forensics, fraud and analytical techniques computer forensics (chapter 12) practicum: burlington...
Post on 19-Dec-2015
228 views
TRANSCRIPT
Forensics, Fraud and Analytical Techniques
Computer Forensics (Chapter 12)
Practicum: Burlington Bees(Analytical Procedures as Substantive Tests)
Crime Doesn’t Pay?
As Willie Sutton the bank robber said when asked why he robbed banks
'because that's where the money is‘
Sutton robbed banks and he was good at it. He made no bones about that. He usually packed a gun, either a pistol or a Thompson submachine gun
"You can't rob a bank on charm and personality"
"Why did I rob banks? Because I enjoyed it. I loved it. I was more alive when I was inside a bank, robbing it, than at any other time in my life. I enjoyed everything about it so much that one or two weeks later I'd be out looking for the next job. But to me the money was the chips, that's all."
From Where the Money Was: The Memoirs of a Bank Robber (Viking Press, New York, 1976)
Why ‘Computer’ Crime?
‘Because that's where the money is‘ (c. 2005)
Money is no longer held in physical form
How much money is being handled daily by computer exchange systems in 2005? Foreign exchange $2 trillion daily Derivatives markets $5 trillion daily Outstanding derivatives positions $200 trillion NYSE daily activity $1.6 trillion daily
Types of Computer Crime:
Business as a Victim
Employee Thefts Payroll Fraud Fraudulent Billing Schemes Fraud Committed by outsiders Management Thefts Corporate Thefts
Types of Computer Crime:
Business as a Vehicle
Organized Crime Money laundering Theft from Minority Shareholders Other Stock Market Fraud Bankruptcy Fraud
Crime’s new venue
The Internet (With an estimated 1 billion people ) is now in a golden age of criminal invention. It's a "dot-con" boom, in which electronic crime runs rampant in a
frantic search for business models.
Even encryption, supposedly a defensive measure, has become a tool for extortion witness the weird new crime of breaking into a computer,
encrypting its contents, and then demanding a payoff to supply a password to the victim's own data.
The crime's so new, it doesn't even have a name yet.
.
Crime’s new venue
All the classic scams and rackets that city sharpies push on rubes can be digitized
once there were a few relatively uncomplicated viruses, now there are torrents of fast-evolving, multifaceted viruses. Where once there was just small-time credit-card fraud, now there is
international credit-card racketeering. Computer-network password theft has turned into sophisticated ID
fraud that robs patrons of banks and online auction sites. Spam, once an occasional rude violation of "netiquette," now arrives
by the ton (12.9 billion pieces a day worldwide last May, according to the e-mail security firm IronPort)
Then there are the newer electronic crimes, proliferating so fast that even experts have trouble keeping up with the jargon. Phishing. Spear phishing. Pharming. DDOS. DDOS protection rackets. Spyware. Scumware. Web site defacement. Botnets. Keylogging
FBI Computer Crime and Security Survey
Companies with sales of less than $10 million per year spent $643 per employee on computer security each year. For companies with more than $1 billion in annual revenue the amount spent on security dropped to $247 per
employee. The survey found that companies in the utilities
business spent the most on computer security on average, $190 per employee per year. Next highest on the list were transportation and
telecommunication companies, with average annual costs per employee of $187 and $132, respectively.
Computer Criminals Today
The largest class of crime is Internet based Generally, there is a form of compartmentalization, from the
top downAt the top of the food chain is someone who has the
financial means to organize a groupThis individual, acting as the criminal kingpin, puts together
a plan and then assembles the necessary technologically savvy individuals.
These groups work together without central organization
Computer Criminals Today
Many Criminals are recruited through acquaintances; others are found online Individuals use Web sites, online forums, and IRC channels to
advertise their services and meet their colleagues. Many others visit these sites to learn how to get started in the business.
The scene is always looking for rooters, scanners, curriers [various hacking specialties]
Once they've learned those skills, hackers commonly operate as freelancers, working on projects in an area of expertise--whether it be writing exploits, building botnet networks, or designing fake Web sites
And like legitimate businesspeople and freelancers, they must build a reputation before they can get hired for lucrative work.
Hotspots for Internet crime
Brazil, Bulgaria, China, Estonia, Hungary, Indonesia, Japan, Latvia, Malaysia, North Korea, Romania, Russia, and the United States are major centers for organized hacking
Why are certain areas hotspots? Places where there's a significant amount of activity usually have
a technically advanced population and a large population of computer users.
You also have a poor economy, so you have people with the technical skills to do good work, but they can't find a job that will provide for them,
so they may have to resort to doing things that are against the law
These hotspots (other than the United States and Japan) also tend to be countries where laws and law enforcement lag hackers will find the weakest link, the country with no laws
Denial-of-service (DoS attack)
A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include 1. attempts to "flood" a network, thereby preventing legitimate
network traffic
2. attempts to disrupt connections between two machines, thereby preventing access to a service
3. attempts to prevent a particular individual from accessing a service
4. attempts to disrupt service to a specific system or person Details are at
http://www.cert.org/tech_tips/denial_of_service.html
Zombies Zombies do a lot of the heavy lifting
malware-infected computers that an online puppet master controls Set to work in thousands or even tens of thousands, the machines in a zombie network or "botnet"
attempt to carry out the high-tech money grab. Botnets are popular because of their increasing sophistication and multiple uses.
versatile zombie armies pull in cash for their controllers in a variety of ways. Sending spam (a big money-maker)is one common use.
Zombie networks can also steal personal information for purposes of identity theft.
When botnets are used to launch a DDoS attack, the ringleader instructs each zombie computer to send a flood of data to a particular Web site. By itself, the data from a single PC can't hurt a site. But multiply that traffic by 10,000 or more computers, and a Web site can easily be overwhelmed and
cut off from the Internet.
E.g., MyDoom had a rather unsophisticated means of controlling host machines. Once it insinuated itself into an unprotected PC, anyone who knew a not-so-secret five-digit code could commandeer the computer for any
desired purpose As a result, MyDoom-compromised computers were very popular with online criminals for a
while
Botnets & Zombies
Malware turned an average of 172,009 previously healthy computers into zombies every day during May 2005
CipherTrust, an e-mail security company that tracks botnets
As processing power improves and broadband Internet connections become more widespread, zombie computers will be able to send more spam or hit Web sites harder
and botnets will become more powerful. Also, the ability to shuffle funds
including ransom payments anonymously through convoluted Internet paths using human
mules (in much the same way as in the drug trade) and online payment services
means that criminals can revisit old approaches.
Cops and Robbers Some botnets consist of phalanxes of from 15,000 to 50,000 zombie PCs
that are controlled by groups of people dispersed around the world Christopher Painter, deputy chief of the Computer Crime
section of the U.S. Department of Justice.
Most perpetrators are adults who execute extremely sophisticated assaults. "They don't brag, and they cover their tracks very well," (Painter)
One notorious cybergang, called Shadowcrew, reportedly had 4000 members scattered across the United States, Brazil, Spain, and Russia.
Objectives
Money is these cybergangs' primary motivationThe asking price for temporary use of an army of
20,000 zombie PCs today is $2000 to $3000, according to a June posting on SpecialHam.com, an electronic forum for hackers
Marshaling their armies of zombie PCs, online extortionists may threaten to crash a company's Web site unless they are paid off.
Hackers are not shy about asking for $20,000 to $30,000 from companies.
Payoffs
Companies know it's far cheaper to pay the hackers than to get knocked offline and lose hundreds of thousands of dollars in lost business Many extortionists go unreported because businesses are
unwilling to volunteer evidence of their coercion to law enforcement officials, corporations don't want to admit to their customers,
stockholders, and business partners their networks were ever vulnerable to an attack.
only about 20 percent of computer intrusions are ever reported to law enforcement agencies.
The US Secret Service receives between 10 and 15 inquiries per week from businesses owners who believe they may be the target of a cyberattack.
Survey by the Computer Security Institute
Payoffs
A PriceWaterhouseCoopers survey of more than 1000 businesses in the UK found that, on average, companies spent more than $17,000 on their
worst security incident that year. For large companies, that amount was closer to $210,000, the
study found. For companies of either size, most of the loss was due to the
disruption in their ability to do business, with expenses for troubleshooting the incident and actual cash spent responding to it accounting for considerably less.
Case Study: Protx When the first extortion e-mail popped into Michael
Alculumbre's inbox, he had no idea it was about to cost his business nearly $500,000. The note arrived in early November of last year, as Alculumbre's
London-based transaction processing company, Protx was being hit by a nasty distributed denial of service (DDoS) attack.
Zombie PCs from around the world were flooding Protx.com (the company's Web site) and the transaction processing server that was the commercial heart of the business.
In extortion e-mail's broken English, someone identifying himself as Tony Martino proposed a classic organized-crime protection scheme. "You should pay $10,000," Martino wrote. "When we receive money,
we stop attack immediately.“ The e-mail even promised one year's protection from other attackers
for the $10,000 fee. "Many companies paid us, and use our protection right now,"
Martino said. "Think about how much money you lose, while your servers are down."
Case Study: Protx By scrambling its IT staff and prohibiting traffic from zombie servers
at one point, Protx.com simply blocked all traffic originating from the Western United States
that company managed to survive the first wave of the attack against it. But the 13-person company's biggest cost involved preparing for the next
assaults, consisting of thousands of server requests, which came in January and April of 2005.
The April attack, which lasted for more than five days, was the most severe, as Protx and the attackers engaged in a kind of online cat and mouse: Just as Alculumbre's technicians found one way to block the flood of unwanted server
messages, the attackers would switch to another tack. At one point, the cybercrooks used a new exploit of Microsoft's Microsoft Internet
Information Services server that caused the Protx Web site to crash whenever certain types of secure messages got through.
Protx responded by installing an SSL accelerator and analyzing the messages before letting them through.
On the final day of the April assault, the attackers hit Protx with everything they had.
At the peak of the assault, the company's servers were processing 800 megabits of traffic per second, the equivalent of more than 530 T1 lines firing at full capacity.
Case Study: Protx
Just a few years ago, financially motivated attackers tended to focus on fringe businesses like online gaming sites.
Transaction processors like Protx are now choice prey for extortionists, If you bring down your payment processor, you can bring down
hundreds of online processors Transaction processors like Protx will do everything in their
power not to be offline therefore, they are investing heavily in security and bandwidth.“
Protx ended up spending a whopping $38,000 per employee on security in 2004
Client-side Targets
About 60 percent of new vulnerabilities now affect client-side applications like Web browsers and media players And those vulnerabilities are drawing all the wrong sorts of
attention In 2005, unwanted network traffic targeting Symantec Veritas
BackupExec rocketed to 500,000 instances within days of an announced
security hole in the product, up from a previous maximum of about 50,000 instances.
Microsoft Office, Internet Explorer, Firefox, and AOL Instant Messenger also suffered from serious reported vulnerabilities, as did RealPlayer and iTunes
Focus of Client-side Attacks
Attackers now target backup and recovery programs, as well as "the antivirus and other security tools that
most organizations think are keeping them safe SANS Top 20 report for 2005 on the most critical Internet
vulnerabilities
The shift toward finding and exploiting vulnerabilities in programs represents a major change from past years, when Windows and other operating systems and Internet
services like Web and e-mail servers were the preferred targets.
Client-side Crime:Recent Problem Software
Some of the latest application holes:
* Sony BMG's XCP copy protection Used ham-fisted rootkit code to hide every file name that began with the characters "$sys$"; virus writers soon released worms and Trojan horse programs to leverage the XCP cloaking features
* Symantec/Veritas NetBackup A buffer overflow vulnerability in a file used by NetBackup clients and servers
* Macromedia Inc.'s Flash Player A buffer overflow in some versions of the Macromedia Flash Player
* Skype Technologies S.A.'s Skype A critical buffer overflow vulnerability in versions of the free Internet phone app
SANS (SysAdmin, Audit, Network, Security) Institute:
The 20 Most Critical Internet Security Vulnerabilities Top Vulnerabilities in Windows Systems
W1. Windows Services W2. Internet Explorer W3. Windows Libraries W4. Microsoft Office and Outlook Express W5. Windows Configuration Weaknesses
Top Vulnerabilities in Cross-Platform Applications C1. Backup Software C2. Anti-virus Software C3. PHP-based Applications C4. Database Software C5. File Sharing Applications C6. DNS Software C7. Media Players C8. Instant Messaging Applications C9. Mozilla and Firefox Browsers C10. Other Cross-platform Applications
Top Vulnerabilities in UNIX Systems U1. UNIX Configuration Weaknesses U2. Mac OS X
Top Vulnerabilities in Networking Products N1. Cisco IOS and non-IOS Products N2. Juniper, CheckPoint and Symantec Products N3. Cisco Devices Configuration Weaknesses
Phishing California has passed an antiphishing law,
the Anti-Phishing Act of 2005 With the passage of the Anti-Phishing Act of 2005, California joins such
states as Texas, New Mexico, and Arizona, all of which adopted antiphishing legislation earlier this year.
Phishing victims are typically sent fraudulent e-mail designed to trick them into revealing personal information, like bank account numbers, user names, and passwords. Under the Anti-Phishing Act, these victims may seek to recover either
the cost of the damages they have suffered or $500,000, whichever is greater; government prosecutors can also seek penalties of up to $2500 per phishing violation.
Phishing attacks have been on the rise. Research firm Gartner estimates that 73 million U.S. Internet users received phishing e-mails during the 12 months ended May 2005, up 28 percent from the previous year.
Malware
The mischief-making hacker of the 1990s gives way to the determined high-tech thief of the 21st century The E-Crime Watch survey of security and law enforcement estimated an average loss of $506,670 per organization due to
malware It's gotten so bad that the U.S. Secret Service and Carnegie
Mellon University's Computer Emergency Response Team (CERT)
last year stopped publishing the number of computer crime incidents, saying: "Given the widespread use of automated attack tools, attacks
against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks."
How to Build a Legal Case
Inference Network Analysis
Legal cases are proved through inferences. These inferences, built in chains, must lead logically from
point A to point B He strength (or weakness) of these inferences determines the
strength of the legal case
E v id en c e P r o o fI n f e r en c e
Chain of Inferences
Suppose we want to link the defendant (and ex-football player and aspiring movie star) to the murder of his ex-wife
Initially the evidence is weak (dotted line) The defendant and victim were divorced, and that may have
been motive for the murder, but that is a weak case
D ef en d en t Vic timm u r d er
The Bloody Glove Our investigation has uncovered a bloody glove at the crime scene Immediately there is an inference that the glove is somehow involved in the
murder. If we later learn that DNA from the bloody glove matches the victim The inferential relationship between murder and glove become strong Although the connection between the defendant and the victim is still
tenuous, The connection between the victim and the glove is strong. We re not yet satisfied, and the investigation continues
D ef en d en t G lo v em u r d er
Vic timD N A
Establishing Ownership The forensic examiners at the crime lab have determined that the gloves are
in fact a very expensive brand sold only in movie-star / football players. They are so unique that only 25 pairs have been sold in the past year.
This information alone does mot necessarily strengthen the inferential relationship to the defendant.
However, taken in combination with the fact that a par of these gloves was purchased on the ex-football players credit card two months earlier,
we are strengthening our chain of inference.
D ef en d an t O w n er s h ipm u r d er
D N AG lo v e Vic tim
Un iq u e
Uniquely Connecting the Gloves to their Owner
Finally our forensic experts compare the DNA from the skin cells found on the glove's lining with those of the defendant – they match
Up until now, we have only bee able to link the defendant inferentially as the owner of similar gloves.
Now we can link him as the owner of these particular gloves (the dotted arrow becomes solid)
D ef en d an t O w n er s h ip
D N AG lo v e Vic tim
Un iq u eD N A
Analytical and Automated Fraud Auditing Approaches
Objectives of Analytical Techniques
Looks at the general (qualitative) factors of a company. Based on tangible and measurable factors (quantitative).
Used in conjunction with tests of transactions and substantive tests Analytical techniques provide an important, macro-level,
detective control over fraud and misstatement in financial statements
Analytical Technique(ratio analysis, fundamental analysis)
Goals Such an analysis has for objective to assess the firm's:
performance, for the management to improve it, solvency, so as for a bank or a supplier to grant a credit, potential value to decide an investment or divestment. Then it is
called fundamental analysis and is linked to business valuation and stock valuation
How to: Analytical Techniques Compare financial ratios (of solvency, profitability, growth...)
between several periods (the last 5 years for example) and between similar firms.
Those ratios are calculated by dividing a (group of) account balance(s), taken from the balance sheet and / or the income statement, by another,
for example : Net profit / equity = return on equity Gross profit / balance sheet total = return on assets Stock price / earnings per share = P/E-ratio
Where to find the data Company websites almost every public company has a website or investor relations department.
For the most current quarterly or annual report you might want to check in these places first.
http://www.gm.com/company/investor_information/stockholder_info/
Securities and Exchange Commission (SEC) - The information posted in the "EDGAR" database includes the annual report (known as the 10-K), quarterly report (10-Q), and a myriad of other forms that contain every type of financial data.
http://www.edgar-online.com/products/edgarpro.aspx
Hoovers.com - another source for company analysis (some of the data requires a subscription)
http://www.hoovers.com/free/
Analyzing the Financial Statements
19 Key Ratios for Analytical TechniquesPerformance Activity
Average Interest Rate Asset Turnover
Book Value Per Share Collection Ratio
Cash Flow to Assets Inventory Turnover
Common Size Analysis Financing
Dividend Payout Ratio Debt / Asset Ratio
Earnings Per Share Debt / Equity Ratio
Gross Profit Margin Liquidity Warnings
Price/Earnings Ratio Acid Test
Profit Margin Interest Coverage
Return on Assets Working Capital
Return on Equity
Average Interest Rate=(Interest Expense - Accounts Payable) / Liabilities
Objectives: There are several versions of this ratio, some people prefer to
just use interest bearing liabilities such as the bonds and other short term loans.
This formula won't give you the exact interest rate they are paying, but it is useful in an interest rate sensitive environment.
And if you compare it to previous years then you are able to tell what rate the company had to take on more debt at. If you will notice from the balance sheet above,
Book Value Per Share - BV
=Stockholders Equity - Preferred Stock
Things to remember Comparing the market value to the book value can indicate whether or not the stock in
overvalued or undervalued.
During bull markets the stock price is more likely to trade significantly higher than book value, and in a bear market the two value's may be close to equal.
Objectives For the most part the book value really doesn't tell us a whole lot. BV is considered to be the accounting value of each share, drastically different than
what the market is valuing the stock at. And the truth is that market and book value have nothing in common. Market value is what the investment community's expectations are and book value is based on costs and retained earnings. One situation where BV can be useful is if the market value is trading below the book value, this rarely happens, but if it does it could mean that the company is undervalued and might be an attractive buy.
Cash Flow to Assets
=(Cash from Operations)/(Total Assets)
Things to remember Comparing to previous years is important, if the company's ratio
is decreasing then they may eventually run into cash problems.
Objectives: Cash flow is often overlooked when people analyze a company.
You can be a profitable company but if you don't have cash moving around to pay bills then you are really in trouble. It relates a company's ability to generate cash compared to its asset size. When the ratio declines below 10% then there may be some cause for concern.
Common Size Analysis=Entity / Total Entity
Basically the reason for stating COGS, OM, etc. as a percentage of Sales
E.g., comparing one class of current assets like cash to the whole CA total
Things to remember Compares what proportion that an expense reduces sales,
especially useful when comparing previous years.
It is also useful when comparing similar companies of different sizes to see if they have the same financial structure.
Dividend Payout Ratio =(Yearly Dividend per Share) / (Earnings per Share )
Things to remember A reduction in dividends paid is looked poorly upon by investors,
and the stock price usually depreciates as investors seek other dividend paying stocks.
Indicates the proportion of earnings that are used to pay dividends to shareholders
A stable dividend payout ratio indicates a solid dividend policy by the company's board of directors.
Earnings Per Share =(Net Income - Dividends on Preferred Stock) / (Average OS Shares)
Things to remember Diluted EPS means that the outstanding shares includes
any convertible's or warrants outstanding.
If the company issues more shares then EPS are much harder to compare to previous years.
Asset Turnover =Revenue / (Total Assets)
Indicates the relationship between assets and revenue.
Things to remember Companies with low profit margins tend to have high asset turnover, those with high profit margins
have low asset turnover - it indicates pricing strategy.
This ratio is more useful for growth companies to check if in fact they are growing revenue in proportion to sales.
Objective This ratio is useful to determine the amount of sales that are generated from each dollar of assets.
As noted above, companies with low profit margins tend to have high asset turnover, those with high profit margins have low asset turnover.
Collection Ratio =(Accounts Receivable) / (Revenue/365)
This indicates the average number of days it takes a company to collect unpaid invoices.
Things to remember A high ratio indicates that the company is having problems getting paid
for services or products.
The ratio is sometimes seasonally affected, rising during busy seasons and falling during the off-season. To account for this seasonality, the average accounts receivable ((beginning + ending accounts receivable)/2) could be used instead.
Inventory Turnover =(Cost of Goods Sold) / (Average or Current Period Inventory)
An important and often overlooked ratio that indicates inventory levels.
Things to remember A low turnover is usually a bad sign because products tend to
deteriorate as they sit in a warehouse.
Companies selling perishable items have very high turnover.
For more accurate inventory turnover figures, the average inventory figure, ((beginning inventory + ending inventory)/2), is used when computing inventory turnover. Average inventory accounts for any seasonality effects on the ratio.
Debt-Asset Ratio=Total Liabilities / Total Assets
Indicates what proportion of the company's assets are being financed through debt.
Things to remember This ratio is very similar to the debt-equity ratio.
A ratio under 1 means a majority of assets are financed through equity, above 1 means they are financed more by debt. Furthermore you can interpret a high ratio as a "highly debt leveraged firm".
Computer Assisted Techniques for Fraud Detection Audit software has commands that support the auditor's requirement to review transactions for
fraud such as the existence of duplicate transactions, missing transactions, and anomalies. Some examples of these commands include:
* comparing employee addresses with vendor addresses to identify employees that are also vendors; * searching for duplicate check numbers to find photocopies of company checks; * searching for vendors with post office boxes for addresses; * analyzing the sequence of all transactions to identify missing checks or invoices; * identifying vendors with more than one vendor code or more than one mailing address; * finding several vendors with the same mailing address; and * sorting payments by amount to identify transactions that fall just under financial control on contract
limits.
Audit software can be used to interrogate a company's data files and identify data patterns associated with fraud.
Patterns such as negative entries in inventory received fields, voided transactions followed by "No Sale,"
or a high percentage of returned items may indicate fraudulent activity. Auditors can use these data patterns to develop a "fraud profile" early in their review of
operations. The patterns can function as auditor-specified criteria; and transactions fitting the fraud profile
can trigger auditor reviews. Systems can even be built to monitor transactions on an ongoing basis. Continuous monitoring is a proactive approach to the early detection of fraud.
Fraud Detection Using Digital Analysis
A growing area of fraud prevention and detection involves the examination of patterns in data – i.e., Digital Analysis
The rationale is that unexpected patterns can be symptoms of fraud. A simple example of the application of this technique is a search for duplicate transactions, such as identical invoice or vendor numbers for the same amount.
A simple digital analysis technique is to search for invoices with even dollar amounts, such as $200.00 or $5,000.00. The existence of particular even amounts may be a symptom of
fraud and should be examined.
Digital Analysis Case Study: Even Amounts
Travel expenses had always been a concern for the auditors of X Company since it was an area where the controls were weak.
Employees had a maximum per diem rate when traveling but had to submit receipts to cover the actual expenses.
Maximums were also established for meals: breakfast $10.00, lunch $20.00, dinner $30.00, and hotel lodging $100.00.
The auditors configured the audit software to identify meal expenses that were multiples of $10.00.
These transactions were compared to receipts to ensure that the amounts expensed were appropriate.
A detailed review determined that many travelers were charging the maximum rates for meals even though their receipts did not justify the amounts.
Ratio Analysis Another useful fraud detection technique is the calculation of data analysis ratios
for key numeric fields. Like financial ratios that give indications of the financial health of a company,
data analysis ratios report on the fraud health by identifying possible symptoms of fraud.
Three commonly employed ratios are: * the ratio of the highest value to the lowest value (max/min); * the ratio of the highest value to the second highest value (max/max2); and * the ratio of the current year to the previous year.
For example, auditors concerned about prices customers were being charged for products could calculate the ratio of the maximum sales price to the minimum sales price for each product.
If the ratio is close to 1.0, they can be sure that there is little variance between the highest and lowest prices charged to customers.
However, if the ratio is large this could indicate that a customer was being charged too much or too little for the product.
Ratio Analysis Case Study:
Doctored Bills The auditors reviewed the patient billing system at Company Y to determine if the
appropriate charges were being assessed by health care providers. An initial analysis of the data was performed to calculate the ratio of the highest and lowest charges for each procedure. A judgment was made that procedures with a max/min ratio of greater than 1.30 be noted and subjected to additional review.
For a particular quarter, three procedures had ratios higher than 1.30, the highest being 1.42. A filter was used to identify the records related to the three procedures in question, and additional analysis was performed. This quickly determined that one doctor was charging significantly more than the other doctors for the same procedures. A comparison of charges from the billing system with payments in the accounts receivable system revealed that the doctor was skimming off the patient payments. The amount recorded in the receivable system was in line with the usual billing amount for the procedures. The doctor was unable to justify the higher prices or explain the difference in the billing and the receivable systems.
The third ratio compares data from different years, departments or operating areas, and the like. For example, the ratio of last year's purchases to current year's purchases for each supplier can point to symptoms of fraud such as kickbacks in the contracting section. If the total purchases from a supplier has gone from $100,000 to $400,000--a ratio of 4.0--further analysis may be in order.
Ratio Analysis Case Study:
Contracting Kickbacks Jonathan, one of the contracting officers, had devised a great win/win kickback
scheme. The auditors decided to use digital analysis as part of their review of the contracting section. One of the analyses calculated the total contract amount by supplier for each of the past two years. A ratio of current year to previous year was calculated and the minimum, maximum, average, and highest and lowest five ratios were displayed. While the average was close to 1.0, the highest and lowest five values showed that some companies had significant decreases in business, while others had experienced significant increases in business.
The auditors reviewed the details of all companies that had a ratio of less than 0.7 or more than 1.30. Totals were calculated by a contracting officer. For companies with an increase in business, the results revealed that Jonathan had raised many of the contracts. In comparison, Jonathan had raised no contracts with the companies that had seen a decrease in business. The auditors learned of Jonathan's kickback scheme when they interviewed salesmen from the companies that had ratios less than 0.7. Interviews with salesmen from the firms that had increased sales by 1.30 or more added credence to the fraud accusations. Both groups of salesmen said that they were told they would only get business if they paid Jonathan a kickback.
Benford's Law
Benford's Law, developed by Frank Benford in the 1920s, predicts the occurrence of digits in data. Benford's Law concludes that the first digit in a large population of transactions (10,000 plus) will most often be a 1. Less frequently will the first digit be a 2; even less frequently a 3.
An analysis of the frequency distribution of the first or second digits can detect abnormal patterns in the data and may identify possible fraud. An even more focused test can be used to examine the frequency distribution of the first two digits (FTD). The formula for the expected frequencies is:
Expected FTD Frequency = log(1+1/FTD) Therefore, the expected frequency of 13 is log(1+1/13). The expected
frequencies range from 0.041 for 10, to 0.004 for 99. Some audit software programs can be used to determine the frequency
distribution for first digits, first two digits, and second digits.
Note: not all data will have distributions as predicted by Benford's Law. Sometimes there is valid rationale for certain numbers occurring more frequently than expected. For example, if a company sends a large amount of correspondence via courier, and the cost is a standard rate ($6.12) for sending a package of under one pound, then the first digit (6) or the first two digits (61) may occur more often than predicted by Benford's Law.
Benford's Law Case Study: Signature Authority
The auditors for Z Company were investigating possible fraud in the contracting section, where thousands of contracts were raised every month. They used Benford's Law to examine the first two digits of the contract amount. The results of their analysis revealed that the digits 49 were in the data more often than expected.
Classifying on the contracting officer for all contracts with 49 as the first two digits determined that the contracting manager was raising contracts for $49,000 $49,999 to avoid contracting regulations. Contracts under $50,000 could be sole-sourced; contracts
greater than $50,000 had to be submitted to the bidding process. He was raising contracts just under the financial limit and directing them to a company owned by his wife.