Upload
buithuan
View
213
Download
0
Embed Size (px)
Citation preview
ICAI-WIRC
Trends in Business & IT
Forensics
Presented by,
Prashant BhatSenior Manager, Mumbai
Saturday, January 21, 2012
Agenda
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 2
What is Fraud?
Need for Forensics
Common Fraud Scenarios
What Does Fraud Cost You?
Forensic Audits Approach & Methodology
Types of Forensic Audits?
Computer Forensics - Methodology
Special Investigative Unit
Case Studies
What is Fraud?
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 4
Institute of Internal Auditors defines fraud as:
Any illegal acts characterized by deceit, concealment or violation of trust. These acts are
not dependent upon the application of threat of violence or of physical force. Frauds are
perpetrated by parties and organizations to obtain money, property or services; to avoid
payment or loss of services; or to secure personal or business advantage.
Fraud Detection and management framework
What Does Fraud Cost You?
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 6
5%of annual revenues are lost to occupational fraud*
2010 Report to the Nations: ictim Organizations - # Case / Avg. Loss
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 7
Victim Organization# Case / Avg.
Loss
Mining 12 / $1M
Wholesale Trade 42 / $513K
Oil and Gas 57 / $478K
Real Estate 57 / $ 475K
Agriculture, Forestry, Fishing and Hunting 27 / $320K
Manufacturing 193 / $300K
Transportation and Warehousing 62 / $300K
Technology 65 / $250K
Construction 77 / $200K
Communication / Publishing 16 / $110K
Religious, Charitable or Social Services 41 / $75K
Insurance 91 / $197K
Healthcare 107 / $150K
Education 90 / $71K
Telecommunications 37 / $131K
Arts, Entertainment and Recreation 57 / $475K
Victim Organization# Case / Avg.
Loss
Retail 119 / $85K
Government and Public Administration 176 / $81K
Services (Professional) 51 / $110K
Utilities 45 / $120K
Services (Other) 89 / $109K
Banking / Financial Services 298 / $175K
0
10
20
30
40
50
60
70
80
90
Legend
2010
2008
Asset
Misappropriation
Corruption Financial
Statement Fraud
No
. o
f F
rau
ds
What Does Fraud Cost You?
Percentage of Companies* Reporting Indicated Frauds
Legend
2009
2010
Percentage
Types o
f F
raud
Top Fraud Type
27 % of the companies
reported Information
theft, loss or attack in
2010, a 34% increase
from 2009
* Results are based on survey of companies in USA
What Does Fraud Cost You?
Percentage of companies* within industry reporting information theft, loss
or attack
Percentage
Type o
f In
dustr
y
Legend2009
2010
Top Affected Industry
Sector
42 % of the Financial
services companies
reported Information theft,
loss or attack in 2010, a
43% increase from 2009
40 % of the professional
services companies
reported Information theft,
loss or attack in 2010, a
32% increase from 2009
37 % of the technology,
media & distribution
companies reported
Information theft, loss or
attack in 2010, a 22%
increase from 2009* Results are based on survey of companies in
USA
What Does Fraud Cost You?
Categories of Fraud
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 11
• Misappropriation of Assets
• Improper or unauthorized expenditures (including bribery and other
improper payment schemes)
• Self-dealings (including kickbacks)
• Violations of laws and regulations
• Fraudulent financial reporting
The various categories of fraud that are relevant for consideration by
management in identifying risks of fraud include:
Common Fraud Scenarios: Cross-Industry Risks
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 12
• Fraudulent financial reporting
– Earnings management
– Improper revenue recognition
– Overstatement of assets
– Understatement of liabilities
– Fraudulent journal entries
– Round-trip or “wash” trades
• Misappropriation of assets
– Billing schemes
– Collusion
– Concealment
– Embezzlement
– Forgery
– Ghost employees
– Kiting
– Lapping
– Larceny
– Misapplication
– Payroll fraud
– Theft
• Expenditures and liabilities incurred
for improper or illegal purposes
– Bribes
– Corrupt payments
– FCPA violations
– Concealment
– Related party payments
• Violations of Laws & Regulations
– Compliance violations
– Tax fraud
– Money laundering
– Anti-trust violations
• Self Dealings
– Kickbacks
– Conflicts of interest
– Related Party Transactions
– Misuse of position
Categories of Fraud
Financial Service Industry
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 13
• Bank Fraud
– Loan fraud
– Fraudulent loan applications
– Account takeover
– Wire Fraud
– Check fraud
– Counterfeiting
– Payment card fraud
– Phishing
– Identity theft
– Kiting
– Money laundering
– Demand draft fraud
– Forged documents
– Skimming
– Structuring
– Terrorist Financing
• Common types of investment fraud:
– Unsuitable investments
– Ponzi scheme
– Affinity fraud- investment made because of
recommendation by a “trusted” friend based
on similar backgrounds
– Unregistered investments
– Unlicensed salespeople
– Rogue traders
• Insurance Companies
– Bribery / Kickbacks / Gifts to adjusters
– Conflict of Interest / Related Party
Transactions
– Collusion of internal and external
perpetrators
– Double Billing / Double Processing of
Claims
– False Billings by Claims Processers
– Identity Theft by internal perpetrators
– Overbilling of Underlying Procedures
Can Frauds Happen ? Red Flags / Key Indicators – Entity Level
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 14
Internal control gaps, deficiencies, weaknesses
Business results that continually outperform expectations
Management override of controls
Rapid or significant turnover of resources
– Senior management
– Key financial positions
– Key employees
Inadequate segregation of duties
– Turnover
– Cut-backs / lay-offs
Unusual end-of-month or end-of-quarter journal entries or topside entries
High-level of related-party transactions
Employee, customer or vendor complaints
Repeated changes of independent public accountants
Disclosures
– Investigations
– Suspicion of illegal activities
Red Flags
Process Level – Red Flags
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 15
Cash
• High volume of manually prepared
checks
• Unrestricted access to blank checks,
signature plates, and check signing
equipment
• Improper segregation of duties
• Improper authorization or weak
controls over wire transfers
• Unexplained items when preparing
bank reconciliation
• Excessive number of unexplained
voided checks
• Excessive number of bank accounts
and activity between these accounts
as to make it difficult to follow the flow
of funds
Accounts Receivable Process
• Lack of accountability for invoice numbers
issued
• Lack of segregation of duties between the
following:
– Processing of accounts receivable
invoices and posting to sub-ledger
– Posting to accounts receivable sub-
ledger and cash receipts
• Lack of policies and procedures regarding
write-offs
• Frequent undocumented and/or unapproved
adjustments, credits, and write- off’s
• Low turnover or slow collection cycle
• Dramatic increase in allowance for doubtful
accounts
• No reconciliation of AR sub-ledger to GL
control account
• Unrestricted access to sub-ledgers and
general ledger
Process Level – Red Flags
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 16
Inventory/Production Process
• Credit balances in inventory accounts
• Consistent fluctuations in inventory accounts between months
• Excessive inventory write-offs without documentation or approvals
• Unusual volume of adjustments, write-offs, and disposal of material, inventory, or fixed assets
• Unrestricted access to inventory storage
• No policy regarding identification, sale, and disposal of obsolete and surplus materials
• FG inventory turnover rate does not correlate with operating cycle
• No segregation of duties between:
– Receipt of inventory and issuing of materials
– Recording of inventory accounts and ordering materials
– Identification of obsolete and surplus materials and sale and disposal of such materials
Distribution
• Substantial cash payments, price
discounts, rebates, or other concessions to
distributors to induce continued buying as
well as promise not to return goods
• Payments or concessions to distributors
that are recorded as expenses rather than
reductions in revenue
• Inventory sent to distributors include rights
of return
• Distributors sell goods on consignment but
revenue is recognized immediately
• Recognizing revenue before the risk of
loss has passed to the customer
• Distributors are nothing more than
warehouses where inventory is stored but
sale is recorded
Process Level – Red Flags
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 17
Fixed Assets
• Expenses are inappropriately
capitalized
• Leased assets are recorded as fixed
assets
• Incorrectly classified assets (short-
term vs. long-term)
• Fixed assets classified at market
value rather than historical cost
• Unexplained discrepancies between
the fixed asset register and the
general ledger
Accounts Payable
• Recurring identical amounts from the same vendor
• PO Boxes or multiple remittance addresses for the same vendor
• Sequential invoice numbers from the same vendor or invoice numbers with an alpha suffix
• Lack of segregation of duties
• Processing AP invoices and updating vendor master file
• Preparing checks and posting to vendor accounts
• Preparing and mailing signed checks
• No proper documentation of changes to vendor master file
• Suspicious/excessive adjustments for returned goods
Process Level – Red Flags
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 18
Purchasing
• Turnover among buyers within the purchasing department significantly exceeds attrition rates throughout the organization
• Purchase order proficiency rates fluctuate significantly among buyers within comparable workload levels
• Dramatic increase in purchase volume per certain vendor(s) not justified by competitive bidding or changes in production specifications
• Unaccounted purchase order numbers or physical loss of purchase orders
• Rise in the cost of routine purchases beyond the inflation rate
• Unusual purchases not consistent with the categories identified by prior trends or operating budget
Bidding Process
• Costs for work performed by certain contractors are coded differently (e.g. by an unusual project number or general ledger account) than for similar work performed by other contractors
• Certain contractors are typically allowed to overrun their bid amount without proper authorization or change order documentation
• Existence of conflicts of interest (e.g. a company employee having a financial interest in a contractor’s business)
• Contractor who consistently submits the lowest bid after all other bids have been submitted
• Inappropriate interaction between purchasing department personnel and contractors
• Background checks indicate that the contractor has numerous DBAs and those other companies compete against the contractor during the bidding process
Process Level – Red Flags
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 19
Payroll
• Dramatic increase in labor force or overtime not justified by production or sales volume
• Turnover within the payroll department significantly exceeds attrition rates throughout the organization
• Missing or easy access to blank checks, facsimile, and manual check preparation machine
• Tax deposits are substantially less than those required by current payroll expenses
• High volume of manually prepared payroll checks
Finance Process
• Significant adjustments to accrued liabilities, accounts receivable, contingencies, and other accounts prior to acquisition of new financing
• Dramatic change in key leverage, operating, and profitability ratios prior to obtaining financing
• Adopting a change in accounting principle or revising an accounting estimate prior to obtaining financing
• Increase in short-term cash and a decrease in receivables while sales are increasing prior to seeking new financing
• A change in external activities, legal counsel, or treasury department head prior to obtaining new financing
• A delay in issuance of monthly, quarterly, or annual financial reports prior to seeking new financing
What is Fraud Auditing?
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 21
• Anomalies
• Exceptions
• Irregularities
• Oddities
• Patterns
Combination of tools and techniques used to detect indicators of fraud and
misconduct, including:
Fraud auditing : Be Skeptical!
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 22
• Always request originals.
• Ask yourself whether transactions make sense.
• Have documents been altered?
• Look to see where the documents are maintained.
• Do employees have close personal relationships with vendors?
• Is there a lack of supporting documentation?
• Do background checks identify related parties and DBAs?
• Does an answer not make sense?
• Are you avoided more than usual?
• When asking a relatively simple question, are you unexpectedly referred
to someone high up in the organization?
• Go with your gut!
Fraud Auditing : Rules for focus
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 23
• Where are the weakest links in the system’s
controls?
• What deviations from conventional good
accounting practices are possible?
• How are off-line transactions handled and who
has the ability to authorize these transactions?
• What would be the simplest way to compromise
the system?
• What control features in the system can be
bypassed by higher authorities?
• What is the nature of the work environment?
Protiviti’s Forensic Audit Lifecycle
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 24
Sources of Investigation
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 25
• Tips
• By Accident
• Internal Audit
• Data Analytics
• Monitoring
• External Auditors
• Government
Investigative Techniques
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 26
• Interviewing
• Evidence Collection
• Collaboration
• Research
• Evidence Analysis
• Documentation
• Report
Issues to Consider in Initiating and Conducting an Investigation
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 27
• Evaluation of the Allegation
• Scope of the Investigation
• Investigative Expertise
• Internal and External Perpetrators
• Preservation of Evidence
• Chain of Custody
• Document Management
• Reports
Investigative Techniques - precautions
Types of Forensic Audits?
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 29
Where is Electronic
Evidence ?
Forensic Accounting
ActivitiesComputer Forensics
Activities
Types of Forensic Audits / Reviews
• Identifying
Accounting
irregularities
• Performing
Wrongdoing
investigations
• Asset tracing
• Performing
Regulatory
investigation
• Forensic data
Acquisitions
• Forensic Data
analysis
• Forensic data
preservation
• Litigation support
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 30
Computer forensics is a discipline that combines elements of law and computer
science to collect and analyze data from computer systems, networks, wireless
communications, and storage devices in a way that is admissible as evidence in a
court of law.
It is the specialist process of imaging and processing computer data which is
reliable enough to be used as evidence in court.
Computer Forensics – What is it?
Computer Forensics ushers digital information case solving with
traditional forensics !!
Data Talks and Data Doesn't Lie
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 31
Forensics vs. Computer Forensics?
FORENSICS
The use of science and
technology to investigate and
establish facts in criminal or civil
courts of law
COMPUTER FORENSICS
The acquisition, analysis, and
reporting of digital evidence
Forensics vs. Computer Forensics?
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 32
• Any internal investigation where computer plays a key role
Ninety percent of U.S. companies are involved in litigation (Jaworski & Fulbright).
Computer data plays a critical role in virtually every internal investigation or litigation.
Electronically stored information is able to reveal much more than just the contents of
a file.
Where is Computer Forensics used ?
• Any government probe or financial investigation
• Any litigation where electronically stored information is requested or produced.
Where is the Electronic Evidence ?
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 33
• Laptops/Desktops• PDA’s/Cell phones• Printers• Servers• CD’s/DVD’s• USB Thumb Drive
Where is Electronic Evidence ?
Some Storage Devices are Less Obvious Than Others
Computer Forensics Illustrative Methodology
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 35
Preservation and
CollectionExamination
Computer Forensics Analysis
Reporting and Testimony
Acquisition Analysis Reporting
Media Data Information Evidence
Data Acquisition
Data collection & preservation
Data Analysis
Computer forensic analysis/examination
Acquisition-Preservation and Collection
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 36
• Take authority to undertake the
Forensic investigation from the
client
Legal Document
Chain of Custody
is used in court as
evidence of
Integrity
Authorization
Chain of
Custody
• Documents chain of events
•Who – Names of people involved
•What – Information about the
device being acquired
•When – Dates/Times of
possession
•Where – Location of the device
•How – Details about the imaging
process
Acquisition-Preservation and Collection
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 37
An improperly filled out CoC can hurt the case !
Acquisition-Preservation and Collection
Video tape and photographs are
good supplements to handwritten
notes.
The following is an indicative list –
•Physical surrounding of the
Machine
•State of the machine
•Computers Make
•Model Number
•Serial Number
•Photographs of the back of the
PC
•List of attachments to the target
device
Document
Surroundings
Target computer
location photograph
Target computer model
number photograph
Target computer on state front
and back photograph
Prevent evidence
tampering & have
adequate
documentation
•Restrict access to
the equipment /
target machine to
avoid tampering
•Document the
scene in as much
detail as possible.
Acquisition-Preservation and Collection
Media
Extraction
• Extract Media
• Take a Photograph
• Document
Acquisition-Preservation and Collection – Initial
Reaction – Key Points
Determine if a destructive script is active on the system. If yes, remove
the power cord from the back of the system.
Document the target machine and the surrounding
If the computer is running take a photograph of the screen.
Take photographs of the back, front, side and inside of the computer.
Bag and tag all potential evidences.
Search for sticky notes, pieces of paper and bag all evidences.
In case a confiscation is needed secure the evidence and transfer the
same to a secure location.
Acquisition-Examination
For examination of data , the first step is to create unaltered images ( at least 2) of the
whole HDD and other data sources. This image is called a Bit Stream Image or a forensic
image.
Bit by bit/sector by sector copy of the data is
performed.
Read-Read-Copy is the cycle, NO Write !!
Use write-blockers especially for Windows.
Copy the data
Verify the data – Compare Hashes
MD5 Hash of the original Media MD5 Hash of the copied data
Typical Tools Used:
Encase & FTK
Encase FTK
Success !
Forensic Analysis
Keyword Searches
Email Searches
index.dat INFO2
The Windows Swap File
Print spool files
Analysis of the following can be performed
Temporary Files
Signature Analysis
Slack Space
Signature Analysis
Cookies Metadata Analysis
Forensic Analysis – Where does the Evidence Hide ?Two categories of data as evidence
• System Files
• User Data Files
• Word, Excel, etc.
• Company issued e-mail address
• Data that the user can “see”
Active Data
• Hidden Files
• Deleted Files
• Unallocated File Space
• Internet History
• Web Based E-Mail Activity
• Yahoo!, Hotmail, etc.
• Data user cannot “see”
Passive Data
NOT Usually Backed UpUsually Backed Up
Forensic Analysis – Where does the Evidence Hide ?Evidence Extraction
Deleted Files
• Secrets.doc
• ClientList.doc
• Spreadsheet.xls
Why DELETE does not mean DELETE
“Deleting” a file changes the
first character in the file name;
the data for the file remains on
the drive until overwritten.
Hiding Files
Changing the extension is
the most common way of
hiding the file from preying
eyes
Forensic Analysis – Where does the Evidence Hide ?Evidence Extraction
Temporary Internet files
Stock Trading Records Web Based Banking &
Forensic Analysis – Where does the Evidence Hide ?Evidence Extraction
Analysis using Encase
Searching for the
term “Hacking” using
Encase to scavenge
for evidences from
the data dump
Forensic Analysis – Where does the Evidence Hide ?Evidence Extraction
Analysis using FTK
Searching for the
term “Hacking” using
FTK to scavenge for
evidences from the
data dump
Reporting and LitigationEvidence Extraction
Reporting
To be admissible in the Courts of law, evidence and reporting typically undergos a pre trial
(called “Daubert Hearing” in USA). Four categories determine the success/failure of
evidences viz.
•Testing
•Error Rate
•Publication
•Acceptance
Testing
False Positives False Negatives
Error Rate
Tool
Implementation
Error Rates
Abstraction
Error
Reporting and LitigationEvidence Extraction
Publication
• Documentation in a public place
• Undergone a peer review
• Technical procedures used to extract the data must be addressed in the publication
• Most important and difficult aspect of the general acceptance of a tool/technique used
by the tool.
Acceptance
• Closed source tools use
the testimony of the users
using them.
• Open source tools have
their codes released for
the review of the extraction
procedures.
Reporting and LitigationAvoid Spoliation
A quick internal investigation may make the
evidence inadmissible !!
Special Investigative Units
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 55
Steering Committee
Board of Directors
• Client FTE
OR
• Consultants
Telecoms
(if required)
• Client FTE
OR
• Consultants
• Client FTE
OR
• Consultants
• Client FTE
OR
• Consultants
• Client FTE
OR
• Consultants
Software:
Applications
• Sponsor project and set targets
• Approve key objectives
• Drive change and arbitrate
differences
Software:
Storage
Hardware:
ApplicationsHardware:
Storage
• Provide category
specific expertise &
assistance
• Advise & update
teams on key
strategies &
benchmarks
• Cross-functional experts and
key stakeholders
• Senior Resources
• Junior Resources
Special Investigative UnitInternal Audit Team
• Senior Resources
• Junior Resources
• Provide category
specific expertise &
assistance
• Participate in periodic
meetings/ sanction
interim deliverables
• Assist in change
management activities
How Organizations have Embedded Forensics Capabilities within the IA teams
Case 1 - Harassment Case and the application of Forensics
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 57
The Victim The Accused
•Claimed was Harassed
by CEO
•Married, Loyal Woman
•Files $10M Suit
•CEO of the leading
company
Case Study
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 58
Initial Evidence Initial Investigation
•Produces 18-month
chronology
•Produces damaging e-mail
•Corporation discusses
$1.5M settlement
•Forensics Process is
initiated
Recovered Searches
for:
“Harassment”
“Harassment
Settlements” “Big
Harassment
Claim”
Case 1 - Harassment Case and the application of Forensics
Case Study
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 59
Investigation - Analysis of
data
•Instant Messages:
•Berating the CEO.
•Confession of poor
performance
•Deleted Emails discussing
the planning for the wrongly
accusing the CEO
Case 1 - Harassment Case and the application of Forensics
Case Study
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 60
Investigation – Fabricated
MS word files which were
later printed as threats
Counsel decides to analyze PC belonging to “co-worker”
Case 1 - Harassment Case and the application of Forensics
Case Study
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 61
Charges Dropped
Company sues for Fraud and
Embezzlement
Case 1 - Harassment Case and the application of Forensics
Case Study
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 62
Major Biochemistry Research
Organization
Case 2 - Theft of Intellectual Property
•Team of Scientists Leave the Company
•Launch New Organization•Receive Lab Funding •Announce Discoveries
Case Study
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 63
Initial
InvestigationInitial Evidence
•Files copied to removable
media?
•Files e-mailed as
attachments?
•Collaborating on company
time?
•Forensics Process is
initiated
Case 2 - Theft of Intellectual Property
XX
•No evidence of
file copying
•No evidence of
files sent by e-
•No incriminating
activity on
company server X
Case Study
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 64
Initial
Investigation
• Recovered Internet-based
E-mail Accounts
Case 2 - Theft of Intellectual Property
• Communications between
Involved Parties
• Web e-mails with
attachments
Case Study
© 2011 Protiviti Inc. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue
opinions on financial statements or offer attestation services. 65
Result of
investigation
• Temporary Internet Files
revealed
• Theft of IP through
web-based e-mail
• Elaborate planning and
coordination
• Months of preparation
Case 2 - Theft of Intellectual Property
Case Study