Group Members:
Rifda Nadifah (C1I016020)
Fatikhah Geya Rizki Syah Putri (C1I016035)
Safira Ulfa (C1I016049)
Khoirunnisa Abidah (C1I016050)
Top Five Fraud Axioms IT Auditors Should Know
1. Professional Skepticism
Professional skepticism is a critical component of an auditor's duty of care that applies throughout any engagement. It is an attitude that includes a questioning mind and a critical assessment of the appropriateness and sufficiency of audit evidence. It requires being alert to conditions that may indicate possible misstatement due to error, neglect or fraud.
Therefore, one of the first things with which IT auditors need to get comfortable is a realistic view of the scope of fraud. According to the Association of Certified Fraud Examiners (ACFE), the total loss from fraud in any one year in the US is between 5 and 7 percent of gross revenues, with the latest statistic estimating total losses in the US economy at almost US $1 billion. So, the conclusion is twofold: fraud has a vast scope, and it can happen anywhere. Therefore, it is important to be consistent with professional skepticism. Also, the fraudster (white-collar criminal) is usually someone who is least suspected. In fact, fraudsters frequently do not look like crooks at all. Statistical profiles of white-collar criminals describe them as tending to be tenured at the entity, in a trusted position because they earned the trust of management, and relatively well educated. Again, professional skepticism is necessary to prevent one from being fooled, and, even then, there is a chance a fraudster can get away with a crime.
International Standards on Auditing 200 (IAASB, 2009) also emphasizes the importance of professional skepticism. It states that the auditor must plan and carry out the audit with professional skepticism, being aware of possible material errors in the financial statements. The auditor's work always relates to proof and to the search for the truth of the evidence in documents and working papers, following the procedures of the standards they adhere to. This does not mean the auditor works only to fulfill existing standard procedures, especially when important evidence is found: without the courage to challenge management's assertions, the auditor will not be able to perform the function of preventing and detecting fraud (Financial Reporting Council, 2010). For this reason, the auditor must be able to apply the right level of professional skepticism.
2. Toe In The Water
"Toe in the water" means trial and error, like a toe dipped in water to test its temperature. One theory of fraud suggests that fraudsters begin their slippery slope into crime with a "test." That is, they put together a fraudulent transaction or event and "float" it out into the entity's environment to see if they can get away with the fraud.
If the test is noticed, they apologize ("oops, I made a mistake") to defend themselves and cover up their actions, and if it is not noticed they continue the fraud. IT auditors must know about actions like this and must be able to handle them properly. For example, if the IT auditor encounters irregularities, the IT auditor must meet the responsible party and follow up firmly. The IT auditor should exercise due diligence in obtaining independent verification where feasible, and should obtain it before approaching the party responsible for the transaction, especially where circumstances increase suspicion. For example, in one fraud case, the auditor came to the responsible party and asked why a certain account amount was exactly double what it should have been. The accounting clerk stuttered, having been surprised, and the auditor himself gave the person an opportunity to use the "oops" defense, as he said to her, "You must have accidentally double paid the vendor." In reality, it was a fraud scheme and not an overpayment.
3. Escalation Of The Crime
Most fraudsters who get caught tend to escalate their crime. The fraudster who floats the test and finds that it goes unnoticed will decide to take more from the victim. That can be done by committing more fraudulent transactions in a shorter period of time, taking larger amounts in each transaction or adding a new scheme. But this escalation is good news to those looking for evidence of fraud, because it makes the fraud easier to discover. For example, IT auditors can see it in a significant increase in purchases from one vendor, which is a suspected red flag.
4. Tip Of The Iceberg
Often, fraud is discovered accidentally as the result of a deliberate procedure. In such cases, clever auditors usually see an event or transaction (for example, a check worth US $2,000), become suspicious for one reason or another (often described by experts as a "smell test"), and choose to dig deeper (for example, to find dozens of other checks totaling US $400,000 and other fraud schemes). This is the "tip of the iceberg" theory, often known simply as iceberg theory. The tip of the iceberg theory states that behavior is determined by the subconscious, which contains instincts and human biological impulses.
The biggest part of the human mind lies in the unconscious, which we can never see. If this is related to the theory of success, we cannot deny that someone usually achieves success after making various choices of actions or words that can be seen or are actually carried out, as in the theory of decision making in psychology.
Freud divided psychological conditions, which are not always visible, into three structures of human consciousness, namely: conscious, preconscious and unconscious.
a. Conscious
At this level, awareness contains all the things that are being observed at a certain time. Only a small part of mental life (memories, perceptions, feelings and thoughts) enters this level of consciousness.
Everything that occurs at this level of consciousness (memories, perceptions, feelings and thoughts) is the result of screening regulated by stimulus and does not last long. The mental processes that occur are then suppressed and pass into the preconscious or the unconscious.
b. Preconscious
The preconscious is part of available memory, and at this level it becomes a bridge between the conscious and the unconscious. Because its function is to be a bridge, the preconscious level contains material that comes from both the conscious and the unconscious.
When what has happened and been experienced is no longer observed, it is moved into the preconscious and then into the unconscious. But at any time, memories from the unconscious can appear in the preconscious in symbolic form: dreams, slips of the tongue, reflex movements and self-defense mechanisms.
c. Unconscious
This part is the deepest level of the structure of human consciousness according to Freud. In particular, Freud claimed to have proved that the unconscious is not a hypothetical abstraction but an empirical reality.
This unconscious level, more commonly known as the human subconscious, contains instincts, stimuli, natural impulses that humans carry from birth, and traumatic experiences that can be repressed from the conscious level into the unconscious. All mental processes that are suppressed into the unconscious can last a long time and can affect human behavior without the person realizing it.
The iceberg is an apt symbol for this: only a small part of the ice appears above the surface of the water, and most of it is below the surface. This is the same as the levels of human consciousness, where more mental processes occur at the unconscious level and only a few at the conscious level in the psychology of communication.
The ice that is mostly below the surface of the water is likened to the level of human unconscious thinking, the part of the ice level with the surface of the water is the preconscious, and the ice above the surface of the water is human consciousness.
In addition to dividing mental processes into three levels of consciousness, Freud later also divided the dynamics of human psychology into three important, interrelated components that together produce behavior.
For example, if an IT auditor notices in the data that an employee receives two checks in one pay period for the same gross amount, and company policy does not allow more than one check per pay period, that would be an anomaly (a red flag). Someone might give reasons that sound legitimate for the duplication ("oops"), but IT auditors should consider tracing these facts to see if there is more fraud and/or suspicious data there.
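The duplicate-check test described above can be run over a whole payroll register instead of waiting to spot it by eye. The following is an added example, not part of the original essay; the column names, the sample register and the function names are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample payroll register (illustrative, not real data).
SAMPLE_PAYROLL = """check_no,employee_id,pay_period,gross
1001,E01,2019-03,2500.00
1002,E02,2019-03,3100.00
1003,E02,2019-03,3100.00
1004,E03,2019-03,1800.00
1005,E03,2019-03,450.00
1006,E02,2019-04,3100.00
1007,E02,2019-04,3100.00
1008,E01,2019-04,2500.00
"""

def load_checks(text):
    """Parse the register; Decimal avoids float rounding when comparing amounts."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["gross"] = Decimal(row["gross"])
    return rows

def payroll_red_flags(rows):
    """Flag every (employee, pay period) that holds more than one check."""
    groups = defaultdict(list)
    for row in rows:
        groups[(row["employee_id"], row["pay_period"])].append(row)
    flags = []
    for (emp, period), checks in sorted(groups.items()):
        if len(checks) < 2:
            continue  # one check per period is what the policy allows
        amounts = [c["gross"] for c in checks]
        # 'duplicate': same gross amount repeated; 'multiple': amounts differ.
        kind = "duplicate" if len(set(amounts)) < len(amounts) else "multiple"
        # exposure: everything paid beyond the single largest check.
        flags.append({"employee_id": emp, "pay_period": period, "kind": kind,
                      "checks": [c["check_no"] for c in checks],
                      "exposure": sum(amounts) - max(amounts)})
    return flags

def repeat_flagged(flags):
    """Employees flagged in more than one period: trace these beyond the first hit."""
    periods = defaultdict(set)
    for f in flags:
        periods[f["employee_id"]].add(f["pay_period"])
    return sorted(e for e, p in periods.items() if len(p) > 1)
```

A flag here is a lead for independent verification, not a finding: the check numbers it returns are what the auditor pulls before talking to anyone.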
This concept extends to the confessions of fraudsters. It is very common for fraudsters who are caught and choose to confess to admit only the amount of fraud known to date, or a number far below the actual number (that is, to admit to the tip of the iceberg, or to something significantly smaller than the entire iceberg). Obviously, fraudsters hope the victims will stop looking and settle for the lower amount. For example, a fraudster can decide that it is easier to admit to US $30,000 and repay it, rather than admit to the actual US $400,000 fraud. Thus, IT auditors and fraud investigation teams must consider a thorough fraud audit to determine the amount of loss independent of the fraudster, to the extent practicable. Subsequent fraud audits will likely benefit from data mining and data analysis by IT auditors.
5. Data Mining And Analysis
Data can be invaluable in a fraud investigation. Proper data mining and data analysis can lead to a proper description of the fraud, how it took place, what controls were thwarted, the approximate level of loss and even who committed the fraud. So the IT auditor can play an invaluable role in gathering data, mining it, analyzing it, and providing the lead investigator with evidence and information. Also, the IT auditor can be an invaluable resource to convert the mass of data into something that a judge or members of a jury can easily understand and assimilate into their thought processes (e.g., charts, diagrams, other high-tech visual aids).
But, usually, the data alone are insufficient to make a case, even if it is a corporate investigation. A court case will likely require more than just the data. Therefore, the IT auditor needs to work closely with the lead investigator and others on the investigation team, as the team will likely need to conduct interviews and perform other tasks to collect more evidence and information.
Witten and Frank defined data mining as the process of discovering patterns in data. The process must be automatic or (more usually) semi-automatic. The patterns discovered must be meaningful in that they lead to some advantage, usually an economic advantage. The data is invariably present in substantial quantities. In other words, we could describe data mining as the use of sophisticated data search in order to discover patterns and connections in large pre-accessible databases.
In general, data mining techniques can be classified into two categories according to the type of machine learning technique:
1) Supervised Learning for Fraud Detection
This method uses supervised learning in which all the available records are classified as "fraudulent" and "non-fraudulent". Then machines are trained to identify records according to this classification. However, these methods are only capable of identifying frauds that have already occurred and about which the system has been trained.
2) Unsupervised Learning for Fraud Detection
This method only identifies the likelihood of some records to be more fraudulent than others without statistical analysis assurance.
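An unsupervised test needs no labelled fraud cases: it only ranks records by how unusual they are. The added example below (not part of the original essay) applies that idea to the escalation red flag from section 3, scoring each vendor's recent monthly purchases against that vendor's own earlier baseline with a median/MAD modified z-score. The vendor names, figures, function names and the 3.5 cutoff are assumptions chosen for illustration.

```python
from statistics import median

# Constructed monthly purchase totals per vendor, oldest first (not real data).
SAMPLE_PURCHASES = {
    "V-ALPHA": [10200, 9800, 10500, 10100, 9900, 10300],   # steady
    "V-BRAVO": [4000, 4100, 3900, 4200, 7800, 12500],      # escalating
    "V-CHARLIE": [700, 2500, 600, 2400, 800, 2600],        # volatile but stable
}

def robust_score(history, value):
    """Modified z-score of value against history, using median and MAD.

    Median and MAD are used instead of mean and standard deviation so that
    one earlier outlier in the baseline does not hide a later one.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:  # perfectly flat baseline: any change at all is unusual
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad

def escalation_ranking(purchases, baseline_months=4):
    """Rank vendors by the highest score any recent month reaches."""
    ranking = []
    for vendor, totals in purchases.items():
        baseline, recent = totals[:baseline_months], totals[baseline_months:]
        peak = max(robust_score(baseline, v) for v in recent)
        ranking.append((vendor, round(peak, 2)))
    return sorted(ranking, key=lambda item: item[1], reverse=True)

def flagged(purchases, cutoff=3.5):
    """Vendors whose peak score exceeds the cutoff (3.5 is a common convention)."""
    return [v for v, score in escalation_ranking(purchases) if score > cutoff]

if __name__ == "__main__":
    for vendor, score in escalation_ranking(SAMPLE_PURCHASES):
        print(f"{vendor:10s} {score:8.2f}")
```

The ranking says which vendors to examine first; it does not say that fraud occurred, which matches the limitation the text notes for unsupervised methods.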
Fraud possibilities co-evolve with technology, especially information technology. Business reengineering, reorganization or downsizing may weaken or eliminate controls, while new information systems may present additional opportunities to commit fraud.
Traditional methods of data analysis have long been used to detect fraud. They require complex and time-consuming investigations that deal with different domains of knowledge like financial, economics, business practices and law. Fraud often consists of many instances or incidents involving repeated transgressions using the same method. Fraud instances can be similar in content and appearance but usually are not identical.
The first industries to use data analysis techniques to prevent fraud were the telephone companies, the insurance companies and the banks (Decker 1998). One early example of successful implementation of data analysis techniques in the banking industry is the FICO Falcon fraud assessment system, which is based on a neural network shell.
Retail industries also suffer from fraud at the point of sale (POS). Some supermarkets have started to use digitized closed-circuit television (CCTV) together with POS data for the transactions most susceptible to fraud.
Conclusion
The IT auditor has a key role in fraud detection, prevention and investigation in today's business world. It is important for the IT auditor to understand the key aspects of antifraud as it relates to IT audit. This knowledge could help the IT auditor be prepared to recognize a piece of fraud evidence, develop a sense of red flags and understand how certain fraud schemes are perpetrated. These five issues are a start in developing the knowledge and skills to be effective at detecting and investigating frauds.