Fraud: New Directions for Detection and Prevention

By Patrick Taylor, president and CEO of Oversight Technologies.

The dictionary defines fraud as “A deception deliberately practiced in order to secure unfair or unlawful gain.” Because fraud in companies takes place at all levels – dishonest employees, light-fingered retail customers, conniving vendors, and corrupt managers – it has become a truism that fraud is just one of those things which will always be with us as long as our venal human nature doesn’t change. Companies have come to accept this as the way things are; for example, the “common” knowledge that 2% (of sales) is an acceptable figure for “shrinkage”, a euphemism for lost inventory, kited checks, fake invoices, and other assets evaporating off the bottom line due to fraud.

The recent shenanigans at Enron, WorldCom, Adelphia and the rest were a clarion call, not only because of the scale of the frauds but because of the realization that fraud had become inherent in the culture of some companies, up to the highest levels of management. The demise of Arthur Andersen, one of the largest and most trusted public accounting firms, after the Enron debacle led to the understanding that even the watchdogs had taken their eyes off the fraud ball.

Sarbanes-Oxley Arrives

The result has been a relative flood of new legislation to provide “adult oversight” of our public companies and financial institutions. In early 2002, Congress passed The Public Accounting and Investor Protection Act, H.R. 3763, better known as Sarbanes-Oxley. This legislation places direct responsibility, for the first time, on the officers and management of public companies, for their systems of internal control and the accuracy of financial reporting. The C-level executives now carry personal liability for failures. The kicker is that Sarbanes-Oxley never defines the required standards for internal controls.
So CEOs and CFOs are faced with the vexing question of how to improve their systems of internal controls. In other words, “What do we do now that we didn’t do before?” Although the specter of the perp walk looms, Sarbanes-Oxley remains inscrutable. More specifically, how does a corporation do a better job of detecting the three manifestations of internal fraud: misappropriation of assets, corruption, and fraudulent statements?

Let’s look at just two major components of classical internal control and defense against fraud: separation of incompatible functions and independent review by internal auditors. With proper separation of functions no one person can generate financial transactions as well as record them in the accounting records. The potential for fraud if this principle is broken is obvious. However, two trends are operating against this elegant principle, namely layoffs in administrative functions and integrated computer systems. Just a few years ago, several people in the company would have reviewed a sales transaction or a vendor invoice before it was processed. Now the customer or vendor very often enters the transaction directly into the computer from a Web site. The (skeptical) human eye is being removed from the system. Therefore, more responsibility is falling on the internal auditors to detect fraud.

So the next question is “What more can the auditors do to detect and deter fraud?” Broadly, internal auditors review the systems of internal control for compliance with company policies and auditing standards. They also extract samples of transactions – such as vendor invoices or expense disbursements – for detailed review. Given the huge transaction volumes in current systems, these samples are necessarily small, rarely more than a few percent of the total. So, part of the answer appears to be for auditors to review more transactions.
Use of Audit Software

The volume of transactions is processed by computers, so auditors should be making more, and more effective, use of those computers. Software is readily available to analyze files, extract samples, check totals and footings, identify exceptions, analyze accounts receivable balances, test for gaps in invoice number sequences, perform statistical analyses and extractions, and so on. Major products in this space include ACL, IDEA, and (of course) Microsoft Excel. The use of those systems is only just beginning, however: in a 2002 software survey by the Institute of Internal Auditors, published in the August 2002 edition of Internal Auditor magazine, 65% of respondents noted that they do not use any continuous monitoring audit software.

However, the uses of software mentioned in the previous paragraph are essentially extensions of manual audit functions, namely sorting and collating data, extracting samples, identifying exceptions, calculating accounting ratios, and generating audit working papers. The audit software assists with the after-the-fact audit process but doesn’t significantly change the approach. In essence, the manual audit process has been speeded up but not significantly changed. But a change in approach is what is needed after frauds of the scale of Enron and under Sarbanes-Oxley. The auditors need to become more proactive, to be able to identify frauds as they occur, not at the end of the month or when the next audit cycle occurs.

A New Approach

As a paradigm, let’s look at the area of network security. The Internet was originally designed to be as open and flexible as possible, with very few controls. It didn’t take the hackers long to realize they could capitalize on this by modifying valid Internet packets, spoofing email addresses, creating self-propagating viruses and worms, and all the other well-known horrors. But the industry didn’t sit idle.
A whole new technology industry spontaneously arose to defend the Internet and keep the bad guys out of corporate networks. This technology was built around the now ubiquitous firewall, a hardware/software combination designed to identify and exclude undesirable network traffic before it enters the network. In essence, a firewall examines 100% of network packets reaching the network and applies a set of access control rules to every packet; any packet which infringes one of those rules can be summarily dropped, after being logged for later investigation. In similar fashion, another defensive technology, anti-virus (AV) software, examines all inbound emails and compares their contents to the “signatures” of known viruses, worms, and other cyber-undesirables; offenders are summarily rejected after being logged for later analysis.

So network hacking attacks comprise “bad” packets, injected into the “good” data stream by unauthorized hackers whose goal is to damage the network in some way. Similarly, fraud consists of one or more “bad” transactions injected into the stream of valid financial transactions, in order to subvert controls and misappropriate assets. We might whimsically call fraud a form of financial hacking.

The Financial Firewall

Then, the defense mechanism we are looking for is a financial equivalent of a firewall: a technology which will examine 100% of financial transactions – not just a sample – in real time, comparing each one against a predetermined set of business rules. Transactions which infringe the business rules will typically not be rejected (as a network firewall would do) but would be extracted for more detailed review by the auditors. What would these business rules look like? They should simply be a formalized version of the normal internal control rules. In any company, these are based on GAAP or internal management policy.
For example, every vendor payment must be evidenced by an invoice, suitably dated, and an earlier purchase order with all details matching. The rules could also be more subtle; for example, highlight any vendor record with an address matching an address of a company employee, or any customer whose credit rating, from an online credit bureau, is questionable. The rules could also be designed to detect deliberate infringements of company policy. For example, detect any sequence of 2 or more purchase orders, originating from the same branch, where the value is just less than the cutoff amount requiring approval by a divisional manager (e.g., several POs for $49,900, to avoid gaining approval for a purchase over $50,000). Our financial firewall could also emulate AV or IDS software by watching for the “signatures” of more subtle signs of fraud, such as invoice amounts with exact round values (unlikely with freight charges and sales taxes). Even craftier would be to identify sequences of transactions where the amounts don’t conform to Benford’s Law (a mathematical law describing the expected distribution of leading digits in naturally occurring amounts, which in practice means that humans are bad at faking monetary amounts!).

How would a financial firewall operate? Clearly, it must be online to the corporation’s financial system server – running SAP, Oracle Financials, PeopleSoft, etc. – and match every real-time transaction against its base of business rules. Transactions selected for review must be categorized and securely recorded for audit review. This would bring the audit process as close as possible to true real-time monitoring of transactions.

Conclusion

With the advent of new oversight legislation, like Sarbanes-Oxley, executive managers are now personally on the line for failures of internal control or financial reporting. Because fraud and error have become their baby, they should and will demand better and more effective auditing techniques.
Simply increasing headcount in the internal audit group or increasing sample sizes for audit review won’t cut the mustard. Nor will running audit software in batch mode at the end of the month. We need a new approach to auditing, literally a continuous audit in real time so that the percentage of transactions actually audited increases but without commensurate increases in headcount. The ongoing battle between hackers and network defenses is instructive. Just as firewalls protect the network from rogue traffic, we need to construct financial “firewalls” to watch for fraudulent transactions and protect the corporation from them. If we can achieve this change, an added benefit is likely to be a drop in fraud for two reasons: first, the system should allow auditors to follow up on questionable transactions much more quickly, and second, by virtue of the “surveillance camera effect” – just as the presence of a surveillance camera deters theft, so the existence of an effective financial firewall will likely deter attempts at fraud. And, hopefully, the era of “2% shrinkage” may be at an end!
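The business rules sketched under The Financial Firewall above (split purchase orders just under the approval cutoff, round invoice amounts, vendor addresses matching employee addresses, and a Benford's Law check), as an added worked example in Python that is not part of the original article or of any Oversight product; the record layouts, the 2% "just less than" band, the chi-squared cutoff and all sample data are assumptions.

```python
# Added example (not from the article): a minimal "financial firewall" that runs the
# rules proposed above over constructed ERP records; hits are queued for auditor
# review, not rejected. Thresholds, rule names and records are assumptions.
import math
from collections import Counter, defaultdict

APPROVAL_LIMIT = 50_000.00  # divisional-manager approval cutoff (from the article)
NEAR_LIMIT = 0.98           # "just less than": within 2% below the cutoff (assumed)
BENFORD_CRITICAL = 15.51    # chi-squared, 8 degrees of freedom, p = 0.05
def split_pos(pos):
    """Rule: 2+ POs from one branch, each just below the approval limit."""
    by_branch = defaultdict(list)
    for po in pos:
        if APPROVAL_LIMIT * NEAR_LIMIT <= po["amount"] < APPROVAL_LIMIT:
            by_branch[po["branch"]].append(po["id"])
    return {b: ids for b, ids in by_branch.items() if len(ids) >= 2}

def round_invoices(invoices):
    """Rule: invoice totals that are exact multiples of $100 (no tax or freight cents)."""
    return [inv["id"] for inv in invoices if inv["amount"] % 100 == 0]

def vendor_employee_address(vendors, employees):
    """Rule: vendor address equal to an employee address after normalisation."""
    norm = lambda s: " ".join(s.lower().replace(",", " ").split())
    emp = {norm(e["address"]): e["id"] for e in employees}
    return [(v["id"], emp[norm(v["address"])]) for v in vendors if norm(v["address"]) in emp]

def benford_chi2(amounts):
    """Chi-squared distance of the leading-digit distribution from Benford's Law."""
    lead = Counter(str(abs(a)).lstrip("0.")[0] for a in amounts if a)
    n = sum(lead.values()) or 1  # guard against an empty stream
    chi2 = 0.0
    for d in range(1, 10):
        expected = n * math.log10(1 + 1 / d)
        chi2 += (lead.get(str(d), 0) - expected) ** 2 / expected
    return chi2

# Constructed sample records (not real data).
POS = [{"id": "PO-1", "branch": "Atlanta", "amount": 49_900.00}, {"id": "PO-2", "branch": "Atlanta", "amount": 49_850.00},
       {"id": "PO-3", "branch": "Atlanta", "amount": 12_300.00}, {"id": "PO-4", "branch": "Denver", "amount": 49_900.00}]
INVOICES = [{"id": "INV-1", "amount": 1_234.56}, {"id": "INV-2", "amount": 5_000.00},
            {"id": "INV-3", "amount": 2_400.00}, {"id": "INV-4", "amount": 870.19}]
VENDORS = [{"id": "V-1", "address": "12 Peachtree St, Atlanta"}, {"id": "V-2", "address": "400 Main St, Denver"}]
EMPLOYEES = [{"id": "E-1", "address": "400 main st denver"}, {"id": "E-2", "address": "5 Oak Rd, Austin"}]
FAKE_CLAIMS = [87.50, 92.00, 78.25, 95.10, 81.00, 99.99, 72.40, 88.80, 91.30, 79.90, 85.00, 97.60]

def run_firewall(pos=POS, invoices=INVOICES, vendors=VENDORS, employees=EMPLOYEES):
    """Apply every rule to the transaction stream and return the hits for auditor review."""
    return {"split_pos": split_pos(pos), "round_invoices": round_invoices(invoices),
            "vendor_employee_address": vendor_employee_address(vendors, employees)}
```

The Benford check only means something over a few dozen amounts, so it is applied to a whole population (for instance a month of expense claims) rather than to each record as it arrives.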
Bio - Mr. Taylor is recognized as a leader in the convergence of controls
monitoring, information security and the implementation of technology to
boost corporate governance. As CEO of Oversight Technologies, Patrick is
responsible for understanding customer needs for continuous transaction
incident monitoring and making sure those needs are met in Oversight's
product development. Patrick recognized that most IT security focuses on
perimeter security and ignores the greater inside threat from insiders who
abuse their system privileges to commit fraud. After speaking with
executives from across the country, Patrick launched Oversight Technologies
to pioneer the concepts and technology for continuous transaction incident
monitoring.
Copyright © Jim Kaplan
AuditNet® is a registered trademark of Jim Kaplan
Address of this Page is http://www.auditnet.org/