Overview of Fraud – The Fraud Triangle
Fraud has become an important topic in today’s business environment, especially in light of scandals such as Enron and WorldCom. While many think of top corporate executives committing fraudulent acts, especially those concerning financial reporting, it is important to note that lower-level employees also add to the risk of fraud within a company. The fraud triangle shows the three main elements necessary in order to create fraud: pressure, rationalization, and opportunity.
Financial pressure is often the first reason someone within a corporation would want to commit fraud. This could take the form of a lower-level employee who finds himself in a difficult personal situation and believes that he would only benefit from stealing from the company. Alternatively, an employee may commit fraud because they believe that the company or their job could be in jeopardy if they do not meet their stated financial goals for the period. In either situation, the employee could be a normally moral person who felt pressure to meet personal or company expectations.
The second factor necessary for fraud is rationalization. This is where the employee justifies to himself that committing the fraud is not as bad as it seems. Often an employee will rationalize by saying that the money will be paid back if it is stolen, or that the company could make up the losses later, if the issue involves financial reporting.
Finally, there must be an opportunity for the perpetrator to commit the fraud. This is usually made possible by weak internal controls in the company and a weak tone at the top regarding the ethical responsibility of employees. This is the most important aspect of the fraud triangle because without opportunity, the employee would have no way of actually carrying out the fraudulent activity.
There are three main ways that companies can mitigate the risks associated with fraud. First, establish a firm tone at the top, ensuring that all employees understand and devote time and effort to their ethical responsibilities. Management’s view of ethics is of the utmost importance. Secondly, auditors should view companies with a healthy sense of skepticism in all work performed, keeping in mind that anyone can commit fraud. Finally, the company should make sure that there is plenty of communication at all levels of the supply chain.
Information Technology’s Impact on Fraud
Information technology can be both a cause of fraud and a solution to it. Auditors can use information technology to assist in an audit, while a company can use computer software in order to make records easier to collect.
Information technology is becoming an increasingly important part of a company’s business strategy. While many companies are counting on information technology to curb fraud, it also increases some risks. The use of information technology can lead to unauthorized access to important company data and information. This could result in someone having the ability to record nonexistent transactions or change information that has already been updated in the system. Additionally, because the use of information technology in accounting systems may require technical expertise, it is easier for those who do know how to use the systems to change the controls or programs. These increased risks can increase fraud in the financial statements. With the use of information technology, auditors must be more alert to the implications of information technology on the risk of fraud associated with the audit.
Additionally, cybercrime is of particular concern to companies that use the internet for any part of their operations. Many cybercriminals are able to combine their computer skills with social engineering in order to access critical company information and personal customer data. Hacking techniques, such as phishing, are becoming more of a problem. Hackers are keeping up with cyber security, and organizations must ensure that they are aware of what is going on with regard to their computer systems. In a business environment that increasingly relies on information technology to assist operations, it is becoming more important for management and auditors to be aware of any technological changes made to systems in order to keep track of any issues that could result in fraudulent financial reporting.
Responsibility for Fraud
According to auditing standards, auditors are not responsible for making assertions on fraud, but rather are responsible for determining whether or not the financial statements are free of material misstatement. Therefore, the responsibility for fraud lies in the hands of a company’s management.
The Public Company Accounting Reform and Investor Protection Act of 2002 (better known as the Sarbanes-Oxley Act) was put into effect partially to restore investor confidence in financial statements after a series of fraudulent financial reporting incidents. This Act made management much more responsible for fraud in financial statements than ever before. Section 303 of this act requires that the Chief Financial Officer and Chief Executive Officer of the company sign off on the final statements and verify that they are valid. Ultimately, management will be responsible for fraud, but there is always the argument that if fraud is found, someone will seek compensation from the auditors.
History of Fraud and Forensic Auditing
Now that we have a basic understanding of what fraud and forensic auditing is, it is important for us to examine the history of the field. Fraud and forensic auditing emerged during the 1970s and 1980s with the explosion of technology-based business functions. As we know all too well, technology can increase efficiency, while simultaneously increasing risks to security and fraud. Also during this time, concerns about fraud, government waste, and crime (white-collar and blue-collar) were being plastered on the news. Therefore, it was quickly apparent that businesses needed some form of intrusion detection systems to manage the risks of inappropriate activities, thus leading to the discipline of fraud and forensic auditing.
This new form of auditing goes beyond government regulations and is designed to be used in litigation for claims of insurance, bankruptcy, embezzlement, computer fraud, and other related crimes. Computer crimes and financial fraud are carefully calculated, intuitive attacks by criminals. Therefore, fraud and forensic auditing requires more than just a basic set of standards; it requires intuition. Because fraud is often detected by accident, fraud auditors have developed a set of “scenarios” to learn to be proactive and think like a criminal. Jack Bologna, president of Computer Protection Systems, Inc. in 1984, stated that the best training for fraud auditors was on-the-job training. Bologna went on to say that because of the great degree of variability in fraud there is no clear way to learn everything in the classroom, although fraud auditors must have a basic understanding of accounting and auditing. Thus, the best experience comes from working in the field.
Fraud and forensic auditing is a dynamic and rapidly changing discipline. The first fraud and forensic auditing tools (referred to as intrusion detection systems) involved systems administrators watching a computer console to monitor users’ actions. The goal of these intrusion detection systems was to detect unauthorized or illegal use of the systems. Systems administrators looked for “red flags” on the system, such as vacationing employees remotely logging in to the system or a seldom-used computer component suddenly being turned on for no apparent reason. The results of these early intrusion detection devices were logged on sheets of folded computer paper that were stacked several feet high by the end of each week. The systems administrators were then faced with the daunting task of filtering through these stacks of information to find potential fraud. Although the goal of this system was to detect fraud and improper or illegal use of the systems, it was more reactive than proactive. The approach was slow and complex, with the detection system logs run at night and not examined until the next day. Therefore, most intrusions were not detected until after they had already occurred. However, in the 1990s, real-time intrusion detection scanners were introduced, giving systems administrators a better opportunity to review systems information as it was produced and the ability to respond in real time. This much more proactive approach increased the effectiveness of the intrusion detection systems and, in some cases, gave administrators the ability to preempt attacks.
However, as the intrusion detection systems evolved, so have the types of fraud. Currently, the Securities and Exchange Commission hears over 100 financial fraud and accounting cases per year, which is a stark increase compared with the years before the 1970s, prior to the explosion of technology in business. In some cases, big-name companies such as Bausch and Lomb, Sunbeam, and Knowledgeware have had to restate financial reports due to fraud. This in turn affects stock prices, and often leads to bankruptcy, changes in ownership, and layoffs, among other problems. In terms of financial fraud cases, however, only about 2% make it to trial and 20% are dismissed; the remainder are settled out of court. Prosecution is costly both to the government and to investors and company employees. Nevertheless, as economic times worsen, as we have seen in recent years, the number and variety of fraud cases increase. Financial fraud is a dynamic, ever-changing market that changes every day with increases in new technologies.
In order to keep pace with the demand for fraud detection systems, fraud and forensic auditors are being held responsible for the increase in the detection of fraud. However, as Jack Bologna discussed, most fraud detection systems cannot be learned in a classroom, but rather must be learned on the job. Following this concept, most universities today still lack curriculum in financial fraud detection, although the demand for auditors trained in fraud detection is increasing at a rapid pace as the incidence and variety of fraud increase. With the dynamic fraud environment, accountants and auditors alike must stay up to date on fraud detection so that auditing programs are adequately designed to meet the changing needs of forensic auditing. Therefore, as most would agree, auditors must balance education and training to provide the best defense to combat financial fraud.
How is Fraud and Forensic Auditing Different from a Traditional Audit?
With the development of the Sarbanes-Oxley Act of 2002, the auditing and accounting world was turned on its head. The Sarbanes-Oxley Act was a game-changer in fraud detection. Prior to the Act, auditing firms were primarily self-regulated, which proved to be problematic. Firms such as Arthur Andersen showed a lack of integrity and conspired to commit fraud right along with the fraudulent companies. Therefore, Sarbanes-Oxley created the Public Company Accounting Oversight Board (PCAOB) to provide more oversight and regulation to the accounting profession. In 2004, fraud cost the United States economy $684 billion, twenty times the cost of standard street crime, further illustrating the importance of a strong fraud detection system.
Although it may seem that fraud and forensic auditing are virtually the same as a regular audit, there are some differences. Both fraud and forensic audits and regular financial audits share the goal of detecting material misrepresentation of the financial statements; however, fraud and forensic auditing takes auditing a step further. Fraud and forensic audits are subject to stricter guidelines and rules and are primarily concerned with internal controls. They examine audit trails for variances or deviations in strong internal control. Fraud and forensic auditors are often described as one part accountant, one part lawyer, one part detective, and entirely professional. These auditors must be able to prove all their findings. Fraud and forensic auditors rely on the use of methodology tables to show flows of transactions and examine deviations. They must have so much detail, because they have the burden of proof to provide evidence to juries of non-accountants. Therefore, the evidence must be outlined in lay terms and must be beyond a reasonable doubt.
Even though there are differences between a traditional audit and a fraud or forensic audit, the fraud and forensic auditor’s work can greatly help financial accountants and auditors with their tasks. Sarbanes-Oxley Section 404 requires top management to sign off and be responsible for all financial information, including internal control for their company. To the benefit of traditional auditors, fraud and forensic audits guarantee the application of Section 404. Because fraud and forensic auditors guarantee such levels of detail in internal controls, financial auditors can more easily understand the entity’s internal control structure and better design audit procedures to detect risk of material misstatement in the financial statements. This greatly decreases the amount of time spent planning the audit and allows the financial auditors more time to design further audit procedures that are more responsive to the assessed risk of material misstatement.
Role of Computer Forensics
Due to the increase of potential fraud, especially with computers being used by individuals and in every company on a day-to-day basis, forensic auditing and accounting has become an important aspect in addressing these challenges. One way of quickly and easily handling fraud and abuse cases is through computer matching and other various computer technologies and techniques. And, considering that computers and online use contribute in some way to almost every kind of criminal activity existing today, the information found is the key to the identification of the criminals behind these fraud activities.
Computer forensics is the main source of examining evidence during investigations because anything done on a network can be tracked and vital information can be captured. It is the idea of reconstructing events and completely analyzing all electronic evidence to provide accurate documentation and preserve the integrity of the data to effectively accuse or defend in a court of law. If computer forensics is not utilized correctly, then any information found may not be admissible in court. This means that law enforcement officers must have a general understanding of computer forensics in order to properly utilize evidence and better understand how to recognize and handle information a computer could potentially have to aid in criminal investigations.
Two typical aspects of computer forensics are understanding the potential evidence the investigator is looking for and selecting the appropriate tools. Crimes involving a computer can range from identity theft to destruction of intellectual property, so it is important to know what kind of evidence to look for in the investigation. To prevent any further damage to the files, it is important to know how to recover the information that may have been deleted or tampered with by a criminal.
A forensic auditor’s tool kit will consist of a variety of tools and programs necessary for recovering data, disassembling a computer case, or taking images. Some examples of tools in the toolkit include physical tools such as a screwdriver and pliers, archive media, and a digital camera, as well as software and applications for disk wiping, disk imaging, hash calculations, search utilities, file and data recovery, file viewing, and password cracking.
A screwdriver and pliers are used when having to disassemble the computer case to access the hard drive. A type of archive media, such as a recordable DVD or CD-ROM, is used to copy and store the contents of the hard drive, and a digital camera will be needed to save images of the physical structure of the computer and anything that may need to be captured. Looking at the applications and software, disk wiping ensures the hard drives are cleaned and overwritten with binary information, while disk imaging creates a bit-stream backup maintaining the hard drive’s information. Hash calculations are used to verify that the source and destination files have the same 32-bit hash value. Auditors then search for text strings and use EnCase to recover and view files and data.
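The imaging and hash-verification steps described above can be sketched as follows. This is an added example, not code from the original article or from any tool it names; SHA-256, the file names, and the sample "evidence" bytes are assumptions constructed for the demonstration.

```python
"""Bit-stream copy with hash verification (added example; SHA-256 is an assumption)."""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read size; small enough that the demo spans several chunks


def sha256_file(path, chunk=CHUNK):
    """Hash a file by streaming it, so large images never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image, chunk=CHUNK):
    """Copy source to image byte for byte, hashing the data as it is read."""
    h = hashlib.sha256()
    copied = 0
    # Mode "xb" refuses to overwrite an existing image file.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            h.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    return {"bytes": copied, "acquisition_sha256": h.hexdigest()}


def verify_image(image, record):
    """Re-read the image from disk and compare it with the acquisition record."""
    digest = sha256_file(image)
    return {
        "size_ok": os.path.getsize(image) == record["bytes"],
        "hash_ok": digest == record["acquisition_sha256"],
        "sha256": digest,
    }


def demo():
    """Image a constructed source file, then show that a one-bit change is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.bin")   # hypothetical evidence file
        image = os.path.join(tmp, "image.dd")      # hypothetical image name
        with open(source, "wb") as f:              # constructed sample content
            f.write(bytes(range(256)) * 1024 + b"constructed-deleted-remnant")
        record = acquire_image(source, image)
        before = verify_image(image, record)
        with open(image, "r+b") as f:              # flip one bit in the copy
            f.seek(100_000)
            byte = f.read(1)[0]
            f.seek(100_000)
            f.write(bytes([byte ^ 0x01]))
        after = verify_image(image, record)
        return before, after


if __name__ == "__main__":
    for label, result in zip(("as acquired", "after 1-bit change"), demo()):
        print(label, result)
```

The size check alone passes after the one-bit change; only the hash comparison reveals that the copy no longer matches what was acquired.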
Two applications, digital analysis and data query models, have the specific purpose of detecting fraud. Digital analysis uses Benford’s Law, which is an exponential distribution based on the first digit of naturally occurring numbers that do not occur in a set pattern. Phone numbers and zip codes do have a pattern and therefore cannot be used; however, invoice amounts and compound interest do not have recurring patterns and could be used. Benford’s Law helps IT auditors detect fraud by comparing the expected frequency distributions with the observed frequency distributions. Data query models compare computer assisted audit technique results with other evidence obtained during the audit, making sure that the evidence makes sense and supports assertions made.
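The comparison of expected and observed first-digit frequencies can be worked through in code. This is an added example, not part of the original article: it uses the expected proportion log10(1 + 1/d) for leading digit d, and the ledger, the 5,000 approval limit, and both thresholds are constructed assumptions.

```python
"""First-digit (Benford) screen over invoice amounts (added example)."""
import math
from collections import Counter
from decimal import Decimal, InvalidOperation

CHI2_CRIT_DF8_95 = 15.507  # chi-square critical value, 8 degrees of freedom, 5%
Z_CRIT_99 = 2.576          # two-sided 99% threshold for a single digit

# Expected proportion of leading digit d under Benford's Law.
EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount):
    """Leading non-zero digit, or None for zero, blank or non-numeric input."""
    try:
        digits = Decimal(str(amount).replace(",", "")).as_tuple().digits
    except InvalidOperation:
        return None
    return next((d for d in digits if d), None)


def benford_screen(amounts):
    """Compare observed first-digit counts with the expected distribution."""
    counts = Counter(d for d in map(first_digit, amounts) if d is not None)
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no usable amounts")
    chi2, z = 0.0, {}
    for d, p_exp in EXPECTED.items():
        observed = counts.get(d, 0)
        chi2 += (observed - n * p_exp) ** 2 / (n * p_exp)
        gap = abs(observed / n - p_exp)
        correction = 1 / (2 * n)  # continuity correction, only if below the gap
        if gap > correction:
            gap -= correction
        z[d] = gap / math.sqrt(p_exp * (1 - p_exp) / n)
    suspicious = sorted((d for d in z if z[d] > Z_CRIT_99), key=lambda d: -z[d])
    return {"n": n, "counts": dict(counts), "chi2": chi2,
            "conforms": chi2 <= CHI2_CRIT_DF8_95, "suspicious_digits": suspicious}


def constructed_ledger(n=500):
    """Constructed sample: amounts spread evenly on a log scale, 10 to 10,000."""
    phi = (math.sqrt(5) - 1) / 2
    return [round(10 ** (1 + i % 3 + (i * phi) % 1.0), 2) for i in range(1, n + 1)]


def constructed_padding(k=60):
    """Constructed sample: k invoices just under a hypothetical 5,000 limit."""
    return [4900 + (i * 37) % 100 for i in range(k)]


if __name__ == "__main__":
    ledger = constructed_ledger()
    for label, data in (("ledger", ledger),
                        ("ledger + padded invoices", ledger + constructed_padding())):
        r = benford_screen(data)
        print(f"{label}: n={r['n']} chi2={r['chi2']:.1f} "
              f"conforms={r['conforms']} suspicious={r['suspicious_digits']}")
```

A flagged digit is a pointer to which transactions to pull for review, not a finding in itself, and the chi-square comparison is unreliable on small populations where the expected count for a digit falls below about five.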
Not only can computer forensics be used to accuse criminals, but it can also be used to uncover evidence believed to have been deleted in cases such as the Enron scandal. Despite the efforts of employees and several financial institutions to mislead investors, internal e-mails, thought to have been deleted, led to suspicions of loans and therefore the investigations of the real numbers Enron should have been reporting. Anything saved, opened or viewed on a computer is permanently recorded somewhere. Unless it is properly overwritten, it is capable of being found and restored. When McKesson, Inc. acquired HBO & Inc., company auditors found irregularities in their accounting documents. An in-depth audit using computer forensic tools recovered several deleted emails and removed files that were part of an effort to hide HBO’s falsification of their books.
Trends in Forensic Auditing
Forensic auditing increased its presence in the auditing environment mostly due to the fraud scandals of companies like Enron and WorldCom in 2002. Immediately afterwards the Auditing Standards Board (ASB) approved a new standard, No. 99, in order to more clearly define the financial auditors’ responsibility concerning the detection of fraud. However, because financial audits are not designed to detect fraud, they cannot be relied upon to uncover it at any significant level. This is shown by the statistic that between about ten and twelve percent of all fraud detected is credited to financial auditors. Due to this lack of fraud detection in financial auditing, an increasing need for forensic auditing has arisen along with an increase in fraud education and training in all different areas of auditing.
Even before the Sarbanes-Oxley Act (SOX) of 2002, accounting practitioners did not have adequate ethics or fraud training. Without students having that training or education, a lot of difficulty arose in the industry in recognizing fraud. However, after many fraudulent scandals and the passing of SOX, fraud and ethics training has been an essential part of every accounting student’s education. These reforms resulting from SOX have specifically brought to light a number of areas in which auditing firms have been weak. A lack or shortage of staffing and experience of employees working in audit firms are some of the weak areas that led to a positive trend in the education of auditors. Due to auditing companies needing to meet regulatory requirements and the fact that baby boomers are now retiring, demand for auditors is high. Along with training in ethics, risk management, and financial statement analysis, forensic accounting is increasingly being taught and offered in accounting higher education in order to meet marketplace needs with such a high demand for auditors.
Not only are elements of forensic auditing permeating financial auditing in general, but they are also finding their way into specific areas of auditing such as internal auditing. The approaches, techniques, and objectives that internal auditors use are quite similar to those forensic auditors use, which paves the way for fraud investigations to be more a part of internal auditing now and in the future. Historically, internal auditors have been involved with fraud investigations only after the fact: to examine the breakdown of internal controls that led to the fraud and to provide recommendations to prevent it from happening in the future. However, companies are now looking to internal auditors to have more of a role in fraud investigations. Without the need to hire external resources for every fraud investigation, there is a potential for high cost savings in the future. However, when investigations arise where much more in-depth knowledge and experience in forensic auditing is needed, failing to outsource to more highly qualified resources can be more costly in the long run because of a poorly executed or failed investigation.
Future of Computer Forensic Technology
Cyber-forensics is becoming more important and will be extremely important in the near future because computers and the web are the fastest growing technology tools used by criminals. These cybercrimes and white collar crimes have become popular among criminals because of the high profit yields and low risk of conviction and sentencing if caught. Computer forensics will soon be as essential as an officer’s handcuffs or radio. The fact is that so many forms of communication, banking, shopping, and social networking take place online, so naturally, it has become the perfect place for criminals to be involved.
Another upcoming use of information technology is the application of business intelligence with computers. Business intelligence is a way of extracting information and analyzing it through various tools. The information that is analyzed helps detect fraud through the use of patterns and acts as a guide to investigations.
Investigations are still led by police officers and investigators, but the use of computers and computer technologies aids procedures. It allows for more in-depth searches and analysis of relevant information, and provides the capability of tracing or retrieving documents from computer networks, which matters because much of the fraud committed today stems from online activity.
To conclude, fraud and forensic auditing will continue to impact businesses in the future. Companies will need to ensure that their fraud practices are keeping up with emerging technologies. Just as technology has advanced in the past thirty years, so have incidences of fraud. Thus, as we have seen, the complexity of fraud and forensic audit techniques has greatly improved. Computer forensics has expanded the capabilities of these techniques and will continue to grow in importance because of the continuing growth in technology. Fraud and forensic auditors are becoming more educated and trained in fraud and forensic auditing, which will increase the amount of fraud uncovered. Overall, fraud and forensic auditing is vital to properly utilizing evidence in a court of law.