icai-wirc trends in business & it forensics · 2012-01-23 · icai-wirc trends in business...

ICAI-WIRC

Trends in Business & IT

Forensics

Presented by,

Prashant BhatSenior Manager, Mumbai

Saturday, January 21, 2012

Agenda

© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.

Protiviti is not licensed or registered as a public accounting firm and does not issue

opinions on financial statements or offer attestation services. 2

What is Fraud?

Need for Forensics

Common Fraud Scenarios

What Does Fraud Cost You?

Forensic Audits Approach & Methodology

Types of Forensic Audits?

Computer Forensics - Methodology

Special Investigative Unit

Case Studies

What is Fraud?

What is Fraud?




Institute of Internal Auditors defines fraud as:

Any illegal acts characterized by deceit, concealment or violation of trust. These acts are

not dependent upon the application of threat of violence or of physical force. Frauds are

perpetrated by parties and organizations to obtain money, property or services; to avoid

payment or loss of services; or to secure personal or business advantage.

Fraud Detection and management framework

Need for Forensics





5%of annual revenues are lost to occupational fraud*

2010 Report to the Nations: ictim Organizations - # Case / Avg. Loss




Victim Organization# Case / Avg.

Loss

Mining 12 / $1M

Wholesale Trade 42 / $513K

Oil and Gas 57 / $478K

Real Estate 57 / $ 475K

Agriculture, Forestry, Fishing and Hunting 27 / $320K

Manufacturing 193 / $300K

Transportation and Warehousing 62 / $300K

Technology 65 / $250K

Construction 77 / $200K

Communication / Publishing 16 / $110K

Religious, Charitable or Social Services 41 / $75K

Insurance 91 / $197K

Healthcare 107 / $150K

Education 90 / $71K

Telecommunications 37 / $131K

Arts, Entertainment and Recreation 57 / $475K

Victim Organization# Case / Avg.

Loss

Retail 119 / $85K

Government and Public Administration 176 / $81K

Services (Professional) 51 / $110K

Utilities 45 / $120K

Services (Other) 89 / $109K

Banking / Financial Services 298 / $175K

0

10

20

30

40

50

60

70

80

90

Legend

2010

2008

Asset

Misappropriation

Corruption Financial

Statement Fraud

No

. o

f F

rau

ds


Percentage of Companies* Reporting Indicated Frauds

Legend

2009

2010

Percentage

Types o

f F

raud

Top Fraud Type

27 % of the companies

reported Information

theft, loss or attack in

2010, a 34% increase

from 2009

* Results are based on survey of companies in USA


Percentage of companies* within industry reporting information theft, loss

or attack

Percentage

Type o

f In

dustr

y

Legend2009

2010

Top Affected Industry

Sector

42 % of the Financial

services companies

reported Information theft,

loss or attack in 2010, a

43% increase from 2009

40 % of the professional

services companies

reported Information theft,

loss or attack in 2010, a

32% increase from 2009

37 % of the technology,

media & distribution

companies reported

Information theft, loss or

attack in 2010, a 22%

increase from 2009* Results are based on survey of companies in

USA


Common Fraud Scenarios

Categories of Fraud




• Misappropriation of Assets

• Improper or unauthorized expenditures (including bribery and other

improper payment schemes)

• Self-dealings (including kickbacks)

• Violations of laws and regulations

• Fraudulent financial reporting

The various categories of fraud that are relevant for consideration by

management in identifying risks of fraud include:

Common Fraud Scenarios: Cross-Industry Risks




• Fraudulent financial reporting

– Earnings management

– Improper revenue recognition

– Overstatement of assets

– Understatement of liabilities

– Fraudulent journal entries

– Round-trip or “wash” trades

• Misappropriation of assets

– Billing schemes

– Collusion

– Concealment

– Embezzlement

– Forgery

– Ghost employees

– Kiting

– Lapping

– Larceny

– Misapplication

– Payroll fraud

– Theft

• Expenditures and liabilities incurred

for improper or illegal purposes

– Bribes

– Corrupt payments

– FCPA violations

– Concealment

– Related party payments

• Violations of Laws & Regulations

– Compliance violations

– Tax fraud

– Money laundering

– Anti-trust violations

• Self Dealings

– Kickbacks

– Conflicts of interest

– Related Party Transactions

– Misuse of position

Categories of Fraud

Financial Service Industry




• Bank Fraud

– Loan fraud

– Fraudulent loan applications

– Account takeover

– Wire Fraud

– Check fraud

– Counterfeiting

– Payment card fraud

– Phishing

– Identity theft

– Kiting

– Money laundering

– Demand draft fraud

– Forged documents

– Skimming

– Structuring

– Terrorist Financing

• Common types of investment fraud:

– Unsuitable investments

– Ponzi scheme

– Affinity fraud- investment made because of

recommendation by a “trusted” friend based

on similar backgrounds

– Unregistered investments

– Unlicensed salespeople

– Rogue traders

• Insurance Companies

– Bribery / Kickbacks / Gifts to adjusters

– Conflict of Interest / Related Party

Transactions

– Collusion of internal and external

perpetrators

– Double Billing / Double Processing of

Claims

– False Billings by Claims Processers

– Identity Theft by internal perpetrators

– Overbilling of Underlying Procedures

Can Frauds Happen ? Red Flags / Key Indicators – Entity Level




Internal control gaps, deficiencies, weaknesses

Business results that continually outperform expectations

Management override of controls

Rapid or significant turnover of resources

– Senior management

– Key financial positions

– Key employees

Inadequate segregation of duties

– Turnover

– Cut-backs / lay-offs

Unusual end-of-month or end-of-quarter journal entries or topside entries

High-level of related-party transactions

Employee, customer or vendor complaints

Repeated changes of independent public accountants

Disclosures

– Investigations

– Suspicion of illegal activities

Red Flags

Process Level – Red Flags




Cash

• High volume of manually prepared

checks

• Unrestricted access to blank checks,

signature plates, and check signing

equipment

• Improper segregation of duties

• Improper authorization or weak

controls over wire transfers

• Unexplained items when preparing

bank reconciliation

• Excessive number of unexplained

voided checks

• Excessive number of bank accounts

and activity between these accounts

as to make it difficult to follow the flow

of funds

Accounts Receivable Process

• Lack of accountability for invoice numbers

issued

• Lack of segregation of duties between the

following:

– Processing of accounts receivable

invoices and posting to sub-ledger

– Posting to accounts receivable sub-

ledger and cash receipts

• Lack of policies and procedures regarding

write-offs

• Frequent undocumented and/or unapproved

adjustments, credits, and write- off’s

• Low turnover or slow collection cycle

• Dramatic increase in allowance for doubtful

accounts

• No reconciliation of AR sub-ledger to GL

control account

• Unrestricted access to sub-ledgers and

general ledger





Inventory/Production Process

• Credit balances in inventory accounts

• Consistent fluctuations in inventory accounts between months

• Excessive inventory write-offs without documentation or approvals

• Unusual volume of adjustments, write-offs, and disposal of material, inventory, or fixed assets

• Unrestricted access to inventory storage

• No policy regarding identification, sale, and disposal of obsolete and surplus materials

• FG inventory turnover rate does not correlate with operating cycle

• No segregation of duties between:

– Receipt of inventory and issuing of materials

– Recording of inventory accounts and ordering materials

– Identification of obsolete and surplus materials and sale and disposal of such materials

Distribution

• Substantial cash payments, price

discounts, rebates, or other concessions to

distributors to induce continued buying as

well as promise not to return goods

• Payments or concessions to distributors

that are recorded as expenses rather than

reductions in revenue

• Inventory sent to distributors include rights

of return

• Distributors sell goods on consignment but

revenue is recognized immediately

• Recognizing revenue before the risk of

loss has passed to the customer

• Distributors are nothing more than

warehouses where inventory is stored but

sale is recorded





Fixed Assets

• Expenses are inappropriately

capitalized

• Leased assets are recorded as fixed

assets

• Incorrectly classified assets (short-

term vs. long-term)

• Fixed assets classified at market

value rather than historical cost

• Unexplained discrepancies between

the fixed asset register and the

general ledger

Accounts Payable

• Recurring identical amounts from the same vendor

• PO Boxes or multiple remittance addresses for the same vendor

• Sequential invoice numbers from the same vendor or invoice numbers with an alpha suffix

• Lack of segregation of duties

• Processing AP invoices and updating vendor master file

• Preparing checks and posting to vendor accounts

• Preparing and mailing signed checks

• No proper documentation of changes to vendor master file

• Suspicious/excessive adjustments for returned goods





Purchasing

• Turnover among buyers within the purchasing department significantly exceeds attrition rates throughout the organization

• Purchase order proficiency rates fluctuate significantly among buyers within comparable workload levels

• Dramatic increase in purchase volume per certain vendor(s) not justified by competitive bidding or changes in production specifications

• Unaccounted purchase order numbers or physical loss of purchase orders

• Rise in the cost of routine purchases beyond the inflation rate

• Unusual purchases not consistent with the categories identified by prior trends or operating budget

Bidding Process

• Costs for work performed by certain contractors are coded differently (e.g. by an unusual project number or general ledger account) than for similar work performed by other contractors

• Certain contractors are typically allowed to overrun their bid amount without proper authorization or change order documentation

• Existence of conflicts of interest (e.g. a company employee having a financial interest in a contractor’s business)

• Contractor who consistently submits the lowest bid after all other bids have been submitted

• Inappropriate interaction between purchasing department personnel and contractors

• Background checks indicate that the contractor has numerous DBAs and those other companies compete against the contractor during the bidding process





Payroll

• Dramatic increase in labor force or overtime not justified by production or sales volume

• Turnover within the payroll department significantly exceeds attrition rates throughout the organization

• Missing or easy access to blank checks, facsimile, and manual check preparation machine

• Tax deposits are substantially less than those required by current payroll expenses

• High volume of manually prepared payroll checks

Finance Process

• Significant adjustments to accrued liabilities, accounts receivable, contingencies, and other accounts prior to acquisition of new financing

• Dramatic change in key leverage, operating, and profitability ratios prior to obtaining financing

• Adopting a change in accounting principle or revising an accounting estimate prior to obtaining financing

• Increase in short-term cash and a decrease in receivables while sales are increasing prior to seeking new financing

• A change in external activities, legal counsel, or treasury department head prior to obtaining new financing

• A delay in issuance of monthly, quarterly, or annual financial reports prior to seeking new financing

Forensic Audits Approach & Methodology

What is Fraud Auditing?




• Anomalies

• Exceptions

• Irregularities

• Oddities

• Patterns

Combination of tools and techniques used to detect indicators of fraud and

misconduct, including:

Fraud auditing : Be Skeptical!




• Always request originals.

• Ask yourself whether transactions make sense.

• Have documents been altered?

• Look to see where the documents are maintained.

• Do employees have close personal relationships with vendors?

• Is there a lack of supporting documentation?

• Do background checks identify related parties and DBAs?

• Does an answer not make sense?

• Are you avoided more than usual?

• When asking a relatively simple question, are you unexpectedly referred

to someone high up in the organization?

• Go with your gut!

Fraud Auditing : Rules for focus




• Where are the weakest links in the system’s

controls?

• What deviations from conventional good

accounting practices are possible?

• How are off-line transactions handled and who

has the ability to authorize these transactions?

• What would be the simplest way to compromise

the system?

• What control features in the system can be

bypassed by higher authorities?

• What is the nature of the work environment?

Protiviti’s Forensic Audit Lifecycle




Sources of Investigation




• Tips

• By Accident

• Internal Audit

• Data Analytics

• Monitoring

• External Auditors

• Government

Investigative Techniques




• Interviewing

• Evidence Collection

• Collaboration

• Research

• Evidence Analysis

• Documentation

• Report

Issues to Consider in Initiating and Conducting an Investigation




• Evaluation of the Allegation

• Scope of the Investigation

• Investigative Expertise

• Internal and External Perpetrators

• Preservation of Evidence

• Chain of Custody

• Document Management

• Reports

Investigative Techniques - precautions





Where is Electronic

Evidence ?

Forensic Accounting

ActivitiesComputer Forensics

Activities

Types of Forensic Audits / Reviews

• Identifying

Accounting

irregularities

• Performing

Wrongdoing

investigations

• Asset tracing

• Performing

Regulatory

investigation

• Forensic data

Acquisitions

• Forensic Data

analysis

• Forensic data

preservation

• Litigation support




Computer forensics is a discipline that combines elements of law and computer

science to collect and analyze data from computer systems, networks, wireless

communications, and storage devices in a way that is admissible as evidence in a

court of law.

It is the specialist process of imaging and processing computer data which is

reliable enough to be used as evidence in court.

Computer Forensics – What is it?

Computer Forensics ushers digital information case solving with

traditional forensics !!

Data Talks and Data Doesn't Lie




Forensics vs. Computer Forensics?

FORENSICS

The use of science and

technology to investigate and

establish facts in criminal or civil

courts of law

COMPUTER FORENSICS

The acquisition, analysis, and

reporting of digital evidence

http://images.google.com/imgres?imgurl=http://perso.orange.fr/fingerchip/biometrics/types/fingerprint/fp/fingerprint_definition.jpg&imgrefurl=http://perso.orange.fr/fingerchip/biometrics/types/fingerprint.htm&h=295&w=347&sz=32&hl=en&start=4&tbnid=ai5iHq-URS7hiM:&tbnh=102&tbnw=120&prev=/images?q=fingerprint&gbv=2&ndsp=20&svnum=10&hl=en&sa=N

http://images.google.com/imgres?imgurl=http://www.sonnenschein.com/images/images_infosec/fingerprint.jpg&imgrefurl=http://www.sonnenschein.com/practice_areas/isie/corecomps/cc1/index.aspx&h=235&w=240&sz=45&hl=en&start=1&tbnid=jbQq4hVnIB6RLM:&tbnh=108&tbnw=110&prev=/images?q=computer+forensics+fingerprint&gbv=2&svnum=10&hl=en

Forensics vs. Computer Forensics?




• Any internal investigation where computer plays a key role

Ninety percent of U.S. companies are involved in litigation (Jaworski & Fulbright).

Computer data plays a critical role in virtually every internal investigation or litigation.

Electronically stored information is able to reveal much more than just the contents of

a file.

Where is Computer Forensics used ?

• Any government probe or financial investigation

• Any litigation where electronically stored information is requested or produced.

Where is the Electronic Evidence ?




• Laptops/Desktops• PDA’s/Cell phones• Printers• Servers• CD’s/DVD’s• USB Thumb Drive

Where is Electronic Evidence ?

Some Storage Devices are Less Obvious Than Others

Computer Forensics - Methodology

Computer Forensics Illustrative Methodology




Preservation and

CollectionExamination

Computer Forensics Analysis

Reporting and Testimony

Acquisition Analysis Reporting

Media Data Information Evidence

Data Acquisition

Data collection & preservation

Data Analysis

Computer forensic analysis/examination

Acquisition-Preservation and Collection




• Take authority to undertake the

Forensic investigation from the

client

Legal Document

Chain of Custody

is used in court as

evidence of

Integrity

Authorization

Chain of

Custody

• Documents chain of events

•Who – Names of people involved

•What – Information about the

device being acquired

•When – Dates/Times of

possession

•Where – Location of the device

•How – Details about the imaging

process





An improperly filled out CoC can hurt the case !


Video tape and photographs are

good supplements to handwritten

notes.

The following is an indicative list –

•Physical surrounding of the

Machine

•State of the machine

•Computers Make

•Model Number

•Serial Number

•Photographs of the back of the

PC

•List of attachments to the target

device

Document

Surroundings

Target computer

location photograph

Target computer model

number photograph

Target computer on state front

and back photograph

Prevent evidence

tampering & have

adequate

documentation

•Restrict access to

the equipment /

target machine to

avoid tampering

•Document the

scene in as much

detail as possible.


Media

Extraction

• Extract Media

• Take a Photograph

• Document

Acquisition-Preservation and Collection – Initial

Reaction – Key Points

Determine if a destructive script is active on the system. If yes, remove

the power cord from the back of the system.

Document the target machine and the surrounding

If the computer is running take a photograph of the screen.

Take photographs of the back, front, side and inside of the computer.

Bag and tag all potential evidences.

Search for sticky notes, pieces of paper and bag all evidences.

In case a confiscation is needed secure the evidence and transfer the

same to a secure location.

Acquisition- Examination

Acquisition-Examination

For examination of data , the first step is to create unaltered images ( at least 2) of the

whole HDD and other data sources. This image is called a Bit Stream Image or a forensic

image.

Bit by bit/sector by sector copy of the data is

performed.

Read-Read-Copy is the cycle, NO Write !!

Use write-blockers especially for Windows.

Copy the data

Verify the data – Compare Hashes

MD5 Hash of the original Media MD5 Hash of the copied data

Typical Tools Used:

Encase & FTK

Encase FTK

Success !

Forensic Analysis

Forensic Analysis

Keyword Searches

Email Searches

index.dat INFO2

The Windows Swap File

Print spool files

Analysis of the following can be performed

Temporary Files

Signature Analysis

Slack Space

Signature Analysis

Cookies Metadata Analysis

Forensic Analysis – Where does the Evidence Hide ?Two categories of data as evidence

• System Files

• User Data Files

• Word, Excel, etc.

• Company issued e-mail address

• Data that the user can “see”

Active Data

• Hidden Files

• Deleted Files

• Unallocated File Space

• Internet History

• Web Based E-Mail Activity

• Yahoo!, Hotmail, etc.

• Data user cannot “see”

Passive Data

NOT Usually Backed UpUsually Backed Up

Forensic Analysis – Where does the Evidence Hide ?Evidence Extraction

Deleted Files

• Secrets.doc

• ClientList.doc

• Spreadsheet.xls

Why DELETE does not mean DELETE

“Deleting” a file changes the

first character in the file name;

the data for the file remains on

the drive until overwritten.

Hiding Files

Changing the extension is

the most common way of

hiding the file from preying

eyes


Temporary Internet files

Stock Trading Records Web Based Banking &


Analysis using Encase

Searching for the

term “Hacking” using

Encase to scavenge

for evidences from

the data dump


Analysis using FTK

Searching for the

term “Hacking” using

FTK to scavenge for

evidences from the

data dump

Reporting and Litigation

Reporting and LitigationEvidence Extraction

Reporting

To be admissible in the Courts of law, evidence and reporting typically undergos a pre trial

(called “Daubert Hearing” in USA). Four categories determine the success/failure of

evidences viz.

•Testing

•Error Rate

•Publication

•Acceptance

Testing

False Positives False Negatives

Error Rate

Tool

Implementation

Error Rates

Abstraction

Error

Reporting and LitigationEvidence Extraction

Publication

• Documentation in a public place

• Undergone a peer review

• Technical procedures used to extract the data must be addressed in the publication

• Most important and difficult aspect of the general acceptance of a tool/technique used

by the tool.

Acceptance

• Closed source tools use

the testimony of the users

using them.

• Open source tools have

their codes released for

the review of the extraction

procedures.

Reporting and LitigationAvoid Spoliation

A quick internal investigation may make the

evidence inadmissible !!

Special Investigative Unit

Special Investigative Units




Steering Committee

Board of Directors

• Client FTE

OR

• Consultants

Telecoms

(if required)

• Client FTE

OR

• Consultants

• Client FTE

OR

• Consultants

• Client FTE

OR

• Consultants

• Client FTE

OR

• Consultants

Software:

Applications

• Sponsor project and set targets

• Approve key objectives

• Drive change and arbitrate

differences

Software:

Storage

Hardware:

ApplicationsHardware:

Storage

• Provide category

specific expertise &

assistance

• Advise & update

teams on key

strategies &

benchmarks

• Cross-functional experts and

key stakeholders

• Senior Resources

• Junior Resources

Special Investigative UnitInternal Audit Team

• Senior Resources

• Junior Resources

• Provide category

specific expertise &

assistance

• Participate in periodic

meetings/ sanction

interim deliverables

• Assist in change

management activities

How Organizations have Embedded Forensics Capabilities within the IA teams

Case Studies

Case 1 - Harassment Case and the application of Forensics




The Victim The Accused

•Claimed was Harassed

by CEO

•Married, Loyal Woman

•Files $10M Suit

•CEO of the leading

company

Case Study




Initial Evidence Initial Investigation

•Produces 18-month

chronology

•Produces damaging e-mail

•Corporation discusses

$1.5M settlement

•Forensics Process is

initiated

Recovered Searches

for:

“Harassment”

“Harassment

Settlements” “Big

Harassment

Claim”


Case Study




Investigation - Analysis of

data

•Instant Messages:

•Berating the CEO.

•Confession of poor

performance

•Deleted Emails discussing

the planning for the wrongly

accusing the CEO


Case Study




Investigation – Fabricated

MS word files which were

later printed as threats

Counsel decides to analyze PC belonging to “co-worker”


Case Study




Charges Dropped

Company sues for Fraud and

Embezzlement


Case Study




Major Biochemistry Research

Organization

Case 2 - Theft of Intellectual Property

•Team of Scientists Leave the Company

•Launch New Organization•Receive Lab Funding •Announce Discoveries

Case Study




Initial

InvestigationInitial Evidence

•Files copied to removable

media?

•Files e-mailed as

attachments?

•Collaborating on company

time?

•Forensics Process is

initiated


XX

•No evidence of

file copying

•No evidence of

files sent by e-

mail

•No incriminating

activity on

company server X

Case Study




Initial

Investigation

• Recovered Internet-based

E-mail Accounts


• Communications between

Involved Parties

• Web e-mails with

attachments

Case Study




Result of

investigation

• Temporary Internet Files

revealed

• Theft of IP through

web-based e-mail

• Elaborate planning and

coordination

• Months of preparation


Case Study

Q & AThank You