Академический Документы
Профессиональный Документы
Культура Документы
MODULE NO. 4
This module covers Document Examination-
keeping the chain of custody, External
Confirmations, Fraud Risk Assessment.
This can safely be defined as a record of the movement and location of physical evidence from
Judges in bench trials and jurors in jury trials are obligated to decide cases on the evidence that is
presented to them in court the of law. The judges or jurors do not conduct their own
investigations into the underlying facts of a given case. Most states and federal courts rules
prohibit judges and jurors from being swayed away, meaning, all confirmations evidence that is
not properly admitted into the record pursuant to the rule of evidence/ confirmations in giving
Likewise, those involved in the civil and criminal litigation depend on judges and the jury to
independently weigh the confirmation, and only the confirmation, which is correctly admitted
into the record(s). Each day, all across the U.S, litigants stake their livelihoods, bank accounts,
and freedom on the premise that the outcome to their judicial proceedings will be one that is
Court-rendered judgments and jury verdicts that are based on contaminated, undependable, or
changed confirmations would undermine the integrity of the entire legal system if such outcomes
1
All copy and transmission rights reserved by the IICFIP USA, Incorporation
became commonplace. One way in which the law tries to ensure the integrity of evidence is by
requiring proof of the chain of custody by the party who is seeking to introduce a particular piece
of evidence.
Proof of a chain of custody is required when the evidence that is sought to be introduced at a trial
is not unique or where the relevance of the evidence depends on its analysis after an attack. A
2. Testimony of continuous possession by each individual who has had possession of the
evidence from the time it was seized until the time it is presented in court.
3. Testimony by each person who has had possession of that particular piece of evidence that it
remained in substantially the same condition from the moment one person took possession
until the moment that person released the evidence into the custody of another until
Proving a chain of custody is essential to "lay a foundation" for the evidence, simply by showing
the absence of alterations. Particularly, base testimony for tangible evidence requires that
exhibits be identified as being in substantially the same condition as they were at the time the
evidence was detained, and that the exhibit has remained in that condition through an unbroken
chain of custody. Suppose that in a prosecution for possession of illegal drugs, forensic
investigator A recovers drugs from the defendant then gives the next forensic investigator B the
drugs; B then gives the drugs to law enforcer scientist C, who does the analysis of the drugs; and
C gives the drugs to police detective D who brings the drugs to court. The testimony of A, B, C,
and D constitute a "chain of custody" for the drugs, and the prosecution would need to offer
2
All copy and transmission rights reserved by the IICFIP USA, Incorporation
testimony by each person in the chain to establish both the condition and identification of the
evidence, unless the defendant stipulated as to the chain of custody in order to save time.
A chain of custody need not be demonstrated for every piece of tangible evidence that is
accepted into the trial court's record(s). In fact, the physical evidence that is readily identifiable
by the witness might not need to be supported by a chain-of-custody proof. Take for instance, no
chain-of-custody foundation is needed for items that are imprinted with a serial number or
inscribed with initials by an officer who collected the confirmations. Likewise, items which are
inherently distinctive or memorable might be sufficiently unique and identifiable that they
Whether the requisite foundation has been laid to establish a chain of custody for an exhibit, is a
matter of discretion on the part of the trial judge/ jury. Chances of misidentification and
adulteration must be gotten rid off, not completely, but as a matter of reasonable prospect.
Wherever there is sufficient testimony that the evidence is what it purports to be, and that
testimony is offered by each responsible person in the chain of custody, variations as to accuracy
or reliability of testimony regarding the chain of custody go to the weight of the evidence and not
to its acceptability, which means that the evidence would be admitted into the record for the
judge or jury to evaluate in light of any conflicting testimony that the chain of custody somehow
had been altered. Although the party who offers the evidence has the burden of demonstrating
the chain of custody, the party against whom the evidence is offered must timely object to the
evidence when it is first introduced at examination, or the party will waive any objections as to
3
All copy and transmission rights reserved by the IICFIP USA, Incorporation
Impartiality of an investigation is becoming a new standard in digital forensics, one that service
providers are well-suited to deliver. Outsourcing almost guarantees that any investigation is
impartial. It also saves organizations money since they don't have to keep a digital forensic
investigator on the payroll. Service providers who offer digital forensic services can ease
customer's minds by remaining impartial and taking the necessary steps to ensure that collected
evidence is not tampered with and can be relied upon when called upon.
One element often overlooked in the rush to obtain evidence during a forensic investigation is
control. To prove impartiality you must be able to answer the five W's and H questions: who,
Ultimately, if the chain of custody is not maintained, all evidence can be challenged and thrown
out of court. This can be particularly devastating when valuable time and resources have been
used to collect the evidence in the first place, not to mention the fact that a failed investigation
erodes the customers confidence. How then should you ensure that forensic evidence is properly
controlled to maintain the chain of custody? There are forms and software programs to assist in
documenting the chain of custody, but here are top tips that you won't find in reference guides.
4
All copy and transmission rights reserved by the IICFIP USA, Incorporation
Label everything
Cables, Wireless access points, anything and everything that is found at the site should be treated
as a possible exhibit and labeled accordingly. It's easy to forget what goes where when you get
into a tangle of cables and equipments in the server room. If you have to tear down the site and
reassemble it in a lab, the labels make sure you get everything right. This is very applicable to
Witness everything
I have found it very useful, chiefly when an examination is facing tough scrutiny, to have a
witness for the whole thing. Should your labels, or printed photos and recovered data be all
assessment. Furthermore, heaven prohibit, if you are incapacitated and not able to provide
testimony when needed, the witness may be used to back up your investigation.
Last but not least in the investigation is controlling the evidence by maintaining an indisputable
chain of custody. The best method is to give everything a unique ID with accurate and complete
descriptions. Include in your descriptions any unrecoverable marks on equipment such as deep
scratches and dents. Address the five W's and an H for all evidence, seal it with tamper-proof
seals, sign and witness the seals. Lock it up in an indisputably secure location and log every time
the evidence is accessed. If you have to turn evidence over to legal authorities, they are not
above these rules, so have them sign for everything they take.
5
All copy and transmission rights reserved by the IICFIP USA, Incorporation
Digital forensics is an exciting new industry that is bound to see new methods and challenges as
techniques and technology continue to change. To maintain a solid reputation in the field, build
solid skills with existing software tools and ensure your methodology is beyond reproach.
Documentary evidence gathering must be done according to law and generally accepted
investigative practice.
Contaminated evidence will not be admissible or it may impede the extraction of further
6
All copy and transmission rights reserved by the IICFIP USA, Incorporation
External Confirmations
Introduction
External confirmations, I am writing about here, is not exactly the same as what is outlined in
the ISA standard. They may be some similarities but the mindset and some procedures are totally
different.
The mindset of the certified forensic investigator is to independently collect evidence in support
or against what he has collected from the transactional and documentary analysis. The
investigator plans to collect the evidence from external parties without informing the client about
his exact intentions.
Evidence provided by external parties is more reliable than the information supplied by the
clients staff.
The following are the sources of external evidence for the purposes of forensic investigation:
1. Banks;
2. Suppliers;
3. Customers; and
4. Former staff.
External confirmation can be defined as the process of obtaining and evaluating investigation
party in response to a call for information concerning a particular item touching assertions in the
7
All copy and transmission rights reserved by the IICFIP USA, Incorporation
confirmations, the investigator should consider the features of the environment in which the
entity being investigated functions and the practice of potential respondents in dealing with
Based on my own findings, investigation evidence availed by the original documents may be
investigation evidence in the form of original written responses to confirmation requests received
directly by the investigator from third parties unrelated to the entity being investigated,
considered cumulatively with investigation evidence from other investigation dealings, can assist
in reducing the risk of material misrepresentation for the related assertions to an acceptably low
level.
Although its very useful for a successful result, an investigator must establish whether the
investigations evidence at the assertion level. When doing this determination, investigators must
consider the already assessed risk of material misstatement at the assertion level and how the
investigation evidence from other planned investigation procedures will trim down the risk of
The investigator should tailor external confirmation requests to the specific investigation
objective. When designing the request, the investigator considers the assertions being addressed
and the factors that are likely to affect the reliability of the confirmations. Determinates like the
form of the external confirmation request, previous familiarity on the investigation or similar
activities, nature of the information being investigated, alongside the intended respondent, have
an effect on the design of the requests since these factors have a direct consequence on the
8
All copy and transmission rights reserved by the IICFIP USA, Incorporation
processes.
Management Requests
When the investigator needs to ascertain particular certain balances, but management requests
the investigator not to carry out as he/ she sees necessary, the investigator should consider
whether there are valid grounds for such a request and obtain investigation evidence to support
the validity of managements requests. Should the investigator concur to managements request
not to seek external confirmation regarding a particular concern, then the investigator must apply
Should the investigator fail to accept the validity of managements request and is prevented from
carrying out the investigation, then there has been a limitation on the scope of the investigators
work and the investigator should consider the possible impact on his or her report findings.
When performing confirmation procedures/ processes, investigators should keep control over the
process of selecting those to whom a request will be referred, sending and preparing the
confirmation requests, and the responses to those requests. In no circumstance should the control
of communications between the intended recipients and the investigator be ignored since this
may minimize the possibility that the results of the confirmation process will be unbiased due to
the interception and alteration of confirmation requests. The firm in question should see to it that
it is the investigator who sends out the confirmation requests, alongside ensuring that the
9
All copy and transmission rights reserved by the IICFIP USA, Incorporation
requests are properly handled, and that it is requested that all replies are sent directly to the
investigator.
In cases where no response is received, he /she should contact the recipient of the request to
bring out a response. However, in cases where even that are in vain, the investigator uses other
investigation measures. The nature of the substitute investigation procedures depend on the
account and assertion in query. In the assessment of accounts receivable, optional investigation
procedures might include but not limited to examination of subsequent cash proceeds,
evidence to help in assertion. While, in the examination of accounts payable, other investigation
procedures might include but not limited to examination of succeeding cash disbursements or
correspondence from third parties to give investigation evidence of the existence assertion,
assessment of other records, like goods received notes, in order to give investigation evidence of
After receiving a response, the investigator considers whether there is any indication that
external confirmations received may not be reliable in anyway. He/ she consider the responses
authenticity and perform investigation procedures to dispel any concern of doubt. He / she may
decide to verify its source and contents of a response in a telephone call to the purported sender.
Furthermore, the investigator requests the purported sender to mail the original confirmation
directly to the investigators physical and email address. Should the information be in the form of
10
All copy and transmission rights reserved by the IICFIP USA, Incorporation
oral confirmations the investigator may request the relevant parties to submit written
Carrying out external confirmation tests can provide very good evidence of the
offense.
According to ISA 505, External Confirmations should be read in conjunction with ISA 200,
confirmations must not however be done according to tradition but by using proactive methods
like undercover inquiries to all with potential to provide the clues necessary for discovery.
The investigator should determine whether the use of external confirmations is necessary to
obtain sufficient appropriate investigation evidence at the assertion level. It indicates that, while
recognizing exceptions may exist, the following generalization about the reliability of
11
All copy and transmission rights reserved by the IICFIP USA, Incorporation
External confirmation is the process of obtaining and evaluating investigation evidence through a
request for information about a particular item affecting assertions in the financial statements or
related disclosures.
External confirmations are frequently used in relation to account balances and their components,
but need not be restricted to these items. The following are examples of situations where external
Property title deeds held by lawyers or financiers for safe custody or as security.
Investments purchased from stockbrokers but not delivered at the balance sheet date.
12
All copy and transmission rights reserved by the IICFIP USA, Incorporation
evidence regarding the existence of the account as at a certain date. Confirmation also provides
confirmation does not ordinarily provide all the necessary investigation evidence relating to the
valuation assertion, since it is not practicable to ask the debtor to confirm detailed information
Similarly, in the case of goods held on consignment, external confirmation is likely to provide
reliable and relevant investigation evidence to support the existence and the rights and
obligations assertions, but might not provide investigation evidence that supports the valuation
assertion.
The investigator should tailor external confirmation requests to the specific investigation
objective. When designing the request, the investigator considers the assertions being addressed
and the factors that are likely to affect the reliability of the confirmations.
Factors such as the form of the external confirmation request, prior experience on the
investigation or similar engagements, the nature of the information being confirmed, and the
intended respondent, affect the design of the requests because these factors have a direct effect
procedures.
13
All copy and transmission rights reserved by the IICFIP USA, Incorporation
A positive external confirmation request asks the respondent to reply to the investigator in all
cases either by indicating the respondents agreement with the given information, or by asking
A negative external confirmation request asks the respondent to reply only in the event of
Management Requests
When the investigator seeks to confirm certain balances or other information, and management
requests the investigator not to do so, the investigator should consider whether there are valid
grounds for such a request, and obtain investigation evidence to support the validity of
managements requests. If the investigator agrees to managements request not to seek external
confirmation regarding a particular matter, the investigator should apply alternative investigation
If the investigator does not accept the validity of managements request and is prevented from
carrying out the confirmations, there has been a limitation on the scope of the investigators work
and the investigator should consider the possible impact on the investigators report.
Characteristics of Respondents
14
All copy and transmission rights reserved by the IICFIP USA, Incorporation
When performing confirmation procedures, the investigator should maintain control over the
process of selecting those to whom a request will be sent, the preparation and sending of
confirmation requests, and the responses to those requests. Control is maintained over
communication between the intended recipients and the investigator to minimize the possibility
that the results of the confirmation process will be biased because of the interception and
should be such as to provide investigation evidence about the assertions that the confirmation
When the investigator forms a conclusion that the confirmation process and alternative
obtain sufficient appropriate investigation evidence. In forming the conclusion, the investigator
considers the:
15
All copy and transmission rights reserved by the IICFIP USA, Incorporation
b. Nature of any exceptions, including the implications, both quantitative and qualitative of
The investigator should evaluate whether the results of the external confirmation process
together with the results from any other investigation procedures performed, provide sufficient
When the investigator uses confirmation as at a date prior to the balance sheet to obtain
investigation evidence that transactions relevant to the assertion in the intervening period have
not been materially misstated. Depending on the assessed risk of material misstatement, the
investigation or may decide to confirm balances at a date other than the period end, for example,
when the investigation is to be completed within a short time after the balance sheet date. As
with all types of pre-year-end work, the investigator considers the need to obtain further
investigation evidence relating to the remainder of the period. ISA 330 provides additional
The reliability of investigation evidence is evaluated based on how the support was obtained and
who it was obtained from. The most reliable form of investigation evidence comes when
independent sources provide tangible support directly to the investigators, whether in the form of
paper copies, electronic, or other mediums. In turn, support which is provided verbally from the
16
All copy and transmission rights reserved by the IICFIP USA, Incorporation
client is not considered as valuable to the investigator, although it may still be considered
investigation evidence.
17
All copy and transmission rights reserved by the IICFIP USA, Incorporation
Almost all agencies/ firms are subject to fraud risks, and need to complete a fraud risk
assessment for their agency at least every two years. An exhaustive fraud assessment needs to be
performed by division and/or function. Functions and services that need to be included in the
assessment are Finance and Accounting, Human Resources Management (payroll), Purchasing
and Contracting, and Information Technology. As a part of the assessment, agencies need to look
at control environment and information technology as both have a significant effect on fraud risk
A fraud risk assessment should be performed periodically to identify potential schemes and
events that need to be eradicated. It provides guidance for conducting a fraud risk assessment;
however, agencies will need to make modifications to meet their individual needs and
complexities.
An effective fraud risk management assessment should identify where fraud may occur and who
the perpetrators are. Thus, subdue activities should always consider both the fraud scheme and
the individuals within and outside the organization who could be the perpetrators of each
controls, since conspiracy interferes with the controls effectiveness of segregation of duties.
Fraud, by definition, entails intentional misconduct, intended to dodge a detection. For instance,
the fraud assessment should foresee the behavior of a potential perpetrator. Ideally, it is vital to
design fraud detection procedures that a perpetrator may not anticipate; it needs a cynical attitude
18
All copy and transmission rights reserved by the IICFIP USA, Incorporation
With this in mind, a fraud risk assessment generally includes three key elements:
Respond to reasonably likely and significant inherent and residual fraud risks.
When performing an audit, you use risk assessment procedures to assess the risk that material
misstatement actually took place. It is the most important step since the whole point of a
financial statement audit is finding out if the financial statements are materially correct.
A clients contribution to audit risk; the risk of a material misstatement existing in the
financial records due to errors and fraud influences your firms plans regarding what audit
evidence is necessary and which personnel will be assigned to the task. The higher the risk the
How exactly do you perform a risk assessment audit? You may follow various risk assessment
procedures, such as recognizing the nature of the company, its management alongside
procedures, one must use the results in figuring out how high the chance is that your client has
19
All copy and transmission rights reserved by the IICFIP USA, Incorporation
Recognizing the nature of the company: There should be some crucial questions to ask
management.
Analyzing processes and paperwork: That is, use the analytical procedures test to see if
plausible and expected relationships exist in both financial and nonfinancial data.
Observing the client at work: One common type of observation is to watch the staff
Fraud Risk Assessment is also referred to as Proactive Fraud Audit. It is a deliberate and well
planned search of loopholes and fraud without prior warning of any wrong doing.
20
All copy and transmission rights reserved by the IICFIP USA, Incorporation
A. True
B. False
2. What is the name given to scientific data when used in a courtroom setting to establish
the connection of a person to a crime?
A. Evidence
B. Testimony
C. Hearsay
D. Witness
B. To physically link the defendant to the crime scene, thereby providing inferential
4. Facts or opinions generated or supported by the use of one or more of the forensic
sciences is called:
A. Evidence
B. Forensic evidence
D. Generation
21
All copy and transmission rights reserved by the IICFIP USA, Incorporation
6. When performing an audit, you use risk assessment procedures to assess the risk that
material misstatement actually took place.
A. True
B. False
7. When performing confirmation procedures, the investigator should maintain control over the
process of selecting those to whom a request will be sent.
A. Yes
B. No
8. A negative external confirmation request asks the respondent to reply only in the event of
disagreement with the information provided in the request.
A. Yes
B. No
9. External Confirmation also provides investigation evidence regarding the operation of cut-
off procedures.
A. Yes
B. No
10. Investigation evidence availed by the original documents may be more reliable than
investigation evidence availed by photocopies or facsimiles.
A. Yes
B. No
22
All copy and transmission rights reserved by the IICFIP USA, Incorporation
Appendix 1
Chain of Custody
Item # Date/Time Released by Received by Comments/Location
(Signature & ID#) (Signature & ID#)
23
All copy and transmission rights reserved by the IICFIP USA, Incorporation
This Evidence Chain-of-Custody form is to be retained as a permanent record by the Anywhere Police Department.
24