San Francisco ISACA Fall Security Conference, G32: WikiLeaks, Social Media & Whistleblowers, and the Future of IT Auditing
1. G32
The Changing Influences of Social
Media, WikiLeaks and Whistleblowers
Future of IT Auditing: A Definitive
Landscape
2. Agenda:
• Part One: Social Media
– Bart (The Metaphor), WikiLeaks, OpenLeaks,
LulzSec, and Anonymous et al. . .
• Part Two: Whistleblowers - A Growth Industry
• Part Three: Auditors and Their Reputation
When Dealing With Fraud
• Part Four: What’s Over The Horizon
• Part Five: Take Aways (aka: Tool Time)
3. Bart: The Metaphor
• Bart: The Story
– Who was impacted
• Commuters, Police, Employees of BART and Protesters
– Friends and Family
• Tools Used
– Social media, Facebook, Twitter, et al. . .
– Side Bar: Facebook handed $40,000 to hackers for finding
flaws in its website as part of its Bug Bounty scheme.
Facebook joins a growing list of companies, including Google,
which pay independent hackers for this sort of information.
4. WikiLeaks, Its Influence. . .:
• Leaked Documents Suggest China Might Have
The Upper Hand in Cyber War. . .
– “According to US investigators, China has stolen terabytes of
sensitive data, from user names and passwords from State
Dept. computers to designs for multi-billion-dollar weapons
systems,” wrote Brian Grow & Mark Hosenball in a report for
Reuters.
– They credit WikiLeaks for revealing previously secret details
about China’s ongoing cyber assault, which the US
government has code named Byzantine Hades. Specifically,
they wrote, the State Dept. cables that WikiLeaks published
show that the Chinese military was the source of those
attacks, not some rogue hacker group. . .
5. WikiLeaks:
• A Tool For Whistleblowers
• “A senior advisor to Gordon Brown put pressure on the
commander of NATO forces in Afghanistan to play down
the “bleak and deteriorating” situation to reduce
criticism of his government, leaked documents disclose.
Brown, the prime minister at the time, visited the
country and met General Stanley McChrystal, the US
military commander . . .”
6. OpenLeaks Joins The Crowd. . .:
• 26th January 2011, OpenLeaks goes public
• OpenLeaks considers itself a non-profit community and
service provider for whistleblowers and organizations,
media, and individuals who engage in promoting
transparency. It makes leaking at a local, grassroots level
possible and allows for certain scalability.
– OpenLeaks will not accept or publish documents on its own
platform, but rather create many "digital dropboxes" for its
community members, each adapted to the specific needs of
our members so that they can provide a safe and trusted
leaking option for whistleblowers. . . .
7. OpenLeaks:
– Besides developing and building the technical
platform, we want to encourage leaking all over
the world while minimizing risks for
whistleblowers.
• The split between submission and publication of leaked
documents makes the whole process safer for all who
participate in it, and at the same time makes scaling so
much easier. Watch our video, which explains this
concept visually.
8. LulzSec: Another Member of The Social Media
‘Hive’. . .
• LulzSec 'takes down' CIA website
• The hacker group Lulz Security claims it temporarily
brought down the public-facing website of the US
Central Intelligence Agency.
• Lulz Security attacks
» May 10: Fox.com user passwords,
» May 15: Database listing locations of UK cash machines,
» May 23: Sony Music Japan website,
» May 30: US broadcaster PBS, staff logon information,
» June 2: Sonypictures.com user information,
» June 3: Infragard website (FBI affiliated organization),
» June 3: Nintendo.com,
» June 13: Senate.gov - website of US Senate,
» June 13: Bethesda software website, user information
9. LulzSec:
LulzSec Opens A Hack Request Hot Line. . .
• Callers are met with a recorded message, in a heavy
French accent, by an individual named Pierre Dubois.
The (614) area code appears to relate to the state of
Ohio. . .
– LulzSec accesses 62,000 email addresses and passwords
belonging to victims such as IBM, as well as state and federal
governments. Affected agencies include, but are not limited to: US
Army, Navy, and Air Force, FCC, US National Highway Traffic
Safety Administration, Veterans Administration and the US
Coast Guard.
10. Anonymous: One Among Many. . .
• Sets An Example:
– The HBGary hack
• HBGary Federal positioned itself as an expert in
computer security. . .
• HBGary Federal CEO Aaron Barr thought he had
unmasked the hacker hordes of Anonymous and was
preparing to name and shame those responsible for
coordinating the group's actions, including the
denial-of-service attacks that hit MasterCard, Visa, and other
perceived enemies of WikiLeaks late last year. . .
11. Anonymous. . . All Ages, All Walks of Life:
• Here’s What They Can Do
• When Barr told one of those he believed to be an
Anonymous ringleader about his forthcoming exposé,
the Anonymous response was swift and humiliating.
– HBGary's servers were broken into,
– its e-mails pillaged and published to the world,
– its data destroyed,
– its website defaced.
• As an added bonus, a second site owned and operated
by Greg Hoglund, owner of HBGary, was taken offline
and the user registration database published.
13. Part Two:
Whistleblowers A Growth Industry
• Enron Whistleblower. . . The Use of Dodd-Frank
Whistleblower Provisions
– Sherron Watkins, former Vice President at Enron, discussing the
Dodd-Frank Whistleblower Provisions at an event held by the New York State
Society of Certified Public Accountants on January 28th, 2011.
• Corporate Whistleblowers
– Will hand over corporate fraud evidence to media such as
WikiLeaks rather than the SEC, thereby allowing them to
continue employment in the corporate world without the
stigma of being a whistleblower.
14. Whistleblowers & The SEC, Too:
• EFFECTIVE DATE: August 12, 2011
• SECURITIES AND EXCHANGE COMMISSION
– Dodd-Frank requires the Commission to pay an award, subject
to certain limitations, to eligible whistleblowers who
voluntarily provide the Commission with original information
about a violation of the federal securities laws that leads to
the successful enforcement of a covered judicial or
administrative action, or a related action. . .
– Dodd-Frank also prohibits retaliation by employers against
individuals who provide the Commission with information
about possible securities violations. . .
15. Whistleblowers: Cut Across All Sectors
• Swiss Bank HSBC Whistleblower. . .
– Assets of about £13bn could net millions of pounds in unpaid
tax revenues. . .
– A disk leaked to the French authorities is said to contain the
names of 79,000 HSBC clients in 180 countries.
– An employee of HSBC in Geneva leaked the data to French
officials, who passed it on to the UK. A spokesperson for HSBC
said: “HSBC in no way condones tax evasion and in no way
do we assist it”. . .
• SEC
» A whistleblower at the SEC has accused the agency of
destroying more than 9,000 files related to preliminary
investigations into SAC Capital, Bernard Madoff, Goldman
Sachs and other financial groups. . . (To Be Continued).
16. Part Three: Auditors, Their Reputation When
Dealing With Fraud. . .
“Because the determination of abuse is
subjective, auditors are not required to detect
abuse in financial audits. However. . .”
A May 2010 COSO study of fraud at US companies from 1998 through
2007:
» The most common fraud involved improper revenue
recognition; next in line was the overstatement of existing
assets or capitalization of expenses
» 89% of these incidents of fraud involved executive
management at the C-Level (aka: CEOs and/or CFOs)
» 347 alleged cases dealt with financial reporting
» Dollar amount of these misstatements and/or
misappropriations---nearly $120bn USD
17. Auditors & Their Reputation When Dealing
With The Global Fraud Economy. . .
Global Patterns of Fraud – 2011
• Acts of fraud are rarely one-offs, 96% of fraudsters
carried out fraud on a repeated basis, up from 91% in
2007
– Fraud at the Board level increased to 18% while fraudulent
activities at the C-level increased to 26%
– 87% were male, between the ages of 36 and 45, and committed
fraud against their own employer
– 32% work in a Finance function
– 60% worked for the company more than 5 years, 33% 10 years
and most colluded with others
• So. . .where were the auditors?
18. Auditors & Their Reputation When Dealing
With Fraud
• Motivation for Fraud
– Personal financial gain followed by fraudulent
financial reporting. . .
– 43% misappropriation of assets (mostly due to
embezzlement and procurement fraud)
– On avg. it took 3 years from fraud inception to detection
– 50% were detected through tip-offs, both formal and informal
or by accident. . .
– 77% of investigations were not reported to the public
– 50% of the cases revealed that a red flag had existed but was
not acted upon. . .
19. Part Four: What’s Over The Horizon?
• “Negligence” vs “Gross Negligence”. . .
• And Negligence wins by a nose. . .
• Clawbacks. . .
• In the last meeting under chief Sheila Bair, The Federal
Deposit Insurance Corp. (FDIC) voted five to one in
favor of a “clawback” clause in new regulations, which
will allow the government to reclaim compensation
paid to executives whose banks have to be taken over
and wound up by the state.
20. What’s Over The Horizon?
• Increasing Liability Financial and Otherwise:
– In a 2008 report issued by the GAO, between 1998
and 2008 “audit firms may have paid at least 10
settlements or awards of $100 million or more
from private litigation”. . .
• In mid-2008, the six largest US auditing firms were
defendants in 90 audit-related suits, each of which
involved damage claims in excess of $100 million---
ranging up to $10 billion. . .
21. What’s Over The Horizon?
• Changing Expectations of The Auditors
– Internal Auditors Rule 1210.A2
• Internal auditors must have sufficient knowledge to
evaluate the risk of fraud and the manner in which it is
managed by the organization, but are not expected to
have the expertise of a person whose primary
responsibility is detecting and investigating fraud. . .
22. What’s Over The Horizon: Changing
Expectations. . .
• External Auditors Rule ISA 240
• The objectives of the external auditor: to identify and
assess the risks of material misstatement of the
financial statements due to fraud:
– Obtain understanding of the internal controls in respect of those assertions
which are subject to fraud (e.g., revenue) and ensure those controls are
designed effectively. If not. . . report to the audit committee. . .
– To obtain sufficient appropriate audit evidence regarding the assessed risks
of material misstatements due to a fraud, through designing and
implementing appropriate responses; and such responses should at a
minimum include the following:
– Testing the appropriateness of journal entries, especially at the end of the
reporting period. Make inquiries of individuals involved in financial
reporting process. . .
– Communicate fraud or suspected fraud to those charged with governance
23. What’s Over The Horizon?
• In the past, generally, the auditor did not have
an obligation to disclose possible or actual
fraud to third parties, unless the matter was
already reflected in the audit report
• However. . .
Not any more:
• See the moving target referred to as Dodd-Frank. . .
– US Regulatory Agencies Modify The Rules. . .
– US Judiciary Modifies The Rules. . .
» Let's all go to court. . .
24. What’s Over The Horizon?
– The Securities Exchange Act of 1934 Should Be
Extended to Cover Transnational Securities Fraud
[Release No. 34-631374; File No. 4-617]
25. Part Five:
Technical Take Aways---Benford’s Law
In naturally occurring sets of numbers, more numbers begin with the digit 1 than with any larger digit (2 - 9)
– Benford Analysis is likely to be useful with sets of numbers that result from
mathematical combinations of numbers, where each result combines values drawn from two
distributions:
» Accounts receivable (number sold x price)
» Accounts payable (number bought x price)
» Most sets of accounting numbers
26. Technical Take Aways: When Not to Apply
Benford’s Law
• When Benford Analysis is not likely to be
useful:
• Data set is comprised of assigned numbers:
– Check numbers, invoice numbers, Zip codes
• Numbers that are influenced by human thought:
– Prices set at psychological thresholds ($1.99)
– ATM withdrawals, e.g., $20, $40, $60, $80, $100
• Accounts with a large number of firm-specific numbers:
– Accounts specifically set up to record $100 refunds
• Where no transaction is recorded:
– Thefts, kickbacks, contract rigging, et cetera . . .
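As an added example (not part of the deck), the following Python applies the first-digit test from the two slides above to constructed data: a receivables-like set built as units sold times unit price, which should conform to Benford's law, and two assigned or human-chosen sets (sequential invoice numbers and round ATM withdrawals) which should not. Benford's expected proportion log10(1 + 1/d) for leading digit d is the standard formula; the conformity cut-offs on the mean absolute deviation are the ones commonly cited from Nigrini's work and are an assumption of this example, as are the lognormal parameters used to build the sample data.

```python
import math
import random
from collections import Counter

DIGITS = range(1, 10)


def benford_expected():
    """Benford's law: the probability that the leading digit is d equals log10(1 + 1/d).
    Digit 1 therefore leads about 30.1% of the time, digit 9 only about 4.6%."""
    return {d: math.log10(1 + 1 / d) for d in DIGITS}


def first_digit(x):
    """Leading non-zero digit of a number, independent of sign, scale and decimal point."""
    if x == 0:
        raise ValueError("zero has no leading digit")
    # scientific notation puts the leading digit first: 0.045 -> '4.5e-02', 1234 -> '1.234e+03'
    return int(f"{abs(x):.15e}"[0])


def first_digit_proportions(values):
    """Observed share of each leading digit 1..9 (zero values are skipped)."""
    digits = [first_digit(v) for v in values if v != 0]
    counts = Counter(digits)
    return {d: counts[d] / len(digits) for d in DIGITS}


def mean_absolute_deviation(observed, expected):
    """Average absolute gap between observed and Benford proportions over the nine digits."""
    return sum(abs(observed[d] - expected[d]) for d in DIGITS) / len(DIGITS)


def conformity(mad):
    """Verdict on a first-digit MAD, using the cut-offs commonly cited from Nigrini's work
    (an assumption of this example, not something the deck states)."""
    if mad < 0.006:
        return "close conformity"
    if mad < 0.012:
        return "acceptable conformity"
    if mad < 0.015:
        return "marginal conformity"
    return "nonconformity"


def benford_test(values):
    """Run the first-digit test and return the figures an auditor would put in a workpaper."""
    observed = first_digit_proportions(values)
    mad = mean_absolute_deviation(observed, benford_expected())
    return {
        "n": sum(1 for v in values if v != 0),
        "mad": round(mad, 4),
        "verdict": conformity(mad),
        "observed": observed,
    }


def constructed_datasets(seed=2011, n=5000):
    """Constructed sample data (not real ledgers): one set that should follow Benford, two that should not."""
    rng = random.Random(seed)
    # (a) receivables-like amounts: units sold x unit price, each spread over several orders of magnitude
    receivables = [round(rng.lognormvariate(3.0, 1.2) * rng.lognormvariate(2.0, 1.2), 2) for _ in range(n)]
    # (b) assigned numbers: sequential invoice numbers carry no Benford signal
    invoice_numbers = list(range(1000, 1000 + n))
    # (c) human-chosen amounts: ATM withdrawals clustered on round values
    atm_withdrawals = [rng.choice([20, 40, 60, 80, 100]) for _ in range(n)]
    return {"receivables": receivables, "invoice_numbers": invoice_numbers, "atm_withdrawals": atm_withdrawals}


if __name__ == "__main__":
    for name, data in constructed_datasets().items():
        result = benford_test(data)
        print(f"{name:16s} n={result['n']} MAD={result['mad']:.4f} -> {result['verdict']}")
```

The receivables set lands in the conformity range while the invoice numbers and ATM amounts are flagged as nonconforming, which is exactly the distinction the "when not to apply" slide draws: a nonconformity verdict on assigned or human-chosen numbers says nothing about fraud, so the test only belongs on data whose values arise from combining two distributions.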
27. Technical Take Aways: Computer Aided Audit
Techniques (CAATs)
– Benford’s Law in conjunction with the following
tools:
• SAP & Oracle’s EGRCM (Enterprise Governance, Risk
and Compliance Manager)
– Asking questions such as:
– Any changes in the top 10% of transactions by value (year to
year) by quarter, by month?
– Greatest number of changes made to a customer’s details file
(year to year) by quarter, by month?
– Any outliers/unusual data values?
– Any unusual or suspicious patterns with data, dates, returns,
end-of-month closeout transactions?
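The questions on the slide above are the kind a CAAT is built to answer, and they can be run over exported ledger data in a few lines of code. The following Python is an added example written for this page, not code from the deck, SAP or Oracle; the journal lines, the customer master change log, the field names, user IDs and quarterly grouping are all constructed for illustration. It reports, per quarter, the share of posted value landing in the month-end closeout window, the profile of the top 10% of transactions by value, the customers whose master records changed most, and one segregation-of-duties red flag: a posting by the same user who changed that customer's bank account within the preceding week.

```python
import calendar
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data for this example (not from any real ERP):
# sales journal lines as (posting_date, amount, customer, posted_by)
JOURNAL = [
    (date(2011, 1, 4),   1200.00, "C001", "jdoe"),
    (date(2011, 1, 18),   850.00, "C002", "jdoe"),
    (date(2011, 1, 31),  9800.00, "C003", "asmith"),
    (date(2011, 2, 9),   1100.00, "C001", "jdoe"),
    (date(2011, 2, 28),  7600.00, "C003", "asmith"),
    (date(2011, 3, 15),  1300.00, "C004", "jdoe"),
    (date(2011, 3, 30),  8900.00, "C003", "asmith"),
    (date(2011, 3, 31), 15400.00, "C003", "asmith"),
    (date(2011, 4, 6),   1250.00, "C001", "jdoe"),
    (date(2011, 5, 12),   900.00, "C002", "jdoe"),
    (date(2011, 6, 20),  1400.00, "C004", "jdoe"),
    (date(2011, 6, 22),  1150.00, "C001", "jdoe"),
]
# customer master change log as (change_date, customer, field, changed_by)
MASTER_CHANGES = [
    (date(2011, 1, 28), "C003", "bank_account", "asmith"),
    (date(2011, 2, 2),  "C001", "phone",        "jdoe"),
    (date(2011, 2, 25), "C003", "bank_account", "asmith"),
    (date(2011, 3, 29), "C003", "address",      "asmith"),
    (date(2011, 3, 30), "C003", "bank_account", "asmith"),
    (date(2011, 5, 3),  "C002", "address",      "jdoe"),
]


def quarter(d):
    """Calendar quarter label such as '2011Q1', the grouping used by every report below."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def is_month_end(d, window_days=1):
    """True when d falls within the last `window_days` calendar days of its month."""
    return d.day > calendar.monthrange(d.year, d.month)[1] - window_days


def month_end_share(lines, window_days=1):
    """Per quarter: share of posted value that lands in the month-end closeout window."""
    total, closeout = defaultdict(float), defaultdict(float)
    for d, amount, _, _ in lines:
        total[quarter(d)] += amount
        if is_month_end(d, window_days):
            closeout[quarter(d)] += amount
    return {q: round(closeout[q] / total[q], 3) for q in total}


def top_decile_profile(lines):
    """Per quarter: how many lines there are, the threshold of the top 10% by value, and their value share."""
    by_quarter = defaultdict(list)
    for d, amount, _, _ in lines:
        by_quarter[quarter(d)].append(amount)
    profile = {}
    for q, amounts in by_quarter.items():
        amounts.sort(reverse=True)
        k = max(1, round(len(amounts) * 0.10))  # at least one line per quarter
        profile[q] = {
            "lines": len(amounts),
            "top_threshold": amounts[k - 1],
            "top_share": round(sum(amounts[:k]) / sum(amounts), 3),
        }
    return profile


def master_change_hotspots(changes, sensitive_fields=("bank_account",)):
    """Per quarter: the customer whose master record changed most, plus sensitive-field change counts."""
    per_quarter = defaultdict(Counter)
    sensitive = Counter()
    for d, customer, field, _ in changes:
        per_quarter[quarter(d)][customer] += 1
        if field in sensitive_fields:
            sensitive[(quarter(d), customer)] += 1
    return {
        q: {
            "most_changed": counts.most_common(1)[0],
            "sensitive_changes": {c: sensitive[(q, c)] for c in counts},
        }
        for q, counts in per_quarter.items()
    }


def sod_red_flags(lines, changes, lookback_days=7, field="bank_account"):
    """Postings by a user who also changed that customer's bank account within the lookback window."""
    flagged = []
    for d, amount, customer, user in lines:
        for cd, ccustomer, cfield, cuser in changes:
            if (ccustomer, cfield, cuser) == (customer, field, user) and 0 <= (d - cd).days <= lookback_days:
                flagged.append((d.isoformat(), customer, amount, user))
                break
    return flagged


if __name__ == "__main__":
    print("month-end share of value:", month_end_share(JOURNAL))
    print("top decile profile:", top_decile_profile(JOURNAL))
    print("master data hotspots:", master_change_hotspots(MASTER_CHANGES))
    for flag in sod_red_flags(JOURNAL, MASTER_CHANGES):
        print("SoD red flag:", flag)
```

On the constructed data, Q1 carries about 71% of its value on the last day of a month while Q2 carries none, the same customer accounts for every bank-account change in Q1, and all four high-value month-end postings were entered by the user who changed that customer's bank account days earlier. None of this proves fraud; each is a question for the auditor to take to the people involved, which is the point of the "asking questions such as" list.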
28. Technical Take Aways: SAP
» Risk Analysis and Remediation (RAR)
» Superuser Access Management (SPM)
» Compliant User Provisioning (CUP)
» Enterprise Role Management (ERM)
29. Technical Take Aways: SAP’s Backdoors
• Backdoors. . .
– BACKDOORS come about in two ways. First, they can
represent access into a system that is created during the
application development process and is never removed.
– Secondly, after an application is put into production and sold
to the customer in the field, they can represent an unauthorized
and/or undetected compromise of the system for the sole
purpose of securing future access to data/information for
industrial or financial espionage. . .
• At a Black Hat conference (Europe, 2010), researchers demonstrated
multiple backdoors into SAP
30. Technical Take Aways: Oracle
– Easily set the scope of the AS5 Audit within Oracle Enterprise
GRC Manager (EGRCM)
– Pre-packaged reports showing Audit coverage, status and
findings
31. Technical Take Aways: Oracle’s Backdoors
• Backdoors. . .
– A number of modules remain un-patched and vulnerable, due
in part to a difficult patch & upgrade process involving
complex applications, in addition to an attitude that if it's
working, don't touch it. . .
» For example: National Vulnerability Database (NVD)
» Description: Unspecified vulnerability in the Database
Control component in EM (Enterprise Manager) Console
in Oracle Database Server…Oracle Fusion Middleware…
allows remote attackers to affect confidentiality, integrity
and availability via unknown vectors……(under review)
32. Technical Take Aways: In Their Defense
• Backdoors---Created and used by the vendor
and created and used by individuals with
criminal intent. . .can and do threaten every
information system CONNECTED TO THE
INTERNET. This is NOT simply a problem
unique to SAP or Oracle. . .
• Going forward, there are two questions you may want to ask:
are there any backdoors into your system, and what are
they used for?
– View a list of your vendor’s backdoors. . .
33. Technical Take Aways: KDD, OLAP, Data Mining
and Heuristic Analysis
• KDD (Knowledge Discovery in Databases),
• OLAP (On-line Analytical Processing),
• Data Mining
• Multiple vendors, bumping up against a client's:
– Lack of Confidence/Trust in the Numbers
– Belief that data collection methodologies are flawed and that
the use of the data will threaten their decision-making
authority.
– Defense against charges of negligence or gross negligence
– Weakens the claims of plausible deniability.
– Impacts independence and integrity of auditor’s claims of
non-bias, impartiality.
34. Technical Take Aways: Heuristic Analysis
• Heuristic Analysis is defined by the act(s) and/
or processes associated with discovering the
unknown thereby making it known…
• Such tools require TESTING. . .for example with EICAR:
• EICAR is a uniquely formatted program file; it is not a
virus, but most AV (Anti-Virus) programs recognize it as
a test program. See also:
– AV Comparatives
– AV-Testing
– ICSA Labs
– SC Magazine/West Coast Labs, Virus Bulletin
35. Non-Technical: Using Your Amygdala
The Six Principles of An Auditor’s Achilles Heel
• A lack of sufficient professional skepticism
• Lack of support (real or imagined) @ the C-level
• Not controlling the confirmation process especially at
month end, ending quarter and year end
• Not ascertaining whether the financial statements
agree with or reconcile with accounting records
• Over-relying on management (i.e., insufficient evidence
to corroborate management’s representations)
• Not testing accuracy of computer-prepared data
36. Non-Technical: Using Your Amygdala & Have
We Got A Tool For You. . .
• The Vulnerability Assessment and
Mitigation (VAM) Methodology. . .
• RAND Corporation developed a methodology to help
analysts in:
» Understanding these relationships. . .
» Facilitating the identification and/or discovery of system
vulnerabilities. . .
» Suggesting relevant mitigation techniques. . .
• The VAM methodology takes a top-down approach
uncovering vulnerabilities that are known, exploited or
revealed today but also vulnerabilities that exist, yet
have not been exploited or encountered to date. . .
37. Non-Technical: Using Your Amygdala
• Is there a Major Disconnect between the C-Level
folks and their employees. . .?
– E.g. What motivates their employees…?
• Their answers are almost always facing 180° in the
opposite direction. . .
• See also “Kiss Up, Kick Down” corporate culture.
– “Social Intelligence”, “Emotional Intelligence”
– “Blink”, “Mind Rules”, and “Outliers”. . .
– The concept of Synchronicity, (aka: your gut. . .)
38. In Summary: What You Have Heard Today. . .
• What steps you must take. . .to:
• Ensure your independence, as an Auditor. . .?
• Ensure your findings are:
– timely, concise, clear, convincing, complete, objective,
accurate and correct, with emphasis on CORRECT.
• Analyze and re-visit your First Impressions
(when necessary). . .First, Last and Always. . .
39. Questions?:
– Please Note: We’ll be happy to discuss any of the issues
raised this morning & best wishes the rest of the way. . .
• In closing, thank you for your time and attention…
• Respectfully yours:
Pw Carey
Consultant CISA SAP GRC
Compliance Partners, LLC
Suite 200
Barrington, Illinois 60010
www.complysys.com
pwc.pwcarey@gmail.com or
pwcarey@complysys.com
1-650-267-3130 or 1-224-633-1378
CITYAM August 31st, 2011 Facebook has handed $40,000 to hackers for finding flaws in its website as part of its Bug Bounty scheme. Facebook joins a growing list of companies, including Google, which pays independent hackers for information
Lamp Virus, maybe linked to China, and what it can do: The Lamp Trojan, which according to some researchers may have been developed in China, contains an MS-Office Suite "Document Grabber," a specific command designed for the sole purpose of collecting Microsoft Office Suite documents. This is an unusual feature among private Trojans, which typically focus on collecting financial and banking information. This implies that the Lamp Trojan collects Word files, Excel spreadsheets, and PowerPoint presentations. Lamp may be one of the only examples of a Trojan that, in addition to collecting financial information from more than two dozen US financial institutions, may be specifically interested in industrial espionage...(aka: DoD Aerospace & Defense airfoil diagrams/schematics et cetera stolen...) from defense contractor(s)....
Leaked documents suggest China might have the upper hand, by Michael Hardy, Apr 21, 2011: The Cold War took its name from the relative lack of shooting that characterized it. The United States and Soviet Union fought one another politically, diplomatically and economically but rarely with guns or tanks. It was not a hot war. We have a couple of hot wars going on now, but there's another cold war under way, too — one being fought between the United States and China, primarily using IT. And it looks as though China has the upper hand at the moment. "According to U.S. investigators, China has stolen terabytes of sensitive data, from user names and passwords for State Department computers to designs for multibillion-dollar weapons systems," write Brian Grow and Mark Hosenball in a report for Reuters. "And Chinese hackers show no signs of letting up." Grow and Hosenball credit WikiLeaks for revealing many previously secret details about China's ongoing cyber assault, which the U.S. government has code named Byzantine Hades.
Specifically, they write, the State Department cables that WikiLeaks published show that the Chinese military was the source of those attacks, not some rogue hacker group.
Government Documents Leaked: CITYAM, Feb. 9th, 2011, as reported in The Daily Telegraph. WikiLeaks: No. 10 urged commander to play down Afghanistan failures. A senior adviser to Gordon Brown (UK Prime Minister) put pressure on the commander of NATO forces in Afghanistan to play down the "bleak and deteriorating" situation to reduce criticism of his government, leaked documents disclose. Brown, the prime minister at the time, visited the country and met General Stanley McChrystal, the US military commander.
LulzSec 'takes down' CIA website: The hacker group Lulz Security claims it temporarily brought down the public-facing website of the US Central Intelligence Agency. Related coverage: Q&A: Lulz Security (06 June 2011, Technology); Nintendo server hit by hackers (06 June 2011, Business).
BBC Technology, 15 June 2011---LulzSec opens hack request line. . . It claims to have launched denial of service attacks on several websites as a result, although it did not detail which ones. The unspecified hacks formed part of a wave of security breaches that the group called Titanic Takeover Tuesday. The group publicised the telephone hotline on its Twitter feed. LulzSec has risen to prominence in recent months by attacking Sony, Nintendo and several US broadcasters. Lulz Security's request line features the voice of Pierre Dubois - possibly the name of its comic icon. Lulz Security said it had used distributed denial of service attacks (DDoS) against eight sites suggested by callers.
The Register (UK), ANONYMOUS: Behind the mask, inside the Hivemind. Where and who are the Anons? Everywhere and everyone. By Trevor Pott, Security, 7th July 2011 10:00 GMT. Original URL: http://www.theregister.co.uk/2011/07/07/anonymous_feature/
Enron Whistleblower Discusses Use of Dodd-Frank Whistleblower Provisions Sherron Watkins, former vice president at Enron, Marion Koenigs, deputy director in PCAOB's Division of Enforcement and Investigations, and Paul Atkins, former SEC commissioner, served as a panel of experts discussing the Dodd-Frank whistleblower provision at an event held by the New York State Society of Certified Public Accountants on January 28, 2011. During the discussion, Watkins, an accountant and Enron whistleblower, predicted that corporate whistleblowers will start to hand over evidence of corporate fraud to media such as WikiLeaks rather than use the SEC's whistleblower provisions. Watkins said that anonymously leaking documents to WikiLeaks will allow individuals to continue with employment in the corporate world without having the stigma of being a whistleblower.
17 CFR Parts 240 and 249, [Release No. 34-64545; File No. S7-33-10] RIN 3235-AK78 Implementation of the Whistleblower Provisions of Section 21F of the Securities Exchange Act of 1934 AGENCY: Securities and Exchange Commission (“Commission”). ACTION: Final rule. SUMMARY: The Commission is adopting rules and forms to implement Section 21F of the Securities Exchange Act of 1934 (“Exchange Act”) entitled “Securities Whistleblower Incentives and Protection.” The Dodd-Frank Wall Street Reform and Consumer Protection Act, enacted on July 21, 2010 (“Dodd-Frank”), established a whistleblower program that requires the Commission to pay an award, under regulations prescribed by the Commission and subject to certain limitations, to eligible whistleblowers who voluntarily provide the Commission with original information about a violation of the federal securities laws that leads to the successful enforcement of a covered judicial or administrative action, or a related action. Dodd-Frank also prohibits retaliation by employers against individuals who provide the Commission with information about possible securities violations.
June 6th, 2011 - Swiss Bank HSBC: Accounts in question hold assets of about £13bn and could net millions in pounds in unpaid tax revenues. The British customers’ details were found on a disk leaked to the French authorities, which is said to contain the names of 79,000 HSBC clients in 180 countries. Mr. Herve Falciani, an IT expert who worked for HSBC in Geneva, leaked the data to French officials, who passed it on to the UK. A spokesperson for HSBC said: “HSBC in no way condones tax evasion and in no way do we assist it”. August 18th, 2011, CITYAM, GRASSLEY QUIZZES SEC ON FILE PURGING - A whistleblower at the Securities and Exchange Commission has accused the agency of destroying more than 9,000 files related to preliminary investigations into SAC Capital, Bernard Madoff, Goldman Sachs and other financial groups, according to Charles Grassley, senior Republican on the Senate Judiciary Committee. Grassley wrote to Mary Schapiro, SEC chairman, yesterday.
“Because the determination of abuse is subjective, auditors are not required to detect abuse in financial audits. However. . .” (GAO 2011 Government Auditing Standards, the Yellow Book). COSO study regarding fraud at publicly traded US companies from 1998 to 2007: the most common fraud technique involved improper revenue recognition, followed by overstatement of existing assets or capitalization of expenses. 89% of the incidents of fraud involved the C-level (aka: CEO and/or CFO). 347 alleged cases at publicly traded companies dealt with financial reporting from 1998 to 2007, compared with 294 cases from 1987 to 1997. The total for these misstatements and/or misappropriations reached nearly $120bn USD.
KPMG Analysis of Global Patterns of Fraud: Who is the typical fraudster? (2011 Executive Summary, kpmg.com/cee). 2011 fraud demographics:
• Acts of fraud are rarely one-offs: 96% of fraudsters in the 2011 survey carried out fraud on a repeated basis, up from 91% in 2007.
• At the Board level, fraud increased from 11% in 2007 to 18% in 2011.
• At the C level, CEO fraudulent activities increased from 11% in 2007 to 26% in 2011.
The typical fraudster:
• 87% were male, although females are demanding access to the club
• Between the ages of 36 and 45
• Commits fraud against his own employer
• 32% work in the Finance function or in a finance-related role; 25% work in Operations & Sales, followed by Procurement, Back Office, Research & Development and Legal
• Is a member of senior management
• 60% worked for the company more than 5 years; 33% worked for the company for more than 10 years
• Most often colludes with others; females prefer not to collude
Motivation for fraud: personal financial gain, followed by fraudulent financial reporting. 43% misappropriation of assets (mostly due to embezzlement and procurement fraud). On average it took 3 years from fraud inception to fraud detection. Exploitation of internal controls by fraudsters increased significantly, from 49% in 2007 to 74% by 2011. Nearly 50% of frauds were detected through tip-offs (read: whistleblowers), both formal and informal, or by accident, suggesting that internal controls are either lacking or are not functioning appropriately. Most of the frauds investigated involved the exploitation of weak internal controls. 77% of the fraud investigations undertaken were not reported to the public. Internal communication of the matter dropped to 46%, compared to 50% polled in 2007. Internal announcements regarding fraud fell from 35% in 2007 to 13% in 2011. In 2011, 50% of the cases revealed that a red flag associated with a fraud existed but had not been acted upon, up from 21 percent in 2007.
Employee awareness of other behaviors can help businesses identify frauds earlier. Be alert to the following employee behavioral red flags:
• Refuses or does not seek promotion and gives no reasonable explanation.
• Has opportunities to manipulate personal pay and reward.
• Rarely takes holidays.
• Is suspected to have over-extended personal finances.
• Does not or will not produce records/information voluntarily or on request.
• Persistent rumors/indications of personal bad habits/addictions/vices.
• Unreliable and prone to mistakes and poor performance.
• Cuts corners and/or bends rules.
• Tends to shift blame and responsibility for errors.
• Seems unhappy at work and is poorly motivated.
• Surrounded by “favorites” or people who do not challenge them.
• Accepts hospitality that is excessive or contrary to corporate rules.
• Level of performance or skill demonstrated by new employees does not reflect past experience detailed on CVs.
• Seems stressed and under pressure.
• Bullies or intimidates colleagues; volatile and melodramatic, arrogant, confrontational, threatening, or aggressive when challenged.
• Vendors/suppliers will only deal with this individual; self-interested and concerned with own agenda.
• Lifestyle seems excessive for income.
• Micro-manages some employees; keeps others at arm’s length.
In the last meeting under its current chief Sheila Bair, the Federal Deposit Insurance Corp (FDIC) voted five to one in favor of a "clawback" clause in new regulations, which will allow the government to reclaim compensation paid to executives whose banks have to be taken over and wound up by the state. The rule puts flesh on the bones of a proposal included in the 2010 Dodd-Frank Act, which overhauls American Financial regulation. It gives some clarity to a major question as to when circumstances determine when executives pay should be confiscated, with the broader "negligence" favored over "gross negligence". The vote also established a debt hierarchy in winding up a firm, with the FDIC's costs incurred in resolving the company and debt to the government topping the list, along with any money owed to employees. Other creditors will be paid off afterwards. The status of clawback clauses in Europe is unclear at present, with EU authorities suggesting that firms write them into contracts. Regulation By Juliet Samuel CITYAM UK
Audit firms’ litigation exposure in connection with securities class actions is, of course, a significant part of the broader litigation risk that accompanies audit work. In the 12 years after the enactment of the Private Securities Litigation Reform Act of 1995, the six largest U.S. auditing firms paid out $5.66 billion to resolve 362 securities class actions and other suits related to public company audits, private company audits, and all other non-audit services, with 65% of the total ($3.68 billion) related to public company audits. And in mid-2008, the six largest U.S. auditing firms were defendants in 90 audit-related suits, each of which involved damage claims in excess of $100 million—ranging up to $10 billion.
International Standards for the Professional Practice of Internal Auditing, 1210.A2:
• Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
ISA 240 (Revised): The objectives of the external auditor:
• To identify and assess the risks of material misstatement of the financial statements due to fraud:
– Obtain an understanding of the internal controls over those assertions which are subject to fraud (e.g., revenue) and ensure those controls are designed effectively. If not => report to the audit committee...
• To obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses. Such responses should at a minimum include the following:
– testing of the appropriateness of journal entries, especially at the end of the reporting period, and making inquiries of individuals involved in the financial reporting process;
– reviewing the accounting estimates for bias (e.g., provisions, valuation allowances, percentage of completion of sales transactions, results of the impairment tests);
– analyzing significant unusual transactions outside of the normal course of business.
• To respond appropriately to fraud or suspected fraud identified during the audit:
– Communicate fraud or suspected fraud to those charged with governance.
GAO High Risk Series February 2011: The Dodd-Frank Act includes many provisions that are intended to improve the U.S. financial regulatory system. However, many of the act's changes, including new regulatory structures, agencies, and requirements, are yet to be implemented, and many decisions by regulators as to how new regulations will address various problem areas are forthcoming. For example, the new oversight council has only recently begun meetings to fulfill its mission. Similarly, financial regulators have yet to develop and issue many of the rules necessary to fully implement various changes, including those related to proprietary trading, trading and clearing of over-the-counter derivatives, and others. Until these new structures, requirements, and entities are in place, fully staffed, and functioning effectively, the act's intent to reform the financial system will not be achieved.
At the Building Public Trust Awards dinner in September 2010, Ian Powell outlined the following five-point plan:
• raising the standard of all the work we do to the standard of the best;
• improving transparency of the scope, processes and decision-making in an audit;
• extending the scope of the auditor’s report without changing the corporate reporting model to provide further assurance over narrative reporting;
• changing the reporting model and changing the scope of the auditor’s report as a consequence; and
• working for longer-term reform.
As Professor John C. Coffee, Jr. of Columbia Law School noted in 2004, “the most ominous fact [for the future] may be that accounting irregularities tend increasingly to be the primary focus of securities class actions.”[9] Recent statistics show the continuation of this trend: according to Cornerstone, “[i]n 2009 allegations related to violations of Generally Accepted Accounting Principles (GAAP) were included in more than 65 percent of settled cases. These cases continued to be resolved with larger settlement amounts than cases not involving accounting allegations.”[10] And audit firms were named in a number of recent high-profile securities class actions stemming from the financial crisis. For example, according to Audit Analytics, as of late 2009, eight accounting firms had been named as defendants in eleven securities class actions based on allegations relating to Bernard Madoff’s Ponzi scheme, and six firms had been named as defendants in nine securities class actions relating to the credit crisis generally.
Benford Analysis is likely to be useful for sets of numbers that result from mathematical combinations of numbers, where the result comes from two distributions:
• Accounts receivable (number sold x price)
• Accounts payable (number bought x price)
Transaction-level data (no need to sample):
• Disbursements
• Sales
• Expenses
Large data sets (the more observations the better).
Other types of fraud exist that cannot be detected by Benford analysis:
• duplicate addresses
• duplicate bank accounts
• ghost employees
• shell companies
• duplicate purchase orders
• duplicate invoice numbers
• duplicate payments
• contract rigging
• defective deliveries
• defective shipments
• defective returns
Use Benford's law to assist an audit in conjunction with other tools, both technical and non-technical, such as:
• Experience-based intuition (aka: trust your gut & verify)
• Social intelligence & emotional intelligence
• Surveys and interviews
• Corporate culture (Kiss Up/Kick Down)
• Confirmation and verification
• Professional skepticism
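The first-digit Benford test described above, as an added worked example (not code from the presentation or from any of the tools it lists). The disbursement populations are constructed: one log-uniform set that conforms to Benford's law, and the same set with a block of payments sitting just under an assumed $5,000 approval limit, the pattern an auditor would expect when invoices are split or inflated to stay below a sign-off threshold. The chi-square critical value is the standard 8-degrees-of-freedom figure at 5%.

```python
import math
from collections import Counter

# Expected first-digit frequencies under Benford's law: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value, 8 degrees of freedom (nine digits minus one), 5% level.
CHI2_CRITICAL_8DF_05 = 15.507


def first_digit(amount):
    """Return the leading non-zero digit (1-9) of an amount, or None for zero."""
    for ch in f"{abs(amount):.2f}":
        if ch in "123456789":
            return int(ch)
    return None


def benford_test(amounts):
    """First-digit Benford test over a list of amounts.

    Returns (observed_counts, chi_square, worst_digit): per-digit counts, the
    Pearson chi-square statistic against Benford's expectation, and the digit
    whose observed share deviates most from its expected share.
    """
    digits = [d for d in map(first_digit, amounts) if d is not None]
    n = len(digits)
    counts = Counter(digits)
    chi2 = 0.0
    worst_digit, worst_dev = None, -1.0
    for d in range(1, 10):
        expected = n * BENFORD[d]
        observed = counts.get(d, 0)
        chi2 += (observed - expected) ** 2 / expected
        dev = abs(observed / n - BENFORD[d])
        if dev > worst_dev:
            worst_digit, worst_dev = d, dev
    return counts, chi2, worst_digit


def conforms_to_benford(amounts):
    """True when the first-digit distribution is not significantly different from Benford."""
    _, chi2, _ = benford_test(amounts)
    return chi2 < CHI2_CRITICAL_8DF_05


# --- Constructed sample data (not real ledger data) ---------------------------

def clean_disbursements(n=5000):
    """Amounts spread evenly in log space over four orders of magnitude
    (10.00 to about 100,000.00). Log-uniform data follows Benford's law almost
    exactly, so this stands in for a legitimate disbursement population."""
    return [round(10 ** (1 + 4 * i / n), 2) for i in range(n)]


def threshold_skewed_disbursements(n=5000, extra=1500, limit=5000.0):
    """The clean population plus `extra` payments just under an assumed
    approval limit, so the leading digit 4 appears far more often than expected."""
    data = clean_disbursements(n)
    data += [round(limit * 0.9 + (limit * 0.1 - 0.01) * j / extra, 2) for j in range(extra)]
    return data


if __name__ == "__main__":
    for label, data in (("clean", clean_disbursements()),
                        ("threshold-skewed", threshold_skewed_disbursements())):
        counts, chi2, worst = benford_test(data)
        print(f"{label}: n={len(data)} chi2={chi2:.1f} worst digit={worst} "
              f"observed={counts[worst] / len(data):.3f} expected={BENFORD[worst]:.3f}")
```

The test flags a population, not a transaction: a failing digit tells the auditor which slice of the ledger to pull (here, everything with a leading 4 in the $4,500 to $5,000 band) and then confirm with the non-statistical tools listed above. Duplicate payments, ghost employees and the like leave the digit distribution intact and need the other tests on the slide.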
WizRule, Numara Software, TopCAATs, IDEA, ACL, SAP, Oracle. . .
SAP GRC Access Control comes with the following four main product capabilities:
• Risk Analysis and Remediation (RAR): SAP GRC Access Control supports real-time compliance around the clock to detect, remove, and prevent access and authorization risk, and stops security and controls violations before they occur. Using live data to assess risk, SAP GRC Access Control enables your organization to identify conflicts immediately, drill down into root causes, and achieve resolutions.
• Superuser Access Management (SPM): The application enables users to perform emergency activities outside their roles under a “privileged user,” but in a controlled and auditable environment.
• Compliant User Provisioning (CUP): As companies provision and de-provision access to enterprise systems, they often overlook how these changes can impact SoD requirements. SAP GRC Access Control can automate provisioning, test for SoD issues, streamline approvals, review and reaffirm access, and reduce the workload for IT staff.
• Enterprise Role Management (ERM): This functionality standardizes and centralizes role creation, eliminating manual errors and making it easier to enforce best practices. The application prevents SoD violations by performing a real-time simulation of the data in a production system and testing the entire SAP software landscape.
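The segregation-of-duties analysis that RAR, CUP and ERM automate, reduced to its core, as an added example (not SAP code, and not a description of SAP's rule format). The rule set, role catalogue and user assignments are constructed for the example; the function names are assumed. It shows the three operations the slide describes: finding existing conflicts, simulating a provisioning request before approval, and identifying which held role grants each side of a conflict.

```python
# Constructed SoD rule set: each rule pairs two business functions that one
# person must not be able to perform together.
SOD_RULES = [
    ("create_vendor", "approve_payment"),
    ("create_purchase_order", "approve_purchase_order"),
    ("maintain_user_accounts", "assign_roles"),
]

# Constructed role catalogue: a role grants a set of business functions
# (transactions/authorizations, in SAP terms).
ROLES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "BUYER": {"create_purchase_order"},
    "PURCHASING_MGR": {"approve_purchase_order"},
    "BASIS_ADMIN": {"maintain_user_accounts", "assign_roles"},
}

# Constructed user assignments.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},      # conflict across two roles
    "carol": {"BUYER", "PURCHASING_MGR"},   # conflict across two roles
    "dave": {"BASIS_ADMIN"},                # conflict inside a single role
}


def effective_functions(user, user_roles, roles):
    """Union of the business functions granted by all of a user's roles."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= roles.get(role, set())
    return funcs


def sod_conflicts(user_roles=USER_ROLES, roles=ROLES, rules=SOD_RULES):
    """Map each user to the SoD rules they violate (empty dict when clean)."""
    findings = {}
    for user in user_roles:
        funcs = effective_functions(user, user_roles, roles)
        hits = [(a, b) for a, b in rules if a in funcs and b in funcs]
        if hits:
            findings[user] = hits
    return findings


def simulate_provisioning(user, new_roles, user_roles=USER_ROLES, roles=ROLES, rules=SOD_RULES):
    """Preview the additional conflicts a provisioning request would create,
    so the approver sees them before access is granted rather than in the
    next periodic review."""
    before = set(sod_conflicts(user_roles, roles, rules).get(user, []))
    proposed = {u: set(r) for u, r in user_roles.items()}
    proposed.setdefault(user, set()).update(new_roles)
    after = set(sod_conflicts(proposed, roles, rules).get(user, []))
    return sorted(after - before)


def remediation_options(user, user_roles=USER_ROLES, roles=ROLES, rules=SOD_RULES):
    """For each of the user's conflicts, name the held roles granting each side,
    so a reviewer can decide which role to remove or which mitigating control
    to document when the role itself is the problem (as with BASIS_ADMIN)."""
    held = user_roles.get(user, set())
    options = {}
    for a, b in sod_conflicts(user_roles, roles, rules).get(user, []):
        options[(a, b)] = {
            a: sorted(r for r in held if a in roles[r]),
            b: sorted(r for r in held if b in roles[r]),
        }
    return options


if __name__ == "__main__":
    for user, hits in sod_conflicts().items():
        print(user, hits, remediation_options(user))
    print("alice + AP_MANAGER would add:", simulate_provisioning("alice", {"AP_MANAGER"}))
```

Two design points matter for the auditor: the analysis runs on effective functions, not role names, so a conflict baked into a single role (dave) is found just as an accidental combination is (bob, carol); and provisioning is checked against the proposed state, which is what the slide means by simulating before the change reaches production.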
SAP Backdoors (Black Hat Conference Europe 2010)
Oracle Backdoors (Black Hat Conference Washington, DC 2011)
A backdoor can come about in two ways. First, it can be access to a system that was created during the application development process and never removed after the application was put into production in the field. Second, it can be an unauthorized and/or undetected compromise of the system for the sole purpose of securing future access to data/information for industrial and financial espionage.
Integrated, Efficient, and Effective: The FAST Blueprint for Oracle GRC Applications integrates the Oracle Enterprise Governance, Risk, and Compliance Manager (EGRCM) with Hyperion Financial Management (HFM) to automate assessment scoping and preparation. The blueprint enables both a top-down, risk-based approach and a bottom-up, controls-coverage-based approach to audit scoping.
Key Features:
• Easily set the scope of the AS 5 audit within Oracle Enterprise GRC Manager
• One-way synch utility for Hyperion Financial Management accounts to Oracle Enterprise GRC Manager
• Ability to specify and select controls to be included in audit scope
• Pre-packaged reports showing audit coverage, status and findings
Examples of backdoors potentially impacting the following areas:
• SAP Business Modules
• Authentication Procedures
Please note: backdoors can threaten every information system, and are not simply a problem for Oracle and/or SAP.
Oracle Backdoors (Black Hat Conference, Washington, DC 2011)
• A lot of Oracle is un-patched and vulnerable because support and patches cost, and customers must pay for extended advisory information (aka: metalink)....
• Example: CVE-2010-2390 (under review). National Vulnerability Database (NVD) description: Unspecified vulnerability in the Database Control component in EM (Enterprise Manager) Console in Oracle Database Server 10.1.0.5 and 10.2.0.3, Oracle Fusion Middleware 10.1.2.3 and 10.1.4.3, and Enterprise Manager Grid Control allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
• Difficult patch & upgrade process...
• Complex applications.... "if it works don't touch it" mentality...
See Andersen Consulting’s desire to use an automated deterministic/predictive tool when auditing Enron, and Enron’s Legal Dept. refusing to allow it to be used based upon plausible deniability. . .
EICAR test file: a uniquely formatted program file, which most AV programs recognize as a test program and respond to in a very similar way to that in which they respond to viruses. The EICAR file is not a virus and presents no malicious threat: if executed, it simply displays a screen identifying itself as a test file.
AV test labs:
• AV-Comparatives (http://www.av-comparatives.org/)
• AV-Test.org (http://www.av-test.org/)
• ICSA Labs (http://www.icsalabs.com/)
• SC Magazine/West Coast Labs (http://www.westcoastlabs.org/)
• Virus Bulletin (http://www.virusbtn.com/)
Mail gateway filters use rules to specify what file types and file names are permitted as attachments. Such filters are very good at countering obvious threats such as files with extensions like .LNK or .JPG.EXE, but can be rather inflexible in their rejection of whole classes of executable files.[1] Some filters use more advanced techniques, such as checking that the headers of the file scanned match the filename extension. This can significantly reduce the risk of false positives (and false negatives).[1]
Why are these obvious threats? In the first case, because the .LNK suffix denotes a program shortcut, which doesn’t usually make sense as an email attachment because there is no direct link between the shortcut and the program to which it should be linked: however, a shortcut file in an email attachment is often simply a Windows executable file, renamed to evade filters intended to block executable attachments. In the second case, the double extension suggests an attempt to pass off an executable file as a non-executable (graphics) file, a common virus writer’s trick.
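The two layers of attachment filtering the slide contrasts, name-based rules and a header-versus-extension check, as an added example (not code from the presentation or from any gateway product). The signature table is a small constructed subset of common file types, the extension list is a constructed sample of types Windows runs directly, and the attachment bytes are constructed stubs rather than real files. The header check is what lets the filter pass a genuine JPEG while still catching an executable renamed to .jpg, which name rules alone miss.

```python
# Constructed signature table: claimed extension -> byte prefixes a genuine
# file of that type starts with. Extend it for real use.
MAGIC = {
    ".exe": (b"MZ",),
    ".dll": (b"MZ",),
    ".lnk": (b"\x4c\x00\x00\x00",),   # Windows shell link: HeaderSize field
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
    ".zip": (b"PK\x03\x04",),
}

# Constructed list of extensions the gateway refuses outright.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat",
                         ".cmd", ".lnk", ".vbs", ".js"}


def extensions_of(filename):
    """All extensions in a name, lower-cased: 'Holiday.JPG.exe' -> ['.jpg', '.exe']."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:] if p]


def classify_attachment(filename, data):
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'.

    Name rules handle the obvious cases (.LNK, .JPG.EXE). The header check
    handles what they miss: an executable under a harmless-looking extension,
    or a file whose bytes do not match the type its name claims.
    """
    exts = extensions_of(filename)
    last = exts[-1] if exts else ""
    head = data[:16]

    if last in EXECUTABLE_EXTENSIONS:
        if len(exts) > 1:
            return "block", f"double extension {''.join(exts)} hides an executable"
        return "block", f"executable attachment type {last}"

    # The name claims a non-executable type: make the bytes agree with it.
    if head.startswith(b"MZ"):
        return "block", f"Windows executable header under {last or 'no'} extension"

    expected = MAGIC.get(last)
    if expected and not any(head.startswith(sig) for sig in expected):
        return "quarantine", f"header does not match {last} extension"

    return "allow", "no rule matched"


# Constructed attachment bytes (stubs, not real files).
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 53
LNK_STUB = b"\x4c\x00\x00\x00" + b"\x00" * 60
ZIP_STUB = b"PK\x03\x04\x14\x00" + b"\x00" * 58

SAMPLES = [
    ("invoice.exe", PE_STUB),        # plain executable
    ("holiday.jpg.exe", PE_STUB),    # double extension
    ("holiday.jpg", PE_STUB),        # executable renamed to an image
    ("holiday.jpg", JPEG_STUB),      # genuine image, must pass
    ("shortcut.lnk", LNK_STUB),      # shortcut as attachment
    ("scan.pdf", ZIP_STUB),          # zip bytes under a pdf name
    ("notes.txt", b"meeting at 10\n"),
]


def run_samples(samples=SAMPLES):
    """Classify every constructed sample; returns [(filename, verdict, reason)]."""
    return [(name, *classify_attachment(name, data)) for name, data in samples]


if __name__ == "__main__":
    for name, verdict, reason in run_samples():
        print(f"{name:18} {verdict:10} {reason}")
```

The quarantine verdict, rather than a hard block, is where the slide's false-positive point lands: a header mismatch is often a mislabelled but legitimate file, so it goes to a reviewer instead of being silently dropped. A gateway deployment is normally checked end to end with the EICAR file described above rather than with live malware.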
SIX Guiding Principles for Auditors
• A lack of sufficient professional skepticism
• Intentional lack of support (real or imagined) at the C-level
• Not controlling the confirmation process, or not confirming the terms of large or unusual sales transactions, especially those that occurred at year end
• Not ascertaining whether the financial statements agreed or reconciled with the accounting records
• Over-relying on management's representations (i.e., not obtaining sufficient evidence to corroborate or refute management representations, such as management's explanations for unusual fluctuations noted when performing analytical procedures)
• Not testing the accuracy of computer-prepared schedules
The Vulnerability Assessment and Mitigation (VAM) Methodology. The RAND Corporation has developed and evolved a methodology to help analysts understand these relationships, facilitate the identification or discovery of system vulnerabilities, and suggest relevant mitigation techniques... The VAM methodology takes a top-down approach and seeks to uncover not only vulnerabilities that are known and exploited or revealed today but also the vulnerabilities that exist yet have not been exploited or encountered during operation. Sophisticated adversaries are always searching for new ways to attack unprotected resources ("the soft underbelly" of the information systems); thus, the methodology can be valuable as a way to hedge and balance current and future threats. This report should be of interest to individuals or teams conducting vulnerability assessments and planning mitigation responses. Because it facilitates the identification of new vulnerabilities, it should be of particular interest to designers building new systems, as well as to security specialists concerned about highly capable and well-resourced system attackers, such as nation-states or terrorists motivated to identify new security holes and exploit them in subtle and creative ways. http://www.rand.org/content/da/rand/pubs/monograph_reports/2005/MR1601.pdf
• Develop and trust your intuition. This can be challenging for high-level financial services professionals, who naturally tend towards facts, figures and other hard factors, but soft factors are equally important. Start with your intuition and then make sure it is backed by a strong business case.
• Understand the power of "no". Many of us find this one of the most difficult things to say, but it is actually one of the most powerful words in business and often much more effective than "yes", particularly when backed by sound judgement.
• Understand and be true to yourself. At the risk of sounding like a personal development coach, far too few people in the financial services sector embrace self-awareness despite the benefits it brings. Everything you do must be congruent with who you are; incongruity increases stress, hampers performance and simply cannot last.
• Make time to stop and think. Evaluate where you are, what you like and what you do not. Ask yourself whether you are doing the right job in the right environment, whether that be country, company or culture. If you are not totally happy with the way things are, make changes.
• Do not let your job define you. Too many people allow themselves to become trapped in careers they no longer enjoy. If you do not like what you do, have the courage to be true to yourself and walk away; allowing a job to define your life risks years of compromise and missed opportunity. There are always other options.
Trust me. . .PwC
1. “A Short Course on Computer Viruses”, 2nd Edition, pp. 2, 49 (Dr Frederick B. Cohen), Wiley, 1994.
See AICPA AU Section 240, Consideration of Fraud in a Financial Statement Audit (Redrafted).
See AICPA AU Section 250, Consideration of Laws and Regulations in an Audit of Financial Statements.