Analyzing Evidence Flashcards
Ashton, a digital forensic examiner for Cadence Irrigation, is conducting an internal investigation into the alleged theft of trade secrets from Cadence. Kirby, a Cadence employee, is the prime suspect. Ashton decides to seize Kirby’s work computer for forensic examination. If, at the time of seizure, Kirby’s computer is off, then Ashton should turn it on before seizing it.
A. True
B. False
B. False
See page 3.818 in the Fraud Examiner’s Manual
A computer system that is off should not be turned on during the seizure process. Turning on a system might damage and taint any evidence that it contains.
Which of the following is an example of a data analysis function that can be performed to help detect fraud through examination of fixed asset accounts?
A. Compare book and tax depreciation and indicate variances
B. Recalculate expense and reserve amounts using replacement costs
C. Select samples for asset existence verification
D. All of the above
D. All of the above
See page 3.730 in the Fraud Examiner’s Manual
The following are examples of data analysis queries that can be performed by data analysis software on fixed asset accounts to help detect fraud:
- Generate depreciation to cost reports.
- Compare book and tax depreciation and indicate variances.
- Sort asset values by asset type or monetary amount.
- Select samples for asset existence verification.
- Recalculate expense and reserve/provision amounts using replacement costs.
A fraud examiner discovers a paper document believed to include both the suspect’s indented writings and latent fingerprints. Which of the following is the BEST preservation method to use when collecting the document?
A. Insert the document into a plastic bag using a pair of tweezers.
B. Put the document in a briefcase for analysis at a later time.
C. Leave the document in place for a forensic document examiner to collect later.
D. Place the document into a sealable, acid-free paper envelope while handling it with protective gloves.
D. Place the document into a sealable, acid-free paper envelope while handling it with protective gloves.
See pages 3.224-3.225 in the Fraud Examiner’s Manual
Fraud examiners should preserve evidentiary documents that contain latent fingerprints by placing them into labeled protective containers, such as sealable, acid-free paper envelopes. Many types of paper and plastic containers can leach acids that damage originals over long periods of storage. While some plastic containers, such as those made of polyethylene or polypropylene, do not leach acid, they might cause harmful condensation to develop on the document. To avoid smudging and contamination of the fingerprints, fraud examiners should wear protective gloves or carefully use tweezers when handling latent fingerprint evidence. However, tweezers should not be used on documents if indented writing or photocopier examinations are planned.
A fraud examiner is conducting textual analytics on journal entry data and runs a keyword search using the terms override, write off, and reserve/provision. With which component of the Fraud Triangle are these fraud keywords typically associated?
A. Capability
B. Opportunity
C. Rationalization
D. Pressure
B. Opportunity
See page 3.740 in the Fraud Examiner’s Manual
In conducting a textual analytics examination, the fraud examiner should create a list of fraud keywords that are likely to suggest suspicious activity. This list will depend on the industry, the suspected fraud schemes or types of fraud risk present, and the data set the fraud examiner has available. In other words, if they are running a search through journal entry details, they will likely search for different fraud keywords than if they were running a search of emails.
The components identified in the Fraud Triangle are helpful when coming up with a fraud keyword list. One of these components is opportunity; consequently, the fraud examiner should consider how someone in the entity might have the opportunity to commit fraud. Examples of keywords that indicate the opportunity to commit fraud include override, write off, recognize revenue, adjust, discount, and reserve/provision.
Which of the following is a limitation of Benford’s Law?
A. Benford’s Law applies best to data sets with three-digit numbers.
B. Benford’s Law cannot be applied to data sets with non-natural numbers, such as invoice numbers or inventory prices.
C. Benford’s Law only works on data sets with assigned numbers, such as bank account or telephone numbers.
D. Benford’s Law can only be applied to data sets listed in currency amounts.
B. Benford’s Law cannot be applied to data sets with non-natural numbers, such as invoice numbers or inventory prices.
See page 3.723 in the Fraud Examiner’s Manual
Benford’s Law distinguishes between natural and non-natural numbers, and it is important to understand the difference between the two types because Benford’s Law cannot be applied to data sets with non-natural numbers. Natural numbers are those numbers that are not ordered in a particular numbering scheme and are not human-generated or generated from a random number system. For example, most vendor invoice totals or listings of payment amounts will be populated by currency values that are natural numbers. Conversely, non-natural numbers (e.g., employee identification numbers and telephone numbers) are designed systematically to convey information that restricts the natural nature of the number. Any number that is arbitrarily determined, such as the price of inventory held for sale, is considered a non-natural number.
Which of the following is NOT an example of a data analysis function that can be performed to detect fraud through examination of accounts payable?
A. Audit paid invoices for manual comparison with actual invoices.
B. Identify debits to expense accounts outside of set default accounts.
C. Create vendor detail and summary analysis reports.
D. Sort asset values by asset type or monetary amount.
D. Sort asset values by asset type or monetary amount.
See page 3.730 in the Fraud Examiner’s Manual
The following are typical examples of data analysis queries that can be performed by data analysis software on accounts payable:
- Audit paid invoices for manual comparison with actual invoices.
- Summarize large invoices by amount, vendor, etc.
- Identify debits to expense accounts outside of set default accounts.
- Reconcile payment registers to disbursements by vendor invoice.
- Verify vendor tax forms (e.g., U.S. Form 1099 or value-added tax [VAT] forms).
- Create vendor detail and summary analysis reports.
- Review recurring monthly expenses and compare to posted/paid invoices.
- Generate a report on specified vouchers for manual audit or investigation.
Victoria, a fraud examiner, is concerned that employees are abusing their expense accounts and are spending more than the amount allowed per day for meals. Which of the following is the MOST APPROPRIATE data analysis function for locating meal expenses greater than thirty dollars?
A. Gap testing
B. Duplicate testing
C. Multi-file processing
D. Compliance verification
D. Compliance verification
See page 3.719 in the Fraud Examiner’s Manual
Compliance verification determines whether company policies are met by employee transactions. If a company limits the amount of its reimbursements, the software can check to see that this limit is being observed. Many times, fraud examiners can find early indications of fraud by testing detail data for values above or below specified amounts. For example, when employees are out of town, do they abide by company policy of not spending more than the amount allowed per day for meals? To start, fraud examiners can look at all expense report data and select those with daily meal expenses exceeding the amount allowed. With the information returned from this simple query, there is a starting point for suspecting fraud.
A fraud examiner needs to protect an evidentiary document with a latent fingerprint on it by placing it into a protective container. Which of the following should the fraud examiner include on the container’s label?
A. The date the item was placed in the container
B. The fraud examiner’s initials
C. The location where the document was obtained
D. All of the above
D. All of the above
See pages 3.224-3.225 in the Fraud Examiner’s Manual
Fraud examiners should preserve evidentiary documents that contain latent fingerprints by placing them into labeled protective containers, such as sealable, acid-free paper envelopes. To avoid smudging and contamination of the fingerprints, fraud examiners should wear protective gloves or carefully use tweezers when handling latent fingerprint evidence. Also, fraud examiners should label the item’s container with their initials, the current date, where the document was obtained, and an identifying exhibit number (if any).
When collecting physical documents, a fraud examiner should limit their contact with original documents as much as possible to preserve their forensic integrity.
A. True
B. False
A. True
See page 3.202 in the Fraud Examiner’s Manual
The following general rules are important in the collection of documents:
- Obtain original documents where feasible. Make working copies for review, and keep the originals segregated.
- Do not touch originals any more than necessary, as they could undergo forensic analysis at a later time.
- Maintain a dependable filing system for the documents. This is especially critical when large numbers of documents are obtained. Losing a key document is very problematic and can damage the case. Working copies can be stamped sequentially for easy reference.
When seizing a computer for examination, the seizing party should look around the area for passwords because many people leave passwords written down near their computers.
A. True
B. False
A. True
See page 3.818 in the Fraud Examiner’s Manual
Because many people write down or record their passwords near their computers, fraud examiners should look around for notes that might appear to be passwords. This might aid in discovering passwords needed to access encrypted or password-protected data if the individual who knows the password is uncooperative and will not divulge it. Although there are ways to access encrypted information without an encryption key (e.g., decryption, emergency keys, forcing cooperation), having the passwords for protected files will save time and reduce efforts.
Link analysis is particularly useful when investigating which type of fraud scheme?
A. Fictitious vendor
B. Shell company
C. Money laundering
D. All of the above
D. All of the above
See page 3.743 in the Fraud Examiner’s Manual
Link analysis software is used by fraud examiners to create visual representations (e.g., charts with lines showing connections) of data from multiple data sources to track the movement of money; demonstrate complex networks; and discover communications, patterns, trends, and relationships.
Link analysis is very effective for identifying relationships that are not closely related. For this reason, link analysis is particularly useful when conducting a money laundering investigation, since it can track the placement, layering, and integration of money as it moves around unexpected sources. It could also be used to detect a fictitious vendor (shell company) scheme. For instance, the investigator could map visual connections between a variety of entities that share an address and bank account number to reveal a fictitious vendor created to embezzle funds from a company.
Which of the following statements is TRUE regarding data mining?
A. Data mining is an effective way for fraud examiners to develop fraud targets for further investigation
B. Data mining can be used to streamline raw data into understandable patterns
C. Data mining is the science of searching large volumes of data for patterns
D. All of the above
D. All of the above
See pages 3.701, 3.703-3.704 in the Fraud Examiner’s Manual
Data mining is the science of searching large volumes of data for patterns. It combines several different techniques that are essential to detecting fraud, including the streamlining of raw data into understandable patterns. Data mining can also help prevent fraud. Additionally, it is an effective way for fraud examiners to develop fraud targets for further investigation.
Which of the following is a data analytics approach involving layered artificial neural networks that are used to identify complex patterns in data sets by accommodating more data and more sophisticated algorithms?
A. Deep learning
B. Unsupervised machine learning
C. Artificial learning
D. Supervised machine learning
A. Deep learning
See pages 3.727-3.728 in the Fraud Examiner’s Manual
Deep learning refers to a subset of artificial intelligence that uses artificial neural networks—systems that simulate the processes and functions of a brain—with many layers to accommodate more data and more sophisticated algorithms to identify complex patterns. Deep learning is capable of learning from unstructured and unlabeled data.
Which of the following is an example of a data analysis function that can be performed to detect fraud through an examination of the general ledger?
A. Calculate financial ratios
B. Analyze and confirm specific ledger accounts for legitimate transaction activity
C. Create actual-to-budget comparison reports
D. All of the above
D. All of the above
See page 3.729 in the Fraud Examiner’s Manual
The following are typical examples of data analysis queries that can be performed by data analysis software on the general ledger:
- Select specific journal entries for analysis.
- Create actual-to-budget comparison reports.
- Analyze and confirm specific ledger accounts for legitimate transaction activity.
- Speed account reconciliation through specialized account queries.
- Calculate financial ratios.
- Calculate percentage comparison ratios between accounts.
- Prepare custom reports, cash flow, profit/loss, and asset and liability total reports.
- Compare summaries by major account in any order (low-high, high-low).
- Create reports in any format by account, division, department, etc.
Which of the following is a matter that fraud examiners should consider when engaging in examinations involving computers?
A. Whether law enforcement should be notified
B. Whether an outside digital forensic expert is needed
C. What to look for and where to look for it
D. All of the above
D. All of the above
See pages 3.802, 3.804, 3.808 in the Fraud Examiner’s Manual
Once an organization has received evidence that misconduct involving digital devices has occurred, it should determine the need for law enforcement assistance. If it is determined that the victim organization will make a formal referral to law enforcement or a prosecuting agency, then the organization should notify the authorities before conducting an investigation to determine whether law enforcement personnel should participate in the examination.
When conducting an examination involving computers, fraud examiners should determine whether they need a digital forensic expert. Digital forensic experts are trained professionals who specialize in identifying, recovering, collecting, preserving, processing, and producing digital data for use in investigations and litigation.
To conduct a successful examination, fraud examiners must know what to look for and where to look for it, but this can be difficult because digital data can be stored in large volumes and in numerous locations. For example, the fraud examiner should know where to look for information on any suspect computer systems, information on a suspect’s workstation (including any peripherals or other portable media devices that contain data), information stored on any network from which the suspect’s traffic flows, and information stored in cloud storage services.
Cleansing and normalizing data during a data analysis engagement includes reviewing data to ensure that any inconsistencies are fixed, isolated, or eliminated.
A. True
B. False
A. True
See pages 3.708-3.710 in the Fraud Examiner’s Manual
The results of a data analysis test will only be as good as the data used for the analysis. Before running tests on the data, the fraud examiner must make certain the data being analyzed are relevant and reliable for the objective of the engagement.
Depending on how the data were collected and processed, as well as the results of the data verification process, the fraud examiner might need to cleanse and convert the data to a format suitable for analysis before executing any data analysis tests. For example, certain field formats (e.g., date, time, or currency) might need to be modified to make the information consistent and ready for testing. The data must also be normalized so that all data being imported for analysis can be analyzed consistently. Common data fields from multiple systems must be identified, and data must be standardized. In normalizing the data for analysis, table layout, fields/records, data length, data format, and table relationships are all important considerations.
Additionally, the following inconsistencies in the data must be addressed:
- Known errors
- Special/unreadable characters in the data
- Other unusable entries
When possible, such situations should be addressed by fixing, isolating, or eliminating them. Any issues that cannot be cleaned up will require special consideration during the testing and interpretation phase.
Hafsa, a fraud examiner, collects a computer hard drive as potential evidence in an investigation. She creates a memorandum to record the chain of custody and documents what item was received, when it was received, and from whom it was received. To meet the minimum standard for a chain of custody memorandum, what else would Hafsa need to include?
A. The name of the judge who signed the seizure order, if applicable
B. An explanation of why the item was collected
C. Where the item is maintained
D. The value of the noncash item received
C. Where the item is maintained
See pages 3.207-3.208 in the Fraud Examiner’s Manual
From the moment evidence is received, its chain of custody must be maintained for it to be accepted by the court. The chain of custody is both a process and a document that memorializes who has had possession of an object and what they have done with it. Essentially, the chain of custody is a recordkeeping procedure similar to physical inventory procedures.
In general, to establish the chain of custody, fraud examiners must make a record of when they, or any other member of the fraud examination team, receive an item and when it leaves their care, custody, or control. This is best handled by creating a memorandum with the custodian of the records when the evidence is received. The memorandum should state:
- What items were received
- When they were received
- From whom they were received
- Where they are maintained
Black, a fraud examiner, is conducting textual analytics on emails sent to and from specific employees that her client has identified as fraud suspects. She is using the Fraud Triangle to create a list of fraud keywords to use in her search. Which of the following words found in email text might indicate a fraudster is rationalizing their actions?
A. Write off
B. Override
C. Deserve
D. Quota
C. Deserve
See page 3.740 in the Fraud Examiner’s Manual
In conducting a textual analytics examination, the fraud examiner should create a list of fraud keywords that are likely to suggest suspicious activity. This list will depend on the industry, the suspected fraud schemes or types of fraud risk present, and the data set the fraud examiner has available. In other words, if they are running a search through journal entry details, they will likely search for different fraud keywords than if they were running a search of emails.
The components identified in the Fraud Triangle are helpful when coming up with a fraud keyword list. One of these components is rationalization; consequently, the fraud examiner should consider how someone in the entity might be able to rationalize committing fraud. Because most fraudsters do not have a criminal background, justifying their actions is a key part of committing fraud. Some keywords that might indicate a fraudster is rationalizing their actions include reasonable, deserve, and temporary.
Other keywords can be used to identify the other components indicated by the Fraud Triangle. For example, write off and override would indicate opportunity to commit fraud, while quota suggests pressure to commit fraud.
Which of the following is an example of a data analysis function that can be performed on cash disbursements to help detect fraud?
A. Identify disbursements by department, supervisor approval, or amount limits
B. Verify audit trail for all disbursements by purchase order, vendor, department, etc.
C. Generate summary of vendor cash activity for further analysis
D. All of the above
D. All of the above
See page 3.730 in the Fraud Examiner’s Manual
The following are examples of data analysis queries that can be performed by data analysis software on cash disbursements to help detect fraud:
- Summarize cash disbursements by account, bank, department, vendor, etc.
- Verify audit trail for all disbursements by purchase order, vendor, department, etc.
- Generate summary of vendor cash activity for analysis.
- Identify disbursements by department, supervisor approval, or amount limits.
Tangible evidence is more volatile than digital evidence because tangible information is subject to claims of spoliation whereas digital evidence is not.
A. True
B. False
B. False
See pages 3.805-3.806 in the Fraud Examiner’s Manual
Digital evidence is more volatile than tangible evidence because digital data can be altered or destroyed more easily than tangible information. Additionally, both digital and tangible evidence are subject to claims of spoliation (the act of intentionally or negligently destroying documents relevant to litigation). If proven, such claims could lead to monetary fines and sanctions, adverse inference jury instruction sanctions, or dismissal of claims or defenses.
Which of the following data analysis functions can be used to determine the relationship between two variables in raw data?
A. Correlation analysis
B. Duplicate testing
C. Gap testing
D. Benford’s Law analysis
A. Correlation analysis
See page 3.717 in the Fraud Examiner’s Manual
By using the correlation analysis function, fraud examiners can determine the relationships among different variables in the raw data. Fraud examiners can learn a lot about data files by learning the relationship between two variables. For example, one should expect a strong correlation between the following independent and dependent variables because a direct relationship exists between the two variables:
- Hotel costs should increase as the number of days traveled increases.
- Gallons of paint used should increase as the number of houses painted increases.
A statement collected by a fraud examiner during an interview would be considered an example of which of the following types of evidence?
A. Digital evidence
B. Testimonial evidence
C. Inconclusive evidence
D. Documentary evidence
B. Testimonial evidence
See page 3.201 in the Fraud Examiner’s Manual
Testimonial evidence involves statements made by witnesses, neutral third parties, and suspects during interviews and/or when testifying at trial.
Which of the following is TRUE concerning the volatility of digital evidence?
A. The failure to preserve the integrity of digital evidence could result in evidence being deemed inadmissible in a legal proceeding
B. Once the integrity of digital evidence has been violated through alteration or destruction, it usually cannot be restored
C. Digital evidence is more volatile than tangible evidence because data can be altered or destroyed more easily than tangible information
D. All of the above
D. All of the above
See pages 3.805-3.806 in the Fraud Examiner’s Manual
Digital evidence is more volatile than tangible evidence because digital data can be altered or destroyed more easily than tangible information. Because digital evidence can be easily altered or destroyed, the integrity of digital evidence must be preserved. Data that have been altered or destroyed are considered violations of data integrity. What is more, the alteration or destruction of digital evidence is typically irreversible; therefore, once the integrity of digital evidence has been violated, it usually cannot be restored.
Additionally, the failure to preserve the integrity of digital evidence could result in evidence being deemed inadmissible in a legal proceeding, or even if admitted, it might not be given much weight because evidence of questionable authenticity does not provide reliable proof.
A fraud examiner is planning a data analysis engagement. Which of the following should the fraud examiner understand prior to determining which tests to run on the data?
A. Areas of data at risk for being overlooked
B. The structure of the data
C. What data are available for analysis
D. All of the above
D. All of the above
See pages 3.705-3.706 in the Fraud Examiner’s Manual
Although the purpose of data analysis involves running targeted tests on data to identify anomalies, the ability of such tests to help detect fraud depends greatly on what the fraud examiner does before and after performing the data analysis techniques. Without sufficient time and attention devoted to planning, the fraud examiner risks analyzing the data inefficiently, lacking focus or direction for the engagement, encountering avoidable technical difficulties, and possibly overlooking key areas for exploration.
As a first step in the planning process—before determining which tests to run—the fraud examiner must know what data are available to be analyzed and how those data are structured. Understanding the structure of the existing data will not only help ensure that the fraud examiner builds workable tests to be run on the data but might also help identify additional areas for exploration that might otherwise have been overlooked.
During which phase of the data analysis process does the fraud examiner identify, obtain, and verify the relevant or requested data?
A. The testing and interpretation phase
B. The planning phase
C. The preparation phase
D. The post-analysis phase
C. The preparation phase
See pages 3.708-3.710 in the Fraud Examiner’s Manual
The second phase of the data analysis process is the preparation phase. The results of a data analysis test will only be as good as the data used for the analysis. Before running tests on the data, the fraud examiner must make certain the data being analyzed are relevant and reliable for the objective of the engagement. During the preparation phase of the data analysis process, the fraud examiner must complete several important steps, including:
- Identifying the relevant data
- Obtaining the requested data
- Verifying the data
- Cleansing and normalizing the data
The information in a computer system’s event logs can yield valuable evidence because such logs record events and transactions that have occurred on the computer.
A. True
B. False
A. True
See page 3.810 in the Fraud Examiner’s Manual
Every operating system generates event logs, which are files that record events or transactions on a computer. In fact, a log entry is created for each event or transaction that takes place on any computer, and consequently, there are numerous types of event logs. Some common types of logs include system logs, application logs, and security logs. System logs record events executed on an operating system, including miscellaneous events and those generated during system start-up, such as hardware and controller failures. Common types of system events include starting up and shutting down, configuration updates, and system crashes. Application logs record the events regarding access to application data. Such events would include data files being opened or closed; specific actions such as reading, editing, deleting, or printing of application files; or the modification of records in an application file. Security logs track security-related events like log-on and log-off times and changes to access rights.
Robotic process automation (RPA) is a data analytics approach that uses historical data, analyses, statistics, and machine learning components to build a mathematical model that depicts important trends and creates a quantitative projection or prediction about future events or outcomes.
A. True
B. False
B. False
See page 3.728 in the Fraud Examiner’s Manual
Predictive analytics uses historical data, analyses, statistics, and machine learning components to build a mathematical model that depicts important trends. This model is then used to process current data to create a quantitative projection or prediction about future events or outcomes.
Robotic process automation (RPA) is a technology that allows for the configuration of a program that imitates and integrates the actions of a human to execute certain business processes. RPA is useful for organizations that wish to increase efficiency and automate repetitive manual tasks. One of the benefits that RPA provides in fighting fraud is the lessening of human interaction in day-to-day tasks. When employees are responsible for inputting data into systems, there is an opportunity for them to manipulate the data for personal gain. By fully automating certain tasks, employees are turned into reviewers rather than inputters. Also, by limiting human interaction, RPA mitigates the risk caused by human error.
In which of the following situations would a fraud examiner MOST LIKELY need to obtain a court order to access a suspect’s financial records?
A. A fraud examiner would likely need to obtain a court order if the suspect provides both oral and written consent.
B. A fraud examiner would likely need to obtain a court order if the suspect only provides written consent.
C. A fraud examiner would likely need to obtain a court order any time that records are requested from a financial institution.
D. A fraud examiner would likely need to obtain a court order if the suspect refuses to provide consent.
D. A fraud examiner would likely need to obtain a court order if the suspect refuses to provide consent.
See pages 3.202-3.203 in the Fraud Examiner’s Manual
Documentary evidence can be obtained in several ways. The preferred method is to obtain evidence by consent if both parties agree. In some cases, consent can be oral, but when information is obtained from possible adverse witnesses or the target of the examination, it is recommended that the consent be in writing.
Certain types of records can be obtained by consent only if the subject of the records consents in writing. Accessing a subject’s bank records from financial institutions, for instance, generally requires written consent. If no consent is given and evidence is held by other parties or in uncontrolled locations, specific legal action might be required. Most often, the legal process used takes the form of a subpoena or other court order to produce the documents and records (including electronic records). Other forms of court orders can be used to obtain witness evidence and statements.
Understanding the data, determining whether predication exists, and building a profile of potential frauds are all steps of which phase of the data analysis process?
A. The post-analysis phase
B. The testing and interpretation phase
C. The preparation phase
D. The planning phase
D. The planning phase
See pages 3.705-3.706 in the Fraud Examiner’s Manual
As with most tasks, proper planning is essential in a data analysis engagement. Without sufficient time and attention devoted to planning, the fraud examiner risks analyzing the data inefficiently, lacking focus or direction for the engagement, encountering avoidable technical difficulties, and possibly overlooking key areas for exploration.
The first phase of the data analysis process is the planning phase. This phase consists of several important steps, including:
- Understanding the data
- Defining examination objectives
- Building a profile of potential frauds
- Determining whether predication exists
Jones, a Certified Fraud Examiner (CFE) and director of security for ABC Inc., obtained several boxes of documents while conducting a fraud examination. While inventorying the boxes and marking the evidence, Jones discovers a stock certificate he feels will be damaged if he marks it with his initials and the date. To maintain the proper chain of custody, Jones should:
A. Mark the document regardless of the potential for damage.
B. Copy the document, and initial and date the copy.
C. Photograph and store the document.
D. Place the document in a marked envelope.
D. Place the document in a marked envelope.
See page 3.207 in the Fraud Examiner’s Manual
To preserve the chain of custody, all evidence received should be marked so that it can later be identified. The most common way to mark the evidence is with the date and initials of the person obtaining the documents. If it is not practical to mark the document, or if marking it would damage the document, then it should be placed in an acid-free envelope that has been marked and sealed. To avoid creating indentations on the original document, do not write on the envelope after the document has been placed inside of it.
During the analysis phase in digital forensic investigations, the fraud examiner’s primary concern is to protect the collected information from seizure.
A. True
B. False
B. False
See page 3.829 in the Fraud Examiner’s Manual
The primary concern when analyzing digital evidence is to always maintain the integrity of the data. Fraud examiners must be especially careful with computer equipment because a careless fraud examiner might inadvertently alter important evidence. Therefore, it is helpful to develop procedures to prevent the opposing party from raising allegations that the methodology used to collect or analyze data was improper and could have damaged or altered the evidence.
Christie is undertaking a data analysis engagement to identify potential fraud at XYZ Corporation. Which of the following lists the MOST APPROPRIATE order in which she should conduct the steps involved in the data analysis process?
I. Cleanse and normalize the data.
II. Build a profile of potential frauds.
III. Analyze the data.
IV. Obtain the data.
V. Monitor the data.
A. II, IV, I, III, V
B. IV, I, III, V, II
C. II, IV, III, I, V
D. IV, II, I, V, III
A. II, IV, I, III, V
See pages 3.705-3.706 in the Fraud Examiner’s Manual
To ensure the most accurate and meaningful results, a formal data analysis process should be applied that begins several steps before the tests are run and concludes with active and ongoing review of the data. While the specific process will vary based on the realities and needs of the organization, the following approach contains steps that should be considered and implemented, to the appropriate extent, in each data analysis engagement:
- Planning phase
  - Understand the data.
  - Define examination objectives.
  - Build a profile of potential frauds.
  - Determine whether predication exists.
- Preparation phase
  - Identify the relevant data.
  - Obtain the data.
  - Verify the data.
  - Cleanse and normalize the data.
- Testing and interpretation phase
  - Analyze the data.
- Post-analysis phase
  - Respond to the analysis findings.
  - Monitor the data.
Black, a Certified Fraud Examiner (CFE), has obtained an oral confession from Green, a fraud suspect. Black wants to examine Green’s bank accounts. Which of the following would be the LEAST EFFECTIVE way to obtain permission to examine Green’s bank records?
A. Obtain a court order.
B. Obtain Green’s oral consent.
C. Obtain a subpoena.
D. Obtain Green’s written consent.
B. Obtain Green’s oral consent.
See pages 3.202-3.203 in the Fraud Examiner’s Manual
Documentary evidence can be obtained in several ways. The preferred method is to obtain evidence by consent if both parties agree. In some cases, consent can be oral, but when information is obtained from possible adverse witnesses or the target of the examination, it is recommended that the consent be in writing.
Certain types of records can be obtained by consent only if the subject of the records consents in writing. Accessing a subject’s bank records from financial institutions, for instance, generally requires written consent. If no consent is given and evidence is held by other parties or in uncontrolled locations, specific legal action might be required. Most often, the legal process used takes the form of a subpoena or other court order to produce the documents and records (including electronic records). Other forms of court orders can be used to obtain witness evidence and statements.
Which of the following is an example of a data analysis function that can be performed to help detect fraud through examination of payroll accounts?
A. Check proper supervisory authorization on payroll disbursements.
B. Generate depreciation to asset cost reports.
C. Compare customer credit limits and current or past balances.
D. Compare approved vendors to the cash disbursement payee list.
A. Check proper supervisory authorization on payroll disbursements.
See pages 3.730-3.731 in the Fraud Examiner’s Manual
The following are examples of data analysis queries that can be performed by data analysis software on payroll accounts to help detect fraud:
- Summarize payroll activity by specific criteria for review.
- Identify changes to payroll or employee files.
- Compare time card and payroll rates for possible discrepancies.
- Identify paychecks with amounts over a certain limit.
- Check proper supervisory authorization on payroll disbursements.
Generally, the rules of admissibility for digital evidence are stricter than such rules for tangible evidence.
A. True
B. False
B. False
See page 3.807 in the Fraud Examiner’s Manual
Although digital evidence is different from—and more volatile than—tangible evidence, the rules regarding the admissibility of digital evidence in court are no different from the rules regarding the admissibility of any other type of evidence.