11
Using Information Technology for Fraud Examination and Financial Forensics

In this chapter and the following modules, we examine various tools and techniques for fraud detection and risk assessment grounded in information technology. These modules, along with the learning objectives, include the following:

  • Module 1 introduces digital concepts associated with forensic accounting and fraud examination to the reader. The information covered here seeks to reconcile traditional “paper and pencil” techniques presented in prior chapters with the subtleties and nuances of collecting and analyzing evidence electronically. The objective of this module is for the reader to be able to identify opportunities within the digital environment for increased efficiency and effectiveness.
  • Module 2 drills down into digital evidence, including sources of evidence and the need to properly collect and protect electronic evidence in a manner admissible to courts of law. The goal of this module is for readers to apply the tools and techniques associated with digital evidence to case scenarios.
  • Module 3 explores the methodologies for detection and examination in a digital environment. This module includes analytical tools and techniques available in most software programs, as well as specific electronic tools, such as Excel and IDEA. The objective is for the reader to be able to identify appropriate digital approaches and use those approaches to examine digital data.
  • Module 4 outlines graphical tools and techniques. Graphics serve at least three important roles for forensic and antifraud professionals: as an investigative tool, as an identifier of needed procedures, and as a communications tool. The goal here is for the reader to be able to apply graphics skills and software to case scenarios.
  • Module 5 considers the tools and techniques for case management. The goal in this module is for the reader to identify when and how to use case management software.

Module 1: The Digital Environment

The purpose of this chapter is to provide an overview of the information systems control environment, as well as big data, data extraction, and analysis tools and techniques. Technology is a specialized area, and, as a result, the auditor, fraud examiner, or forensic accountant may need to solicit the assistance of a professional with expertise in digital environments, tools, and techniques. Of course, determining the required level of expertise is similar to other tasks that arise in many areas of the fraud examination or forensic accounting engagement—it requires judgment on the part of the professional involved.

The starting point for the use of electronic data in the fraud or forensic accounting area, as a means of fraud prevention and deterrence, is an evaluation of the integrity of the data and their related systems. Many have heard the acronym GIGO, “garbage-in, garbage-out.” If the data going into the information system lack integrity—the data have been manipulated or corrupted, or the information processes somehow destroy the integrity of the data—any information subsequently extracted will lack integrity. Similar to the chain of custody concepts, good audit trails that allow the data to be tracked through the system are also crucial to the goal of maintaining data integrity and, just as important, the ability to prove the origins and credibility of the data.

Overview of Information Technology Controls

Many of the process controls applicable to paper-based information systems are analogous to the internal controls surrounding digital information systems. An information technology (IT) audit consists of (1) planning, (2) tests of controls, and (3) substantive tests. Further, the IT audit requires an understanding of the control environment related to IT; risk assessment of the things that could go wrong in an IT environment; and information, communications, monitoring, and independent checks of the IT systems’ internal controls. Some of the control activities in an IT environment that parallel those in the world of paper include proper authorization and access controls, segregation of IT duties, IT supervision and approval, adequate record keeping, and independent supervision and verification.

More specific to IT, the general framework for viewing IT risks and controls includes the following:³

  • IT Operations
  • Data Management Systems
  • New Systems (Software) Development and Integration
  • Systems Maintenance
  • Systems Backup and Contingency Planning
  • Electronic Commerce
  • Control over Computer Operations (Hardware, Software, and User Access)

Each of these areas has particular control issues and needs to be examined carefully because data integrity issues can arise in any area.

Big data, data analytics, and CAATTs (computer-aided audit tools and techniques) can assist with the testing of the IT systems control environment. One of the necessary areas of concern is applications controls. Applications are systems or subsystems in the areas of accounting, finance, marketing, sales, warehousing, distribution, payroll, personnel, etc. Application controls are designed to address risks that threaten the processing and storage of data in these areas.

The first application control applies to the initial input of data. A transaction must start somewhere, and someone must have the authority to initiate that transaction. The important financial and operational attributes of that transaction must then be captured by the digital system. In paper-based systems, this is accomplished by first “writing” the transaction on paper, such as preparing an invoice, or the transaction can be entered directly into the computer system. In some cases, such as e-commerce, transactions are entered directly into the computer by participants to the transaction who are not employees of the company; ordering a product on Amazon.com is an example. In such cases, little or no traditional source documents exist in paper form. In other cases, a paper trail is created.

Similar to paper-based information systems, the source documentation that supports the electronic data systems should be logged, date and time stamped, prenumbered, and used in sequence. Supporting source documents should be audited periodically and should be retained physically, or in electronic format, because they may include transaction information; sign-offs for those who prepared the document/transaction; required approvals and other authorizations; and the identity of the person who processed the information into and/or through the application system.

Once documents or transactions are captured by the application systems, data coding controls can be used to identify transcription and transposition errors. In some cases, check digits may accompany transactions as a means of authenticating those transactions as they move throughout the system.

Batch controls are used when groups of documents or transactions are entered or processed in batches (e.g., totals for a day). Batch controls may consist of a document count or a manual sum of all the transactions to be entered, which is later compared to the electronic batch total from the computer system after entry. Batch total controls use system-generated criteria that ensure data integrity for groups of transactions as they move through the system.

Validation controls detect input errors by flagging those transactions that fall outside accepted ranges. These controls may look for numeric, alphabetical, or alpha-numeric data in a particular field, as an example. They attempt to identify and isolate errors during data input, so that the error can be addressed before those data are further processed. Validation controls can also be established to ensure that the correct file is accessed.

Record validation is another technique that ensures that data relationships within a record make sense. It can include reasonableness checks, sequence checks, and other checks. An important application control is input error correction. This control requires that all errors are properly addressed prior to the data being processed through the system.

Finally, the application input system needs to be examined, as a whole, to ensure that input errors can be identified and addressed as quickly as possible.
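The input controls described above (check digits, batch totals, field validation, record validation, and sequence checks on prenumbered documents) can be seen working together in the following added example, which is not from the original text. The Luhn check-digit scheme, the field names, the accepted amount range, and the sample batch are all assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

AMOUNT_MIN, AMOUNT_MAX = Decimal("0.01"), Decimal("10000.00")  # assumed accepted range

# Constructed sample batch as keyed into the system (document 1003 was never entered).
BATCH = [
    {"doc_no": 1001, "account": "79927398713", "qty": "2", "unit_price": "50.00", "amount": "100.00"},
    {"doc_no": 1002, "account": "79972398713", "qty": "1", "unit_price": "25.00", "amount": "25.00"},
    {"doc_no": 1004, "account": "79927398713", "qty": "3", "unit_price": "10.00", "amount": "35.00"},
    {"doc_no": 1005, "account": "79927398713", "qty": "1", "unit_price": "25000.00", "amount": "25000.00"},
    {"doc_no": 1006, "account": "79927398713", "qty": "1", "unit_price": "100.00", "amount": "1O0.00"},
]
# Manual batch controls prepared from the paper source documents (constructed).
CONTROL_COUNT, CONTROL_TOTAL = 6, Decimal("555.00")


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a string of digits (scheme assumed for this example)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting with the rightmost
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def check_digit_ok(code: str) -> bool:
    """Data coding control: the last digit must agree with the digits before it."""
    return code.isdigit() and len(code) > 1 and luhn_check_digit(code[:-1]) == code[-1]


def review_batch(records, control_count, control_total):
    """Apply the input controls to one batch and return everything that was flagged."""
    exceptions, seen, duplicates = [], set(), []
    system_total = Decimal("0")
    for rec in records:
        doc = rec["doc_no"]
        if doc in seen:                      # sequence check: number used twice
            duplicates.append(doc)
        seen.add(doc)
        if not check_digit_ok(rec["account"]):
            exceptions.append((doc, "account check digit failed"))
        try:                                 # validation control: numeric fields
            amount = Decimal(rec["amount"])
            expected = Decimal(rec["qty"]) * Decimal(rec["unit_price"])
        except InvalidOperation:
            exceptions.append((doc, "non-numeric field"))
            continue                         # held for correction, not processed
        system_total += amount
        if not AMOUNT_MIN <= amount <= AMOUNT_MAX:   # validation control: range
            exceptions.append((doc, "amount outside accepted range"))
        if expected != amount:               # record validation: fields must agree
            exceptions.append((doc, "qty x unit price does not equal amount"))
    # Sequence check: prenumbered documents missing from the run.
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen) if seen else []
    return {
        "exceptions": exceptions,
        "missing_docs": missing,
        "duplicate_docs": duplicates,
        "count_diff": len(records) - control_count,    # batch control: document count
        "total_diff": system_total - control_total,    # batch control: amount total
    }


if __name__ == "__main__":
    for key, value in review_batch(BATCH, CONTROL_COUNT, CONTROL_TOTAL).items():
        print(key, value)
```

Document 1005 passes record validation because its fields agree with each other, and it is caught only by the range check and the batch total, which is why the controls are layered.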

Once the transaction data are “inside” the application system(s), they are available for further processing and transfer to other application systems. Processing controls are necessary to ensure that processed data maintain integrity as they move through the system. These include run-to-run controls that monitor various batch totals, recalculate control totals, transaction codes, and sequence checks, as data move from procedure to procedure. Some data processing requires systems operator intervention to initiate further action. Operator intervention increases the chance of human error, so controls need to be in place to minimize this. As data are processed through the system, an audit trail also needs to be developed. The data audit trail usually includes transaction logs, logs of automated transactions, a listing of automated transactions, unique transaction identifiers, and error logs.

Once the data have been sufficiently processed, they are available for output in the form of reports, as well as for transfer to other systems for additional processing. Output controls are established for spooling (how outputs move through the system and address output backlogs), print programs, and bursting (separating and collating printed pages). Output controls also address how to monitor waste and how to identify who is responsible for data accuracy and maintenance, report distribution, and end-user controls.

IT Audits and Assurance Activities

Auditors and forensic accountants who specialize in IT audit and assurance can approach IT system controls testing by one of two major approaches. First, the IT systems can be audited around. This is often referred to as the “black-box” approach, by which the professional relies on interviews and flowcharts to develop an understanding of the systems but primarily tests the integrity of the data and the system by reconciling inputs to outputs. The second alternative is the “white-box” approach, which utilizes a relatively small dataset to test the system. Some of the tests performed include authenticity, accuracy, completeness, redundancy, access audit trail, and rounding error tests. CAATTs can facilitate the white-box approach by creating test data and performing electronic system walk-throughs (tracing). Computer forensic professionals may employ integrated test facilities by which the auditor examines the applications and their logic during normal operations by running parallel simulations.

These examinations are necessary to ensure that the data used by the auditor or forensic accountant have integrity. Various levels of assurance are necessary, depending on the engagement. Professionals in this environment need to be cognizant of the possibility that one or more of the IT systems personnel may be colluding with others to commit or conceal fraud. As such, fraud and forensic accounting professionals need to remain alert to the human side of fraud, the fraud triangle (pressure, opportunity, and rationalization), as well as M-I-C-E (motivations such as money, ideology, coercion, and ego). In fact, the IT professional may be in a unique position to commit and conceal a fraud, simply because so few others understand IT and how data can be manipulated.

The prior discussion focused mainly on the integrity of data entered into, processed by, and output from the digital environment. However, other risks may be present. For example, the data may accurately go through the system as programmed in the software, but an IT professional periodically substitutes an inappropriate version of the software into the digital environment. Thus, in this example, most transactions are handled correctly and according to system design and company policy; however, some legitimate data are processed by the substituted software and, as a result, are not accurate. Searching for those exceptional transactions requires sifting through the remainder, but it can be approached more effectively with some of the following data extraction and analysis tools.

The IT auditors or assurance professionals need to ensure that they examine the entire control environment, including controls that address other aspects of the computer operation—such as IT operational policies and procedures; data management systems; systems development and integration into the digital environment; system maintenance policies and procedures, including backup and contingency planning; electronic commerce; and daily, weekly, monthly, and annual computer operations—with regard to hardware, software, and IT personnel and user access.

Module 2: Digital Evidence

In the New York Times article “Mishandle a Fraud Search, and All That Fine Evidence Could Be for Nothing,”⁴ Peter Henning observed that

“The government obtained warrants to search Benjamin Wey’s company, New York Global Group, and his New York City apartment for evidence that he used other companies and investors as part of a plan to manipulate the shares of companies used for mergers with China-based businesses. The warrants listed 12 categories of documents that related to transactions with 220 individuals and companies, including the seizure of computers and other electronic devices that might contain records related to them.”

The warrant allowed agents to open every file to view the first few pages of a document, and search terms could be used to scan the laptop’s entire memory. In upholding the search, the United States Court of Appeals for the Second Circuit in Manhattan pointed out that “files and documents can easily be given misleading or coded names, and words that might be expected to occur in pertinent documents can be encrypted; even very simple codes can defeat a preplanned word search.”

So what caused the problem for prosecutors in the case? According to Henning, “the primary flaw was that while the affidavit submitted by an F.B.I. agent to a magistrate judge gave a reasonable description of the crimes under examination, that document was not incorporated in the warrant, or even attached to it, to establish the parameters for the search.” As Henning concluded, “Judge Nathan’s decision sends a clear message to agents and prosecutors in white-collar-crime examinations to tread carefully when using a search warrant to gather evidence. Although a treasure trove of materials can be obtained this way, failing to pay attention to the details of properly writing and executing a warrant can have devastating consequences for a case.”

Auditors solicit, obtain, evaluate, and develop audit evidence to test management’s assertions concerning the fairness of the presentation of the financial statements and to ensure that they are free from material misstatement, whether as a result of error or fraud. The assertions of management related to financial statements include the following:

  1. The existence of assets and transactions
  2. The completeness of the transactions reflected in the financial statements and related notes
  3. Proper disclosure of all rights and obligations associated with assets and liabilities
  4. The reasonableness of the valuation of transactions and balances reflected in the financial statements
  5. Proper financial statement presentation and disclosure of the related notes

As part of their work, forensic accountants and fraud examiners use information technology to gather, manage, and analyze evidence. Digital evidence analysis is particularly beneficial when the professional must sift through, organize, and analyze large amounts of evidence. Given Internal Revenue Service cycle times, audit engagement budgets, and cost-benefit considerations in litigation support engagements, large amounts of data, evidence, and information must be examined with speed and accuracy. Electronic imaging is a technique for scanning evidence and case documents into an electronic format for easy storage and retrieval. This process normally entails some coding to facilitate ease of access. Once the material has been captured and coded in electronic format, the professional can sort, analyze, and examine the data.

Computer forensics involves using specialized tools and techniques to image and capture data and information, housed on computer hardware and embedded in software applications, so that the integrity and chain of custody of such evidence is protected and can be admitted into a court of law. Electronic evidence refers to any evidence captured by computers and electronic devices. As such, it can be captured from desktop computers, notebook computers, network servers, backup storage medium, cell phones, personal digital assistants (PDAs), handheld computers, CDs, DVDs, digital cameras, stick drives, or any other electronic device or storage medium. Electronic mail (email), text messaging, social media posts, and correspondence are a rich source of digital evidence. People often put comments and information in electronic forms that they might never say out loud or include in a formal memo or letter. As with other digitized information, the challenge with electronic communication is the sheer volume of exchanges. It is only through electronic retrieval and searches that the benefits of these data are available to the investigator. Generally, a warrant or subpoena is required to obtain digital evidence. To obtain a warrant, the professional must show probable cause.

One of the main concerns in the digital environment is related to the initial acquisition of the evidence. Auditors and forensic accountants may attempt to “do too much” when they first encounter digital evidence. For example, the simple act of turning on a confiscated computer, digital camera, cell phone, PDA, etc. may make all the evidence on that digital device inadmissible in a courtroom. That is because, as soon as a device is turned on, it starts writing logs and performing other activities that alter the structure of the hard drive where data are stored (the defense would argue that the alterations show that the digital evidence had been tampered with). If this is the situation, it can’t be proven beyond a reasonable doubt what the data looked like before the device was booted up. Forensic accountants and fraud examiners seldom perform the work that is within the expertise of computer forensic professionals—usually, computer and electrical engineers and management information systems (MIS) personnel—who have specialized training and experience in digital evidence associated with fraud and forensic accounting issues. It is not only the need to protect the integrity of the data that justifies the use of the specialized knowledge, skills, and abilities of the computer forensic specialist but also their ability to find hidden information, deal with encrypted data, and retrieve previously deleted or erased files.

When the traditional forensic accountant or fraud examiner receives data in electronic format, they presume the digital evidence was obtained through legal means and was extracted in accordance with methodologies that protect its admissibility in a court of law. Students should understand that, with regard to digital evidence, only those with specialized training, experience, and appropriate professional certifications should initially handle digital evidence. Once the digital evidence has been made available to auditors and forensic accountants, they may work with the tools discussed in the following section to conduct audit procedures that will help them to detect and investigate fraud.

To maintain data integrity and admissibility, the antifraud/forensic accounting professional needs to be able to reconcile their work back to initially retrieved “master” datasets. Consistent with other aspects of the fraud and forensic accounting engagement, professionals should maintain good work papers and be able to demonstrate the foundations of their work. In an electronic world, audit trails and logs are especially helpful. As an example, if the data extraction and analysis require multiple steps, each step and its results should be documented.
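One way to make each analysis step reconcilable to the master dataset is a hash-chained work log, shown in the following added example (not part of the original text). The class and function names, the CSV layout, and the sample data are assumptions; a working log would also record the examiner and the time of each step.

```python
import csv
import hashlib
import io
import json
from decimal import Decimal

# Constructed sample "master" extract, standing in for the dataset as received.
MASTER = (b"invoice,vendor,amount\n"
          b"1001,ACME,100.00\n1002,BOLT,25.00\n1003,ACME,50.00\n")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash every field of a log entry except the stored hash itself."""
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class WorkLog:
    """Append-only work log; each entry commits to the entry before it."""

    def __init__(self, master: bytes):
        self.master_sha256 = sha256_hex(master)   # fixed at intake
        self.entries = []

    def record(self, step: str, data_in: bytes, data_out: bytes) -> None:
        prev = self.entries[-1]["entry_sha256"] if self.entries else self.master_sha256
        entry = {"seq": len(self.entries) + 1, "step": step,
                 "input_sha256": sha256_hex(data_in),
                 "output_sha256": sha256_hex(data_out), "prev": prev}
        entry["entry_sha256"] = entry_hash(entry)
        self.entries.append(entry)


def verify(log: WorkLog, master: bytes) -> list:
    """Return a list of problems; an empty list means the work reconciles."""
    problems = []
    if sha256_hex(master) != log.master_sha256:
        problems.append("master dataset differs from the one logged at intake")
    known, prev = {log.master_sha256}, log.master_sha256
    for e in log.entries:
        if e["prev"] != prev or entry_hash(e) != e["entry_sha256"]:
            problems.append(f"step {e['seq']}: log entry altered or out of order")
        if e["input_sha256"] not in known:   # input must be master or a prior output
            problems.append(f"step {e['seq']}: input does not trace back to the master dataset")
        known.add(e["output_sha256"])
        prev = e["entry_sha256"]
    return problems


def filter_vendor(data: bytes, vendor: str) -> bytes:
    rows = list(csv.reader(io.StringIO(data.decode())))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(rows[0])
    writer.writerows(r for r in rows[1:] if r[1] == vendor)
    return out.getvalue().encode()


def total_amount(data: bytes) -> bytes:
    rows = list(csv.DictReader(io.StringIO(data.decode())))
    return str(sum(Decimal(r["amount"]) for r in rows)).encode()


def demo():
    log = WorkLog(MASTER)
    acme = filter_vendor(MASTER, "ACME")
    log.record("filter vendor == ACME", MASTER, acme)
    log.record("sum amount column", acme, total_amount(acme))
    clean = verify(log, MASTER)
    # Case 1: a step is rerun on an edited working copy.
    edited = acme.replace(b"50.00", b"5.00")
    log.record("sum amount column (rerun)", edited, total_amount(edited))
    untraceable = verify(log, MASTER)
    # Case 2: an existing entry is reworded after the fact.
    log.entries[0]["step"] = "filter vendor == BOLT"
    altered = verify(log, MASTER)
    return clean, untraceable, altered


if __name__ == "__main__":
    for result in demo():
        print(result)
```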

Tools Used to Gather Digital Evidence

Numerous tools have been developed to gather and protect digital evidence, some of which are described as follows.

Road MASSter 3

Road MASSter 3 can be described as a portable computer (digital) forensic lab. It is housed in a metal briefcase-type container on wheels; inside is a keyboard, a color LCD display, and data-copying devices. Road MASSter 3 can be used in the field (e.g., at crime scenes or search warrant locations) to acquire and analyze electronic data and preview and image hard drives. The system can copy the hard drive to a number of different formats for subsequent data extraction and analysis, including Microsoft Windows XP (Access and Excel), Linux, EnCase, Safe Back, ICS, or other imaging file formats. Road MASSter 3’s tools are designed to perform quick, reliable hard drive imaging and data analysis. The device can be used to image hard drives of any kind as well as to capture data from other media (e.g., CDs, stick drives, flash drives) and unopened computers. IT computer forensics professionals can also copy and analyze information stored on hard drives and mobile devices, such as smart phones. Investigators can save or print audit trail reports for use as evidence in court. Finally, Road MASSter 3 can also be used to write-protect and sanitize hard drives.

EnCase

EnCase is another tool for digital imaging of hard drives and other storage media. EnCase acquires data in a forensically sound manner that has generally been accepted in courtrooms. Like Road MASSter 3, EnCase can be used to investigate and analyze data on multiple platforms, including Windows, Linux, AIX, OS X, Solaris, and others. This software also provides tools to identify information stored on hard drives despite efforts to hide, cloak, or delete the data. It is also designed to manage large volumes of computer evidence and to view relevant file types, including so-called deleted files, file slack, and unallocated space. Once the data have been properly and legally obtained, they can be transferred as evidence files for additional analysis and examination.

Recovering Deleted Files

Computer forensic specialists may discover that files have been deleted from a hard drive. Generally, recovering deleted files is not considered difficult, provided that the file has not been overwritten or corrupted and that the drive has not been repartitioned or reformatted. A number of software tools, for example, UNERASER for Windows and Data Rescue 5 for Apple computers as well as other similar products, are commercially available. Recovering deleted files is considered a separate task from restoring overwritten or corrupted files. The reason is that when a file is deleted from your computer, it has not been removed from the hard drive. The delete function simply removes the file from the list of files in a particular folder. The first step to recovering a deleted file is to look in the Recycle Bin. With Windows, deleted file names are simply moved there. While the file resides in the Windows Recycle Bin, the file can be restored by “right-clicking” on the file name and choosing “restore.”

If the deleted file is not in the Recycle Bin, it may still be recoverable. When a file is deleted or the Recycle Bin has been emptied, the file name is removed from the list of files in the folder. The risk is that the space where the file resides was made available for reuse. Until the computer reuses the space where the file resides, the data contained in the file remain intact. Obviously, the more time that passes, the lower are the chances of recovering a deleted file intact, because it becomes increasingly likely that the computer will reuse all or part of the file’s disk space for another task.

Another activity that can severely reduce the ability to recover deleted files is the “Defrag” command. Defrag, or defragmenting the hard drive, is a method of reorganizing the computer hard drive so that the unused space is allocated for the most efficient data storage. For example, over time, as the computer user creates and deletes files, adds and removes software, etc., computer programs and files occupy the available hard drive. This creates pockets of used and unused space. The result is that large contiguous storage space is no longer available, and the computer has to store files in pieces. Thus, the computer has to spend time searching for space to save new files and programs, and large files or programs may need to be stored in more than one place on the hard drive. When a computer has a fragmented hard drive, computer operations slow down. Defrag reorganizes the files so that more parts of each file are contiguous. This enhances computer performance and creates a larger cluster of unused storage space. Because defragmenting the hard drive moves the files around, the probability of recovering deleted files is reduced. In the Defrag process, the computer’s files are rearranged to enhance efficiency, and as a result, deleted files are overwritten. After the Defrag command, even undelete software tools have a difficult time restoring deleted files.

Assuming that Recycle Bin recovery is not successful, the Defrag command has not been run, and a limited amount of time has passed since a particular file was deleted, third-party undelete software can be acquired to attempt to recover the deleted files. Undelete software understands the internal system of pointers used by the computer to store files. With this knowledge, it searches for clues as to the location of the disk space where the deleted file may reside. Undelete software can also examine the unallocated disk space, that is, space where the deleted files had been located but which the computer has not yet chosen to reuse. If a number of files are to be recovered, recovered files should be stored on a separate hard drive, stick drive, or some storage space, where the save action will not impair the recovery of other deleted files on the hard drive. The separate hard drive or other external storage device can also be used as the location for the undelete programs for the same reason.
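The following added example (not from the original text) models why a deleted file stays recoverable until its space is reused, and why saving new files to the same drive destroys evidence. It is a deliberately simplified volume, not any real file system; the 16-byte cluster size, the first-free allocation rule, and the file contents are assumptions.

```python
CLUSTER = 16  # bytes per cluster in this toy model

# Constructed file content used as the "deleted evidence".
LEDGER = b"PAY VENDOR 4471 $9,850 APPROVED BY J.DOE"


class ToyVolume:
    """Simplified volume: a directory, an allocation map, and raw clusters."""

    def __init__(self, n_clusters: int):
        self.raw = bytearray(n_clusters * CLUSTER)
        self.free = [True] * n_clusters
        self.directory = {}   # file name -> (list of clusters, size in bytes)

    def _cluster(self, i: int) -> bytes:
        return bytes(self.raw[i * CLUSTER:(i + 1) * CLUSTER])

    def write(self, name: str, content: bytes) -> None:
        need = -(-len(content) // CLUSTER)   # ceiling division
        chosen = [i for i, is_free in enumerate(self.free) if is_free][:need]
        if len(chosen) < need:
            raise OSError("volume full")
        for n, c in enumerate(chosen):
            chunk = content[n * CLUSTER:(n + 1) * CLUSTER]
            # Only len(chunk) bytes are written; the remainder of the cluster
            # keeps whatever was stored there before (file slack).
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.free[c] = False
        self.directory[name] = (chosen, len(content))

    def delete(self, name: str) -> None:
        # Deleting removes the directory entry and frees the clusters.
        # The bytes in those clusters are left untouched.
        clusters, _ = self.directory.pop(name)
        for c in clusters:
            self.free[c] = True

    def unallocated_data(self) -> bytes:
        """What a scan of unallocated space finds: free clusters still holding data."""
        parts = [self._cluster(i) for i, is_free in enumerate(self.free) if is_free]
        return b"".join(p for p in parts if any(p)).rstrip(b"\x00")

    def slack(self, name: str) -> bytes:
        """Old bytes left after the end of a live file in its last cluster."""
        clusters, size = self.directory[name]
        used = size % CLUSTER
        return self._cluster(clusters[-1])[used:].rstrip(b"\x00") if used else b""


def demo():
    vol = ToyVolume(8)
    vol.write("ledger.txt", LEDGER)
    vol.write("notes.txt", b"lunch at noon")
    vol.delete("ledger.txt")
    right_after_delete = vol.unallocated_data()   # nothing has reused the space yet
    vol.write("memo.txt", b"quarterly memo draft")  # a new save reuses freed clusters
    after_reuse = vol.unallocated_data()
    return right_after_delete, after_reuse, vol.slack("memo.txt")


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Immediately after deletion the whole ledger text is still in unallocated space; after one new file is saved, only the last fragment remains there and another fragment survives only as slack behind the new file.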

Recovering Deleted Emails

Emails are stored in mail folders (not individually as separate files), and each mail folder is considered a separate file. Some email systems have a recycle bin feature that is analogous to the Windows Recycle Bin for deleted files. If the email software system has a recycle bin, that is the first place to attempt email recovery. However, most email recycle bins have some time limit or some other “auto-empty recycle bin” feature that periodically clears the deleted emails. For example, Outlook Express provides an option to empty the Deleted Items folder when the user exits the program. In such cases, recovery of deleted emails becomes more difficult.

Normally, even after an email has been deleted from a mail folder or from the recycle bin, the space it occupied is left empty until the mail program compacts the folder. Prior to compaction, deleted email messages may be recovered using special email recovery software. Some of the email recovery tools include Email Recovery Software (for Outlook Express and Windows Mail) and Outlook PST Repair (for Microsoft Outlook PST files). Another option for recovering deleted emails is to restore them from backup tapes or another backup storage medium. New e-discovery rules require organizations to be able to provide email and other electronic files that go back in time in a manner similar to that of paper files. So the probability of recovery of email and other deleted files in an e-discovery environment is greatly enhanced.

Restoring Data

Restoring data and files is a more sophisticated approach to recovering deleted files and is used to restore lost files under more challenging circumstances, such as the following:

  • Lost files, photos, or documents
  • Deleted files or folders where the Recycle Bin has been emptied
  • Irreplaceable files that cannot be found and may have accidentally been deleted
  • Archived files or photos (e.g., to CD or DVD) where the CD or DVD has been corrupted or tagged unreadable
  • Files deleted some time ago, but which are now needed
  • A hard drive that has failed
  • A hard drive that has been reformatted
  • A hard drive that has been damaged (some files in the damaged area will be lost)

Assuming that techniques to recover deleted files do not work, it is important to stop writing to the drive while the possibility of a missing or unrecoverable deleted file exists. This increases the probability of recovering whatever is left of previously deleted files. At this point, third-party software is most likely necessary to facilitate the restoration process.

Third-party software is not as readily available for Apple Mac computers. However, one such software package for Apple computers is Data Rescue II.

In some cases, the undelete utility from the software package may appear to restore a file, but the file proves to be corrupt when the user attempts to open it. This may be because the contents of the file are unrecoverable, and some restoration software tools are better than others. Not surprisingly, some of the more effective data recovery tools cost more. Nevertheless, if the restoration project is important and the software package fails, others may be attempted until the file can be fully restored.

If third-party software restoration fails but provides some results, in some cases, software engineers and computer forensic specialists can manually search for lost files. The human brain can often solve difficult tasks. Software programs can replicate the ability to solve complex problems if properly designed and programmed. However, some recovery can be so unpredictable and difficult that even the best software programs cannot anticipate all possible restoration solutions. For example, assume that a computer forensic analyst has a partially recovered Microsoft Word document and the language of the document stops halfway through a sentence (and the rest of the file starting with the unfinished sentence is missing). In such a case, the computer forensic specialist can search the entire hard disk for clusters that may contain what are likely to be the next words in the document (i.e., those words that might complete the sentence) and piece together files from fragments of data. In other cases, the data recovery specialist can restore files by taking the magnetic platters out of the drive casing and reading them using special equipment. Of course, it’s not surprising that manual (intervention) restoration is far more expensive than recovery or restoration using third-party software; however, in some situations, the cost-benefit may warrant the additional cost.

The good news for fraud examiners and forensic accountants is that files deleted from a computer are not actually deleted and can be recovered and restored relatively easily. This is not good news for a perpetrator who is relying on the deletion of data to conceal his or her crime. For high-security needs, data security software and privacy tools, such as Privacy Guardian or Privacy Suite, are available. These do more than delete files; they overwrite the disk sectors that held the data. Once these sectors have been overwritten, generally, even a computer forensic specialist cannot recover the files. Because some application software programs write data to temporary locations during use, the high-security packages also erase and overwrite known temporary storage locations and other unused disk space. If a tool of this type has been used, the chance of restoring files is, essentially, nonexistent. However, depending on the nature, size, or other attributes of an examination and the importance of the digital evidence, computer forensic tools and techniques may be worth a try. Traces of the sensitive data may remain. Even if all files cannot be recovered, enough pieces may be available that vital evidence can be developed. Like other cases previously described, if high-security or privacy software has been used, a computer forensic specialist likely examines the storage device manually to determine what can be recovered.

General knowledge of tools and techniques used by forensic computer scientists for retrieving files from seized computers—and of how the work of forensic accountants must be coordinated with forensic computer specialists—is an important aspect of fraud examination and forensic accounting engagements. In addition, fraud examiners and forensic accountants need to be able to identify situations that demand a forensic computer specialist, and they need to understand how legal proceedings against a perpetrator can be jeopardized if evidence is gathered by one who lacks appropriate skills.

Module 3: Detection and Examination in a Digital Environment

According to the AICPA’s Journal of Accountancy (Big Data: What forensic accountants need to know),5 many CPAs will need to learn new IT skills due to the rise of Big Data, but those skills should produce a variety of forensic accounting business opportunities. Despite the Big Data buzz, data extraction and analysis is not new to CPAs. Data analytics has been part of the antifraud and forensic accounting professionals’ toolkit for a long time. According to the article, some of the key issues to understand are as follows:

  • Software tools to examine big data are available and improving.
  • Organizations generate a lot of data.
  • Tying the data to a source that is complete and accurate is a challenge.
  • Getting data into a usable format is also a significant challenge.
  • The article suggests that spreadsheet tool capabilities stop at around 1 million rows of data. Beyond one million records, the professional needs to engage more powerful software tools.
  • Slicing and dicing data is necessary to draw meaningful information.
  • Analysis should be focused and driven by the need to answer a query, or to validate or invalidate a theory, whether raised by your side or claimed by the other side.
  • Financial and nonfinancial numbers (e.g., hours worked) and data (e.g., text) are subject to systematic examination.

In recent years, computer companies and programmers have developed software that enables users to sift through large volumes of information and transactions. These programs identify customers, suppliers, vendors, and employees and can be used to analyze performance, trends, and other important attributes related to a company. They can also be configured to identify control weaknesses in application programs, as well as anomalies in accounting books and records. Fraud examiners and auditors use data analysis software as the ultimate system of red flags, detecting a potential fraud in situations for which manual examination would prove extremely difficult or impossible.

Because of the sheer size of some databases and the amount of information stored in electronic media, the key to successful fraud detection and examination using digital tools and techniques is a targeted approach. The fraud examiner or auditor must have an understanding of what could go wrong, what did go wrong, and how those concerns would manifest in the information system. This requires knowledge of the schemes, the industry, the organization, its IT control environments, its history of fraud, and other aspects outlined in the steps to develop a targeted risk assessment. With this foundation, the antifraud professional has an idea of what he or she is looking for.

As a starting point for digital analysis, whether for fraud detection or examination, the electronic data must be obtained and delivered in some kind of file structure. Optimally, the data have been converted in advance into a text, ASCII, Microsoft Access, Excel, or some format that can be read and analyzed by some of the more popular programs for data extraction and analysis. From there, the data can be analyzed in the format received or converted for use in programs such as IDEA, ACL, or Tableau. However, the data often come in some other format and must be prepared for use in one of the many programs available for analysis. Data files normally come in either a “flat file” or “hierarchical and network database” structure. Some of the flat file structures include sequential, indexed, hashing, and pointer file structures. With “hierarchical and network database” structures, the database is relational. Relational databases often incorporate some aspects of the flat file structures and linkages between the data as well. These need to be converted for use in programs such as Excel, Access, IDEA, ACL, and Tableau. This can only be done by knowing the type of database and its accompanying file structure.

Each of the previously discussed programs often used by fraud examiners and forensic accountants has “import” functionality embedded in the program. This allows the program to access and read data from various formats for later use. In most cases, the files to be exported from a source computer system, program, or database—whether flat, hierarchical, or network—need to be converted into a file format that can be read by Excel, Access, IDEA, ACL, or Tableau, for example. In other cases, the extraction process creates a generic file structure that most programs can read. No matter how the data are exported from a computer system and, subsequently, imported for use by the fraud examiner or forensic accountant, data and file integrity controls must be in place to ensure completeness and accuracy.

A continued point of emphasis is the idea that a targeted approach is required. There are horror stories of IT specialists running programs that kick out thousands of anomalies that may be indicative of fraud, errors, internal control breakdowns, or other issues. However, the exceptions are so numerous that no one from the audit team has the time to examine each anomaly. Such an approach may even create liability exposure for the financial statement auditor, because a diligent lawyer may subpoena such records and contract with other professionals who take the time to sift through the anomalies to locate the few that were indicative of a much larger problem. Although the action or inaction of the auditors with respect to such an extensive number of anomalies makes sense and is justifiable, a jury may take a different position, if a significant (material) fraud is subsequently discovered when, all the while, the auditors had the red flags right in front of them.

In contrast, a targeted risk assessment, followed by incorporating IT tools and techniques that search for specific anomalies, is likely to yield far fewer exceptions and a far higher probability that the red flags deserve additional attention and work on the part of the auditor. Conan Albrecht and Steve Silver have referred to this as a “rifle shot” approach, as opposed to a “shotgun” approach to data extraction and analysis.

Framework for Data Extraction and Analysis Tools and Techniques

Big data, data analytics, and financial analytics are terms that have gained recognition in the financial forensics community. Such approaches to data analysis, used in a targeted manner, can contribute significantly to both the effectiveness and efficiency of a forensics examination. For example, in one case, extensive related party accounts receivable (A/R) transactions were buried in the general ledger. Other symptoms of fraud initiated the examination, but the discovery that about 40% of revenues came from related parties shifted the examination toward A/R. Related parties totaled approximately 30 of 100 customers (30%). In numerous instances, related-party A/R balances were allowed to accumulate and then written off against (buried) revenues. The write-offs were done by an individual related-party entity, and identifying them among the numerous revenue and receivables transactions was time-consuming. These transactions spanned a five-year period and were documented in printed general ledgers with each general ledger requiring about a 3-inch binder.

After a day or so of engagement time had been spent, QuickBooks general ledgers were requested in electronic format. Knowing that electronic analysis would probably blow the case wide open, the opposing side resisted for months. Finally, the five general ledgers in CSV format were received on a Friday afternoon. By Saturday afternoon, all five had been imported into Excel and analyzed. The findings revealed that millions of dollars of related-party receivables had been written off. In the private company under examination, the unrelated party shareholders were negatively impacted in their annual dividend payoffs because of this “disappearing” money in the hands of the controlling shareholder’s family members. Only with the benefit of electronic analysis was this examination able to be completed in a cost-effective manner.

Digital analysis can be used as part of risk assessment, testing of controls, substantive analytical procedures, testing of transaction details (e.g., recalculation), and, upon completion, helping to formulate conclusions and opinions. In many cases, the results from the analytical procedures form the foundation of “paper-and-pencil” work: pulling invoices, contracts, purchase orders, journal entries, reconciliations, and other materials needed to complete the examination in terms of who, what, when, where, and how. In other cases, the digital analytical results are compelling and stand-alone.

Digital data can be disaggregated along numerous lines including the following:

  • Financial
  • Nonfinancial
  • Processes
  • Control points
  • Demographics
  • Geographic
  • Business sector
  • Product line
  • Any other logical manner that might contribute relevant findings to a case examination

In fraud and forensic examinations, timing is often a critical component. Digital data lends itself well to examinations across time and by time period.

As with nondigital data, the quality of the data matters, including the source (reliability) and the accuracy (validity) of the data. Data generated in the accounting and financial reporting areas may be corrupt, whereas data from other operational areas (e.g., marketing, distribution, online sales) and data from external (independent) third parties may be more reliable.

Metadata can also contribute significantly to fraud examination and forensic analysis. Metadata is not the data in the file itself that most people retrieve, access, analyze, etc., but is more like an activity log that captures file details, such as who created the file, when, who last edited the file and when, etc. This data can be critical to answering many of the questions—who, what, when, where, and how.
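The metadata described above can be read directly from many file types. The following is an added example, not part of the original text: it reads the core properties that Word-format (.docx) files store in docProps/core.xml and raises two simple timeline flags. The sample file, the names in it, the cutoff time, and the helper function names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# XML namespaces used by the core-properties part of Office Open XML files.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "revision": "cp:revision",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}
W3CDTF = "%Y-%m-%dT%H:%M:%SZ"  # assumes whole-second UTC timestamps


def build_sample_docx(with_core=True):
    """Constructed sample: a minimal .docx-style ZIP with fictitious metadata."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>A. Clerk</dc:creator>"
        "<cp:lastModifiedBy>B. Controller</cp:lastModifiedBy>"
        "<cp:revision>7</cp:revision>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2019-03-01T09:15:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2019-06-30T23:41:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        if with_core:
            zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


def read_core_properties(data):
    """Return who/when metadata from a .docx given as bytes ({} if absent)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            raw = zf.read("docProps/core.xml")
        except KeyError:
            return {}  # the metadata part was never written or was stripped
    root = ET.fromstring(raw)
    props = {}
    for name, path in FIELDS.items():
        element = root.find(path, NS)
        if element is not None and element.text:
            props[name] = element.text.strip()
    return props


def timeline_flags(props, cutoff):
    """Flag metadata that deserves follow-up; cutoff is a W3CDTF string."""
    flags = []
    creator, editor = props.get("creator"), props.get("last_modified_by")
    if creator and editor and creator != editor:
        flags.append("last editor differs from creator")
    if "modified" in props:
        modified = datetime.strptime(props["modified"], W3CDTF)
        if modified > datetime.strptime(cutoff, W3CDTF):
            flags.append("modified after cutoff")
    return flags


if __name__ == "__main__":
    props = read_core_properties(build_sample_docx())
    print(props)
    print(timeline_flags(props, "2019-06-30T17:00:00Z"))
```

Run a reader like this against a forensic copy, never the original file, and treat the values as leads to corroborate, because the authoring application and the machine's clock set them.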

With the power of computing increasing over time, the ability to systematically examine and analyze text and other forms of unstructured data will also improve. Programs can be written to pull text files—such as emails, instant messages, memos, handbooks, policy manuals, and other forms of written material—to search for particular and unique words and word strings. For example, programs can look for emotive words that are consistent with stress in the author’s message.

Targeted Approach

In some circumstances, an initial big data examination will lead to a large number of anomalies. Such a large number of exceptions may be more problematic than helpful. The recent AICPA publication, “Guide to Audit Data Analytics,” offers some suggestions.6 The Guide suggests three possible courses of action:

  1. The examiner should consider more clearly defining the characteristics of the data that should be identified as anomalies. For example, a preliminary review of the data analytics anomalies may suggest that some items are easily explainable in the context of the organization and its operations. In such a case, the data analytics parameters can be refined to more effectively identify those transactions that require closer examination.
  2. The examiner may stratify the preliminary results to identify subgroups that are more likely to be of concern. In the earlier example, the related-party A/R transactions were of greater import. The analytics parameters can be updated to focus on high or higher risk subgroups.
  3. The examiner may determine that a particular data analytics technique is not effective and that the data should be examined differently, using other forensics tools and techniques, even those grounded in paper documents.

As noted above, data analytics can be used as part of risk assessment. Risk assessment is an attempt to identify early in an engagement the major concerns and points of focus. While auditors need the ability to examine the books and records to ensure that the financial statements are free from material misstatement, fraud and forensic examinations often have scope limitations. Scope limitations serve to focus and shape the examination while permitting a deep dive into the details under examination, often more carefully examined than in typical audit procedures.

Nevertheless, an initial assessment of the risk associated with an area under examination in terms of the control environment and relevant internal controls is warranted. Such assessment contributes to the ability to generate reliable and valid data that can be examined. Careful consideration of data sources and accuracy helps shape the examination. If the examiner determines that the data generated may not be reliable or valid, then the examiner needs to complete additional procedures to gain confidence in the data examined or seek out alternative data sources. For example, the examination may need to obtain data from independent, external third parties or reconcile data under examination to that generated by other departments within the organization where data integrity is considered high, and the data deemed accurate and reliable.

Data analytics can also be completed to perform analytical procedures. Analytical procedures are defined as “evaluations of financial information through analysis of plausible relationships among both financial and non-financial data. Analytical procedures also encompass such examination, as necessary, of identified fluctuations or relationships that are inconsistent with other relevant information or that differ from expected values by a significant amount.”7 Typical substantive procedures may include comparisons within an organization (e.g., common-size, vertical, horizontal, ratio, trends) or between the organization and its key competitors or industry averages. A critical aspect of substantive analytical procedures is the development of a reasonable expectation upon which deviations and anomalies can be accurately and effectively identified.

Anomalies are telling; anomalies suggest that either an internal control is lacking or one that is properly designed is not operational or not functioning properly. Assuming that the risk assessment stage suggests that the control environment and particular controls are reliable, anomalies suggest that the judgment was inaccurate, at least, in terms of those transactions where the anomalies were noted. One course of action beyond additional examination of anomalies may be a need to revisit the risk assessment stage for this particular group of transactions.

Data Extraction and Analysis Software Functions

Computer software can be utilized to scan the database for several different types of information. The resulting output may confirm transaction integrity, while highlighting anomalies and red flags. To accomplish this, most software packages use a combination of functions, including the following:

  • Sorting: arranging the data in some meaningful order, such as customer name, number, amount, date
  • Record selection and extraction: querying (requesting) that the computer find occurrences of items or records in a field that match some criteria of interest to the investigator. This type of request only returns (extracts) instances where the record occurred, effectively reducing large amounts of information into concise lists. Often, additional criteria placed on the record selection or query reveal a more pertinent list of information.
  • Joining files: gathering together the specified parts of different data files. Joining files uses a common attribute between files to combine fields from two input files to create a third file that consists of selected data from the original files. For example, the join function can be used to match data in a transaction file with records in a master file, such as matching invoice data in an accounts receivable file to the name and address of the customer.
  • Multifile processing: relating multiple files by defining relationships between those files, without the use of the join (or similar) command. An example of a common data relationship might be to relate an outstanding customer invoice file to an accounts receivable file based on the customer number.
  • Correlation analysis: determining statistical relationships between different variables in a dataset. Investigators can learn a lot about data by observing how variables move together, disparately, or have little to no relationship with one another. For example, employee hotel expenses should increase as the number of days traveled increases for a given time period. Similarly, gallons of paint used should increase as the number of houses built increases. Investigators look for correlations where none had existed previously, as well as correlations that no longer exist. Such anomalies, within a targeted risk assessment framework, may suggest further investigative steps.
  • Verifying multiples of a number: examining the relationship between quantities and prices. For example, an invoice total can be recalculated based on the quantity ordered and the price per the published price lists. Exceptions require further examination. Other examples of inquiries related to multiplication expectations include reimbursement rates for mileage, pay check amounts for hours worked (with or without overtime), etc. For instance, a mileage reimbursement check that does not compute, given the current per mile rate and the number of miles driven, can be a red flag.
  • Compliance verification: using the software functionality to determine whether employee transactions are in compliance with company policies. For example, company policy may require that customers seeking high credit limits obtain the approval of the accounts receivable manager or some other high-ranking official. If the computer captures the approval function, a query can be set up to search for large credit invoices and accounts receivable balances where both approvals were not present (input). In some instances, fraud examiners can find early indications of fraud by testing detail data for values above or below specified amounts. As another example, when employees are out of town, do they adhere to company policy of spending not more than the per diem amount for meals? As a starting point, a query can identify all expense report data where meal expense per day exceeds the per diem. Even though the identified variances may be small ($2 and $3), the time taken to perform further research with respect to small variances can be well invested. Small anomalies may be the “tip of the iceberg” and might lead to something larger.
  • Duplicate searches: querying the database for the observance of duplicates in a database where none are expected. For example, a search for the same or similar mailing addresses for different suppliers, vendors, or employees. As a further example, fraud examiners and auditors can perform searches on invoice disbursements numerically to determine whether any invoices have been paid twice. By cross-checking the invoices with vendor payments, they can catch duplicate billings.
  • Vertical ratio analysis: analyzing the relationships between the items on an income statement, balance sheet, or statement of cash flows by expressing each line item as a percentage of a selected total. For example, in a vertical analysis of an income statement, net sales are usually 100%, and each income statement includes line items presented as a percentage of net sales; on a balance sheet, total assets, liabilities, or equity is often assigned on the basis of 100%. For instance, an investigator may be able to determine whether paid expenditures over multiple periods are reasonable. If one area of company expenses seems abnormally large or growing/declining in a manner that is unexpected, a red flag could be raised and further examination might be appropriate.
  • Horizontal ratio analysis: analyzing the percentage change in individual financial statement line items from one year to the next. With horizontal analysis, the first year is considered the base year. In subsequent years, changes from the prior year are computed and expressed as a percentage of the base year or the most recent prior year. This function determines the trends over time (e.g., expenses, inventory). Discrepancies and unexpected trends may suggest further inquiry.
  • Date functions: querying the database based on dates. This function can be used to identify discrepancies in dates across database files; for example, invoice dates in the accounts receivable files may not agree with invoice dates in the customer history file. By using the software to verify that dates are consistent, the fraud examiner or forensic accountant can extract suspicious transactions where the dates are inconsistent. Other date functions include aging of data and looking for transaction dates outside of expected date ranges.
  • Recalculations: checking the accuracy of amounts by recomputing those amounts using quantities and prices/dollar rates. For example, employee paycheck amounts can be examined by pulling hours data from the manufacturing data capture files and pulling the employee’s wage rate from the employee master file. Amounts that do not agree with the paycheck amount could be flagged for further examination.
  • Transactions and balances exceeding expectations: checking to ensure that transaction amounts and balances (conglomerations of transactions) do not exceed expected limits. For example, a twenty-four-hour day, seven-day work week is 168 hours. Clearly, no employee should be paid for more hours than there are in a week. Likewise, a salaried employee should be paid his or her salary amount for the pay period. Notwithstanding bonuses, the paycheck amount should not exceed the salary amount based on the employee master file.
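Three of the functions listed above (duplicate searches, recalculations, and compliance verification), written as targeted tests over a small payment file. This is an added example, not part of the original text and not the code of any product named in this chapter; the data, column names, and the 300.00 approval limit are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict
from decimal import Decimal

# Constructed sample data. The last column is the approver, blank if none.
PAYMENTS_CSV = """payment_id,vendor_id,invoice_no,quantity,unit_price,invoice_total,approved_by
P001,V10,INV-1001,10,25.00,250.00,
P002,V10,INV-1002,4,99.50,398.00,mgr01
P003,V22,INV-1004,3,120.00,390.00,
P004,V10,inv 1001,10,25.00,250.00,
P005,V31,INV-1005,7,15.25,106.75,
P006,V22,INV-1007,1,80.00,80.00,mgr01
"""


def load_rows(text):
    """Parse the CSV export into a list of dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def normalize_invoice(invoice_no):
    """Fold case and drop punctuation so 'inv 1001' matches 'INV-1001'."""
    return re.sub(r"[^A-Z0-9]", "", invoice_no.upper())


def duplicate_payments(rows):
    """Duplicate search: same vendor, invoice number, and amount paid twice."""
    groups = defaultdict(list)
    for row in rows:
        key = (
            row["vendor_id"],
            normalize_invoice(row["invoice_no"]),
            Decimal(row["invoice_total"]),
        )
        groups[key].append(row["payment_id"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)


def recalculation_exceptions(rows, tolerance=Decimal("0.00")):
    """Recalculation: quantity x unit price must equal the invoice total."""
    exceptions = []
    for row in rows:
        expected = Decimal(row["quantity"]) * Decimal(row["unit_price"])
        expected = expected.quantize(Decimal("0.01"))
        difference = Decimal(row["invoice_total"]) - expected
        if abs(difference) > tolerance:
            exceptions.append((row["payment_id"], expected, difference))
    return exceptions


def missing_approval(rows, limit):
    """Compliance verification: amounts over the limit need a recorded approver."""
    return [
        row["payment_id"]
        for row in rows
        if Decimal(row["invoice_total"]) > limit and not row["approved_by"].strip()
    ]


if __name__ == "__main__":
    rows = load_rows(PAYMENTS_CSV)
    print("Possible duplicate payments:", duplicate_payments(rows))
    print("Recalculation exceptions:", recalculation_exceptions(rows))
    print("Over limit, no approval:", missing_approval(rows, Decimal("300.00")))
```

Each test returns a short exception list rather than a score, which keeps the follow-up work (pulling the invoice, the purchase order, and the approval record) tied to specific transactions.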

Given the functions previously described, the following are some examples of data analysis queries that can be performed by most data analysis software8:

GENERAL LEDGER ANALYSIS

  • Select specific journal entries for analysis
  • Create actual to budget comparison reports
  • Analyze and confirm specific ledger accounts for legitimate transaction activity
  • Speed account reconciliation through specialized account queries
  • Calculate financial ratios
  • Calculate percentage comparison ratios between accounts
  • Prepare custom reports, cash flow, profit/loss, and asset and liability total reports
  • Compare summaries by major account in any order (low to high, high to low)
  • Create reports in any format by account, division, department, etc.

ACCOUNTS RECEIVABLE

  • Create a list of customer limit increases and decreases
  • Age accounts receivable in various formats
  • Identify gaps in sequential forms such as invoices
  • Identify duplicate invoices or customer account number entries
  • Show specified reports on credits taken by customers
  • Report customer summaries by invoice, product, etc.
  • Identify customer activity by age, product, etc.
  • Compare customer credit limits and current or past balances

SALES ANALYSIS

  • Create a report of all system overrides and sales exceptions
  • Analyze returns and allowances by store, department, or other areas
  • Summarize trends by customer type, products, salesperson, etc.
  • Compare ratios of current sales to outstanding receivables or other variables
  • Generate reports on a correlation between product demand or supply and sales prices

ACCOUNTS PAYABLE

  • Audit paid invoices for manual comparison with actual invoices
  • Summarize large invoices by amount, vendor, etc.
  • Identify debits to expense accounts outside of set default accounts
  • Reconcile check registers to disbursements by vendor invoices
  • Verify vendor 1099 requirements
  • Create vendor detail and summary analysis reports
  • Review recurring monthly expenses and compare to posted/paid invoices
  • Generate a report on specified vouchers for manual audit or examination

ASSET MANAGEMENT

  • Generate depreciation to cost reports
  • Compare book and tax depreciation and indicate variances
  • Sort asset values by asset type or dollar amount
  • Select samples for asset existence verification
  • Recalculate expense and reserve amounts using replacement costs

CASH DISBURSEMENT

  • Summarize cash disbursements by account, bank, department, vendor, etc.
  • Verify audit trail for all disbursements by purchase order, vendor, department, etc.
  • Generate vendor cash activity summary for analysis
  • Identify disbursements by department, supervisor approval, or amount limits

PAYROLL

  • Summarize payroll activity by specific criteria for review
  • Identify changes to payroll or employee files
  • Compare time card and payroll rates for possible discrepancies
  • Prepare check amount reports for amounts over a certain limit
  • Check proper supervisory authorization on payroll disbursements

PURCHASING

  • Track scheduled receipt dates versus actual receipt dates, summary, and detail
  • Compare vendor performance by summarizing item delivery times and amounts
  • Isolate purchase order types for analysis
  • Analyze late shipments

These accounting systems can be reconciled to nonfinancial data, operational systems outside of accounting, or to data provided by independent third parties, as needed, depending on the circumstances of the examination. Other functional business areas that may be examined in a forensic accounting or fraud examination engagement include human resources, marketing/promotion, customer service support, sales, distribution, research and development, administration and management, production, operations, procurement/purchasing, quality control, loan acquisition and administration, treasury, information technology, legal, compliance, contract management, and security.

The following are some key issues to address as data analysis is completed in a digital environment:

  • Data validity and data integrity. As data are moved or transferred from one file or storage location to another, data validity and integrity must be verified. The first step in data analysis is to ensure the validity and integrity of the data.
  • Data format and structure. Data format and structure have an impact on the ability to import and export data to and from computers and software programs.
  • Magnitude. Targeted risk assessment is concerned not only with the probability of a fraud scheme but also its relative size. Preliminary targeted risk assessment and related analyses ensure that the potential issue is a reasonable and proper utilization of fraud examination and forensic accounting resources.
  • Monitoring choices. Consider the various levels of aggregation in the data and their impact on the ability of digital tools and techniques to monitor exceptional transactions (red flags and other anomalies) successfully. The lowest level of monitoring is often at the transaction level, whereas the highest level of monitoring is account balances and financial statement totals. Between transactions and financial statement amounts are various intervening layers. How to monitor these layers effectively and efficiently is often dictated, at least in part, by the targeted risk assessment—the likelihood of a particular fraud scheme and its relative magnitude. As discussed throughout the text, the fraud and forensic accounting professional needs to be cognizant of the sole fraudster, as well as predator fraudsters, collusion, and management override schemes that can be more difficult to detect and investigate and more costly to the organization.
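Both the earlier discussion of exporting and importing data and the "Data validity and data integrity" item above call for controls that prove a file arrived complete and unaltered. The following is an added example, not part of the original text: the exporting party records a hash, a record count, and a control total, and the examiner re-derives them on receipt. The file contents, field names, and function names are constructed, and the sketch assumes a UTF-8 CSV export.

```python
import csv
import hashlib
import io
from decimal import Decimal, InvalidOperation

# Constructed sample export of journal entries.
EXPORT = (
    b"entry_id,account,amount\n"
    b"JE-001,1200-AR,1200.00\n"
    b"JE-002,1200-AR,350.50\n"
    b"JE-003,4000-REV,89.99\n"
    b"JE-004,1200-AR,4100.00\n"
)
# The same file with one record lost in transfer.
DROPPED_ROW = EXPORT.replace(b"JE-002,1200-AR,350.50\n", b"")
# Two amounts altered so that the record count and control total still agree.
OFFSETTING = EXPORT.replace(b"1200.00", b"1100.00").replace(b"4100.00", b"4200.00")


def summarize(raw, amount_field):
    """Record count and control total of a CSV file given as bytes."""
    rows = list(csv.DictReader(io.StringIO(raw.decode("utf-8"))))
    total, unparsed = Decimal("0"), []
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        try:
            total += Decimal(row[amount_field])
        except (InvalidOperation, TypeError, KeyError):
            unparsed.append(line_no)  # report bad amounts, never guess them
    return {
        "record_count": len(rows),
        "control_total": str(total),
        "unparsed_lines": unparsed,
    }


def build_manifest(raw, amount_field):
    """Control figures the exporting party records at extraction time."""
    manifest = summarize(raw, amount_field)
    manifest["sha256"] = hashlib.sha256(raw).hexdigest()
    return manifest


def verify_import(received, manifest, amount_field):
    """Return the names of the checks that fail; an empty list means agreement."""
    found = build_manifest(received, amount_field)
    failed = [
        key
        for key in ("sha256", "record_count", "control_total")
        if found[key] != manifest[key]
    ]
    if found["unparsed_lines"]:
        failed.append("unparsed_lines")
    return failed


if __name__ == "__main__":
    manifest = build_manifest(EXPORT, "amount")
    print(manifest)
    for label, data in (("intact", EXPORT), ("dropped row", DROPPED_ROW),
                        ("offsetting edits", OFFSETTING)):
        print(label, "->", verify_import(data, manifest, "amount"))
```

The third sample shows why the hash belongs next to the traditional control figures: offsetting changes leave the record count and control total intact, and only the hash comparison fails.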

Data Extraction and Analysis Software

There are many types of data analysis software on the market, with new products emerging and new versions of old products. Because every fraud examination or forensic accounting engagement is different, choosing a data analysis tool is something that the fraud examiner should consider in each individual case to decide which package is most appropriate for the current examination.

Data mining and knowledge discovery software is classified into two general categories:

  • Public domain/shareware/freeware: available free, or for a nominal charge, through websites, ftp sites, and newsgroups. Many shareware programs allow users a trial period, after which a fee must be paid to reactivate the software. Freeware and shareware programs can be located through Internet search engines and through software download services. In some cases, users are asked to review performance, report malfunctions, etc. for research prototypes/beta versions or free software in the development stages.
  • Commercial applications: general release products, usually with technical support and warranty.

Readers should understand that the following tools are presented as examples of the types that are available, that the listing of available tools is not complete, and that the authors are not promoting the use of any specific software.

Excel

Excel is a staple analytical and presentation tool for forensic accountants and fraud examiners. Even when more sophisticated analytical tools are used, the results are often exported to, and presented in, Excel. Excel lends itself to running Benford’s Law tests, filtering, sorting, removing duplicates, using logic functions, creating conditional formatting, finding and replacing, performing transposition tasks, creating pivot tables, and other processes. Excel’s strengths are its simple, yet powerful, functions including the following:

  • =SUM() – the sum of a range of cells
  • =AVERAGE() – the mean of a range of cells
  • =MIN() – the smallest number contained in a range of cells
  • =MAX() – the largest number contained in a range of cells
  • =TRIM() – this function cleans up data when the data cell contains nonrelevant information
  • =COUNT() – the number (frequency) of numerical entries in a range of cells
  • =COUNTA() – the number (frequency) of character entries in a range of cells
  • =COUNTIF() – the number (frequency) of numerical or character entries meeting the designated criteria in a range of cells
  • =LEN() – the number of characters in a single cell
  • =CONCATENATE() – combines data from two cells into one cell
  • =DAYS() – the number of days between two dates in a spreadsheet
  • =NETWORKDAYS() – the number of work days between two dates in a spreadsheet
  • =SQRT() – the square root of a number in a cell
  • =ROUND() – the ability to round off numbers in a cell

IDEA Data Analysis Software

IDEA is an acronym for Interactive Data Extraction and Analysis. This software package is a PC-based file interrogation package that allows accountants, auditors, and financial managers to view, sample, and analyze data from other computerized systems. IDEA is generalized audit software. IDEA is able to import data in differing file formats. For audit trail purposes, IDEA field statistics are created during the import function, which creates the working files that IDEA then analyzes.

Once the data are imported, IDEA can be used to examine file statistics and observe the raw data values underlying those statistics. Users can browse through the data; search for records meeting specified attributes; sort and index the records; extract records meeting specified criteria; search for duplicates and gaps in the data; summarize, stratify, and export files to other formats, such as Excel.

IDEA has many of the data analysis features of products such as Excel or other spreadsheet packages. It can be used with mathematical formulas or functions (e.g., statistics) to analyze data presented in columns and rows or to create new data columns for further analysis. For example, IDEA can be used to test invoice totals, by selecting prices and quantities from their respective columns and multiplying them in a new column. Then, the calculated (extended) invoice amount can be compared to the invoice total to ensure that the two amounts match. In addition, IDEA users can create pivot tables, aging analyses (e.g., accounts receivables and payables), conduct Benford’s Law tests, plan and draw samples, and statistically evaluate audit findings in sampled transactions. When the user imports several files, IDEA can join, append, and compare them and create action fields, that is, identify those from one file that have a relationship to a field of another IDEA file. Information about the processing measures is automatically recorded in the audit log history of this software.

IDEA also supports the organization of work by allowing users to create to-do lists and folders, move and copy files, and create macros.

For training purposes, IDEA provides a comprehensive tutorial called “IDEA: Data Analysis Software Workbook.” It is an easy-to-use, intuitive tutorial, with step-by-step instructions, solutions, and screenshots to coach new users in the appropriate use of the IDEA software. Tutorial users perform three separate audits/examinations: (1) for accounts receivable, (2) accounts payable/fraud examination, and (3) inventory analysis.

In the accounts receivable section, the tutorial requires students to identify: the potential risks, the business implications of those risks (e.g., the inability to collect accounts receivables from customers who do not meet credit standards), and the objectives of the audit tests (such as completeness, accuracy, valuation, existence, validity, and presentation). Students must also provide an overview of the types of tests required, such as mechanical accuracy and valuation, analysis, exception testing, gap and duplicate analysis, matching records across files, and comparison tests and sampling. Next, students are provided with an eight-step audit program to work through.

From there, users need to set up the engagement in IDEA and import the data files, given the formats received from the fictitious client. Step-by-step instructions, explanations, and screenshots are provided to give users confidence that they are taking the correct actions. Once the files are imported, users work with control total functions to ensure that the import is successful. Then, students complete the following tasks in the accounts receivable and related files:

  • Examine field statistics
  • Develop and complete reconciliations
  • Randomly sample records
  • Develop and analyze the accounts receivable aging
  • Extract transactions and balances with high values
  • Extract old unpaid accounts receivable items
  • Identify and review credit notes
  • Recalculate transaction amounts
  • Analyze balances and taxes by account
  • Check debtors/amounts against authorized credit limits from another file

In the accounts payable and fraud examination section of the tutorial, students identify those auditing procedures and analyses that can be addressed using data extraction and analysis tools, and they also deal with an increased risk of fraud. In the described scenario, the chief financial officer (CFO) is concerned that a particular member of the accounts payable department is living beyond his means. In addition, other risks addressed using digital tools include the following:

  • Payments made to unauthorized suppliers
  • Payments made to nonvendor individuals and employees
  • Unauthorized premiums given to suppliers
  • Invoices paid after the due date
  • Invoices paid on unscheduled payment dates
  • Invoices processed and paid twice
  • Payments made “off-line” so that they are not detected by normal audit procedures
  • Missing supporting documentation, such as POs, delivery receipts, etc.

In this fictitious case, because the suspicion of fraud is enhanced, the data are obtained through the CFO without the knowledge of the accounts payable clerk. The file formats are ASCII Delimited and Excel. Then, students examine the following elements of the accounts payable and the supplier files:

  • Analyze the profile of payments (stratification)
  • Identify large and unusual payments (by dollar amount)
  • Identify exceptional transactions
  • “Cash” as the payee
  • Round sum payments
  • Payments authorized by the suspected manager
  • Payments processed on Sunday
  • Amounts that appear to violate Benford’s Law
  • Test for duplicate payments
  • Search for gaps in check number sequence
  • Search for gaps in the date sequence
  • Analyze payment days to identify favorable terms to suppliers
  • Test payments to unauthorized suppliers
  • Analyze payments by suppliers

The following are the results of the Benford’s Law “first-two digit” analysis.

The tutorial addresses issues associated with inventory. More specifically, the CFO has identified problems with the underlying inventory system and needs assistance in identifying those issues and making recommendations for corrective action. Some of the anomalies include the following:

  • The listing of obsolete items seems to have too few items and is incomplete.
  • The business is suffering from frequent stock-outs.
  • The margins on products do not seem to be reflective of the market for some products.

Thus, this section is more of a consulting-type engagement, where the power and strength of data extraction and analysis tools can facilitate a more comprehensive identification and examination of issues that may also have an impact on the amounts reflected in the financial statements.

Then, students examine the inventory attributes as follows:

  • Identify obsolete inventory items
  • Calculate usage ratios
  • Estimate the obsolescence provision
  • Estimate the obsolescence provision by depot (location)
  • Test the accuracy of the automatic reordering system
  • Analyze selling prices and related margins
  • Analyze payments by suppliers

The IDEA tutorial then has students work through a number of useful tasks that apply to most data extraction and analysis projects:

  • Designing reports
  • Printing
  • Rerunning analyses
  • Housekeeping activities
  • Reviewing and documenting analysis outcomes
  • Managing folders and projects
  • Backing up and restoring data files
  • Deleting data and other files
  • Copying data files
  • Searching for data files
  • Renaming a database

Each of the audits/examinations in the workbook increases in complexity for using IDEA’s functions and tests, building on the experience learned in earlier sections. The data files provided for use in the IDEA workbook were created in a variety of formats to provide experience in importing data from a number of different file types. The screenshots and check figures facilitate quick and independent development of the skills needed to use the software to its fullest potential. In summary, IDEA can read, display, analyze, manipulate, sample, and extract data from files obtained from many sources in many formats.

ACL

ACL Services Ltd. provides audit analytics and continuous monitoring software. The software provided by ACL can be used to ensure internal controls compliance—thereby reducing the risk of fraud—and to detect and investigate potential fraudulent activity. ACL facilitates organization-wide testing and monitoring of internal controls through independent verification of transactional data. ACL can be used for audit analytics and controls monitoring on a continuous basis (continuous auditing). ACL may also be used to secure data access.

ACL stands for Audit Control Language, a phrase that points to the early roots of the software. This software package is PC-based and permits data importation from different file formats. Once the data files have been imported, ACL can be used to examine file characteristics, visually examine the raw data, and create various analyses and statistics that can be used as audit and investigative evidence. Imported data can be reviewed, searched, sorted, indexed, and extracted. Users can also search for duplicate records and for unexpected gaps in the data. Finally, ACL summarizes and stratifies and can be used to export files to other formats, such as Excel.

Like Excel, ACL data are presented in rows and columns. ACL has equation editors to create mathematical formulas that can generate new data for further analysis. ACL equations can also be set up to filter and extract data, and users can also perform additional functions such as the following:

  • Aging analyses (e.g., accounts receivables and payables)
  • Benford’s Law analyses
  • Draw samples
  • Statistically evaluate audit findings
  • Import and join multiple files
  • Append and compare files

The user’s activities are automatically captured in a log to create an audit trail. Like IDEA, ACL provides a comprehensive tutorial.

Other Software Packages

Traditional statistical packages such as SAS, Stata, JUMP, SPSS, R, Python, and similar software can be used for data extraction and analysis. Many of these packages also offer features that make forensic accounting and fraud examination analysis relatively efficient to use in an engagement context.
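As an illustration of using one of these packages, the following Python script runs several of the accounts payable tests listed in the IDEA tutorial discussion above: exceptional transactions, duplicate payments, gaps in the check number sequence, and a Benford's Law first-two-digit test. It is an added example, not taken from the IDEA workbook or from this chapter's authors; the payment data, column names, the $1,000 round-sum unit, the $5,000 approval limit, and the user ID "rkhan" are all constructed assumptions.

```python
import csv
import io
import math
from collections import Counter, defaultdict
from datetime import date
from decimal import Decimal

# Constructed accounts payable extract (illustrative; not the IDEA workbook data).
AP_CSV = """check_no,pay_date,payee,invoice_no,amount,authorized_by
1001,2023-03-01,Acme Supply,INV-501,1842.17,jlee
1002,2023-03-02,Cash,INV-502,5000.00,rkhan
1003,2023-03-05,Borden Freight,INV-503,731.40,rkhan
1004,2023-03-06,Acme Supply,INV-501,1842.17,jlee
1006,2023-03-07,Delta Tools,INV-504,12000.00,rkhan
1007,2023-03-08,Evers Paper,INV-505,268.93,jlee
1010,2023-03-12,Delta Tools,INV-506,4875.50,rkhan
"""


def load_payments(text):
    """Parse the delimited extract; amounts are held as integer cents."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "check_no": int(r["check_no"]),
            "pay_date": date.fromisoformat(r["pay_date"]),
            "payee": r["payee"].strip(),
            "invoice_no": r["invoice_no"].strip(),
            "cents": int(Decimal(r["amount"]) * 100),
            "authorized_by": r["authorized_by"].strip(),
        })
    return rows


def exception_flags(rows, suspect=None, round_unit_cents=100_000):
    """Return {check_no: [reasons]} for the exceptional-transaction tests."""
    flags = defaultdict(list)
    for r in rows:
        if r["payee"].lower() == "cash":
            flags[r["check_no"]].append("cash payee")
        if r["cents"] % round_unit_cents == 0:  # assumed unit: multiples of $1,000
            flags[r["check_no"]].append("round sum")
        if r["pay_date"].weekday() == 6:  # Monday is 0, Sunday is 6
            flags[r["check_no"]].append("paid on Sunday")
        if suspect and r["authorized_by"] == suspect:
            flags[r["check_no"]].append("authorized by suspect")
    return dict(flags)


def duplicate_payments(rows):
    """Group check numbers that share payee, invoice number, and amount."""
    groups = defaultdict(list)
    for r in rows:
        key = (r["payee"].lower(), r["invoice_no"], r["cents"])
        groups[key].append(r["check_no"])
    return [checks for checks in groups.values() if len(checks) > 1]


def check_number_gaps(rows):
    """Return (first_missing, last_missing) ranges in the check sequence."""
    nums = sorted({r["check_no"] for r in rows})
    return [(a + 1, b - 1) for a, b in zip(nums, nums[1:]) if b - a > 1]


def benford_first_two(cents_list, z_crit=1.96):
    """Return [(digits, observed, expected, z)] for first-two-digit combinations
    that occur more often than Benford's Law predicts, ranked by z-statistic."""
    leading = [int(str(c)[:2]) for c in cents_list if c >= 10]
    n = len(leading)
    if n == 0:
        return []
    counts = Counter(leading)
    flagged = []
    for d in range(10, 100):
        p = math.log10(1 + 1 / d)  # expected proportion for leading digits d
        diff = counts[d] / n - p
        # z-statistic with a continuity correction of 1/(2n)
        z = max(abs(diff) - 1 / (2 * n), 0) / math.sqrt(p * (1 - p) / n)
        if diff > 0 and z > z_crit:
            flagged.append((d, counts[d], round(p * n, 1), round(z, 2)))
    return sorted(flagged, key=lambda t: -t[3])


def benford_demo_amounts():
    """Constructed population: 2,000 Benford-conforming amounts ($10 to $100,000)
    plus 60 payments just under an assumed $5,000 approval limit."""
    base = [int(10 ** (3 + 4 * k / 2000)) for k in range(2000)]
    padded = [490_000 + 137 * i for i in range(60)]
    return base + padded


if __name__ == "__main__":
    payments = load_payments(AP_CSV)
    print(exception_flags(payments, suspect="rkhan"))
    print(duplicate_payments(payments))
    print(check_number_gaps(payments))
    print(benford_first_two(benford_demo_amounts()))
```

A flagged item is a lead for follow-up against source documents, not a finding; the Benford test in particular needs a large population to be meaningful, which is why it runs on a separate constructed data set here.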

Module 4: Graphics and Graphics Software

According to The CPA Journal author, George Aldhizer, a picture is worth a thousand words.9 This is especially true for the estimated 65% of the population who are visual learners. Aldhizer states that “visual analytics is an exploratory and iterative process involving the creative and dynamic discovery of potential fraud schemes. It builds on humans’ natural ability to absorb and comprehend greater amounts of information through the use of distinctive patterns, shapes, and shadings than through analysis of columns of numeric data. Instead of creating static, simplistic bar charts and scatter plots and relying on a finite number of embedded rules-based red flags for potential fraud, visual analytics can create customized, multidimensional, or layered graphics, resulting in more granular analyses of all of the structured data. As a result, visual analytic software may more easily uncover otherwise hidden relationships between data elements, enabling the discovery of new fraud red flags. Thus, visual analytic software may be an attractive alternative to IDEA and ACL for auditors of larger, publicly held entities to reduce the risk of undetected material misstatements, including fraud.” The author also champions geospatial analysis and heat maps as investigative tools.

Aldhizer also finds that “unstructured text data—which is not created and stored in a predefined, standardized format and thus to a large extent cannot be analyzed by IDEA, ACL, and visual analytic software—has exploded in growth and can provide additional clues as to the existence of material fraud schemes. For example, many individuals appear willing to reveal sensitive and incriminating narrative and pictorial data in supposedly private communications and social network postings that they would not consider disclosing in a financial report or a business meeting. Other types of unstructured data include corporate memos and emails, PDF files, social media postings, and audio and video files.” The author concludes by suggesting that “forensic practices should seriously consider implementing text analytic capabilities. Audit practices also may benefit from an awareness of text analytic capabilities and consider applying them to high-risk engagements.”

We agree: a picture is worth a thousand words! Data analysis programs and graphics software packages can provide numerous pictorial representations of the data. Graphics have at least three distinct roles in an examination.

  • First, they can be used as an investigative tool. By visually putting together linkages, flows, timelines, and other graphics, the investigator can gain insight into the case, possibly seeing the case in ways that he or she had not previously considered.
  • Second, graphics can also help the investigator to identify holes in the case or problem areas where further examination is required. For example, the graphics might suggest that individuals with the opportunity to commit the fraud have not been properly eliminated as suspects. Similarly, graphics can be used to identify questions that need to be answered to wrap up a case. Graphical representations of the data, like spreadsheets and examination of raw data, such as source documents, can facilitate critical thinking by facilitating consideration of the case from differing perspectives.
  • Third, graphics can be useful to communicate investigative findings, conclusions, and results. Although individuals with a mathematical or accounting background are comfortable looking at spreadsheets to derive information and interpret its significance to an examination, most people are overwhelmed by a page of numbers (or pages of numbers) with subtotals, totals, columns, rows total, rows of data, etc. Translating numerical and other important case data into graphics allows those with less experience and less comfort with numbers to better understand the fraud and forensic professional’s findings. Case outcomes often hinge on the ability of the professional to take complex ideas, relationships, and the results of detailed data extraction and analysis activities and express them in a simpler, more meaningful manner, so that a greater number of people, including juries, are likely to understand what the professional is trying to communicate.

The professional needs (1) to answer the questions who, what, when, where, and how; (2) to address the fraud triangle to the extent that evidence is available; and (3) to be centered on the elements of fraud: the act, concealment, and conversion. Understanding the motivation for fraudulent activities, such as money, ideology, coercion, and ego (M-I-C-E), helps investigators to better detect these crimes in the future.

The Association Matrix

One of the first graphical tools is an association matrix for identifying major players who are central to an examination and to identify linkages between those players. Linkages can take the form of names, places, addresses, phone numbers, etc. Although all of these data are documented as preliminary evidence electronically in some software tools, such as Excel, Access, or even Word, the association matrix is a starting point for reflecting some of the most important data in a simplified format. These matrices often serve as an intermediate format that organizes observed relationship material into a compact arrangement to facilitate review and as a basis for creating more complex charts.

The format for the association matrix, including an example, is presented in Figure 11-1.

FIGURE 11-1 Association matrix

Notice that, on each line in the association matrix, the name of an important person, place, address, business, organization, etc. is written, followed by the boxes with the relationship that exists between the entities (as known from the evidence). In this example, Stephanie and Jason are divorcing. The divorce is being contested by Jason, who has a reputation as a playboy. Stephanie started and developed the 54-store PJ’s Pizza chain, named after her little sister, who has Lyme disease. Stephanie has been hands-off, pursuing charity work for the last couple of years, and has entrusted the day-to-day operations of the pizza chain to her chief operating officer and friend of thirty years, Alexandria. Alexandria has been with the company since day one, owns 20% of the stock and is considered a genius at marketing and store location, but her financial and accounting background is judged to be very weak.

Recently, Stephanie discovered enough evidence to suspect strongly that someone is embezzling reasonably large sums of money from her company. Mark is the treasurer and accounting manager located at corporate headquarters, and Richard is a regional manager of fifteen stores. Preliminary evidence suggests that the fraud is isolated to Richard’s region. Further, the fraud appears to be concealed by individual(s) with access to operational data, cash, and the accounting records. Initially, the divorce seemed to have no relation to the possible fraud. However, surveillance conducted by a licensed private investigator revealed that two of the key suspects have very close ties to Jason, Stephanie’s estranged husband; he has been seen with one or the other at least one time during each of the past five weeks. At no time were the three seen together. As a result, the association matrix was updated as shown in Figure 11-2.

FIGURE 11-2 Updated association matrix

In this example, the major players have been listed and their relationships described. Although no proof exists that Mark and Richard are in collusion to perpetrate a fraud, based on the graphic, Jason appears to be the common link. Given the impending divorce, he and his close friends may be trying to damage Stephanie and generate some cash in the process. This graphic helps the investigator see important links. In addition, this association matrix may be useful in communicating with lawyers, judges, and jury members, if such a need arises. From the information in the matrix, investigators can develop more complex graphics, such as a link chart.

Link Charts

Link charts are another way to graphically represent the associations, linkages, and other important relationships. They help to describe linkages between entities: people, businesses, and “organizations” (in quotes because some organizations may include gangs, consortiums of drug dealers, and organized criminal enterprises—which are usually not listed with the Secretary of State’s records—but may act and operate like many legitimate business entities). Link charts, therefore, create a graphic representation of known and suspected associations among businesses, individuals, organizations, telephone numbers, addresses, email accounts, websites, etc. that are potentially involved in criminal activity.

Link charts are more complex than association matrices and, as such, follow rules to ensure that viewers understand the graphics and are able to interpret their meaning with a minimum of error. The rules of link charting include the following:

  • Each person has one link chart symbol and location on the chart.
  • The chart should be developed as simply as possible, while remaining accurate.
  • The chart cannot be misleading.
  • Evidence and other documentation should be maintained as backup.
  • Preferably no linkage lines should cross (although this is not always practicable).
  • The date and important references should be printed on the chart.
  • A legend should be used to describe the meaning of symbols, colors, shapes, and lines.
  • Symbols and other aspects of the link chart should be used consistently.

In Figure 11-3, you can see the linkages between Jimmy John Jackson and several business enterprises.

FIGURE 11-3 Link chart example

In this example, three businesses are presented: Jackson Auto Body, Inc., JJ’s Truck Stop, and Jack & Jill Hotel. The Secretary of State’s records database indicates that Jimmy John Jackson has an ownership role in all three. Assume further that evidence indicates that a supplier fraud is occurring at a trucking company, and it appears that the three companies presented are receiving payments for services not rendered. Also assume the evidence indicates that no actual businesses exist, and yet the mailing addresses are the same. If a criminal activity is suspected and these three businesses are involved, it appears that Jimmy John Jackson is at the center of everything. Armed with this information and a pictorial representation, the investigator is able to concentrate his or her effort and can easily communicate findings. Along a similar line, the association matrix previously discussed can be converted into a link chart (see Figure 11-4).

FIGURE 11-4 Association matrix converted into a link chart

Notice that the picture here is clearer and easier to read and understand than the association matrix previously presented. Further, notice that a dashed line exists between Mark and Richard because the evidence does not yet suggest that the two have a known relationship. Also note that no line is presented to connect Stephanie with Mark or Richard. This is because she is generally a hands-off owner/CEO and thus may not know either of them. These possible relationships need to be investigated further. At this point, a fraud may have been committed by Richard and Mark, and one of the other beneficiaries could be Jason. However, what if Stephanie is purposely taking money out of the company to lower its value so that her divorce payout to Jason is lower? This could only be determined through further examination.

Thus, link charts and other graphics are not only beneficial as investigative and communication tools but can also be helpful in identifying shortcomings in the case and areas where further work is necessary.
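The conversion from association matrix to link chart described above can also be scripted. The following Python code is an added example, not part of the original chapter: the entity list and links are constructed from the narrative only (the book's figures may record additional relationships), and the function names and the "+", "?", "." cell symbols are assumptions. It builds the matrix, finds the common link between the suspects, lists the relationships that still need examination, and emits Graphviz DOT text with dashed lines for suspected links.

```python
from itertools import combinations

CONFIRMED, SUSPECTED = "confirmed", "suspected"

# Constructed from the chapter's narrative; not a transcription of the figures.
ENTITIES = ["Stephanie", "Jason", "Alexandria", "Mark", "Richard"]
LINKS = [
    ("Stephanie", "Jason", CONFIRMED, "divorcing spouses"),
    ("Stephanie", "Alexandria", CONFIRMED, "owner and COO, friends"),
    ("Jason", "Mark", CONFIRMED, "seen together (surveillance)"),
    ("Jason", "Richard", CONFIRMED, "seen together (surveillance)"),
    ("Mark", "Richard", SUSPECTED, "possible collusion"),
]


def build_matrix(entities, links):
    """Return a symmetric {a: {b: (status, note)}} association matrix."""
    matrix = {e: {} for e in entities}
    for a, b, status, note in links:
        if a == b or a not in matrix or b not in matrix:
            raise ValueError(f"bad link: {a!r} - {b!r}")
        matrix[a][b] = matrix[b][a] = (status, note)
    return matrix


def render_matrix(entities, matrix):
    """Lower-triangular text matrix; columns follow the row order.
    '+' confirmed, '?' suspected, '.' no known link."""
    mark = {CONFIRMED: "+", SUSPECTED: "?"}
    width = max(len(e) for e in entities)
    lines = []
    for i, row in enumerate(entities):
        cells = [
            mark[matrix[row][col][0]] if col in matrix[row] else "."
            for col in entities[:i]
        ]
        lines.append((f"{row:<{width}} " + " ".join(cells)).rstrip())
    return "\n".join(lines)


def common_links(matrix, suspects, status=CONFIRMED):
    """Entities outside `suspects` with a link of `status` to every suspect."""
    return sorted(
        e for e in matrix
        if e not in suspects
        and all(matrix[e].get(s, (None,))[0] == status for s in suspects)
    )


def unresolved_pairs(entities, matrix):
    """Pairs with no recorded link or only a suspected one: leads to follow up."""
    return [
        (a, b) for a, b in combinations(entities, 2)
        if matrix[a].get(b, (None,))[0] != CONFIRMED
    ]


def to_dot(entities, matrix):
    """Graphviz DOT: one node per entity, solid = confirmed, dashed = suspected."""
    out = ["graph link_chart {"]
    out += [f'  "{e}";' for e in entities]  # each entity appears exactly once
    for a, b in combinations(entities, 2):
        if b in matrix[a]:
            status, note = matrix[a][b]
            style = "solid" if status == CONFIRMED else "dashed"
            out.append(f'  "{a}" -- "{b}" [style={style}, label="{note}"];')
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    m = build_matrix(ENTITIES, LINKS)
    print(render_matrix(ENTITIES, m))
    print("Common link:", common_links(m, {"Mark", "Richard"}))
    print("Needs examination:", unresolved_pairs(ENTITIES, m))
    print(to_dot(ENTITIES, m))
```

Keeping the evidence reference in each link's note supports the charting rule that documentation be maintained as backup.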

Flow Diagrams

The next type of graphic is the flow diagram. It allows the investigator to analyze the movement of events, activities, and commodities—to see what that flow means in relation to a suspected criminal activity. The flow diagram can be used for the following:

  • To illustrate the operation of the illegal movement of goods, services, people, money, etc.
  • To present the activities that precede a suspected criminal act
  • To show the flow of criminal goods, cash flows, and profits
  • To illustrate and describe a money-laundering scheme
  • To present changes in organizational structure over time
  • To illustrate the flow of cash, information, or documents through an organization

The general purpose is to discover the meaning of those activities and their importance to the examination. For example, the following flow diagram (Figure 11-5) can be used to show how activities and transactions are captured and how they flow through the accounting system into the periodic financial statements and tax returns.

FIGURE 11-5 Flowchart: review of suspect company’s financial and nonfinancial activities through the accounting books and records

In this example, transactions take place between the suspect entities (and their representatives) and others: suppliers, vendors, customers, employees, etc. The essence of these transactions is captured in paper or electronic format. Examples of possible evidentiary documents include receipts, invoices, purchase orders, delivery receipts, bills of lading, contracts, and other sources. Certain information presented in the documents is captured in journal entries. The journal entries are then posted to the general ledger, which acts like a series of buckets where transactions are categorized and sorted. The general ledger amounts—the sum total of the transactions in a particular bucket—are then summarized and presented in periodic financial statements and tax returns.

In Figure 11-6, a kickback scheme is outlined graphically. In this case, evidence suggests that the investigators know everything about the scheme except how the inside kickback recipient received his or her payoff. The investigators are considering three options:

  • Option 1: Third-party merchandiser writes a check to kickback recipient.
  • Option 2: Third-party merchandiser writes checks to cash and gives cash to kickback recipient.
  • Option 3: Third-party merchandiser writes a check to fictitious company controlled by the kickback recipient.

FIGURE 11-6 Kickback scheme illustration

At this point, the investigators can see that more work needs to be done related to the conversion aspect of the case. Because the actual kickback aspect of the scheme is unknown, dotted instead of solid lines are used in the presentation. The movement of commodities lends itself particularly well to flow diagrams, such as:

  • Money laundering (flow of cash)
  • Stolen goods
  • Narcotics trafficking
  • Smuggling

Timelines

The next type of graphical analysis is a timeline, which organizes information about events or activities chronologically to determine what has, or may have, occurred and the impact that these actions have had on the activity under examination. In the following example (see Figure 11-7), Seth purchases a sales and marketing company from Vance. Further, by 2004, Seth is bankrupt and is now complaining that he was sold a failing company by Vance. However, Seth knew very little about the sales and marketing business when he purchased the company, with newly inherited wealth from his father, except that Vance drove a Mercedes and lived in a large, expensive house. Seth seems to have assumed that he could do the same. However, Vance claims that the success of the company under his ownership was due to his ability to secure large contracts with successful clients. As seen from the following timeline, after purchasing the company, Seth negotiated no new contracts. If additional evidence supports Vance’s contention, it appears that the demise of Seth’s company is due to his own inability to secure new sales and marketing contracts.

FIGURE 11-7 Timeline example

The break in the pattern of new sales and marketing contracts is clear and distinct, especially when presented in graphical form.

Other Graphical Formats

As stated, graphics can be a simple, clear, and concise method of presenting case material to communicate outcomes. They can be developed in nearly any manner and for almost any purpose that appears to further the examination. For example, in Figure 11-8, you can see the impact of a person selling a company in a sham transaction and establishing himself during the sales transaction as a secured creditor. As shown in the left-hand column, the former owner was “last in line” before the company was sold. However, after the sale, the former owner was now first in line and moved ahead of every other creditor. If the former owner has the right contractual relationship with his former company, he or she could milk the company of all cash and profits and effectively bankrupt it. Because of the former owner’s position as secured creditor, unsecured creditors (such as off-balance sheet liability holders, i.e., a plaintiff to a lawsuit against the company) have little recourse unless it could be proven that the sales transaction was a sham.

The result of graphical analysis and presentation can offer a number of outcomes. Critical questions need to be answered:

  • What actions are essential to the activity under examination?
  • Who are the key people involved?
  • Who appears to guide the activity?
  • What is the net result of the activities?
  • Who appears to benefit?

FIGURE 11-8 Defendant’s company financial structure before and after the sale in 2007

Additional follow-up is needed to finalize the case:

  • Reinterview the suspect to determine possible motivation for the fraud.
  • Subpoena bank records.
  • Trace laundered money to source.
  • Use undercover agent to pose as vendor of questionable ethical character to develop evidence of a kickback scheme.

Graphical Software

The above graphics were completed in PowerPoint, Microsoft Word, or Excel. These packages, especially PowerPoint, offer numerous tools to create sophisticated graphics that can be used for the three purposes cited above (i.e., help the examiner understand and interpret case findings, identify additional examination needs, and communicate the results of the examination). With the advent of “YouTube” videos, as well as helpful instructional tools from the developer, even the novice professional can create effective graphics.

In addition to the above, other tools may also be used in the forensic and fraud examination graphical space.

Microsoft Visio can be used to create simple as well as complicated diagrams. Like PowerPoint, Visio offers a variety of built-in shapes, objects, and other materials to use as foundations for graphics. The software also permits users to create and import their own shapes. Visio is more powerful than PowerPoint, for example, because it was designed to make diagramming and graphical creation as easy as possible for users. Visio comes complete with templates that permit starting a graphical project with relative ease. Maybe one of the best features of Visio is that it is “live”—the software can pull in data from external sources, such as an Excel spreadsheet or Access database—ensuring that graphics automatically align with the most recent dataset as changes are made to the underlying database. This feature is not available for graphics created in PowerPoint, Excel, Word, etc.

Tableau is a data visualization tool that enables users to create interactive visual analytics that are presented using dashboards. Tableau is designed to help ordinary people see and understand the information buried in data. Tableau supports nontechnical users by offering the ability to create, with relative ease and some training, customized dashboards that provide graphical, easy-to-understand insight into the data under examination. Like Visio, one of the strengths of Tableau is that the software can query relational databases, cloud data, spreadsheets, and similar sources, using the information to form graphical presentations. Tableau also offers some data analytic tools that can be used to examine big data, such as statistical trends. Somewhat unique to Tableau is its mapping function that can plot latitude and longitude coordinates and connect to spatial files from other software sources. Tableau’s built-in geocoding allows for data examination by country, state/province, county/district, postal code, area code, airport, and European Union statistical area and geographic criteria. Furthermore, this geographic coding may also be grouped according to users to create custom territories.

Module 5: Case Management Software

Case management software can be used in a number of situations to oversee cases and case data, organize it in meaningful ways, and even present information for use in reports or during testimony. Sophisticated, complicated, and complex cases can benefit from the use of case management software, including the following:

  • Complex fraud schemes: examples include insurance schemes, health care frauds, investment schemes, credit card scams, identity theft rings.
  • Money laundering: organize and investigate large databases of suspicious activities, movements of money around the world, and other sophisticated financial crimes.
  • Compliance: internal examinations and risk management, such as Sarbanes-Oxley compliance.
  • Complex and complicated financial statement frauds: multiple participating persons and possibly multiple schemes.
  • Organized criminal operations: complex organizational structures and related activities, such as money laundering, movement of contraband, and cash flows.
  • Drug trafficking: loosely knit but fluid organizational structures that include the movement of narcotics and the flow of money back to the individuals controlling the activity.
  • Terrorism financing: the perpetrators exist in semiautonomous cells, operating in various localities around the world.

Case management software can be used to initiate examinations that can evolve into complex cases. New examinations can be initiated, and evidence collected and organized when it is developed through various channels—including detectives, forensic accountants, computer forensic specialists, internal auditors and other experts, as well as from employees, vendors, customers, and other participating people and organizations.

Most case management software has workflow rules, so that leads, evidence, and next steps can be prioritized, and investigative approaches can be tasked to the most appropriate people. With some software packages, investigators are able to send and receive emails within the system and record notes, evidence, activities, and investigative outcomes. Another feature of case management software is the ability to organize and present data graphically so they can be reported.

Readers should understand that the following tools are presented as examples of the types that are available, that the listing of commercially available tools is not complete, and that the authors are not endorsing any specific tools described.

Analyst’s Notebook i2

One of the case management software tool options is Analyst’s Notebook i2. It is currently one of the leading providers of visual investigative analysis software for law enforcement, intelligence, military, and business enterprises. i2 allows investigators and analysts to visualize complex schemes and to organize and analyze large volumes of seemingly unrelated data. Upon completion and at appropriate times during the examination, the results can be efficiently communicated to attorneys, other investigators, supervisors, judges, juries, and grand juries. As previously discussed, visual analysis can bring clarity to complex examinations, schemes, and scenarios. This software can generate timelines, flow charts, activities matrices, link charts, and other graphics to help investigators better understand the schemes, who is involved, and how participants benefit from their activities.

All data are gathered and stored in various databases that the software can access. From those, the evidence can be searched, analyzed, and visualized from multiple perspectives and given various alternative assumptions, with the goal of resolving the case. The main advantage is that less time is required to manage, organize, and process data, which are then analyzed and housed in one comprehensive locale. With more efficient evidence management for complex cases, more time can be spent on analysis and on drawing conclusions from the complete set of evidence, enabling investigators to uncover, interpret, and display complex information about seemingly unrelated persons, places, and events in an intuitive visual format.

LexisNexis CaseMap

CaseMap® by LexisNexis makes it easy to organize, evaluate, and explore evidence, the list of potential suspects and witnesses, and other case issues; it is designed for litigators and investigators. CaseMap is a central repository for case knowledge. The software can be used to organize information, facts, evidence, documents, people, case issues, and applicable law. CaseMap files include spreadsheets, documents, and PDF files. Every CaseMap spreadsheet can be sorted, filtered, and tagged for later use. CaseMap details can be sent to the TimeMap® tool to create timeline graphics. CaseMap software also evaluates relationships between different attributes of the case information. For example, it can be structured to connect facts to applicable case law that supports a particular position on an issue.

CaseMap is supported by TimeMap and also several other related packages, including TextMap® for transcription summary, NoteMap® for creating outlines, and DepPrep® for preparing witnesses for deposition and courtroom testimony. CaseMap and its suite of related products also have a reporting feature so that outcomes can be exported to other software packages.

We have eight types of assignments for instructors to choose from:

  1. Critical Thinking
  2. Review Questions
  3. Multiple Choice Questions
  4. Fraud Casebook
  5. Brief Cases
  6. Major Case Investigation (MCI)
  7. IDEA Exercises
  8. Tableau Exercises

CRITICAL THINKING

The Killer Apartment

Colin McFee had a Manhattan apartment to die for, an enormously spacious duplex that looked down on Park Avenue from the 18th and 19th floors. He also had a fortune worth killing for. So it wasn’t too surprising when the old man was found to be a victim of foul play. The day of the murder began innocently enough. McFee’s two nephews and his niece were all visiting him from Duluth, and the old millionaire had been so captivated by the charming trio that he impulsively decided to change his will.

The generous millionaire spent the morning signing the new document, which left his entire estate divided equally among the three vacationing relatives. McFee’s faithful maid witnessed the document, ushered the lawyer out, and, with an uneasy glance at the shiny-eyed heirs, retreated to her room.

Nothing happened until shortly after noon. The maid was in her upper floor bedroom, watching TV, when she heard McFee’s unmistakable voice screaming out in pain. For a few seconds, she was in shock, wondering what her employer’s voice was doing on an old Columbo episode. And then she realized it wasn’t the TV.

The maid went out into the hall and found Nick, the older nephew, standing at the top of a rarely used back staircase. “It came from downstairs,” Nick stammered.

Pushing past Nick, the maid led the way down the narrow stairs. “Mr. McFee!” she shouted and a moment later caught a spider web across the face. The back staircase went directly down to the east library. The dim, wood paneled room was empty except for the corpse on the floor by the bookshelves. Colin McFee, it seemed, had been hacked to death, although there was no knife in sight.

The three McFee heirs sat with the maid in the center of the lower level, by the main staircase, awaiting the police and rehearsing their stories. “I was in my second floor bedroom,” Nick said, “watching an old murder mystery show. When Uncle Colin screamed, I didn’t do anything for a minute. Then I went out into the hall. That’s where I met up with you.” Nick smiled at the maid, his alibi.

“I was upstairs in the west dining room,” Nora volunteered, “examining the old dumbwaiter. Even though the scream came from downstairs and on the far side of the apartment, I still heard it. I thought it must be robbers. So, I barricaded the dining room door and didn’t come out until I heard you all calling my name.”

Astor McFee, the younger nephew, claimed to have been asleep. “I was reading a magazine, right here in this chair and I nodded off. The scream woke me. It took a few seconds to realize that something was wrong. When I heard people talking in the library, I went off in that direction. That’s when I ran into you,” he said, nodding toward Nick and the maid.

When the police arrived, they took everyone’s statement, and then went to the main floor kitchen in search of the murder weapon. They found it in a utensil drawer, a huge butcher knife that had been wiped clean of blood, the same blood type as the victim’s.

“This tells us everything we need to know,” the homicide chief said with a grin.

Who killed Colin McFee?

REVIEW QUESTIONS

  1. What are the two major approaches for testing IT system controls?
  2. What is meant by the acronym CAATTs and what are they used for?
  3. What is computer forensics?
  4. What computer functions can make recovering deleted files more difficult?
  5. How do e-discovery rules impact the storage of email and other electronic files?
  6. What functions are used by data extraction and analysis software to highlight red flags of fraud?
  7. What are the two categories of data mining and knowledge discovery software?
  8. What role do graphics play in an investigation?
  9. What is the purpose of timelines in an investigation?
  10. How is case management software used in an investigation?

MULTIPLE CHOICE QUESTIONS

  1. Which of the following is one of the major approaches for testing IT system controls?
    1. Audit the output from the information systems.
    2. Audit the control logs for systems implementations and changes.
    3. Rely on the auditor for the software systems provider used by the client.
    4. Audit input, processing, and output related to the computer systems.
  2. Computer-aided audit tools and techniques can be used in all of the following areas except ___.
    1. Examination of IT personnel
    2. IT systems control environment
    3. Creating data and performing system walk-throughs
    4. Examination of application controls
  3. Which of the following is not considered an application of computer forensics?
    1. Ensure the integrity and chain of evidence associated with digital evidence
    2. Examine the content of email transmissions
    3. Image and capture data housed on storage devices associated with PDAs, cell phones, and iPods
    4. Image and capture data housed on computer hard drives
  4. Which of the following does not make recovering deleted files more difficult from a personal computer?
    1. A long period of computer use after a file has been deleted
    2. The use of “defrag” after a file has been deleted
    3. The sending and receiving of emails on the network server
    4. Emptying the computer’s recycle bin
  5. E-discovery rules were developed primarily with regard to what communication technology?
    1. Telephone communications, including faxes
    2. Sending and receiving emails
    3. Downloading of e-books, using a Kindle or similar device
    4. Downloading pornographic Web content onto a personal computer hard drive
  6. Which is the most accurate statement with regard to using data extraction and analysis software to highlight red flags of fraud?
    1. Data extraction and analysis work product often points directly to the culprit.
    2. Data extraction and analysis work product is often the most relevant evidence a jury can consider.
    3. Data extraction and analysis work product is a preliminary first step that often requires additional analysis in Excel, Access, or some other electronic data product.
    4. Data extraction and analysis work product often provides important evidence of the act, concealment, and conversion but may not be compelling by itself.
  7. Which of the following is not a data extraction and analysis software product?
    1. IDEA
    2. Excel
    3. PowerPoint
    4. ACL
  8. Which graphics presentation likely plays the smallest role in an investigation?
    1. Association matrix
    2. Link charts
    3. Flow diagrams
    4. Timelines
  9. Upon completion of graphics analyses, which of the following is not a likely outcome?
    1. Identification of investigative shortcomings that require additional follow-up
    2. Evidence of the alleged culprit’s psychological condition
    3. The ability to use the analyses to communicate investigative findings
    4. Increased insight into the investigation
  10. In which of the following situations is case management software least likely to benefit an investigation?
    1. A terrorism financing case using shell companies and charities
    2. Organized criminal activities incorporating money laundering techniques in a legitimate business organization
    3. International movement of money to benefit an illegal drug operation
    4. A complicated financial reporting fraud using unsupported journal entries

FRAUD CASEBOOK

MCI WorldCom

Read the following articles or other related articles regarding the MCI WorldCom case and then answer the questions below:

Sources:

Zabihollah Rezaee and Richard Riley, Financial Statement Fraud: Prevention and Detection (Wiley, 2010), “MCI: The Fraud That WorldCom Acquired,” pp. 216–17.

Neil Weinberg, “Aggressive Accounting: Ring of Thieves,” Forbes.com, June 10, 2002.

Mike Celizic, “White Collar Ex-con: Jail Looms for Mortgage Execs,” MSNBC, October 8, 2008.

For a more complete description of these events, see Pavlo, Walter, Jr., and Neil Weinberg, “Stolen without a Gun: Confessions from Inside History’s Biggest Accounting Fraud – the Collapse of MCI WorldCom,” Etika, 2007.

Short Answer Questions

1. How much cash did Mr. Pavlo steal in six months?

2. What was the accounting inadequacy at MCI that Mr. Pavlo faced?

3. At least how many financial reporting (accounting) schemes did Mr. Pavlo use for the MCI collection problem?

4. What opportunity did Mr. Pavlo perceive would allow him to perpetrate his fraud and get away with it?

5. How much time did Mr. Pavlo spend in prison?

6. Who were Mr. Pavlo’s unintended victims?

Discussion Questions

1. From the excerpt and article, describe the rationalizations used by Mr. Pavlo.

2. Given that Mr. Pavlo’s fraud was restricted to an accounts receivable embezzlement scheme, what symptoms might auditors observe?

3. Given that Mr. Pavlo’s fraud was restricted to an accounts receivable embezzlement scheme but was buried among legitimate accounts receivable transactions, describe the three most effective data extraction and analysis tests (using IDEA, Picalo, or ACL) for accounts receivable that you believe would identify this fraud and state why you believe them to be effective. (Limit your answer to no more than one page.)

BRIEF CASES

Chart and Graphical Presentation

Assume the following:

  1. A construction contract has the following language: “It is the responsibility of the contractor to inspect and become familiar with the Project and to acquaint itself thoroughly with all conditions likely to be encountered in performing the required work.”
  2. The construction required extensive outside work in nature’s elements.
  3. Typical rain for July was eight days averaging 0.5 inches per day for a historical monthly rain of 4 inches (4").
  4. Typical rain for August was ten days averaging 0.5 inches per day for a historical monthly rain of 5 inches (5").
  5. July and August rain was as follows:
    Analysis of Rain

    July                      August
    Day   Date   Rain (in.)   Day   Date   Rain (in.)
    W      1     0.01         Sa     1     0.01
    M      6     0.2          Su     2     0.45
    T      7     0.31         M      3     0.05
    W      8     0.09         W      5     0.30
    Th     9     0.05         Th     6     0.43
    F     10     0.71         Su     9     0.11
    Sa    11     0.1          M     10     1.09
    Th    16     0.54         Th    13     2.33
    F     17     0.01         Su    16     0.13
    Sa    18     0.91
    W     22     0.18
    Th    23     0.14
    F     24     0.04
    M     27     0.03
    F     31     0.08
  6. Assume that when the contractor cancels work for rain, scheduled employees were paid for rain. Paid rain days for July and August were as follows:
    Employees Paid for Rain
    July
    F 10 Rain Pay
    August
    Th 6 Rain Pay
    M 10 Rain Pay
    Th 13 Rain Pay

    Assignment: Using the information and assumptions provided above, select one chart or graphical format and, using a software package of your choice, analyze and present the information on a single page, using only one chart or graphic (properly labeled) to highlight the possible impact of rain, if any, on the construction project.

Graphical Presentation: Keystone

Part I

Assume the following facts:

  1. Keystone is defunct, has zero assets, and has two liabilities remaining on its balance sheet:
    1. Unsecured pension liability = $5 million
    2. Secured loan to an owner named Mr. Javlin = $10,000,000
  2. Assume that Keystone has two owners: Mr. Javlin (67%) and Mr. Linton (33%)
  3. Assume that during the period 20×2 through 20×8, companies owned by Mr. Javlin were paid $32,000,000 by Keystone. Company names included Sword Ridge, Sword River, Rock River, Rock Rider, Cobra Coal, Rock Walker, Arctic Resources, Cinnamon Resources.
  4. Assume that during the period 20×2 through 20×8, companies owned by Mr. Linton were paid $16,000,000 by Keystone. Company names included Atlantic Supply, Keystone Land & Coal, First Management, Sundance.
  5. After one year of litigation discovery, no evidence was provided by Keystone, Javlin, or Linton to substantiate the business purposes for these payments by Keystone.
  6. Neither Mr. Javlin nor Mr. Linton drew a salary during the period 20×2–20×8.

Assignment: Graphically present this information on one sheet of paper.

Part II

Assume the following additional facts:

  1. During the period 20×2–20×8, Keystone had capital expenditures for investments in new property, plant, and equipment and equipment rentals as follows:
       Year    Cap Ex          Rental Expense
    a. 20×2    $1.6 million    $1.2 million
    b. 20×3    $500,000        $1.05 million
    c. 20×4    $600,000        $800,000
    d. 20×5    $175,000        $900,000
    e. 20×6    $25,000         $800,000
    f. 20×7    $50,000         $750,000
    g. 20×8    $0              $250,000

Assignment: Graphically present this information on one sheet of paper. What conclusions can you draw?

MAJOR CASE INVESTIGATION

The following is the “inventory” of items received to continue the examination at Johnson Real Estate. The goal is to focus on the missing deposits: who, what, when, where, and how.

  • Hume Trucking & Hauling, Riverwalk Bank of Morgantown account (subpoenaed from bank)
    • February 20×9–January 20×0 Bank Statements
    • February 20×9–January 20×0 Canceled Checks
  • David Hume Affidavit (Hume was unaware that his bank records had been subpoenaed)

These items will be provided by the course instructor.

Assignment:

Continuing to focus on evidence associated with the act, concealment, and conversion, use the evidentiary material to continue the examination. In addition, as the examiner, also start to think in terms of who, what (did the person(s) do), when (during what period?), where (physical place, location in books and records), and how (perpetrated, hidden, and did the perpetrator benefit).

IDEA EXERCISES: ASSIGNMENT 11

Case background: See Chapter 1.

Question: Does the Fairmont payroll system’s company expense file match to its payroll disbursements file?

Student task: Students should (a) present a listing of company expense disbursements that do not appear to have corresponding disbursements in the payroll system and (b) discuss the finding and recommend investigative next steps.

Student material with step-by-step screenshots for completing the assignment is available from your instructor.

TABLEAU EXERCISES: ASSIGNMENT 11

Tableau case background: See Chapter 1.

The forensic audit showed that a general accounting clerk, Mary Perez, has company expenses for FICA (social security), Medicare, and 401K, despite having no hours or gross payroll expense.

Question: Can you create a graphic of the Fairmont payroll system’s company expenses that highlights that general accounting clerk Mary Perez has company expenses for FICA (social security), Medicare, and 401K, despite having no hours or gross payroll expense?

Student task: Students should (a) highlight general accounting clerk Mary Perez’s company expenses for FICA (social security), Medicare, and 401K, as well as gross payroll expense and hours, and (b) discuss the finding and recommend investigative next steps.

Student material with step-by-step screenshots for completing the assignment is available from your instructor.
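The matching test behind the IDEA and Tableau assignments above can also be expressed as a short script. This is an added example, not part of the textbook or the Fairmont case files: the records are constructed, and the field names (emp_id, period, hours, gross, type, amount) are assumptions.

```python
from decimal import Decimal

# Constructed sample rows, NOT the Fairmont case files; field names are assumptions.
PAYROLL = [
    {"emp_id": "E001", "period": "2024-01", "hours": "160", "gross": "4000.00"},
    {"emp_id": "E002", "period": "2024-01", "hours": "152", "gross": "3800.00"},
    {"emp_id": "E003", "period": "2024-01", "hours": "0", "gross": "0.00"},
]
EXPENSES = [
    {"emp_id": "E001", "period": "2024-01", "type": "FICA", "amount": "248.00"},
    {"emp_id": "E001", "period": "2024-01", "type": "Medicare", "amount": "58.00"},
    {"emp_id": "E002", "period": "2024-01", "type": "FICA", "amount": "235.60"},
    {"emp_id": "E003", "period": "2024-01", "type": "FICA", "amount": "210.80"},
    {"emp_id": "E003", "period": "2024-01", "type": "401K", "amount": "102.00"},
    {"emp_id": "E004", "period": "2024-01", "type": "Medicare", "amount": "49.30"},
]


def summarize_payroll(rows):
    """Total hours and gross pay per (employee, pay period)."""
    totals = {}
    for r in rows:
        key = (r["emp_id"], r["period"])
        rec = totals.setdefault(key, {"hours": Decimal("0"), "gross": Decimal("0")})
        rec["hours"] += Decimal(r["hours"])
        rec["gross"] += Decimal(r["gross"])
    return totals


def reconcile(expenses, payroll):
    """List company expenses that have no supporting payroll activity.

    Two exception types are reported per (employee, period):
    - the expense file has rows but the payroll disbursement file has none;
    - payroll rows exist but show zero hours and zero gross pay.
    """
    pay = summarize_payroll(payroll)
    found = {}
    for e in expenses:
        key = (e["emp_id"], e["period"])
        rec = pay.get(key)
        if rec is None:
            reason = "no payroll disbursement record"
        elif rec["hours"] == 0 and rec["gross"] == 0:
            reason = "zero hours and zero gross pay"
        else:
            continue  # expense is supported by paid work in that period
        item = found.setdefault(key, {
            "emp_id": key[0], "period": key[1], "reason": reason,
            "types": [], "total": Decimal("0"),
        })
        item["types"].append(e["type"])
        item["total"] += Decimal(e["amount"])
    return [found[k] for k in sorted(found)]


if __name__ == "__main__":
    for row in reconcile(EXPENSES, PAYROLL):
        print(row["emp_id"], row["period"], row["reason"],
              ", ".join(row["types"]), row["total"])
```

Each exception is a lead for follow-up (personnel file, timekeeping records, who entered the expense rows), not proof of fraud by itself.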

Endnotes
