With the growing use of
Computers in every aspect of business, the role of auditors in Banking and
other Corporate environments has undergone a sea change.
In the manual era, the
auditor was required to look at the accuracy of the accounting. Hence the
auditor's main role was to certify "Accuracy" of financial information. With
the use of Computers, accuracy of figures is no longer the prime concern of
the auditors. However, to the extent that Computers work on the GIGO principle,
there is still some requirement to check the accuracy of data input and
therefore "Accuracy Audit" continues to be the first priority of auditors.
The second most important
auditing objective has been to check "Compliance" of the working with a given
benchmark which could be the manual of the controlling office or the taxation
law requirements or the Corporate Governance requirements. The "Compliance
Audit" continues to be important today though the scope of such an audit is
gradually expanding with multifarious legal requirements being foisted on the
"Accounting Auditors".
Since "Risks" have an
impact on "Accuracy" and "Compliance", it is now recognized that
Information Security Audit, which identifies the risks in an organization and
the measures taken to control them, has also become an important function
of "Audit". However, since it is often beyond the scope of the "Financial
Auditors" to undertake effective audit of Information Security, it is often
handled by "EDP Auditors" or auditors specially qualified for the purpose with,
say, CISA certification. For the auditors whose primary concern is
financial accuracy, IS audit is still an alien subject and expertise available
for the purpose is still low.
Under these circumstances, a
need has been felt for specialized "Fraud Auditors" whose primary focus is to
identify and analyse "Fraud Risks" in a Computerized accounting environment.
Such a fraud audit undertaken by "Certified Fraud Examiners" needs a different
approach to audit, which can be referred to as "Forensic Audit".
The principle of "Forensic
Audit" is that "Data presented by the unit to be audited may have been
manipulated, and any audit of such data, to be credible, has to be
based on a Forensic examination of data to identify manipulation".
Forensic audit requires the use
of "Data Analysis Tools" that interact with the data submitted for audit and
extract deleted or altered data. If, in the process, some manipulation is
detected, it is also the responsibility of the auditor to capture the fraud
evidence and present it in a manner that would stand in a Court of Law. If
not, an auditor who accuses a person of a fraud which cannot be proved, and the
Company which takes any action on that basis against the person so accused, may
be liable to a defamation suit by the accused.
There are some "Network based
Concurrent Audit Tools" which can be used to connect to the network and
observe the transactions. These do not interrupt the ongoing work on the
Computer. However, these depend on connectivity and cannot always
extract and preserve for evidence data which has been deleted or
overwritten.
Forensic Quality Data Capture
In most incidents of
suspected Fraud investigated by Internal Auditors, it becomes necessary to
subject the hard disk of a suspect to a detailed examination.
The practical problem in most
such cases is that if the auditor has to take over the computer immediately,
it may disrupt the operations of the enterprise seriously.
It therefore becomes
necessary for the auditor to make a "Copy" of the original "Evidence" and
carry on his investigations on the "Copy". The difficulty then is that if he
stumbles upon some evidence during his examination and then comes back to
seize the original hard disk, the data on the original hard disk may no longer
contain the evidence he had unearthed during the investigation.
Even assuming that the
"Original Hard Disk" itself had been taken over and the investigations have
unearthed some evidence, there would be a charge from the accused that the
evidence was in the custody of the Auditor and could have been tampered with.
It becomes absolutely
essential therefore for the investigator to preserve the original evidence and
at the same time subject it to any type of analysis he may like without
disrupting the regular user of the system and the hard disk.
A device required for this
purpose is one which makes one or more "Bit Image" copies of the suspect hard
disk in the presence of the asset owner. These copies can later be used for
invasive analysis without jeopardizing the evidentiary value of the data.
For this purpose it would
also be necessary to create a "hash code" for the "original" being copied so
that the duplicates can be proved to contain the exact data as found in the
original and any analytical result arising out of the duplicate is acceptable
against the original also.
Intelligent Computer
Solutions (ICS), a company based in the USA, manufactures the necessary tools
that ideally fit the requirements of the Law Enforcement Authorities.
ICS has developed the hard
drive duplication technology (patented under US patent no C,131,141) that has
been in use by Law Enforcement agencies in several countries and Commercial
enterprises including companies such as Intel. These devices are now available
in India for the first time.
The two key products offered
by ICS are the Solo2 and the LinkMASSter.
Solo2 is a handheld
software duplication device made for computer disk drive data seizure. Image
capture operations can be performed from a suspect's drive to another hard
drive with duplication speeds in excess of 1.8 GB/Min.
This is powered by the
Company's patented Image MASSter technology and provides for MD5 and SHA1
hashing (approved by ITA-2000) for data integrity checking. Upon copying of
the suspect disk to an evidence disk, a report can be generated along with the
hash code which can be jointly authenticated by the system owner and the
investigator to avoid any disputes on the integrity of the data transfer.
Since the copying is a "Bit
Image Copy Process", the evidence disk can be analysed with data recovery
tools for recovering deleted information. Multiple clones can be generated so
that different investigators can simultaneously work on the copies, all of
which are legally acceptable clones of the original.
Solo2 is connected directly
to the suspect drive and, in order to prevent accidental writing on the suspect
drive, an accessory named "Drive Lock" is used in between the suspect disk and
Solo2.
The LinkMASSter is a
software acquisition device made for seizing data from computers that cannot
be opened in the field. It is ideally suited for acquiring data from a Laptop.
It can perform high-speed data transfer (up to 3.5 GB per minute) between any
suspect hard disk drives through the computer's USB/Firewire port. It
supports MD5 and SHA1 hashing during and after the acquisition. A bootable CD
is supplied to boot the suspect's computer and run the LinkMASSter acquisition
program.
Both devices capture data
from a suspect's hard drive in Single Capture mode and Multi Capture mode (which
can capture more than one source drive to a single evidence drive).
Additionally, there are desktop
disk duplication models which enable creation of multiple evidence
disks which can be sent for Forensic Analysis to different labs.
These devices are the primary
hardware requirements for data capture and disk duplication and have been
forensically tested and industrially accepted as reliable for judicial
evidence.
Once Data is captured using
these devices, with a Certificate recording the hash code at the time of
seizure, the data can be subjected to analysis using standard software such as
ACL or IDEA.
There are also data analysis
tools such as “EnCase” or “Cyber Check” which can be used on the copied disk.
These are capable of “Un-deleting” deleted files, reading hidden files,
recovering passwords, searching through a mass of data for key words, and so on.
Auditors who need to conduct
Forensic audit or Fraud audit need to utilize these tools so that evidence
located during such audits can be preserved for the purpose of further legal
action. Not using such tools may result in the Fraud charges being dismissed
in the Courts, leading to the accused filing a counter suit for defamation
against the Company.
Forensic Audit System in
Banking, Financial and e-Government Institutions
Sensitive records in Banks,
Financial Institutions and Government are today mostly in the form of
electronic documents. Audit of such institutions today is therefore entirely
dependent on the Computerized records.
Auditing the printouts and
computer screens as presented by the Branch Management, which is the standard
practice today, is logically ineffective in case of any frauds done by the
Branch staff themselves, since the data being audited may be manipulated. In
these records, deletions and interlineations do not show up as they would have
in a manual record and are therefore not available as audit alerts.
These records also can raise
the bogey of “Invalid Self Incriminating Evidence” when a criminal prosecution
is to be launched based on the evidence produced by the accused who himself is
a branch manager or a system administrator.
The system therefore needs a
modified approach which is suggested below and is based on the use of some
tools. This is ideal for Banks which maintain branch level servers and any
other institution with a similar IT setup. A modified system can also be
structured for Institutions which run on the Central server based systems
running on a dedicated network or Internet.
The following audit system is
suggested for Indian Banks and similar institutions using a client-server model
of software at the branch level.
1. Each Branch will be provided with an “Audit Assistance Tool” with which
it can send a “Forensic Quality Hard Disk Clone” of the database server every
month to the central audit unit of the institution in the form of a “Monthly
Return”.
2. The Hard disk will be accompanied by a Certificate which indicates the
“Hash Value” of the disk computed with the MD5 hash (legally accepted in India
under ITA-2000) and signed by the Branch Manager and the System Administrator
as per an approved procedure.
3. Alternatively, the Inspection department will organize a “Roving Data
Collector” who is equipped with the “Mobile Audit Assistance Tool” and
will collect the necessary disk copy in his presence, under the authentication
of the branch authorities.
4. The Disk will be sent securely to the central audit unit, which will be
equipped with a "Set of data analysis tools" capable of undertaking normal
audit as well as fraud audit.
5. After analysis the disk will be wiped clean and recycled.
The above system not only
enables the auditor to look for fraudulent file erasures and modifications but
also cuts down the time taken by the senior auditors at the branch location
drastically.
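The hash check that the "hash code" paragraph and steps 2 and 4 above rely on, sketched in Python as an added example (not the author's code and not ICS software): the clone is hashed in one pass and compared with the digests recorded on the certificate. The image files and their names are constructed stand-ins, and recording SHA-256 alongside the MD5 and SHA1 the article names is an assumption made here because collisions are known for both older algorithms.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-GB image never sits in memory

def image_digests(path, algorithms=("md5", "sha1", "sha256")):
    """Hash an image file in a single pass; returns {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_clone(path, certificate):
    """Return the algorithms whose digest differs from the certificate.

    An empty list means the clone matches the original on every digest."""
    actual = image_digests(path, tuple(certificate))
    return [name for name, expected in certificate.items()
            if actual[name] != expected.strip().lower()]

def demo():
    """Constructed scenario: certify an 'original', then check a clone twice."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "original.img")  # hypothetical names
        clone = os.path.join(workdir, "clone.img")
        # Constructed stand-in for drive contents, slightly over one chunk long.
        data = b"LEDGER" + bytes(range(256)) * 4096 + b"\x00" * 512
        for path in (original, clone):
            with open(path, "wb") as f:
                f.write(data)
        certificate = image_digests(original)      # recorded at seizure
        on_receipt = verify_clone(clone, certificate)
        # Simulate tampering in transit: flip one bit of one byte in the clone.
        with open(clone, "r+b") as f:
            f.seek(1000)
            byte = f.read(1)[0]
            f.seek(1000)
            f.write(bytes([byte ^ 0x01]))
        after_tamper = verify_clone(clone, certificate)
        return on_receipt, after_tamper

if __name__ == "__main__":
    print(demo())
```

Running the same check again after analysis shows whether the working copy was altered by the tools used on it.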
Naavi
April 7, 2004