine the related control weaknesses and can provide management with more meaningful audit recommendations.

Recently enacted federal legislation introduces requirements related to the financial losses from systems-based fraud. In particular, the U.S. Sarbanes-Oxley Act of 2002 requires many businesses to rethink their internal controls. Section 302 of Sarbanes-Oxley requires public companies to disclose significant internal control deficiencies, whereas Section 404 outlines specific requirements for managers to document the effectiveness of internal controls on financial reporting. Although most organizations are working to meet these requirements, they must also provide a process to continually assess the effectiveness of these documented controls. Continuous transaction monitoring, one solution to this need, suggests four key requirements to effective oversight:

  • Continuous transaction monitoring must be conducted independent of operations so that users cannot figure out how to game the system.
  • Transaction monitoring solutions must access information from the ERP system in real time so that ERP users do not have an opportunity to cover their tracks. Without a paper trail, transaction monitoring must produce inalterable data detailing the fraudulent act.
  • Transaction monitoring should analyze all elements of the transaction.
  • A minimal number of financial and IT personnel should have administrative privileges to the transaction incident monitoring system to reduce the risk of a guilty party deleting alerts and forensic information.

With vigilance over all transactions within a business system, continuous transaction monitoring can be used to recognize the context of a transaction and cross-reference outside data sources. By flagging the transaction — for example, a mailing address that is altered just before payment — and comparing information from various systems, such as Dun & Bradstreet vendor numbers and human resource applications, continuous transaction monitoring builds a case of evidence for internal auditors to pursue.

Continuous transaction monitoring can also help businesses identify transaction errors. For example, a telecommunications company was contacted by one of its vendors to report that the company sent duplicate payments for a single $500,000 invoice. Transaction monitoring allows an enterprise to understand holes in its system and eliminate costly errors.
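As an added illustration that is not part of the original article or of any vendor's product, the following Python sketch applies two of the checks described above to a constructed audit log: a vendor address altered shortly before a check-print run and restored afterward, and a single invoice paid twice to the same vendor. The record layout, field names, timestamps, user names and vendor ids are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from any real ERP): a vendor-master change log,
# the times of check-print batch runs, and the payments those runs produced.
VENDOR_CHANGES = [  # (timestamp, user, vendor_id, field, old_value, new_value)
    ("2004-05-03 09:12", "jdoe", "V1001", "address", "12 Main St", "99 Side Rd"),
    ("2004-05-03 16:40", "jdoe", "V1001", "address", "99 Side Rd", "12 Main St"),
    ("2004-05-10 11:00", "asmith", "V2002", "address", "1 Oak Ave", "5 Elm Ave"),
]
CHECK_RUNS = ["2004-05-03 12:00", "2004-05-10 12:00"]
PAYMENTS = [  # (timestamp, vendor_id, invoice_no, amount)
    ("2004-05-03 12:05", "V1001", "INV-77", 500000.00),
    ("2004-05-03 12:06", "V1001", "INV-77", 500000.00),
    ("2004-05-10 12:05", "V2002", "INV-80", 1200.00),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def flag_reverted_address_changes(changes, check_runs, window=timedelta(hours=24)):
    """Flag a vendor address changed within `window` before a check run and
    set back to its original value within `window` after that run."""
    by_vendor = defaultdict(list)
    for ts, user, vendor, field, old, new in changes:
        if field == "address":
            by_vendor[vendor].append((_ts(ts), user, old, new))
    runs = [_ts(r) for r in check_runs]
    alerts = []
    for vendor, evs in by_vendor.items():
        evs.sort()
        for i, (t0, user, old0, _) in enumerate(evs):
            for t1, _, _, new1 in evs[i + 1:]:
                if new1 != old0:  # later change does not restore the pre-run value
                    continue
                for run in runs:
                    if t0 <= run <= t1 and run - t0 <= window and t1 - run <= window:
                        alerts.append({"vendor": vendor, "user": user,
                                       "changed": t0.isoformat(sep=" "),
                                       "reverted": t1.isoformat(sep=" "),
                                       "check_run": run.isoformat(sep=" ")})
    return alerts

def flag_duplicate_payments(payments):
    """Flag the same invoice number paid more than once to the same vendor."""
    paid = defaultdict(list)
    for _, vendor, invoice, amount in payments:
        paid[(vendor, invoice)].append(amount)
    return [{"vendor": v, "invoice": inv, "count": len(a), "total": sum(a)}
            for (v, inv), a in paid.items() if len(a) > 1]
```

Vendor V2002's address change is not flagged because it is never reverted; a monitoring rule that alerted on every change would bury the address-swap pattern in routine maintenance noise.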

Benefits Versus Costs

In most cases, continuous transaction monitoring directly benefits the bottom line. For every instance of fraud or error that is identified, transaction oversight proves its value. Through diligent maintenance and documentation, it can also reduce the time and costs of implementing the requirements of regulatory compliance.

As technology continues to streamline internal business processes, enterprises should evaluate how these efficiencies might create vulnerabilities that insiders can exploit. Continuous transaction monitoring can easily identify systems-based fraud and help organizations comply with regulations.

Patrick Taylor has more than 15 years' experience in companies such as Internet Security Systems, ORACLE, and Symantec in sales, product management, marketing communications, and channel marketing activities for information security and wireless Internet platforms.
