Fighting High-tech Fraud
Auditors must master data analysis and other techniques to help prevent and detect fraud in an automated world.
Ken Askelson, CIA, CPA, CITP
Fraud is a business risk that executives, especially chief audit executives (CAEs), have dealt with for a long time. Headlines about corporate scandals and wrongdoing demonstrate the need for organizations and governments to improve governance and oversight. When computers are used to facilitate fraud, it adds another dimension of complexity to how organizations address this risk.
Last year, the U.S. Department of Justice prosecuted an international computer hacker who infected hundreds of computers at a major international company using “botnets” and adware that cost tens of thousands of dollars to detect and neutralize. The hacker was sentenced to more than three years in prison and ordered to pay US $65,000 in restitution.
In another case, employees of a Wake County, N.C., school district and an auto parts company exchanged phony invoices over a two-year period, costing taxpayers at least US $3.8 million, according to The News & Observer. Many red flags went unnoticed: Payments to the parts company increased 342 percent in one year, two-thirds of the invoices were under the bid limit, and a large number of invoices, totaling US $909,266, were submitted at year end.
How to address fraud risk within an organization effectively and efficiently is a major topic of concern for boards, management, business owners, internal auditors, government leaders, legislators, regulators, and other stakeholders. Moreover, new laws and regulations have forced organizations around the world to take a fresh look at this longstanding problem.
Despite tight budgets, limited staffing, and extended workloads, today’s audit professionals are expected to take a proactive role in helping organizations identify fraudulent activity and fraud risks by ensuring that appropriate controls are in place to help prevent and detect fraud. To meet the expectations of management, business owners, and boards, CAEs must use their available resources effectively and efficiently. As such, internal auditors require appropriate skills and technological tools to meet the demands of a successful fraud management program that covers prevention, detection, and investigation. All audit professionals must become proficient in fraud investigation, data analysis, and the use of technology.
ASSESSING FRAUD RISK
Fraud encompasses a wide range of irregularities and illegal acts characterized by intentional deception or misrepresentation. Last year, The IIA, the Association of Certified Fraud Examiners, and the American Institute of Certified Public Accountants released Managing the Business Risk of Fraud: A Practical Guide, which outlines five key principles of the fraud risk management process:
Internal audit departments and CAEs should identify and evaluate significant exposures to fraud risk and contribute to the improvement of risk management and control systems. A good starting point for organizations to better understand fraud risk and the specific exposures that apply to them is to complete a fraud risk assessment. Key elements that would be documented in this assessment include:
As the CAE coordinates the organization’s efforts to complete a comprehensive fraud risk assessment, it is important that potential fraud schemes related to IT be identified and included in the enterprisewide risk assessment. One of the first steps in this mission is for the CAE to join forces with the chief information officer to identify individuals within the organization who could complete the assessment effectively. Key participants to consider are IT and information security management, IT auditors, IT risk managers, loss prevention managers, compliance managers, and others with skills that would add value to the process.
IT FRAUD RISKS
It is important that potential fraud schemes related to IT be identified and included in the assessment. CAEs should consider and address these general fraud scenarios, if applicable to their organization.
Access to Systems or Data for Personal Gain
Some of the most valuable information desired by individuals perpetrating a fraud in the IT area resides in the form of digital assets maintained by the organization. Most organizations collect, create, use, store, disclose, and discard information that has market value to others outside the organization. This data can include personal information, such as Social Security, bank account, credit card, and bank routing numbers. This information can be sold to others or used for personal gain for crimes such as identity theft, unauthorized purchases on stolen credit cards, counterfeiting of credit cards, or stealing or diverting money from a bank account.
Changes to System Programs or Data for Personal Gain
If the organization has control breakdowns or weaknesses in the systems development life cycle, opportunities occur for fraud. The January 2008 Insider Threat Study, conducted by the U.S. Secret Service and the CERT Coordination Center, demonstrates how fraud may exist throughout system development. For example, in the systems design phase, an employee who realized there was no oversight in the system and business processes worked with organized crime to enter fake health claims totaling US $20 million. The oversight in this case was insufficient attention to security details in the automated workflow processes. In the system maintenance phase, a currency trader covered up losses of US $691 million over a five-year period by making unauthorized changes to source code. The oversights in this case included lack of code reviews and end-user access to source code.
Fraud Detection Using Data Analysis
Data analysis technology enables auditors to analyze transactional data to obtain insights into the operating effectiveness of internal controls and identify indicators of fraud risk or actual fraudulent activities. Whether it is reviewing payroll records for fictitious employees or accounts payable transactions for duplicate invoices, data analysis can help auditors address fraud risks.
Several analytical techniques are highly effective in detecting fraud. Audit departments should consider these techniques when evaluating their use of technology in fraud detection:
These data analysis techniques can be applied to a vast number of potential fraud areas within an organization. Typical fraud tests include looking for fictitious vendors, duplicate invoices, duplicate payments, goods not received, and payroll and accounts payable fraud.
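The following script, added here as an illustration and not taken from the article or from any audit software product, shows what four of these tests look like when written out over accounts-payable data. It runs against a constructed ledger of ten invoices, and it assumes a US $5,000 competitive-bid threshold, a 30 June fiscal year end, and made-up prior-year spend per vendor; the three red flags from the Wake County case above (payment growth, invoices just under the bid limit, and year-end clustering) are each expressed as a query, alongside a duplicate-invoice test that catches the same invoice re-keyed under a slightly different number.

```python
"""Added example (not the article's or any vendor's code): four common
accounts-payable fraud tests run over a constructed invoice ledger.

Assumed for the demo: a $5,000 bid threshold, a 30 June fiscal year end,
and invented prior-year spend per vendor.
"""
import re
from collections import defaultdict
from datetime import date

BID_LIMIT = 5000.00                      # assumed purchasing threshold
FISCAL_YEAR_END = date(2008, 6, 30)      # assumed fiscal year end
# Constructed prior-year spend per vendor, used by the growth test.
PRIOR_YEAR_SPEND = {"Acme Parts": 6000.00, "Bolt Supply": 8100.00, "Clean Co": 700.00}

# Constructed current-year AP ledger: (invoice_no, vendor, amount, invoice_date).
INVOICES = [
    ("A-1001", "Acme Parts", 4950.00, date(2008, 3, 2)),
    ("A-1002", "Acme Parts", 4975.00, date(2008, 4, 9)),
    ("A-1003", "Acme Parts", 1200.00, date(2008, 6, 15)),
    ("a1003",  "Acme Parts", 1200.00, date(2008, 6, 22)),   # same invoice, re-keyed
    ("A-1004", "Acme Parts", 4990.00, date(2008, 6, 28)),
    ("A-1005", "Acme Parts", 4980.00, date(2008, 6, 29)),
    ("A-1006", "Acme Parts", 4999.00, date(2008, 6, 30)),
    ("B-77",   "Bolt Supply", 8200.00, date(2008, 2, 11)),
    ("B-78",   "Bolt Supply", 310.00, date(2008, 5, 5)),
    ("C-5",    "Clean Co", 750.00, date(2008, 1, 20)),
]


def normalize_invoice_no(invoice_no):
    """Collapse 'A-1003', 'a1003', 'A 1003' to one key so re-keyed duplicates match."""
    return re.sub(r"[^A-Z0-9]", "", invoice_no.upper())


def find_duplicate_invoices(invoices):
    """Test 1: same vendor, same normalized invoice number, same amount."""
    groups = defaultdict(list)
    for inv in invoices:
        inv_no, vendor, amount, _ = inv
        groups[(vendor, normalize_invoice_no(inv_no), round(amount, 2))].append(inv)
    return {key: rows for key, rows in groups.items() if len(rows) > 1}


def under_limit_invoices(invoices, limit=BID_LIMIT, band=0.05):
    """Test 2: invoices sitting just below the bid threshold (within `band`)."""
    floor = limit * (1 - band)
    return [inv for inv in invoices if floor <= inv[2] < limit]


def under_limit_share(invoices, limit=BID_LIMIT, band=0.05):
    """Fraction of each vendor's invoices that fall in the just-under-limit band."""
    total, under = defaultdict(int), defaultdict(int)
    for inv in invoices:
        total[inv[1]] += 1
    for inv in under_limit_invoices(invoices, limit, band):
        under[inv[1]] += 1
    return {v: under[v] / total[v] for v in total}


def year_end_invoices(invoices, fye=FISCAL_YEAR_END, days=30):
    """Test 3: invoices dated in the last `days` days of the fiscal year."""
    return [inv for inv in invoices if 0 <= (fye - inv[3]).days < days]


def year_end_totals(invoices, fye=FISCAL_YEAR_END, days=30):
    """Year-end spend per vendor, to compare against the rest of the year."""
    totals = defaultdict(float)
    for inv in year_end_invoices(invoices, fye, days):
        totals[inv[1]] += inv[2]
    return dict(totals)


def vendor_growth(invoices, prior=PRIOR_YEAR_SPEND):
    """Test 4: year-over-year growth in spend per vendor (3.0 means +300%)."""
    current = defaultdict(float)
    for inv in invoices:
        current[inv[1]] += inv[2]
    return {v: (current[v] - prior[v]) / prior[v] for v in current if prior.get(v)}


def flagged_vendors(invoices, growth_threshold=1.0, under_limit_threshold=0.5):
    """Vendors that trip the growth test or the under-limit concentration test."""
    growth = vendor_growth(invoices)
    share = under_limit_share(invoices)
    return sorted(v for v in share
                  if growth.get(v, 0.0) >= growth_threshold
                  or share[v] >= under_limit_threshold)


if __name__ == "__main__":
    print("duplicates:", find_duplicate_invoices(INVOICES))
    print("just under bid limit:", under_limit_share(INVOICES))
    print("year-end spend:", year_end_totals(INVOICES))
    print("growth vs prior year:", vendor_growth(INVOICES))
    print("flagged vendors:", flagged_vendors(INVOICES))
```

In practice the ledger comes from an extract of the accounts-payable subledger rather than an inline list, and the thresholds (bid limit, year-end window, growth cut-off) come from the organization's own purchasing policy and risk assessment. The duplicate test deliberately normalizes the invoice number before grouping; a test that compares raw strings will miss the "A-1003"/"a1003" pair, which is exactly the kind of re-keying a duplicate-payment scheme relies on. Each test returns a structure an auditor can sample from, so the script doubles as the audit trail of what was examined.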
NEW FRAUD CHALLENGES
Keeping up with technology advances is important for organizations to maintain a competitive edge, achieve business objectives, and manage risks. With these advances come new fraud schemes. The use of automated tools to perpetrate these schemes provides new challenges for fraud detection and prevention efforts.
Internal auditors must continually improve their audit skills and use technology to help their organization address risks and controls relating to fraud. This includes testing specific fraud controls that focus on IT processes, and using data analysis tools to identify indicators of fraud risk or actual fraudulent activities.
This ITAudit article is from the June issue of Internal Auditor. The article is based on the Global Audit Technology Guide, Fraud Prevention and Detection in an Automated World, which will be published later this year.
Ken Askelson, CIA, CPA, CITP, is the former senior IT audit manager for JCPenney Co. in Chandler, Ariz.
To comment on this article, e-mail the author at firstname.lastname@example.org.