Why do auditors often fail to catch fraud?
In the last 10 years, large corporate scandals occurring in the US and around the world have resulted in a significant expansion of regulation and professional standards to combat problems surrounding auditor accountability and financial statement fraud.
Problem: Regardless of the new regulation, auditor negligence cases involving financial statement fraud continue to occur. In some cases this is because auditor independence is compromised. In others, the auditors become active participants in the fraud being perpetrated.
Essential: Auditors’ professional skepticism hinges on their ability to remain independent. And without professional skepticism, the auditor is in no position to identify fraud.
Result: To charge an auditor with negligence, you must identify the substandard quality of evidence collected by the auditor. Factors that contribute to a substandard audit, and to one that often overlooks fraud:
- Excessive dependence on fees, resulting in reduced focus on red flags.
- Insufficient fees to perform an adequate audit.
- Friendly relationships that are developed over time between the auditors and management.
- Lack of independence.
- Conflicts of interest.
- Sophistication/complexity of the fraud…or its concealment.
- An audit partner relying too heavily on junior staff to identify and report suspicious matters.
Cyber-forensics – an increasingly critical business function
With computer-based work processes and communications increasingly providing the means for fraudsters to ply their trade, it has become virtually imperative that organizations adopt rules and resources for conducting what is commonly referred to as “cyber forensics.” This is the use of data to gather evidence that may be used in legal proceedings in a variety of cases, including fraud.
Cyber forensics encompasses a wide variety of techniques, methodologies and procedures. Each organization must establish those that work best for it and incorporate them into a formal investigative policy.
In addition, cyber-forensics experts must be familiar with and comply with a host of state and federal regulations to avoid rendering collected evidence inadmissible.
Recommended steps that organizations can follow to formulate an approach to conducting fraud investigations when digital evidence is critical to proving wrongdoing:
Step 1: Initial contact: The request. In order for there to be a cyber investigation, someone must make a request to initiate an investigation.
Typical: A “document of request” submitted by an authorized individual, such as an official corporate request, subpoena, court order, contract or letter of engagement.
Aim: To spell out the justification for the investigation, along with the rules, laws, company policies and procedures that must be complied with when conducting the investigation.
Helpful: When making the request, avoid limiting the proposed search criteria, or scope, of the investigation to such things as keywords, dates or date ranges and file types. It’s best to keep the request as general and generic as possible to maintain as much latitude as possible in going after the evidence you need.
Step 2: Evidence handling.
Objective: To preserve the integrity of the evidence collected and to be able to prove its integrity in a court of law.
Widely accepted cyber-forensics rule: It is prudent to be overly cautious: document every step, photograph every piece, take many notes, etc. This cannot be emphasized enough, as it is all too easy for a tiny misstep to render critical cyber-evidence inadmissible in a legal proceeding. (White Collar Crime Fighter V.14 No.7)
Also important: Maintain a detailed evidence handling log that documents who had the evidence, when, to whom it was turned over and when, and the reason(s) for turning it over.
Step 3: Acquisition of evidence. The critical objective of collecting evidence in a cyber-fraud case is to secure a forensically sound image of the original evidence and preserve the integrity of the original.
Example: In the case of acquiring digital evidence from a computer network, the forensic investigator must first ensure proper chain of custody by acquiring an accurate IP address to which to connect the network. The next step is to use specially designed network acquisition software to collect the pertinent data.
Step 4: Data preparation. The objective of data preparation is to make data suitable for analysis and investigation. The process can be broken down into two main functions: pre-processing and searching.
Pre-processing involves the steps required to prepare the evidence before it is searched by investigators. This may involve mounting the file system contained in a piece of evidence. This makes the evidence structure viewable, which in turn makes it easy to find specific files.
Pre-processing can also require recovery of deleted files. With the proper forensic tools, an investigator can recover files that someone thought they were getting rid of.
Searching typically involves refining the original evidence into a smaller subset of data which can then be investigated.
Step 5: Investigation. In its simplest form the investigation in a cyber-crime case boils down to finding the incriminating data matching the criteria in the original investigation request. It is the process of hunting down the proverbial “smoking gun.”
The investigation begins when the investigator comes up with a list of keywords to use in searching the relevant data. The keywords, if properly conceived, will flag specific files in the data set that could be incriminating. In most data-centric fraud investigations, a certain number of “false positives” will emerge: data that appears incriminating at first but upon further review proves not to be. A critical part of the investigator’s job is to identify, review and eliminate these items so that the remaining evidence represents the material needed for management to decide whether to proceed with legal action against the suspect. (White Collar Crime Fighter V.14 No.7)
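The integrity goal of Steps 2 and 3 and the evidence handling log, sketched as an added example that is not part of the original article. It assumes integrity is demonstrated with SHA-256 hashes, which the article does not specify; the class, field names and sample values are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first log entry

def sha256_hex(data: bytes) -> str:
    # Real images are hashed in chunks from disk; bytes keep the example offline.
    return hashlib.sha256(data).hexdigest()

def entry_digest(body: dict) -> str:
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class CustodyLog:
    """Evidence handling log (hypothetical): each entry commits to the one before it."""

    def __init__(self, evidence_id: str, image_sha256: str):
        self.evidence_id = evidence_id
        self.image_sha256 = image_sha256  # recorded at acquisition
        self.entries = []

    def transfer(self, when, released_by, received_by, reason):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"evidence_id": self.evidence_id, "when": when,
                "released_by": released_by, "received_by": received_by,
                "reason": reason, "prev_hash": prev}
        self.entries.append({**body, "entry_hash": entry_digest(body)})

    def verify(self, image: bytes) -> list:
        """Return a list of problems; an empty list means everything checks out."""
        problems = []
        if sha256_hex(image) != self.image_sha256:
            problems.append("image hash mismatch")
        prev, holder = GENESIS, None
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or entry_digest(body) != e["entry_hash"]:
                problems.append(f"log entry {i} altered or out of order")
            if holder is not None and e["released_by"] != holder:
                problems.append(f"custody gap before entry {i}")
            prev, holder = e["entry_hash"], e["received_by"]
        return problems

def demo():
    image = b"constructed sample disk image"  # constructed sample input
    log = CustodyLog("EV-001", sha256_hex(image))
    log.transfer("2024-01-05T09:00Z", "A. Collector", "B. Examiner", "imaging")
    log.transfer("2024-01-06T14:30Z", "B. Examiner", "Evidence locker", "storage")
    clean = log.verify(image)
    log.entries[0]["received_by"] = "C. Unknown"  # after-the-fact edit to the log
    return clean, log.verify(image + b"\x00")     # and a changed image
```

An empty result from `verify` means the working image still matches the hash taken at acquisition and every handoff in the log is intact and continuous.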