The Association of Digital Forensics, Security and Law (ADFSL)
Fraud is a multi-billion dollar industry that continues to grow annually. Many organizations are poorly prepared to prevent and detect fraud. Fraud detection strategies are intended to quickly and efficiently identify fraudulent activities that circumvent preventative measures. In this paper, we adopt a Design Science methodological framework to develop a model for detection of vendor fraud based on analysis of patterns or signatures identified in enterprise system audit trails. The concept is demonstrated by developing prototype software. Verification of the prototype is achieved by performing a series of experiments. Validation is achieved by independent reviews from auditing practitioners. Key findings of this study are: (a) automating routine data analytics improves auditor productivity and reduces the time taken to identify potential fraud; and (b) visualizations assist in promptly identifying potentially fraudulent user activities. The study makes the following contributions: (a) a model for proactive fraud detection; (b) methods for visualizing user activities in transaction data; and (c) a stand-alone Monitoring and Control Layer (MCL) based prototype.
Singh, Kishore; Best, Peter; and Mula, Joseph, "Automating Vendor Fraud Detection in Enterprise Systems," Journal of Digital Forensics, Security and Law: Vol. 8, Article 1. Available at: http://commons.erau.edu/jdfsl/vol8/iss2/1