Abstract
This study examines a mathematical model for determining the timing, and consequently the volume, of transactions to be audited in a continuous audit system so as to detect both errors and malicious fraud. The interactions between the audit system and a potential fraudster are modeled as a continuous-time Markov chain. State changes occur due to either fraud or unintentional errors. In the case of fraud, the state changes are computed using a game-theoretic approach. The model proposes a non-uniform frequency, which is perhaps more appropriate for an automated audit system.
Cite this article
Thomas, M.A., Marathe, R.R. Forensic Considerations in Determining Timing of Continuous Audit Systems. Technol. Oper. Manag 2, 80–89 (2011). https://doi.org/10.1007/s13727-012-0009-7
DOI: https://doi.org/10.1007/s13727-012-0009-7