（2008）Practicing Information Technology Auditing for Fraud.pdfVIP

Copyright © 2008 Information Systems Audit and Control Association. All rights reserved. . Practicing Information Technology Auditing for Fraud By Dale Johnstone and Ellis Chung Yee Wong, CISA, CFE, CISSP IT Processes raud is often difficult to detect and even harder to prove Control Objectives for Information and related Technology 4 in a court of law. This paper provides insight into (COBIT) provides excellent coverage of IT processes. An IT Fcommon practices applicable to practicing professionals process, according to COBIT, can be classified into one of four who are auditing for fraud in an information technology specific domains: (IT) environment. • Plan and Organize (PO) The term “occupational fraud” is defined as “the use of • Acquire and Implement (AI) one’s occupation for personal enrichment through the deliberate • Deliver and Support (DS) misuse or misapplication of the employing organization’s • Monitor and Evaluate (ME) 1 resources or assets.” The study used as the basis for this A total of 34 IT processes are listed within these four definition was compiled from data associated with 1,134 domains, as shown in figure 1. occupational fraud investigation cases that occurred between January 2004 and January 2006. Selected key findings of this Figure 1