If you work in Internal audit department, below are ideas on how you can have your Audit committee commit funds to establishing a robust computer forensic investigations department. Remember, the same tools can help you undertake proactive forensics. And in your justification, error on proactive forensics — getting to the bottom of past frauds so that they are never repeated. When you catch a fraudster, they usually think twice!
Below is a justification statement to your Audit Committee of the Board. Remember, your CEO may see no need to empower you with all the skills and tools you need. The ultimate business owner has. If you can have a lunch talk with them, take your chances.
Today, over 95% of all documents are created using computers. This is true in any business. Daily electronic mail and telephone usage traffic far outstrips postal mail and other hard copy documents (notwithstanding these mails are written using computers). Computer technology impacts every facet of modern life, and the crimes, torts and disputes, which carry us to the courthouse, are no exception.
The new field of computer forensic entails the identification, preservation, extraction, interpretation and presentation of computer-related evidence. A lot information is processed and retained by a computer than many people realize.
Without using the right tools and techniques to preserve, examine and extract data, auditors, investigators, legal officers and or security managers run the risk of losing something important, rendering what you find inadmissible, or even causing spoliation of evidence.
With the increasing need to provide accountability and professional due diligence, any business worth its name must empower its Internal Audit and legal departments with adequate resources to attain the right tools and skills to provide assurance to the Board and senior management over the integrity of the organization’s critical systems and processes, of which IT systems are key.
[In case you are an auditor in a government institution, the below information is critical. But use your creativity supported with internal data to sell your point.]
The Government of Uganda through the Ministry of Finance Planning and Economic moved away from the traditional (manual) accounting systems to automated systems including the integrated financial management systems (IFMS). The Government has also to date implemented the Electronic Funds Transfer (EFT) and the Integrated Payroll and Personal System (IPPS). In all ministries, government has invested heavily in personal computers, network infrastructure and internet access, among others. Senior staff nowadays uses mobile phones, flash disks and DVDs to store and transfer data and information.
Taken together, the use of computers and other digital tools to collect, store, process and produce data is on the rise. This electronically stored information (ESI) is mission critical to any business — private or public. Your board rely on it to make decisions that are critical for the growth of the institution.
Research shows that an average organisation loses over 5-15% of her annual revenue to fraud annually, of which 70% is IT related. This means, with a turnover of say UGX.10billion, an average company loses about Ugx.1.5billion to fraud. Digital forensics and e-discovery helps you know who, what, how, why, and when it all happened, and can go a long way to preventing future occurance. Fraud occurs because fraudsters know that they will not be caught, and if caught, they will not be prosecuted. And if prosecuted, the punishment will be minimal compared to the proceeds from their fraud. Investing in robust forensic tools can help bring culprits to book. They also must be made to refund the money to make it less profitable for them to defraud.
This process automation by the Government, and private businesses is commendable. However, such level of automation of critical processes may be prone to abuse, fraud, waste, and inefficiencies by those with skills. The challenge with automation is that it significantly increases the scale of fraud and related risks, and may go on undetected for long periods. In the end, key stakeholders will ask, where was the Board? Where was Internal Audit? Today, there is a big risk of cyber crime, automated frauds and malicious attacks, where internal or external people might stealthily use computers to steal government and tax payer money. The audit reports will continue coming out.
But of what use is an audit report that delivers no tangible value? How come same problems keep coming up again and again?
Because a company’s Internal Audit lacks the necessary skills, tools and software to undertake forensic investigations with objective of determine the what, who, where, how, when and why in respect to each incident, such fraudsters usually go scot free. Given the nature of IT fraud, it is concealed, and if you don’t have the right tools, you may never detect it.
In order for the internal audit to remain more relevant and effective, there is need to be more pro active in the away it full fills its mandate of providing an independent objective assurance and consulting activities. The department of internal audit and risk management in any company is desirous of implementing digital forensic investigation tools to ensure that potential ICT related fraud are identified, investigated, and proactive measures implemented. This will promote accountability and confidence in the implemented ICT systems, and gives assurance to Government and all development partners of the capacity of the Senior management team and the Board to provide adequate oversight role.
You need on going training in computer forensics. You need resources to investigate.
You are free to modify the above to write to your Audit Committee a justification for increased funding to your internal audit or investigations department. There is no reason how you can add value in a highly computerised environment without having the right tools and skills to obtain first hand information.
The age of an Internal Auditor going to IT manager and requesting: “print for me an audit trail”, “print for me a list of all customers with a negative balance”, are long gone. If you are still doing like that, you deserve no respect and you are a liability to the business as you cannot add any value.
Copyright MMugisa 2013. All rights reserved. Your success partner.