GOJ Audit Commission Conference 2016 PRESENTS : FORENSIC Forensic - - PowerPoint PPT Presentation

1

PRESENTS :

FORENSIC Forensic Audits-Help for Today’s Entity

PRESENTER : Thursday, October 27, 2016 COLLIN A. A. GREENLAND, Forensic Accountant, MBA, FJIM, CFE, CFSA, CFC.

GOJ Audit Commission Conference 2016

 To Sensitize / Review the essential aspects of Forensic Accounting, Definition, Nature, etc.  To Expose / Review the Need / Demand for Forensic Accounting Generally.  To Expose and Explain to Attendees the types of Forensic Assignments / Applications, the Main Elements of a Forensic Audit.  To Introduce “Cutting Edge” Forensic Accounting Methodologies, Techniques and Technology

WHAT IS FORENSIC ACCOUNTING ?

DEFINITION 1. : The application of financial skills and an investigative mentality to unresolved issues, conducted within the context of the rules of

• evidence. As a discipline, it encompasses financial expertise,

Fraud knowledge, and a strong knowledge and understanding of Business reality and the working of the legal system. (SOURCE : Fraud Auditing and Forensic Accounting : New Tools And Techniques, by Jack Bologna and Robert J. Lindquist, John Wiley & Sons, New York, 1987.)

WHAT IS FORENSIC ACCOUNTING (contd.)?

DEFINITION 2. :

Forensic accounting (or auditing) is the integration

• f

accounting, auditing and investigative skills in order to provide an accounting analysis suitable for the resolution of disputes (usually but not exclusively) in the courts. (SOURCE : “Demystifying Forensic Accounting,” by Collin Greenland, The Weekend Observer, Pg. 5, December 7, 2001).

WHAT IS FORENSIC ACCOUNTING (contd.)?

THE NATURE OF FORENSIC ACOUNTING

Forensic accountants are required to be familiar with legal concepts and procedures and must be able to identify substance over form when dealing with an issue. Forensic engagements usually require the analysis, interpretation, summarization and presentation of complex financial and business-related issues in a manner which is both understandable and properly supported.

WHAT IS FORENSIC ACCOUNTING (contd.)?

THE NATURE OF FORENSIC ACOUNTING According to the American College of Forensic Examiners Institute, (ACFEI) a group of their educators have broken forensic accounting into 75 topics as Follows (in alphabetical order) :

• 1. Accounting systems and the detection of fraud
• 2. Analytical procedures
• 3. Analyzing financial statements
• 4. Antitrust
• 5. Bankruptcy
• 6. Billing schemes
• 7. Bribery and corruption investigation
• 8. Business interruption

THE NATURE OF FORENSIC AUDITING (contd.)

• 9. Business valuations and cost estimates
• 10. Check tampering
• 11. Civil and criminal fraud statutes and regulations
• 12. Common fraud schemes
• 13. Compliance with applicable laws and regulations
• 14. Computers and computer fraud
• 15. Concealing fraud in accounting
• 16. Concealment investigative methods
• 17. Conflicts of interest investigative techniques
• 18. Conversion investigative methods
• 19. Corporate governance
• 20. Criminology and white-collar and economic crimes

7

THE NATURE OF FORENSIC AUDITING (contd.)

• 21. Cyber fraud and computer topics
• 22. Detecting management and employee fraud
• 23. Document collection and analysis
• 24. Elements of fraud, pressure, opportunity, and rationalization
• 25. Environmental and personal red flags
• 26. Expert witness and expert testimony techniques

27 Financial statement fraud

• 28. Financial reporting process
• 29. Finding assets and people
• 30. Forensic accounting practices
• 31. Forensic and general accounting

32.Forensic and general accounting

• 32. Fraud auditing methodology

8

THE NATURE OF FORENSIC AUDITING (contd.)

• 33. Fraud perpetrators and their motivations
• 34. Fraud prevention and fraud policies
• 35. Fraud schemes
• 36. Fraud statistics
• 37. Fraud symptoms and computer-aided fraud auditing techniques
• 38. Fraud symptoms
• 39. Fundamentals of fraud
• 40. Hidden assets
• 41. Internal control evaluation
• 42, Interrogation
• 43. Interview principles and methods to evaluate deception
• 44. Inventory and asset theft
• 45. Investigation of financial crimes and legal elements
• 46. Kiting

9

THE NATURE OF FORENSIC AUDITING (contd.)

10

• 47. Knowledge of the legal system
• 48. Legal elements of fraud
• 49. Litigation consulting techniques
• 50. Loss prevention investigation
• 51. Loss prevention programs
• 52. Money laundering
• 53 Occupational fraud
• 54. Off-book accounting and financial statement fraud
• 56. Overview of ethics
• 57. Overview of fraud auditing and fraud investigation
• 58. Overview of the legal elements of fraud
• 59. Payroll and expense reimbursement
• 60. Phases of forensic accounting

11

• 61. Principles of ethics and corporate code of conduct
• 62. Professional liability
• 63. Resolution of allegation of misconduct
• 64. Rules of evidence
• 65. Skills required of the forensic accountant
• 66. Statistical sampling
• 67. Tax consequences
• 68. Techniques in locating hidden assets
• 69. The civil justice system
• 70. The criminal justice system
• 71. Theft and skimming
• 72.

Theft act investigative methods

• 73. Theory of fraud examination and prevention
• 74. Trial and cross-examination
• 75. Who commits fraud

THE NATURE OF FORENSIC AUDITING (contd.)

the Need / Demand for Forensic Accounting

• In 2012, IBISWorld reported revenue in forensic accounting in the United States was

expected to grow 6.8% annually from $4.3 billion in 2012 to $6.0 billion in 2017, with a 7.0% increase in forensic accounting revenue expected for 2013 alone.

• In 2014, IBISWorld confirmed that over the previous five years, demand for forensic

accounting services surged as financial regulation increased and the number of bankruptcies and corporate restructures rose sharply. Businesses turned to the industry for aid in assessing and correcting the damage inflicted during the recession as well as for assistance with litigation. Though internal competition and competition from other industries’ in-house forensic accounting services were forecast to rise over the next five years, growth continue as opportunities arise in niche and emerging markets....

the Need / Demand for Forensic Accounting (contd.)

• Today, forensic accounting is now regarded worldwide as one of the

“20 hot job tracks of the future” and job opportunities abound in law firms, financial

• rganizations,

insurance companies, and Government agencies like the FBI, the Internal Revenue Service, and the Bureau of Alcohol, Tobacco and Firearms who constantly investigate everything from money laundering and identity-theft- related fraud to arson and tax evasion.

the Need / Demand for Forensic Accounting (contd.)

• The consensus amongst both researchers and practitioners

today, is that board members, management and

• ther

stakeholders continue to expect assurances that an

• rganization is adhering to industry best practices regarding

governance and internal controls and that the organization is

• n sound financial footing.

Increasingly, in light of ongoing financial scandals, new and more stringent legal requirements, and the increasing complexity of financial reporting, this places higher demands

• n internal audit, and all stakeholders’ awareness for risk

management is growing.

the Need / Demand for Forensic Accounting (contd.)

• Deloitte Touche for example, in their 2012 survey reported that

since their last Internal Audit Fraud Survey in 2010, the mandate and role of Internal Audit functions have continued to evolve, in respect

• f

both fraud risk management and investigation responsibility. Management are still dependent on Internal Audit to provide them with assurance over the anti-fraud controls in place across their businesses, together with the ability to detect and investigate fraud, should it occur. These are important pre-conditions and strong incentives for the inclusion of forensic accounting techniques in internal audit functions.

the Need / Demand for Forensic Accounting (contd.)

• The Deloitte report also pointed out that a robust anti-fraud culture

is being promoted by senior management with 98% of respondents stating senior management endorse and offer some, or extensive encouragement of a strong approach to fraud risk management. These are important pre-conditions and strong incentives for the inclusion of forensic accounting techniques in internal audit functions.

the Need / Demand for Forensic Accounting (contd.)

The Deloitte report also predicted that over the next 12 months, the three key areas of focus in Internal Audit were to be firstly the inclusion (or continued inclusion) of fraud in the scope of reviews undertaken (53%), secondly the increased coverage of fraud risk in the audit plan (40%), and thirdly performing fraud risk assessments (36%). Interestingly, 28% of respondents anticipate the implementation of fraud data mining tools, critical components in forensic accounting. Again, these are important pre-conditions and strong incentives for the inclusion of forensic accounting techniques in internal audit functions.

the Need / Demand for Forensic Accounting (contd.)

In the matter of the initial detection of frauds, internal audit has consistently been exceeded by the categories of “Tips,” and “Management Review” according to the most comprehensive and widely accepted survey on occupational fraud known as “Report To The Nation On Occupational Fraud and Abuse,” researched, compiled and presented by the Association of Certified Fraud Examiners (ACFE) in 1996, 2002, 2004, 2006, 2008, 2010 , 2012, 2014 and 2016. Below is an excerpt of the 2014 report - the inclusion of forensic accounting techniques in internal audit functions will assist in improving its effectiveness in this area.

19

FRAUD PREVENTION (contd.)

ACCOUNTANTS’ PERCEPTION ((contd.)

In an article authored by James L. Bierstaker, Richard G. Brody, and Carl Pacini, C. titled, "Accountants’ perceptions regarding fraud detection and prevention methods,” published by Emerald Group Publishing Limited, they contend that although organisational use of forensic accountants and digital analysis were the least often used of anti-fraud methods, they had the highest effective mean effectiveness ratings. The lack of use of these highly effective methods have been blamed on lack or organizational resources. The following table summarizes the procedures in terms of their percentage usage and level of effectiveness:

20

21

FRAUD PREVENTION (contd.)

ACCOUNTANTS’ PERCEPTION ((contd.) PRACTICAL IMPLICATIONS

Based on the above therefore, organizations should consider the cost / benefit tradeoff in investing in highly effective but potentially underutilized methods to prevent or detect fraud. While the costs may seem prohibitive for small

• rganizations, substantial cost savings from reduced fraud losses may also be

significant.

22

the Need / Demand for Forensic Accounting (contd.)

The need for the use of Forensic Accounting by internal auditors has been further enhanced by the increased use of “Anti-Forensic” actions as the market has seen a flood of new Windows-based software offering to delete files securely and inhibit their recovery by digital forensic programs. These frustrate forensic tools, investigations and investigators by erasing or altering information; creating “chaff,” that waste time and hide information; implicate innocent parties by planting fake evidence; exploiting implementation “bugs” in known tools; and leaving “tracer” data that cause computer forensic tools to inadvertently reveal their use to the attacker.

ANTI-FORENSICS (contd.)

GOALS OF ANTI-FORENSICS The primary goas of anti-forensics include the following :  Avoiding detection that some type of event has taken place.  Disrupting the collection of information.  Increasing the time that an examiner / analyst needs to spend on a case.  Casting doubt on a forensic report or testimony.

24

ANTI-FORENSICS (contd.)

GOALS OF ANTI-FORENSICS (Contd.) Other goals may include the following:  Forcing the forensic tool to reveal its presence.  Subverting the forensic tool (for eg. Using the forensic tool itself to attack the organization in which it is running).  Mounting a direct attack against the forensic examiner (eg. Discovering and disconnecting the examiner’s network, or bombing the building in which the examiners is working.  Leaving no evidence that an anti-forensic tool has been run.

25

ANTI-FORENSICS (contd.)

ANTI-FORENSICS TECHNIQUES  Overwriting Data and Metadata – There are programs that overwrite useful information on a storage device so that it is difficult or impossible to recover.  Cryptography – The art of protecting information by transforming it (encrypting it) into an unreadable format, called cipher text. Only those who possess a secret key can decipher (or decrypt) the message into plain text. Used often to hide data but is easy to detect.

26

ANTI-FORENSICS (contd.)

ANTI-FORENSICS TECHNIQUES (contd.)  Program Packers – Packed programs are tools used that are not subject to reverse engineering or detection by scanning.  Steganography - the process of hiding data inside of a picture or digital

• image. An example would be to hide pornography images of children or
• ther information that a given criminal does not want to have

discovered.  Generic Data Hiding – Data hidden in unallocated or otherwise unreachable locations that are ignored by the current generations of forensic tools.

27

types of Forensic Assignments / Applications

The Forensic accountants are engaged in a wide range of investigations, spanning many different industries . The practical and in-depth analysis that a forensic accountant will bring to a case helps to uncover trends that bring to light the relevant issues in various areas such as :

 FORENSIC / CRIMINAL INVESTIGATIONS  SHAREHOLDERS’ AND PARTNERSHIP DISPUTES  PERSONAL INJURY CLAIMS / MOTOR VEHICLE ACCIDENTS  BUSINESS INTERRUPTION / OTHER TYPES OF INSURANCE CLAIMS  BUSINESS / EMPLOYEE FRAUD INVESTIGATIONS  MATRIMONIAL DISPUTES  BUSINESS ECONOMIC LOSSES  PROFESSIONAL NEGLIGENCE  MEDIATION & ARBITRATION

CONDUCTING Forensic AuditS

AUDIT VS. INVESTIGATION

It is essential that internal auditors realize that their “mind set” in an forensic audit should be one more of an investigation, than that of an audit. Unlike a regular internal audit that focuses mainly on compliance of auditees to established policies / procedures, a forensic audit is more investigative designed mainly to get the facts, find out what happened and gather sufficient evidence to allow management / client to take corrective (or punitive) action.

CONDUCTING Forensic AuditS

AUDIT VS. INVESTIGATION

Clearly this may be more adversarial than routine audits that depend most times on a consultative approach. This is not to say however, that experienced forensic auditors do not use consultative or cooperative approaches but the difference between their approach and that of routine auditors must be generally understood.

“Cutting Edge” Forensic Accounting Methodologies

EARLY FORENSICS ANALYSES (PRE-COMPUTER) Forensic Accountants utilized advanced forensic financial analyses even before the proliferation of Computers. Admittedly, these techniques and methodologies were more time consuming, required more “elbow Grease,” and in some instances less accurate especially where large scale sampling was unavoidable. The analytical and investigative process usual utilized horizontal and vertical trending relationship assessment of innumerable financial and Statistical

• variables. The most common of which included :

“Cutting Edge” Forensic Accounting

Methodologies (CONTD.)

EARLY FORENSICS ANALYSES (PRE-COMPUTER):  Historical analyses of Balance Sheet and Income Statements  Common sizing historical statistics by percentages  Comparative analysis by Industry standards  Cash flow trending analysis trending consistency of net sales, gross profit, operating income and net income  Benchmarking product pricing  Inventory Valuation  EBIT (Earnings before interest)  Accounts receivable / payable turnover  Net Worth changes  Debt / equity  Benford’s Law

33

EARLY DATA ANALYTICS

For example, one of the classical example is the conviction of Al Capone by The FBI’s accountant Frank J. Wilson, the man who spearheaded the campaign to convict “Scarface” Capone of tax evasion in 1931 using the Net Worth method. Wilson data analytics also pioneered the use of recording and analysing serial numbers to prosecute criminals, became the chief of the US Secret Service, and was also credited for pioneering work in trying to eliminate counterfeiting.

34

EARLY DATA ANALYTICS

The main Accounting Ratios used by early days analysts are still used today and analysed mainly on:  INCOME  PROFITABITY  LIQUIDITY  WORKING CAPITAL  BANCRUPTCY  LONG-TERM ANALYSIS  COVERAGE  LEVERAGE

35

EARLY DATA ANALYTICS

These main Accounting Ratios are used even up to today and were utilised in analytical tasks to :  RETRIEVE VALUE.  FILTER  COMPUTE DERIVED VALUE  FIND EXTREMUM  SORT  DETERMINE RANGE  CHARACTERIZE DISTRIBUTION  FIND ANOMALIES  CLUSTER  CORRELATE

MODERN DATA ANALYTICS

In addition to the having the benefit of computerization, modern day analysts such as Forensic Accountants, after ascertaining these fundamentals, are able to apply more complex assessments by drawing from the over 250 or so ratios to delve more incisively into a wider scale of concerns. For example, in alphabetical order, these include:  Accounts Receivable Turnover,  Advertising to Net Income,  Advertising to Sales,  Age of Inventory,  Atman’s z-score (both Manufacturing and Non- Manufacturing),

36

MODERN DATA ANALYTICS

 Audit Ratio,  Average Collection Period,  AverageInventory Period,  Average Obligation Period,  Average Wage and Benefit Cost per Employee,  Bad Debts Ratio,  Breakeven Point,  Capital Acquisition Ratio,  Capital Employment Ratio,  Capital Reinvestment Ratio,  Capital Structure Ratio,  Capital to Non-Current Assets,  Cash and Marketable Securities to Current Liabilities (Acid Test),  Cash and Marketable Securities to Working Capital,  Cash Balance,  Cash Breakeven,

37

MODERN DATA ANALYTICS (Contd.)

 Point, Cash Debt Coverage,  Cash Dividend Coverage,  Cash Flow from Operations to Net Income,  Cash Flows from Investing vs. Finance,  Cash Flow from Sales to Total Sales,  Cash Flow Ratio, Cash Flow to Debt,  Cash Flow to Long Term Debt,  Cash Flows from Investing vs. Finance,  Cash Flows from Operations to Current Portion of Long Term Debt,  Cash Flows from Operations to Total Debt and Equity,  Cash Maturity Coverage,  Cash Return on Assets (Including and Excluding Interest),  Cash Return to Shareholders, Cash Turnover,  Collection Period, Collection Period to Payment Period,  Contribution Margin, Contribution Margin Ratio,  Current Ratio, Current Liabilities to Sales,

38

MODERN DATA ANALYTICS (Contd.)

 Current Return on Training and Development,  Daily Savings in Delayed Cash Payments,  Days of Liquidity,  Debt to Assets,  Debt to Equity Ratio,  Defensive Interval Period,  Discretionary Costs as a Percent of Sales,  Dividend Yield,  EBIT to Sales,  Employment Change,  Equipment Replacement Ratio,  Equipment Upkeep Ratio,  Equity Multiplier,  Expenses to Current Assets,

39

“Cutting Edge” Forensic Accounting Methodologies (CONTD.)

Modern day “CUTTING EDGE” Forensic Accounting, as mentioned previously still use many of the traditional methods mentioned above but increasingly utilize a plethora

• f

COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs) and / or other specific tools and techniques such as for example, Data Mining, Full-and-False Inclusion, Genogram, Entity(s) Charts, Timeline Analysis, Link Analysis, Item Listing, (Modified) Net Worth Method, Source and Use of Cash Method, Proof-of-Cash Method, and Digital Analysis - such as : – Duplicate Numbers Test – Rounded Numbers Test – Stratification Percentage Comparison – Benford’s Law et al.

“Cutting Edge” Forensic Accounting Methodologies (CONTD.)

DATA MINING In the world of forensic accounting, Data Mining provides a type of DNA assurance in evidence gathering as auditors / investigators search for exceptions, oddities, irregularities, patterns, and suspicious transactions. What is Data Mining? PricewaterhouseCoopers defines Data Mining as the “art of analyzing large amounts

• f data in a Manner that detects obscure facts, trends, or inconsistencies in a complete

and efficient manner utilizing "intelligent" computer applications.”

“Cutting Edge” Forensic Accounting Methodologies (CONTD.)

DATA MINING (CONTD.) A more comprehensive definition by professional journal “The Chartered Accountant” regards Data Mining as “a technique with an objective to mine large amount of data to discover previously unknown, action oriented, hidden trends, patterns and complex

• relationships. The technique studies past data, operates on all the variables and entire

population, extracts variables of importance and uncovers patterns in the form of rules, and formulates models by using different techniques.” Data Mining therefore can greatly assist internal auditors, investigators or analysts to discover previously unknown and actionable trends, patterns and relationships in their company data during routine decision making, investigations or even modeling predictions.

ANALYSING BALANCE SHEETS / INCOME STATEMENTS, ETC.

ANALYSING BALANCE SHEETS / INCOME STATEMENTS, ETC. For example, investigations regarding business operations and investment matters may involve use of related analytical tools and techniques like Altman Z-Score, Piotroski F-Score and Beneish’s M-Score.

43

ANALYSING BALANCE SHEETS / INCOME STATEMENTS, ETC.

For example, in testing the probability that a firm will experience bankruptcy within two years, a formula developed by NYU Professor Edward Altman, called a “Z-Score” could be used. This “Z-Score” was established to measure financial distress along a number of objective metrics which includes five easily derived business ratios, weighted by coefficients. Given its simplicity and accuracy, it is a common calculation used by Investment analysts and can be applied relatively easy to a company’s Investment prospect checklist. Though Altman’s research has been added upon in later years as new coefficients were created for more accuracy in various industries, the original formula, widely applicable, is as follows :

44

ANALYSING BALANCE SHEETS / INCOME STATEMENTS, ETC.

.

Z = 1.2X1 + 1.4X2 + 3.3X3 + 0.6X4 +0.99X5. Where; X1 = Working Capital / Total Assets (Measure the liquidity of the company’s asset base); X2 = Retained Earnings / Total Assets (Measure cumulative profitability relative to firm size) X3 = EBIT / Total Assets (Measure how efficiently the company uses its assets to generate earnings from its operations. X4 = Market Value of Equity / Book Value of Total Liabilities (Consideration of the market’s view of the company relative to its liabilities). X5 = Sales / Total Assets (Measures asset turnover).

45

ANALYSING BALANCE SHEETS / INCOME STATEMENTS, ETC.

To interpret the resultant Z-Score, a company would be placed in one of three categories:

• 1. SAFE – If with a Z-Score greater than 2.99 and thus have a relatively

remote risk of bankruptcy;

• 2. LESS CLEAR - With a Z-Score between 1.81 and 2.99, and existing in a grey

area where a clear statement cannot be made.

• 3. IN DISTRESS - With a Z-Score less than 1.81 and thus at A high risk of

bankruptcy. In its initial test in 1968, the Altman Z-Score was found to be 72% accurate in predicting bankruptcy two years prior to the event, the model was found to be approximately 80–90% accurate in predicting bankruptcy one year prior to the event.

46

ANALYSING BALANCE SHEETS / INCOME STATEMENTS, ETC.

Sceptics or detractors who find limitations in Altman’s Z-score, may prefer to find comfort in a companys “F-Score” developed by Joseph Piotorski in 2000 while at the University of Chicago. Compared to Altman’s Z-score which test 5 inputs, the F-score tests nine, but does not weight them. Accordingly, Piotorski’s F- Score is calculated as follows :

The F-sc ore is t he sum t he sc ores for eac h of nine t est s. Eac h t est sc ores one for a pass and zero for a fail.

The tests are profitability related and are as follows:

47

CONDUCTING A FORENSIC AUDIT (Contd.)

ANALYSING BALANCE SHEETS / INCOME STATEMENTS, ETC.

• 1. Net profit is positive;
• 2. Operating cash flow is positive;
• 3. Net profit ÷ total assets at beginning of year, minus the same number for the

previous year is positive;

• 4. Operating cash flow is greater than net profit, capital structure and debt

service;

• 5. Long term debt ÷ by average assets has not increased;
• 6. The Current ratio has increased (the change is more then zero, so even a

negligible increase asses the test!);

• 7. No raising of ordinary (common) equity over the previous year: this test is

passed if the company did not issues any ordinary shares;

• 8. Gross margin has improved over the previous year;
• 9. Asset turnover has increased.

48

CONDUCTING A FORENSIC AUDIT (Contd.)

ANALYSING BALANCE SHEETS / INCOME STATEMENTS, ETC.

Although Piotroski’s research in the US concentrated mainly in identifying strong companies for investing on stocks, the American Association of Individual Investors revealed that the F Score was the only one of its 56 screening methodologies that had positive results in 2008 (up 32.6% on average across 5 stocks, versus -41.7% for all of the AAII’s strategies over the same period.

49

CONDUCTING A FORENSIC AUDIT (Contd.)

ANALYSING BALANCE SHEETS / INCOME STATEMENTS, ETC.

The more skeptics amongst us who feel that a company’s earnings may be manipulated so the above analyses may not be valid, should also know that any possible manipulations can be tested by applying the “Beneish Model,” a mathematical model that uses financial ratios and eight variables to identify whether a company has manipulated its earnings. The variables are constructed from the data in the company’s financial statements and, once calculated, create an “M-Score” to describe the degree to which the earnings have been manipulated. The original M-Score formula is as follows: M-Score = -4.84 + 0.92*DSRI + 0.528*GMI + 0.404*AQI + 0.892*SGI + 0.115*DEPI – 0.172*SGAI + 4.679*TATA – 0.327*LVGI Where,

50

CONDUCTING A FORENSIC AUDIT (Contd.)

ANALYSING BALANCE SHEETS / INCOME STATEMENTS, ETC.

• 1. DSRI - Days’ sales in receivable index
• 2. GMI - Gross margin index
• 3. AQI - Asset quality index
• 4. SGI - Sales growth index
• 5. DEPI - Depreciation index
• 6. SGAI - Sales and general and administrative expenses index
• 7. LVGI - Leverage index
• 8. TATA - Total accruals to total assets

Once calculated, the eight variables are combined together to achieve an M- Score for a company and one less than -2.22 would suggests that it will not be a manipulator, whereas an M-Score of greater than -2.22 would signal the possibility that it is likely to be a manipulator.

51

52

Computer forensics

Although modern day analysts still use many of the traditional methods mentioned above, increasingly they are now utilizing plethora of COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs) pursued mainly through COMPUTER FORENSICS defined below by the National Institute of Standards and Technology as follows : . . . the application of science to the identification, collection, examination, and analysis of data while preserving the

• f the information and maintaining a strict

chain of custody for the data. Data refers to distinct pieces of digital information that have been formatted in a specific way. . .

COmputer FORENSICS (Contd.)

According to NIST the process of computer forensics has four basic phases: Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data. Examination: forensically processing collected data using a combination of automated and manual methods, and assessing and extracting of particular interest, while preserving the integrity of the data. Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination. Reporting: reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensic process.

53

COMPUTER FORENSICS (CONTD.)

COMPUTER FORENSICS is regarded as a branch of Digital Forensic Science, pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analysing and presenting facts and opinions about the digital information.

Computer FORENSICS (Contd.)

CAATS are used to apply DATA MINING to extract and interrogate the plethora of electronic data stored in their many different electronic locations such as their e-mail virus scanner server, mail server, a firewall log, and their many personal computers or workstations. These many sources can assist in provide the “Smoking Gun” type of evidence that can be delved out of financial data emanating from journal entries, check registers, general ledger transactions, customer, vendor, and employee master file data, to perform a series of procedures to identify high- risk and suspicious transactions.

55

56

Computer Forensics (Contd.)

FORENSIC PROCESS

Computer forensic investigations usually follow the standard digital forensic process or phases: acquisition, examination, analysis and reporting. Investigations are performed

• n static data (i.e. acquired images) rather than "live" systems. This is a change from

early forensic practices where a lack of specialist tools led to investigators commonly working on live data. TECHNIQUES The techniques are used during computer forensics investigations include the following:  Cross-drive analysis forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.  Live analysis - Examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. (A system administrator, or sysadmin, is a person who is responsible for the upkeep, configuration, and reliable operation of computer systems; especially multi-user computers, such as servers). The practice is useful when dealing with Encryption Fie Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

57

Computer Forensics (Contd.)

TECHNIQUES (Contd.)  Deleted files - A common technique used in computer forensics is the recovery of deleted files used by modern forensic software which have their own tools for recovering or carving out deleted data. File carving, for example, involves searching for known file headers within the disk image and reconstructing deleted materials. Demand for this software has emerged because traditional file deletion does not actually remove the file data from the media, but rather marks the space as available to be used

• again. While such secure delete programs often erase the actual contents of the file,

most leave behind digital artifacts on the file system. This trace evidence can be used by forensic examiners to determine whether a secure delete program was employed, in addition to providing additional information about the original file (metadata).

58

Computer Forensics (Contd.)

TECHNIQUES (Contd.)  Stochasted forensics – a method which uses stochastic properties of the computer system to investigate activities lacking digital artifacts. (Physical systems in which we are uncertain about the values of parameters, measurements, expected input and disturbances are termed Stochastic Systems. In probability theory, a purely stochastic system is one whose state is randomly determined, having a random probability distribution or pattern that may be analyzed statistically but may not be predicted

• precisely. In this regard, its chief use is to investigate data theft.

59

COmputer forensics (Contd)

PRACTICAL FORENSICS Qualified forensic auditors have some legal training and this Include knowledge of what constitutes evidence in a legal sense. Recognizing evidence and knowing where to find it is partly art and partly science. However, a structured, methodical approach and the proper tools will eliminate much of the guesswork. Regardless of the CAAT used, electronic forensic accounting is conducted by hardware or software devices that facilitate the PRESERVATION, COLLECTION, ANALYSIS, and DOCUMENTATION

• f evidence.

DIGITAL EVIDENCE

Internal auditors should be aware that the inventory should include the location and storage formats of all electronic data and any information stored and or used by computer technology is considered to be electronic evidence discoverable in litigation. Relevant information may exist in a variety of locations and various forms and basic categories should not be overlooked. Digital Evidence comes in numerous form factors, and can include the following:

“Cutting Edge” Forensic Accounting Methodologies (CONTD.)

“Cutting Edge” Forensic Accounting Methodologies (CONTD.)

WHICH ARE THE “BEST” TOOLS? In many instances, companies, indeed internal auditors operate on limited budgets, so it is unlikely that one company will invest in multiple forensic software. The following table displays some of the best available forensic tools researched by this presenter:

EVIDENCE RECOGNITION, COLLECTION, AND ANALYSIS TOOLS

EVIDENCE RECOGNITION, COLLECTION, AND ANALYSIS TOOLS (Contd.)

EVIDENCE RECOGNITION, COLLECTION, AND ANALYSIS TOOLS (Contd.)

“Cutting Edge” Forensic Accounting Methodologies (CONTD.)

WHICH ARE THE “BEST” TOOLS? (Contd.)

My experience and research of the software brands engaged in forensic accounting work reveal that EnCase is one of the most multifaceted, popular, effective, reputedly used by over 75% of the world’s forensic and amongst my personal favorite.

CONDUCTING – Practical Forensics (Contd.)

ACL is very popular audit tool and with innovative and Creative manipulations, internal auditors have been able to do impressive forensic work that probably were not even envisaged by the

• manufacturers. The key point to note is that using the right

Investigative tools can help to maximize the effectiveness of computer forensic work.

67

68

CYBER SECURITY

BACKGROUND The harsh reality of today’s world is that cybercrimes continue to rise in epidemic proportions. Statistics provided from organizations concerned with cyber security are frightening and many companies fail to grasp sufficiently the compelling imperatives for organizations to apply stringent Vulnerability Management techniques.

69

CYBER SECURITY

COST OF CYBER CRIMES In 2015 for example, the British insurance company Lloyd’s estimated that cyber-attacks cost businesses as much as $400 billion a year, which includes direct damage plus post-attack disruption to the normal course of

• business. Forbes magazine has projected cyber-crime costs to reach 2

trillion (US) dollars by 2019. In a study of US companies titled “2015 Cost of Cyber Crime Study: United States, sponsored by Hewlett Packard Enterprise, a representative sample of 58 organizations found that the mean annualized cost $15 million per year, a $2.7 million (19 percent) increase in mean value over 2014. They point out that the net increase over six years in the cost of cyber-crime is 82 percent.

SOURCE : CYBEREDGE GROUP’S THIRD ANNUAL CYBERTHREAT DEFENSE REPORT 70

“Given the num ber

• f

easy-to-use, feature-rich, and relatively affordable solutions available in the m arket, it is som ew hat inexplicable to us that laptop backup practices are currently so lackluster – and w e hope to see this change w hen w e ask again next year!”

Percentage of mobile users’ laptops backed up regularly

SOURCE : CYBEREDGE GROUP’S THIRD ANNUAL CYBERTHREAT DEFENSE REPORT 71

72

CYBER SECURITY

SECURITY CONSIDERATIONS Before and during the design and installation of websites, particularly Large, commercial ones, contractors should be asked to provide documented and contractual assurances of the type, nature and extent of the following security measures accompanying their installation operations:  Identification and Validation of possible risks,  The appropriate Assessment and Prioritization methods,  The relevant Remediation measures,  The Maintenance / Improvement actions suggested.

73

CYBER SECURITY

SECURITY CONSIDERATIONS (contd.) Some of critical questions to ask, and secure the relevant answers from the contractors, are the following risk considerations: (a) Bugs or Misconfiguration problems in the server that allow unauthorized remote users to:

• Steal confidential documents not intended for their eyes.
• Execute commands on the server host machine, allowing them to modify the

system.

• Gain information about the Web server’s host machine that will allow them to

break into the system.

• Launch denial-of-service attacks, rendering the machine temporarily unusable.

74

CYBER SECURITY

SECURITY CONSIDERATIONS (contd.) (b) Browser-side risks, including;

• Active content that crashes the browser, damages the user’s system,

breaches the user’s privacy, or merely creates an annoyance.

• The misuse of personal or business information, knowingly or

unknowingly, provided by the end user.

75

CYBER SECURITY

SECURITY CONSIDERATIONS (contd.) (c) Interception of network data sent from browser to server or vice versa via network eavesdropping. Eavesdroppers can operate from any point on the pathway between browser and server including:

• The network on the browser side of the connection.
• The network on the server’s side of the connection (including

intranets such as TIPS).

• The end- user’s Internet service provider (ISP).
• The server’s ISP.
• Either ISP’s regional access provider.

76

CYBER SECURITY

SECURITY CONSIDERATIONS (contd.) Penetration Tests Penetration Tests are conducted to determine the feasibility of any attack and the amount of business impact of any such successful exploits, if discovered. A Penetration Test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious user, sometimes known as Black Hat Hacker or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process

77

CYBER SECURITY

SECURITY CONSIDERATIONS (contd.) Penetration Tests (contd.) On the other hand, the term "white hat" in Internet slang refers to an ethical computer hacker,

• r

a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security

• f an organization’s information systems.

Ethical hacking is a term coined by IBM meant to imply a broader category than just penetration testing. Contrasted with black hat, a malicious hacker, the name comes from Western films, where heroic and antagonistic cowboys might traditionally wear a white and a black hat respectively. White-hat hackers may also work in teams called "sneakers", red teams, or tiger teams.

78

CYBER SECURITY

ADVANCED PERSISTENT THREATS In modern times, these crimes are increasingly including some form of advanced persistent threat (APT) - a set of stealthy and continuous computer hacking processes, often

• rchestrated by criminals targeting a

specific entity. These threats often include unknown and undocumented malware, and are designed to be evolving, polymorphic (occurring in different forms) and dynamic.

79

CYBER SECURITY

ADVANCED PERSISTENT THREATS (CONTD.) Alarmingly, they are targeted to extract

• r compromise sensitive data, including

identity, access and control information. While these types of attacks are less common than automated or commoditized threats that are more broadly targeted, APTs pose clear, present and serious dangers that must not be ignored or underestimated.

80

CYBER SECURITY

VULNERABILITIES MANAGEMENT Accordingly, enlightened organizations, public or private, are strongly advised to engage in the effective application of Vulnerabilities Management, which is defined by the Institute of Internal Auditors, Inc. as: “The processes and technologies that an organization employs to identify, assess, and remediate IT vulnerabilities – weaknesses or exposures in IT assets or processes that may lead to a business risk or security risk.”

81

CYBER SECURITY

SANDBOXING Effective Vulnerabilities Management for example, involve the design of a process to detect, access, and mitigate vulnerabilities continually by utilizing security mechanisms that include “Sandboxing.” We are familiar with a "sandbox," which is a play area for young children, designed to be safe for them since they cannot hurt themselves and safe from them since it is sand and they cannot break it.

82

CYBER SECURITY

WHAT IS SANDBOXING? In the context of IT security, "sandboxing" means isolating some piece of software in such a way (such as separating running programs) to ensure prevent or mitigate possible damage or spreading havoc elsewhere. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.

83

CYBER SECURITY

APT DETECTION / PREVENTION To better detect APTs, the more proficient security professionals are deploying advanced threat detection technologies, often including virtual sandboxes that analyze the behavior of suspicious files and uncover hidden, previously unknown malware. However, like so many other types of white-collar criminals, cyber criminals are getting smarter, and many vendors’ sandbox techniques simply have not kept up with the growing number of attacks successfully penetrating traditional sandboxes to infect their targets.

84

CYBER SECURITY

APT DETECTION / PREVENTION (CONTD.) In the ongoing efforts to stay ahead of APTs and minimizing sandbox damages, cyber security experts have developed multi-layered protection mechanisms that allow organizations for example, to pre-emptively sandbox email attachments before they are delivered to employees. This helps defend against “weaponized” attachments, but introduces some delay to email delivery. Additional protection features can also be employed to ensure that safe attachments are delivered to employees without delay by combining attachment conversion, or transcription, with on-demand sandboxing to provide comprehensive, multi-layered protection. .

85

Conclusion

The scope and mandate of forensic accounting is broad and entities might not have the budget to permanently employ an internal forensic accountant. However, organizations can secure training for critical personnel such as their accountants and internal auditors to utilize forensic accounting techniques and methodologies that the entity’s ability in fraud deterrence / prevention / detection / investigations; strengthening Internal Controls; enhancing cost savings; reduce external audit / other consultants’ fees; and

• verall add incalculable value to overall corporate governance.

86

Conclusion (contd.)

However, if and when required, despite the training of your internal officers in forensic accounting, please do not hesitate to contract a qualified and experienced professional, not only for the cost vs. benefits considerations, but also to avoid possible irreparable costs that legal hazards may present.

REMEMBER :

PRAY, AS IF EVERY THING DEPENDS ON GOD, BUT, WORK, AS IF EVERYTHING DEPENDS ON YOU !!

THANK YOU FOR LISTENING !