Today’s Risk of Fraud: Forensic Accountants Help Protect Identity Theft

Megan Laughman
Financial Accounting Theory
Michael Miller
4/7/15

Abstract The purpose of this study is to explore the recent cyber breaches that have occurred within companies throughout the United States and to look at the different ways these cyber breaches could have been prevented. The research also examines the need for forensic accountants within the business field, as they are able to help protect a company’s credibility and reputation. The study looks at the different internal controls a forensic accountant can incorporate into a company to help prevent cyber breaches and fraud from taking place. The results of the research provide confirmation that forensic accountants are essential in every company in order to help prevent and detour cyber breaches and fraud.

Table of Contents
Introduction……………………………………………………………………………………4
Literature Review………………………………………………………………………………7
Data Analysis........................................................................................................................…...14
Results and Conclusion…………………………………………………………………………17
References………………………………………………………………………………………19

Today’s Risk of Fraud: Forensic Accountants Help Protect Identity Theft
Introduction
Technology today is more advanced than it ever has been and almost everyone this day and age owns a computer, tablet, or smart phone. Most Americans utilize their computers, tablets, or phones to pay bills, shop, play games, and the list could be endless, technology has allowed us the ability to live our lives through the internet. The internet can be a wonderful tool to have, but, on the other hand, it can be very chilling as it allows for people on the outside to access our personal information. In recent years, there have been several security breaches or system hacks occurring among different companies. In 2013, Target’s network was hacked. Cybercriminals for 18 straight days were able to steal around 40 million credit and debit card numbers from Target’s point of sale system (Cohen, 2014). Most recently, cyber criminals hacked into Anthem, Inc. The Anthem hack is the latest of security breaches affecting tens of millions of customer’s information going clear back to 2004 (Kieler, 2015). The cybercriminals were able to obtain present and past members’ names, date of birth, social security numbers, health care ID numbers, home addresses, email addresses, and work information, for example income data. Anthem does not believe that credit card, banking information, or medical information, such as claims, test results, or diagnostic codes were compromised (Anthem, 2015). Although, Anthem is offering two years of free identity protection through AllClear ID, it does not protect someone from having his or her identity stolen or keep fraud from occurring. Research shows one in ten people have become a victim of identity theft. Identity theft occurs when “one’s personal information is stolen for the purpose of impersonating that person, making unauthorized purchases, taking money from bank accounts, opening new lines of credit with the stolen information, or using that information for other financial gain,” such as committing fraud (Sanchez, 2012). Security breaches or hacking a company through a computer network is known as committing a cyber-crime. According to Pearson and Singleton (2008), the Department of Justice defines a cybercrime “as any violations of criminal law that involve knowledge of computer technology for their perpetration, investigation, or prosecution.” Cybercrimes include obtaining digital information without prior authorization, obtaining classified information without authorization, access to any non-public computer and access to a protected computer. These types of cyber-crimes include credit card fraud, extortion, money laundering, and identity theft (Pearson, 2008). There are ways companies can try and help prevent and detect fraud, and that is by hiring forensic accountants. Forensic accountants not only help to prevent and detect fraud, but they also provide assistance in protecting confidential personal information that companies store, collect, and are used by different organizations (Robbins, 2011). Forensic accountants can help implement and develop a privacy protection program within a company to ensure confidential information is safe and secure.
Purpose Statement The purpose of this research is to identify what a forensic accountant is and what their role is within a company. The research will also provide an explanation of how forensic accountants can help detect and prevent fraud from occurring. The research is based on studies performed by various individuals and accounting standards of Generally Accepted Privacy Principles (GAPP), American Institute of Certified Public Accountants (AICPA), and the Federal Trade Commission (FTC).

Research Questions The research questions to be examined in this study are as follows: (1) What is a forensic accountant, and what role do they play when a cyber-breach occurs? (2) How can a forensic accountant protect confidential personal information within a company? (3) What characteristics and skills should a forensic accountant possess? (4) What causes or allows hackers to access a business, or personal network? (5) What are the threats most common to network security? (6) What steps can a company take to keep their system secure? (7) What training should a forensic accountant obtain to be able to detect fraud?
Accounting Rules The AICPA and Canadian Institute of Certified Accountants (CICA) established the accounting rules that apply to forensic accounting in relation to fraud or identity theft. In 2003, they formed a Privacy Task Force to publicize a global privacy framework, known as GAPP. The AICPA also enacted AU Section 316, noting the procedures that should be taken if there is fraud suspected in a financial statement. The U.S. Department of Justice establishes guidelines for the collection and handling of electronic evidence (Bressler, 2011). The Federal Rules of Evidence, rule 702 explains the rules and requirements of testimony by expert witnesses. The U.S. Federal Trade Commission (FTC) is the primary force when it comes to consumer data security (Cohen, 2014). The FTC makes sure companies and businesses maintain data security practices to be sure confidential information is being protected. Another accounting rule is the Sarbanes-Oxley Act of 2002 (SOX) as it helps protect the public from fraud activity. Lastly, the Public Company Accounting Oversight Board (PCAOB) provides rules and regulations when it comes to auditing; to be sure, fraud is prevented or detected.
Literature Review
Fraud Risks Fraud has existed for many years throughout the world and occurs very often. According to Wolfe and Hermanson (2004), they stated in 2003 the most common form of fraud was employee fraud. There have been numerous studies conducted and found that fraud is most likely to occur when an employee or outside source has an incentive to commit fraud, weak controls, and oversight can provide opportunity for a person to commit fraud, and the person can rationalize the fraudulent behavior or attitude (Wolfe, 2004). Individuals who commit fraud are characteristically very intelligent, experienced, creative, and possess a solid understanding of the company’s controls and vulnerabilities. Wolfe and Hermanson (2004) created a four-sided “fraud diamond” that reviews a person’s capability of committing fraud, while looking at different personality traits and abilities that play a role in committing fraud. The four-element fraud diamond looks at the individual thought process when considering committing fraud. The four elements consist of having an incentive; he or she wants or has a need to commit fraud. Opportunity; this could be a weakness in the system that the person committing the fraud is able to break into. Rationalization; the person committing the fraud is able to rationalize the fraudulent behavior, convincing themselves that it is worth the risk. Lastly, capability; the individual believes he or she has the necessary traits and abilities to commit fraud (Wolfe, 2004). Capabilities are the primary influence in the fraud diamond. Capabilities are typically explicit and individually measured in fraud risk. A person with the capability shows several different characteristics for committing fraud. One characteristic consist of an individual’s position or function within a company that may provide the ability to create or exploit an opportunity to commit fraud. A person that commits fraud is also smart enough to understand and exploit internal control weaknesses and use his or her position, function, or authorized access to his or her advantage. Another characteristic of an individual, who commits fraud, is someone who has a strong ego or a great deal of confidence that he or she will not be caught. A successful fraudster can be considered a bully as he or she can persuade others to commit or hide fraud. Additionally, someone who commits fraud is a very good liar; he or she has the ability to lie effectively and consistently. Lastly, a fraudster is very good at handling stress, as committing and managing the fraud they committed over a period can become extremely stressful (Wolfe, 2004).
Requirements for a Forensic Accountant Identity theft and fraud are a widespread problem in the United States, and transpires when one’s “personal information is stolen for the purpose of impersonating that person, making unauthorized purchases, taking money from bank accounts, opening new lines of credits with the stolen information, or using that information for other financial gain” (Sanchez, 2012). Studies show one in ten people have been victimized by identity theft and fraud, including check fraud, credit card fraud, financial identity theft, criminal identity theft, governmental identity theft, healthcare fraud, and identity theft (Sanchez, 2012). Companies hire forensic accountants to try to help prevent and detect identity theft and fraud, as forensic accountants are “trained to respond to complaints, arising from criminal matters, civil litigation, and inquiries arising in corporate investigations” (Smith, 2012). Forensic accountants will utilize different resources to acquire pertinent financial evidence and to understand and present the evidence in a manner that will assist both individuals and companies in a dispute. Forensic accountants typically have an accounting degree and can be employed by insurance companies, banks, police forces, government agencies, and different organizations. In order to become a forensic accountant, the candidate must obtain their Certified Public Accountants (CPA) license. A forensic accountant’s certification goes beyond the typical requirements of a CPA. The forensic accountant must not only hold their CPA license, but also be registered with the State Board of Accountancy, and be in compliance with all local ordinances, state and federal laws and regulations. A forensic accountant applicant must submit an application to the American Board of Forensic Accounting (ABFA), pay the fees involved, send in, a current resume, degrees, copy of one’s CPA license, and have at least two professional references. Once the ABFA has approved the application, the next step is taking the exam. The exam consists of one hundred multiple-choice and true-or-false questions and the candidate is only allowed to retake the exam twice. Once the exam is passed, a certificate of completion will be sent to the new forensic accountant. An important requirement for a forensic accountant to remember, is not only does the CPA require additional education hours, becoming a Certified Forensic Accountant also requires fifteen hours of forensic accounting related education each year (ABFA, n.d.).
Characteristics and Skills for a Forensic Accountant The AICPA defines forensic accounting, as involving “special skills in accounting, auditing, finance, quantitative methods, the law, and research. It also requires investigative skills to collect, analyze, and evaluate financial evidence, as well as the ability to interpret and communicate findings” (Bhasin, 2013). A forensic accountant should possess skills not just in financial accounting, but also in internal control systems, the law, other institutional requirements, investigative proficiency, and interpersonal skills (Bhasin, 2007). Some key characteristics a forensic accountant should possess are objectivity and independence. These two skills are vital for a successful forensic accountant. A forensic accountant should also be able to identify the possibility of a scheme occurring by having very little information; this requires having good investigative skills. They should be able to detect any financial issues with the financial information. Forensic accountants need to have knowledge of investigative techniques so they can obtain the necessary information needed to prove or disprove the issues found. They need to understand what information is considered evidence and how it would apply if the case would go to court. Another key characteristic knows how to interpret financial information. Forensic accountants must be sensible of the natural bias that could occur within the interpretation process. They also need to view each transaction or sequences of events from different viewpoints to ensure the interpretation is correct. Forensic accountants must be able to present their findings of their investigation to the company and/or courts. Lastly, not only must a forensic account possess knowledge of accounting, forensic accountants must develop an investigative mentality in order to look beyond the rules and regulations given by the GAAP, generally accepted auditing standards (GAAS), or any other basis of accounting (Smith, 2012). In order for a forensic accountant to be successful, they must possess certain personal skills. Those skills include having patience and having an analytical mindset. A forensic accountant must look past the numbers and understand the material of the situation. “The ability to pay attention to the smallest detail, investigate data thoroughly, think creatively, possess common business sense, be proficient with a computer, and have excellent communication skills are all necessary skills to become a successful forensic accountant” (Bhasin, 2013). When a forensic accountant attends court, he or she needs to be able to maintain composure when providing the details of the case on the witness stand. They also need to be insensitive to personal attacks on his or her professional credibility. To become an even better forensic accountant, skills such as having a photographic memory can help when visualizing present and past events, having the ability to reconstruct details of past accounting transactions, and being able to listen and observe carefully are also key. As this would allow the forensic accountant to be able to detect lies regarding fraud (Bhasin, 2007, 2013).
Financial Reporting Regulations Forensic accountants provide the assistance of protecting sensitive personal information that companies collect, store, and use. They are able to use the AICPA/CICA’s set of Generally Accepted Privacy Principles (GAPP) rules and regulations in developing and implementing a protection program for companies (Robbins, 2011). Typically, companies store confidential information on their system’s mainframe and even portable devices, which is being distributed using the internet and other wireless technologies. Confidential information being stored on mainframes and portable devices has become very easy for individuals to target and the loss or theft of this information has been shown to jeopardize the financial well-being of a company. Forensic accountants are hired by companies to help assist in developing privacy policies and procedures that can help promote the safety and confidentiality of individuals personal information, they are also able to assist in monitoring the system of safeguards to ensure continued effectiveness (Robbins, 2011). In 2009, the AICPA and CICA developed a framework consisting of common privacy principles known as the GAPP.
The framework defines ten principles that allow the forensic accountant to set up privacy and security practices of confidential information protection among companies. The first factor of the GAPP requires a plan for assigning accountability for privacy policies and procedures. The principle also requires notice about an organization’s privacy policies and procedures are provided to all employees and customers. The third principle states, individuals have the right to be provided with clear, visible, and readily available devices to exercise his or her choice regarding the collection, use, and disclosures of his or her confidential information. The fourth principle is the collection principle. This principle requires a company to collect personal information only for the purposes noted within the privacy notice. A company should also limit the use of someone’s personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. Principle 6 consists of providing individuals with access to their personal information, in order for them to review, verify, and update when necessary. Disclosure is an important principle of the GAPP, this principle requires that disclosure of personal information to third parties are for the purposes identified in the privacy notice and only when an individual provides consent. The eighth principle requires companies to protect personal and confidential information against loss, misuse, unauthorized access, disclosure, alteration, and destruction. Principle 9 requires personal or confidential information that is collected, stored, and used to be accurate, complete, and relevant for the purpose noted within the privacy notice. Additionally, the tenth principle addresses monitoring and enforcement. This GAPP principle focuses on a company’s responsibility to monitor compliance with its privacy policies and procedures and to have procedures in place to address privacy-related inquiries, complaints, and disputes (Robbins, 2011).

Computer Security Identity theft and fraud not only affect individuals, but it also affects the corporate world. Fraudulent activity can be an embarrassment to both the company in which the fraud occurred as well as the auditors that did not catch the fraudulent activity sooner. After the Enron and WorldCom scandals, companies have realized the need for skilled forensic accountants that can identify, expose, and prevent weaknesses in the following three key areas: poor corporate governance, flawed internal controls, and fraudulent financial statements (Ramaswamy, 2005). Forensic accountant’s skills have become very important within the corporate accounting information systems in order to help protect their confidential information, emphasize its accountability, and responsibility to stakeholders. Researchers have shown that poor corporate governance is a primary element in poor performance, manipulated financial reports, and unhappy stakeholders (Ramaswamy, 2005). The Securities and Exchange Commission (SEC), PCAOB, and Financial Accounting Standards Board (FASB) hold companies responsible for their accounting and disclosure standards, and hold company’s auditors to audit, independence, ethical, and quality control standards (Ramaswamy, 2005). Companies are finding forensic accountants should be well educated with Accounting Information Systems (AIS) as these systems are designed to help assist in the protection of confidential information. Understanding an AIS system is especially important when forensic accountants are investigating fraud and who within the organization might be capable of bypassing or removing red flags from the AIS system (Bressler, 2011). Companies who are looking to realign their accounting information systems are finding three main weaknesses that are occurring within their current system, lack of a well-developed and implemented policy of corporate governance, lack of honesty and transparency in reporting, and an ineffective and inefficient system of internal control (Bressler, 2011). In order to help protect confidential information from hackers, companies, and forensic accountants need to be sure the following policies and procedures are in place. First, is to review the service provider’s data protection policies to be sure they are adequate and up to date. In addition, a company should decide who should have access to company servers, and make sure it is well documented. Next, be sure there is a well thought out internet data security policy put into place. Companies will need to update all software, and use an industry standard network data security firewall. Additionally, be sure companies are using new network backup strategies, such as remote data backups and data copying. Be sure all personal information is encrypted that is stored on laptops or other portable devices. Companies need to be sure they are changing passwords periodically using a mixture of alphabet letters, numbers, and symbols. Lastly, companies should consider keeping all valuable information off the network. (Holtfreter, 2014).
The focus of corporate governance is to improve the value of a company through ethical behavior, adopting a policy of honesty and fairness, and safeguarding informed decision making throughout the company. A good system will also have good internal control, as this will assist the company to achieve its objectives and profitability and minimize loss of resources. Forensic accountants are needed now more than ever to help companies develop a strong, comprehensive data protection plan to help defend against hacker attacks (Holtfreter, 2014).
Data Analysis
Benefits of a Forensic Accountant Fraud and identity theft have become an issue of major significance within the public and private sectors since the Enron and WorldCom scandals. These scandals along with the scandals occurring currently today through security breaches have created a continued need for forensic accountants. Forensic accountants are educated to detect the potential for fraudulent activity as well as being responsible for trying to prevent fraud from occurring (Apostolou, 2005). Companies hire forensic accountants to try to be proactive in preventing fraud, the proactive approach allows the company to be preventative and instill internal controls to help prevent fraud from occurring. Forensic accountants are utilized to apply their financial skills and investigative mentality to determine if fraud has occurred. They also support criminal or civil action against dishonest individuals, support insurance claims, and support the defense of an accused employee. Forensic accountants form a basis for terminating a dishonest employee, along with determining whether assets or income was hidden from a specific legal case (Apostolou, 2005). Research has repeatedly proven preventing fraud and exposing misleading accounting practices are in strong demand in all companies, as they respond to scrutiny of their financial activities by shareholders and government agencies (Digabriele, 2008). Forensic accountants have special skills that allow them to gather evidence to determine if fraud has occurred. Those special skills include the following, obtaining public documents to review and conduct background investigations, conduct interviews of knowledgeable employees, accessing confidential sources, utilizing laboratory analysis of physical and electronic evidence, conduct undercover operations, and forensic accounts possess the skills of analyzing financial transactions (Apostolou, 2005). Possessing these skills is beneficial to all companies to detect and determine if fraud is occurring within their organization. Based on the research, it is safe to say there will be a continued need for forensic accountants to help detect, prevent, and detour fraud and identity theft from occurring.

Data Breach Prevention It seems as though almost every week there is an announcement on national television or the internet informing the world about a company’s system, which stored confidential information, being hacked into and now millions of Americans are at risk of identity theft. In order for companies to help prevent security breaches and protect Americans, they must have internal controls in place. Internal controls help prevent attackers from breaking into a company’s secure system. All companies should instill good internal access controls within their company, such as regular automated monitoring and verifying of access configurations, and auditing user access to data (Sampemane, 2015). Internal controls with the right granularity, combined with access logging and auditing, can help detect and prevent security breaches from occurring (Sampemane, 2015). To help ensure companies confidential information is being protected companies need to incorporate hardware security. For example, the use of strong passwords, having a random combination of different characters or numbers helps provide a higher level of security. Hard drives should also be encrypted, this helps ensure confidential information remains private even if the hard drive ends up stolen (Allen, 2013). Companies should have policies and procedures in place to ensure employees are protecting office networks and drives, protecting confidential information stored on smartphones, laptops, and home computers. Employees with access to confidential information on their phones or laptops should be backing up data which help provide security if the device would fail (Allen, 2013).
Companies will often put digital forensics tools into place to help investigators or forensic accountants gather evidence if a security breach has occurred. Some of those tools include making sure the digital forensic tools are rigorous in reporting the time and date of information, tools should be particularly competent in handling log files, be able to produce significant evidence in case the security breach becomes a legal matter and is able to recover deleted files (Brozovsky, 2013). Implementing these tools into a company’s security system also helps the prevention of fraud occurring, and if it would this provides a quick way for an investigative team to gather the necessary information to prosecute those involved.
Results and Conclusion Cyber-attacks and cyber breaches are occurring more frequently all over the world. Most cyber-attacks or cyber-breaches are committed by someone who is typically very intelligent, experienced, and has a solid understanding of a company’s controls and vulnerabilities. Research has found cyber breaches occur when an employee or outside source is given an incentive to commit fraud, has weak controls, or is someone who is able to rationalize committing the cyber breach. Companies are looking for forensic accountants to help incorporate policies and procedures of internal controls to help assist in detouring cybercriminals from hacking into their computer systems.
Forensic accounting is defined as “the specialty practice area of accounting that describes engagements that result from actual or anticipated disputes (2015).” Forensic accountants focus on fraud prevention and detection, they must be able to run to the extent of investigative assignments, and try to help companies instill internal controls to help prevent cyber-attacks from occurring. In order for a forensic accountant to be successful, one must be knowledgeable of professional responsibilities and practice management, laws, courts, and dispute resolution, planning and preparation, information gathering and preservation, discovery, and reporting, experts and testimony (Davis, n.d.). Companies who have been affected by cyber breaches have found they don’t have the proper policies and procedures in place to protect the confidential data stored in the company’s computer systems. Forensic accountants help companies develop Accounting Information Systems (AIS) and the AICPA and CICA have incorporated GAPP rules and regulations for forensic accountants to incorporate within companies. The AIS and GAPP rules and regulations help company’s define the terms of security, details how confidential information is to be protected and explains how the company should be monitoring and enforcing the rules and regulations incorporated into their system. The GAPP puts the responsibility for the company to monitor its privacy policies and procedures to help protect their employee’s confidential information. It is imperative companies have policies and procedures in place to help ensure confidential information is being protected from criminals. Companies who incorporate policies and procedures, or internal controls within their organization are less likely to endure a cyber-breach.
Based on the study conducted, a forensic accountant plays a key role within a company by helping educate management about cyber-breaches and fraud. Forensic accountants also help companies protect employees or customers confidential information. Most companies just hire auditors to help and detect fraud, but forensic accountants not only help detect fraud, they also help prevent cyber-breaches and fraud from occurring. Companies looking to enhance their security information system or need to investigate a cyber-breach should look at hiring a forensic accountant, as they have the knowledge and ability to locate the originating source.

References
Allen, J., & Hallene, A. (2013). Protecting your data in cyberspace. American Journal of
Family Law, 27(3), 198-207.

American Board of Forensic Accounting (CR.FA.). (n.d.) About the program. Retrieved
February 20, 2015, from, http://certfa.org/about-the-program/

Anthem. How to access and sign up for identity theft repair and credit monitoring services.
(2015, February 13). Retrieved February 25, 2015, from https://www.anthemfacts.com/

Apostolou, N.G., & Cubmley, L. (2005). The expanding role of the forensic accountant.
Forensic Examiner, 14(3), 39-43.

Bhasin, M.L. (2013). Corporate governance and forensic accountant: an exploratory study.
Journal of Accounting, Business & Management, 20(2), 55-83

Bhasin, M.L. (2007). Forensic accounting: A new paradigm for niche consulting. The
Chartered Accountant, 55(7), 1000-1010.

Bressler, L. (2011). Forensic investigation: The importance of accounting information systems.
International Journal of Business, Account, & Finance, 5(1), 67-77.

Brozovsky, J., & Jie, L. (2013). Digital Forensics. Strategic Finance, 95(5), 37-43.
Cohen, B. 2014. The law of securing consumer data on networked computers. Journal of
Internet Law, 18(2), 3-12.

Davis, C., Farrell, R., & Ogilby, S. (n.d.). Characteristics and skills of the Forensic Accountant.
Retrieved March 9, 2015, from http://www.aicpa.org/InterestAreas/ForensicAndValuation/Resources/PractAidsGuidance/DownloadableDocuments/ForensicAccountingResearchWhitePaper.pdf

Digabriele, J.A. (2008). An empirical investigation of the relevant skills of forensic accountants.
Journal of Education for Business, 83(6), 331-338.

Forensic Accounting. (n.d.). In Wikipedia.

Holtfreter, R.E., & Harrington, A. (2014). Will hackers win the battle? Strategic =
Finance, 96(1), 27-34.

Kieler, A. (2015, February 13). Anthem says data from as far back as 2004 exposed during hack, offering free identity theft protection. Retrieved February 25, 2015, from http://consumerist.com/2015/02/13/anthem-says-data-from-as-far-back-as-2004-exposed-during-hack-offering-free-identity-theft-protection/

Pearson, T.A., & Singleton, T.W. (2008). Fraud and forensic accounting in the digital environment. Issues in Accounting Education, 23(4), 545-559.
Ramaswamy, V. (2005). Corporate governance and the forensic accountant. CPA Journal,
75(3), 68.

Robbins, W.A. (2011). AICPA/CICA’s generally accepted privacy principles: A tool for
Forensic Accountants. Forensic Examiner, 20(2), 12-20.

Sampemane, G. (2015). Internal Access Controls. Communication of the ACM, 58(1), 62-65.

Sanchez, M. (2012). The role of the forensic accountant in a Medicare fraud identity theft case.
Global Journal of Business Research (GJBR), 6(3), 85-92.

Smith, E. P. (2012). The basic of business valuation, fraud and forensic accounting, and dispute resolution services. CPA Journal, 82(6), 6-11.

Smith, G.S. (2015). The past, present, and future of forensic accounting. CPA Journal, 85(3),
16-21.

Weisbaum, H. (2015, February 18). Millions of children exposed to ID theft through Anthem breach. Retrieved February 25, 2015, from http://www.nbcnews.com/business/personal-finance/millions-children-exposed-id-theft-through-anthem-breach-n308116

Wolfe, D.T., & Hermanson, D.R. (2004). The fraud diamond: Considering the four elements of fraud. CPA Journal, 74(12), 38.