In this chapter and the following modules, we examine various tools and techniques for fraud detection and risk assessment grounded in information technology. These modules, along with the learning objectives, include the following:
The purpose of this chapter is to provide an overview of the information systems control environment, as well as big data, data extraction, and analysis tools and techniques. Technology is a specialized area, and, as a result, the auditor, fraud examiner, or forensic accountant may need to solicit the assistance of a professional with expertise in digital environments, tools, and techniques. Of course, determining the required level of expertise is similar to other tasks that arise in many areas of the fraud examination or forensic accounting engagement—it requires judgment on the part of the professional involved.
The starting point for the use of electronic data in the fraud or forensic accounting area, as a means of fraud prevention and deterrence, is an evaluation of the integrity of the data and their related systems. Many have heard the acronym GIGO, “garbage-in, garbage-out.” If the data going into the information system lack integrity—the data has been manipulated or corrupted, or the information processes somehow destroy the integrity of the data—any information subsequently extracted will lack integrity. Similar to the chain of custody concepts, good audit trails that allow the data to be tracked through the system are also crucial to the goal of maintaining data integrity and, just as important, the ability to prove the origins and credibility of the data.
Many of the process controls applicable to paper-based information systems are analogous to the internal controls surrounding digital information systems. An information technology (IT) audit consists of (1) planning, (2) tests of controls, and (3) substantive tests. Further, the IT audit requires an understanding of the control environment related to IT; risk assessment of the things that could go wrong in an IT environment; and information, communications, monitoring, and independent checks of the IT systems’ internal controls. Some of the control activities in an IT environment that parallel those in the world of paper include proper authorization and access controls, segregation of IT duties, IT supervision and approval, adequate record keeping, and independent supervision and verification.
More specific to IT, the general framework for viewing IT risks and controls includes the following [3]:
Each of these areas has particular control issues and needs to be examined carefully because data integrity issues can arise in any area.
Big data, data analytics, and CAATTs (computer-aided audit tools and techniques) can assist with the testing of the IT systems control environment. One of the necessary areas of concern is applications controls. Applications are systems or subsystems in the areas of accounting, finance, marketing, sales, warehousing, distribution, payroll, personnel, etc. Application controls are designed to address risks that threaten the processing and storage of data in these areas.
The first application control applies to the initial input of data. A transaction must start somewhere, and someone must have the authority to initiate that transaction. The important financial and operational attributes of that transaction must then be captured by the digital system. In paper-based systems, this is accomplished by first “writing” the transaction on paper, such as preparing an invoice, or the transaction can be entered directly into the computer system. In some cases, such as e-commerce, transactions are entered directly into the computer by participants to the transaction who are not employees of the company; ordering a product on Amazon.com is an example. In such cases, little or no traditional source documents exist in paper form. In other cases, a paper trail is created.
Similar to paper-based information systems, the source documentation that supports the electronic data systems should be logged, date and time stamped, prenumbered, and used in sequence. Supporting source documents should be audited periodically and should be retained physically, or in electronic format, because they may include transaction information; sign-offs for those who prepared the document/transaction; required approvals and other authorizations; and the identity of the person who processed the information into and/or through the application system.
Once documents or transactions are captured by the application systems, data coding controls can be used to identify transcription and transposition errors. In some cases, check digits may accompany transactions as a means of authenticating those transactions as they move throughout the system.
Batch controls are used when groups of documents or transactions are entered or processed in batches (e.g., totals for a day). Batch controls may consist of a document count or a manual sum of all the transactions to be entered, which is later compared to the electronic batch total from the computer system after entry. Batch total controls use system-generated criteria that ensure data integrity for groups of transactions as they move through the system.
Validation controls detect input errors by flagging those transactions that fall outside accepted ranges. These controls may look for numeric, alphabetical, or alpha-numeric data in a particular field, as an example. They attempt to identify and isolate errors during data input, so that the error can be addressed before those data are further processed. Validation controls can also be established to ensure that the correct file is accessed.
Record validation is another technique that ensures that data relationships within a record make sense. It can include reasonableness checks, sequence checks, and other checks. An important application control is input error correction. This control requires that all errors are properly addressed prior to the data being processed through the system.
Finally, the application input system needs to be examined, as a whole, to ensure that input errors can be identified and addressed as quickly as possible.
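The input controls described above can be seen working together on one batch. The following is an added example, not taken from the original text: it applies a check digit, a range validation, a sequence check on prenumbered documents, and a batch control comparison to a constructed batch of payments. The Luhn scheme, the field names, and the 10,000.00 limit are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


def luhn_check_digit(payload: str) -> str:
    """Check digit for a numeric payload (Luhn scheme, assumed for this example)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost payload digit is doubled first
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def has_valid_check_digit(number: str) -> bool:
    """True when the last digit matches the check digit of the preceding digits."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


@dataclass
class Payment:
    doc_no: int        # prenumbered source document
    vendor_id: str     # vendor account number with trailing check digit
    amount: Decimal


def run_input_controls(keyed, control_count, control_total, max_amount):
    """Apply field validation, a sequence check, and batch controls to keyed data.

    control_count and control_total come from the manual tally of the source
    documents, taken before the batch was keyed.
    """
    accepted, rejected = [], []
    for p in keyed:
        reasons = []
        if not has_valid_check_digit(p.vendor_id):
            reasons.append("vendor check digit")      # transcription/transposition
        if not (Decimal("0") < p.amount <= max_amount):
            reasons.append("amount out of range")     # validation control
        if reasons:
            rejected.append((p.doc_no, reasons))      # held until corrected
        else:
            accepted.append(p.doc_no)

    # Sequence check: prenumbered documents should appear without gaps.
    doc_nos = [p.doc_no for p in keyed]
    missing = (sorted(set(range(min(doc_nos), max(doc_nos) + 1)) - set(doc_nos))
               if doc_nos else [])

    # Batch control: compare what was keyed with the manual tally.
    keyed_total = sum((p.amount for p in keyed), Decimal("0"))
    return {
        "accepted": accepted,
        "rejected": rejected,
        "missing_docs": missing,
        "count_diff": len(keyed) - control_count,
        "total_diff": keyed_total - control_total,
    }


# Constructed sample batch. Document 1002 has two vendor digits transposed,
# document 1003 was keyed as 5400.00 although the source document reads 4500.00,
# document 1004 was never keyed, and document 1005 exceeds the amount limit.
KEYED_BATCH = [
    Payment(1001, "4001236", Decimal("1250.00")),
    Payment(1002, "4001326", Decimal("310.40")),
    Payment(1003, "4004578", Decimal("5400.00")),
    Payment(1005, "4007894", Decimal("25000.00")),
]

# Manual tally of the five source documents: count 5, total 31135.50.
REPORT = run_input_controls(KEYED_BATCH, 5, Decimal("31135.50"), Decimal("10000.00"))

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(f"{key}: {value}")
```

Document 1003 passes every field-level check; only the batch total and the sequence check reveal that the keyed data do not agree with the source documents.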
Once the transaction data are “inside” the application system(s), they are available for further processing and transfer to other application systems. Processing controls are necessary to ensure that processed data maintain integrity as they move through the system. These include run-to-run controls that monitor various batch totals, recalculate control totals, transaction codes, and sequence checks, as data move from procedure to procedure. Some data processing requires systems operator intervention to initiate further action. Operator intervention increases the chance of human error, so controls need to be in place to minimize this. As data are processed through the system, an audit trail also needs to be developed. The data audit trail usually includes transaction logs, logs of automated transactions, a listing of automated transactions, unique transaction identifiers, and error logs.
Once the data have been sufficiently processed, they are available for output in the form of reports, as well as for transfer to other systems for additional processing. Output controls are established for spooling (how outputs move through the system and address output backlogs), print programs, and bursting (separating and collating printed pages). Output controls also address how to monitor waste and how to identify who is responsible for data accuracy and maintenance, report distribution, and end-user controls.
Auditors and forensic accountants who specialize in IT audit and assurance can approach IT system controls testing by one of two major approaches. First, the IT systems can be audited around. This is often referred to as the “black-box” approach, by which the professional relies on interviews and flowcharts to develop an understanding of the systems but primarily tests the integrity of the data and the system by reconciling inputs to outputs. The second alternative is the “white-box” approach, which utilizes a relatively small dataset to test the system. Some of the tests performed include authenticity, accuracy, completeness, redundancy, access audit trail, and rounding error tests. CAATTs can facilitate the white-box approach by creating test data and performing electronic system walk-throughs (tracing). Computer forensic professionals may employ integrated test facilities by which the auditor examines the applications and their logic during normal operations by running parallel simulations.
These examinations are necessary to ensure that the data used by the auditor or forensic accountant have integrity. Various levels of assurance are necessary, depending on the engagement. Professionals in this environment need to be cognizant of the possibility that one or more of the IT systems personnel may be colluding with others to commit or conceal fraud. As such, fraud and forensic accounting professionals need to remain alert to the human side of fraud, the fraud triangle (pressure, opportunity, and rationalization), as well as M-I-C-E (motivations such as money, ideology, coercion, and ego). In fact, the IT professional may be in a unique position to commit and conceal a fraud, simply because so few others understand IT and how data can be manipulated.
The prior discussion focused mainly on the integrity of data entered into, processed by, and output from the digital environment. However, other risks may be present. For example, the data may accurately go through the system as programmed in the software, but an IT professional periodically substitutes an inappropriate version of the software into the digital environment. Thus, in this example, most transactions are handled correctly and according to system design and company policy; however, some legitimate data are processed by the substituted software and, as a result, are not accurate. Searching for those exceptional transactions requires sifting through the remainder, but it can be approached more effectively with some of the following data extraction and analysis tools.
The IT auditors or assurance professionals need to ensure that they examine the entire control environment, including controls that address other aspects of the computer operation—such as IT operational policies and procedures; data management systems; systems development and integration into the digital environment; system maintenance policies and procedures, including backup and contingency planning; electronic commerce; and daily, weekly, monthly, and annual computer operations—with regard to hardware, software, and IT personnel and user access.
In the New York Times article “Mishandle a Fraud Search, and All That Fine Evidence Could Be for Nothing,” [4] Peter Henning observed that
“The government obtained warrants to search Benjamin Wey’s company, New York Global Group, and his New York City apartment for evidence that he used other companies and investors as part of a plan to manipulate the shares of companies used for mergers with China-based businesses. The warrants listed 12 categories of documents that related to transactions with 220 individuals and companies, including the seizure of computers and other electronic devices that might contain records related to them.”
The warrant allowed agents to open every file to view the first few pages of a document, and search terms could be used to scan the laptop’s entire memory. In upholding the search, the United States Court of Appeals for the Second Circuit in Manhattan pointed out that “files and documents can easily be given misleading or coded names, and words that might be expected to occur in pertinent documents can be encrypted; even very simple codes can defeat a preplanned word search.”
So what caused the problem for prosecutors in the case? According to Henning, “the primary flaw was that while the affidavit submitted by an F.B.I. agent to a magistrate judge gave a reasonable description of the crimes under examination, that document was not incorporated in the warrant, or even attached to it, to establish the parameters for the search.” As Henning concluded, “Judge Nathan’s decision sends a clear message to agents and prosecutors in white-collar-crime examinations to tread carefully when using a search warrant to gather evidence. Although a treasure trove of materials can be obtained this way, failing to pay attention to the details of properly writing and executing a warrant can have devastating consequences for a case.”
Auditors solicit, obtain, evaluate, and develop audit evidence to test management’s assertions concerning the fairness of the presentation of the financial statements and to ensure that they are free from material misstatement, whether as a result of error or fraud. The assertions of management related to financial statements include the following:
As part of their work, forensic accountants and fraud examiners use information technology to gather, manage, and analyze evidence. Digital evidence analysis is particularly beneficial when the professional must sift through, organize, and analyze large amounts of evidence. Given Internal Revenue Service cycle times, audit engagement budgets, and cost-benefit considerations in litigation support engagements, large amounts of data, evidence, and information must be examined with speed and accuracy. Electronic imaging is a technique for scanning evidence and case documents into an electronic format for easy storage and retrieval. This process normally entails some coding to facilitate ease of access. Once the material has been captured and coded in electronic format, the professional can sort, analyze, and examine the data.
Computer forensics involves using specialized tools and techniques to image and capture data and information, housed on computer hardware and embedded in software applications, so that the integrity and chain of custody of such evidence is protected and can be admitted into a court of law. Electronic evidence refers to any evidence captured by computers and electronic devices. As such, it can be captured from desktop computers, notebook computers, network servers, backup storage medium, cell phones, personal digital assistants (PDAs), handheld computers, CDs, DVDs, digital cameras, stick drives, or any other electronic device or storage medium. Electronic mail (email), text messaging, social media posts, and correspondence are a rich source of digital evidence. People often put comments and information in electronic forms that they might never say out loud or include in a formal memo or letter. As with other digitized information, the challenge with electronic communication is the sheer volume of exchanges. It is only through electronic retrieval and searches that the benefits of these data are available to the investigator. Generally, a warrant or subpoena is required to obtain digital evidence. To obtain a warrant, the professional must show probable cause.
One of the main concerns in the digital environment is related to the initial acquisition of the evidence. Auditors and forensic accountants may attempt to “do too much” when they first encounter digital evidence. For example, the simple act of turning on a confiscated computer, digital camera, cell phone, PDA, etc. may make all the evidence on that digital device inadmissible in a courtroom. That is because, as soon as a device is turned on, it starts writing logs and performing other activities that alter the structure of the hard drive where data are stored (the defense would argue that the alterations show that the digital evidence had been tampered with). If this is the situation, it can’t be proven beyond a reasonable doubt what the data looked like before the device was booted up. Forensic accountants and fraud examiners seldom perform the work that is within the expertise of computer forensic professionals—usually, computer and electrical engineers and management information systems (MIS) personnel—who have specialized training and experience in digital evidence associated with fraud and forensic accounting issues. It is not only the need to protect the integrity of the data that justifies the use of the specialized knowledge, skills, and abilities of the computer forensic specialist but also their ability to find hidden information, deal with encrypted data, and retrieve previously deleted or erased files.
When the traditional forensic accountant or fraud examiner receives data in electronic format, they presume the digital evidence was obtained through legal means and was extracted in accordance with methodologies that protect its admissibility in a court of law. Students should understand that, with regard to digital evidence, only those with specialized training, experience, and appropriate professional certifications should initially handle digital evidence. Once the digital evidence has been made available to auditors and forensic accountants, they may work with the tools discussed in the following section to conduct audit procedures that will help them to detect and investigate fraud.
To maintain data integrity and admissibility, the antifraud/forensic accounting professional needs to be able to reconcile their work back to initially retrieved “master” datasets. Consistent with other aspects of the fraud and forensic accounting engagement, professionals should maintain good work papers and be able to demonstrate the foundations of their work. In an electronic world, audit trails and logs are especially helpful. As an example, if the data extraction and analysis require multiple steps, each step and its results should be documented.
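One way to make each analysis step reconcile back to the master dataset is a hash-chained work log. The following is an added example, not taken from the original text: the `WorkLog` class, the step names, the timestamps, and the invoice data are all constructed for illustration, and SHA-256 is an assumed choice of hash.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class WorkLog:
    """Hash-chained record of analysis steps, anchored to the master dataset."""

    def __init__(self, master: bytes):
        # Hash taken when the master dataset is first received.
        self.master_sha256 = sha256_hex(master)
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_sha256"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))

    def record(self, step: str, when: str, data_in: bytes, data_out: bytes) -> dict:
        """Log one step: what was done, on which input, producing which output."""
        prev = self.entries[-1]["entry_sha256"] if self.entries else self.master_sha256
        entry = {
            "seq": len(self.entries) + 1,
            "step": step,
            "when": when,
            "input_sha256": sha256_hex(data_in),
            "output_sha256": sha256_hex(data_out),
            "prev_sha256": prev,   # links this entry to the one before it
        }
        entry["entry_sha256"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self, master: bytes) -> list:
        """Return a list of problems; an empty list means the trail reconciles."""
        problems = []
        if sha256_hex(master) != self.master_sha256:
            problems.append("master dataset does not match the hash taken at receipt")
        expected_prev = self.master_sha256
        expected_input = self.master_sha256
        for e in self.entries:
            if e["prev_sha256"] != expected_prev or self._digest(e) != e["entry_sha256"]:
                problems.append(f"step {e['seq']}: log entry altered or out of order")
            if e["input_sha256"] != expected_input:
                problems.append(f"step {e['seq']}: input does not reconcile to prior output")
            expected_prev = e["entry_sha256"]
            expected_input = e["output_sha256"]
        return problems


# Constructed master dataset standing in for the extract received from the specialist.
MASTER = (b"invoice,vendor,amount\n"
          b"INV-001,Northwind,4800.00\n"
          b"INV-002,Acme,9950.00\n"
          b"INV-003,Acme,9975.00\n"
          b"INV-004,Contoso,120.00\n")


def filter_rows(data: bytes, minimum: float) -> bytes:
    """Keep the header and every row whose amount is at least `minimum`."""
    lines = data.decode("utf-8").splitlines()
    kept = [ln for ln in lines[1:] if float(ln.split(",")[2]) >= minimum]
    return ("\n".join([lines[0]] + kept) + "\n").encode("utf-8")


def sort_by_vendor(data: bytes) -> bytes:
    lines = data.decode("utf-8").splitlines()
    rows = sorted(lines[1:], key=lambda ln: ln.split(",")[1])
    return ("\n".join([lines[0]] + rows) + "\n").encode("utf-8")


def build_demo_log() -> WorkLog:
    """Two documented steps, each working on the output of the one before."""
    log = WorkLog(MASTER)
    step1 = filter_rows(MASTER, 5000.0)
    log.record("filter amount >= 5000", "2024-01-15T09:00:00Z", MASTER, step1)
    step2 = sort_by_vendor(step1)
    log.record("sort by vendor", "2024-01-15T09:05:00Z", step1, step2)
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print("problems:", demo.verify(MASTER))
    demo.entries[0]["step"] = "filter amount >= 50"   # simulated after-the-fact edit
    print("after edit:", demo.verify(MASTER))
```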
Numerous tools have been developed to gather and protect digital evidence, some of which are described as follows.
Road MASSter 3 can be described as a portable computer (digital) forensic lab. It is housed in a metal briefcase-type container on wheels; inside is a keyboard, a color LCD display, and data-copying devices. Road MASSter 3 can be used in the field (e.g., at crime scenes or search warrant locations) to acquire and analyze electronic data and preview and image hard drives. The system can copy the hard drive to a number of different formats for subsequent data extraction and analysis, including Microsoft Windows XP (Access and Excel), Linux, EnCase, Safe Back, ICS, or other imaging file formats. Road MASSter 3’s tools are designed to perform quick, reliable hard drive imaging and data analysis. The device can be used to image hard drives of any kind as well as to capture data from other media (e.g., CDs, stick drives, flash drives) and unopened computers. IT computer forensics professionals can also copy and analyze information stored on hard drives and mobile devices, such as smart phones. Investigators can save or print audit trail reports for use as evidence in court. Finally, Road MASSter 3 can also be used to write-protect and sanitize hard drives.
EnCase is another tool for digital imaging of hard drives and other storage media. EnCase acquires data in a forensically sound manner that has generally been accepted in courtrooms. Like Road MASSter 3, EnCase can be used to investigate and analyze data on multiple platforms, including Windows, Linux, AIX, OS X, Solaris, and others. This software also provides tools to identify information stored on hard drives despite efforts to hide, cloak, or delete the data. It is also designed to manage large volumes of computer evidence and to view relevant file types, including so-called deleted files, file slack, and unallocated space. Once the data have been properly and legally obtained, they can be transferred as evidence files for additional analysis and examination.
Computer forensic specialists may discover that files have been deleted from a hard drive. Generally, recovering deleted files is not considered difficult, provided that the file has not been overwritten or corrupted and that the drive has not been repartitioned or reformatted. A number of software tools, for example, UNERASER for Windows and Data Rescue 5 for Apple Computers as well as other similar products, are commercially available. Recovering deleted files is considered a separate task from restoring overwritten or corrupted files. The reason is that when a file is deleted from your computer, it has not been removed from the hard drive. The delete function simply removes the file from the list of files in a particular folder. The first step to recovering a deleted file is to look in the Recycle Bin. With Windows, deleted file names are simply moved there. While the file resides in the Windows Recycle Bin, the file can be restored by “right-clicking” on the file name and choosing “restore.”
If the deleted file is not in the Recycle Bin, it may still be recoverable. When a file is deleted or the Recycle Bin has been emptied, the file name is removed from the list of files in the folder. The risk is that the space where the file resides was made available for reuse. Until the computer reuses the space where the file resides, the data contained in the file remain intact. Obviously, the more time that passes, the lower are the chances of recovering a deleted file intact, because it becomes increasingly likely that the computer will reuse all or part of the file’s disk space for another task.
Another activity that can severely reduce the ability to recover deleted files is the “Defrag” command. Defrag, or defragmenting the hard drive, is a method of reorganizing the computer hard drive so that the unused space is allocated for the most efficient data storage. For example, over time, as the computer user creates and deletes files, adds and removes software, etc., computer programs and files occupy the available hard drive. This creates pockets of used and unused space. The result is that large contiguous storage space is no longer available, and the computer has to store files in pieces. Thus, the computer has to spend time searching for space to save new files and programs, and large files or programs may need to be stored in more than one place on the hard drive. When a computer has a fragmented hard drive, computer operations slow down. Defrag reorganizes the files so that more parts of each file are contiguous. This enhances computer performance and creates a larger cluster of unused storage space. Because defragmenting the hard drive moves the files around, the probability of recovering deleted files is reduced. In the Defrag process, the computer’s files are rearranged to enhance efficiency, and as a result, deleted files are overwritten. After the Defrag command, even undelete software tools have a difficult time restoring deleted files.
Assuming that Recycle Bin recovery is not successful, the Defrag command has not been run, and a limited amount of time has passed since a particular file was deleted, third-party undelete software can be acquired to attempt to recover the deleted files. Undelete software understands the internal system of pointers used by the computer to store files. With this knowledge, it searches for clues as to the location of the disk space where the deleted file may reside. Undelete software can also examine the unallocated disk space, that is, space where the deleted files had been located but which the computer has not yet chosen to reuse. If a number of files are to be recovered, recovered files should be stored on a separate hard drive, stick drive, or some storage space, where the save action will not impair the recovery of other deleted files on the hard drive. The separate hard drive or other external storage device can also be used as the location for the undelete programs for the same reason.
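The behavior described in the preceding paragraphs (deletion removes only the folder entry, the data survive until the space is reused, and recovery tools scan unallocated space) can be shown on a toy volume. The following is an added example, not taken from the original text: `ToyVolume`, its first-fit allocation, the 512-byte sector size, and the file contents are constructed simplifications and do not model any real file system or recovery product.

```python
SECTOR = 512


class ToyVolume:
    """Simplified volume: a byte array plus a directory of (start, sectors, length)."""

    def __init__(self, sectors: int):
        self.sectors = sectors
        self.data = bytearray(SECTOR * sectors)
        self.directory = {}

    def _allocated(self) -> set:
        used = set()
        for first, count, _length in self.directory.values():
            used.update(range(first, first + count))
        return used

    def unallocated(self) -> list:
        used = self._allocated()
        return [s for s in range(self.sectors) if s not in used]

    def write(self, name: str, content: bytes) -> int:
        """Store content in the first run of free sectors large enough (first fit)."""
        need = -(-len(content) // SECTOR)  # ceiling division
        used = self._allocated()
        for first in range(self.sectors - need + 1):
            if all(s not in used for s in range(first, first + need)):
                start = first * SECTOR
                self.data[start:start + len(content)] = content
                self.directory[name] = (first, need, len(content))
                return first
        raise OSError("volume full")

    def delete(self, name: str) -> None:
        # Only the directory entry goes away; the sectors are left as they were.
        del self.directory[name]


def carve(volume: ToyVolume, header: bytes = b"%PDF-", footer: bytes = b"%%EOF") -> list:
    """Scan unallocated sectors for header..footer runs; return (sector, bytes) pairs."""
    free = set(volume.unallocated())
    found = []
    for s in sorted(free):
        start = s * SECTOR
        if volume.data[start:start + len(header)] != header:
            continue
        last = s
        while last + 1 in free:          # stay inside contiguous free space
            last += 1
        region = bytes(volume.data[start:(last + 1) * SECTOR])
        end = region.find(footer)
        if end != -1:
            found.append((s, region[:end + len(footer)]))
    return found


# Constructed file content with a PDF-style header and footer (not a real PDF).
LEDGER = b"%PDF-1.4\n" + b"constructed ledger row\n" * 40 + b"%%EOF"


def demo() -> dict:
    vol = ToyVolume(16)
    vol.write("ledger.pdf", LEDGER)      # occupies sectors 0-1
    vol.write("notes.txt", b"n" * 100)   # occupies sector 2
    vol.delete("ledger.pdf")

    # Recovered data are returned to the caller, never written back to `vol`,
    # mirroring the advice to save recovered files on a separate drive.
    before_reuse = carve(vol)

    # The freed space is reused: first fit puts the new file over sectors 0-1.
    new_file = b"\xaa" * 600
    vol.write("new.bin", new_file)
    after_reuse = carve(vol)

    # The tail of the old file survives beyond the end of the new file's data.
    leftover = bytes(vol.data[len(new_file):len(LEDGER)])
    return {"before": before_reuse, "after": after_reuse, "leftover": leftover}


if __name__ == "__main__":
    result = demo()
    print("recovered before reuse:", [(s, len(b)) for s, b in result["before"]])
    print("recovered after reuse: ", result["after"])
    print("old bytes still present past new data:", len(result["leftover"]))
```

After the space is reused, the header is gone and the whole-file scan finds nothing, yet part of the old content is still physically present, which is why partial recovery can remain possible once intact recovery is not.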
Emails are stored in mail folders (not individually as separate files), and each mail folder is considered a separate file. Some email systems have a recycle bin feature that is analogous to the Windows Recycle Bin for deleted files. If the email software system has a recycle bin, that is the first place to attempt email recovery. However, most email recycle bins have some time limit or some other “auto-empty recycle bin” feature that periodically clears the deleted emails. For example, Outlook Express provides an option to empty the Deleted Items folder when the user exits the program. In such cases, recovery of deleted emails becomes more difficult.
Normally, even after an email has been deleted from a mail folder or from the recycle bin, the space it occupied is left empty until the mail program compacts the folder. Prior to compaction, deleted email messages may be recovered using special email recovery software. Some of the email recovery tools include Email Recovery Software (for Outlook Express and Windows Mail) and Outlook PST Repair (for Microsoft Outlook PST files). Another option for recovering deleted emails is to restore them from backup tapes or another backup storage medium. New e-discovery rules require organizations to be able to provide email and other electronic files that go back in time in a manner similar to that of paper files. So the probability of recovery of email and other deleted files in an e-discovery environment is greatly enhanced.
Restoring data and files is a more sophisticated approach to recovering deleted files and is used to restore lost files under more challenging circumstances, such as the following:
Assuming that techniques to recover deleted files do not work, it is important to stop writing to the drive while the possibility of a missing or unrecoverable deleted file exists. This increases the probability of recovering whatever is left of previously deleted files. At this point, third-party software is most likely necessary to facilitate the restoration process.
Third-party software is not as readily available for Apple Mac computers. However, one such software package for Apple computers is Data Rescue II.
In some cases, the undelete utility from the software package may appear to restore a file, but it is evaluated as corrupt when the user attempts to open it. This may be because the contents of the file are unrecoverable, and some restoration software tools are better than others. Not surprisingly, some of the more effective data recovery tools cost more. Nevertheless, if the restoration project is important and the software package fails, others may be attempted until the file can be fully restored.
If third-party software restoration fails but provides some results, in some cases, software engineers and computer forensic specialists can manually search for lost files. The human brain can often solve difficult tasks. Software programs can replicate the ability to solve complex problems if properly designed and programmed. However, some recovery can be so unpredictable and difficult that even the best software programs cannot anticipate all possible restoration solutions. For example, assume that a computer forensic analyst has a partially recovered Microsoft Word document and the language of the document stops halfway through a sentence (and the rest of the file starting with the unfinished sentence is missing). In such a case, the computer forensic specialist can search the entire hard disk for clusters that may contain what are likely to be the next words in the document (i.e., those words that might complete the sentence) and piece together files from fragments of data. In other cases, the data recovery specialist can restore files by taking the magnetic platters out of the drive casing and reading them using special equipment. Of course, it’s not surprising that manual (intervention) restoration is far more expensive than recovery or restoration using third-party software; however, in some situations, the cost-benefit may warrant the additional cost.
The good news for fraud examiners and forensic accountants is that files deleted from a computer are not actually deleted and can be recovered and restored relatively easily. For perpetrators who rely on the deletion of data to conceal their crimes, this is not good news. For high-security needs, data security software and privacy tools, such as Privacy Guardian or Privacy Suite, are available. These do more than delete files; they overwrite the disk sectors that held the data. Once these sectors have been overwritten, generally, even a computer forensic specialist cannot recover the files. Because some application software programs write data to temporary locations during use, the high-security packages also erase and overwrite known temporary storage locations and other unused disk space. If a tool of this type has been used, the chance of restoring files is, essentially, nonexistent. However, depending on the nature, size, or other attributes of an examination and the importance of the digital evidence, computer forensic tools and techniques may be worth a try. Traces of the sensitive data may remain. Even if all files cannot be recovered, enough pieces may be available that vital evidence can be developed. Like other cases previously described, if high-security or privacy software has been used, a computer forensic specialist likely examines the storage device manually to determine what can be recovered.
General knowledge of tools and techniques used by forensic computer scientists for retrieving files from seized computers—and of how the work of forensic accountants must be coordinated with forensic computer specialists—is an important aspect of fraud examination and forensic accounting engagements. In addition, fraud examiners and forensic accountants need to be able to identify situations that demand a forensic computer specialist, and they need to understand how legal proceedings against a perpetrator can be jeopardized if evidence is gathered by one who lacks appropriate skills.
According to the AICPA’s Journal of Accountancy (“Big Data: What forensic accountants need to know”) [5], many CPAs will need to learn new IT skills due to the rise of Big Data, but those skills should produce a variety of forensic accounting business opportunities. Despite the Big Data buzz, data extraction and analysis is not new to CPAs. Data analytics has been part of the antifraud and forensic accounting professionals’ toolkit for a long time. According to the article, some of the key issues to understand are as follows:
In recent years, computer companies and programmers have developed software that enables users to sift through large volumes of information and transactions. These programs identify customers, suppliers, vendors, and employees and can be used to analyze performance, trends, and other important attributes related to a company. They can also be configured to identify control weaknesses in application programs, as well as anomalies in accounting books and records. Fraud examiners and auditors use data analysis software as the ultimate system of red flags, detecting a potential fraud in situations for which manual examination would prove extremely difficult or impossible.
Because of the sheer size of some databases and the amount of information stored in electronic media, the key to successful fraud detection and examination using digital tools and techniques is a targeted approach. The fraud examiner or auditor must have an understanding of what could go wrong, what did go wrong, and how those concerns would manifest in the information system. This requires knowledge of the schemes, the industry, the organization, its IT control environments, its history of fraud, and other aspects outlined in the steps to develop a targeted risk assessment. With this foundation, the antifraud professional has an idea of what he or she is looking for.
As a starting point for digital analysis, whether for fraud detection or examination, the electronic data must be obtained and delivered in some kind of file structure. Optimally, the data have been converted in advance into a text, ASCII, Microsoft Access, Excel, or some format that can be read and analyzed by some of the more popular programs for data extraction and analysis. From there, the data can be analyzed in the format received or converted for use in programs such as IDEA, ACL, or Tableau. However, the data often come in some other format and must be prepared for use in one of the many programs available for analysis. Data files normally come in either a “flat file” or “hierarchical and network database” structure. Some of the flat file structures include sequential, indexed, hashing, and pointer file structures. With “hierarchical and network database” structures, the database is relational. Relational databases often incorporate some aspects of the flat file structures and linkages between the data as well. These need to be converted for use in programs such as Excel, Access, IDEA, ACL, and Tableau. This can only be done by knowing the type of database and its accompanying file structure.
Each of the previously discussed programs often used by fraud examiners and forensic accountants has “import” functionality embedded in the program. This allows the program to access and read data from various formats for later use. In most cases, the files to be exported from a source computer system, program, or database—whether flat, hierarchical, or network—need to be converted into a file format that can be read by Excel, Access, IDEA, ACL, or Tableau, for example. In other cases, the extraction process creates a generic file structure that most programs can read. No matter how the data are exported from a computer system and, subsequently, imported for use by the fraud examiner or forensic accountant, data and file integrity controls must be in place to ensure completeness and accuracy.
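One way to apply the completeness and accuracy controls described above is to record control figures when the file is extracted and recompute them after import. The following Python sketch is an added example, not part of the original chapter or of any of the named products; the file layout, field names, and amounts are constructed for illustration.

```python
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample export (not data from the chapter).
EXPORT = (
    b"entry_id,date,account,amount\n"
    b"1001,2023-01-05,1200-AR,1250.00\n"
    b"1002,2023-01-05,4000-Revenue,-1250.00\n"
    b"1003,2023-01-09,6100-Rent,830.45\n"
    b"1004,2023-01-09,1000-Cash,-830.45\n"
)

CONTROL_FIELDS = ("sha256", "record_count", "control_total", "abs_total")


def build_manifest(data: bytes, amount_field: str = "amount") -> dict:
    """Compute control figures at extraction time, before the file changes hands."""
    rows = list(csv.DictReader(io.StringIO(data.decode("utf-8"))))
    amounts = [Decimal(r[amount_field]) for r in rows]
    return {
        # Byte-for-byte identity of the delivered file.
        "sha256": hashlib.sha256(data).hexdigest(),
        # Completeness: no records dropped or added.
        "record_count": len(rows),
        # Net control total (debits and credits offset each other).
        "control_total": str(sum(amounts, Decimal("0"))),
        # Gross movement: catches offsetting edits that leave the net total unchanged.
        "abs_total": str(sum((abs(a) for a in amounts), Decimal("0"))),
    }


def verify_import(received: bytes, manifest: dict, amount_field: str = "amount") -> list:
    """Return the control figures that no longer match; an empty list means intact."""
    current = build_manifest(received, amount_field)
    return [k for k in CONTROL_FIELDS if current[k] != manifest[k]]


if __name__ == "__main__":
    manifest = build_manifest(EXPORT)
    print("manifest:", manifest)
    # Both sides of one entry are altered by the same amount, so the net total still ties.
    altered = EXPORT.replace(b"830.45", b"930.45")
    print("altered copy fails on:", verify_import(altered, manifest))
    # The last entry is removed entirely.
    truncated = b"\n".join(EXPORT.split(b"\n")[:3]) + b"\n"
    print("truncated copy fails on:", verify_import(truncated, manifest))
```

The altered copy shows why a net control total alone is a weak check: the entry still balances, and only the file hash and the gross total reveal the change.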
A continued point of emphasis is the idea that a targeted approach is required. There are horror stories of IT specialists running programs that kick out thousands of anomalies that may be indicative of fraud, errors, internal control breakdowns, or other issues. However, the exceptions are so numerous that no one from the audit team has the time to examine each anomaly. Such an approach may even create liability exposure for the financial statement auditor, because a diligent lawyer may subpoena such records and contract with other professionals who take the time to sift through the anomalies to locate the few that were indicative of a much larger problem. Although the action or inaction of the auditors with respect to such an extensive number of anomalies makes sense and is justifiable, a jury may take a different position, if a significant (material) fraud is subsequently discovered when, all the while, the auditors had the red flags right in front of them.
In contrast, a targeted risk assessment, followed by incorporating IT tools and techniques that search for specific anomalies, is likely to yield far fewer exceptions and a far higher probability that the red flags deserve additional attention and work on the part of the auditor. Conan Albrecht and Steve Silver have referred to this as a “rifle shot” approach, as opposed to a “shotgun” approach to data extraction and analysis.
Big data, data analytics, and financial analytics are terms that have gained recognition in the financial forensics community. Such approaches to data analysis, used in a targeted manner, can contribute significantly to both the effectiveness and efficiency of a forensics examination. For example, in one case, extensive related party accounts receivable (A/R) transactions were buried in the general ledger. Other symptoms of fraud initiated the examination, but the discovery that about 40% of revenues came from related parties shifted the examination toward A/R. Related parties totaled approximately 30 of 100 customers (30%). In numerous instances, related-party A/R balances were allowed to accumulate and then written off against (buried) revenues. The write-offs were done by an individual related-party entity, and identifying them among the numerous revenue and receivables transactions was time-consuming. These transactions spanned a five-year period and were documented in printed general ledgers with each general ledger requiring about a 3-inch binder.
After a day or so of engagement time had been spent, the QuickBooks general ledgers were requested in electronic format. Knowing that electronic analysis would probably blow the case wide open, the opposing side resisted for months. Finally, the five general ledgers in CSV format were received on a Friday afternoon. By Saturday afternoon, all five had been imported into Excel and analyzed. The findings revealed that millions of dollars of related-party receivables had been written off. In the private company under examination, the unrelated party shareholders were negatively impacted in their annual dividend payoffs because of this “disappearing” money in the hands of the controlling shareholder’s family members. Only with the benefit of electronic analysis was this examination able to be completed in a cost-effective manner.
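The targeted query behind an analysis like this one can be expressed in a few lines once the ledgers are in CSV form. The Python below is an added illustration, not the analysis actually performed in the case; the ledger layout, account names, customers, and amounts are all constructed. It flags journal entries that credit a related party's receivable while debiting revenue, and ignores ordinary collections and unrelated-party adjustments.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed general-ledger extract; account names and customers are hypothetical.
GL_CSV = """entry_id,date,account,customer,debit,credit
J100,2019-03-01,Accounts Receivable,Delta Holdings,50000.00,0
J100,2019-03-01,Sales Revenue,,0,50000.00
J101,2019-04-10,Cash,,8000.00,0
J101,2019-04-10,Accounts Receivable,Acme Supply,0,8000.00
J102,2019-11-30,Sales Revenue,,50000.00,0
J102,2019-11-30,Accounts Receivable,Delta Holdings,0,50000.00
J103,2020-02-14,Sales Revenue,,1200.00,0
J103,2020-02-14,Accounts Receivable,Acme Supply,0,1200.00
J104,2020-06-30,Sales Revenue,,30000.00,0
J104,2020-06-30,Accounts Receivable,Kline Family Trust,0,30000.00
J105,2020-07-15,Cash,,10000.00,0
J105,2020-07-15,Accounts Receivable,Delta Holdings,0,10000.00
"""

# Assumed to come from the examiner's own related-party identification work.
RELATED_PARTIES = {"Delta Holdings", "Kline Family Trust"}


def find_related_party_writeoffs(gl_text, related,
                                 ar="Accounts Receivable", revenue="Sales Revenue"):
    """Flag entries that credit a related party's A/R and debit revenue in the same entry."""
    entries = defaultdict(list)
    for row in csv.DictReader(io.StringIO(gl_text)):
        entries[row["entry_id"]].append(row)

    hits = []
    for entry_id, lines in entries.items():
        revenue_debited = any(
            line["account"] == revenue and Decimal(line["debit"]) > 0 for line in lines
        )
        if not revenue_debited:
            continue  # e.g. a cash collection: A/R is credited but revenue is untouched
        for line in lines:
            if (line["account"] == ar and line["customer"] in related
                    and Decimal(line["credit"]) > 0):
                hits.append({
                    "entry_id": entry_id,
                    "date": line["date"],
                    "customer": line["customer"],
                    "amount": Decimal(line["credit"]),
                })
    return hits


def summarize_by_party_and_year(hits):
    """Total the flagged write-offs per related party and calendar year."""
    totals = defaultdict(Decimal)
    for hit in hits:
        totals[(hit["customer"], hit["date"][:4])] += hit["amount"]
    return dict(totals)


if __name__ == "__main__":
    flagged = find_related_party_writeoffs(GL_CSV, RELATED_PARTIES)
    for hit in flagged:
        print(hit)
    print(summarize_by_party_and_year(flagged))
```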
Digital analysis can be used as part of risk assessment, testing of controls, substantive analytical procedures, testing of transaction details (e.g., recalculation), and, upon completion, helping to formulate conclusions and opinions. In many cases, the results from the analytical procedures form the foundation of “paper-and-pencil” work: pulling invoices, contracts, purchase orders, journal entries, reconciliations, and other materials needed to complete the examination in terms of who, what, when, where, and how. In other cases, the digital analytical results are compelling and stand-alone.
Digital data can be disaggregated along numerous lines including the following:
In fraud and forensic examinations, timing is often a critical component. Digital data lends itself well to examinations across time and by time period.
As with nondigital data, the quality of the data matters, including the source (reliability) and the accuracy (validity) of the data. Data generated in the accounting and financial reporting areas may be corrupt, whereas data from other operational areas (e.g., marketing, distribution, online sales) and data from external (independent) third parties may be more reliable.
Metadata can also contribute significantly to fraud examination and forensic analysis. Metadata is not the data in the file itself that most people retrieve, access, analyze, etc., but is more like an activity log that captures file details, such as who created the file, when, who last edited the file and when, etc. This data can be critical to answering many of the questions—who, what, when, where, and how.
With the power of computing increasing over time, the ability to systematically examine and analyze text and other forms of unstructured data will also improve. Programs can be written to pull text files—such as emails, instant messages, memos, handbooks, policy manuals, and other forms of written material—to search for particular and unique words and word strings. For example, programs can look for emotive words that are consistent with stress in the author’s message.
In some circumstances, an initial big data examination will lead to a large number of anomalies. Such a large number of exceptions may be more problematic than helpful. The recent AICPA publication, “Guide to Audit Data Analytics,” offers some suggestions.6 The Guide suggests three possible courses of action:
As noted above, data analytics can be used as part of risk assessment. Risk assessment is an attempt to identify early in an engagement the major concerns and points of focus. While auditors need the ability to examine the books and records to ensure that the financial statements are free from material misstatement, fraud and forensic examinations often have scope limitations. Scope limitations serve to focus and shape the examination while permitting a deep dive into the details under examination, often more carefully examined than in typical audit procedures.
Nevertheless, an initial assessment of the risk associated with an area under examination in terms of the control environment and relevant internal controls is warranted. Such assessment contributes to the ability to generate reliable and valid data that can be examined. Careful consideration of data sources and accuracy helps shape the examination. If the examiner determines that the data generated may not be reliable or valid, then the examiner needs to complete additional procedures to gain confidence in the data examined or seek out alternative data sources. For example, the examination may need to obtain data from independent, external third parties or reconcile data under examination to that generated by other departments within the organization where data integrity is considered high, and the data deemed accurate and reliable.
Data analytics can also be completed to perform analytical procedures. Analytical procedures are defined as “evaluations of financial information through analysis of plausible relationships among both financial and non-financial data. Analytical procedures also encompass such examination, as necessary, of identified fluctuations or relationships that are inconsistent with other relevant information or that differ from expected values by a significant amount.”7 Typical substantive procedures may include comparisons within an organization (e.g., common-size, vertical, horizontal, ratio, trends) or between the organization and its key competitors or industry averages. A critical aspect of substantive analytical procedures is the development of a reasonable expectation upon which deviations and anomalies can be accurately and effectively identified.
Anomalies are telling; anomalies suggest that either an internal control is lacking or one that is properly designed is not operational or not functioning properly. Assuming that the risk assessment stage suggests that the control environment and particular controls are reliable, anomalies suggest that the judgment was inaccurate, at least, in terms of those transactions where the anomalies were noted. One course of action beyond additional examination of anomalies may be a need to revisit the risk assessment stage for this particular group of transactions.
Computer software can be utilized to scan the database for several different types of information. The resulting output may confirm transaction integrity, while highlighting anomalies and red flags. To accomplish this, most software packages use a combination of functions, including the following:
Given the functions previously described, the following are some examples of data analysis queries that can be performed by most data analysis software8:
GENERAL LEDGER ANALYSIS
ACCOUNTS RECEIVABLE
SALES ANALYSIS
ACCOUNTS PAYABLE
ASSET MANAGEMENT
CASH DISBURSEMENT
PAYROLL
PURCHASING
These accounting systems can be reconciled to nonfinancial data, operational systems outside of accounting, or to data provided by independent third parties, as needed, depending on the circumstances of the examination. Other functional business areas that may be examined in a forensic accounting or fraud examination engagement include human resources, marketing/promotion, customer service support, sales, distribution, research and development, administration and management, production, operations, procurement/purchasing, quality control, loan acquisition and administration, treasury, information technology, legal, compliance, contract management, and security.
The following are some key issues to address as data analysis is completed in a digital environment:
There are many types of data analysis software on the market, with new products emerging and new versions of old products. Because every fraud examination or forensic accounting engagement is different, choosing a data analysis tool is something that the fraud examiner should consider in each individual case to decide which package is most appropriate for the current examination.
Data mining and knowledge discovery software is classified into two general categories:
Readers should understand that the following tools are presented as examples of the types that are available, that the listing of available tools is not complete, and that the authors are not promoting the use of any specific software.
Excel is a staple analytical and presentation tool for forensic accountants and fraud examiners. Even when more sophisticated analytical tools are used, the results are often exported to, and presented in, Excel. Excel lends itself to running Benford’s Law tests, filtering, sorting, removing duplicates, using logic functions, creating conditional formatting, finding and replacing, performing transposition tasks, creating pivot tables, and other processes. Excel’s strengths are its simple, yet powerful, functions including the following:
IDEA is an acronym for Interactive Data Extraction and Analysis. This software package is a PC-based file interrogation package that allows accountants, auditors, and financial managers to view, sample, and analyze data from other computerized systems. IDEA is generalized audit software. IDEA is able to import data in differing file formats. For audit trail purposes, IDEA field statistics are created during the import function, which creates the working files that IDEA then analyzes.
Once the data are imported, IDEA can be used to examine file statistics and observe the raw data values underlying those statistics. Users can browse through the data; search for records meeting specified attributes; sort and index the records; extract records meeting specified criteria; search for duplicates and gaps in the data; summarize, stratify, and export files to other formats, such as Excel.
IDEA has many of the data analysis features of products such as Excel or other spreadsheet packages. It can be used with mathematical formulas or functions (e.g., statistics) to analyze data presented in columns and rows or to create new data columns for further analysis. For example, IDEA can be used to test invoice totals, by selecting prices and quantities from their respective columns and multiplying them in a new column. Then, the calculated (extended) invoice amount can be compared to the invoice total to ensure that the two amounts match. In addition, IDEA users can create pivot tables, aging analyses (e.g., accounts receivables and payables), conduct Benford’s Law tests, plan and draw samples, and statistically evaluate audit findings in sampled transactions. When the user imports several files, IDEA can join, append, and compare them and create action fields, that is, identify those from one file that have a relationship to a field of another IDEA file. Information about the processing measures is automatically recorded in the audit log history of this software.
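The invoice extension test, together with the duplicate and gap searches mentioned above, can be reproduced outside any particular package. The Python below is an added example and does not use IDEA or its scripting interface; the invoice records are constructed, and the choice of vendor, invoice number, and total as the duplicate key is an assumption.

```python
from collections import Counter
from decimal import Decimal

# Constructed invoice records: (invoice_no, vendor, quantity, unit_price, invoice_total)
INVOICES = [
    (5001, "V-17", 10, "12.50", "125.00"),
    (5002, "V-17", 4, "99.00", "396.00"),
    (5003, "V-22", 3, "40.00", "210.00"),   # total does not equal 3 x 40.00
    (5005, "V-22", 1, "75.25", "75.25"),    # 5004 is missing from the sequence
    (5005, "V-22", 1, "75.25", "75.25"),    # same invoice entered twice
    (5008, "V-30", 2, "18.00", "36.00"),    # 5006 and 5007 are missing
]


def extension_mismatches(rows):
    """Recompute quantity x price and report invoices whose stated total differs."""
    out = []
    for number, _vendor, qty, price, total in rows:
        extended = Decimal(qty) * Decimal(price)   # Decimal avoids float rounding on money
        if extended != Decimal(total):
            out.append((number, extended, Decimal(total)))
    return out


def duplicate_invoices(rows):
    """Report (vendor, invoice_no, total) keys that appear more than once."""
    counts = Counter((vendor, number, total) for number, vendor, _q, _p, total in rows)
    return sorted(key for key, seen in counts.items() if seen > 1)


def sequence_gaps(rows):
    """Report missing invoice-number ranges as inclusive (first_missing, last_missing)."""
    numbers = sorted({row[0] for row in rows})
    return [(a + 1, b - 1) for a, b in zip(numbers, numbers[1:]) if b - a > 1]


if __name__ == "__main__":
    print("extension mismatches:", extension_mismatches(INVOICES))
    print("duplicates:", duplicate_invoices(INVOICES))
    print("gaps:", sequence_gaps(INVOICES))
```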
IDEA also supports the organization of work by allowing users to create to-do lists and folders, move and copy files, and create macros.
For training purposes, IDEA provides a comprehensive tutorial called “IDEA: Data Analysis Software Workbook.” It is an easy-to-use, intuitive tutorial, with step-by-step instructions, solutions, and screenshots to coach new users in the appropriate use of the IDEA software. Tutorial users perform three separate audits/examinations: (1) for accounts receivable, (2) accounts payable/fraud examination, and (3) inventory analysis.
In the accounts receivable section, the tutorial requires students to identify: the potential risks, the business implications of those risks (e.g., the inability to collect accounts receivables from customers who do not meet credit standards), and the objectives of the audit tests (such as completeness, accuracy, valuation, existence, validity, and presentation). Students must also provide an overview of the types of tests required, such as mechanical accuracy and valuation, analysis, exception testing, gap and duplicate analysis, matching records across files, and comparison tests and sampling. Next, students are provided with an eight-step audit program to work through.
From there, users need to set up the engagement in IDEA and import the data files, given the formats received from the fictitious client. Step-by-step instructions, explanations, and screenshots are provided to give users confidence that they are taking the correct actions. Once the files are imported, users work with control total functions to ensure that the import is successful. Then, students complete the following tasks in the accounts receivable and related files:
In the accounts payable and fraud examination section of the tutorial, students identify those auditing procedures and analyses that can be addressed using data extraction and analysis tools, and they also deal with an increased risk of fraud. In the described scenario, the chief financial officer (CFO) is concerned that a particular member of the accounts payable department is living beyond his means. In addition, other risks addressed using digital tools include the following:
In this fictitious case, because the suspicion of fraud is enhanced, the data are obtained through the CFO without the knowledge of the accounts payable clerk. The file formats are ASCII Delimited and Excel. Then, students examine the following elements of the accounts payable and the supplier files:
The following are the results of the Benford’s Law “first-two digit” analysis. The tutorial addresses issues associated with inventory. More specifically, the CFO has identified problems with the underlying inventory system and needs assistance in identifying those issues and making recommendations for corrective action. Some of the anomalies include the following:
Thus, this section is more of a consulting-type engagement, where the power and strength of data extraction and analysis tools can facilitate a more comprehensive identification and examination of issues that may also have an impact on the amounts reflected in the financial statements.
Then, students examine the inventory attributes as follows:
The IDEA tutorial then has students work through a number of useful tasks that apply to most data extraction and analysis projects:
Each of the audits/examinations in the workbook increases in complexity for using IDEA’s functions and tests, building on the experience learned in earlier sections. The data files provided for use in the IDEA workbook were created in a variety of formats to provide experience in importing data from a number of different file types. The screenshots and check figures facilitate quick and independent development of the skills needed to use the software to its fullest potential. In summary, IDEA can read, display, analyze, manipulate, sample, and extract data from files obtained from many sources in many formats.
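The Benford’s Law “first-two digit” analysis mentioned in the accounts payable section compares how often each leading digit pair (10 through 99) occurs with the share Benford’s Law predicts, log10(1 + 1/d). The Python below is an added example, not taken from the IDEA workbook; the payment amounts are generated for illustration, with a constructed cluster of payments between 4,900 and 4,999 added to a Benford-conforming population, and the z-statistic is one common way to rank the deviations.

```python
import math
from collections import Counter


def first_two_digits(amount):
    """Leading two significant digits (10-99) of a currency amount, taken from its cents string."""
    digits = f"{abs(amount):.2f}".replace(".", "").lstrip("0")
    # Pad single-digit results (0.05 -> "5" -> 50); an amount of zero yields 0.
    return int(digits[:2].ljust(2, "0"))


def expected_share(d):
    """Share of records Benford's Law predicts for leading digit pair d."""
    return math.log10(1 + 1 / d)


def benford_first_two(amounts):
    """Return one row per digit pair, sorted with the largest deviation first."""
    leading = [d for d in map(first_two_digits, amounts) if d >= 10]
    n = len(leading)
    observed = Counter(leading)
    rows = []
    for d in range(10, 100):
        exp = expected_share(d)
        act = observed[d] / n
        # z-statistic for the difference between an observed and expected proportion.
        z = abs(act - exp) / math.sqrt(exp * (1 - exp) / n)
        rows.append({"digits": d, "count": observed[d],
                     "actual": act, "expected": exp, "z": z})
    return sorted(rows, key=lambda r: r["z"], reverse=True)


def constructed_sample():
    """2,000 amounts spread evenly on a log scale (Benford-like) plus 150 clustered payments."""
    base = [round(10 ** (1 + i / 500), 2) for i in range(2000)]
    clustered = [4900.50 + (i * 37) % 100 for i in range(150)]
    return base + clustered


if __name__ == "__main__":
    results = benford_first_two(constructed_sample())
    print("digits  count  actual  expected      z")
    for row in results[:5]:
        print(f"{row['digits']:>6} {row['count']:>6} {row['actual']:>7.4f} "
              f"{row['expected']:>9.4f} {row['z']:>6.1f}")
```

A spike such as the one at 49 is a starting point for pulling the underlying invoices, not a finding in itself.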
ACL Services Ltd. provides audit analytics and continuous monitoring software. The software provided by ACL can be used to ensure internal controls compliance—thereby reducing the risk of fraud—and to detect and investigate potential fraudulent activity. ACL facilitates organization-wide testing and monitoring of internal controls through independent verification of transactional data. ACL can be used for audit analytics and controls monitoring on a continuous basis (continuous auditing). ACL may also be used to secure data access.
ACL stands for Audit Control Language, a phrase that points to the early roots of the software. This software package is PC-based and permits data importation from different file formats. Once the data files have been imported, ACL can be used to examine file characteristics, visually examine the raw data, and create various analyses and statistics that can be used as audit and investigative evidence. Imported data can be reviewed, searched, sorted, indexed, and extracted. Users can also search for duplicate records and for unexpected gaps in the data. Finally, ACL summarizes and stratifies and can be used to export files to other formats, such as Excel.
Like Excel, ACL data are presented in rows and columns. ACL has equation editors to create mathematical formulas that can generate new data for further analysis. ACL equations can also be set up to filter and extract data, and users can also perform additional functions such as the following:
The user’s activities are automatically captured in a log to create an audit trail. Like IDEA, ACL provides a comprehensive tutorial.
Traditional statistical packages such as SAS, Stata, JMP, SPSS, R, Python, and similar software can be used for data extraction and analysis. Many of these packages also offer features that make forensic accounting and fraud examination analysis relatively efficient to use in an engagement context.
According to The CPA Journal author, George Aldhizer, a picture is worth a thousand words.9 This is especially true for the estimated 65% of the population who are visual learners. Aldhizer states that “visual analytics is an exploratory and iterative process involving the creative and dynamic discovery of potential fraud schemes. It builds on humans’ natural ability to absorb and comprehend greater amounts of information through the use of distinctive patterns, shapes, and shadings than through analysis of columns of numeric data. Instead of creating static, simplistic bar charts and scatter plots and relying on a finite number of embedded rules-based red flags for potential fraud, visual analytics can create customized, multidimensional, or layered graphics, resulting in more granular analyses of all of the structured data. As a result, visual analytic software may more easily uncover otherwise hidden relationships between data elements, enabling the discovery of new fraud red flags. Thus, visual analytic software may be an attractive alternative to IDEA and ACL for auditors of larger, publicly held entities to reduce the risk of undetected material misstatements, including fraud.” The author also champions geospatial analysis and heat maps as investigative tools.
Aldhizer also finds that “unstructured text data—which is not created and stored in a predefined, standardized format and thus to a large extent cannot be analyzed by IDEA, ACL, and visual analytic software—has exploded in growth and can provide additional clues as to the existence of material fraud schemes. For example, many individuals appear willing to reveal sensitive and incriminating narrative and pictorial data in supposedly private communications and social network postings that they would not consider disclosing in a financial report or a business meeting. Other types of unstructured data include corporate memos and emails, PDF files, social media postings, and audio and video files.” The author concludes by suggesting that “forensic practices should seriously consider implementing text analytic capabilities. Audit practices also may benefit from an awareness of text analytic capabilities and consider applying them to high-risk engagements.”
We agree: a picture is worth a thousand words! Data analysis programs and graphics software packages can provide numerous pictorial representations of the data. Graphics have at least three distinct roles in an examination.
The professional needs (1) to answer the questions who, what, when, where, and how; (2) to address the fraud triangle to the extent that evidence is available; and (3) to be centered on the elements of fraud: the act, concealment, and conversion. Understanding the motivation for fraudulent activities, such as money, ideology, coercion, and ego (M-I-C-E), helps investigators to better detect these crimes in the future.
One of the first graphical tools is an association matrix for identifying major players who are central to an examination and to identify linkages between those players. Linkages can take the form of names, places, addresses, phone numbers, etc. Although all of these data are documented as preliminary evidence electronically in some software tools, such as Excel, Access, or even Word, the association matrix is a starting point for reflecting some of the most important data in a simplified format. These matrices often serve as an intermediate format that organizes observed relationship material into a compact arrangement to facilitate review and as a basis for creating more complex charts.
The format for the association matrix, including an example, is presented in Figure 11-1.
Notice that, on each line in the association matrix, the name of an important person, place, address, business, organization, etc. is written, followed by the boxes with the relationship that exists between the entities (as known from the evidence). In this example, Stephanie and Jason are divorcing. The divorce is being contested by Jason, who has a reputation as a playboy. Stephanie started and developed the 54-store PJ’s Pizza chain, named after her little sister, who has Lyme disease. Stephanie has been hands-off, pursuing charity work for the last couple of years, and has entrusted the day-to-day operations of the pizza chain to her chief operating officer and friend of thirty years, Alexandria. Alexandria has been with the company since day one, owns 20% of the stock and is considered a genius at marketing and store location, but her financial and accounting background is judged to be very weak.
Recently, Stephanie discovered enough evidence to suspect strongly that someone is embezzling reasonably large sums of money from her company. Mark is the treasurer and accounting manager located at corporate headquarters, and Richard is a regional manager of fifteen stores. Preliminary evidence suggests that the fraud is isolated to Richard’s region. Further, the fraud appears to be concealed by individual(s) with access to operational data, cash, and the accounting records. Initially, the divorce seemed to have no relation to the possible fraud. However, surveillance conducted by a licensed private investigator revealed that two of the key suspects have very close ties to Jason, Stephanie’s estranged husband; he has been seen with one or the other at least one time during each of the past five weeks. At no time were the three seen together. As a result, the association matrix was updated as shown in Figure 11-2.
In this example, the major players have been listed and their relationships described. Although no proof exists that Mark and Richard are in collusion to perpetrate a fraud, based on the graphic, it appears that Jason seems to be the common link. Given the impending divorce, he and his close friends may be trying to damage Stephanie and generate some cash in the process. This graphic helps the investigator see important links. In addition, this association matrix may be useful in communicating with lawyers, judges, and jury members, if such a need arises. From the information in the matrix, investigators can develop more complex graphics, such as a link chart.
Link charts are another way to graphically represent the associations, linkages, and other important relationships. They help to describe linkages between entities: people, businesses, and “organizations” (in quotes because some organizations may include gangs, consortiums of drug dealers, and organized criminal enterprises—which are usually not listed with the Secretary of State’s records—but may act and operate like many legitimate business entities). Link charts, therefore, create a graphic representation of known and suspected associations among businesses, individuals, organizations, telephone numbers, addresses, email accounts, websites, etc. that are potentially involved in criminal activity.
Link charts are more complex than association matrices and, as such, follow rules to ensure that viewers understand the graphics and are able to interpret their meaning with a minimum of error. The rules of link charting include the following:
In Figure 11-3, you can see the linkages between Jimmy John Jackson and several business enterprises.
In this example, three businesses are presented: Jackson Auto Body, Inc., JJ’s Truck Stop, and Jack & Jill Hotel. The Secretary of State’s records database indicates that Jimmy John Jackson has an ownership role in all three. Assume further that evidence indicates that a supplier fraud is occurring at a trucking company, and it appears that the three companies presented are receiving payments for services not rendered. Also assume the evidence indicates that no actual businesses exist, and yet the mailing addresses are the same. If a criminal activity is suspected and these three businesses are involved, it appears that Jimmy John Jackson is at the center of everything. Armed with this information and a pictorial representation, the investigator is able to concentrate his or her effort and can easily communicate findings. Along a similar line, the association matrix previously discussed can be converted into a link chart (see Figure 11-4).
Notice that the picture here is clearer and easier to read and understand than the association matrix previously presented. Further, notice that a dashed line exists between Mark and Richard because the evidence does not yet suggest that the two have a known relationship. Also note that no line is presented to connect Stephanie with Mark or Richard. This is because she is generally a hands-off owner/CEO and thus may not know either of them. These possible relationships need to be investigated further. At this point, a fraud may have been committed by Richard and Mark, and one of the other beneficiaries could be Jason. However, what if Stephanie is purposely taking money out of the company to lower its value so that her divorce payout to Jason is lower? This could only be determined through further examination.
Thus, link charts and other graphics are not only beneficial as investigative and communication tools but can also be helpful in identifying shortcomings in the case and areas where further work is necessary.
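The association matrix and the observations drawn from it (Jason as the common link, the dashed line between Mark and Richard, and the unexplored links from Stephanie) can also be derived programmatically from a list of recorded relationships. The Python below is an added example, not the book's figures; the links are transcribed from the narrative above, and the "C"/"S" codes for confirmed and suspected links are an assumption of this sketch.

```python
from itertools import combinations

ENTITIES = ["Stephanie", "Jason", "Alexandria", "Mark", "Richard"]

# (entity, entity, status, basis); "C" = confirmed, "S" = suspected.
LINKS = [
    ("Stephanie", "Jason", "C", "spouses, divorce pending"),
    ("Stephanie", "Alexandria", "C", "owner and COO, friends of thirty years"),
    ("Jason", "Mark", "C", "seen together under surveillance"),
    ("Jason", "Richard", "C", "seen together under surveillance"),
    ("Mark", "Richard", "S", "no known relationship yet"),
]


def build_matrix(entities, links):
    """Symmetric association matrix: matrix[a][b] is 'C', 'S', or '' (no link recorded)."""
    matrix = {a: {b: "" for b in entities if b != a} for a in entities}
    for a, b, status, _basis in links:
        matrix[a][b] = matrix[b][a] = status
    return matrix


def confirmed_contacts(matrix, name):
    return {other for other, status in matrix[name].items() if status == "C"}


def common_links(matrix, a, b):
    """Entities with a confirmed link to both a and b."""
    return sorted(confirmed_contacts(matrix, a) & confirmed_contacts(matrix, b))


def leads(matrix):
    """Pairs without a confirmed direct link that share a confirmed contact."""
    out = []
    for a, b in combinations(matrix, 2):
        if matrix[a][b] != "C":
            shared = common_links(matrix, a, b)
            if shared:
                out.append((a, b, shared))
    return out


def most_connected(matrix):
    """Entity with the most confirmed links."""
    return max(matrix, key=lambda name: len(confirmed_contacts(matrix, name)))


def render(matrix):
    """Plain-text grid for review; '.' marks no recorded link."""
    names = list(matrix)
    header = " " * 12 + "".join(f"{n[:4]:>6}" for n in names)
    body = [
        f"{a:<12}" + "".join(f"{'-' if a == b else matrix[a][b] or '.':>6}" for b in names)
        for a in names
    ]
    return "\n".join([header] + body)


if __name__ == "__main__":
    m = build_matrix(ENTITIES, LINKS)
    print(render(m))
    print("common link, Mark and Richard:", common_links(m, "Mark", "Richard"))
    print("most connected:", most_connected(m))
    for a, b, shared in leads(m):
        print(f"follow up: {a} / {b} via {', '.join(shared)}")
```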
The next type of graphic is the flow diagram. It allows the investigator to analyze the movement of events, activities, and commodities—to see what that flow means in relation to a suspected criminal activity. The flow diagram can be used for the following:
The general purpose is to discover the meaning of those activities and their importance to the examination. For example, the following flow diagram (Figure 11-5) can be used to show how activities and transactions are captured and how they flow through the accounting system into the periodic financial statements and tax returns.
In this example, transactions take place between the suspect entities (and their representatives) and others: suppliers, vendors, customers, employees, etc. The essence of these transactions is captured in paper or electronic format. Examples of possible evidentiary documents include receipts, invoices, purchase orders, delivery receipts, bills of lading, contracts, and other sources. Certain information presented in the documents is captured in journal entries. The journal entries are then posted to the general ledger, which acts like a series of buckets where transactions are categorized and sorted. The general ledger amounts—the sum total of the transactions in a particular bucket—are then summarized and presented in periodic financial statements and tax returns.
In Figure 11-6, a kickback scheme is outlined graphically. In this case, evidence suggests that the investigators know everything about the scheme except how the inside kickback recipient received his or her payoff. The investigators are considering three options:
At this point, the investigators can see that more work needs to be done related to the conversion aspect of the case. Because the actual kickback aspect of the scheme is unknown, dotted instead of solid lines are used in the presentation. The movement of commodities lends itself particularly well to flow diagrams, such as:
The next type of graphical analysis is a timeline, which organizes information about events or activities chronologically to determine what has, or may have, occurred and the impact that these actions have had on the activity under examination. In the following example (see Figure 11-7), Seth purchases a sales and marketing company from Vance. Further, by 2004, Seth is bankrupt and is now complaining that he was sold a failing company by Vance. However, Seth knew very little about the sales and marketing business when he purchased the company, with newly inherited wealth from his father, except that Vance drove a Mercedes and lived in a large, expensive house. Seth seems to have assumed that he could do the same. However, Vance claims that the success of the company under his ownership was his ability to secure large contracts with successful clients. As seen from the following timeline, after purchasing the company, Seth negotiated no new contracts. If additional evidence supports Vance’s contention, it appears that the demise of Seth’s company is due to his own inability to secure new sales and marketing contracts.
The break in the pattern of new sales and marketing contracts is clear and distinct, especially when presented in graphical form.
As stated, graphics can be a simple, clear, and concise method of presenting case material to communicate outcomes. They can be developed in nearly any manner and for almost any purpose that appears to further the examination. For example, in Figure 11-8, you can see the impact of a person selling a company in a sham transaction and establishing himself during the sales transaction as a secured creditor. As shown in the left-hand column, the former owner was “last in line” before the company was sold. However, after the sale, the former owner was now first in line and moved ahead of every other creditor. If the former owner has the right contractual relationship with his or her former company, he or she could milk the company of all cash and profits and effectively bankrupt it. Because of the former owner’s position as a secured creditor, unsecured creditors (such as off-balance sheet liability holders, i.e., a plaintiff to a lawsuit against the company) have little recourse unless it can be proven that the sales transaction was a sham.
The result of graphical analysis and presentation can offer a number of outcomes. Critical questions need to be answered:
Additional follow-up is needed to finalize the case:
The above graphics were completed in PowerPoint, Microsoft Word, or Excel. These packages, especially PowerPoint, offer numerous tools to create sophisticated graphics that can be used for the three purposes cited above (i.e., help the examiner understand and interpret case findings, identify additional examination needs, and communicate the results of the examination). With the advent of “YouTube” videos, as well as helpful instructional tools from the developer, even the novice professional can create effective graphics.
In addition to the above, other tools may also be used in the forensic and fraud examination graphical space.
Microsoft Visio can be used to create simple as well as complicated diagrams. Like PowerPoint, Visio offers a variety of built-in shapes, objects, and other materials to use as foundations for graphics. The software also permits users to create and import their own shapes. Visio is more powerful than PowerPoint, for example, because it was designed to make diagramming and graphical creation as easy as possible for users. Visio comes complete with templates that permit starting a graphical project with relative ease. Maybe one of the best features of Visio is that it is “live”—the software can pull in data from external sources, such as an Excel spreadsheet or Access database—ensuring that graphics automatically align with the most recent dataset as changes are made to the underlying database. This feature is not available for graphics created in PowerPoint, Excel, Word, etc.
Tableau is a data visualization tool that enables users to create interactive visual analytics that are presented using dashboards. Tableau is designed to help ordinary people see and understand the information buried in data. Tableau supports nontechnical users by offering the ability to create, with relative ease and some training, customized dashboards that provide graphical, easy-to-understand insight into the data under examination. Like Visio, one of the strengths of Tableau is that the software can query relational databases, cloud data, spreadsheets, and similar sources, using the information to form graphical presentations. Tableau also offers some data analytic tools that can be used to examine big data, such as statistical trends. Somewhat unique to Tableau is its mapping function that can plot latitude and longitude coordinates and connect to spatial files from other software sources. Tableau’s built-in geocoding allows for data examination by country, state/province, county/district, postal code, area code, airport, and European Union statistical area and geographic criteria. Furthermore, this geographic coding may also be grouped according to users to create custom territories.
Case management software can be used in a number of situations to oversee cases and case data, organize it in meaningful ways, and even present information for use in reports or during testimony. Sophisticated, complicated, and complex cases can benefit from the use of case management software, including the following:
Case management software can be used to initiate examinations that can evolve into complex cases. New examinations can be initiated, and evidence collected and organized when it is developed through various channels—including detectives, forensic accountants, computer forensic specialists, internal auditors and other experts, as well as from employees, vendors, customers, and other participating people and organizations.
Most case management software has workflow rules, so that leads, evidence, and next-steps can be prioritized, and investigative approaches can be tasked to the most appropriate people. With some software packages, investigators are able to send and receive emails within the system and record notes, evidence, activities, and investigative outcomes. Another feature of case management software is the ability to organize and present data graphically so they can be reported.
Readers should understand that the following tools are presented as examples of the types that are available, that the listing of commercially available tools is not complete, and that the authors are not endorsing any specific tools described.
One of the case management software tool options is Analyst’s Notebook i2. It is currently one of the leading providers of visual investigative analysis software for law enforcement, intelligence, military, and business enterprises. i2 allows investigators and analysts to visualize complex schemes and to organize and analyze large volumes of seemingly unrelated data. Upon completion and at appropriate times during the examination, the results can be efficiently communicated to attorneys, other investigators, supervisors, judges, juries, and grand juries. As previously discussed, visual analysis can bring clarity to complex examinations, schemes, and scenarios. This software can generate timelines, flow charts, activities matrices, link charts, and other graphics to help investigators better understand the schemes, who is involved, and how participants benefit from their activities.
All data are gathered and stored in various databases that the software can access. From those, the evidence can be searched, analyzed, and visualized from multiple perspectives and given various alternative assumptions, with the goal of resolving the case. The main advantage is that less time is required to manage, organize, and process data, which are then analyzed and housed in one comprehensive locale. With more efficient evidence management for complex cases, more time can be spent on analysis and on drawing conclusions from the complete set of evidence, enabling investigators to uncover, interpret, and display complex information about seemingly unrelated persons, places, and events in an intuitive visual format.
CaseMap® by LexisNexis makes it easy to organize, evaluate, and explore evidence, the list of potential suspects and witnesses, and other case issues; it is designed for litigators and investigators. CaseMap is a central repository for case knowledge. The software can be used to organize information, facts, evidence, documents, people, case issues, and applicable law. CaseMap files include spreadsheets, documents, and PDF files. Every CaseMap spreadsheet can be sorted, filtered, and tagged for later use. CaseMap details can be sent to the TimeMap® tool to create timeline graphics. CaseMap software also evaluates relationships between different attributes of the case information. For example, it can be structured to connect facts to applicable case law that supports a particular position on an issue.
CaseMap is supported by TimeMap and also several other related packages, including TextMap® for transcription summary, NoteMap® for creating outlines, and DepPrep® for preparing witnesses for deposition and courtroom testimony. CaseMap and its suite of related products also have a reporting feature so that outcomes can be exported to other software packages.
We have eight types of assignments for instructors to choose from:
The Killer Apartment
Colin McFee had a Manhattan apartment to die for, an enormously spacious duplex that looked down on Park Avenue from the 18th and 19th floors. He also had a fortune worth killing for. So it wasn’t too surprising when the old man was found to be a victim of foul play. The day of the murder began innocently enough. McFee’s two nephews and his niece were all visiting him from Duluth and the old millionaire had been so captivated by the charming trio that he impulsively decided to change his will.
The generous millionaire spent the morning signing the new document, which left his entire estate divided equally among the three vacationing relatives. McFee’s faithful maid witnessed the document, ushered the lawyer out, and, with an uneasy glance at the shiny-eyed heirs, retreated to her room.
Nothing happened until shortly after noon. The maid was in her upper floor bedroom, watching TV, when she heard McFee’s unmistakable voice screaming out in pain. For a few seconds, she was in shock, wondering what her employer’s voice was doing on an old Columbo episode. And then she realized it wasn’t the TV.
The maid went out into the hall and found Nick, the older nephew, standing at the top of a rarely used back staircase. “It came from downstairs,” Nick stammered.
Pushing past Nick, the maid led the way down the narrow stairs. “Mr. McFee!” she shouted and a moment later caught a spider web across the face. The back staircase went directly down to the east library. The dim, wood paneled room was empty except for the corpse on the floor by the bookshelves. Colin McFee, it seemed, had been hacked to death, although there was no knife in sight.
The three McFee heirs sat with the maid in the center of the lower level, by the main staircase, awaiting the police and rehearsing their stories. “I was in my second floor bedroom,” Nick said, “watching an old murder mystery show. When Uncle Colin screamed, I didn’t do anything for a minute. Then I went out into the hall. That’s where I met up with you.” Nick smiled at the maid, his alibi.
“I was upstairs in the west dining room,” Nora volunteered, “examining the old dumbwaiter. Even though the scream came from downstairs and on the far side of the apartment, I still heard it. I thought it must be robbers. So, I barricaded the dining room door and didn’t come out until I heard you all calling my name.”
Astor McFee, the younger nephew, claimed to have been asleep. “I was reading a magazine, right here in this chair and I nodded off. The scream woke me. It took a few seconds to realize that something was wrong. When I heard people talking in the library, I went off in that direction. That’s when I ran into you,” he said, nodding toward Nick and the maid.
When the police arrived, they took everyone’s statement, and then went to the main floor kitchen in search of the murder weapon. They found it in a utensil drawer, a huge butcher knife that had been wiped clean of blood, the same blood type as the victim’s.
“This tells us everything we need to know,” the homicide chief said with a grin.
Who killed Colin McFee?
Read the following articles or other related articles regarding the MCI WorldCom case and then answer the questions below:
Zabihollah Rezaee and Richard Riley, Financial Statement Fraud: Prevention and Detection (Wiley, 2010), “MCI: The Fraud That WorldCom Acquired,” pp. 216–17.
Neil Weinberg, “Aggressive Accounting: Ring of Thieves,” Forbes.com, June 10, 2002.
Mike Celizic, “White Collar Ex-con: Jail Looms for Mortgage Execs,” MSNBC, October 8, 2008.
For a more complete description of these events, see Pavlo, Walter, Jr., and Neil Weinberg, “Stolen without a Gun: Confessions from Inside History’s Biggest Accounting Fraud – the Collapse of MCI WorldCom,” Etika, 2007.
1. How much cash did Mr. Pavlo steal in six months?
2. What was the accounting inadequacy at MCI that Mr. Pavlo faced?
3. At least how many financial reporting (accounting) schemes did Mr. Pavlo use for the MCI collection problem?
4. What opportunity did Mr. Pavlo perceive would allow him to perpetrate his fraud and get away with it?
5. How much time did Mr. Pavlo spend in prison?
6. Who were Mr. Pavlo’s unintended victims?
1. From the excerpt and article, describe the rationalizations used by Mr. Pavlo.
2. Given that Mr. Pavlo’s fraud was restricted to an accounts receivable embezzlement scheme, what symptoms might auditors observe?
3. Given that Mr. Pavlo’s fraud was restricted to an accounts receivable embezzlement scheme but was buried among legitimate accounts receivable transactions, describe the three most effective data extraction and analysis tests (using IDEA, Picalo, or ACL) for accounts receivable that you believe would identify this fraud and state why you believe them to be effective. (Limit your answer to no more than one page.)
Assume the following:
Analysis of Rain
July | Date | Rain | August | Date | Rain |
W | 1 | 0.01 | Sa | 1 | 0.01 |
M | 6 | 0.2 | Su | 2 | 0.45 |
T | 7 | 0.31 | M | 3 | 0.05 |
W | 8 | 0.09 | W | 5 | 0.30 |
Th | 9 | 0.05 | Th | 6 | 0.43 |
F | 10 | 0.71 | Su | 9 | 0.11 |
Sa | 11 | 0.1 | M | 10 | 1.09 |
Th | 16 | 0.54 | Th | 13 | 2.33 |
F | 17 | 0.01 | Su | 16 | 0.13 |
Sa | 18 | 0.91 | | | |
W | 22 | 0.18 | | | |
Th | 23 | 0.14 | | | |
F | 24 | 0.04 | | | |
M | 27 | 0.03 | | | |
F | 31 | 0.08 | | | |

Employees Paid for Rain
Month | Day | Date | Pay |
July | F | 10 | Rain Pay |
August | Th | 6 | Rain Pay |
August | M | 10 | Rain Pay |
August | Th | 13 | Rain Pay |
Assignment: using the above provided information and assumptions, select one chart or a graphical format, and, using a software package of your choice, analyze and present the information on a single page, using only one chart or graphic (properly labeled) to highlight the possible impact of rain, if any, on the construction project.
Assume the following facts:
Assignment: Graphically present this information on one sheet of paper.
Assume the following additional facts:
Year | Cap Ex | Rental Expense |
a. 20X2 | $1.6 million | $1.2 million |
b. 20X3 | $500,000 | $1.05 million |
c. 20X4 | $600,000 | $800,000 |
d. 20X5 | $175,000 | $900,000 |
e. 20X6 | $25,000 | $800,000 |
f. 20X7 | $50,000 | $750,000 |
g. 20X8 | $0 | $250,000 |
Assignment: Graphically present this information on one sheet of paper. What conclusions can you draw?
The following is the “inventory” of items received to continue the examination at Johnson Real Estate. The goal is to focus on the missing deposits: who, what, when, where, and how.
These items will be provided by the course instructor.
Assignment:
Continuing to focus on evidence associated with the act, concealment, and conversion, use the evidentiary material to continue the examination. In addition, as the examiner, also start to think in terms of who, what (did the person(s) do), when (during what period?), where (physical place, location in books and records), and how (perpetrated, hidden, and did the perpetrator benefit).
Case background: See Chapter 1.
Question: Does the Fairmont payroll system’s company expense file match its payroll disbursements file?
Student task: Students should (a) present a listing of company expense disbursements that do not appear to have corresponding disbursements in the payroll system and (b) discuss the finding and recommend investigative next steps.
Student material with step-by-step screenshots for completing the assignment is available from your instructor.
Tableau case background: See Chapter 1.
The forensic audit showed that a general accounting clerk, Mary Perez, has company expenses for FICA (social security), Medicare, and 401K, despite having no hours and no gross payroll expense.
Question: Can you create a graphic of the Fairmont payroll system’s company expenses that highlights that general accounting clerk Mary Perez has company expenses for FICA (social security), Medicare, and 401K, despite having no hours and no gross payroll expense?
Student task: Students should (a) highlight general accounting clerk Mary Perez’s company expenses for FICA (social security), Medicare, and 401K, as well as gross payroll expense and hours, and (b) discuss the finding and recommend investigative next steps.
Student material with step-by-step screenshots for completing the assignment is available from your instructor.
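The two Fairmont tests described above (company expense rows with no corresponding payroll disbursement, and employer-paid FICA, Medicare, and 401K booked against zero hours and zero gross pay) can be sketched in Python as follows. This is an added example, not part of the course materials; the column names, employee IDs, and sample rows are constructed assumptions, not the actual Fairmont file layout.

```python
import csv
import io
from decimal import Decimal

# Constructed sample rows; column names are assumptions, not the Fairmont layout.
COMPANY_EXPENSES = """employee_id,pay_period,fica,medicare,k401
E100,2024-01,62.00,14.50,30.00
E101,2024-01,55.80,13.05,27.00
E102,2024-01,49.60,11.60,24.00
E103,2024-01,31.00,7.25,15.00
"""
PAYROLL_DISBURSEMENTS = """employee_id,pay_period,hours,gross_pay
E100,2024-01,80,1000.00
E101,2024-01,40,500.00
E101,2024-01,32,400.00
E102,2024-01,0,0.00
"""


def load(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def employer_cost(row):
    """Total employer-paid FICA, Medicare and 401K on one expense row."""
    return sum(Decimal(row[c]) for c in ("fica", "medicare", "k401"))


def payroll_totals(payroll):
    """Sum hours and gross pay per (employee, period); a period may hold several checks."""
    totals = {}
    for p in payroll:
        key = (p["employee_id"], p["pay_period"])
        hours, gross = totals.get(key, (Decimal(0), Decimal(0)))
        totals[key] = (hours + Decimal(p["hours"]), gross + Decimal(p["gross_pay"]))
    return totals


def unmatched_expenses(expenses, payroll):
    """Matching test: expense rows with no payroll disbursement for the same key."""
    paid = payroll_totals(payroll)
    return [e for e in expenses if (e["employee_id"], e["pay_period"]) not in paid]


def expenses_without_pay(expenses, payroll):
    """Zero-pay test: employer cost booked while payroll shows no hours and no gross."""
    paid = payroll_totals(payroll)
    flagged = []
    for e in expenses:
        key = (e["employee_id"], e["pay_period"])
        hours, gross = paid.get(key, (None, None))
        if hours == 0 and gross == 0 and employer_cost(e) > 0:
            flagged.append((e["employee_id"], e["pay_period"], employer_cost(e)))
    return flagged


if __name__ == "__main__":
    exp, pay = load(COMPANY_EXPENSES), load(PAYROLL_DISBURSEMENTS)
    print("No payroll match:", [e["employee_id"] for e in unmatched_expenses(exp, pay)])
    print("Cost without pay:", expenses_without_pay(exp, pay))
```

Amounts are parsed as `Decimal` rather than float so that a comparison against zero is exact, and payroll rows are summed per employee and period before matching so that split checks do not produce false exceptions.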