1. Technical Field
The invention relates to fraud prevention and detection in information systems. More particularly, the invention relates to a method and apparatus for maintaining high data integrity and providing a secure audit for fraud prevention and detection.
2. Description of the Background Art
The Vulnerability of Digital Systems
Much internal organizational fraud is facilitated by the manipulation of digital data. Such data includes email, documents, spreadsheets, databases and, of course, accounting records. Changes of digital data over time, particularly deletions, are extremely difficult to discover or track. For example, a missing digital document or email may not be noticeable precisely because the object no longer exists. Something that does not exist, where a trail is not noticeable or nonexistent, is difficult or impossible to see.
Tampering with organizational information, while not necessarily classified as fraud, is often caused by modification of digital data. The collateral damage from tampering can be significant, even if tampering is ultimately not determined to exist. This damage may take the form of public relations nightmares, exposure to penalties, lawsuits, intellectual property damage, and poor decision-making based on inaccurate data.
Prior to the early 1980's, many organizations were less vulnerable to tampering and fraud than they are today. Why? Partly because of three things: unerasable ledger paper, sequentially numbered pages in ledgers, and indelible ink. These techniques, especially when used in combination, have been proven over hundreds of years to prevent fraud because it is difficult or impossible to modify the data. Even thousands of years ago, prior to the invention of paper, the ancient Egyptians used technologies, such as carved marks on stone tablets, to serve a similar purpose. Unerasable ledger paper, sequentially numbered pages, and indelible ink disappeared almost overnight in many organizations when digital computers were invented, and particularly, when micro-computers or so-called personal computers were invented.
Digital systems now predominate for recording transactions, recording documents, sending and receiving written communication, and performing data analysis and accounting. Yet, digital systems have storage that is composed of modifiable and deletable bits and bytes of information, mostly stored in magnetic or other digital media formats which may be readily changed. The manipulation of digital data need not require the skills of a software programmer or computer genius. Many of the tools for ease of tampering are supplied by, surprisingly, software system manufacturers themselves.
It is of particular note that the most popular accounting system in current use for small businesses in America is called Quickbooks. Quickbooks' manufacturer, Intuit, also supplies a popular check register software package called Quicken. Yet, unlike unerasable paper ledger systems that preceded it, and indeed most digital accounting systems which preceded Quickbooks and Quicken, important data recorded into these software systems may be changed after it is recorded. Unlike traditional digital or paper ledger accounting systems, prior historical periods, such as months, are not closed in Quickbooks to prevent changes or tampering with historical information. The unerasable, unchangeable nature of accounting systems used to be a hallmark of the genre. Yet this staple feature of record keeping systems has been pilloried by the consumer-valued mantra of ease-of-use. When Quicken was introduced in the 1980's, accounting professionals were aghast at the lack of accounting control in this disruptive technology system. As Intuit's product line increased tremendously in market share to become the dominant product in its space, the accounting profession was forced to give in to this lack of control because the customers of accounting firms could not be dissuaded from purchasing the software program due to its ease of use combined with its low cost. Instead of fighting what looked like a losing battle, the accounting profession gave in. Because the average size company in the U.S. has approximately ten employees, and because a significant percentage of U.S. firms of that size use Quickbooks, the current digital accounting environment in the U.S. has become effectively an embezzler's dream come true. In a striking reversal of historical precedent, it seems to be more valuable today to have an accounting system that is easy to use and inexpensive than one that is secure against tampering and fraud.
The growth of the Internet has fueled the sharing of information among criminals and prospective criminals about how to commit fraud. Criminals have been known to organize on the Internet and teach each other how to perform acts of digital fraud. In a recent occurrence communicated to the inventors of the subject invention, a forensic accountant described a web site that took credit cards, charged their customers thousands of dollars, and taught them on-line classes in how to defraud their employers and not be caught. Knowledge about how to commit fraud has increased along with the growth in knowledge about how digital systems may be used and manipulated. In the early days of widespread computer use, there was a myth that computers were complex, accurate, and above manipulation. As knowledge about digital systems grows, more people are learning the fallacy of such thinking. Consequently, data of all sorts is less secure from tampering and fraud today than it was in many previous periods.
Scope of the Problem and Lack of Attention by Technology Service Providers
Internal fraud is fraud by employees where money or assets are taken for personal profit. How big of a problem is this? It's big. The Association of Certified Fraud Examiners, in their 2010 Report to the Nations, reports this as a $994 Billion annual problem. Worldwide, the ACFE reports this as a $2.9 Trillion problem. Further, the ACFE reports that the typical organization loses 5% of its annual revenue to fraud. That means that for organizations, eliminating fraud could significantly increase their profit or effectiveness.
External fraud is fraud by people outside an organization. These are so-called cyber criminals, people such as hackers, virus writers, credit card thieves, and the like. To stop these criminals, all sorts of technology is employed such as firewalls, anti-virus systems, anti-spyware, encryption, web filtering, patch management, unified threat management, and similar systems.
In the United States, private companies spend about $60 Billion annually on systems to prevent external fraud and small businesses spend approximately 10% of their entire information technology budget on crime prevention.
Yet, in sharp contrast, how much money is spent on technology systems for internal fraud prevention? Surprisingly, almost nothing is spent. This is the case even though the Computer Security Institute reported in their 2007 report, “12th Annual Computer Crime and Security Survey,” that fraud overtook virus attacks as the source of the greatest financial losses reported by surveyed organizations. According to the Association of Certified Fraud Examiners in their “2010 Report to the Nations,” the average U.S. fraud loss per incident is a whopping $160,000. Small businesses are especially vulnerable. The average loss for a U.S. small business with fewer than 100 employees is, per incident, $200,000.
Technology systems for detecting fraud do exist. For example, ACL Services Ltd. in Vancouver, Canada provides data extraction and analysis software. Systems of this type are primarily detective in nature, not preventative. They operate by examining historical data and performing pattern analysis to look for anomalies indicating changes in behavior or processes which may be indicative of fraud.
Yet, prevention is often of greater value and practicality than detection because detection may help to solve a crime after it's been committed. Prevention, in contrast, stops a crime before it ever happens, and often for less cost. Ask any cop what deters crime more, police presence on the street or unseen detectives back at the office? The answer you almost always get is “prevention.” In the 1990's the New York City Police Department became the envy of the world when NYPD created a dramatic drop in crime in New York. How did they do it? It was stunningly simple. NYPD changed their focus from detection to prevention. They publicized the physical presence of police. If a potential criminal is tempted but knows he is being watched, guess what, he won't commit a crime. Simple. Likewise, detective-focused technology service programs related to fraud are consequently not very effective at preventing fraud.
It is notable that the ACFE reports most organizational fraud incidents, i.e. 85%, are performed by first-time offenders. Most internal fraudsters are not career criminals. Consequently, human behavior being what it is, prevention is likely to be especially effective against an individual with no prior history or experience of crime. Yet technology-based anti-fraud systems focused on prevention are extremely rare or nonexistent.
There is value to fraud prevention in other, perhaps unexpected areas, including saving human lives and preserving healthy families and a healthy society. It is an unfortunate fact that a significant number of fraudsters who are caught commit suicide. While the reasons for this are not entirely clear, some believe that it is due to the societal shame of being known as a fraudster. Others believe that it is because the typical fraudster, being a first-time offender, does not think of himself as a criminal. Once he is caught, he is confronted with this fact and he perceives this as the opposite of his self-view, leading to an emotional implosion. There may be other motivations as well. For whatever reason, it is clear that the internal emotional pressure of being found out causes many fraudsters to end their lives. This has tremendous cost to the fraudster's family, his friends, his church, his social organizations, his co-workers in the organization that he defrauded, a tipster, and even the detective who discovered the fraud. One of the co-inventors of the invention knows a former forensic accountant who left the profession because of the emotional anguish he felt over the death of fraudsters he identified. There would be human value and societal value if fraudsters were kept from temptation and prevented from committing fraud in the first place, rather than simply providing improved methods of detection to catch fraudsters so they may be given the opportunity to kill themselves.
The Need to Expand Fraud Detection
In May 2005 the Gartner Research Group wrote a study entitled “Introducing the High-Performance Workplace: Improving Competitive Advantage and Employee Impact.” In this study they mention that 80% of enterprise content—such as e-mails, user documents, presentations, and Web material—is unstructured in nature. Yet, the Gartner Group points out that most internal audit testing focuses only on the remaining 20% of data that is structured, such as financial accounting systems or databases.
E-mail and Fraud
“Research indicates that E-mail communications can be a strong indicator of an employee's incentive/pressure, opportunity and rationalization—the three points of the Fraud Triangle.”
Dan Torpey, CPA; Vince Walden, CFE, CPA; and Mike Sherrod, CFE, CPA.
Torpey, Walden, and Sherrod point out in their Fraud Magazine article of July/August 2009, Fraud Triangle Analytics—Applying Cressey's Theory to E-mail Communications, that E-mail is an underutilized data source in forensic investigations. Cressey's Theory was created by Dr. Donald Cressey, one of the co-founders of the Institute for Financial Crime Prevention. Dr. Cressey's theory attempts to explain why people commit fraud. His theory is that three components, opportunity, incentive/pressure, and rationalization are all present where fraud exists. This theory is referred to as Cressey's Fraud Triangle.
Torpey, Walden, and Sherrod tested Dr. Cressey's theory and reported their results in the Fraud Magazine article. First, they created three sets of key words people use in email conversation that might indicate if a person is experiencing each of the three components of Cressey's Fraud Triangle. The key word sets were created by an Ernst & Young fraud investigation team and an ACFE research team with assistance from the FBI and several unnamed Fortune 500 companies.
Second, they took two known fraud cases where there was an available E-mail trail during the period before the fraud took place, as well as during the period of fraudulent activity. The hypothesis considered by the authors was whether they could analyze the E-mail trail of individuals known to have committed fraud and see an increase in usage frequency of keywords from each of the three Fraud Triangle components during the period of alleged fraudulent activity.
Torpey, Walden, and Sherrod's results indicated a strong increase in the usage of words in all three keyword sets by fraudsters during the period of fraudulent activity. The usage of all three sets of words spiked compared with previous time periods. The authors conclude that this sort of E-mail key word analysis may be performed on organizational email systems and be predictive for fraudulent behavior or may reduce fraud risk. Using E-mail for fraud detection may become a valuable new tool in the quiver of fraud investigators and auditors.
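The per-period keyword-frequency comparison described above, as an added example (not code from the Fraud Magazine article or from this patent). The keyword sets, the sample e-mails, and the `factor` and `floor` thresholds are constructed assumptions; the article's actual word lists are not reproduced on this page.

```python
import re
from collections import defaultdict

# Constructed keyword sets (assumption): one set per Fraud Triangle component.
KEYWORDS = {
    "pressure": {"deadline", "debt", "desperate", "quota"},
    "opportunity": {"override", "nobody", "backdate", "bypass"},
    "rationalization": {"deserve", "borrow", "temporary", "owed"},
}

# Constructed sample mail for one sender: (period, body).
EMAILS = [
    ("2009-01", "Quarterly numbers attached, see you at the review meeting."),
    ("2009-01", "The deadline moved to Friday, please send the draft."),
    ("2009-02", "Lunch on Tuesday? Invoice batch is reconciled."),
    ("2009-02", "Reminder: expense reports are due this week."),
    ("2009-03", "I am desperate, the debt is crushing me and I missed quota."),
    ("2009-03", "I can override the approval, nobody checks it. I deserve this."),
    ("2009-03", "It is only temporary, I will borrow it and backdate the entry."),
]

def rates_by_period(emails, keywords=KEYWORDS):
    """Return {period: {component: keyword hits per 1000 words}}, periods sorted."""
    hits = defaultdict(lambda: defaultdict(int))
    words = defaultdict(int)
    for period, body in emails:
        tokens = re.findall(r"[a-z']+", body.lower())
        words[period] += len(tokens)
        for comp, terms in keywords.items():
            hits[period][comp] += sum(t in terms for t in tokens)
    # Normalize by volume so a busy month does not look like a spike.
    return {p: {c: 1000.0 * hits[p][c] / max(words[p], 1) for c in keywords}
            for p in sorted(words)}

def flag_periods(emails, factor=2.0, floor=10.0):
    """Flag periods where ALL three components exceed the baseline of earlier periods."""
    flagged, history = [], []
    for period, rate in rates_by_period(emails).items():
        if history:
            base = {c: sum(h[c] for h in history) / len(history) for c in rate}
            # floor keeps a zero baseline from flagging a single stray keyword
            if all(rate[c] > max(factor * base[c], floor) for c in rate):
                flagged.append(period)
        history.append(rate)
    return flagged

if __name__ == "__main__":
    print(flag_periods(EMAILS))
```

Requiring all three components to rise together mirrors the Fraud Triangle premise that opportunity, incentive/pressure, and rationalization are all present where fraud exists; a rise in one set alone is not flagged.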
Documents and Fraud
Missing or altered documents of many types may be indicators of fraud. Phony documents may be created and then deleted. Dishonest individuals may attempt to hide evidence of fraudulent activity by omitting certain documents from a folder or including outdated information. Similarly, corrupt individuals may attempt to hide inflated or other fraudulent pricing in a contract by either destroying existing documents or preventing the creation of documents during pre-solicitation activities. Consequently, auditors should be alert to situations where documents are incomplete or contain outdated documentation.
Joseph R. Dervaes, CFE, ACFE Fellow, CIA, mentions in a Fraud Magazine article of July/August 2009 entitled Missing Disbursement Documents, Part 1, that “missing disbursement documents are a red flag indicating disbursement fraud. But discovering them isn't as easy as it sounds.”
It can be difficult to see if a document is missing simply because it is not there. Something that is missing is more difficult to notice than something that exists. Humans tend to trust what we see rather than look for things we don't see. Technology tools may be developed that help identify documents that are missing or have been altered. These sorts of tools would help auditors and fraud investigators uncover fraud. As more and more documents are digital in nature, such as PDF files and Word documents, digital tools should be an area of focus.
Unstructured data such as E-mails and documents are a fertile area for fraud investigation. Analysis of such data would expand the historical detective focus on accounting and database information. Consequently, it stands to reason that new investigative tools need to be developed and applied for use in these new areas.
Most importantly, prevention-focused technology systems to prevent fraud and tampering are currently lacking in the marketplace yet would have tremendous value for organizations, societies, and governments. Digital systems and the technology industry created this mess. Digital systems and the technology industry should clean it up.