Forensics, Fraud and Analytical Techniques - PowerPoint PPT Presentation

Provided by: chriswe7
1
Forensics, Fraud and Analytical Techniques
  • Computer Forensics (Chapter 12)
  • Practicum Dell Computer Corporation
  • (Planning Materiality and Tolerable Misstatement)

2
Schedule (revised)

3
For next week
  • Comprehensive review of ISMT300T IS Audit course
    Materials
  • Example question for test
  • Suggested review readings

4
Dell Computer
  • Materiality and Tolerable Error

5
Crime Doesn't Pay?
  • As Willie Sutton the bank robber said when asked
    why he robbed banks:
  • "Because that's where the money is"
  • Sutton robbed banks and he was good at it. He
    made no bones about that. He usually packed a
    gun, either a pistol or a Thompson submachine gun
  • "You can't rob a bank on charm and personality"
  • "Why did I rob banks? Because I enjoyed it. I
    loved it. I was more alive when I was inside a
    bank, robbing it, than at any other time in my
    life. I enjoyed everything about it so much that
    one or two weeks later I'd be out looking for the
    next job. But to me the money was the chips,
    that's all."
  • From Where the Money Was: The Memoirs of a Bank
    Robber (Viking Press, New York, 1976)

6
Why Computer Crime?
  • Because that's where the money is (c. 2005)
  • Money is no longer held in physical form
  • How much money is being handled daily by computer
    exchange systems in 2005?
  • Foreign exchange 2 trillion daily
  • Derivatives markets 5 trillion daily
  • Outstanding derivatives positions 200 trillion
  • NYSE daily activity 1.6 trillion daily

7
Types of Computer Crime: Business as a Victim
  • Employee Thefts
  • Payroll Fraud
  • Fraudulent Billing Schemes
  • Fraud Committed by outsiders
  • Management Thefts
  • Corporate Thefts

8
Types of Computer Crime: Business as a Vehicle
  • Organized Crime
  • Money laundering
  • Theft from Minority Shareholders
  • Other Stock Market Fraud
  • Bankruptcy Fraud

9
Crime's new venue
  • The Internet (with an estimated 1 billion people)
    is now in a golden age of criminal invention.
  • It's a "dot-con" boom, in which electronic crime
    runs rampant in a frantic search for business
    models.
  • Even encryption, supposedly a defensive measure,
    has become a tool for extortion
  • witness the weird new crime of breaking into a
    computer, encrypting its contents, and then
    demanding a payoff to supply a password to the
    victim's own data.
  • The crime's so new, it doesn't even have a name
    yet.
  • All the classic scams and rackets that city
    sharpies push on rubes can be digitized
  • once there were a few relatively uncomplicated
    viruses, now there are torrents of fast-evolving,
    multifaceted viruses.
  • Where once there was just small-time credit-card
    fraud, now there is international credit-card
    racketeering.
  • Computer-network password theft has turned into
    sophisticated ID fraud that robs patrons of banks
    and online auction sites.
  • Spam, once an occasional rude violation of
    "netiquette," now arrives by the ton (12.9
    billion pieces a day worldwide last May,
    according to the e-mail security firm IronPort)
  • Then there are the newer electronic crimes,
    proliferating so fast that even experts have
    trouble keeping up with the jargon. Phishing.
    Spear phishing. Pharming. DDOS. DDOS protection
    rackets. Spyware. Scumware. Web site defacement.
    Botnets. Keylogging.

10
FBI 2005 Computer Crime and Security Survey
  • Companies with sales of less than 10 million per
    year
  • spent 643 per employee on computer security each
    year.
  • For companies with more than 1 billion in annual
    revenue
  • the amount spent on security dropped to 247 per
    employee.
  • The survey found that companies in the utilities
    business spent the most on computer security
  • on average, 190 per employee per year.
  • Next highest on the list were transportation and
    telecommunication companies, with average annual
    costs per employee of 187 and 132, respectively.

11
Computer Criminals Today
  • The largest class of crime is Internet based
  • Generally, there is a form of compartmentalization
    , from the top down
  • At the top of the food chain is someone who has
    the financial means to organize a group
  • This individual, acting as the criminal kingpin,
    puts together a plan and then assembles the
    necessary technologically savvy individuals.
  • These groups work together without central
    organization
  • Many members are recruited through acquaintances;
    others are found online
  • Individuals use Web sites, online forums, and IRC
    channels to advertise their services and meet
    their colleagues. Many others visit these sites
    to learn how to get started in the business.
  • The scene is always looking for rooters,
    scanners, curriers: various hacking specialties
  • Once they've learned those skills, hackers
    commonly operate as freelancers, working on
    projects in an area of expertise--whether it be
    writing exploits, building botnet networks, or
    designing fake Web sites
  • And like legitimate businesspeople and
    freelancers, they must build a reputation before
    they can get hired for lucrative work.

12
Hotspots for Internet crime
  • Brazil, Bulgaria, China, Estonia, Hungary,
    Indonesia, Japan, Latvia, Malaysia, North Korea,
    Romania, Russia, and the United States are major
    centers for organized hacking
  • Why are certain areas hotspots?
  • Places where there's a significant amount of
    activity usually have a technically advanced
    population and a large population of computer
    users.
  • You also have a poor economy, so you have people
    with the technical skills to do good work, but
    they can't find a job that will provide for them,
  • so they may have to resort to doing things that
    are against the law
  • These hotspots (other than the United States and
    Japan) also tend to be countries where laws and
    law enforcement lag
  • hackers will find the weakest link, the country
    with no laws

13
Denial-of-service (DoS attack)
  • A "denial-of-service" attack is characterized by
    an explicit attempt by attackers to prevent
    legitimate users of a service from using that
    service. Examples include
  • attempts to "flood" a network, thereby preventing
    legitimate network traffic
  • attempts to disrupt connections between two
    machines, thereby preventing access to a service
  • attempts to prevent a particular individual from
    accessing a service
  • attempts to disrupt service to a specific system
    or person
  • Details are at
    http://www.cert.org/tech_tips/denial_of_service.html

14
Zombies
  • Zombies do a lot of the heavy lifting
  • malware-infected computers that an online puppet
    master controls
  • Set to work in thousands or even tens of
    thousands, the machines in a zombie network or
    "botnet" attempt to carry out the high-tech money
    grab.
  • Botnets are popular because of their increasing
    sophistication and multiple uses.
  • versatile zombie armies pull in cash for their
    controllers in a variety of ways.
  • Sending spam (a big money-maker) is one common
    use.
  • Zombie networks can also steal personal
    information for purposes of identity theft.
  • When botnets are used to launch a DDoS attack,
  • the ringleader instructs each zombie computer to
    send a flood of data to a particular Web site.
  • By itself, the data from a single PC can't hurt a
    site.
  • But multiply that traffic by 10,000 or more
    computers, and a Web site can easily be
    overwhelmed and cut off from the Internet.
  • E.g., MyDoom had a rather unsophisticated means
    of controlling host machines.
  • Once it insinuated itself into an unprotected PC,
  • anyone who knew a not-so-secret five-digit code
    could commandeer the computer for any desired
    purpose
  • As a result, MyDoom-compromised computers were
    very popular with online criminals for a while

15
Botnets
  • Malware turned an average of 172,009 previously
    healthy computers into zombies every day during
    May 2005
  • CipherTrust, an e-mail security company that
    tracks botnets
  • As processing power improves and broadband
    Internet connections become more widespread,
    zombie computers will be able to send more spam
    or hit Web sites harder
  • and botnets will become more powerful.
  • Also, the ability to shuffle funds
  • including ransom payments
  • anonymously through convoluted Internet paths
    using human mules (in much the same way as in the
    drug trade) and online payment services
  • means that criminals can revisit old approaches.

16
Cops and Robbers
  • Some botnets consist of phalanxes of from 15,000
    to 50,000 zombie PCs that are controlled by
    groups of people dispersed around the world
  • Christopher Painter, deputy chief of the Computer
    Crime section of the U.S. Department of Justice.
  • Most perpetrators are adults who execute
    extremely sophisticated assaults. "They don't
    brag, and they cover their tracks very well,"
    (Painter)
  • One notorious cybergang, called Shadowcrew,
    reportedly had 4000 members scattered across the
    United States, Brazil, Spain, and Russia.

17
Objectives
  • Money is these cybergangs' primary motivation
  • The asking price for temporary use of an army of
    20,000 zombie PCs today is 2000 to 3000,
    according to a June posting on SpecialHam.com, an
    electronic forum for hackers
  • Marshaling their armies of zombie PCs, online
    extortionists may threaten to crash a company's
    Web site unless they are paid off.
  • Hackers are not shy about asking for 20,000 to
    30,000 from companies.

18
Payoffs
  • Companies know it's far cheaper to pay the
    hackers than to get knocked offline and lose
    hundreds of thousands of dollars in lost business
  • Many extortionists go unreported because
    businesses are unwilling to volunteer evidence of
    their coercion to law enforcement officials,
  • corporations don't want to admit to their
    customers, stockholders, and business partners
    their networks were ever vulnerable to an attack.
  • only about 20 percent of computer intrusions are
    ever reported to law enforcement agencies.
  • The US Secret Service receives between 10 and 15
    inquiries per week from businesses owners who
    believe they may be the target of a cyberattack.
  • 2004 survey conducted by the Computer Security
    Institute

19
Case Study: Protx
  • When the first extortion e-mail popped into
    Michael Alculumbre's inbox, he had no idea it was
    about to cost his business nearly 500,000.
  • The note arrived in early November of last year,
    as Alculumbre's London-based transaction
    processing company, Protx was being hit by a
    nasty distributed denial of service (DDoS)
    attack.
  • Zombie PCs from around the world were flooding
    Protx.com (the company's Web site) and the
    transaction processing server that was the
    commercial heart of the business.
  • In the extortion e-mail's broken English, someone
    identifying himself as Tony Martino proposed a
    classic organized-crime protection scheme.
  • "You should pay 10,000," Martino wrote. "When we
    receive money, we stop attack immediately."
  • The e-mail even promised one year's protection
    from other attackers for the 10,000 fee.
  • "Many companies paid us, and use our protection
    right now," Martino said. "Think about how much
    money you lose, while your servers are down."
  • A 2004 PriceWaterhouseCoopers survey of more than
    1000 businesses in the UK found that,
  • on average, companies spent more than 17,000 on
    their worst security incident that year.
  • For large companies, that amount was closer to
    210,000, the study found.
  • For companies of either size, most of the loss
    was due to the disruption in their ability to do
    business, with expenses for troubleshooting the
    incident and actual cash spent responding to it
    accounting for considerably less.

20
Case Study: Protx
  • By scrambling its IT staff and prohibiting
    traffic from zombie servers
  • at one point, Protx.com simply blocked all
    traffic originating from the Western United
    States
  • the company managed to survive the first wave of
    the attack against it.
  • But the 13-person company's biggest cost involved
    preparing for the next assaults, consisting of
    thousands of server requests, which came in
    January and April of 2005.
  • The April attack, which lasted for more than five
    days, was the most severe,
  • as Protx and the attackers engaged in a kind of
    online cat and mouse
  • Just as Alculumbre's technicians found one way to
    block the flood of unwanted server messages, the
    attackers would switch to another tack.
  • At one point, the cybercrooks used a new exploit
    of Microsoft's Internet Information
    Services server that caused the Protx Web site to
    crash whenever certain types of secure messages
    got through.
  • Protx responded by installing an SSL accelerator
    and analyzing the messages before letting them
    through.
  • On the final day of the April assault, the
    attackers hit Protx with everything they had.
  • At the peak of the assault, the company's servers
    were processing 800 megabits of traffic per
    second, the equivalent of more than 530 T1 lines
    firing at full capacity.

21
Case Study: Protx
  • Just a few years ago, financially motivated
    attackers tended to focus on fringe businesses
    like online gaming sites.
  • Transaction processors like Protx are now choice
    prey for extortionists,
  • If you bring down your payment processor, you can
    bring down hundreds of online processors
  • Transaction processors like Protx will do
    everything in their power not to be offline
  • therefore, they are investing heavily in security
    and bandwidth.
  • Protx ended up spending a whopping 38,000 per
    employee on security in 2004

22
Client-side Targets
  • About 60 percent of new vulnerabilities now
    affect client-side applications
  • like Web browsers and media players
  • And those vulnerabilities are drawing all the
    wrong sorts of attention
  • In 2005, unwanted network traffic targeting
    Symantec Veritas BackupExec
  • rocketed to 500,000 instances within days of an
    announced security hole in the product,
  • up from a previous maximum of about 50,000
    instances.
  • Microsoft Office, Internet Explorer, Firefox, and
    AOL Instant Messenger also suffered from serious
    reported vulnerabilities, as did RealPlayer and
    iTunes

23
Focus of Client-side Attacks
  • Attackers now target
  • backup and recovery programs,
  • as well as "the antivirus and other security
    tools that most organizations think are keeping
    them safe"
  • SANS Top 20 report for 2005 on the most critical
    Internet vulnerabilities
  • The shift toward finding and exploiting
    vulnerabilities in programs represents a major
    change from past years,
  • when Windows and other operating systems and
    Internet services like Web and e-mail servers
    were the preferred targets.

24
Client-side Crime: Recent Problem Software
  • Some of the latest application holes
  • Sony BMG's XCP copy protection: Used ham-fisted
    rootkit code to hide every file name that began
    with the characters "sys"; virus writers soon
    released worms and Trojan horse programs to
    leverage the XCP cloaking features
  • Symantec/Veritas NetBackup: A buffer overflow
    vulnerability in a file used by NetBackup clients
    and servers
  • Macromedia Inc.'s Flash Player: A buffer
    overflow in some versions of the Macromedia Flash
    Player
  • Skype Technologies S.A.'s Skype: A critical
    buffer overflow vulnerability in versions of the
    free Internet phone app

25
SANS (SysAdmin, Audit, Network, Security) Institute: The 20 Most Critical Internet Security Vulnerabilities
  • Top Vulnerabilities in Windows Systems
  • W1. Windows Services
  • W2. Internet Explorer
  • W3. Windows Libraries
  • W4. Microsoft Office and Outlook Express
  • W5. Windows Configuration Weaknesses
  • Top Vulnerabilities in Cross-Platform
    Applications
  • C1. Backup Software
  • C2. Anti-virus Software
  • C3. PHP-based Applications
  • C4. Database Software
  • C5. File Sharing Applications
  • C6. DNS Software
  • C7. Media Players
  • C8. Instant Messaging Applications
  • C9. Mozilla and Firefox Browsers
  • C10. Other Cross-platform Applications
  • Top Vulnerabilities in UNIX Systems
  • U1. UNIX Configuration Weaknesses

26
Phishing
  • California has passed an antiphishing law,
  • the Anti-Phishing Act of 2005
  • With the passage of the Anti-Phishing Act of
    2005, California joins such states as Texas, New
    Mexico, and Arizona, all of which adopted
    antiphishing legislation earlier this year.
  • Phishing victims are typically sent fraudulent
    e-mail designed to trick them into revealing
    personal information, like bank account numbers,
    user names, and passwords.
  • Under the Anti-Phishing Act, these victims may
    seek to recover either the cost of the damages
    they have suffered or 500,000, whichever is
    greater; government prosecutors can also seek
    penalties of up to 2500 per phishing violation.
  • Phishing attacks have been on the rise. Research
    firm Gartner estimates that 73 million U.S.
    Internet users received phishing e-mails during
    the 12 months ended May 2005, up 28 percent from
    the previous year.

27
Malware
  • The mischief-making hacker of the 1990s gives way
    to the determined high-tech thief of the 21st
    century
  • The 2005 E-Crime Watch survey of security and law
    enforcement
  • estimated an average loss of 506,670 per
    organization due to malware
  • It's gotten so bad that the U.S. Secret Service
    and Carnegie Mellon University's Computer
    Emergency Response Team (CERT)
  • last year stopped publishing the number of
    computer crime incidents, saying
  • "Given the widespread use of automated attack
    tools, attacks against Internet-connected systems
    have become so commonplace that counts of the
    number of incidents reported provide little
    information with regard to assessing the scope
    and impact of attacks."

28
How to Build a Legal Case

29
Inference Network Analysis
  • Legal cases are proved through inferences.
  • These inferences, built in chains, must lead
    logically from point A to point B
  • The strength (or weakness) of these inferences
    determines the strength of the legal case

30
Chain of Inferences
  • Suppose we want to link the defendant (an
    ex-football player and aspiring movie star) to
    the murder of his ex-wife
  • Initially the evidence is weak (dotted line)
  • The defendant and victim were divorced, and that
    may have been motive for the murder, but that is
    a weak case

31
The Bloody Glove
  • Our investigation has uncovered a bloody glove at
    the crime scene
  • Immediately there is an inference that the glove
    is somehow involved in the murder. If we later
    learn that DNA from the bloody glove matches the
    victim
  • The inferential relationship between murder and
    glove becomes strong
  • Although the connection between the defendant and
    the victim is still tenuous,
  • The connection between the victim and the glove
    is strong.
  • We're not yet satisfied, and the investigation
    continues

32
Establishing Ownership
  • The forensic examiners at the crime lab have
    determined that the gloves are in fact a very
    expensive brand sold only in movie-star /
    football players. They are so unique that only
    25 pairs have been sold in the past year.
  • This information alone does not necessarily
    strengthen the inferential relationship to the
    defendant.
  • However, taken in combination with the fact that
    a pair of these gloves was purchased on the
    ex-football player's credit card two months
    earlier,
  • we are strengthening our chain of inference.

33
Uniquely Connecting the Gloves to their Owner
  • Finally, our forensic experts compare the DNA from
    the skin cells found on the glove's lining with
    those of the defendant: they match
  • Up until now, we have only been able to link the
    defendant inferentially as the owner of similar
    gloves.
  • Now we can link him as the owner of these
    particular gloves (the dotted arrow becomes solid)

34
Analytical and Automated Fraud Auditing Approaches

35
Computer Assisted Techniques for Fraud Detection
  • Audit software has commands that support the
    auditor's requirement to review transactions for
    fraud such as the existence of duplicate
    transactions, missing transactions, and
    anomalies. Some examples of these commands
    include
  • comparing employee addresses with vendor
    addresses to identify employees that are also
    vendors
  • searching for duplicate check numbers to find
    photocopies of company checks
  • searching for vendors with post office boxes
    for addresses
  • analyzing the sequence of all transactions to
    identify missing checks or invoices
  • identifying vendors with more than one vendor
    code or more than one mailing address
  • finding several vendors with the same mailing
    address and
  • sorting payments by amount to identify
    transactions that fall just under financial
    control or contract limits.
  • Audit software can be used to interrogate a
    company's data files and identify data patterns
    associated with fraud.
  • Patterns such as negative entries in inventory
    received fields, voided transactions followed by
    "No Sale,"
  • or a high percentage of returned items may
    indicate fraudulent activity.
  • Auditors can use these data patterns to develop
    a "fraud profile" early in their review of
    operations.
  • The patterns can function as auditor-specified
    criteria and transactions fitting the fraud
    profile can trigger auditor reviews.
  • Systems can even be built to monitor transactions
    on an ongoing basis.
  • Continuous monitoring is a proactive approach to
    the early detection of fraud.
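
The audit-software tests listed on this slide, sketched in Python as an added example (not code from the presentation or from any audit package). The sample records, field names, the 5,000 approval limit and the 2% "just under" band are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data for illustration (not from the presentation).
EMPLOYEES = [
    {"id": "E01", "name": "A. Smith", "address": "12 Oak St., Apt 4"},
    {"id": "E02", "name": "B. Jones", "address": "9 Elm Road"},
]
VENDORS = [
    {"code": "V100", "name": "Acme Supply", "address": "500 Industrial Way"},
    {"code": "V101", "name": "Oak Consulting", "address": "12 OAK ST APT 4"},
    {"code": "V102", "name": "Quick Parts", "address": "P.O. Box 771"},
    {"code": "V103", "name": "Acme Supply Co", "address": "500 Industrial Way"},
]
PAYMENTS = [
    {"check": 1001, "vendor": "V100", "amount": 1200.00},
    {"check": 1002, "vendor": "V101", "amount": 4990.00},
    {"check": 1002, "vendor": "V101", "amount": 4990.00},  # same check number twice
    {"check": 1004, "vendor": "V102", "amount": 310.50},   # 1003 never appears
    {"check": 1005, "vendor": "V101", "amount": 4975.00},
]
APPROVAL_LIMIT = 5000.00  # assumed financial control limit


def norm_address(addr):
    """Lower-case, drop punctuation, collapse spaces so near-identical spellings match."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", addr.lower()).split())


def vendors_by_address(vendors):
    by_addr = defaultdict(list)
    for v in vendors:
        by_addr[norm_address(v["address"])].append(v["code"])
    return by_addr


def employees_who_are_vendors(employees, vendors):
    """(employee id, vendor code) pairs that share a normalised address."""
    by_addr = vendors_by_address(vendors)
    return [(e["id"], code) for e in employees
            for code in by_addr.get(norm_address(e["address"]), [])]


def po_box_vendors(vendors):
    """Vendor codes whose address is a post office box."""
    pat = re.compile(r"^(p o|po|post office) box\b")
    return [v["code"] for v in vendors if pat.match(norm_address(v["address"]))]


def shared_vendor_addresses(vendors):
    """Addresses used by more than one vendor code."""
    return {a: c for a, c in vendors_by_address(vendors).items() if len(c) > 1}


def duplicate_checks(payments):
    """Check numbers that occur more than once."""
    counts = Counter(p["check"] for p in payments)
    return sorted(c for c, n in counts.items() if n > 1)


def missing_checks(payments):
    """Gaps in the check-number sequence between the lowest and highest seen."""
    seen = {p["check"] for p in payments}
    if not seen:
        return []
    return [c for c in range(min(seen), max(seen) + 1) if c not in seen]


def just_under_limit(payments, limit, band=0.02):
    """Checks whose amount falls within `band` below the control limit."""
    floor = limit * (1 - band)
    return [p["check"] for p in payments if floor <= p["amount"] < limit]


if __name__ == "__main__":
    print("employee/vendor matches:", employees_who_are_vendors(EMPLOYEES, VENDORS))
    print("PO box vendors:", po_box_vendors(VENDORS))
    print("shared addresses:", shared_vendor_addresses(VENDORS))
    print("duplicate checks:", duplicate_checks(PAYMENTS))
    print("missing checks:", missing_checks(PAYMENTS))
    print("just under limit:", just_under_limit(PAYMENTS, APPROVAL_LIMIT))
```

Run on a schedule against fresh extracts, the same functions act as the continuous monitoring the slide describes; every hit is a lead for auditor review, not proof of fraud.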

36
Fraud Detection Using Digital Analysis
  • A growing area of fraud prevention and detection
    involves the examination of patterns in data,
    i.e., Digital Analysis
  • The rationale is that unexpected patterns can be
    symptoms of fraud. A simple example of the
    application of this technique is a search for
    duplicate transactions, such as identical invoice
    or vendor numbers for the same amount.
  • A simple digital analysis technique is to search
    for invoices with even dollar amounts, such as
    200.00 or 5,000.00.
  • The existence of particular even amounts may be a
    symptom of fraud and should be examined.

37
Digital Analysis Case Study: Even Amounts
  • Travel expenses had always been a concern for the
    auditors of X Company since it was an area where
    the controls were weak.
  • Employees had a maximum per diem rate when
    traveling but had to submit receipts to cover the
    actual expenses.
  • Maximums were also established for meals:
    breakfast 10.00, lunch 20.00, dinner 30.00,
    and hotel lodging 100.00.
  • The auditors configured the audit software to
    identify meal expenses that were multiples of
    10.00.
  • These transactions were compared to receipts to
    ensure that the amounts expensed were
    appropriate.
  • A detailed review determined that many travelers
    were charging the maximum rates for meals even
    though their receipts did not justify the
    amounts.

38
Ratio Analysis
  • Another useful fraud detection technique is the
    calculation of data analysis ratios for key
    numeric fields.
  • Like financial ratios that give indications of
    the financial health of a company, data analysis
    ratios report on the fraud health by identifying
    possible symptoms of fraud.
  • Three commonly employed ratios are
  • the ratio of the highest value to the lowest
    value (max/min)
  • the ratio of the highest value to the second
    highest value (max/max2) and
  • the ratio of the current year to the previous
    year.
  • For example, auditors concerned about prices
    customers were being charged for products could
    calculate the ratio of the maximum sales price to
    the minimum sales price for each product.
  • If the ratio is close to 1.0, they can be sure
    that there is little variance between the highest
    and lowest prices charged to customers.
  • However, if the ratio is large this could
    indicate that a customer was being charged too
    much or too little for the product.

39
Ratio Analysis Case Study: Doctored Bills
  • The auditors reviewed the patient billing system
    at Company Y to determine if the appropriate
    charges were being assessed by health care
    providers. An initial analysis of the data was
    performed to calculate the ratio of the highest
    and lowest charges for each procedure. A judgment
    was made that procedures with a max/min ratio of
    greater than 1.30 be noted and subjected to
    additional review.
  • For a particular quarter, three procedures had
    ratios higher than 1.30, the highest being 1.42.
    A filter was used to identify the records related
    to the three procedures in question, and
    additional analysis was performed. This quickly
    determined that one doctor was charging
    significantly more than the other doctors for the
    same procedures. A comparison of charges from the
    billing system with payments in the accounts
    receivable system revealed that the doctor was
    skimming off the patient payments. The amount
    recorded in the receivable system was in line
    with the usual billing amount for the procedures.
    The doctor was unable to justify the higher
    prices or explain the difference in the billing
    and the receivable systems.
  • The third ratio compares data from different
    years, departments or operating areas, and the
    like. For example, the ratio of last year's
    purchases to current year's purchases for each
    supplier can point to symptoms of fraud such as
    kickbacks in the contracting section. If the
    total purchases from a supplier has gone from
    100,000 to 400,000--a ratio of 4.0--further
    analysis may be in order.

40
Ratio Analysis Case Study: Contracting Kickbacks
  • Jonathan, one of the contracting officers, had
    devised a great win/win kickback scheme. The
    auditors decided to use digital analysis as part
    of their review of the contracting section. One
    of the analyses calculated the total contract
    amount by supplier for each of the past two
    years. A ratio of current year to previous year
    was calculated and the minimum, maximum, average,
    and highest and lowest five ratios were
    displayed. While the average was close to 1.0,
    the highest and lowest five values showed that
    some companies had significant decreases in
    business, while others had experienced
    significant increases in business.
  • The auditors reviewed the details of all
    companies that had a ratio of less than 0.7 or
    more than 1.30. Totals were calculated by a
    contracting officer. For companies with an
    increase in business, the results revealed that
    Jonathan had raised many of the contracts. In
    comparison, Jonathan had raised no contracts with
    the companies that had seen a decrease in
    business. The auditors learned of Jonathan's
    kickback scheme when they interviewed salesmen
    from the companies that had ratios less than 0.7.
    Interviews with salesmen from the firms that had
    increased sales by 1.30 or more added credence to
    the fraud accusations. Both groups of salesmen
    said that they were told they would only get
    business if they paid Jonathan a kickback.
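
The three ratios from the Ratio Analysis slides, applied to data shaped like the two case studies, as an added Python example (not from the presentation). The 1.30 and 0.7 review thresholds are the ones the slides state; the records, supplier names and years are constructed.

```python
from collections import Counter, defaultdict

# Constructed billing records: (procedure, doctor, charge).
CHARGES = [
    ("P1", "Dr A", 100.0), ("P1", "Dr B", 102.0), ("P1", "Dr C", 142.0),
    ("P2", "Dr A", 50.0), ("P2", "Dr B", 55.0), ("P2", "Dr C", 52.0),
]
# Constructed contracts: (supplier, contracting officer, year, amount).
CONTRACTS = [
    ("Alpha", "Jonathan", 2004, 100000), ("Alpha", "Jonathan", 2005, 250000),
    ("Alpha", "Jonathan", 2005, 150000),
    ("Beta", "Maria", 2004, 200000), ("Beta", "Maria", 2005, 100000),
    ("Gamma", "Maria", 2004, 90000), ("Gamma", "Lee", 2005, 95000),
    ("Delta", "Lee", 2005, 40000),  # new supplier: no previous-year baseline
]


def value_ratios(values):
    """Return (max/min, max/max2); None where a ratio is undefined."""
    vals = sorted(values, reverse=True)
    if not vals:
        return (None, None)
    # A zero or negative minimum makes max/min meaningless; report None instead.
    max_min = vals[0] / vals[-1] if vals[-1] > 0 else None
    max_max2 = vals[0] / vals[1] if len(vals) > 1 and vals[1] > 0 else None
    return (max_min, max_max2)


def procedures_to_review(charges, threshold=1.30):
    """Procedures whose max/min charge ratio exceeds the threshold (or is undefined)."""
    by_proc = defaultdict(list)
    for proc, _doctor, amount in charges:
        by_proc[proc].append(amount)
    flagged = {}
    for proc, vals in by_proc.items():
        max_min, _ = value_ratios(vals)
        if max_min is None or max_min > threshold:
            flagged[proc] = max_min
    return flagged


def highest_charger(charges, proc):
    """Doctor who recorded the single highest charge for a procedure."""
    rows = [(amount, doctor) for p, doctor, amount in charges if p == proc]
    return max(rows)[1]


def yoy_ratios(contracts, prev_year, cur_year):
    """Current-year / previous-year contract total per supplier (None if no baseline)."""
    totals = defaultdict(lambda: defaultdict(float))
    for supplier, _officer, year, amount in contracts:
        totals[supplier][year] += amount
    return {s: (t[cur_year] / t[prev_year] if t[prev_year] > 0 else None)
            for s, t in totals.items()}


def flag_suppliers(ratios, low=0.7, high=1.30):
    """Split suppliers into increase / decrease / no-baseline review lists."""
    out = {"increase": [], "decrease": [], "no_baseline": []}
    for supplier, r in sorted(ratios.items()):
        if r is None:
            out["no_baseline"].append(supplier)
        elif r > high:
            out["increase"].append(supplier)
        elif r < low:
            out["decrease"].append(supplier)
    return out


def contracts_by_officer(contracts, suppliers, year):
    """Count contracts raised per officer for the given suppliers in one year."""
    return Counter(o for s, o, y, _ in contracts if s in suppliers and y == year)


if __name__ == "__main__":
    print(procedures_to_review(CHARGES), highest_charger(CHARGES, "P1"))
    flags = flag_suppliers(yoy_ratios(CONTRACTS, 2004, 2005))
    print(flags, contracts_by_officer(CONTRACTS, flags["increase"], 2005))
```

Suppliers with no previous-year total are reported separately rather than silently dropped, since a division by zero would otherwise hide brand-new vendors from the review.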

41
Benford's Law
  • Benford's Law, developed by Frank Benford in the
    1920s, predicts the occurrence of digits in data.
    Benford's Law concludes that the first digit in a
    large population of transactions (10,000 plus)
    will most often be a 1. Less frequently will the
    first digit be a 2; even less frequently a 3.
  • An analysis of the frequency distribution of the
    first or second digits can detect abnormal
    patterns in the data and may identify possible
    fraud. An even more focused test can be used to
    examine the frequency distribution of the first
    two digits (FTD). The formula for the expected
    frequencies is
  • Expected FTD Frequency = log10(1 + 1/FTD)
  • Therefore, the expected frequency of 13 is
    log10(1 + 1/13). The expected frequencies range from
    0.041 for 10, to 0.004 for 99.
  • Some audit software programs can be used to
    determine the frequency distribution for first
    digits, first two digits, and second digits.
  • Note: not all data will have distributions as
    predicted by Benford's Law. Sometimes there is
    valid rationale for certain numbers occurring
    more frequently than expected. For example, if a
    company sends a large amount of correspondence
    via courier, and the cost is a standard rate
    (6.12) for sending a package of under one pound,
    then the first digit (6) or the first two digits
    (61) may occur more often than predicted by
    Benford's Law.

42
Benford's Law Case Study: Signature Authority
  • The auditors for Z Company were investigating
    possible fraud in the contracting section, where
    thousands of contracts were raised every month.
    They used Benford's Law to examine the first two
    digits of the contract amount. The results of
    their analysis revealed that the digits 49 were
    in the data more often than expected.
  • Classifying on the contracting officer for all
    contracts with 49 as the first two digits
    determined that the contracting manager was
    raising contracts for 49,000 to 49,999 to avoid
    contracting regulations.
  • Contracts under 50,000 could be sole-sourced;
    contracts greater than 50,000 had to be
    submitted to the bidding process. He was raising
    contracts just under the financial limit and
    directing them to a company owned by his wife.
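
The first-two-digits test from the two Benford's Law slides, as an added Python example (not from the presentation): it computes the expected frequency log10(1 + 1/FTD), flags over-represented digit pairs, and classifies the flagged contracts by officer. The contract data and officer names are constructed, and the z-score cut-off of 3 is an assumption, not a figure from the slides.

```python
import math
from collections import Counter


def expected_ftd(d):
    """Benford expected share for a first-two-digits value d in 10..99."""
    return math.log10(1 + 1 / d)


def first_two_digits(amount):
    """First two significant digits of a non-zero amount (6.12 -> 61)."""
    s = f"{abs(amount):.12e}"  # e.g. '4.912500000000e+04'
    return int(s[0] + s[2])


def ftd_excess(amounts, z_threshold=3.0):
    """Return (ftd, observed share, expected share, z) for over-represented pairs.

    z is a plain one-sample proportion z-score; the threshold is an assumption.
    """
    digits = [first_two_digits(a) for a in amounts if a]
    n = len(digits)
    if n == 0:
        return []
    counts = Counter(digits)
    flagged = []
    for d in range(10, 100):
        p = expected_ftd(d)
        observed = counts[d] / n
        z = (observed - p) / math.sqrt(p * (1 - p) / n)
        if z > z_threshold:
            flagged.append((d, observed, p, z))
    return sorted(flagged, key=lambda row: -row[3])


def classify_by_officer(contracts, ftd):
    """Count contracts per officer whose amount starts with the given two digits."""
    return Counter(officer for officer, amount in contracts
                   if amount and first_two_digits(amount) == ftd)


def sample_contracts():
    """Constructed data: 2000 log-uniform amounts between 1,000 and 100,000
    (which follow Benford's Law) plus 60 contracts just under 50,000 raised
    by one hypothetical manager."""
    officers = ["Officer A", "Officer B", "Officer C"]
    base = [(officers[i % 3], round(1000 * 10 ** (i / 1000), 2))
            for i in range(2000)]
    padded = [("Manager M", 49000.0 + 16 * k) for k in range(60)]
    return base + padded


if __name__ == "__main__":
    contracts = sample_contracts()
    for d, obs, exp, z in ftd_excess([amt for _, amt in contracts]):
        print(f"FTD {d}: observed {obs:.4f}, expected {exp:.4f}, z = {z:.1f}")
        print("  by officer:", classify_by_officer(contracts, d).most_common())
```

As the slide's courier-rate note warns, a flagged digit pair can have a legitimate cause, so the by-officer breakdown is the step that turns a statistical anomaly into something an auditor can follow up.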