Andrew Sanford and Dr. Conan Albrecht, Information Systems
It is generally accepted that the American public expects auditors to find fraud. While detecting both fraud and errors are official SAS 99 expectations, auditors spend the overwhelming majority of their time on finding only errors. This focus, in part, has allowed frauds such as Enron to be perpetrated and has caused nearly $1 trillion in annual losses in the United States, or roughly 7 percent of Gross Domestic Product (Chui and Pike 2013).
One reason auditors don’t focus more on fraud detection is because no intuitive framework exists to help auditors think about how fraud could be committed by a given audit client (Wilks and Zimbelman 2004). SAS 99 instructs the audit planning committee to brainstorm how fraud could be perpetrated by the audit client, but the standard provides no official guidelines for how it should be done. A framework for fraud-detection brainstorming sessions would help auditors better accomplish this difficult task and better meet public expectations.
Threat modeling is a methodology used within the information security field. It enables security teams to effectively understand their organization’s greatest security risks, how those risks could be exploited, and brainstorm solutions to mitigate those risks (Shostack 2014). The methodology has proven to be effective in the information security field and is used by most large organizations (Shostack 2008).
Threat modeling has been successful because it’s flexible and highly adaptable. The methodology enables organizations’ security teams to consider how their organization is vulnerable through a focus on the organization’s assets, potential attackers, and the organization’s software (Shostack 2014). Threat models have been adapted for specific situations and technologies, including RFID technology (Thompson et al. 2006), email phishing (Olivo et al. 2013), and the Internet of Things (Babar et al. 2010).
The fields of information security and fraud detection are similar in that (1) both fields seek to prevent ill-intentioned actors from causing harm and (2) these actors’ techniques evolve and adapt as new preventive measures are put in place. Therefore, we adapt threat modeling to fraud detection and take key concepts, namely attack trees and attack vectors, and rename them as risk trees1 and risk vectors2, since auditors view frauds more as risks than attacks.
Because accountants already base much of their analysis on company assets (in addition to liabilities and owner’s equity), we believe an asset-based approach is best suited as a framework for SAS 99’s brainstorming requirement. An audit planning committee will follow the steps outlined in Figure 1. The outcome of this process is a risk tree with risk vectors.
This methodology lays the groundwork for improved detection of fraud by auditors. Further research is needed to (1) adapt it to liability- and owner’s equity-related fraud and (2) to conduct real-world tests.
- Babar, S., Mahalle, P., Stango, A., Prasad, N., & Prasad, R. (2010). Proposed Security Model and Threat Taxonomy for the Internet of Things (IoT). Conference: Recent Trends in Network Security and Applications.
- Chui, Lawrence and Pike, Byron, “Auditors’ responsibility for fraud detection: New wine in old bottles?” (2013). Accounting Faculty Publications. 56.
- Olivo, C. K., Santin, A. O., & Oliveira, L. S. (2011). Applied Soft Computing.
- Shostack, A. (2014). Threat modeling: designing for security. Indianapolis: Wiley.
- Shostack, A. (n.d.). Experiences Threat Modeling at Microsoft.
- Thompson, Dale & Chaudhry, Neeraj & Thompson, Craig. (2006). RFID SECURITY THREAT MODEL.
- Wilks, T. J., & Zimbelman, M. F. (2004). Using Game Theory and Strategic Reasoning Concepts to Prevent and Detect Fraud. Accounting Horizons,18(3).
1Risk tree: Hierarchy of an organization’s important assets and those assets’ associated risk vectors.
2Risk vectors: Ways an asset could have fraud perpetrated against it.