computer auditing(6) final(3)

Upload: henry-hardoon

Post on 29-May-2018


  • 8/9/2019 Computer Auditing(6) Final(3)

    1/98

    Paul Lower and Henry Hardoon 2010

    FRAUD DETECTION & CONTROL

    COMPUTER BASED FRAUDS

    2/98

    Computer Fraud

    Henry Hardoon ACA, FCCA, FAIA, CMC, APM, MIIT

    Chartered Accountant & Chartered Management Consultant

    4/98

    COMPUTER BASED FRAUD -CBF

    By

    Henry Hardoon

    5/98

    Computer fraud is fraud related to information technology, electronic commerce and similar systems. Computer fraud, also known as cyber fraud, is increasing rapidly as use of the internet by the public grows.

    CBF - Intro

    6/98

    Top Ten Countries by Count (Perpetrators) in 2009

    United States 66.1%; United Kingdom 10.5%; Nigeria 7.5%

    Canada 3.1%; China 1.6%; South Africa 0.7%; Ghana 0.6%

    Spain 0.6%; Italy 0.5%; Romania 0.5%

    CBF - statistics

    7/98

    CBF - statistics

    8/98

    CBF - statistics

    Amount Lost by Selected Fraud Type for Individuals Reporting Monetary Loss, 2009

    Complaint Type                           Percentage of Reported Total Loss   Average (median) $ Loss per Complaint (of those who reported a loss)
    Check Fraud                              7.8%                                $3,000.00
    Confidence Fraud                         14.4%                               $2,000.00
    Nigerian Letter Fraud                    5.2%                                $1,650.00
    Computer Fraud                           3.8%                                $1,000.00
    Non-delivery (merchandise and payment)   28.6%                               $800.00
    Auction Fraud                            16.3%                               $610.00
    Credit/Debit Card Fraud                  4.7%                                $223.00

    9/98

    CBF perpetrators - statistics

    77.4% were male and 50% resided in one of the following states: California, New York, Florida, Texas, District of Columbia, and Washington. The majority of reported perpetrators (66.1%) were from the United States; however, a significant number of perpetrators were also located in the United Kingdom, Nigeria, Canada, China, and South Africa.

    10/98

    CBF targets - statistics

    55.4% were male, nearly half were between the ages of 30 and 50, and one-third resided in one of the four most populated states: California, Florida, Texas, and New York.

    A number of complaints came from Canada, the United Kingdom, Australia, India, and France.

    Males lost more money than females (a ratio of $1.69 lost per male to every $1.00 lost per female). This may be a function of both online purchasing differences by gender and the type of fraudulent schemes by which the individuals were victimized. E-mail (74.0%) and web pages (28.9%) were the two primary mechanisms by which the fraudulent contact took place.

    11/98

    NFA reveals true cost of fraud in UK is £30bn a year

    The figures issued by the NFA equate to £621 for every adult in the UK. The report, from the agency set up in October 2008 to take charge of fighting fraud, is the UK's first comprehensive survey into the crime.

    CBF Cost to Economy

    12/98

    Computer fraud is any dishonest misrepresentation of fact intended to let another do or refrain from doing something which causes loss. In this context, the fraud will result in obtaining a benefit by:

    altering computer input in an unauthorized way. This requires little technical expertise and is not an uncommon form of theft by employees altering the data before entry or entering false data, or by entering unauthorized instructions or using unauthorized processes;

    CBF - Intro

    13/98

    altering or deleting stored data;

    altering or misusing existing system tools or software packages, or altering or writing code for fraudulent purposes. This requires real programming skills and is not common.

    Other forms of fraud may be facilitated using computer systems, including bank fraud, identity theft, extortion, and theft of classified information.

    CBF - Intro

    14/98

    Common types of computer fraud include:

    Establishing phony accounts.

    Draining established accounts.

    Changing ownership of assets or shipping assets to false addresses.

    Purchasing assets for private use.

    Creating phantom sales transactions.

    Giving individuals personal credentials or rewards they have not earned.

    CBF - examples

    15/98

    CBF types

    There are various types of computer fraud [also known as cyber fraud], which are as follows:

    Hackers [Hacking].

    Viruses.

    Fraud.

    Phreakers.

    Data fiddling

    Crackers

    Violation of privacy, etc.

    16/98

    Every year, huge amounts of funds are generated from illegal activities. These funds are mostly in the form of cash. Section 66 Clause (1) of the Information Technology Act, 2000 defines hacking as follows:

    Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.

    Hacking

    17/98

    Presently, the most notorious type of computer fraud is the creation of computer viruses.

    A virus usually affects numerous computer systems and usually is transferred from one system to another.

    A virus may spread through the transfer of disks or any other kind of storage device.

    A virus can take a variety of forms. Some are of the less harmful types; others are of dangerous kinds which can corrupt data.

    Viruses

    18/98

    Use antivirus software

    Use alerts to tell you when antivirus software is out of date

    Ensure users are vigilant in downloading files

    Prevent users from downloading files

    Only load CDs and DVDs from a reputable source or check them on a standalone machine first

    Update personnel skills

    Viruses - What to do?

    19/98

    Malware, short for malicious software, is software designed to infiltrate a computer system without the owner's informed consent.

    Examples: infections that install key-loggers on the PCs of website visitors.

    Financial institutions are particularly susceptible to keylogging attacks, as account numbers and passwords entered at banks' websites can immediately be captured by a keylogger. (YouTube video: key logger scam)

    Malware

    20/98

    Configure computers correctly

    Prepare for the impact of third party application exploits

    Maintenance of default configurations

    Update personnel skills

    Malware - What to do?

    21/98

    Fraud is defined as any behaviour by which one person intends to gain a dishonest advantage over another. In other words, fraud is an act or omission which is intended to cause wrongful gain to one person and wrongful loss to the other, either by way of concealment of facts or otherwise.

    Fraud

    22/98

    Phreaking is a slang term coined to describe the activity of a subculture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks. As telephone networks have become computerised, phreaking has become closely linked with computer hacking. This is sometimes called the H/P culture (with H standing for Hacking and P standing for Phreaking).

    The term "phreak" is a portmanteau of the words "phone" and "freak", and may also refer to the use of various audio frequencies to manipulate a phone system.

    Phreaking

    23/98

    Harassment covers a wide range of offensive behaviour. It is commonly understood as behaviour intended to disturb or upset. In the legal sense, it is behaviour which is found threatening or disturbing. Harassment is words, conduct, or actions directed at a specific person that annoy, alarm, or cause a lot of emotional distress for no legitimate purpose.

    Harassment

    24/98

    Data Fiddling is the changing of data before or during entry into the computer system. Examples include forging or counterfeiting documents used for data entry and exchanging valid disks and tapes with modified replacements. This kind of attack involves altering the raw data just before it is processed by a computer and then changing it back after the processing is completed.

    Data Fiddling

    25/98

    A computer professional who gains illegal access into computers by hacking passwords is known as a cracker. Rather than a strict hacker/cracker dichotomy, more emphasis is now placed on a spectrum of different categories, such as white hat (ethical hacking), grey hat, black hat and script kiddie.

    Crackers

    26/98

    White hat

    A white hat hacker breaks security for non-malicious reasons, for instance testing their own security system.

    This type of hacker enjoys learning and working with computer systems, and consequently gains a deeper understanding of the subject. Such people normally go on to use their hacking skills in legitimate ways, such as becoming security consultants. The word 'hacker' originally included people like this, although a hacker may not be someone into security.

    Crackers cont

    27/98

    Grey hat

    A grey hat hacker is a hacker of ambiguous ethics and/or borderline legality, often frankly admitted.

    Crackers cont

    28/98

    Black hat

    A black hat hacker, sometimes called a "cracker", is someone who breaks computer security without authorization or uses technology (usually a computer, phone system or network) for vandalism, credit card fraud, identity theft, piracy, or other types of illegal activity.

    Crackers cont

    29/98

    Script kiddie

    A script kiddie is a non-expert who breaks into computer systems by using pre-packaged automated tools written by others, usually with little understanding. These are the outcasts of the hacker community.

    Crackers cont

    30/98

    When an individual wants to keep data or information hidden, for his or her own private use, that information is said to be private.

    Violation of privacy

    31/98

    Red flags are warnings that something could be or is wrong.

    Auditors, employees, and management need to be aware of red flags in order to monitor the situation and then take corrective action as needed.

    Employees who notice that red flags are ignored may mistakenly believe that it is okay to game the system or that they won't get caught.

    A little fraud soon becomes a large one if left to grow.

    Importance of Red Flags

    32/98

    What Red flags can you think of?

    Red Flags

    33/98

    Employee Red Flags

    I. Employee lifestyle changes: expensive cars, jewellery, homes, clothes

    II. Significant personal debt and credit problems

    III. Behavioural changes: these may be an indication of drugs, alcohol, gambling, or just fear of losing the job

    IV. High employee turnover, especially in those areas which are more vulnerable to fraud

    V. Refusal to take vacation or sick leave

    VI. Lack of segregation of duties in the vulnerable area

    Red Flags of computer fraud

    34/98

    Management Red Flags

    I. Reluctance to provide information to auditors

    II. Managers engage in frequent disputes with auditors

    III. Management decisions are dominated by an individual or small group

    IV. Managers display significant disrespect for regulatory bodies

    Red Flags of computer fraud

    35/98

    Management Red Flags cont...

    I. There is a weak internal control environment

    II. Accounting personnel are lax or inexperienced in their duties

    III. Decentralisation without adequate monitoring

    IV. Excessive number of checking accounts

    Red Flags of computer fraud

    36/98

    Management Red Flags cont...

    I. Frequent changes in banking accounts

    II. Frequent changes in external auditors

    III. Company assets sold under market value

    IV. Significant downsizing in a healthy market

    Red Flags of computer fraud

    37/98

    Management Red Flags cont...

    I. Continuous rollover of loans

    II. Excessive number of year end transactions

    III. High employee turnover rate

    IV. Unexpected overdrafts or declines in cash balances

    Red Flags of computer fraud

    38/98

    Management Red Flags cont...

    I. Refusal by company or division to use serial numbered documents (receipts)

    II. Compensation program that is out of proportion

    III. Any financial transaction that doesn't make sense - either common or business

    IV. Service contracts that result in no product

    V. Photocopied or missing documents

    Red Flags of computer fraud


    40/98

    Changes in Behaviour Red Flags

    The following behaviour changes can be Red Flags for Embezzlement:

    I. Borrowing money from co-workers

    II. Creditors or collectors appearing at the workplace

    III. Gambling beyond the ability to stand the loss

    IV. Excessive drinking or other personal habits

    Red Flags of computer fraud

    41/98

    Changes in Behaviour Red Flags

    I. Easily annoyed at reasonable questioning

    II. Providing unreasonable responses to questions

    III. Refusing vacations or promotions for fear of detection

    IV. Bragging about significant new purchases

    V. Carrying unusually large sums of money

    VI. Rewriting records under the guise of neatness in presentation

    Red Flags of computer fraud

    42/98

    Cash/Accounts Receivable

    Since cash is the asset most often misappropriated, local government officials and auditors should pay close attention to any of these warning signs.

    I. Excessive number of voids, discounts and returns

    II. Unauthorized bank accounts

    III. Sudden activity in dormant bank accounts

    Red Flags of computer fraud

    43/98

    Cash/Accounts Receivable cont...

    I. Taxpayer complaints that they are receiving non-payment notices

    II. Discrepancies between bank deposits and posting

    III. Abnormal number of expense items, supplies, or reimbursements to the employee

    IV. Presence of employee checks in the petty cash for the employee in charge of petty cash

    V. Excessive or unjustified cash transactions

    Red Flags of computer fraud

    44/98

    Cash/Accounts Receivable cont...

    I. Large number of write-offs of accounts

    II. Bank accounts that are not reconciled on a timely basis

    Red Flags of computer fraud

    45/98

    Red Flags in Payroll

    Red flags that show up in payroll are generally worthy of looking into. Although payroll is usually an automated function, it is a vulnerable area, especially if collusion is involved.

    I. Inconsistent overtime hours for a cost centre

    II. Overtime charged during a slack period

    Red Flags of computer fraud

    46/98

    Red Flags in Payroll cont..

    I. Overtime charged for employees who normally would not have overtime wages

    II. Budget variations for payroll by cost centre

    III. Employees with duplicate Social Security numbers, names, and addresses (UK Only)

    IV. Employees with few or no payroll deductions

    Red Flags of computer fraud

    47/98

    Red Flags in Purchasing/Inventory

    I. Increasing number of complaints about products or service

    II. Increase in purchasing inventory but no increase in sales

    III. Abnormal inventory shrinkage

    IV. Lack of physical security over assets/inventory

    Red Flags of computer fraud

    48/98

    Red Flags in Purchasing/Inventory cont..

    I. Charges without shipping documents

    II. Payments to vendors who aren't on an approved vendor list

    III. High volume of purchases from new vendors

    IV. Purchases that bypass the normal procedures

    Red Flags of computer fraud

    49/98

    Red Flags in Purchasing/Inventory cont...

    I. Vendors without physical addresses

    II. Vendor addresses matching employee addresses

    III. Excess inventory and inventory that is slow to turn over

    IV. Purchasing agents that pick up vendor payments rather than have them mailed

    Red Flags of computer fraud

    50/98

    Red Flags in other areas

    I. Creating fictitious employees and collecting the pay cheques (impersonation)

    II. Recording fictitious transactions on the books to cover up theft

    III. No supporting documentation for adjusting entries

    Red Flags of computer fraud

    51/98

    Red Flags in other areas cont...

    I. Incomplete or untimely bank reconciliations

    II. Increased customer complaints

    III. Write-offs of inventory or cash shortages with no attempt to determine the cause

    IV. Unrealistic performance expectations

    Red Flags of computer fraud

    52/98

    What is the effect on the business at hand? Sometimes red flags that have no financial impact may not require a change in procedure. Remember, though, that a red flag is a warning that something is or could be wrong. If you discover fraud, then an investigation is usually the next step. If it is just an error, then steps should be taken to correct the error and a procedure or follow-up should be initiated to prevent it from occurring again.

    Red Flags next steps..

    53/98

    Financial analysis has several applications when red flags are present. The most common is to determine what effect it has on the conduct of the local government. For example, what is the potential as well as the historical loss as the result of the red flag? What is the cost to prevent a potential loss from occurring, and what will it cost to recoup the identified loss?

    Red Flags prevention v costs

    54/98

    How many ways can you think of to control Computer Fraud? Is it:

    A resources problem?

    A people problem?

    A systems problem?

    A culture problem?

    A country problem?

    A global problem?

    Controlling CBF

    55/98

    Auditing around the computer

    Henry Hardoon ACA, FCCA, FAIA, CMC, APM, MIIT

    Chartered Accountant & Chartered Management Consultant

    56/98

    Internal auditing involves:

    A review of the reliability and integrity of financial and operating information

    A review of the controls employed to safeguard assets

    An assessment of employees' compliance with management policies, procedures and applicable laws and regulations

    An evaluation of the efficiency and effectiveness with which management achieves its organizational objectives

    Evaluating the effectiveness of existing policies, procedures and controls

    Using auditors to control CBF

    57/98

    For internal audits to be effective, it is important to have a competent internal audit department.

    Training Computer Auditors

    Training of computer auditors is seen as a perennial problem within the profession. The questionnaire sought to establish how computer audit skills are achieved. On-the-job experience was rated most important, with professional examinations being considered least important of the six methods specified on the questionnaire.

    Using auditors to control CBF cont

    58/98

    For internal audits to be effective, it is important to have a competent internal audit department.

    Training Internal Auditors

    The AICPA's new audit standard on fraud, SAS No. 82, is designed to help auditors detect material fraud resulting from fraudulent financial reporting and misappropriation of assets, and also to clarify for users and practitioners the auditors' responsibilities for detecting fraud.

    Using auditors to control CBF cont

    59/98

    Provide training to directors and senior managers on how to identify and monitor these fraud risks and handle fraud situations.

    Provide training to company employees on how to identify, communicate and handle uncovered fraudulent activities.

    Using staff and management to control CBF

    60/98

    Develop formal guidelines concerning the actions to be taken against the perpetrator of a computer fraud.

    All dishonest acts should be investigated, and the guilty should be prosecuted and dismissed immediately. The very existence of these policies deters fraud and enhances internal control.

    Using effective deterrents to control CBF

    61/98

    Computer Fraud: A People Problem?

    If organisations are to counter computer fraud, they must adopt suitable personnel procedures to deter computer crime.

    The most important consideration is to hire and retain honest people.

    Selecting employees with high integrity: companies should have an applicant fill out a written application, solicit resumes and letters of reference, and obtain credit bureau reports on the applicant.

    Using HR to control CBF

    62/98

    Auditing with the Computer

    Henry Hardoon ACA, FCCA, FAIA, CMC, APM, MIIT

    Chartered Accountant & Chartered Management Consultant

    63/98

    Computer programs (interrogation software) have been developed that identify red flags of computer fraud and can even quantify it.

    As early as 1982, CAATs were a powerful audit tool for detecting financial errors.

    In the last 10 years the use of CAATs has become standard practice.

    Audit software permits auditors to obtain a quick overview of the business operations and drill down into the details of specific areas of interest.

    CAATs can test 100% of the data at minimal cost

    Allows continuous monitoring

    Using CAATs to control CBF

    64/98

    Some examples of routines that can identify red flags include:

    Number of complaints

    Computer-based comparisons of object and source versions

    Large numbers of deleted transactions

    Large numbers of journals

    Number of transactions per month

    Using CAATs to control CBF

    65/98

    Some examples of routines that can identify red flags include:

    comparing actual vs. budgeted expenditures to determine unusual patterns;

    duplicate or non-existent Social Security numbers for employees or vendors;

    comparing employee addresses with vendor addresses to identify employees that are also vendors;

    searching for duplicate check numbers to find photocopies of company checks;

    Using CAATs to control CBF

    66/98

    Some examples of routines that can identify red flags include:

    searching for vendors with post office boxes for addresses;

    analyzing the sequence of all transactions to identify missing checks or invoices;

    identifying vendors with more than one vendor code or more than one mailing address;

    unusual patterns of overtime payments;

    Using CAATs to control CBF

    67/98

    Some examples of routines that can identify red flags include:

    finding several vendors with the same mailing address;

    sorting payments by amount to identify transactions that fall just under financial control or contract limits;

    patterns such as negative entries in inventory received fields;

    voided transactions followed by "No Sale";

    or a high percentage of returned items.

    Using CAATs to control CBF

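Several of the CAAT routines listed on the preceding slides (duplicate or missing SSNs, employee addresses that match vendor addresses, PO-box vendors, several vendor codes at one address, gaps in the cheque sequence, payments just under a control limit), as an added example that is not code from the original slides; it runs over a small constructed data set with the Python standard library, and the field names, sample values and approval limit are assumptions of this example.

```python
# Added example, not code from the original slides: several of the CAAT
# red-flag routines listed above, run over a small constructed data set using
# only the Python standard library. Field names, sample values and the
# approval limit are this example's own assumptions.
import re
from collections import defaultdict

# Constructed employee and vendor master records (not real people or firms).
EMPLOYEES = [
    {"id": "E1", "ssn": "111-22-3333", "address": "12 High St"},
    {"id": "E2", "ssn": "111-22-3333", "address": "7 Mill Lane"},   # duplicate SSN
    {"id": "E3", "ssn": "",            "address": "3 Park Rd"},     # no SSN on file
]
VENDORS = [
    {"code": "V100", "name": "Acme Supplies",     "address": "12 High St"},   # same as E1
    {"code": "V101", "name": "Acme Supplies Ltd", "address": "12 high st "},  # second code, same address
    {"code": "V102", "name": "Box Services",      "address": "P.O. Box 99"},
    {"code": "V103", "name": "Real Parts",        "address": "40 Dock Way"},
]
# Constructed cheque register as (cheque number, vendor code, amount).
PAYMENTS = [
    (1001, "V103", 1200.00),
    (1002, "V100", 4990.00),
    (1004, "V101", 4999.99),   # 1003 is missing from the sequence
    (1005, "V102", 150.00),
    (1006, "V103", 5000.00),
]
APPROVAL_LIMIT = 5000.00   # assumed: amounts at or above this need a second approver


def _norm(address):
    """Normalise an address so trivially different spellings compare equal."""
    return re.sub(r"\s+", " ", address.strip().lower())


def duplicate_or_missing_ssns(employees):
    """Employees sharing a Social Security number, and employees with none recorded."""
    by_ssn = defaultdict(list)
    for e in employees:
        by_ssn[e["ssn"]].append(e["id"])
    duplicates = {ssn: ids for ssn, ids in by_ssn.items() if ssn and len(ids) > 1}
    return duplicates, by_ssn.get("", [])


def employees_who_are_vendors(employees, vendors):
    """Employee addresses that also appear as vendor addresses (possible self-dealing)."""
    vendor_codes = defaultdict(list)
    for v in vendors:
        vendor_codes[_norm(v["address"])].append(v["code"])
    return {e["id"]: vendor_codes[_norm(e["address"])]
            for e in employees if _norm(e["address"]) in vendor_codes}


def po_box_vendors(vendors):
    """Vendors whose address is a post office box rather than a physical location."""
    po_box = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.IGNORECASE)
    return [v["code"] for v in vendors if po_box.search(v["address"])]


def shared_vendor_addresses(vendors):
    """More than one vendor code at a single mailing address (duplicate or shell vendors)."""
    codes = defaultdict(list)
    for v in vendors:
        codes[_norm(v["address"])].append(v["code"])
    return {addr: c for addr, c in codes.items() if len(c) > 1}


def missing_cheque_numbers(payments):
    """Gaps in the cheque sequence: numbers never recorded as issued or voided."""
    issued = {n for n, _, _ in payments}
    return [n for n in range(min(issued), max(issued) + 1) if n not in issued]


def just_under_limit(payments, limit, band=0.02):
    """Payments within `band` (a fraction) below the approval limit: a classic
    sign of invoices split or priced to stay under a control threshold."""
    return [p for p in payments if limit * (1 - band) <= p[2] < limit]


if __name__ == "__main__":
    print("duplicate/missing SSNs:", duplicate_or_missing_ssns(EMPLOYEES))
    print("employees who are vendors:", employees_who_are_vendors(EMPLOYEES, VENDORS))
    print("PO box vendors:", po_box_vendors(VENDORS))
    print("shared vendor addresses:", shared_vendor_addresses(VENDORS))
    print("missing cheque numbers:", missing_cheque_numbers(PAYMENTS))
    print("just under limit:", just_under_limit(PAYMENTS, APPROVAL_LIMIT))
```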

    68/98

    Using computer controls to control CBF cont

    Another simple digital analysis technique is to search for invoices with even sterling/dollar amounts, such as 200.00 or 5,000.00. The existence of particular even amounts may be a symptom of fraud and should be examined.

    Case Study: Even Amounts

    Travel expenses had always been a concern for the auditors of X Company since it was an area where the controls were weak. Employees had a maximum per diem rate when travelling but had to submit receipts to cover the actual expenses. Maximums were also established for meals: breakfast $10.00, lunch $20.00, dinner $30.00, and hotel lodging $100.00. The auditors configured the audit software to identify meal expenses that were multiples of $10.00. These transactions were compared to receipts to ensure that the amounts expensed were appropriate. A detailed review determined that many travellers were charging the maximum rates for meals even though their receipts did not justify the amounts.


    69/98

    Using computer controls to control CBF cont

    Case Study: Doctored Bills

    The auditors reviewed the patient billing system at Company Y to determine if the appropriate charges were being assessed by health care providers. An initial analysis of the data was performed to calculate the ratio of the highest and lowest charges for each procedure. A judgment was made that those procedures with a max/min ratio of greater than 1.30 be noted and subjected to additional review. For a particular quarter, three procedures had ratios higher than 1.30, the highest being 1.42. A filter was used to identify the records related to the three procedures in question, and additional analysis was performed. This quickly determined that one doctor was charging significantly more than the other doctors for the same procedures. A comparison of charges from the billing system with payments in the accounts receivable system revealed that the doctor was skimming off the patient payments. The amount recorded in the receivable system was in line with the usual billing amount for the procedures. The doctor was unable to justify the higher prices or explain the difference between the billing and the receivable systems.


    70/98

    Using computer controls to control CBF cont

    Case Study: Contracting Kickbacks

    Jonathan, one of the contracting officers, had devised a great win/win kickback scheme. The auditors decided to use digital analysis as part of their review of the contracting section. One of the analyses calculated the total contract amount by supplier for each of the past two years. A ratio of current year to previous year was calculated and the minimum, maximum, average, and highest and lowest five ratios were displayed. While the average was close to 1.0, the highest and lowest five values showed that some companies had significant decreases in business, while others had experienced significant increases in business. The auditors reviewed the details of all companies that had a ratio of less than 0.7 or more than 1.30. For companies with an increase in business, the results revealed that Jonathan had raised many of the contracts, and he had raised no contracts with the companies that had seen a decrease in business. Salesmen said that they were told they would only get business if they paid Jonathan a kickback.
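The three digital-analysis tests from the case studies above (even meal amounts, the max/min charge ratio per procedure with the billing-versus-receivable comparison, and the year-on-year contract ratio per supplier), as an added example that is not code from the original slides; the thresholds are the ones the slides quote, while the records, names and years are constructed for illustration.

```python
# Added example, not from the original slides: the three digital-analysis tests
# from the case studies, reproduced over constructed data with the Python
# standard library. Thresholds are the slides' own (multiples of $10, a max/min
# ratio of 1.30, a year-on-year ratio below 0.7 or above 1.30); records, names
# and years are made up.
from collections import defaultdict

# Case 1: constructed meal claims as (employee, meal, amount claimed).
MEAL_CLAIMS = [
    ("E1", "dinner", 30.00), ("E1", "lunch", 12.45), ("E2", "breakfast", 10.00),
    ("E2", "dinner", 27.80), ("E3", "lunch", 20.00),
]
# Case 2: constructed billing records and what was posted to receivables.
CHARGES = [
    {"invoice": "I1", "procedure": "P1", "doctor": "DrA", "charge": 100.00},
    {"invoice": "I2", "procedure": "P1", "doctor": "DrB", "charge": 102.00},
    {"invoice": "I3", "procedure": "P1", "doctor": "DrX", "charge": 142.00},
    {"invoice": "I4", "procedure": "P2", "doctor": "DrA", "charge": 50.00},
    {"invoice": "I5", "procedure": "P2", "doctor": "DrX", "charge": 55.00},
]
RECEIVABLES = {"I1": 100.00, "I2": 102.00, "I3": 100.00, "I4": 50.00, "I5": 55.00}
# Case 3: constructed contracts as (supplier, year, amount, contracting officer).
CONTRACTS = [
    ("S1", 2009, 100000, "Kim"), ("S1", 2010, 90000, "Jonathan"), ("S1", 2010, 70000, "Jonathan"),
    ("S2", 2009, 100000, "Kim"), ("S2", 2010, 50000, "Kim"),
    ("S3", 2009, 80000, "Jonathan"), ("S3", 2010, 85000, "Kim"),
]


def even_amount_claims(claims, step_dollars=10.00):
    """Case 1: claims that are an exact multiple of `step_dollars`, i.e. likely
    claimed at the per-meal maximum rather than from a receipt. Works in cents
    so that float amounts such as 12.45 are not mis-rounded."""
    step = round(step_dollars * 100)
    return [c for c in claims if round(c[2] * 100) % step == 0]


def procedure_charge_ratios(charges, threshold=1.30):
    """Case 2: highest/lowest charge per procedure; only procedures over the threshold."""
    by_proc = defaultdict(list)
    for c in charges:
        by_proc[c["procedure"]].append(c["charge"])
    return {p: round(max(a) / min(a), 2) for p, a in by_proc.items()
            if max(a) / min(a) > threshold}


def billing_vs_receivable(charges, receivables, procedures):
    """Case 2 follow-up: for the flagged procedures, invoices where the billed
    charge differs from what reached the receivables ledger."""
    return [(c["invoice"], c["doctor"], c["charge"], receivables.get(c["invoice"]))
            for c in charges if c["procedure"] in procedures
            and abs(c["charge"] - receivables.get(c["invoice"], 0.0)) > 0.005]


def supplier_year_ratios(contracts, prev_year, cur_year, low=0.7, high=1.30):
    """Case 3: current/previous-year contract total per supplier, returning only
    suppliers outside [low, high] together with the officers who raised their
    current-year contracts. Suppliers with no previous-year business have no
    ratio and are skipped here (they would be reviewed as new vendors)."""
    totals = defaultdict(lambda: defaultdict(float))
    officers = defaultdict(set)
    for supplier, year, amount, officer in contracts:
        totals[supplier][year] += amount
        if year == cur_year:
            officers[supplier].add(officer)
    flagged = {}
    for supplier, by_year in totals.items():
        prev = by_year.get(prev_year, 0.0)
        if prev == 0.0:
            continue
        ratio = by_year.get(cur_year, 0.0) / prev
        if ratio < low or ratio > high:
            flagged[supplier] = (round(ratio, 2), sorted(officers[supplier]))
    return flagged


if __name__ == "__main__":
    print("even-amount meal claims:", even_amount_claims(MEAL_CLAIMS))
    high_ratio = procedure_charge_ratios(CHARGES)
    print("procedures with max/min > 1.30:", high_ratio)
    print("billing vs receivable mismatches:",
          billing_vs_receivable(CHARGES, RECEIVABLES, high_ratio))
    print("suppliers with unusual year-on-year change:",
          supplier_year_ratios(CONTRACTS, 2009, 2010))
```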

    71/98

    Carrying out more frequent audits

    A second technique for minimizing fraud risk is to intensify internal audits. Most crimes go undetected and often last for some time before being discovered. One way to increase the likelihood of detecting fraud is to conduct more frequent internal audits [7,10]. Internal auditors can provide an independent appraisal of the effectiveness of internal controls and the quality of managerial performance in carrying out assigned responsibilities.

    Using auditors to control CBF

    72/98

    The use of risk analysis in the prevention of computer fraud is important. There should be control procedures over staff in high-risk areas:

    Prevent staff from working out periods of notice.

    Compel staff to take holidays (it is important that all employees who have custody of assets or are responsible for sensitive record keeping or authorization functions take an annual vacation).

    Make use of special vetting or periodic job rotation among key employees.

    Firms should not place a high level of trust in their employees who operate in high-risk areas.

    Using risk analysis to control CBF

    73/98

    Computer controls

    Henry Hardoon ACA, FCCA, FAIA, CMC, APM, MIIT

    Chartered Accountant & Chartered Management Consultant


    74/98

    Computer controls are of two kinds: physical access controls and logical access controls. Physical access controls have to do with physical security measures taken to protect the computer, for example keeping the computer in a locked room.

    Logical access controls are those measures taken to limit the use of the computer and its resources. More information on computer controls can be found on the ISACA website, http://www.isaca.org; it has sections that can be accessed by non-members or, better still, you can register with them to get more benefit.

    Using computer controls to control CBF


    75/98

    Physical access controls

    Lock and Key

    CCTV

    Biometric Web Based systems

    Using Physical access controls to control CBF

    Using Logical access controls to


    Logical access controls

    Biometric Web Based systems

    Passwords

    Access rights

Using Logical access controls to control CBF


Spyware often gets onto your system through the manipulation of a browser technology called ActiveX.

Use software to stop spyware (which is often used in computer fraud).

Use software to automatically block malicious ActiveX controls, which hackers and identity thieves use to gain entry to your PC and commit computer fraud.

Using computer controls to control CBF


Use software to designate which websites get certain privileges.

Use software to intercept malicious file downloads.

Use software to warn of dangerous websites.

Use software to force periodic password changes.

Use software like FraudBreaker that captures your transaction data and performs real-time checks on a wide range of risk factors.

Using computer controls to control CBF cont


FraudBreaker allows you to:

Assign weight factors to all the risk elements you configure FraudBreaker to check. FraudBreaker then measures and correlates all the individual risk scores and calculates the overall risk factor for each of your transactions.

Set up rules that allow you to correlate fraud elements with AND-OR-NOT logic.

Set up accept/reject/manual review thresholds.

Configure blacklists and whitelists.

Get detailed reports and statistics as a spreadsheet for custom analysis.

    http://www.fraudbreaker.com/fraudbreaker-hosted-fraud-detection-software

Using computer controls to control CBF cont
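The weighted risk scoring described on the previous two slides, as an added worked example in Python. This is not FraudBreaker's code or any vendor's; the risk elements, weights, correlation rules, thresholds, blacklists and the four sample transactions are all constructed assumptions chosen to show how element scores, AND-OR-NOT rules and accept/reject/manual-review thresholds fit together:

```python
import ipaddress
from dataclasses import dataclass

# Constructed lists and thresholds; every value here is an assumption for illustration.
BLACKLIST_EMAILS = {"mule@example.net"}
WHITELIST_EMAILS = {"trusted.customer@example.com"}
BLACKLIST_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ACCEPT_BELOW = 40          # score < 40   -> accept
REJECT_AT_OR_ABOVE = 100   # score >= 100 -> reject; anything in between -> manual review


@dataclass
class Transaction:
    amount: float
    email: str
    ip: str
    bill_country: str
    ship_country: str
    card_country: str
    prior_orders: int
    velocity_1h: int   # orders on this card in the last hour


# Risk elements: name -> (predicate over a transaction, weight factor).
RISK_ELEMENTS = {
    "country_mismatch": (lambda t: t.bill_country != t.ship_country, 30),
    "card_country_mismatch": (lambda t: t.card_country != t.bill_country, 20),
    "high_value": (lambda t: t.amount >= 1000, 25),
    "first_order": (lambda t: t.prior_orders == 0, 10),
    "high_velocity": (lambda t: t.velocity_1h >= 3, 35),
    "blacklisted_ip": (lambda t: any(ipaddress.ip_address(t.ip) in n for n in BLACKLIST_NETS), 60),
}

# Correlation rules over the element hit map, using AND / OR / NOT logic.
# A rule that fires adds its own weight on top of the element weights.
RULES = [
    ("new_customer_high_value_abroad",
     lambda h: h["first_order"] and h["high_value"] and h["country_mismatch"], 40),
    ("velocity_or_bad_ip_and_not_whitelisted",
     lambda h: (h["high_velocity"] or h["blacklisted_ip"]) and not h["whitelisted"], 30),
]


def element_hits(t):
    """Evaluate every configured risk element: {name: fired?}."""
    return {name: bool(pred(t)) for name, (pred, _) in RISK_ELEMENTS.items()}


def assess(t):
    """Return (decision, score, names of the elements and rules that fired)."""
    if t.email in BLACKLIST_EMAILS:            # hard blacklist: no scoring needed
        return "reject", 999, ["blacklisted_email"]
    hits = element_hits(t)
    hits["whitelisted"] = t.email in WHITELIST_EMAILS
    fired = [n for n in RISK_ELEMENTS if hits[n]]
    score = sum(RISK_ELEMENTS[n][1] for n in fired)
    for name, rule, weight in RULES:
        if rule(hits):
            score += weight
            fired.append(name)
    if hits["whitelisted"]:
        score //= 2    # a whitelist lowers the score; it never bypasses the checks
    if score < ACCEPT_BELOW:
        return "accept", score, fired
    if score >= REJECT_AT_OR_ABOVE:
        return "reject", score, fired
    return "manual_review", score, fired


# Constructed sample transactions (not real data).
SAMPLES = [
    Transaction(49.99, "trusted.customer@example.com", "198.51.100.5", "GB", "GB", "GB", 12, 1),
    Transaction(1500.00, "new.buyer@example.org", "198.51.100.7", "GB", "NG", "GB", 0, 1),
    Transaction(200.00, "repeat.buyer@example.org", "198.51.100.9", "GB", "GB", "GB", 3, 4),
    Transaction(10.00, "mule@example.net", "203.0.113.9", "GB", "GB", "GB", 0, 1),
]


def triage(txns):
    """(email, decision, score) per transaction, as a review queue would list them."""
    return [(t.email, *assess(t)[:2]) for t in txns]


if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

The second sample shows why correlation rules matter: its individual elements add up to 65, which would only earn a manual review, but the combination "first order AND high value AND shipping abroad" adds a further 40 and pushes it over the reject threshold.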


Input/output reconciliations

Installation review

Test packs

Using substantive testing to control CBF
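An added worked example (not from the slides) of two of these substantive tests, input/output reconciliation and a test pack, in Python. The batch records, the posting routine, its deliberately faulty variant and the expected balances are all constructed for the illustration:

```python
from decimal import Decimal

# Constructed input batch: payment records as they appear on the batch control slip.
INPUT_BATCH = [
    {"id": "T001", "account": "10001", "amount": Decimal("120.00")},
    {"id": "T002", "account": "10002", "amount": Decimal("75.50")},
    {"id": "T003", "account": "10001", "amount": Decimal("-20.00")},   # a credit
    {"id": "T004", "account": "10003", "amount": Decimal("300.00")},
]


def control_totals(records):
    """Batch control totals: record count, value total and a hash total.
    The hash total (sum of the account numbers) means nothing in itself, but it
    changes if a record is dropped, duplicated or posted to the wrong account."""
    return {
        "count": len(records),
        "value": sum((r["amount"] for r in records), Decimal("0")),
        "hash": sum(int(r["account"]) for r in records),
    }


def post_batch(records):
    """The application routine under test: posts each record to a ledger and
    returns the ledger together with the output journal it produced."""
    ledger, journal = {}, []
    for r in records:
        ledger[r["account"]] = ledger.get(r["account"], Decimal("0")) + r["amount"]
        journal.append({"id": r["id"], "account": r["account"], "amount": r["amount"]})
    return ledger, journal


def post_batch_faulty(records):
    """Constructed defective variant: silently drops credit records, the sort of
    error (or deliberate manipulation) an input/output reconciliation catches."""
    return post_batch([r for r in records if r["amount"] >= 0])


def reconcile(input_records, output_journal):
    """Output minus input for every control total that does not agree."""
    i, o = control_totals(input_records), control_totals(output_journal)
    return {k: o[k] - i[k] for k in i if o[k] != i[k]}


# Test pack: known inputs together with the balances the auditor expects afterwards.
TEST_PACK = {
    "input": INPUT_BATCH,
    "expected_balances": {
        "10001": Decimal("100.00"),
        "10002": Decimal("75.50"),
        "10003": Decimal("300.00"),
    },
}


def run_test_pack(post_fn, pack):
    """Run the pack through a posting routine; report reconciliation and balance errors."""
    ledger, journal = post_fn(pack["input"])
    return {
        "reconciliation_differences": reconcile(pack["input"], journal),
        "balance_errors": {
            acct: (ledger.get(acct), expected)
            for acct, expected in pack["expected_balances"].items()
            if ledger.get(acct) != expected
        },
    }


if __name__ == "__main__":
    print("correct routine:", run_test_pack(post_batch, TEST_PACK))
    print("faulty routine: ", run_test_pack(post_batch_faulty, TEST_PACK))
```

Against the correct routine both checks come back empty; against the faulty one the record count is one short, the value total is 20.00 too high, the hash total is short by one account number, and account 10001 carries 120.00 instead of the expected 100.00.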


Embedded Audit Modules are utilised to monitor ongoing processes and to discreetly alert internal auditors to possible irregularities, errors or weak areas.

These include:

i. Snapshots: This technique involves taking a picture of a transaction as it flows through the computer systems. Audit software routines are embedded at different points in the processing logic to capture images of the transaction as it progresses through the various stages of processing. Such a technique permits auditors to track data and evaluate the computer processes applied to the data.

    Using Embedded audit facilities


ii. System Control Audit Review File: This involves embedding audit software modules within an application system to provide continuous monitoring of the system's transactions. The information is collected into a special computer file that the auditors can examine.

    Using Embedded audit facilities
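The two embedded audit facilities above, snapshots and a System Control Audit Review File, as one added Python example that is not part of the presentation. The payment transactions, the approval limit, the discount rule and the two validation tests are constructed assumptions; the point is that the audit module records images and exceptions discreetly while the application carries on processing as normal:

```python
import json
from decimal import Decimal

APPROVAL_LIMIT = Decimal("5000.00")   # assumed business threshold

# Constructed purchase payments; P-101 is both self-approved and over the limit.
TRANSACTIONS = [
    {"id": "P-100", "vendor": "V12", "amount": Decimal("4500.00"), "entered_by": "bob", "approver": "alice"},
    {"id": "P-101", "vendor": "V12", "amount": Decimal("9999.00"), "entered_by": "bob", "approver": "bob"},
    {"id": "P-102", "vendor": "V77", "amount": Decimal("250.00"), "entered_by": "dave", "approver": "carol"},
]


class EmbeddedAuditModule:
    """Audit routines embedded in the application.
    snapshot() keeps an image of a transaction at a named processing stage;
    exception() writes a record to the System Control Audit Review File (SCARF).
    Neither interrupts processing: the auditor reads the files afterwards."""

    def __init__(self):
        self.snapshots = []   # (transaction id, stage, image)
        self.scarf = []       # exception records

    def snapshot(self, stage, txn):
        # Round-trip through JSON so the image is a frozen copy, not a live reference.
        image = json.loads(json.dumps(txn, default=str))
        self.snapshots.append((txn["id"], stage, image))

    def exception(self, txn, reason):
        self.scarf.append({"id": txn["id"], "stage": "validation", "reason": reason})

    def scarf_lines(self):
        """The SCARF as the auditor would extract it: one JSON line per exception."""
        return [json.dumps(e, sort_keys=True) for e in self.scarf]


def process_payment(txn, eam):
    """Application logic with an audit hook at each processing stage."""
    eam.snapshot("input", txn)
    # Stage 1: validation tests chosen by the auditor (constructed examples).
    if txn["approver"] == txn["entered_by"]:
        eam.exception(txn, "approver is the user who entered the transaction")
    if txn["amount"] > APPROVAL_LIMIT:
        eam.exception(txn, "amount exceeds approval limit")
    eam.snapshot("validated", txn)
    # Stage 2: a constructed business rule, 2% early-payment discount.
    txn = dict(txn, amount=(txn["amount"] * Decimal("0.98")).quantize(Decimal("0.01")))
    eam.snapshot("discounted", txn)
    # Stage 3: posting.
    txn = dict(txn, status="posted")
    eam.snapshot("posted", txn)
    return txn


def run(transactions):
    """Process a batch and hand back the results together with the audit module's files."""
    eam = EmbeddedAuditModule()
    return [process_payment(t, eam) for t in transactions], eam


def trace(eam, txn_id):
    """Auditor's view of one transaction: its amount at every captured stage."""
    return [(stage, img["amount"]) for tid, stage, img in eam.snapshots if tid == txn_id]


if __name__ == "__main__":
    results, eam = run(TRANSACTIONS)
    print(trace(eam, "P-101"))
    print("\n".join(eam.scarf_lines()))
```

All three payments are posted, which is the intended behaviour of an embedded module: it does not block, it records. The SCARF afterwards holds two exception records, both for P-101, and the snapshot trail for any transaction shows its amount before and after each stage.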


A lack of formal procedures specifically designed to combat computer fraud appears to leave many organizations relatively unprepared and unprotected.

Employees should know the rules and standards the company requires of them. The company should prepare clearly stated policies that explicitly describe honest and acceptable behaviour, covering all issues from conflicts of interest to the acceptance of gratuities.

Define and document a company ethics/fraud policy that sets out what the company expects of employees, customers, suppliers and stakeholders.

Setting up formal procedures to control CBF


The most effective internal control is to segregate tasks among employees so that no single employee can both perpetrate and conceal a fraud or an unintentional error. In particular, the authorization, recording and custody of assets functions must be separated to effectively segregate the duties.

Using segregation of duties to control CBF


In highly integrated computer-based accounting information systems, procedures that might otherwise be performed by separate individuals may be combined within the computer processing function. Any person who has unrestricted access to the computer can both perpetrate and conceal fraud.

Using segregation of duties to control CBF


Authority and responsibility must be clearly divided among the following functions:

    Application systems analysis and programming

    Computer operations

    Systems programming

    Transaction authorization

    File library maintenance and data control.

With an effective separation of duties, it will be difficult for an employee to embezzle funds.

Using segregation of duties to control CBF


Effective supervision (a) assists employees engaged in operating or data processing tasks, (b) monitors the effectiveness with which employees carry out their assigned tasks and (c) safeguards assets by watching over employees who have access to assets. Supervision is an important means of control in organizations that are too small to afford adequate separation of duties for internal control purposes.

    Supervision to control CBF
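An added Python example, not from the slides, that checks the two segregation rules above (the authorization/recording/custody triad and the five IT functions that must be kept apart) against a role assignment list, and records whether a violation is covered by supervision as a compensating control, as the supervision slide suggests for small organizations. The roles, nested roles, users and the supervisor mapping are all constructed assumptions:

```python
from itertools import combinations

# Functions that must be kept apart (from the slides): the accounting triad and the
# five IT functions. Any two functions from the same group held by one person conflict.
ACCOUNTING = ["authorize", "record", "custody"]
IT = ["app_programming", "computer_operations", "systems_programming",
      "transaction_authorization", "file_library_data_control"]
CONFLICTS = ({frozenset(p) for p in combinations(ACCOUNTING, 2)}
             | {frozenset(p) for p in combinations(IT, 2)})

# Constructed role definitions. A role may grant functions and/or other roles.
ROLE_FUNCTIONS = {
    "ap_clerk": {"record"},
    "ap_manager": {"authorize"},
    "treasury": {"custody"},
    "developer": {"app_programming"},
    "operator": {"computer_operations"},
    "dba": {"systems_programming", "file_library_data_control"},   # a toxic role by design
    "finance_lead": {"ap_manager", "treasury"},                    # nested roles
}

# Constructed user assignments and the compensating supervision in place.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},
    "carol": {"finance_lead"},
    "dave": {"dba"},
    "erin": {"developer"},
    "frank": {"operator", "developer"},
}
SUPERVISED_BY = {"bob": "grace"}   # grace reviews everything bob authorizes


def expand(role, role_functions, seen=frozenset()):
    """Flatten a role (and any nested roles) into the functions it grants; cycle-safe."""
    if role in seen:
        return set()
    functions = set()
    for item in role_functions.get(role, ()):
        if item in role_functions:
            functions |= expand(item, role_functions, seen | {role})
        else:
            functions.add(item)
    return functions


def user_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Every function a user ends up holding through all of their roles."""
    held = set()
    for role in user_roles.get(user, ()):
        held |= expand(role, role_functions)
    return held


def sod_violations(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                   supervised_by=SUPERVISED_BY):
    """Every user holding a conflicting pair, with the compensating control if any."""
    report = {}
    for user in sorted(user_roles):
        held = user_functions(user, user_roles, role_functions)
        pairs = sorted(tuple(sorted(p)) for p in CONFLICTS if p <= held)
        if pairs:
            report[user] = {"conflicts": pairs,
                            "compensating_control": supervised_by.get(user)}
    return report


if __name__ == "__main__":
    for user, finding in sod_violations().items():
        print(user, finding)
```

Resolving nested roles is the part that matters in practice: carol holds no conflicting role by name, but finance_lead expands to both authorize and custody. The report separates violations that have a named supervisor (bob) from those that have none (carol, dave, frank), which is what a small organization relying on supervision needs to see.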


Control procedures are preventive, detective or corrective in nature. Preventive controls are the most important, because they eliminate problems before they occur. Many control problems can be prevented by hiring honest, well-trained individuals, appropriately segregating duties, effectively controlling physical access to facilities, utilizing well-designed documents and authorizing transactions.

Using internal controls to control CBF


Detective controls discover problems after they arise and include double-checking calculations, periodic performance reporting that highlights variances between actual and standard costs, reporting past-due accounts or out-of-stock inventory items, preparing bank reconciliations and verifying the use of pre-numbered documents. Detective control procedures are a necessary part of any effective control system because not all potential control problems can be prevented.

Using internal controls to control CBF


Corrective controls remedy problems discovered by detective controls. They include procedures to identify the cause of a problem, correct the errors arising from it and modify the system so that future errors are minimized or eliminated. One such procedure is to maintain backup copies of key transaction and master files so that damaged or destroyed files can be restored.

Using internal controls to control CBF


Enron happened because of individual and collective greed: the company, its employees, analysts, auditors, bankers, rating agencies and investors did not want to believe that the company looked too good to be true.

    Corporate Culture FACT


Management's attitude toward internal control can be a very important fraud deterrent.

Statements and actions by management become apparent to all members of the organization.

If management considers internal control to be important, other members of the organization will strive harder to adhere to control policies and procedures in order to accomplish the organization's objectives.

Fraud is much less likely to occur in an environment where company employees believe that security is everyone's business.

    Setting up a culture to control CBF


The ethical values of an organization play an important role in both detecting and minimizing the occurrence of fraudulent activities.

Assist senior management in developing and establishing a policy that encourages the reporting of fraudulent activities and protects the whistleblowers who report them.

    Setting up a culture to control CBF


Many companies incorporate their key ethical values into a formal policy document, typically referred to as a code of ethics or code of conduct. Establishing and communicating such a code is an excellent way to ensure that employees and business associates understand the corporate values and the expected behaviours in support of those values.

Communicating this code often includes training programs that further articulate the conduct and behaviours expected of all company employees and, in many cases, of those who do business with the company.

    Setting up a culture to control CBF



Set up an independent committee to draw up the code.

Setting up a culture to control CBF cont


    A code of ethics or code of conduct commonly includesspecific segments that address:

    Behaving with honesty and integrity.

    Complying with laws and regulations.

    Disclosing/reporting conflicts of interest.

    Maintaining confidentiality of information.

    Receiving or giving gifts.

    Reporting instances of company code violations.

    Using company assets and resources.

    What's in a code of ethics


Corporate practices to prevent employee fraud include hiring and retaining honest individuals.

The company should consistently recognize and publicly reward honesty. A high standard of integrity, accompanied by a policy of recognition and rewards, will reduce the temptation to commit fraud.

    Reward honesty to control CBF


Thank you!