With the growing use of Computers in every aspect of business, the role of
auditors in Banking and other Corporate environments has undergone a sea
change.
In the manual era, the auditor was required to look at the accuracy of the
accounting. Hence the auditor's main role was to certify the "Accuracy" of financial
information. With the use of Computers, accuracy of figures is no longer the
prime concern of the auditors. However, to the extent that Computers work on the
GIGO (garbage in, garbage out) principle, there is still some requirement to check
the accuracy of data input, and therefore "Accuracy Audit" continues to be the
first priority of auditors.
The second most important auditing objective has been to check "Compliance" of
the working with a given benchmark, which could be the manual of the controlling
office, the taxation law requirements or the Corporate Governance
requirements. The "Compliance Audit" continues to be important today, though the
scope of such an audit is gradually expanding with multifarious legal
requirements being placed on the "Accounting Auditors".
Given the "Risks" that have an impact on "Accuracy" and "Compliance", it
is now recognized that an Information Security Audit, aimed at identifying the
risks in an organization and the measures taken to control them, has also become an
important function of "Audit". However, since it is often beyond the scope of
the "Financial Auditors" to undertake an effective audit of Information Security,
it is often handled by "EDP Auditors" or auditors specially qualified for the
purpose, such as those holding a CISA certification. For the auditors whose primary
concern is financial accuracy, IS audit is still an alien subject, and the expertise
available for the purpose is still scarce.
Under these circumstances, a need has been felt for specialized "Fraud Auditors"
whose primary focus is to identify and analyse "Fraud Risks" in a Computerized
accounting environment. Such a fraud audit, undertaken by "Certified Fraud
Examiners", needs a different approach to audit, which can be referred to as
"Forensic Audit".
The principle of "Forensic Audit" is that "Data presented by the unit to be
audited may have been manipulated, and any audit of such data, to be
credible, has to be based on a Forensic examination of the data to identify
manipulation".
Forensic audit requires the use of "Data Analysis Tools" that interact with the
data submitted for audit and extract deleted or altered data. If in the
process some manipulation is detected, it is also the responsibility of the
auditor to capture the fraud evidence and present it in a manner that would
stand up in a Court of Law. If not, an auditor who accuses a person of fraud that
cannot be proved, and the Company which takes any action on that basis against the
person so accused, may be liable to a defamation suit by the accused.
There are some "Network based Concurrent Audit Tools" which can be used to
connect to the network and observe the transactions. However, these depend on
connectivity and are not always able to extract deleted and overwritten data,
which needs a thorough investigation.
It is in this context that the benefits of "Hard Disk Cloning Devices" become
extremely important. These devices can make perfect bit image copies of the
evidence hard disks, which can then be subjected to intense examination in a lab
environment by the "Fraud Examiners". If the cloning device is also capable of
satisfying the evidentiary requirements, such as with a digital signature or a hash
code that ties the copy to the original, any fraud unearthed during the examination
in the audit office can also be proved in a Court of law.
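The hash-code check described above, as an added illustration that is not part of the original article: a bit image is verified by streaming both the evidence disk and its clone through the same hash and comparing the digests, so that a single altered byte in the copy is detected. The sample "disk" contents, file names and the `verify_image` helper are constructed for this example.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB images never sit in RAM


def hash_file(path, algo="sha256"):
    """Stream a disk image through the hash and return its hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(source_path, image_path, algo="sha256"):
    """Compare an evidence disk with its clone; returns (match, src_digest, img_digest).
    A bit image must be exactly as long as the evidence disk, slack and unallocated
    space included, otherwise deleted data has already been lost in the copy."""
    src, img = hash_file(source_path, algo), hash_file(image_path, algo)
    same_len = os.path.getsize(source_path) == os.path.getsize(image_path)
    return same_len and src == img, src, img


def demo():
    """Constructed sample, not real evidence: a tiny 'disk' whose unallocated region
    still holds a record the ledger no longer shows, one exact clone, and one clone
    with a single bit flipped (the kind of alteration the hash code must expose)."""
    evidence = (b"LEDGER|2004-03-30|acct 1001|credit 5000\n" * 64
                + b"\x00" * 512
                + b"UNALLOCATED|acct 1007|debit 9000\n"   # 'deleted' record
                + b"\x00" * 4096)
    tampered = bytearray(evidence)
    tampered[40] ^= 0x01                                  # flip one bit
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in (("evidence.dd", evidence), ("clone.dd", evidence),
                           ("altered.dd", bytes(tampered))):
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(data)
        exact, src, img = verify_image(paths["evidence.dd"], paths["clone.dd"])
        altered, _, alt = verify_image(paths["evidence.dd"], paths["altered.dd"])
    return {"exact_match": exact, "altered_match": altered,
            "source_sha256": src, "clone_sha256": img, "altered_sha256": alt,
            "expected_sha256": hashlib.sha256(evidence).hexdigest()}


if __name__ == "__main__":
    print(demo())
```

Recording the source digest at the time of cloning, and re-checking it before every examination, is what lets the examiner show that the copy analysed in the lab is the same data that was seized.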
A "Forensic Audit" is therefore required to use "Data Capture" devices which can
effectively create duplicates of the evidence data to be examined.
Use of such devices will be considered part of "Due Diligence" on the part of
the auditors and Companies.
These are of particular relevance to Banks and e-Governance centers, where the
need for a fraud resistant audit is paramount.
Na.Vijayashankar
March 30, 2004