The Association of Digital Forensics, Security and Law (ADFSL)
Enterprise systems, real-time recording and real-time reporting pose new and significant challenges to the accounting and auditing professions. These include developing methods and tools for continuous assurance and fraud detection. In this paper we propose a methodology for continuous fraud detection that exploits security audit logs, changes in master records and accounting audit trails in enterprise systems. The steps in this process are: (1) threat monitoring: surveillance of security audit logs for ‘red flags’, (2) automated extraction and analysis of data from audit trails, and (3) using forensic investigation techniques to determine whether a fraud has actually occurred. We demonstrate how mySAP, an enterprise system, can be used for audit trail analysis in detecting financial frauds; we then use a case study of a suspected fraud to illustrate how to implement the methodology.
Best, Peter J.; Rikhardsson, Pall; and Toleman, Mark, "Continuous Fraud Detection in Enterprise Systems through Audit Trail Analysis," Journal of Digital Forensics, Security and Law: Vol. 4, Article 2.
Available at: http://commons.erau.edu/jdfsl/vol4/iss1/2