June 2009

Fighting High-tech Fraud

Auditors must master data analysis and other techniques to help prevent and detect fraud in an automated world.

Ken Askelson, CIA, CPA, CITP

Fraud is a business risk that executives, especially chief audit executives (CAEs), have dealt with for a long time. Headlines about corporate scandals and wrongdoing demonstrate the need for organizations and governments to improve governance and oversight. When computers are used to facilitate fraud, it adds another dimension of complexity to how organizations address this risk.

Last year, the U.S. Department of Justice prosecuted an international computer hacker who infected hundreds of computers at a major international company using “botnets” and adware that cost tens of thousands of dollars to detect and neutralize. The hacker was sentenced to more than three years in prison and ordered to pay US $65,000 in restitution.

In another case, employees of a Wake County, N.C., school district and an auto parts company exchanged phony invoices over a two-year period, costing taxpayers at least US $3.8 million, according to The News & Observer. Many red flags went unnoticed: Payments to the parts company increased 342 percent in one year, two-thirds of the invoices were under the bid limit, and a large number of invoices, totaling US $909,266, were submitted at year end.

How to address fraud risk within an organization effectively and efficiently is a major topic of concern for boards, management, business owners, internal auditors, government leaders, legislators, regulators, and other stakeholders. Moreover, new laws and regulations have forced organizations around the world to take a fresh look at this longstanding problem.

Despite tight budgets, limited staffing, and extended workloads, today’s audit professionals are expected to take a proactive role in helping organizations identify fraudulent activity and fraud risks by ensuring that appropriate controls are in place to help prevent and detect fraud. To meet the expectations of management, business owners, and boards, CAEs must use their available resources effectively and efficiently. As such, internal auditors require appropriate skills and technological tools to meet the demands of a successful fraud management program that covers prevention, detection, and investigation. All audit professionals must become proficient in fraud investigation, data analysis, and the use of technology.

Fraud encompasses a wide range of irregularities and illegal acts characterized by intentional deception or misrepresentation. Last year, The IIA, the Association of Certified Fraud Examiners, and the American Institute of Certified Public Accountants released Managing the Business Risk of Fraud: A Practical Guide, which outlines five key principles of the fraud risk management process:

  • A fraud risk management program should be in place, including a written policy.
  • Fraud risk exposure should be assessed periodically.
  • Fraud prevention techniques should be established, where feasible.
  • Fraud detection techniques should be established to uncover fraud events.
  • A reporting process should be in place to solicit input on fraud, including a coordinated approach to investigation and corrective action.

Internal audit departments and CAEs should identify and evaluate significant exposures to fraud risk and contribute to the improvement of risk management and control systems. A good starting point for organizations to better understand fraud risk and the specific exposures that apply to them is to complete a fraud risk assessment. Key elements that would be documented in this assessment include: 

  • The types of fraud that may occur.
  • The inherent risk of fraud, considering the availability of liquid and saleable assets; the levels of segregation of duties; organizational morale and employee turnover; the history of fraud and losses; and other business area indicators.
  • The adequacy of existing anti-fraud programs, monitoring, and preventive controls.
  • The potential gaps in the organization’s fraud controls.
  • The likelihood of a significant fraud event occurring.
  • The business impact/significance of a fraud event.

As the CAE coordinates the organization’s efforts to complete a comprehensive fraud risk assessment, it is important that potential fraud schemes related to IT be identified and included in the enterprisewide risk assessment. One of the first steps in this mission is for the CAE to join forces with the chief information officer to identify individuals within the organization who could complete the assessment effectively. Key participants to consider are IT and information security management, IT auditors, IT risk managers, loss prevention managers, compliance managers, and others with skills that would add value to the process.


CAEs should consider and address the following general IT-related fraud scenarios, if applicable to their organization.

Access to Systems or Data for Personal Gain

Some of the most valuable information desired by individuals perpetrating a fraud in the IT area resides in the form of digital assets maintained by the organization. Most organizations collect, create, use, store, disclose, and discard information that has market value to others outside the organization. This data can include personal information, such as Social Security, bank account, credit card, and bank routing numbers. This information can be sold to others or used for personal gain for crimes such as identity theft, unauthorized purchases on stolen credit cards, counterfeiting of credit cards, or stealing or diverting money from a bank account.

Changes to System Programs or Data for Personal Gain

If the organization has control breakdowns or weaknesses in the systems development life cycle, opportunities for fraud arise. The January 2008 Insider Threat Study, conducted by the U.S. Secret Service and the CERT Coordination Center, demonstrates how fraud may exist throughout system development. For example, in the systems design phase, an employee who realized there was no oversight in the system and business processes worked with organized crime to enter fake health claims totaling US $20 million. The oversight in this case was insufficient attention to security details in the automated workflow processes. In the system maintenance phase, a currency trader covered up losses of US $691 million over a five-year period by making unauthorized changes to source code. The oversights in this case included lack of code reviews and end-user access to source code.

Fraud Detection Using Data Analysis

Data analysis technology enables auditors to analyze transactional data to obtain insights into the operating effectiveness of internal controls and identify indicators of fraud risk or actual fraudulent activities. Whether it is reviewing payroll records for fictitious employees or accounts payable transactions for duplicate invoices, data analysis can help auditors address fraud risks.

Several analytical techniques are highly effective in detecting fraud. Audit departments should consider these techniques when evaluating their use of technology in fraud detection: 

  • Calculation of statistical parameters (e.g., averages, standard deviations, highest and lowest values) to identify outlying transactions that could indicate fraudulent activity.
  • Classification to find patterns and associations among data elements.
  • Stratification of numeric values to identify unusual (i.e., excessively high or low) values.
  • Digital analysis using Benford’s Law to identify statistically unlikely occurrences of specific digits in naturally occurring data sets. Benford’s Law states that in lists of numbers, the leading digit is distributed in a specific, non-uniform way: the first digit is “1” approximately 30 percent of the time, and larger digits occur as the leading digit with progressively lower frequency.
  • Joining different data sources to identify inappropriate matching values — such as names, addresses, and account numbers — in disparate systems.
  • Duplicate testing to identify simple or complex duplications of business transactions such as payments, payroll, claims, or expense report line items.
  • Gap testing to identify missing numbers in sequential data.
  • Summing of numerical values to check control totals that may have been falsified.
  • Validating data entry dates to identify postings or data entry times that are inappropriate or suspicious.

These data analysis techniques can be applied to a vast number of potential fraud areas within an organization. Typical fraud tests include looking for fictitious vendors, duplicate invoices, duplicate payments, goods not received, and payroll and accounts payable fraud.
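
The following is an added example, not part of the original article, showing two of the tests above in code: a Benford's Law first-digit test and a duplicate-payment test. The invoice data is constructed for the example, with a batch of fabricated invoices kept just under a bid limit, as in the school-district case above; the 0.015 cutoff for the mean absolute deviation (MAD) is Nigrini's published first-digit threshold for nonconformity.

```python
import math
from collections import Counter

# Expected leading-digit frequencies under Benford's Law: P(d) = log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Nigrini's published first-digit MAD cutoff: above 0.015 the population does not conform.
MAD_NONCONFORMITY = 0.015


def first_digit(amount):
    """Leading non-zero digit of a positive amount, after rounding to cents."""
    return int(f"{amount:.2f}".lstrip("0.")[0])


def benford_first_digit(amounts, flag_threshold=0.02):
    """Compare observed leading-digit frequencies with Benford's expectation.

    Returns (observed frequencies, mean absolute deviation, digits whose share
    exceeds the expectation by more than flag_threshold).
    """
    digits = [first_digit(a) for a in amounts if a > 0]
    counts = Counter(digits)
    observed = {d: counts[d] / len(digits) for d in range(1, 10)}
    mad = sum(abs(observed[d] - BENFORD[d]) for d in range(1, 10)) / 9
    flagged = [d for d in range(1, 10) if observed[d] - BENFORD[d] > flag_threshold]
    return observed, mad, flagged


def duplicate_payments(invoices):
    """Duplicate test: same vendor and amount billed more than once (invoice numbers may differ)."""
    groups = Counter((vendor, round(amount, 2)) for vendor, _, amount in invoices)
    return sorted(key for key, n in groups.items() if n > 1)


# Constructed data: 400 amounts spread evenly on a log scale over four decades
# (100.00 to just under 1,000,000), which follows Benford's Law closely ...
CLEAN = [100 * 10 ** (i / 100) for i in range(400)]
# ... plus 60 fabricated invoices kept just under a 10,000 bid limit (all start with 9).
UNDER_LIMIT = [9500 + 8 * k for k in range(60)]

# Constructed invoice rows: (vendor, invoice number, amount).
INVOICES = [("ACME Parts", "A-1001", 1250.00), ("ACME Parts", "A-1002", 1250.00),
            ("ACME Parts", "A-1003", 980.50), ("Bolt Supply", "B-77", 4100.00)]

if __name__ == "__main__":
    for label, data in (("clean", CLEAN), ("with under-limit invoices", CLEAN + UNDER_LIMIT)):
        observed, mad, flagged = benford_first_digit(data)
        print(f"{label}: MAD={mad:.4f} nonconforming={mad > MAD_NONCONFORMITY} flagged={flagged}")
    print("possible duplicate payments:", duplicate_payments(INVOICES))
```

On the clean set the MAD stays well under 0.015 and no digit is flagged; adding the under-limit batch pushes the MAD above the cutoff and flags digit 9, which is the cue to pull those invoices for review.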


Keeping up with technology advances is important for organizations to maintain a competitive edge, achieve business objectives, and manage risks. With these advances come new fraud schemes. The use of automated tools to perpetrate these schemes provides new challenges for fraud detection and prevention efforts.

Internal auditors must continually improve their audit skills and use technology to help their organization address risks and controls relating to fraud. This includes testing specific fraud controls that focus on IT processes, and using data analysis tools to identify indicators of fraud risk or actual fraudulent activities.

This ITAudit article is from the June issue of Internal Auditor. The article is based on the Global Audit Technology Guide, Fraud Prevention and Detection in an Automated World, which will be published later this year.

Ken Askelson, CIA, CPA, CITP, is the former senior IT audit manager for JCPenney Co. in Chandler, Ariz.

To comment on this article, e-mail the author at ken.askelson@theiia.org.



Good to share
The contents of this article are very useful! It can enhance the mind mapping process.
Posted By: Jeffrey ng
2010-03-30 1:48 AM
