Item type: text; Dissertation-Reproduction (electronic). Authors: DUNN, THURMAN STANLEY. Publisher: The University of Arizona. Rights: Copyright © is ...
Other applications of computer audit programs include preparation of financial statements, preparation of accounts receivable aging analysis, printing and addressing confirmation requests, comparison of budgeted and actual amounts, computation of ratios and other statistics, listing slow-moving inventory items, matching credit limits to receivable balances, comparing physical inventory counts with master files, etc.
For computer fraud investigations, as with general audits, generalized computer audit packages can provide valuable assistance.
However, they should be viewed as tools which can facilitate the investigative process rather than a means for actually performing the investigation.
Further discussion of computer audit programs is provided in Appendix B.
Investigation Of Threats From The Typology

In the remainder of this chapter an attempt will be made to provide some insight into the investigation of the computer fraud threats identified in the typology. Recall that twenty-one scheme/perpetrator threats were identified in the typology. These threats and their associated threat values are shown in Chapter 3, Figure 13. The threats in Figure 13 may be grouped into the following:
1. Transaction Manipulation Schemes
2. Unauthorized Program Modification Schemes
3. File Manipulation Schemes
4. Improper Operation

The approach for investigating these schemes from the typology varies, as does the applicability of the above audit approaches. The relationship between these schemes and the above audit approaches and other suggested investigative schemes is provided below:
Transaction Manipulation Schemes

Recall that transaction manipulation schemes may be further divided into the following:
1. Transactions Added
2. Transactions Altered
3. Transactions Deleted

A primary factor in determining the investigative approach for transaction manipulation schemes is the existence or nonexistence of transaction registers. If the system automatically records critical information any time a transaction is processed, whether it is added, altered or deleted, it may be feasible to "Audit Around the Computer".
However, the mere existence of a transaction register providing an apparent audit trail may not be adequate. If the transaction register can be bypassed or manipulated its use would be questionable.
If there is not a transaction register, or if the register may be bypassed or manipulated, it will probably be necessary to use more stringent investigative procedures. The use of "Auditing Through the Computer" with Test Data or Reprocessing schemes might be adequate.
However, in certain cases it might be possible for the computer fraud perpetrator to distort the results of this approach. For example, program changes or "patches" might have been invoked when certain data was originally processed, allowing transactions to process fraudulently.
These changes or "patches" may have since been removed causing Test Data to process accurately.
It is suggested that a more aggressive investigative approach might be required. This approach, which will be entitled "Live Monitoring", would select certain live transactions as they are being processed for investigation. Since these transactions would be randomly selected and unannounced, it is possible that, in the above instance, a transaction being processed while the fraudulent program changes or "patches" were in place would be investigated, leading to the disclosure of fraudulent activity.
In summary, Transaction Manipulation - the most common type of computer fraud reported, may require any or all of several investigative approaches. Although the less aggressive approaches might be adequate in certain situations, their use should always be evaluated from the viewpoint of the fraud perpetrator who quite possibly is clever enough to cover up his or her tracks.
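The "Live Monitoring" check described above, as an added illustration that is not part of the dissertation: a constructed stream of live transactions is sampled at random as it is processed, and each selected transaction is compared with the system's transaction register, so a bypassed or altered register entry is exposed. The record layout, the reservoir-sampling selector and the sample data are assumptions made for the example.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    amount: float
    action: str  # "added", "altered" or "deleted"


# Constructed sample: transactions as the system actually processes them.
LIVE_STREAM = [
    Txn("T1001", "AR-301", 250.00, "added"),
    Txn("T1002", "AR-117", -80.00, "altered"),
    Txn("T1003", "AR-301", 250.00, "deleted"),
    Txn("T1004", "AR-422", 1200.00, "added"),
    Txn("T1005", "AR-117", 40.00, "added"),
    Txn("T1006", "AR-088", 15.00, "altered"),
]

# Constructed transaction register as the system recorded it. T1003 never
# reached the register (bypassed) and T1004 was recorded with a different amount.
REGISTER = {t.txn_id: t for t in LIVE_STREAM if t.txn_id != "T1003"}
REGISTER["T1004"] = Txn("T1004", "AR-422", 120.00, "added")


def select_live(stream, k, seed):
    """Pick k transactions from the live stream, unannounced and at random
    (reservoir sampling), without needing to know the stream length first."""
    rng = random.Random(seed)
    chosen = []
    for i, txn in enumerate(stream):
        if i < k:
            chosen.append(txn)
        elif (j := rng.randint(0, i)) < k:
            chosen[j] = txn
    return chosen


def check_against_register(selected, register):
    """Compare each selected live transaction with its register entry."""
    findings = []
    for txn in selected:
        recorded = register.get(txn.txn_id)
        if recorded is None:
            findings.append((txn.txn_id, "not in register"))
        elif recorded != txn:
            findings.append((txn.txn_id, "register differs from live"))
    return findings
```

Running `check_against_register(LIVE_STREAM, REGISTER)` over the whole constructed stream reports T1003 as bypassed and T1004 as altered; a smaller random sample catches them only if it happens to include them, which is why the selection should be unannounced and repeated.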
Unauthorized Program Modification Schemes

Program Modification Schemes are, perhaps, the most insidious of schemes and the most difficult to investigate. Program patches may be included in a "special" run, then removed so that the programs behave appropriately for normal operations. Further, part of the patch may be a special process to wipe out any evidence of the special run.
Obviously, the typical perpetrator, clever enough to invoke such a scheme, is not going to leave a documented record of his or her activities for an auditor to review after the fact. Thus, it is suggested that a "Live Monitoring" approach similar to that described above for difficult Transaction Manipulation Schemes will be required to effectively investigate Unauthorized Program Modification Schemes.
File Manipulation Schemes

File Manipulation Schemes are typically variants of Transaction Manipulation and Program Modification Schemes. Thus, the investigative approaches described in those sections generally apply. Once again, it may be necessary to invoke a "Live Monitoring" approach since "dummied-up" files can be run, then replaced with authentic files with no trace of the activity. The "Live Monitoring" approach enables the investigator to catch the perpetrator "red-handed" during the fraudulent process.

Improper Operation

The "Live Monitoring" approach is probably the only reasonable approach to investigating the Improper Operations Scheme. It is doubtful that any scheme involving the improper operation of the computer system will be documented for the benefit of the auditor or investigator. Thus, it is suggested that random, surprise visits whereby the current operations are investigated be used.
Summary

At the beginning of this chapter a distinction was drawn between an "Investigation" and an "Audit" in order to explain entitling the chapter "The Investigation" rather than "The Audit". It should be evident at this point that in dealing with computer fraud the examination more clearly resembles an investigation than a traditional audit. This is not to say that the examination should not be conducted by auditors. To the contrary, it most likely will be. However, in conducting the examination it is suggested that, in addition to possessing or having access to significant expertise in EDP, the auditor must think like an investigator. No longer is it adequate to come in after the fact and methodically pore through reams of source documents constituting an audit trail to piece together activities surrounding an organization and comment on their appropriateness.
"Live Monitoring" is suggested as an essential next step in the evolution of the audit process as it pertains to automated systems.
The methodologies for computer fraud detection presented in this thesis may be facilitated to varying degrees by automated analysis. The specific threat assessment in Chapter Five contains several steps, such as the completion of the threat matrix and, certainly, the manipulations in the Churchman-Ackoff Ranking Process, which would benefit from automation. The Resource Optimization Model in Chapter Seven, which utilizes the solution to the Combinatorial Dilemma presented in Chapter Six, literally demands the use of automation.
The purpose of this chapter is to suggest specific techniques of automated analysis to support the above methodologies and provide information on available audit packages.
Threat Assessment

The process of identifying and evaluating threats described in Chapter Five, "Specific Threat Assessment", lends itself quite well to automated support. The processes which would benefit the most from automation follow.

Churchman-Ackoff Process

Referring back to Figures 24, 25 and 26, it is apparent that the Churchman-Ackoff process of first ranking the threats in the order of their importance, then iteratively comparing the threat values of specific threats to combinations of other threats and adjusting threat values based on these comparisons, is both labor intensive, if accomplished manually, and quite amenable to automation.
The suggested approach is an interactive computer program whereby the decision-maker or group enters their identified threats and initial values into a terminal. The computer would then offer the choices between the identified threats and the various combinations of other threats described in Chapter Five. Finally, the computer program should check for inconsistencies and automatically adjust threat values to correct for them, replacing the manual process demonstrated in Figures 25 and 26.
Threat Matrix

Following the identification of system scheme and perpetrator threats and their ranking using the Churchman-Ackoff Method, a threat matrix such as that in Figure 29 must be developed. This process combines scheme/perpetrator combinations and their associated threat values in matrix cells. In addition, it is the beginning point for the Controls Analysis also discussed in Chapter Five.
Automation of the threat assessment routines including the Churchman-Ackoff, Threat Matrix and Controls Analysis processes should be relatively straight-forward, following the descriptions in Chapter Five.
Resource Optimization Model

Automation of the Resource Optimization Model is considered a virtual necessity. Although the model might conceivably be performed manually in certain situations, its labor intensity would probably preclude manual application in all but the simplest of systems.
Following the solution to the Combinatorial Dilemma presented in the flow chart in Figure 32 (Chapter Six) and the description of the Resource Optimization Model in Chapter Seven, automation should not be too difficult.
The Iterative Discovery Sampling Technique is fairly straightforward. The process will be simplified significantly through the use of a "Random Number Generator" software package since the process requires random selection of potentially thousands of combinations.
Internal Control

Lieberman (1977) developed a "Methodology for the Automation of the Internal Control." Lieberman proposed a methodology for aiding by computer an analysis of a plan of internal control. The methodology consists of three major steps. First, a formal documentation of the company being audited is prepared. This document describes those functions of the client that will be evaluated by computer. This documentation serves as a model, representing processes, people, data and their associated interrelationships. The model is constructed in a formal language called "PSL/A" and stored in a computer data base.
The second major step in Lieberman's methodology is a set of rules defined by the auditor. These rules take the form of search operations representing the evaluation criteria that the auditor uses during the audit process. The rules, which are stated in a formal language called "Rules", describe allowable and required entities, conditions and relations in the model of the client. The rules, in effect, describe an ideal plan of internal control and subsequently will be compared to the documented plan of internal control.
The final step in Lieberman's approach is an evaluation process which reads through each rule and searches through the data base under control of that rule. Any conditions in the data base that are in violation of the rule are reported as possible weaknesses in the plan of internal control. The evaluation is performed in an interactive mode, allowing the auditor to discover possible weaknesses and then explore them further with additional rules.
The Investigation

Numerous automated systems exist which can facilitate the investigative process described in Appendix A. Many of these systems are available "off-the-shelf" for general use.
Recall that the investigation encompasses such techniques as: Evaluation of Internal Control; Auditing Around the Computer; Auditing Through the Computer; Auditing With the Computer; processing of Test Data; Reprocessing; and Live Monitoring. All of these techniques may be facilitated by existing software packages.
Audit software provides the auditor or investigator with numerous capabilities for performing the actual investigation once systems threats have been identified, categorized and ranked. Perry and Kuory (1980) break these capabilities into fourteen categories:
1. Analyzing Records
2. Performing Computations
3. Comparing Two Files
4. Comparing Two Fields
5. Stratifying Files
6. Selecting a Random Sample
7. Resequencing Data
8. Summarizing Data
9. Preparing Data for Printing
10. Building Files
11. Restructuring Information
12. Updating Files
13. Statistical Analysis
14. Simulating Portions of a Whole System (by Parallel Simulation)

These capabilities relate, to varying degrees, to the different techniques of auditing or investigating a system for computer fraud. A brief discussion of the capabilities from Perry and Kuory follows:
Audit Software Analyzes Records. Audit software provides the ability to perform an analysis on the information in records and data bases. The purpose of this analysis is normally to identify certain information for audit follow-up purposes. For example, audit software could analyze accounts receivable records to determine if the balances were positive or negative.
The result of this analysis would be a listing of all of the accounts receivable records that carry a negative balance. The analyst looks at one field at a time and makes decisions based on that examination. The types of analysis that can be performed on a specific field include:
1. Whether it is positive or negative
2. Whether it has a specific value (e.g., the state of Florida)
3. Whether it is greater than, equal to, or less than a specified value (e.g., greater than $1,000)
4. Whether it is numeric or alphabetic
5. Whether it is zero

Information in data bases frequently cannot be accessed directly by audit software. However, the information in data bases can usually be converted to a "flat file" (i.e., a sequential record file) and then analyzed through the use of audit software.
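The single-field record analysis described above, as an added example that is not the dissertation's own code and not any particular audit package: a constructed fixed-width "flat file" of accounts receivable records is parsed into fields, and each of the five field tests from the text is applied one field at a time, producing, among others, the listing of negative-balance accounts. The record layout (account, customer name, state, signed balance) and the sample data are assumptions made for the example.

```python
from decimal import Decimal

# Constructed flat file: one fixed-width sequential record per line.
# Columns: 0-5 account number, 6-25 customer name, 26-27 state, 28- signed balance.
FLAT_FILE = """\
000301JOHNSON SUPPLY      FL    1250.00
000117ACME METALS         GA     -80.00
000422WESTERN FREIGHT     FL       0.00
000088NORTH PINE INC      TX   -1750.25
000509ABC123 HOLDINGS     CA    3400.10
"""


def parse_flat_file(text):
    """Split each fixed-width record into named fields; money as Decimal."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        records.append({
            "account": line[0:6],
            "name": line[6:26].rstrip(),
            "state": line[26:28],
            "balance": Decimal(line[28:].strip()),
        })
    return records


# The five single-field tests from the text, each a predicate on one field value.
def is_negative(v):
    return v < 0


def equals(target):                 # e.g. equals("FL"): the state of Florida
    return lambda v: v == target


def greater_than(limit):            # e.g. greater_than(1000): over $1,000
    return lambda v: v > limit


def is_alphabetic(v):               # letters and blanks only; fails on "ABC123"
    return v.replace(" ", "").isalpha()


def is_zero(v):
    return v == 0


def select(records, field, predicate):
    """Audit follow-up listing: records whose one field satisfies the test."""
    return [r for r in records if predicate(r[field])]


def negative_balance_listing(text):
    """The text's worked example: all AR accounts carrying a negative balance."""
    return [(r["account"], r["balance"]) for r in select(parse_flat_file(text), "balance", is_negative)]
```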