APPENDIX 7.2
A Certified Fraud Examiner (CFE) is often contacted
to conduct a scientific fraud investigation. The CFE’s first
step is to gather and analyze the relevant data to determine whether predication is sufficient to proceed further. Sufficient predication is the basis for creating a
hypothesis of a specific fraud. That is, the CFE, based on
an evaluation of the initial fraud indicators, decides
whether enough evidence exists to proceed further. The
next step is to test the hypothesis by gathering sufficient
evidence through interviews, document examinations,
and observation. At the conclusion of evidence gathering, the CFE prepares a written report that does or does
not support the allegation of fraud or is inconclusive. If
warranted, the case is turned over to an attorney, who
works closely with the CFE to prosecute the case.

Fraud and Computer Crime Prevention Safeguards

With the massive number of cases of insider theft, fraud,
embezzlement, and other crimes reported in the media,
management should take proper action to prevent, detect, and deter these risk exposures. Firms should establish and enforce strong soft controls, including a written
code of professional conduct, ethics, and personnel
policies. Ethical principles should receive increased attention throughout the organization. Sound personnel
policies and controls, such as reference checks on employment applications, should be enforced. The corporate audit committee should be independent of
management and should closely monitor stakeholders’
interests. A properly developed internal audit function,
adequately staffed, can significantly reduce the probability of fraud and other computer crimes. Internal auditors should complete training courses on fraud and
computer crime, such as those offered by the Association of Certified Fraud Examiners of Austin, Texas. In addition, internal auditors and other accountants involved
in the audit function should be encouraged to become
Certified Fraud Examiners. A CFE is trained in criminology, legal elements of fraud, interrogation and investigative matters, and financial fraud.
Respondents to KPMG’s 1998 Fraud Survey have documented policies and procedures they follow for dealing
with fraud. The reported safeguards and controls and the
percentage of responding firms reporting them are as
follows.*
• A corporate code of conduct (75%)
• Reference checks on new employees (65%)
• Employment contracts (48%)
• Review and improvement of internal controls (47%)
• Fraud audit (42%)
• Ethics training (41%)
• Training courses in fraud prevention and detection (31%)
• Surveillance equipment (30%)
• Increased focus of senior management on the problem (29%)
• Enhanced surveillance equipment (27%)
• Code of sanctions against suppliers/contractors (26%)
• Increased role of audit committee (16%)
• Surveillance of electronic correspondence (15%)
• Increased budget for internal audit (13%)
• Staff rotation policy (11%)
• Increased budget for security department (9%)
Although such crimes can never be eliminated, organizations that adopt the above safeguards can dramatically reduce their vulnerability.
*http://www.us.KPMG.com, p. 1.
APPENDIX 7.2
COMPUTER VIRUSES AND RELATED RISKS
A potentially significant risk exposure to information
stored on microcomputers and local-area networks
(LANs) is a computer virus. More than 17,000 computer
virus strains have been documented, and new ones appear daily. Most viruses have static or unchanging structures that render them relatively easy to detect and
destroy with the use of anti-virus software. Anti-virus software checks for, finds, and removes most types of viruses.
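The point about static structures, as an added example that is not part of the original text: a minimal signature scanner in Python showing why an unchanging byte pattern is easy to find in any host file. The signature names, byte patterns, and sample files are constructed placeholders, not real virus signatures.

```python
import io

# Constructed signature database (placeholder names and bytes, not real malware).
SIGNATURES = {
    "Demo.Static.A": bytes.fromhex("deadbeef4d5a9000c0ffee"),
    "Demo.Macro.B": b"Sub AutoOpen_DEMO_PAYLOAD()",
}

def scan_stream(stream, signatures=SIGNATURES, chunk_size=4096):
    """Return sorted (offset, name) pairs for each signature found in stream."""
    # Carry the last (longest signature - 1) bytes into the next read so a
    # pattern split across two chunks is still matched.
    overlap = max(len(sig) for sig in signatures.values()) - 1
    hits, tail, base = set(), b"", 0   # base = absolute offset of window[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for name, sig in signatures.items():
            pos = window.find(sig)
            while pos != -1:
                hits.add((base + pos, name))   # set removes repeat hits in overlap
                pos = window.find(sig, pos + 1)
        keep = min(overlap, len(window))
        base += len(window) - keep
        tail = window[len(window) - keep:]
    return sorted(hits)

def scan_bytes(data, chunk_size=4096):
    return scan_stream(io.BytesIO(data), chunk_size=chunk_size)

# Constructed sample files: two different hosts and one clean file.
INFECTED_PROGRAM = b"A" * 10 + SIGNATURES["Demo.Static.A"] + b"B" * 5
INFECTED_DOCUMENT = b"Quarterly report\r\n" + SIGNATURES["Demo.Macro.B"] + b"\r\nEnd Sub"
CLEAN_FILE = b"Plain text with no known pattern."

if __name__ == "__main__":
    for label, data in [("program", INFECTED_PROGRAM),
                        ("document", INFECTED_DOCUMENT),
                        ("clean", CLEAN_FILE)]:
        # Small chunk size forces the signature to straddle a read boundary.
        print(label, scan_bytes(data, chunk_size=16))
```

Because the pattern is identical in every infected copy, one database entry identifies it regardless of what the host file otherwise contains.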
A computer virus is a computer program that copies
or attaches itself to a program file and causes either the
display of prankish messages or the destruction of data,
such as erasing all the files on a hard disk. Most computer viruses attach themselves to either executable or
document program files.
Currently, macro viruses, which attach to document
files of word processing software packages, such as Microsoft Word, are the fastest growing viruses with thousands of documented strains. These viruses are easy to
write and easy to spread; they usually enter a PC via
e-mail attachments received from the Internet. They,
along with other types of viruses, can also be introduced
into a microcomputer or a LAN when an infected floppy
disk is copied onto a hard disk. Once attached to an executable or document file, a computer virus can remain