Webinar Series Overview: In today’s world, fraud investigations have become an everyday part of corporate life and the auditor must gain expertise in this area.
The 8-part series will cover the tasks of the fraud auditor, forensic techniques and tools, the abilities required of the fraud auditor, the type and nature of common frauds, investigating fraud, computer fraud and control, white collar crime, and the auditor in court.
This session: Fraud Auditing Creative Techniques
• Auditing Techniques
• Auditing method 1- "Tiger Team Test"
• Auditing method 2- "Application of Benford's Theorem"
• Auditing method 3- "Use of Barium test"
• Auditing method 4- "Use of Birbal tricks and traps"
• Auditing method 5- "Application of inverse logic"
• Auditing method 6- "Use of Space-time dimension in data evaluation"
Fraud Auditing Creative
Techniques
October 19, 2017
About Jim Kaplan, CIA, CFE
President and Founder of AuditNet®,
the global resource for auditors (now
available on iOS, Android and
Windows devices)
Auditor, Web Site Guru,
Internet for Auditors Pioneer
Recipient of the IIA’s 2007 Bradford
Cadmus Memorial Award.
Author of “The Auditor’s Guide to
Internet Resources” 2nd Edition
About Richard Cascarino, MBA,
CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 28 years experience in IT audit
training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Data Analytics for Internal
Auditors
About AuditNet® LLC
• AuditNet®, the global resource for auditors, is available on the
Web, iPad, iPhone, Windows and Android devices and features:
• Over 2,700 Reusable Templates, Audit Programs,
Questionnaires, and Control Matrices
• Training without Travel Webinars focusing on fraud, data
analytics, IT audit, and internal audit
• Audit guides, manuals, and books on audit basics and using
audit technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
• NASBA Approved CPE Sponsor
Introductions
Housekeeping
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized
usage or recording of this webinar or any of its material is strictly forbidden.
If you logged in with another individual’s confirmation email you will not receive CPE as the
confirmation login is linked to a specific individual
This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique
join link.
We are recording the webinar and you will be provided access to that recording after the webinar.
Downloading or otherwise duplicating the webinar recording is expressly prohibited.
If you have indicated you would like CPE you must answer the polling questions (all or minimum
required) to receive CPE per NASBA.
If you meet the NASBA criteria for earning CPE you will receive a link via email to download your
certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to
white list this address. It is from this email that your CPE credit will be sent. There is a processing
fee to have your CPE credit regenerated post event.
Submit questions via the chat box on your screen and we will answer them either during or at the
conclusion.
Please complete the evaluation questionnaire to help us continuously improve our Webinars.
IMPORTANT INFORMATION
REGARDING CPE!
SUBSCRIBERS/SITE LICENSE USERS - If you attend the Webinar and answer the polling
questions (all or minimum required) you will receive an email with the link to download your CPE
certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important
to white list this address. It is from this email that your CPE credit will be sent. There is a
processing fee to have your CPE credit regenerated post event.
NON-SUBSCRIBERS/NON-SITE LICENSE USERS - If you attend the Webinar and answer the
polling questions (all or minimum required) and requested CPE you must pay a fee to receive
your CPE. No exceptions!
We cannot manually generate a CPE certificate as these are handled by our 3rd party provider.
We highly recommend that you work with your IT department to identify and correct any email
delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in your
email system or a firewall that will redirect or not allow delivery of this email from Gensend.io
Anyone may register, attend and view the Webinar without fees if they opted out of receiving
CPE.
We are not responsible for any connection, audio or other computer related issues. You must
have pop-ups enabled on your computer otherwise you will not be able to answer the polling
questions which occur approximately every 20 minutes. We suggest that if you have any
pressing issues to see to that you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent
the views, positions, or opinions of AuditNet® LLC. These materials,
and the oral presentation accompanying them, are for educational
purposes only and do not constitute accounting or legal advice or
create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is
accurate and complete, AuditNet® makes no representations,
guarantees, or warranties as to the accuracy or completeness of the
information provided via this presentation. AuditNet® specifically
disclaims all liability for any claims or damages that may result from
the information contained in this presentation, including any
websites maintained by third parties and linked to the AuditNet®
website.
Any mention of commercial products is for information only; it does
not imply recommendation or endorsement by AuditNet® LLC
Today’s Agenda
When Should You Investigate Fraud?
Auditing Techniques
Auditing method 1- "Tiger Team Test"
Auditing method 2- "Application of Benford's Theorem"
Auditing method 3- "Use of Barium test"
Auditing method 4- "Use of Birbal tricks and traps"
Auditing method 5- "Application of inverse logic"
Auditing method 6- "Use of Space-time dimension in data
evaluation"
When Should You Investigate
Fraud?
Consider the following:
strength of the predication
cost of the investigation
exposure or amount that could have been taken
the signal that investigation or non-investigation
will send to others in the organization
What is Meant by
“Predication of Fraud?”
Circumstances, taken as a whole,
that lead a reasonable, prudent
professional to believe a fraud is
occurring, or has occurred, or
will occur
When Should You Investigate
Fraud?
risks of investigating
and not investigating
public exposure or loss
of reputation from
investigating and not
investigating
nature of the possible
fraud
Fraud Investigation Methods
Once there is predication, determine the:
Who?
How?
How much?
Questions of the fraud.
Where the Evidence Resides
Data files
Volatile data in kernel structures
Slack space
Free or unallocated space
The logical file system
events log
application logs
the registry
the swap file
special application files
temporary files
the recycle bin
the printer spool
email sent or received
Applying Benford’s Law
Benford’s Law was first used by accountants
in late 1980
Benford’s Law History
Simon Newcomb – 1881
Frank Benford – 1938
Roger Pinkham – 1961
Theodore Hill – 1995
Mark Nigrini “Benford’s Law” Wiley, 2012
What Is Benford’s Law
BENFORD’S LAW FORMULA
The probability of any number “d” from 1 through 9 being the first digit is:
P(d) = log10(1 + 1/d)
What Is Benford’s Law?
Benford’s law gives the probability of
obtaining digits 1 through 9 in each position
of a number.
For example, 3879
3 - first digit
8 - second digit
7 - third digit
9 - fourth digit
What Is Benford’s Law
Most people assume that each of the digits 1 through 9 has a 1/9
probability of being the first digit
This would mean the digits are equally likely to
occur, but this is not the case
According to Benford’s Law the probability of
obtaining a 1 in the first digit position is
30.1%
Expected Frequencies Based
on Benford’s Law
Digit   1st Place   2nd Place   3rd Place   4th Place
0       -           0.11968     0.10178     0.10018
1       0.30103     0.11389     0.10138     0.10014
2       0.17609     0.19882     0.10097     0.1001
3       0.12494     0.10433     0.10057     0.10006
4       0.09691     0.10031     0.10018     0.10002
5       0.07918     0.09668     0.09979     0.09998
6       0.06695     0.09337     0.0994      0.09994
7       0.05799     0.0935      0.09902     0.0999
8       0.05115     0.08757     0.09864     0.09986
9       0.04576     0.085       0.09827     0.09982
Source: Nigrini, 1996.
Types of Data That Conform
Accounts payable data
Accounts receivable data
Estimations in the general ledger
Relative size of inventory unit prices among
locations
New combinations of selling prices
Customer refunds
Duplicate payments
Uses in Fraud Investigations
Invented or altered numbers are not likely to
follow Benford’s Law
Human choices are not random
1993, State of Arizona v. Wayne James Nelson
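Added example (not from the webinar slides): a first-digit Benford test in Python that compares observed leading-digit frequencies against log10(1 + 1/d) with a chi-square statistic and names the digit that deviates most. The function names, the 5% chi-square threshold and both sample ledgers are assumptions constructed for illustration.

```python
import math
from collections import Counter

# Expected first-digit proportions from the slide's formula: log10(1 + 1/d)
EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
# Chi-square critical value for 8 degrees of freedom at alpha = 0.05 (assumed threshold)
CHI2_CRIT_8DF_05 = 15.507

def first_digit(amount):
    """Return the first non-zero digit of an amount in cents precision, or None for zero."""
    for ch in f"{abs(amount):.2f}":
        if ch in "123456789":
            return int(ch)
    return None

def benford_first_digit_test(amounts):
    """Compare observed first-digit frequencies with Benford's expected ones."""
    digits = [d for d in map(first_digit, amounts) if d is not None]
    n = len(digits)
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    counts = Counter(digits)
    rows, chi2 = [], 0.0
    for d in range(1, 10):
        observed = counts.get(d, 0)
        expected = n * EXPECTED[d]
        chi2 += (observed - expected) ** 2 / expected
        rows.append((d, observed / n, EXPECTED[d]))
    # Digit whose observed share is furthest from its expected share
    worst = max(rows, key=lambda r: abs(r[1] - r[2]))[0]
    return {"n": n, "chi2": chi2, "conforms": chi2 < CHI2_CRIT_8DF_05,
            "worst_digit": worst, "rows": rows}

def sample_ledger():
    """Constructed data: a geometric series, which follows Benford closely."""
    return [round(100 * 1.05 ** i, 2) for i in range(1000)]

def sample_padded_ledger():
    """Constructed data: the same ledger plus 150 invented amounts of 4,000-4,999,
    as if someone kept payments just under a 5,000 approval limit."""
    return sample_ledger() + [4000 + (i * 37) % 1000 for i in range(150)]

if __name__ == "__main__":
    for name, data in (("clean", sample_ledger()), ("padded", sample_padded_ledger())):
        r = benford_first_digit_test(data)
        print(f"{name}: n={r['n']} chi2={r['chi2']:.1f} "
              f"conforms={r['conforms']} worst_digit={r['worst_digit']}")
```

The worst_digit value tells the auditor which slice of the population to sample first; a failed test is a lead for further work rather than a finding in itself.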
Tiger Team Auditing
Tiger teams
Groups assembled to actively test a system
Members have expertise in security and fraud
Commonly used in the past
Use of Barium test
Barium test is a clinical technique involving:
Use of a radio-opaque medium to expose
abnormalities in internal systems which would not
be visible in conventional X-ray internal testing
Audit application
To detect abnormalities within systems which
would not be observable in common audit tests
Involves introducing transactions which would be
observable within normal tests
Barium Testing
May include audit techniques such as:
Parallel Simulation
Test Data
Integrated Test Facility
Birbal tricks and traps
Raja Birbal was a Hindu advisor in the court
of the Mughal emperor Akbar
Birbal could guess what a thief had in mind
and plan a situation so as to trap him
Chetan Dalal, an Indian Fraud Examiner, is
credited with applying Birbal tricks and traps
to fraud investigation
Birbal's Litmus Test
A suspect’s honesty or dishonesty can be identified in an
investigation by observing his reactions and general
behavior for example:
Cashier suspected of theft
Auditor surreptitiously removed some cash from the
transaction log
Honest cashier on seeing a shortfall would:
A) report it or
B) keep quiet and hope nobody notices
A subsequent audit showing no shortfall may indicate that
the books were recooked to cover up the
Litmus test indicates dishonesty is probable
Application of inverse logic
Logically
Fraud involves theft
Inverse logic
Theft involves fraud
Not necessarily true
Use of Space-time dimension
in data evaluation
A method for detecting anomalous patterns in
general categorical data sets
Detecting anomalous patterns in massive,
multivariate data sets
Dynamic query interfaces (DQIs) are a recently
developed database access mechanism that
provides continuous real-time feedback to the user
during query formulation
May be used in Anomaly detection
What are Anomalies?
Anomaly is a pattern in the data that does
not conform to the expected behavior
Also referred to as outliers, exceptions,
peculiarities, surprise, etc.
Anomalies translate to significant (often
critical) real life entities
Cyber intrusions
Credit card fraud
Key Challenges
Defining a representative normal region is challenging
The boundary between normal and outlying behavior is
often not precise
The exact notion of an outlier is different for different
application domains
Availability of labelled data for training/validation
Malicious adversaries
Data might contain noise
Normal behavior keeps evolving
Types of Anomaly
Point Anomalies
Contextual Anomalies
Collective Anomalies
Point Anomalies
An individual data instance is anomalous with
respect to the data
[Figure: plot with axes X and Y; labels N1, N2, o1, o2, O3]
Contextual Anomalies
An individual data instance is anomalous within a context
Requires a notion of context
Also referred to as conditional anomalies*
* Xiuyao Song, Mingxi Wu, Christopher Jermaine, Sanjay Ranka, Conditional Anomaly Detection, IEEE
Transactions on Data and Knowledge Engineering, 2006.
[Figure labels: Normal, Anomaly]
Collective Anomalies
A collection of related data instances is anomalous
Requires a relationship among data instances
Sequential Data
Spatial Data
Graph Data
The individual instances within a collective anomaly are not
anomalous by themselves
Anomalous Subsequence
Anomaly Detection Problems
Nature of input data
Availability of supervision
Type of anomaly: point, contextual, structural
Output of anomaly detection
Evaluation of anomaly detection techniques
Data Classification
Main idea: build a classification model for normal (and
anomalous (rare)) events based on labelled data, and use
it to classify each new unseen event
Classification models must be able to handle skewed
(imbalanced) class distributions
Categories:
Supervised classification techniques
Require knowledge of both normal and anomaly class
Build classifier to distinguish between normal and known anomalies
Semi-supervised classification techniques
Require knowledge of normal class only!
Use modified classification model to learn the normal behavior and then
detect any deviations from normal behavior as anomalous
Using ACL to Detect Fraud
Anomalous records could include both transactions and
master file entries which indicate violations of the
organization’s policies and procedures or legal violations of
statute. Such violations could include items such as:
Customers with account balances exceeding their credit limits
Excessive use of sole vendors
Vendors with unusual or overseas bank accounts
Dormant vendors
Duplicate vendors
Duplicate employees
Invalid Social Security numbers on employee records
Excessive use of overtime
Loans which are past due
Transactions over corporate limits
Statistics Based Techniques
Data points are modelled using a stochastic distribution;
points are determined to be outliers depending on their
relationship with this model
Advantage
Utilize existing statistical modelling techniques to model various
type of distributions
Challenges
With high dimensions, difficult to estimate distributions
Parametric assumptions often do not hold for real data sets
Types of Statistical Techniques
Parametric Techniques
Assume that the normal (and possibly anomalous) data is generated
from an underlying parametric distribution
Learn the parameters from the normal sample
Determine the likelihood of a test instance to be generated from this
distribution to detect anomalies
Non-parametric Techniques
Do not assume any knowledge of parameters
Use non-parametric techniques to learn a distribution – e.g. Parzen
window estimation
Application of Dynamic
Graphics
Apply dynamic graphics to the
exploratory analysis of spatial
data.
Visualization tools are used to
examine local variability to
detect anomalies
Manual inspection of plots of
the data that display its
marginal and multivariate
distributions
* Haslett, J. et al. Dynamic graphics for exploring spatial data with application to locating global and local anomalies.
The American Statistician
Anomaly vs Misuse Detection
Anomaly detection is based on profiles that represent normal behavior
of users, hosts, or networks, and detecting attacks as significant
deviations from this profile
Major benefit - potentially able to recognize unforeseen attacks.
Major limitation - possible high false alarm rate, since detected deviations do
not necessarily represent actual attacks
Major approaches: statistical methods, expert systems, clustering, neural
networks, support vector machines, outlier detection schemes
Misuse detection is based on extensive knowledge of patterns
associated with known attacks provided by human experts
Existing approaches: pattern (signature) matching, expert systems, state
transition analysis, data mining
Major limitations:
Unable to detect novel & unanticipated attacks
Signature database has to be revised for each new type of discovered attack
Accounting Anomalies
Missing documents.
Excessive voids or credits.
Increased reconciliation items.
Alterations on documents.
Duplicate payments.
Common names or addresses of payees or
customers
Increased past due accounts.
ACL Testing Techniques
Analytic Techniques
Statistical samples
Seeking Duplicates and Missing Items
Use of pivot tables
Trend analysis
Continuous monitoring
Compliance
Analysis of Transaction by Teller
Unauthorized internet access
Pricing rules not followed
ACL Testing Techniques
Fraud
Identify duplicate employees in the employee
master table
Excessive sole vendor contracts
Ghost employees
Duplicate payments
Benford analysis
Software to Detect Fraud
Provide reports for customer credits, adjustment
accounts, inventory spoilage or loss, fixed-asset write-offs.
Detect unusual anomalies such as unusual amounts
or patterns
Compare vendor addresses and phone numbers with
employee data
Use Range or Limit Validation to detect fraudulent
transactions
Logged computer activity, login or password attempts,
data access attempts, and geographical location data
access.
Red flags software can detect
Out-of-sequence checks
Large number of voids or refunds made by
employee or customer
Manually prepared checks from large company
Payments sent to nonstandard (unofficial)
address
Unexplained changes in vendor activity
Vendors with similar names or addresses
Unapproved vendor or new vendor with high
activity
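Added example (not from the webinar slides and not ACL script): two of the tests listed above, written in Python: matching vendor master records to employee records on normalized phone and address, and finding duplicate payments. The record layouts, field names and all sample rows are constructed for illustration.

```python
import re
from collections import defaultdict

ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste", "apartment": "apt"}

def norm_phone(phone):
    """Digits only, last 10, so formatting and a country code do not hide a match."""
    return re.sub(r"\D", "", phone)[-10:]

def norm_addr(addr):
    """Lower-case, drop punctuation and abbreviate common street words."""
    words = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def vendor_employee_matches(vendors, employees):
    """Return (vendor_id, employee_id, field) for every shared phone or address."""
    index = defaultdict(set)
    for e in employees:
        for field, value in (("phone", norm_phone(e["phone"])),
                             ("address", norm_addr(e["address"]))):
            if value:  # never match on an empty field
                index[(field, value)].add(e["id"])
    hits = []
    for v in vendors:
        for field, value in (("phone", norm_phone(v["phone"])),
                             ("address", norm_addr(v["address"]))):
            for emp_id in sorted(index.get((field, value), ())):
                hits.append((v["id"], emp_id, field))
    return hits

def duplicate_payments(payments):
    """Group payments by vendor, normalized invoice number and amount."""
    groups = defaultdict(list)
    for p in payments:
        invoice = re.sub(r"[^A-Z0-9]", "", p["invoice"].upper())
        groups[(p["vendor"], invoice, round(p["amount"], 2))].append(p["id"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)

# Constructed sample records
EMPLOYEES = [
    {"id": "E100", "phone": "(303) 555-0142", "address": "12 Elm Street, Apt 4"},
    {"id": "E101", "phone": "303-555-0177", "address": "900 Pine Road"},
]
VENDORS = [
    {"id": "V1", "phone": "+1 303 555 0142", "address": "PO Box 77"},
    {"id": "V2", "phone": "720-555-0101", "address": "900 PINE RD."},
    {"id": "V3", "phone": "720-555-0199", "address": "1 Market Avenue"},
]
PAYMENTS = [
    {"id": "P1", "vendor": "V3", "invoice": "INV-0042", "amount": 1250.00},
    {"id": "P2", "vendor": "V3", "invoice": "inv 0042", "amount": 1250.00},
    {"id": "P3", "vendor": "V3", "invoice": "INV-0043", "amount": 1250.00},
    {"id": "P4", "vendor": "V2", "invoice": "INV-0042", "amount": 1250.00},
]

if __name__ == "__main__":
    print(vendor_employee_matches(VENDORS, EMPLOYEES))
    print(duplicate_payments(PAYMENTS))
```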
Forensic Software
The Sleuth Kit is an open source forensic toolkit for
analyzing Microsoft and UNIX file systems and disks
Autopsy® is a digital forensics platform and graphical
interface to The Sleuth Kit® and other digital forensics
tools. It can be used by law enforcement, military, and
corporate examiners to investigate what happened on
a computer.
DFF (Digital Forensics Framework) is a free and
Open Source computer forensics software built on top
of a dedicated Application Programming Interface
(API).
Forensic Software
Forensic Control - List of over 130 free tools
provided as a free resource for all.
Updated several times a year
No support or warranties for the listed software
User’s responsibility to verify licensing agreements.
SANS Investigative Forensic Toolkit (SIFT)
Developed by SANS and made available to
the whole community as a public service.
Forensic Analysis
Physical Analysis
String search DOS-based StringSearch -
http://www.maresware.com
Search and extract
e.g. $4A $46 $49 $46 $00 $01 is start of a JPEG file
http://www.wotsit.org
File slack and free space extraction
http://www.nti.com
Logical Analysis
Logical File space
Slack space
Unallocated space
Questions?
Any Questions?
Don’t be Shy!
AuditNet® and cRisk Academy
If you would like
forever access to this
webinar recording
If you are watching
the recording, and
would like to obtain
CPE credit for this
webinar
Previous AuditNet®
webinars are also
available on-demand
for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF
for a discount on this
webinar for one week
Thank You!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Richard Cascarino & Associates
Cell: +1 970 819 7963 - South Africa +27 (0)78 980 7685
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino