Forensic and Investigative Accounting Chapter 13 Computer Forensics: A Brief Introduction © 2005, CCH INCORPORATED 4025 W. Peterson Ave. Chicago, IL 60646-6085 http://tax.cchgroup.com A WoltersKluwer Company Definition of Computer Forensics Computer forensics is the analysis of electronic data and residual data for the purposes of its recovery, legal preservation, authentication, reconstruction, and presentation to solve or aid in solving technology-based crimes. Chapter 13 Forensic and Investigative Accounting 2 SAS 31 – Evidential Matter Provides guidelines for audit engagements encountering electronic documents. It may not be practical or possible to reduce detection risk to an acceptable level using only substantive tests. In these cases, must perform tests of system controls to show they are strong enough to mitigate the risks inherent in electronic audit evidence. May require use of CAATs or GAS. Chapter 13 Forensic and Investigative Accounting 3 SAS 80 – Amendment to SAS 31 Under situations where detection risk cannot be satisfactorily reduced by substantive testing, requires auditor to use tests of systems controls. Defines evidential matter as written and electronic documents. Notes that time lapse is important as electronic evidence can be quickly destroyed or is not retrievable after a certain time. Auditor needs an understanding of how information is extracted from the network. Chapter 13 Forensic and Investigative Accounting 4 SAS No. 99 Guidelines for Testing Digital Data SAS No. 99 states: In an IT environment, it may be necessary for the auditor to employ computer-assisted audit techniques (for example, report writers, software or data extraction tools, or other system-based techniques) to identify the journal entries or other adjustments to be tested. Chapter 13 Forensic and Investigative Accounting 5 Sarbanes-Oxley 2002 If there are design failures or weaknesses in the financial reporting of digital data, it may mean there is a significant deficiency or material weakness. Chapter 13 Forensic and Investigative Accounting 6 PCAOB Has taken over setting audit standards for auditors. Supports Auditing Standard No. 2 – An Audit of Internal Control Over Financial Reporting in Conjunction with An Audit of Financial Statements. A company’s use of information technology in its IS affect the company’s internal control over financial reporting. Chapter 13 Forensic and Investigative Accounting 7 IT Guidelines under COSO Framework Guidelines have been established for these areas: 1. Internal control environment 2. Objective setting 3. Event identification 4. Risk assessment 5. Risk response 6. Control activities 7. Information and communication 8. Monitoring Chapter 13 Forensic and Investigative Accounting 8 COBIT’s Goals COBIT’s goals are to set control objectives for IT compliance using a strategic planning perspective and at the same time to outline, in detail, the proper procedures to be followed for specific compliance measures. Chapter 13 Forensic and Investigative Accounting 9 Restrictions Computer and database searches may come under First Amendment privileges and protection. Restrictions on wide seizures are protected by the Fourth Amendment. Cautions must be performed when electronic evidence is collected (13-14). Chapter 13 Forensic and Investigative Accounting 10 Chapter 13 Forensic and Investigative Accounting 11 Technical Skills for Digital Evidence Collection Necessary skills are based on the following requirements: 1. Understanding of various operating systems 2. Quickly identifying pertinent digital data 3. Properly preserving data 4. Properly securing data 5. Properly collecting data 6. Maintaining a proper chain of custody Chapter 13 Forensic and Investigative Accounting 12 Forensic Investigative Tools Imaging software: EnCase SafeBack Data extraction or data mining software: ACL Data Extraction and Analysis (IDEA) Chapter 13 Forensic and Investigative Accounting 13 Chapter 13 Forensic and Investigative Accounting 14 Chapter 13 Forensic and Investigative Accounting 15 Chapter 13 Forensic and Investigative Accounting 16 Chapter 13 Forensic and Investigative Accounting 17 Chapter 13 Forensic and Investigative Accounting 18 Chapter 13 Forensic and Investigative Accounting 19