Corporate Fraud Anatomy and Case Study for Audit Trail
March 2014
Author: Saswot Raj Sharma
Institute of Chartered Accountant of India, New Delhi, India/ Tribhuwan University
Chartered Accountant (Final Level Student)/ Masters in Econometrics (Student)
Registration Number: FRO0001641
Current Address: Lazimpat, Kathmandu, Nepal
Mobile Number: +9779813 99 85 84
Email: saswot9999@gmail.com
1|Page
Table of Contents
Abstract ................................................................................................................................................... 4
Introduction ............................................................................................................................................ 4
Types of Fraud..................................................................................................................................... 6
Accounts may be falsified to conceal.................................................................................................. 6
Motives for Fraudulent Financial ........................................................................................................ 6
Ways of committing frauds ................................................................................................................. 7
Ways for detecting corporate Fraud ....................................................................................................... 7
♣
Vertical Analysis .......................................................................................................................... 7
♣
Horizontal Analysis ...................................................................................................................... 8
♣
Cross Section analysis ............................................................................................................... 10
♣
Ratio Analysis ............................................................................................................................ 10
♣
Substantive procedure/Analytical procedure ........................................................................... 11
♣
Trend analysis ........................................................................................................................... 16
♣
Mathematical model ................................................................................................................. 16
Digital analysis:.............................................................................................................................. 16
Beneish Model: ............................................................................................................................. 18
♣
Efficiency, production (input output and ratio analysis of cost sheet) ..................................... 22
♣
Propriety audit .......................................................................................................................... 22
♣
Materiality of items involved .................................................................................................... 22
♣
Capacity of management .......................................................................................................... 22
♣
Internal auditor, internal control, whistle blower interview and previous audit report .......... 22
♣
Interrogation (Neuro Linguistic Model) .................................................................................... 27
♣
Data Mining (CAAT)................................................................................................................... 29
Data mining application classes can be classified as .................................................................... 32
Classification of Data Mining Techniques for Financial Accounting Fraud Detection .................. 33
Forensic Audit on the CAAT .......................................................................................................... 34
♣
Stock market transaction .......................................................................................................... 36
♣
Tax filing (report, sales to sales tax, income to income tax etc) ............................................... 36
Other Qualitative Means for analyzing the fraud on Financial Statements are ................................... 37
Tests of reasonableness: ................................................................................................................... 37
Historical Comparisons ..................................................................................................................... 37
Off-Balance Sheet Transactions ........................................................................................................ 37
2|Page
Key Qualitative indicators ................................................................................................................. 38
INVESTIGATION OF VENDORS ........................................................................................................... 38
INVESTIGATIONS OF IMPROPER RELATED-PARTY ACTIVITY ............................................................. 39
INVESTIGATIONS OF EMPLOYEE MISAPPROPRIATIONS ................................................................... 39
Evidence collection for forensic auditing .............................................................................................. 39
Working papers ................................................................................................................................. 39
Annex 1 ................................................................................................................................................. 40
SAMPLE TABLE OF CONTENTS (FORENSIC AUDIT REPORT) .............................................................. 40
Annex II ................................................................................................................................................. 41
Works Cited ........................................................................................................................................... 41
Bibliography .......................................................................................................................................... 42
Table 1: Effective cash tax rate and quality of earnings ratio ................................................................ 11
Table 2: Examples of assertions and their respective audit procedures .................................................... 13
Table 3: Benford’s law............................................................................................................................... 17
Table 4: Benford’s law............................................................................................................................... 17
Table 5: Benford’s law............................................................................................................................... 18
Table 6: Beneish M-Score model .............................................................................................................. 19
Table 7: Beinsh Model Analysis for Enron, WorldCom, Global Crossing, Qwest .................................. 21
Table 8: investing ratios............................................................................................................................ 21
Table 9: Comparison of systems that can be turned off through the shut-down method or pullthe-plug method .......................................................................................................................................... 1
Figure 1: Trend analysis ........................................................................................................................ 16
Figure 2: Eye accessing clues ................................................................................................................ 28
Figure 3: Eye accessing clues ................................................................................................................ 29
Figure 4: Conceptual Framework for Application of Data Mining to Financial Accounting Fraud
Detection .............................................................................................................................................. 30
3|Page
Abstract
Fraud’ refers to an intentional act by one or more individuals among management, those charged
with governance, employees, or third parties, involving the use of deception to obtain an unjust or
illegal advantage. There are many literature's that cite the methods that can be used to identify the
fraud. There are usually two type of corporate fraud, assets theft fraud and financial statement
fraud, assets theft are done by dishonest employees e.g., Cardinal Whole Sale Case, whereas
Financial Statements frauds are committed by corporate executives whose compensation is closely
tied up with performance (Georgia Society of CPAs, September/October 2008). Forensic auditing
goes deeper to the fact that statutory auditors are unable to perform due to the limitation placed by
the court. There are fundamentally 18 methods that are listed so far for analysis of statements of
financial and performance and qualitative analysis of the corporate world. They if efficiently used
can help the auditors, investors and all the stakeholders can make them aware and alert to
cosmetics and fabrication to the performance of public companies. One reason for the increased
demand for forensic accountants is the post-Enron era. New accounting rules, SAS 99, and the
Sarbanes-Oxley corporate reform law are a direct result of the Enron scandal and many others.
Because of these new laws and regulations, nervous executives have been hiring hundreds of
forensic accountants, investigators, and attorneys from law enforcement and government agencies,
including the FBI, the SEC, and the IRS (Iwata, 2003).
Introduction
‘Fraud’ refers to an intentional act by one or more individuals among management, those
charged with governance, employees, or third parties, involving the use of deception to obtain
an unjust or illegal advantage. There are usually two type of corporate fraud, assets theft fraud
and financial statement fraud, assets theft are done by dishonest employees e.g., Cardinal Whole
Sale Case, whereas Financial Statements frauds are committed by corporate executives whose
compensation is closely tied up with performance. WorldCom fraud perfectly exemplifies
financial statement fraud. Under the direction of Bernie Ebbers (CEO) and Scott Sullivan (CFO),
WorldCom’s accountants improperly recorded billion of dollars in expenditures as assets
instead of expenses. Such improper accounting made WorldCom’s financial position look much
better than it really was and influenced investors and creditors to make economic decisions that
ultimately resulted in billions of dollars in losses. (Georgia Society of CPAs, September/October
2008). There are standards of accountingi (IFRS/US GAAP/IAS) which precisely have said the
means on which accounting statements should be prepared and how the valuation of most of
the items are to be made, but loopholes that the law has minimized cannot be nullified so there
exist change to commit deception and departure from standards.
Before proceeding towards the fraud detection we need to understand that what the fraud
actually is, the Association of Certified Fraud Examiners defines fraud as "deception or
misrepresentation that an individual or entity makes knowing that the misrepresentation could
result in some unauthorized benefit to the individual or to the entity or some other party."
Whereas in law it has been defined as an intentional concealment of facts, more broadly if an
error occurs and someone intentionally make arrangements to hide such error due to whatever
4|Page
the reason will also be regarded as fraud. Corporate commits fraud to disguise the actual
performance of entity, or they misrepresent information/ unsuitable disclosure so as to conceal
the performance, and to manipulate the stock prices on market (Shapiro v. UJB Financial Corp,
1992) (BASIC INC. ET AL.v. LEVINSON ET AL., 1988). Fraud is the most vulnerable areas where
auditors come across on cases and they try to minimize the effect by planning the audit program
that best suits to understand the environment where they operate and what basis is the thing
that it can conclude about. On (London & General Bank, Justice Lopes, 1895) added;
"An auditor is not bound to be a detective or ... approach his work with suspicion or with a
foregone conclusion that there is something wrong.
"He is a watch dog, but not a bloodhound."
In re London and General Bank, 1895-2 Ch 673 Lord Justice Lindley recorded his valuable
opinion in regard to the duties of an auditor in the following words at page 683 :
".....he must be honest, i.e., he must not certify what he does not believe to be true, and he must
take reasonable care and skill before he believes that what he certifies is true. What is
reasonable care in any particular case must depend upon the circumstances of that case. Where
there is nothing to excite suspicion very little inquiry will be reasonably sufficient, and in
practice I believe businessmen select a few cases at haphazard, see that they are right, and
assume that others like them are correct also. Where suspicion is aroused more care is
obviously necessary, but. still, an auditor is not bound to exercise more than reasonable care
and skill, even in a case of suspicion, and he is perfectly justified in acting on the opinion of an
expert where special knowledge is required......"
Again, in the year 1896, the same noble Lord reiterated his opinion in the case of In re Kingston
Cotton Mill Co., 1896-2 Ch 279 at p. 284:
"The duty of an auditor generally was very carefully considered by this Court in In re London
and General Bank and I cannot usefully add anything to what will be found there. It was there
pointed out that an auditor's duty is to examine the books..... But it was also pointed out that an
auditor is not an insurer, and that in the discharge of his duty he is only bound to exercise a
reasonable amount of care and skill, It was further pointed out that what in any particular case
is a reasonable amount of care and skill depends on the circumstances of that case; that if there
is nothing which ought to excite suspicion, less care may properly be considered reasonable
than could be so considered if suspicion was or ought to have been aroused. These are the
general principles which have to be applied to cases of this description protest, however,
against the notion that an auditor is bound to be suspicious as distinguished from reasonably
careful. To substitute the one expression for the other may easily lead to serious error."
5|Page
Types of Fraud
Frauds are classified as per the peoples that are affected by the fraud and they are as follows:
1.
2.
3.
4.
5.
6.
Creditors
Institution/ Business
Financial Institution's and Intermediary
Federal or local government
Financial Markets (Stock Market)
Investors
Frauds can also be categorized by the technique or activity used by the fraudster. These include:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
Advance fee frauds
Bogus invoices
Computer hacking of information or property
Corruption and bribery
Counterfeiting, forgery, or copyright abuse
Credit Card fraud
False Accounting - manipulation of accounts and accounting records
Fraudulent bankruptcy - exploitation of cross-border corporate structures
Insurance fraud
Internet online scams - auctions, credit card purchases, investment scams
Investment fraud
Long Firm fraud
Misappropriation of assets
Money laundering
Mortgage Fraud
Payroll fraud
Principal agents - failure of systems to restrict key individuals
Pyramid schemes
Unsolicited letter frauds.
Accounts may be falsified to conceal
 Absolute theft of company assets and money (Employees).
 Disguise true results of operations, or financial position of the entity with a view to
prevent timely detection of corporate frauds and obtain unjust benefit for some
parties.
Motives for Fraudulent Financial
 Reporting by Management (To deceive the real performance of the company)
 Management is under pressure, from sources outside or inside the entity, to achieve
(perhaps unrealistic target, where consequences of failure are significant.)
 To increase the entity’s stock price or earnings trend, so as to indulge investors into
investing into stocks and thus earning commission from securities exchange for
concealing the performance.
 To keep the results attuned to knowingly unrealistic/non-achievable
forecasts/commitment made to creditors and lenders.
 Tax-motivated reasons to pay less tax and to fraud into nation's economy.
 To raise capital either by further issue of shares at a premium and/or through
borrowings corporate frauds are results of manipulation of accounts and accounting
jugglery designed to deceive others for wrongful gains.
6|Page
Ways of committing frauds
Normally the companies manipulate the financial statements through the following:






Fictitious income
Improper expenses recognition
Incorrect asset/liabilities valuation
Hidden liabilities and secret reserves
Unsuitable disclosures.
Deception such as manipulation, falsification or alteration of accounting records
or supporting documents.
 Misrepresentation in or intentional omission from the financial statements,
significant events, transactions or other information.
 Intentional, mis-application of accounting principles relating to measurement,
recognition,
 Classification, presentation, or disclosure of material transactions as required by
act is not followed
Ways for detecting corporate Fraud
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
Vertical analysis
Horizontal analysis
Cross section analysis
Ratio analysis
Substantive procedure
Trend analysis
Mathematical model, (digital analysis, benish model)
Efficiency production (input output and ratio analysis of cost sheet)
Propriety audit
Materiality of items involved
Capacity of management
Internal auditor, whistle blower interview and previous audit report
Internal control evaluation
Interrogation (Neuro linguistic Models for lie detection)
Computer Aided Audit Techniques (log file and system entry point detection) ( and data
mining)
16. Stock market transaction (on certain date)
17. Tax filing (report, sales to sales tax, income to income tax etc)
18. Qualitative Techniques
♣ Vertical Analysis
This type of analysis used the concept of analyzing significant trend that occurred on the
balance sheet of same firm across times. Using the tool analysis of percentage and rations of
items of this year to previous year of the significant trend of the financial statement of the
organization we can analyze that if there is material modification on the trend that should be
occurred rather than trend being breached. for example, all the elements of income statement
7|Page
are expressed as a percentage of sales with common base items (considering the geographic
factors that causes certain items to appear as red flags but is apparent due to nature of location)
(THOMAS W. GOLDEN, 2006). Vertical analysis is also useful for timeline analysis, where you
can see relative changes in accounts over time, such as on a comparative basis over a five-year
period. For example, if operating expenses have a history of being 50% of sales in each of the
past four years, then a new percentage of 65% would be a cause for alarm.
Vertical Analysis of the Income Statement
Sales
Cost of goods sold
Gross margin
$ Totals
$1,000,000
400,000
600,000
Percent
100%
40%
60%
Salaries and wages
Office rent
Supplies
Utilities
Other expenses
Total expenses
Net profit
250,000
50,000
10,000
20,000
90,000
420,000
180,000
25%
5%
1%
2%
9%
42%
18%
Vertical Analysis of the Balance Sheet
Cash
Accounts receivable
Inventory
Total current assets
$ Totals
$100,000
350,000
150,000
600,000
Percent
10%
35%
15%
60%
Fixed assets
Total assets
400,000
$1,000,000
40%
100%
Accounts payable
Accrued liabilities
Total current liabilities
$180,000
70,000
250,000
18%
7%
25%
Notes payable
Total liabilities
Capital stock
Retained earnings
Total equity
Total liabilities and equity
300,000
550,000
200,000
250,000
450,000
$1,000,000
30%
55%
20%
25%
45%
100%
Hence if there is significant deviation of the benchmark that is estimated for a particular
organization over 5 year period of time owing to the fact of inflationary and other factors that
causes significant rise in the general price level.
♣ Horizontal Analysis
8|Page
This analysis is used to understand the percentage change of financial statements items over a
period of time, considering to the fact that same items change with same trend line and figures
and can be used to find out the actual findings of red flag. Here we analyze usually five years
average considering the general price level changes or two year change of financial statements
and variance that has produced over time. This type of analysis helps to find the significant
deviation to the trend of accounts of financial statements, and justification regarding significant
deviation ought to be asked from management.
Horizontal Analysis of the Income Statement
Sales/ Direct income
Cost of goods sold
Gross margin
20X1
$1,000,000
400,000
600,000
20X2
$1,500,000
600,000
900,000
Variance
$500,000
(200,000)
300,000
Salaries and wages
Office rent
Supplies
Utilities
Other expenses
Total expenses
Net profit
250,000
50,000
10,000
20,000
90,000
420,000
$180,000
375,000
80,000
20,000
30,000
110,000
615,000
$285,000
(125,000)
(30,000)
(10,000)
(10,000)
(20,000)
(195,000)
$105,000
Horizontal Analysis of the Balance Sheet
Cash
Accounts receivable
Inventory
Total current assets
20X1
$100,000
350,000
150,000
600,000
20X2 Variance
80,000
$(20,000)
525,000
175,000
275,000
125,000
880,000
280,000
Fixed assets
Total assets
400,000
$1,000,000
800,000
$1,680,000
400,000
$680,000
Accounts payable
Accrued liabilities
Total current liabilities
$180,000
70,000
250,000
$300,000
120,000
420,000
$120,000
50,000
170,000
Notes payable
Total liabilities
300,000
550,000
525,000
945,000
225,000
395,000
Capital stock
Retained earnings
Total equity
200,000
250,000
450,000
200,000
535,000
735,000
0
285,000
285,000
Total liabilities and equity
$1,000,000
$1,680,000
$680,000
Horizontal analysis can be mis-used to report skewed findings. This can happen when the
analyst modifies the number of comparison periods used to make the results appear unusually
good or bad. For example, the current period's profits may appear excellent when only
9|Page
compared with those of the previous month, but are actually quite poor when compared to the
results for the same month in the preceding year. Consistent use of comparison periods can
mitigate this problem.
♣ Cross Section analysis
This type of analysis uses the concept of economic theory that all the firms of same size, capacity
and recourse have the same level of input and output of products and resources. Hence we can
use the industrial average of particular type of organization or same type of organization and
see if the variables or items appearing on the balance sheet do not depict the pattern. Thus this
form indicated clarification regarding if, the general trend and general price level changes
across same industrial units have same degree of correlation.
♣ Ratio Analysis
This type of analysis can be used for finding the earning management done by the management
key ratios that are suggested by financial analyst are quality of earnings ratio( net income to
cash flow) (Brain-low and Updyke 2002; Anders 2002; Wills 2002), they cited that telltale sign
of trouble was negative OCF( operation cash flow) while the company's EBITDA ( earnings
before interest tax depreciation and amortization) was positive. Effective cash tax rate
Additional Red Flag: Quality of Earnings
Quaity of Earnings
=
Operating Cash Flow
-------------------Net Income
Enron
WorldCom
Global Crossing
Year:
2000
1999
2001
2000
2001
Benchmark:
4.88
1.38
5.78
1.88
-0.55
Red Flag?
No
Yes
No
Yes
Yes
Quest
2000
.6.60
Yes
Yes
2001
2000
-1.01
-45.44
Yes
Additional Red Flag: Effective Cash Tax Rate
GAAP:
Accrual Basis
Effective Tax Rate
=
Total Income Tax Expenses
------------------------------Net Income Before Taxes
versus
Cash Basis
Effective Tax Rate
=
Total Income Tax Paid
------------------------------Net Income Before Taxes
Enron
10 | P a g e
WorldCom
Global Crossing
Qwest
Year
2000
1999
2001
2000
GAAP Effective Tax Rate
30.7
10.4
38.7
40
4.4
5.1
9
9.8
6.97
2.03
4.3
4.08
2001
2000
2001
Losses: Not Meaningful
versus
Cash Effective Tax Rate
Benchmark: >2
Red Flag?
Yes
Yes
Yes
Yes
Table 1: Effective cash tax rate and quality of earnings ratio
Most relevant ratio analysis is:
1.
2.
3.
4.
5.
6.
Gross margin and sales growth
Price to book and price earning
Profit margin, top-line growth & bottom line growth
Return on assets and return on equity
Current ratio
Quality of earning and effective cash tax rate
Other type of ratios are that are generally used for analysisii
♣ Substantive procedure/Analytical procedure
The Meaning of Substantive Procedures: Substantive procedures involve verification of
transactions and account balances to supporting records such as invoices and ledgers. The
purpose of substantive procedures is to identify material misstatements in the financial
statements.
Substantive procedures consist of two activities as follows:
 Analytical Substantive Procedures (simply known as analytical procedures or
analytical review)
 Test of Details, which is sub-divided into:
 Test of transactions [i.e. test of income statement figures] AND
 Test of account balances [i.e. test of statement of financial position figures].
Analytical Procedures (ISA 520): Analytical procedures have been defined as the relationship
between financial data and non-financial data of the same period (month by month) or different
periods (year by year) to highlight significant differences. Analytical procedures also include
assessment of relevant accounting ratios and trends and investigation into unexpected
variances.
11 | P a g e
2000
Application of Analytical Procedure: Analytical procedures are applied by the auditor,
throughout the stages of audit as follows:
1. At the planning stage: This is a requirement by ISA 520 and helps auditors to
identify areas of significant fluctuations. Auditors then focus their test of controls
and substantive procedures on transactions and balances that indicate significant
variances. Auditors at this stage compare current year with previous year’s financial
statements to identify significant variances.
2. Substantive test stage: During the course of the audit, analytical procedures such
as year by year comparison and proof in total can be used to confirm assertions
completeness and accuracy respectively.
3. Final stage: The ISA 520 requires auditors to apply analytical procedures during
audit completion activities. The method used is to compare current year’s audited
figures with previous year. Additional substantive audit procedures must be
performed to address any material unexpected variances.
Substantive Procedures & Test of controls: Substantive procedures are performed after test
of controls. The level of substantive procedures is influenced by the result of test of controls. If
test of controls indicates that internal controls are weak, then more substantive procedures will
be performed to confirm any material misstatements, and vice versa.
Substantive Procedures & Sources of Audit Evidence: There are seven sources of audit
evidence (ISA 500) including observation, inquiry and recalculation. These sources of audit
evidence indicate how auditors derive information and also represent audit procedures. An
auditor may observe a company's revenue system (test of control) to confirm effectiveness of
controls. However, it is inappropriate to observe revenue income ($), as a form of substantive
test. For revenue income auditors preferred procedures include recalculation of sales invoice
total and sales journals. Thus audit procedures must be relevant to auditor’s objective.
Substantive Procedures & Financial Statement Assertions: Auditors’ substantive
procedures are designed in a manner to confirm financial statements assertions (aka
assertions). Assertions are the representations or claims made by financial statements. For
instance, a set of income statements maintain to presuppose specific characteristics (assertions)
of financial information reported such as completeness, accuracy, occurrence and cut-off. It is
worthy to note that as financial statements are prepared by directors, assertions are also
directors’ representations. Consider this question: Briefly explain directors representations
embodied in the receivables balance of $45,000.
Substantive procedures are therefore designed to confirm specific assertions claimed by
financial statements. An effective approach to substantive procedures is to consider relevant
assertions and to identify audit procedures needed to confirm such assertions.
12 | P a g e
The table below illustrates examples of assertions and their respective audit procedures. There
are more than one audit procedures to confirm an assertion. The suggested tabulated audit
procedures for each transaction or account balance reflect various ways of confirming an
assertion.
Income
Statement
Assertions
Completeness: All
transactions
are
recorded
Accuracy:Transactions
amounts recorded correctly
Occurrence:
Transactions
actually took place
Cut-off:
Transactions
recorded
in
correct
accounting period
Revenue
Select a sample of
sales invoices in
sequence and trace
to sales journal.
Select a sample of sales invoices
and trace price quoted to
official price list.
Select a sample of
sales invoices and
agree with goods
dispatch notes.
Select a sample of sales
invoices just before and
after year end to confirm
that it have been included
and excluded respectively.
Purchases
Compare
current
year purchases with
previous to assess
reasonableness of
variance.
Obtain purchase journals and
cast total totals to confirm it
correctness.
Select sample of
purchase orders
and agree with
purchase invoices
and good received
notes.
Select
a
sample
of
purchase invoices just
before and after year end
to confirm that it have
been
included
and
excluded respectively.
Payroll
Agree list of payroll
total with general
ledger
and
statement
of
financial position.
Select a sample of employees
and recalculate net pay using
appropriate tax rates.
Select a sample of
employees’ time
sheets
and
compare
with
payroll list and
bank payments.
Select
a
sample
of
employees’ time sheets
and net pays before and
after year end and trace to
correct accounting year.
Statement
of
Financial Position
(SFP) Assertions
Completeness: All
balances (assets &
liabilities) recorded
Existence: Balances
(assets & liabilities)
are real
Valuation: Assets &
liabilities
amount
are correct
Right
&
Obligation: Entity
has
control over assets or
responsibility
to
pay
liabilities
Non-current assets
(NCAs)
Obtain list of NCAs
and
agree
with
general ledger and
SFP.
Visit locations of
NCAs and inspect
conditions of NCAs.
Recalculate
depreciation charges
and
agree
with
account.
Review
appropriate
ownership documents to
confirm document details
relate to entity.
Receivables
Agree
list
of
receivables
total
with
receivable
control accounts.
Send confirmation
letters to sample
receivables.
Review receivables
list to ensure bad
debts are excluded.
Review addressees of
sample sale invoices and
GDNs with receivables
ledger.
Inventories
Obtain and cast
inventory list total
and agree with SFP.
Attend
inventory
count and inspect
sample inventories.
Review
inventory
list
and
assess
allowance for slow
moving items.
Review
sample
of
purchase invoices and
GRNs and confirm entity
indeed purchased items.
Table 2: Examples of assertions and their respective audit procedures
13 | P a g e
Audit of Accounting Estimates & Matters Confined To Management
IAS 8 permits preparers of accounts to estimate certain figures such as allowances for doubtful
debts, warranty and lawsuit. Obviously, there are no verifiable documents such as invoices to
support such estimates. Auditor’s approach is to assess reasonableness of estimates included in
the financial statements. Methods used by auditors in assessing estimates and matters confined
to management (e.g. subsequent events) include the following:
1.
2.
3.
4.
5.
Make inquiries from directors with respect to specific estimate or allowance.
Review board minutes to obtain evidence relating to specific allowance.
Obtain representation from directors to confirm reasonableness of allowance.
Inquire from directors assumptions used in deriving allowance.
Compare estimate with previous year to assess completeness (this procedure will be
irrelevant if it is a first time estimate).
6. Review after date position (i.e. post year end transactions) of estimate to confirm
appropriateness of allowance: For instance if at date of audit cash payments for
customers’ warranty, account for 90% of total allowance for warranty, then
allowance for warranty may be considered inadequate by the auditor.
Substantive Procedures Common Pitfalls:
Audit Procedures & Accounting Standards & Entries: Substantive audit procedures reflect
requirements of accounting standards and basic book-keeping entries. There are situations
where exams questions are unanswered not because of time pressure, but such questions may
be considered difficult. For instance audit procedures for bank balance should reflect
accounting entries related to cash book, bank reconciliation statement and even one’s
experience of personal banking.
Types of Ledger Accounts: Invariably, audit procedures make reference to ledger accounts.
There are three types of ledger accounts as follows:
1. Sales ledger: This consists of receivables balances (customers).
2.
Purchases ledger: This consists of payables balances (suppliers).
3. General ledger: This consists of all other accounts balances other than sales and
purchases ledgers. General ledgers comprise of sales revenue, purchases, assets &
liabilities, other income and expenses.
Sales revenue is therefore not a sales ledger account. Receivables and payables are not general
ledger category. The misuse of types of ledgers invalidates audit answers. For example it is
impracticable to agree sales revenue with sales ledger (receivables), as sales revenue consists of
cash and credit sales. Even where sales revenue is wholly on credit, sales revenue cannot be
agreed to sales ledger (receivables) as customers might have made some payments throughout
14 | P a g e
the year. However, sales revenue can be compared with sales ledger (i.e. analytical procedure)
to assess the reasonableness of receivables.
Help in Case Studies: Audit questions are often based on a case study. This requires answers to
reflect the specifics of case study. For example if sales tax (VAT) is not included in a case study,
answers should not refer to procedures on sales tax. In effect audit procedures should revolve
around a company’s accounting system. Candidates should be prepared to apply principles
learnt to annotate case study facts.
Appropriate Audit Procedures: The use of the term ‘check’ is often so vague that it attracts
little or no credits. The term ‘check’ is often used without stating exactly what is being checked.
A poor example of the use of ‘check’ may be for example: ‘Check sales ledger transactions’ (for
what?). A proper use of ‘check 'could be: ‘Check sales ledger transaction (and) to identify any
unusual postings’.
It is advisable to be mindful of the use of the conjunction ‘and’ in audit procedures where
necessary. Examiners’ reports often comment on weak answers such as ‘Obtain list of
receivables’ (for what?). This is incomplete answer. Rather the audit procedure should be
worded like ‘Obtain list of receivables and cast totals or agree total with sales ledger’.
Audit procedures should reflect a reason (the why or how) it being performed. Consider this
familiar but erroneous audit procedure: ‘Obtain management representation letter’. Rather this
audit procedure could be: ‘Obtain management representation letter to confirm entity is a going
concern or provision is reasonable’.
Audit procedures should also reflect appropriate direction of testing. For example when testing
for occurrence of sales transactions it is inappropriate to begin with ‘Trace sample goods
dispatch notes with respective sales invoices’. By starting with goods dispatch notes (GDNs), the
possibility of identifying misstatements is completely diminished. GDNs is a self-evidence of
occurrence of sales transactions. An appropriate test for occurrence of sales transaction is
to ‘Trace samples sales invoices to respective GDNs’.
Often test of controls are produced as substantive procedures and vice versa. An exams case
study may include both internal and accounting systems. Substantive procedures should be
restricted to accounting system. For example ‘‘review of approval of customers’ credit limits’’ will
normally be performed as test of control. However, substantive procedure on credit limit will be
to ‘Compare sample receivable balances with credit limits to confirm whether receivables are
within authorized limits’, as this will assess adequacy of allowance for receivables.
(Odei-Kissi, 2013)
15 | P a g e
♣ Trend analysis
This type of analysis uses the concept that all the business works on the trend line having
seasonal, cyclic, or static trend line that depict how data's are flowing and help to create the
analysis that data's ought to move that way viewing the cycles of business, demand, supply,
business lines competition etc. Typical trend lines for analysis of financial statements are for:
revenues, gross margin, net profit margin, account receivable and debt.
Figure 1: Trend analysis
♣ Mathematical modeliii
Digital analysis:12
The digital analysis also called the “Benford’s law” is basically the analysis of the frequency of
digits in every transaction. The law has been evolved over the years and concluding the ideal
probability in percentage of occurrence of each digit in every transaction.
As we know that amount of every transaction stars from one digit from 1,2,3,4,5,6,7,8,or 9. Now
we need to conduct 1st digit, 2nd digit, 3rd digit and 4th digit analysis of the given data. During
1
2
http://www.jsrsys.com/fema/new15sys.htm
http://www.csub.edu/~bbae/publication/digital%20analysis%20in%20audit.todays%20cpa%202002.pdf
16 | P a g e
this analysis we establish the frequency of each digit and then compare it with the established
probable result by the Benford’s law. Where the calculated frequency exceeds the established
probability it should be red flagged as potential fraud and needs to be further verified in detail.
e.g. in a given data of 7000 transactions we conduct a single digit or 1st digit analysis and the
following are the results:
Table 3: Benford’s law
Now compare the calculated results as per column C with the established probabilities under
the Benford’s law and identify the group of transactions having potential fraud risk. Similarly
the frequency of 2nd, 3rd and 4th digit can be calculated and compared with the ideal
probability for identification of the potential fraud in the group of transactions.
The following table B gives the standard probability of the 1st, 2nd, 3rd and 4th digit for the
compassion with the actual calculated results.
Table 4: Benford’s law
17 | P a g e
Now compare the values calculated in column C of the table A with the 1st digit probability as
mentioned in
Table 5: Benford’s law
Now see the positive variation where the actual frequency of 1st digit exceeds the standard
probable frequency of the same. This variation denotes that the transactions starting with these
digits (i.e. 3,4,5,8 & 9) are potentially risky area and needs further verification and application of
substantive procedures.
The auditor intends to use the digital analysis must keep in mind that the digital analysis is
applicable only on the relatively large data. The relatively large data means the set of
transactions should be at least more than 300 transactions. The digital analysis may not be
useful for the small data and result calculated under digital analysis will not serve the purpose.
Furthermore, once understood the application and using the digital analysis at first digit level
same technique can be used to analyze the 2nd, 3rd and 4th digit analysis. Normally the desired
results can be obtained only by applying the 1st digit analysis and we may not need to apply the
2nd, 3rd and 4th digit analysis.
Beneish Model:3
The Beneish M-Score model (the Model), developed in 1999 by Messod D. Beneish, Ph.D.,
professor of accounting in the Kelley School of Business at Indiana University—Bloomington,
consists of eight indices capturing financial statement anomalies that can result from earnings
manipulation or other types of fraudulent activity. Actual data in the financial statements builds
3
http://www.google.com.np/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CE4QFjAE&url=http%3A%2
F%2Faaahq.org%2Faudit%2Fmidyear%2F04midyear%2Fpapers%2FDangers%2520of%2520Applying%2520Benf
ord's%2520Law%2520-%2520Paper%2520%2520December%25202003.doc&ei=MG4dU9mjGsayiAfxnoC4BA&usg=AFQjCNGtv8eznX9auz5FQlMsaKJ0OLD
ZYg&bvm=bv.62578216,d.aGc
18 | P a g e
the calculations of the indices that create the overall M-Score describing the degree of possible
earnings manipulation or possible other fraudulent activity, such as concealing embezzlement
activity. In his study, Beneish found that he could correctly identify 76% of the earnings
manipulators and incorrectly identify 17.5% as non-manipulators.1 In other words, Beneish
found that 17.5% of the companies whose financial statements he thought were free from
earnings manipulation re-filed financial statements later due to earnings manipulation. From
the financial forensic examiner's perspective, the percentage of correct identification provides
reassurance that the calculations deliver reliable information concerning the examination of the
financial information, thus allowing the investigative work to be more effective and efficient.
The M-Score has been set at -2.22, the auditors are required to calculate the M-Score of the
company under audit and compare it with the standard given in the Beneish Model. If the
outcome of the actual analysis is less than -2.22 it means that the financials given by the
company are accurate and there is zero probability of manipulation of the books of accounts
used to prepare the financial statements. Whereas the greater M-Score means that the financial
statements have been manipulated.
In order to calculate the M-Score following ratios are calculated from the financial statements
under audit:
Table 6: Beneish M-Score model
The factor/ ratios calculated as per above table then used in the following formula with the
given constant values to calculate the M-Score:
M = -4.84 + 0.92*DSRI + 0.528*GMI + 0.404*AQI + 0.892*SGI + 0.115*DEPI – 0.172*SGAI +
4.679*TATA – 0.327*LVGI
19 | P a g e
The above calculation of M-Score is referred as 8- variable M- score because it contains 8
factors for the analysis of the financial statement to identify the potential manipulation of the
financial statements. There is another version called 5-variable M-Score can also be used to
analyze the financial statements for the same purpose. In order to calculate the 5-variable MScore the following formula is used:
M = -6.065 + 0.823*DSRI + 0.906*GMI + 0.593*AQI + 0.717*SGI + 0.107*DEPI
Once you have calculated all ratios calculate the M-Score and compare it with the standard i.e. 2.22 and conclude that financial statements are manipulated or not.
20 | P a g e
Table 7: Beinsh Model Analysis for Enron, WorldCom, Global Crossing, Qwest
Table 8: investing ratios
(Hugh & Tom, 2004)
21 | P a g e
♣ Efficiency, production (input output and ratio analysis of cost
sheet)
This analysis can be used to find the actual calculation made by the auditors regarding certain
items like interest, tax, depreciation, reserves amortization and seeing the actual results and
thus identifying the red flags areas.
♣ Propriety audit
Propriety audit is conducted by Supreme Audit Institutions (SAI) to report on whether
Government accounts, i.e., all expenditure sanctioned and incurred are need-based and all
revenues due to Government have been realized in time and credited to the government
account. In conducting the propriety audit, “Value for Money audit” technique aims at lending
assurance that economy, efficiency and efficacy have been achieved in the transactions for
which expenditure has been incurred or revenue collected is usually applied. The same analogy,
with modifications to the principles of propriety of public finance, applies in forensic audit to
establish fraudulent intentions if any, on the part of the management. Financial frauds are
results of wasteful, unwarranted and
fruitful expenditure or diversion of funds by the
investigated entity to another entity.
♣ Materiality of items involved
All the items that are material either individually or in aggregate should not be relied on
sampling basis. These items must be audited on one to one basis, using substantive procedure
and significances of internal control should not be overruled while performing audit of
materials items.
♣ Capacity of management
Management having high ethical character, moral integrity, professional development is used as
a basis of finding whether they can be motives of performing fraud or not. If noticed that senior
management team composes of person having non qualities and are just promoted as a relation
to favoritism, cronyism, and nepotism then they may show red flag areas that should be
overlooked.
♣ Internal auditor, internal control, whistle blower interview and
previous audit report
 Internal control is a process. It’s a means to an end, not an end in itself.
22 | P a g e
 Internal control is affected by people. It’s not merely policy manuals and forms, but
people at every level of an organization.
 Internal control can be expected to provide only reasonable assurance, not absolute
assurance, to an entity’s management and board.
 Internal control is geared to the achievement of objectives in one or more separate
but overlapping categories.
Internal control consists of five interrelated components. These are derived from the way
management runs a business, and are integrated with the management process. Although the
components apply to all entities, small and mid-size companies may implement them differently
than large ones. Its controls may be less formal and less structured, yet a small company can still
have effective internal control. The components are:
1. Control Environment — The control environment sets the tone of an organization,
influencing the control consciousness of its people. It is the foundation for all other
components of internal control, providing discipline and structure. Control
environment factors include the integrity, ethical values and competence of the
entity’s people; management’s philosophy and operating style; the way management
assigns authority and responsibility, and organizes and develops its people; and the
attention and direction provided by the board of directors.
2. Risk Assessment — Every entity faces a variety of risks from external and internal
sources that must be assessed. A precondition to risk assessment is establishment of
objectives, linked at different levels and internally consistent. Risk assessment is the
identification and analysis of relevant risks to achievement of the objectives, forming
a basis for determining how the risks should be managed. Because economic,
industry, regulatory and operating conditions will continue to change, mechanisms
are needed to identify and deal with the special risks associated with change.
3. Control Activities — Control activities are the policies and procedures that help
ensure management directives are carried out. They help ensure that necessary
actions are taken to address risks to achievement of the entity’s objectives. Control
activities occur throughout the organization, at all levels and in all functions. They
include a range of activities as diverse as approvals, authorizations, verifications,
reconciliations, reviews of operating performance, security of assets and segregation
of duties.
4. Information and Communication — pertinent information must be identified,
captured and communicated in a form and timeframe that enable people to carry out
their responsibilities. Information systems produce reports, containing operational,
financial and compliance-related information, that make it possible to run and
control the business. They deal not only with internally generated data, but also
information about external events, activities and conditions necessary to informed
business decision-making and external reporting. Effective communication also
must occur in a broader sense, flowing down, across and up the organization. All
personnel must receive a clear message from top management that control
23 | P a g e
responsibilities must be taken seriously. They must understand their own role in the
internal control system, as well as how individual activities relate to the work of
others. They must have a means of communicating significant information upstream.
There also needs to be effective communication with external parties, such as
customers, suppliers, regulators and shareholders.
5. Monitoring — Internal control systems need to be monitored–a process that
assesses the quality of the system’s performance over time. This is accomplished
through ongoing monitoring activities, separate evaluations or a combination of the
two. Ongoing monitoring occurs in the course of operations. It includes regular
management and supervisory activities, and other actions personnel take in
performing their duties. The scope and frequency of separate evaluations will
depend primarily on an assessment of risks and the effectiveness of ongoing
monitoring procedures. Internal control deficiencies should be reported upstream,
with serious matters reported to top management and the board.
Integrity and Ethical Values
1. Existence and implementation of codes of conduct and other policies regarding
acceptable business practice, conflicts of interest, or expected standards of ethical
and moral behavior.
2. A dealing with employees, suppliers, customers, investors, creditors, insurers,
competitors, and auditors, etc. (e.g., whether management conducts business on a
high ethical plane, and insists that others do so, or pays little attention to ethical
issues).
3. Pressure to meet unrealistic performance targets — particularly for short-term
results — and extent to which compensation is based on achieving those
performance targets.
Commitment to Competence
 Formal or informal job descriptions or other means of defining tasks that comprise
particular jobs.
 Analyses of the knowledge and skills needed to perform jobs adequately.
 Board of Directors or Audit Committee
 Independence from management, such that necessary, even if difficult and probing,
questions are raised.
 Frequency and timeliness with which meetings are held with chief financial and/or
accounting officers, internal auditors and external auditors.
 Sufficiency and timeliness with which information is provided to board or committee
members, to allow monitoring of management’s objectives and strategies, the entity’s
financial position and operating results, and terms of significant agreements.
 Sufficiency and timeliness with which the board or audit committee is apprised of
sensitive information, investigations and improper acts (e.g., travel expenses of senior
officers, significant litigation, investigations of regulatory agencies, defalcations,
embezzlement or misuse of corporate assets, violations of insider trading rules, political
payments, illegal payments).
24 | P a g e
Management’s Philosophy and Operating Style
 Nature of business risks accepted, e.g., whether management often enters into
particularly high-risk ventures, or is extremely conservative in accepting risks.
 Frequency of interaction between senior management and operating management,
particularly when operating from geographically removed locations.
 Attitudes and actions toward financial reporting, including disputes over application
of accounting treatments (e.g., selection of conservative versus liberal accounting
policies; whether accounting principles have been misapplied, important financial
information not disclosed, or records manipulated or falsified).
Organizational Structure
 Appropriateness of the entity’s organizational structure, and its ability to provide
the necessary information flow to manage its activities.
 Adequacy of definition of key managers’ responsibilities, and their understanding of
these responsibilities.
 Adequacy of knowledge and experience of key managers in light of responsibilities.
Assignment of Authority and Responsibility
 Assignment of responsibility and delegation of authority to deal with organizational
goals and objectives, operating functions and regulatory requirements, including
responsibility for information systems and authorizations for changes.
 Appropriateness of control-related standards and procedures, including employee
job descriptions.
 Appropriate numbers of people, particularly with respect to data processing and
accounting functions, with the requisite skill levels relative to the size of the entity
and nature and complexity of activities and systems.
Human Resource Policies and Practices
 Extent to which policies and procedures for hiring, training, promoting and
compensating employees are in place.
 Appropriateness of remedial action taken in response to departures from approved
policies and procedures.
 Adequacy of employee candidate background checks, particularly with regard to
prior actions or activities considered to be unacceptable by the entity.
 Adequacy of employee retention and promotion criteria and information-gathering
techniques (e.g., performance evaluations) and relation to the code of conduct or
other behavioral guidelines
Risks: Entity Level. Risks at the entity-wide level can arise from external or internal factors.
Examples include:
25 | P a g e
External Factors
1. Technological developments can affect the nature and timing of research and
development, or lead to changes in procurement.
2. Changing customer needs or expectations can affect product development,
production process, customer service, pricing or warranties.
3. Competition can alter marketing or service activities.
4. New legislation and regulation can force changes in operating policies and
strategies.
5. Natural catastrophes can lead to changes in operations or information systems and
highlight the need for contingency planning.
6. Economic changes can have an impact on decisions related to financing, capital
expenditures and expansion.
Internal Factors
1. A disruption in information systems processing can adversely affect the entity’s
operations.
2. The quality of personnel hired and methods of training and motivation can influence
the level of control consciousness within the entity. A change in management
responsibilities can affect the way certain controls are affected.
3. The nature of the entity’s activities, and employee accessibility to assets, can
contribute to misappropriation of resources.
4. An unassertive or ineffective board or audit committee can provide opportunities
for indiscretions
Circumstances Demanding Special Attention
This focus on managing change is founded on the premise that, because of their potential
impact, certain conditions should be the subject of special consideration. The extent to which
such conditions require management’s attention, of course, depends on the effect they may have
in the particular circumstances. Such conditions are:
1. Changed Operating Environment — A changed regulatory or economic environment
can result in increased competitive pressures and significantly different risks.
“Divestiture” in the telecommunications industry, and deregulation of commission
rates in the brokerage industry, for example, thrust entities into a vastly changed
competitive environment.
2. New Personnel — A senior executive new to an entity may not understand the
entity’s culture, or may focus solely on performance to the exclusion of control26 | P a g e
3.
4.
5.
6.
7.
8.
related activities. High turnover of personnel, in the absence of effective training and
supervision, can result in breakdowns.
New or Revamped Information Systems — Normally effective controls can break
down when new systems are developed, particularly when done under unusually
tight time constraints — for example, to gain competitive advantage or make tactical
moves.
Rapid Growth — When operations expand significantly and quickly, existing systems
may be strained to the point where controls break down; where processing shifts or
clerical personnel are added, existing supervisors may be unable to maintain
adequate control.
New Technology — When new technologies are incorporated into production
processes or information systems, a high likelihood exists that internal controls will
need to be modified. Just-in-time inventory manufacturing technologies, for
instance, commonly require changes in cost systems and related controls to ensure
reporting of meaningful information.
New Lines, Products, Activities — When an entity enters new business lines or
engages in transactions with which it is unfamiliar, existing controls may not be
adequate. Savings and loan organizations, for example, ventured into investment
and lending arenas in which they had little or no previous experience, without
focusing on how to control the risks involved.
Corporate Restructurings — Restructurings — resulting, for example, from a
leveraged buyout, or from significant business declines or cost-reduction programs
— may be accompanied by staff reductions and inadequate supervision and
segregation of duties. Or, a job performing a key control function may be eliminated
without a compensating control put in its place. A number of companies learned too
late that they made rapid, large-scale cutbacks in personnel without adequate
consideration of serious control implications.
Foreign Operations — The expansion or acquisition of foreign operations carries
new and often unique risks that management should address. For instance, the
control environment is likely to be driven by the culture and customs of local
management. Also, business risks may result from factors unique to the local
economy and regulatory environment. Or, channels of communication and
information systems may not be well established and available to all individuals.
(Coopers & Lybrand , May 1994)
♣ Interrogation (Neuro Linguistic Model)
Following model can be used while accessing the information regarding whether subject is lying
while providing answers to questionnaire. This is the famous model used by clinical hypnotist and
interrogation agencies working for national defense. This method is universal and is applicable to all
the subjects under considering since it uses the model of brain accessing and eye movements.
Its concept are:
1. Eyes Up and Left: Non-dominant hemisphere visualization - i.e., remembered imagery (Vr).
2. Eyes Up and Right: Dominant hemisphere visualization - i.e., constructed imagery and visual
fantasy (Vc).
27 | P a g e
3. Eyes Lateral Left: Non-dominant hemisphere auditory processing - i.e., remembered sounds,
words, and "tape loops" (Ar) and tonal discrimination.
4. Eyes Lateral Right: Dominant hemisphere auditory processing - i.e., constructed sounds and
words (Ac).
5. Eyes Down and Left: Internal dialogue, or inner self-talk (Ad).
6. Eyes Down and Right: Feelings, both tactile and visceral (K).
7. Eyes Straight Ahead, but Defocused or Dilated: Quick access of almost any sensory
information; but usually visual.
Figure 2: Eye accessing clues
To explore the relationship between eye movements and thinking for yourself, find a partner, ask
the following questions, and observe his or her eye movements. For each question keep track of
your partner's eye movements in one of the boxes (following the questions below) by using marks,
lines or numbers that represent the sequence of positions you observe.
1. Visual Remembered: Think of the color of your car. What kind of pattern is on your
bedspread? Think of the last time you saw someone running. Who were the first five
people you saw this morning?
2. Visual Construction: Imagine an outline of yourself as you might look from six feet above
us and see it turning into a city skyline. Can you imagine the top half of a toy dog on the
bottom half of a green hippopotamus?
3. Auditory Remembered: Can you think of one of your favorite songs? Think of the sound
of clapping. How does your car's engine sound?
4. Auditory Constructed: Imagine the sound of a train's whistle changing into the sound of
pages turning. Can you hear the sound of a saxophone and the sound of your mother's
voice at the same time?
5. Auditory Digital (Internal Self Talk): Take a moment and listen to the sound of your own
inner voice. How do you know it is your voice? In what types of situations do you talk to
yourself the most? Think of the kinds of things that you say to yourself most often.
6. Kinesthetic Remembered: (Tactile) When was the last time you felt really wet? Imagine
the feelings of snow in your hands. What does a pine cone feel like? When was the last
time you touched a hot cooking utensil? (Visceral/Emotional) Can you think of a time
you felt satisfied about something you completed? Think of what it feels like to be
exhausted. When was the last time you felt impatient?
28 | P a g e
7. Kinesthetic Construction: (Tactile) Imagine the feelings of stickiness turning into the
feelings of sand shifting between your fingers. Imagine the feelings of dog's fur turning
into the feelings of soft butter. (Visceral/Emotional) Imagine the feelings of frustration
turning into the feeling of being really motivated to do something. Imagine the feeling of
being bored turning into feeling silly about feeling bored.
Figure 3: Eye accessing clues
(Dilts, Robert)
♣ Data Mining (CAAT)
29 | P a g e
Data-mining analytics are different from the other types of analytic procedures in that they are
queries or searches performed within accounts or other client data to identify anomalous
individual items, while the other types use aggregated financial information. What can be
expected of data mining depends on the purpose of the procedure. For example, scanning a
numerical sequence may bring to light certain gaps that merit investigation, while scanning
payment amounts may yield evidence of duplicate payments. The expectation in searching for
large and unusual items is based on the forensic accounting investigator’s assessment of what
constitutes normal. While some analytics such as a scan of closing or adjusting entries may be
performed manually, others such as filters, duplicates, gaps, and sorts may require computerassisted audit techniques using software packages like Audit Command Language, Access, or
Excel. You may also opt to build your own tool for large data sets. (THOMAS W. GOLDEN, 2006)
Figure 4: Conceptual Framework for Application of Data Mining to Financial Accounting Fraud Detection
Software engineers have developed various software's4 that can be used for data mining and finding
patterns, that were previously unavailable. External intruders5 are too a risk factor that can cause a
serious harm. (Hoke, 2004)
1.
2.
3.
4
Deloitte & Touché has set up a worldwide network of computer forensic labs for their forensic accountants and
technicians (Iwata, 2003).
There are many new technologies that allow the investigators to recover deleted files, crack encryptions or
codes, and extract and sort data (Bigler, 2001).
KPMG Forensic Accounting has developed software that it uses to aid in determining how the fraud was
perpetrated. The software prepares a TRACE (Transactional Representation of Assets and Court Evidence)
diagram. The TRACE diagram provides a computer-generated graphical and concise summary of a series of
transactions, events or structures in an easy-to-read format, to map the flow of funds through the perpetrator’s
private companies/accounts, identify the parties involved, and provide litigation support to the civil and criminal
proceedings (Sing, 1999).
30 | P a g e
The following ten steps describe the key activities in implementing a forensic readiness program that
we can use as trail on court against criminal proceedings:
1.
2.
3.
4.
Define the business scenarios that require digital evidence.
Identify available sources and different types of potential evidence.
Determine the evidence collection requirement.
Establish a capability for securely gathering legally admissible evidence to meet the
requirement.
5. Establish a policy for secure storage and handling of potential evidence.
6. Ensure monitoring is targeted to detect and deter major incidents.
7. Specify circumstances when escalation to a full formal investigation (which may use the
digital evidence) should be launched.
8. Train staff in incident awareness, so that all those involved understand their role in the
digital evidence process and the legal sensitivities of evidence.
9. Document an evidence-based case describing the incident and its impact.
10. Ensure legal review to facilitate action in response to the incident.
(Robert Rowlingson Ph.D, 2004)6
Data-mining might include all of the following:
 Scanning transaction listings
 Identifying gaps in check runs or shipping documents
 Identifying duplicate invoice numbers, payments, or payroll transactions to the same
payee
 Matching return dates and credit memos to test for proper cutoff
 Comparing recent invoice prices with costs on the perpetual inventory records
 Filtering to identify all new suppliers, nonstandard journal entries, accounts under
dispute, and the like
 Stratifying or grouping customer accounts by balance size or employees by overtime
pay
4.
5.
5
6
A software program (called Gargoyle) can detect steganography (i.e., steganography is a process by which data
can be hidden within other files). Using steganography, a fraudster could hide stolen data within an MP3-format
song making it virtually undetectable until Gargoyle. WetStone Technologies released the Gargoyle software in
May 2003. It was developed to work with the government-sponsored National Software Reference Library
(NSRL) database. The NSRL database is a collection of digital file signatures, known as hashes, developed from
thousands of common software programs. These hashes allow investigators to check if any alterations have
occurred. Currently, Gargoyle can identify a large quantity of programs. In addition to stenography programs,
Gargoyle includes 550 Trojan-horse toolkits, 94 wireless-war-driving software tools, 455 file encryption programs,
and hundreds of key-logging and password-cracking applications (Piazza, 2003).
A company based out of Houston (called ChurchStreet Technology) has developed a very useful tool for forensic
accountants and other crime-fighting agencies. ChurchStreet has developed a method for reconstructing shredded
documents electronically, offering a speedier alternative to the laborious task of searching, matching, and pasting
strips manually. The process uses proprietary digitizing techniques to scan the shredded paper and then matches
them with specialized software. The software can even reconstruct documents that have been cross-shred or cut in
two directions into tiny pieces (Satov, 2003).
http://www.pkftexas.com/media/258401/fullmagvol4iss3.pdf
https://www.utica.edu/academic/institutes/ecii/publications/articles/A0B13342-B4E0-1F6A-156F501C49CF5F51.pdf
31 | P a g e
Data mining application classes can be classified as:
Classification: Classification builds up and utilizes a model to predict the categorical labels of
unknown objects to distinguish between objects of different classes. These categorical labels are
predefined, discrete and unordered. The research literature describes that classification or
prediction is the process of identifying a set of common features (patterns), and proposing
models that describe and distinguish data classes or concepts. Common techniques include
neural networks, the Naïve Bayes technique, decision trees and support vector machines. Such
classification tasks are used in the detection of credit card, healthcare and automobile
insurance, and corporate fraud, among other types of fraud, and classification is one of the most
common learning models in the application of data mining in fraud detection.
Clustering: Clustering is used to partition objects into previously unknown conceptually
meaningful groups (i.e. clusters), with the objects in a cluster being similar to one another but
very dissimilar to the objects in other clusters. Clustering is also known as data segmentation or
partitioning and is regarded as a variant of unsupervised classification. Cluster analysis
decomposes or partitions a data set (single or multivariate) into dissimilar groups so that the
data points in one group are similar to each other and are as different as possible from the data
points in other groups. It is suggested that data objects in each cluster should have high intracluster similarity within the same cluster but should have low inter-cluster similarity to those in
other clusters. The most common clustering techniques are the K-nearest neighbor, the Naïve
Bayes technique and self-organizing maps.
Prediction: Prediction estimates numeric and ordered future values based on the patterns of a
data set . It is noted that, for prediction, the attribute, for which the value being predicted is
continuous-valued (ordered) rather than categorical (discrete-valued and unordered). This
attribute is referred as the predicted attribute. Neural networks and logistic model prediction
are the most commonly used prediction techniques.
Outlier Detection: Outlier detection is employed to measure the distance between data objects
to detect those objects that are grossly different from or inconsistent with the remaining data
set. Data that appear to have different characteristics than the rest of the population are called
outliers. The problem of outlier/anomaly detection is one of the most fundamental issues in
data mining. A commonly used technique in outlier detection is the discounting learning
algorithm.
Regression: Regression is a statistical methodology used to reveal the relationship between one
or more independent variables and a dependent variable (that is continuous-valued). Many
empirical studies have used logistic regression as a benchmark. The regression technique is
typically undertaken using such mathematical methods as logistic regression and linear
regression, and it is used in the detection of credit card, crop and automobile insurance, and
corporate fraud.
32 | P a g e
Visualization: Visualization refers to the easily understandable presentation of data and to
methodology that converts complicated data characteristics into clear patterns to allow users to
view the complex patterns or relationships uncovered in the data mining process. The
researchers have exploited the pattern detection capabilities of the human visual system by
building a suite of tools and applications that flexibly encode data using color, position, size and
other visual characteristics. Visualization is best used to deliver complex patterns through the
clear presentation of data or functions .
Classification of Data Mining Techniques for Financial Accounting Fraud Detection
To determine the main algorithms used for financial accounting fraud detection, we present a
Review of data mining techniques identified in literature applied to the detection of financial
fraud. The most frequently used techniques are logistic models, neural networks, the Bayesian
belief network, and decision trees, all of which fall into the classification category. These four
techniques are discussed in more detail in the following paragraphs.
Regression Models: The regression based models are mostly used in financial accounting fraud
detection. The majority of them are based on logistic regression, stepwise-logistic regression,
multi criteria decision making method and exponential generalized beta two (EGB2). Logistic
model is a generalized linear model that is used for binomial regression in which the predictor
variables can be either numerical or categorical . It is principally used to solve problems caused
by insurance and corporate fraud. Some of the research has suggested logistic regression based
model to predict the presence of financial statement fraud. Statistical method of logistic
regression can detect falsified financial statements efficiently . Some researchers have also
developed generalized qualitative response model based on Probit and Logit techniques to
predict financial statement fraud. That model was based on a dataset collected by an
international public accounting company and needs testing for generalization. Cascaded Logit
model has also proposed to investigate the relationship between insider trading and possibility
of fraud. The study in found that, when the fraud is being executed, insiders, i.e. top executives
and managers, reduce their stock holdings through high stock selling activity. The other
methods like statistical regression analysis are also useful to test if the existence of an
independent audit committee mitigates or reduces the likelihood of fraud. Literature also
describes that organizations with audit committees, formed by independent managers, meeting
no more than twice per year, are less likely to be sanctioned for fraudulent financial reporting.
The regression analysis using Logit model can be used for empirical analysis of financial indexes
which can significantly predict financial fraud. Logistic analysis and clustering analysis jointly
can be used to establish a detecting model of fraud from four aspects of financial indexes,
company governance, financial risk and pressure and related trading. After cluster filtering
significant variables, prediction model can be established with methods of Standardization, nonStandardization Bayes and Logistic.
Genetic programming with fuzzy logic production rules is used to classifying data. The study in
has proposed and tested a system to detect frauds on real home insurance claims and credit
card transaction data. The study on genetic programming for fraud detection lacks
benchmarking with the existing methods and techniques. A genetic algorithm based approach to
detect financial statement fraud. It was found that exceptional anomaly scores are valuable
metrics for characterizing corporate financial behavior and that analyzing these scores over
time represents an effective way of detecting potentially fraudulent behavior.
33 | P a g e
Expert Systems: Researchers in the field of Expert systems have examined the role of Expert
Systems in increasing the detecting ability of auditors and statement users. By using expert
system, they could have better detecting abilities to accounting fraud risk under different
context and level and enable auditors give much reliable auditing suggestions through rational
auditing procedure. The research has confirmed that the use of an expert system enhanced the
auditors‟ performance. With assistance from expert system, the auditors discriminated better,
among situations with different levels of management fraud-risk. Expert System aided in
decision making regarding appropriate audit actions. The financial accounting fraud detection
research is classified as per data mining application and data mining techniques. Some
researchers have tried to apply a combination of many data mining techniques like decision
trees, neural networks, Bayesian belief network, K-nearest neighbor. The main objective is to
apply a hybrid decision support system using stacking variant methodology to detect fraudulent
financial statements. (G.Jyotsna, 2013)
Forensic Audit on the CAAT
Forensic investigations consist of three phases: acquiring the evidence, analyzing results, and
reporting results. Below is a description of each. (Purita , Ryan, Sept 2006)
Acquiring the Evidence
The process of securing or acquiring evidence starts with previewing the contents of a
computer's hard drive or other media. To acquire the electronic data, including deleted
information, the storage device must be mirrored or duplicated exactly bit by bit. The actual size
or space of the storage device and transfer speed over a network cable will dictate the length of
time needed to image the drive. Once the storage device is secured, a second device may be
needed as a working copy if the original storage device was not seized or secured. This allows
the examiner access to an unaltered copy of the electronic data.
The second step to collecting the evidence is the preview stage. Here, the auditor performs a
simple check to determine the current status of data files. This can provide useful information
about ownership of the data and its relevance to a particular investigation, as well as help to
focus the subsequent investigation.
The third step when collecting evidence is to protect the data by capturing an exact copy of the
original information. This is done through a process known as imaging. An image is an exact
replica of the computer's hard drive or other media, and should include any slack space (for
more information, see "What is Slack Space?iv" at right). The image is then investigated, rather
than the original, to avoid altering the original data, which would make any evidence gathered
inadmissible in court. Imaging is a vital step in a computer forensic investigation and is accepted
as the best method for capturing computer evidence that may be presented in a court of law.
Having captured an exact image of the data, the fourth step is to process it. All data must be
processed, including deleted or partially overwritten files, information hidden outside normal
storage areas, and data in virtual memory and slack space. The most common method used by
forensic examiners to capture this data is by using a write-blocking device. This device prevents
the forensic examiner's machine from writing or altering the data on the suspect drive.
Windows operating systems are notorious for this problem.
34 | P a g e
Typically, the suspect drive is removed from the machine if possible and plugged directly into
the write-blocking device. Once this has occurred, an examiner can make what is called a "bitstream" image of the drive. This is an exact bit-for-bit copy of the drive's contents, including
deleted space, file slack, and logical files. Another method of capturing this data is using a Linux
live CD or a boot disk, which allow the investigator to view the files on the drive, including
deleted space and unallocated clusters, without altering the drive's contents. The examiner can
then copy the files onto an external hard drive and view them. Hidden data often contains the
most vital evidence to prove or disprove a case. In some cases, a file extraction may be
appropriate. In other situations, a data index may be created to support powerful search tools.
After auditors have a complete image of the drive, they can start collecting the evidence. Most
forensic software includes ready-made scripts for a variety of operating systems that automate
certain functions such as encrypted registry parser, file finder, and file mounter. Because
different programs may work better for different tasks, auditors should ensure organizations
are using the right product based on their data analysis needs. For additional tips on how to
gather evidence, refer to the "Additional Steps and Techniques" section below or "Steps to
Handle Evidence During a Forensic Examination" sidebar at left.
Analyzing the Results
The second phase, analyzing the results, takes place after all the evidence is acquired and
imaged properly. Because every case is different, auditors need to be fully trained when
conducting a data analysis, or they should recommend a trained forensic examiner performs the
evaluation if they lack the professional training to do so.
To analyze the evidence, auditors should use the working copy of retrieved, deleted, electronic
data only, including files and folders. Auditors also need to maintain a chain of custody when
handling the evidence. This enables them to ensure the legitimacy of the evidence presented in
court is unquestionable and provides an audit trail of who accessed the data and when. To
maintain a digital chain of custody, all images should be hashed — the process of creating a
small digital fingerprint of the data.
During the data analysis stage, software also is used to inspect the raw data and organize it into
an understandable report. As a result, the auditor must be able to tell the computer what to look
for by using text-string search terms that will identify data pertaining to the specific incident
under investigation. A search term should be created for each individual investigation and may
be modified for each specific storage device within that investigation. Text strings could have as
many as 500 words or phrases. The more text strings used, the better the results will be. Using
more text strings, however, requires more work: As more text strings are used, results may
contain a higher number of false positives or unrelated data that need to be examined. In
addition, this process may take considerable time depending on the size of the storage device
and the amount of data on that device.
Once the data is analyzed, auditors should review any information stored in special folders and
files created by the operating system, in addition to folders and files created by the user. After
this stage is completed, the evidence must be recorded, sorted into different classifications, and
stored.
Reporting Results
The final phase of the forensic examination is creating the report and reporting the evidence.
Final reports of the investigation should include a list of all the evidence gathered, a copy of
printed documents listed as appendices, and an executive summary. In certain cases, (e.g., to
obtain a search warrant or make a criminal charge), auditors may need to create interim
reports. These reports are updated as new information is gathered and until the investigation is
completed.
35 | P a g e
Report findings need to be ready to be used in a court of law. For instance, reports should
clearly explain what made the company or auditor suspicious of the hard drive, how the hard
drive was imaged, how the data was handled prior to the analysis, where within the hard drive
the evidence was found, and what the evidence means. Internal auditors who conduct the
forensic examination should expect to be called to provide expert testimony during the court
case and help the organization review the opposing counsel's evidence. Other Steps are inculted
on endnote.v
♣ Stock market transaction
Usually stock market is moving on random walk, investors price the underlying stock on the
basis of the future cash flow and return that the investments usually make. If overall market
thinks that price of stock of particular corporation if overpriced then they may be under some
conclusion from the Financial analyst that have dig into the pattern of stock and performance
that is inconsistent from the estimated data so significantly that causes red alert from them and
thus stock price will fall down. Under the efficient market hypothesis they exist a concept that
market has all the information necessary to price the stock available at hand and they try to
value the underlying stock on the basis of the information being up to date on real time basis.
There exists only about 5-10 minutes time on which after the sensitive information is relayed on
the news or other informal source market makes correct assumption about the stock prices.
Usually if the big capital market institution (mutual fund, hedge fund, investment bankers,
pension fund) makes a certain transaction they always consider information either given by
Financial Analyst (quants) using technical and fundamental analysis, or from insiders
information that either we deduce from recent news or whistle blower/spy that work on the
industry for them.
♣ Tax filing (report, sales to sales tax, income to income tax etc)
We can see the actual tax filed by the corporate house to the balance sheet that management has
prepared and can analyze that if there if significant deviation on the reported amount that
management has reported to the Inland Revenue Department. Many management usually have
audited financial statements on many parts like one for shareholders, another for tax
authorities, next for board of directors and others for general public and investors. Usually
excise report; indirect tax report (VAT/Sales Tax/Customs) is undervalued to pay less tax. If the
auditors asks from these government institution that filing document of the corporate, then
some red flags can be noticed and detected timely. These way auditors can dig into the fact if the
balance sheet and financial statements are significantly deviated from what is reported to the
authorities.
36 | P a g e
Other Qualitative Means for analyzing the fraud on Financial
Statements are
Examination methods are:
Tests of reasonableness:
 Check weaknesses in internal controls
 Identify questionable transactions – indicating wide fluctuations from the normal
ones and not, in general, related to main objectives.
 Review questionable transaction documents for peculiarities, like improper account,
classifications, pricing, invoicing, or claims, etc.
Historical Comparisons
 Develop a profile of the entity under investigation, its personnel and beneficiaries,
using available information.
 Identify questionable accounts, account balances, and relationships between
accounts, for finding out variances from current expectations and past relationships.
 Gather and preserve evidence corroborating asset losses, fraudulent transactions,
and financial misstatements.
Off-Balance Sheet Transactions
There are certain transactions not prima facie discussed in the financial statements and nor
suitable disclosures made. Since these are intangible in financial statement, or auditor may not
consider these as significant or material, no statement/qualification is normally made in
auditors’ report. These may encompass:
 Significant purchases/sales of raw materials and/or finished goods with only a
particular dealer or group companies of such vendor which might suggested significant
related party transactions.
 Pattern of consumption of major raw materials/components, indicating excess
consumption or under consumption without the correlating management or operational
indicators for so.
 Over/under-invoicing for capital goods, raw materials/ components, services, etc. as
compared to normal arms’ length prices for the same. (both in related party transactions
and in general)
 Alteration (amendment and deletion) of contractual terms, and ratification of to pass on
otherwise accrued benefit, to holding/group companies.
 Diversion of funds through group companies and setting off such debits as expenditure
in accounts with proper authorization before closure of accounts to avoid detection.
 Cost over–runs in major capital expenditure without corresponding benefit or
convincing reasons, for future benefit that might be considered elsewhere.
 Justifications for non-maintenance of certain basic records, on technical grounds, but
with intention to defraud.
Aspects to be covered Objective of forensic audit is to find whether or not a fraud has taken
place. Forensic auditor shall have to examine voluminous and in totality, records and witnesses,
if permitted by law. Proper documentation is vital in substantiating the findings. The outcome
shall focus on the following, in case of frauds:
 Proving the loss
 Proving the responsibility for the loss
 Proving the method/motive
37 | P a g e
 Establishing guilty knowledge
 Identifying other beneficiaries.
(Vasudevan, 2004)
Key Qualitative indicators
1. Falling of Stock prices on market and increase on short selling activities of the company
2. Resignation of the senior personnel of the company for personal reasons or other
diplomatic reasons
3. Selling of large number of shares by promoters, company officers and major trading
house to the effect of insider's information and trading.
4. Using complicated disclosure and accounting practices to make naive and novice
investors fooled into believing the statements.
5. Audit fees are far less in comparison to the other management, legal fees paid to
auditors.
The auditor can spot the red flag on risky area by putting an analytical procedure e.g.:
 Revenue is growing without significant and co relational growth in operation
cash flows, or cash flow is being generated from other sources like financing
activities and investing activities,
 Consistent sales growth whereas the competitors are experiencing weak
performance and economy is under recession,
 A rapid and unexplainable rise in the number of day's sales in receivables in
addition to growing inventories,
 A significant surge in the company's performance within the final reporting
period of fiscal year, without correlating increase in the marketing affect,
demand increase if unjustified,
 The company maintains consistent gross profit margins while its industry is
facing pricing pressure.
 A large buildup of fixed assets. It may refer to operating expense capitalization,
rather than expense recognition.
 Depreciation methods and estimates of assets' useful life. An overstated life of an
asset will decrease the annual depreciation expense, and underestimated life of
assets causes increase depreciation expenses, thus reducing profit. Many other
factors that require diligent estimate can be made to misapprehension to create
fabricated statements. e.g.: estimate for provision for bad debts, provision for
reserve to transfer to balance sheet estimate etc.
 A weak system of internal controls, where there is perceived opportunity of
committing fraud and deception.
 Outsized frequency of complex related-party or third-party transactions, many
of which do not add tangible value (can be used to conceal debt off the balance
sheet) to the corporation, and seems unjust to the benefit to the company.
INVESTIGATION OF VENDORS
Vendor information setup in the company’s master file data for the accounts payable system •
Contracts, purchase orders, invoices, and documents used to accumulate payment approvals,
receiving documents, correspondence concerning credits, billing errors, or other matters, •
38 | P a g e
Internal reviews of vendor quality and the results of public record searches performed to
qualify the vendor
INVESTIGATIONS OF IMPROPER RELATED-PARTY ACTIVITY
Related party transaction occurs in the scope of corruption and commission where one party
obtains unjust benefit from performing the transactions. This type of work is done when
transaction are not performed owing to the fact that that ought to be done to be best interest of
the shareholders, and are performed to the benefit of the management. E.g. purchase of
significant raw materials from family members and relatives as defined by the act.
INVESTIGATIONS OF EMPLOYEE MISAPPROPRIATIONS
Employees usually perform embezzlement of petty cash and misappropriation of assets of the
company. They usually commits this kind of fraud by deliberately write off of inventories as
consumed during production, mis-totaling on ledger, not recording inventory received on full
value and quantity, and recording fictious petty cash expenses. This type of fraud can be tested
by using substantive procedure, internal control model analysis and audit trail of complete flow
of materials.
Evidence collection for forensic auditing
Working papers
Accounting records, other documents. General ledger, sub ledgers, financial management
reports, reconciliations, journal entries, internal audit reports, purchase orders, vendor
information, accounting journals, management reports, contracts, telephone, computer system
and security system records, desk files, e-mail files, Web sites—and still other types of records
and documents are collected for using as a criminal or civil trial where alteration, fabrication,
cosmetics and other type of acts are performed that create the real performance of corporation
in disguise and dark.
Public record searches. Reports from third-party investigations, such as related-party evidence,
Dun & Bradstreet reports, and investigative reports and information from Internet sites :the
information may be as varied as newspaper articles, chat room discussions, links to hobbies,
and philanthropic and other outside interests and investments. Sources of this material may
include filings with the U.S. Securities and Exchange Commission (SEC), accessed through
EDGAR.3
 Electronic computer files. E-mail (copies of To, From, cc, and bcc), computer files or
imaged records of entire drives, and data stored in handheld personal digital
assistants.
 Photographs or digital photos, preferably with a date/time stamp.
 Chain-of-custody documentation.
 Interview notes and audio recordings. Interview notes taken by you and your staff
professionals during the investigation of witnesses—both targets and company
personnel.
 Third-party information. Provided by legal counsel or other interested third parties,
this material might include external audit reports, management letters and reports,
records of non-audit services, bank statements (canceled checks, bank advices, and
other supporting documentation), and documents obtained by subpoena or search
warrants.
 Court pleadings and deposition transcripts.
39 | P a g e
Annex 1
SAMPLE TABLE OF CONTENTS (FORENSIC AUDIT REPORT)
EXECUTIVE SUMMARY
1.0 BACKGROUND
1.1 Origin of the Audit
1.2 Audit Objective
1.3 Proposed Audit Outputs
1.4 Audit Implementation Approach
2.0 RISK ANALYSIS
2.1 Internal Environment Risk
2.1.1 Financial Management
2.1.2 Customers, Products and Competitors
2.1.3 Information technology
2.1.4 Business Process
2.1.5 Human Resource Management
2.2 External Environment Forces
2.2.1 Influence of Economics and Loans Market
2.2.2 Political and Legal Scenario
2.2.3 Technology in Banking
3.0 EVIDENCE OF RISK EVENTS
3.1 Conflicts of interest
3.2 Bribery
3.3 Extortion
3.4 Cash theft
3.5 Fraudulent disbursements
3.6 Inventory frauds
3.7 Misuse of assets
3.8 Financial Statement fraud
4.0 AUDIT RECOMMENDATIONS
4.1 Logical Framework Approach
4.2 Preconditions and Risks
5.0 GOVERNANCE ON RECOMMENDATION IMPLEMENTATION
5.1 Stakeholders
5.2 Budget Considerations
40 | P a g e
List of Annexes
Annex 1: Members of the Interviews
Annex 2: Organization Chart of Bank
Annex 3: Financial Performance (YYYY to YYYY)
Annex 4: Audit Recommendation Logical Framework
Annex 5: Analysis of Key Risk Events
Many Others:
(Accountants, Association of Chartered Certified, 2009)
Annex II
Works Cited
Accountants, Association of Chartered Certified. (2009). UK Technical Paper. UK.
BASIC INC. ET AL.v. LEVINSON ET AL., 485 US 224 (Supreme Court of United States. March 7, 1988).
Coopers & Lybrand . (May 1994). INTERNAL CONTROL – INTEGRATED FRAMEWORK (Vol. 2). Jersey ,
New Jersey, USA: American Institute of Certified Public Accountants.
Dilts, Robert. (n.d.). The Article of the Month/ Eye Movements and NLP. Retrieved 3 08, 2014, from
NPL University: http://www.nlpu.com/Articles/artic14.htm
Financial Statement Analysis. (n.d.). Retrieved from Accounting Tools:
http://www.accountingtools.com/financial-statement-analysis
41 | P a g e
G.Jyotsna, S. S. (2013). Application of Data Mining Techniques for Financial Accounting Fraud
Detection Scheme. International Journal of Advanced Research in Computer Science and Software
Engineering , 3 (11), 717-724.
Hugh, G., & Tom, C. (2004). Lessons for Auditors (Vols. 1524-5586). USA: Journal of Forensic
Accounting.
London & General Bank, Justice Lopes (2 1895).
Odei-Kissi, A. (2013, April 7 ). Auditing- Substantive Procedures. Retrieved from
http://studyresort.blogspot.com/
Shapiro v. UJB Financial Corp, 964 F.2d 272 (1992) (United States Court of Appeals May 20, 1992).
THOMAS W. GOLDEN, S. L. (2006). A GUIDE TO FORENSIC ACCOUNTING INVESTIGATION. New Jersey:
John Wiley & Sons, Inc.
Vasudevan, S. (2004). Forensic Auditing. ICAI Journal , 359-364.
Bibliography
Accountants, Association of Chartered Certified. (2009). UK Technical Paper. UK.
BASIC INC. ET AL.v. LEVINSON ET AL., 485 US 224 (Supreme Court of United States. March 7, 1988).
Coopers & Lybrand . (May 1994). INTERNAL CONTROL – INTEGRATED FRAMEWORK (Vol. 2). Jersey ,
New Jersey, USA: American Institute of Certified Public Accountants.
Dilts, Robert. (n.d.). The Article of the Month/ Eye Movements and NLP. Retrieved 3 08, 2014, from
NPL University: http://www.nlpu.com/Articles/artic14.htm
Financial Statement Analysis. (n.d.). Retrieved from Accounting Tools:
http://www.accountingtools.com/financial-statement-analysis
G.Jyotsna, S. S. (2013). Application of Data Mining Techniques for Financial Accounting Fraud
Detection Scheme. International Journal of Advanced Research in Computer Science and Software
Engineering , 3 (11), 717-724.
Hugh, G., & Tom, C. (2004). Lessons for Auditors (Vols. 1524-5586). USA: Journal of Forensic
Accounting.
London & General Bank, Justice Lopes (2 1895).
42 | P a g e
Odei-Kissi, A. (2013, April 7 ). Auditing- Substantive Procedures. Retrieved from
http://studyresort.blogspot.com/
Shapiro v. UJB Financial Corp, 964 F.2d 272 (1992) (United States Court of Appeals May 20, 1992).
THOMAS W. GOLDEN, S. L. (2006). A GUIDE TO FORENSIC ACCOUNTING INVESTIGATION. New Jersey:
John Wiley & Sons, Inc.
Vasudevan, S. (2004). Forensic Auditing. ICAI Journal , 359-364.
i
International Financial Reporting Standards
IAS 1: Presentation of Financial Statements
IAS 2: Inventories
IAS 7: Cash Flow Statements
IAS 8: Net Profit or Loss for the Period, Fundamental Errors and Changes in Accounting Practices
IAS 10: Events After the Balance Sheet Date
IAS 11: Construction Contracts
IAS 12: Income Taxes
IAS 14: Segment Reporting
IAS 15: Information Reflecting the Effects of Changing Prices
IAS 16: Property, Plant and Equipment
IAS 17: Leases
IAS 18: Revenue
IAS 19: Employee Benefits
IAS 20: Accounting for Government Grants and Disclosure of Government Assistance
IAS 21: The Effects of Changes in Foreign Exchange Rates
IAS 22: Business Combinations
IAS 23: Borrowing Costs
IAS 24: Related Party Disclosures
IAS 26: Accounting and Reporting by Retirement Benefit Plans
IAS 27: Consolidated Financial Statements
IAS 28: Investments in Associates
IAS 29: Financial Reporting in Hyperinflationary Economies
IAS 30: Disclosures in the Financial Statements of Banks and Similar Financial Institutions
IAS 31: Financial Reporting of Interests in Joint Ventures
IAS 32: Financial Instruments: Disclosure and Presentation
IAS 33: Earnings per Share
IAS 34: Interim Financial Reporting
43 | P a g e
IAS 35: Discontinuing Operations
IAS 36: Impairment of Assets
IAS 37: Provisions, Contingent Liabilities and Contingent Assets
IAS 38: Intangible Assets
IAS 39: Financial Instruments: Recognition and Measurement
IAS 40: Investment Property
IAS 41: Agriculture
IFRS 1 First-time Adoption of International Financial Reporting Standards
IFRS 2 Share-based Payment IFRS 3 Business Combinations
IFRS 4 Insurance Contracts
IFRS 5 Non-current Assets Held for Sale and Discontinued Operations
IFRS 6 Exploration for and Evaluation of Mineral Resources
IFRS 7 Financial Instruments: Disclosures
Source: International Accounting Standards Board (2007): International Financial Reporting
Standards
(IFRSs®) 2007 (including International Accounting Standards (IASs™).
ii
. The general groups of ratios are:
 Liquidity ratios. This is the most fundamentally important set of ratios, because they
measure the ability of a company to remain in business.
a. Cash coverage ratio. Shows the amount of cash available to pay interest.
b. Current ratio. Measures the amount of liquidity available to pay for current
liabilities.
c. Quick ratio. The same as the current ratio, but does not include inventory.
d. Liquidity index. Measures the amount of time required to convert assets into
cash.
 Activity ratios. These ratios are a strong indicator of the quality of management, since
they reveal how well management is utilizing company resources.
a. Accounts payable turnover ratio. Measures the speed with which a company
pays its suppliers.
b. Accounts receivable turnover ratio. Measures a company's ability to collect
accounts receivable.
c. Fixed asset turnover ratio. Measures a company's ability to generate sales from a
certain base of fixed assets.
d. Inventory turnover ratio. Measures the amount of inventory needed to support a
given level of sales.
e. Sales to working capital ratio. Shows the amount of working capital required to
support a given amount of sales.
f. Working capital turnover ratio. Measures a company's ability to generate sales
from a certain base of working capital.
 Leverage ratios. These ratios reveal the extent to which a company is relying upon debt
to fund its operations, and its ability to pay back the debt.
a. Debt to equity ratio. Shows the extent to which management is willing to fund
operations with debt, rather than equity.
44 | P a g e
b. Debt service coverage ratio. Reveals the ability of a company to pay its debt
obligations.
c. Fixed charge coverage. Shows the ability of a company to pay for its fixed costs.
 Profitability ratios. These ratios measure how well a company performs in generating a
profit.
a. Breakeven point. Reveals the sales level at which a company breaks even.
b. Contribution margin ratio. Shows the profits left after variable costs are
subtracted from sales.
c. Gross profit ratio. Shows revenues minus the cost of goods sold, as a proportion
of sales.
d. Margin of safety. Calculates the amount by which sales must drop before a
company reaches its breakeven point.
e. Net profit ratio. Calculates the amount of profit after taxes and all expenses have
been deducted from net sales.
f. Return on equity. Shows company profit as a percentage of equity.
g. Return on net assets. Shows company profits as a percentage of fixed assets and
working capital.
h. Return on operating assets. Shows company profit as percentage of assets
utilized. (Financial Statement Analysis)
iii
Examples of Digital Analysis audit findings
In an accounts payable audit there were several first-two digit spikes (excesses) and the number
duplication table showed large frequencies for several low-value numbers. This pointed to several
processing inefficiencies such as individual invoices for courier charges and for employee business
cards. The internal auditor suggested ways to consolidate the low-value invoices and significant
processing time was saved thereby allowing accounts payable personnel to focus on large dollar
invoices. In an employee reimbursements audit, the auditor detected abnormal first-two digit
excesses at 95, 99, and 10. The follow-up showed that employees were excessively claiming
breakfast expenses of $9.50, $9.90, and $10.00. The corporate policy was that meal expenses of $10
and under did not need a supporting voucher. While the amounts were small, the value-added
conscious auditor reported the finding to management and noted that any increase in the voucher
cut-off amount could potentially increase amounts claimed by employees.
A bank auditor found that credit card balances written off as uncollectible had an excessive level of
numbers with first-two digits 49. The investigation found that $5,000 was an internal write-off limit
for internal collections employees. One employee was responsible for most of the 49s by working
with friends and having them apply for a card and then running up a balance to just below $5,000.
The employee would then write the debt off. The systematic nature of the fraud was evident from
the first-two digits graph.
An accounts payable audit at a utility showed excessive 50s on the first-two digits graph. The auditor
found that many of the numbers starting with 50 were for car batteries costing $50. The
45 | P a g e
investigation work showed that the number of car batteries paid for during the year was twice the
number of cars in the fleet.
A company had an internal purchasing limit of $1,000 for most managers and for capitalizing
expenses. The auditor noted that first-two digits showed no significant excesses for 95 to 99 which
would occur if managers were breaking up purchases to below their limit. Not finding violations of
the control procedure was deemed by management to be useful value-added information.
At an accounts payable audit of a large conglomerate, the auditors noted that the number
duplication table included many large odd numbers that occurred exactly twice. The investigation
showed that the divisional databases were incorrectly merged and that the invoices of one division
were included twice, and the invoices of another division were omitted. Without this finding the
auditors would have had a zero sample for the omitted division.
In an audit of inventory the external auditors detected that the number duplication table included
many large odd numbers that occurred exactly twice. The finding was error-related in that the
inventory in three large sections of the warehouse was included twice on the inventory count
sheets. The double count would have materially overstated earnings.
iv
WHAT IS SLACK SPACE?
When an e-mail message is created, space is reserved in small sections. As the message grows,
sections are added one at a time. These sections are of a specific size. When e-mail data is deleted,
the space is available for use again, and new e-mails can use the sections as needed. If the new email is shorter than the deleted e-mail, the storage device will contain sections with the previous
data. This old written data is referred to as slack space. Here's a more general analogy: A person
goes to the video store to buy a movie. The VHS tape allows for two hours of video to be recorded
on it. The person decides that the movie is not worth keeping and uses the tape to record a 90minute show. After taping over the original movie, the VHS tape still has 30 minutes of tape
remaining, which contains the old movie.
ADDITIONAL STEPS AND TECHNIQUES
Before and during the forensic investigation, internal auditors can take additional steps to
ensure evidence is court-ready. Prior to the forensic examination, the auditor should physically
secure the system in question and take pictures of the room, the area surrounding the system,
and the system itself. In addition, the auditor needs to secure the evidence onsite or in a
laboratory to ensure a proper chain of custody is followed and digital evidence is secured
effectively. The auditor should also document all system details and any connections to the
system, such as network cables and 802.11x connections.
The following actions should be avoided at all cost prior to collecting the evidence:
Modifying the time and date stamps of the system(s) containing the evidence before duplication
takes place.
Executing nontrusted binaries by double-clicking or running any executable files that are on the
computer (e.g., evidence.exe could be a wiping program that, when run, can destroy all the
evidence on the drive).
Terminating the rogue process. This pertains to processes on the computer that are displayed
when users press Ctrl+Alt+Delete. In hacking cases, it's common for people to press
v
46 | P a g e
Ctrl+Alt+Delete and kill any processes they are unsure about. This may have adverse effects,
such as wiping the drive or log files and notifying the attacker that the process has been
discovered.
Updating the system before the forensic investigation takes place.
Not recording executed commands.
Installing software on the system.
Live Analysis
While collecting the evidence, a live or offline analysis can be performed as part of the gathering
process. A live analysis takes place when the forensic investigation is conducted on the live
system (i.e., the system is not powered down). Due to the volatile nature of digital media,
auditors need to document all the steps taken while collecting the evidence during a live
analysis. Besides refraining from installing software on the system, the auditor should not
update the system with any security patches or hot fixes prior to imaging the drive. If the
computer has any active windows open, pictures should be taken of the monitor as part of the
examination's documentation, as well as the area by the system's clock to determine whether
there are encrypted containers and, if so, whether they are open.
Internal auditors may encounter problems during any live analysis. Some of these problems
include:
Destruction or alteration of digital evidence by the auditor. Because computer files only get
overwritten when data needs to take its place on the hard drive, clicking on files or folders on a
computer will result in information being written to the drive, potentially overwriting valuable
evidence. During a live analysis, this is unavoidable. To capture potentially overwritten data, the
auditor should write every action performed on the system so that the forensic examiner can
rule out that activity.
Logic bombs and slag code. This refers to a piece of code or application that does something
based on a condition. For example, wiping software commonly erases the drive on startup or
shutdown. Therefore, the auditor can trigger a logic bomb or slag code simply by clicking on
Start>Shutdown. The best way to avoid this situation is to unplug the machine from the wall.
This will prevent software code from running, because the machine will have no electricity to
run. If the investigation involves a laptop, after unplugging the machine, the investigator can
shutdown the laptop by pressing the power button and holding it down for approximately five
to 10 seconds. This will cut all power to the machine and force it to shutdown.
Trojan binaries and root kits. Trojans and root kits are installed by the attacker. When
operational, they send alerts to the hacker after a specific action takes place. Some Trojans even
allow the attacker to view the computer screen in real time. Properly shutting down the
machine, will prevent the hacker from seeing what the forensic investigator is doing. At a
minimum, the computer's Internet connection must be disabled so that information is not sent
to the attacker.
No access to slack space, pagefile/hibernation files, Windows NT file system transaction logs,
and print spoolers. Sometimes, these files may contain just the right evidence needed to prove a
case. For instance, in cases involving the use of forged checks, printed files could have all the
evidence needed. However, if the investigator is unable to access these files, the evidence could
be lost as the investigation moves forward and files are imaged.
Once the data is gathered during the live analysis, the system must be imaged. Depending on the
type of operating system, the auditor may need to shut down the system properly without
damaging the evidence, while still allowing the system to boot up.
47 | P a g e
Offline Analysis
An offline analysis is when the investigation takes place on the imaged copy. When preparing
the evidence, auditors need to know how to power down the system correctly. Some systems
must be shut down properly, while others can be turned off by pulling the plug
(refer to Table 1).
Table Error! Main Document Only.: Comparison of systems that can be turned off through the shut-down
method or pull-the-plug method
When taking the system down, auditors need to make sure they remove the plug from the back
of the computer and not the wall, because the computer may be plugged into an uninterruptible
power supply. All cords attached to the computer, such as USB devices or network Ethernet
cables, must be documented. Once the system is turned off and the information is recorded, the
auditor might want to make an image of the system.
Auditors always should check to ensure duplication procedures and tools used meet the
country's legal requirements. Otherwise, evidence may not be admissible in a court of law. For
example, in the United States the National Institute of Standards and Technology requires that
disk imaging tools used during the forensic examination meet certain standards, such as not
altering the original disk in any way and logging all input and output errors.
48 | P a g e