All posts by

A new era for!

Welcome to H.B. Kay Log!

Frequent visitors of may notice the radical change that has just taken place. After allowing it to hibernate for several years, I have decided to revive this site.

In the past, I would update it depending on whether  I went on a long vacation, or there was a national disaster that I wanted to memorialize. Sadly, there were more disasters than long vacations. What was a middle of the road, standard website layout in 2005 is no longer acceptable. It’s time to shake up the status quo!

Plus, it took me all this time to figure out what the heck I want to do with this site. So I’m going to post about those things that are interesting to me on a professional basis.  I’m starting by re-posting a number of short papers I had to write while in graduate school, at the New Jersey Institute of Technology, for my Masters in Information Technology Administration and Security.

So let’s get started!

H.B. Kay

H.B. Kay


Recognizing and Fighting the Fraud Triangle

The Fraud Triangle is a method for explaining why someone might want to commit fraud. The idea for it was created by Donald Cressey, who, among other things, contributed to the study of criminology and white collar crime. The concept of the Fraud Triangle originated from his hypothesis that trusted employees commit fraud and violate the trust that has been placed in them when:

1. They are under some form of pressure that they cannot share. Pressure can take several different forms, including gambling and drug addictions which could lead to excessive personal debt. A different form of pressure is related to status, for example, a trader looking to improve his status in the organization by improving his numbers.

2. Perpetrators recognize an opportunity to remove this pressure by illicitly abusing their position in the organization. Once an employee feels this pressure, they may see an opportunity to do something about it. These opportunities could include:

  • No apparent audit trail in the organization.
  • Inadequate oversight by supervisors.
  • Management’s past failures to discipline perpetrators. This could lead to a lack of fear about reprisal.
  • Inadequate or non-existent internal controls for detecting fraud.

3. Once they see an opportunity, perpetrators rationalize illicit actions or abuses of power so that they can remove their pressure. (Frenza 2011)

The Fraud Triangle

The Fraud Triangle

How can we fight the Fraud Triangle?

Employee Pressure can be difficult to identify until after a fraud has occurred. However, there are preemptive actions that an employer can take:

Criminal background check – there are a number of online services that claim to be able to conduct a national criminal background check for as little as $10 per search. They typically access large national databases to search for criminal information. However, these national databases are not necessarily complete. Data collection is usually conducted at the county level, and reporting standards and requirements vary greatly from county to county. To be thorough, these checks need to be made at the county level, which becomes more expensive. A good rule of thumb is that a good, thorough criminal background check could cost about as much as a day’s salary of the prospective employee. (Fishman 2008)

Employers can also run a Credit Check on current or prospective employees. However, they will need the employee’s name, address, social security number, and authorization in writing. The cost can vary, but is typically between $8.00 and $20.00. (Donnelly 2010). The Credit Check can help identify potential pressures that could be considered red flags, such as outstanding liens, bankruptcy/foreclosure, if the employee is using 100% of their credit, recent late fees, and significant financial activity. (Doyle n.d.)

Organizations probably have the greatest control over Opportunity. The first step is for management to lead by example. Employees will notice when management is absent or acts dishonestly. Secondly, strong procedures and control activities should be put into place. These include segregation of duties, input and data validation controls, process controls, batch controls, access controls, physical controls and authorization controls. A comprehensive audit trail needs to be implemented. Finally, the organization should be willing to hire an independent third party to analyze these controls, and make recommendations for improvements. These actions will not stop all fraud, but may discourage it. (Frenza 2011)

Unfortunately, organizations have the least control over an employee’s Rationalization for conducting fraud. It can be difficult to know what someone is thinking. One possible way to handle this is for managers to get to know their subordinates better (without being intrusive), and to be willing to give an employee some support and encouragement during a difficult time.



Donnelly, Tim. How to Run a Credit Check. December 30th, 2010. (accessed April 6th, 2014).

Doyle, Alison. Why Do Employers Check Credit History? n.d. (accessed April 6th, 2014).

Fishman, Nick. How Much Should a Reliable Background Check Cost? April 22nd, 2008. (accessed April 6th, 2014).

Frenza, Michael D. The Fraud Triangle – How to Keep It Out of Your Business. October 26, 2011. (accessed April 5th, 2014).




The Case for Implementing Strong Business Ethics

The idea of implementing and enforcing a strong code of Business Ethics in for-profit organizations may sound like it could only be appreciated by New Age gurus and Marxist rebels operating in the jungles of South America, but it actually makes good business sense, can save companies their hard earned money, and protect their reputations.

There are advantages to implementing and enforcing a Business Code of Ethics. Corporate culture starts from the top and works its way down through the ranks, and most workers tend to adopt the business values of the corporate leadership. Implementing and enforcing a strong set of Business Ethics makes it easier to retain good employees who know they will be treated fairly, and will be heard if they speak up about potential wrong doing. On the other hand, lack of Business Ethics could encourage employees and management to cover up or hide problems. This may work in the short term, but could cause much larger problems in the long term. (Wadhwa 2013).

Second, implementing strong Business Ethics can attract good customers and vendors. Customers are more comfortable knowing they are buying services or products from a company that acquires materials and utilizes labor in a responsible and ethical manner. Some people buy their coffee based on whether or not it’s picked in a sustainable manner, by people who are paid a decent wage. Companies that practice and enforce Business Ethics are less likely to get in trouble for poor behavior. (Joseph 2013).

One example of corporate misbehavior is the recent General Motors recall of faulty ignition switches in several automobile models. In February 2014, General Motors finally began a recall of 2.6 million cars for a problem that was first detected in 2001 – thirteen years ago. This faulty ignition switch could automatically turn the car’s engine off and prevent airbags from deploying while the car was moving. GM itself believes that the faulty ignition switch is responsible for 31 crashes and 13 deaths. (Basu 2014). If GM had owned up to this problem when it was first detected, those fatalities may not have occurred, and its reputation untarnished.



Basu, Tanya. Timeline: A History Of GM’s Ignition Switch Defect. March 31st, 2014. (accessed April 5th, 2014).

Joseph, Laran. Importance of Business Ethics and Corporate Social Responsibility. December 10th, 2013. (accessed April 5th, 2014).

Wadhwa, Vivek. Wall Street Journal: Corruption in Business and the Importance of Ethics. June 29th, 2013. (accessed April 5th, 2014).

Auditing the Expenditure Cycle – Weaknesses in the Payroll System

A 2012 study by the Association of Fraud Examiners revealed that 11 percent of workplace frauds involve payroll. The average cost of this type of fraud was $48,000. On average these types of schemes avoid detection for 36 months.

The creation of false, or “ghost”, employees is one of the most common forms of payroll fraud. Fictitious hours are submitted in the name of the “ghost” employee for work not performed. (Chris Bradford n.d.)

Responsibility for entering payroll data and processing paychecks should be divided between human resources and the accounting department to make sure that multiple people are needed to complete the payroll cycle. This segregation of duties helps prevent possible abuses, such as the creation of “ghost” employees, diverting money to personal accounts, or modifying vacation hours. (Nestor-Harper n.d.)

In most companies, the personnel department uses personnel action forms to designate employees receiving pay checks, what their salary is, job classification and any payroll deductions. Supervisors are not responsible for managing this information because of the potential for abuse. (Hall 2011)

Many organizations use time cards to track the hours that an employee is at work. Or they may ask each employee to enter a unique code into the system to clock in or clock out. Both of these methods are susceptible to potential fraud. One employee could clock in using another employee’s Time Card or code. Reasons for doing this may include covering for a late or absent employee. One method of discouraging this behavior is for supervisors to observe the practice of clocking in.

A payroll preview report should be generated and reviewed before paychecks are printed, or pay transferred into direct deposit accounts. This review should be done by someone other than the person or department responsible for payment processing. This review would look for terminated employees who shouldn’t receive paychecks, inordinate hours worked, or invalid vacation dates posted. (Nestor-Harper n.d.)



Chris Bradford. How Can Internal Control Overcome Payroll Fraud? n.d. (accessed March 29th, 2014).

Hall, James A. “Chapter 9: Auditing the Revenue Cycle.” In Information Technology Auditing and Assurance, Third Edition, by James A. Hall, 647. Mason, Ohio: South-Western Cengage Learning, 2011.

Nestor-Harper, Mary. The Internal Control Weaknesses of a Payroll System. n.d. (accessed March 29th, 2014).

Thoughts on Access Control

There are several layers of Access Control that need to be audited. These are some of the questions that need to be asked when auditing access.


  • Which groups or individuals have access to sensitive locations or equipment in the organization being audited?

Operating System/Network Access to network resources: 

  • Who has access to file shares or network resources on the network?  I.E. does the Marketing Department really need access to the Sales Team’s reports folder?
  • What kinds of privileges do individuals or groups have in these shares – Read, Write, Execute?
  • Are these privileges appropriate?

Access to Enterprise Resource Planning systems:

  • Which groups or individuals have access to each ERP module?
  • Is this access appropriate?

Getting Started with ACL 9

One of the objectives of this week’s class was to begin familiarizing students with ACL (Audit Command Language) software. The textbook for this class, Information Technology Auditing, 3rdEdition, includes a CD containing the ACL 9 Desktop Education Edition software. After the ACL 9 software has been installed, you can view the ACL Getting Started guide, located in C:\ACL Data\Sample Data Files\ACLStart.pdf.

You can also download ACL 9 tutorials from the publisher’s website, Click on the “Free Resources” button, setup an account, provide the Cengage website with the 13 digit ISBN number of the text book, and you’ll be able to download three ACL 9 software tutorials, in the form of zipped MS Word documents. (Hall 2011)

Loading the demonstration project for the tutorials is easy:

1. Click on the “ACL Desktop Education Edition” icon.

1 - ACL Icon

1 – ACL Icon

@2014 Image created by Harold Kay

2. ACL 9 opens. Click the “Open an existing Project” link.

2. Open ACL

2. Open ACL

@2014 Image created by Harold Kay

3. The Project dialog opens. Select ACL_Demo.acl

4. Click the “Open Button.

3. Select ACL Demo

3. Select ACL Demo

@2014 Image created by Harold Kay

5. The ACL_Demo.acl project opens. This post will now demonstrate some very simple functionality in ACL 9. Open the ACL_Demo.ACL project, using the instructions above.

6. In the left hand “Project Navigator” pane, select Tables|Metaphor_Trans_2002.

4. Select Table

4. Select Table

@2014 Image created by Harold Kay

7. Click the “Analyze” menu.

8. Select “Look for Gaps”

5. Select Gaps

5. Select Gaps

@2014 Image created by Harold Kay

9. The “Gaps” dialog box opens. Click on Invoice to search for gaps in Invoice Numbers.

10. Select “List Gap Ranges” radio button to view the gap ranges.

11. Click the “Ok” button.

6. Gaps Option

6. Gaps Option

@2014 Image created by Harold Kay

12. The screen now displays the “Gaps Found Between” report

7. Gap Report

7. Gap Report

@2014 Image created by Harold Kay This is just one simple function available to users of ACL. There are many others, and documentation on them can be found in the ACL Getting Started guide.  (ACL Services Ltd 2006)

ACL is a very powerful Computer-Assisted Audit Tools and Techniques (CAATT) application which allows auditors to take data from almost any platform, in any format, and derive meaning and analysis from that data. This post has provided a brief overview about opening the demo ACL project and running a simple Gap report.  (ACL Services LTD 2006)


ACL Services Ltd. “Testing for gaps and duplicates in sequential data.” In ACL Getting Started, 74. Vancouver, BC, Canada: ACL Services Ltd, 2006.

Hall, James A. “Chapter 9: Auditing the Revenue Cycle.” In Information Technology Auditing and Assurance, Third Edition, by James A. Hall, 647. Mason, Ohio: South-Western Cengage Learning, 2011.


SQL SELECT Basics. Plus – Run SQL Commands in your Browser!

Chapter 8 of the text book gave a high level overview of relational database data structures and Entity Relationship Diagrams (ERD). The book only briefly discussed several Structured Query Language (SQL) commands, and what they did. When auditing relational databases, a basic understanding of SQL could make it much easier to pull appropriate data from a system in a format that makes it easier to import into a CAATTs Generalized Audit Software. This knowledge could save the auditor time and effort.

In a relational database, data is stored in tables. The rows of these tables are discrete collections of data, or records. The columns of these tables are attributes, or fields that describe the records.

Table Structure

Table Structure

SQL is the language that gives the user access to the data contained in a relational database’s tables. With the proper use of SQL commands, a user can build queries that either SELECT data from database tables, UPDATEs that data, INSERTs new data, or DELETEs it. (Systems 2005) This post will focus on the SELECT command, and will direct readers to a website where SQL commands can be practiced right from the user’s browser, without installing any software. ( n.d.)

A basic knowledge of SQL can be very useful if you have to generate a report or export data from a relational database. The SQL SELECT statement has a number of elements, but we are going to focus on the most common:

  • FROM

The most basic SELECT query is the statement “SELECT * FROM [Employees];” where Employees is the name of a data table in the database, and the * character is shorthand for “select all fields in this table”. This statement will grab all the columns (field names) of a table, and all the rows of the table (records). (Systems 2005).

The user can be more selective. An example of this would be an Employees table, where the user wants to retrieve data from the EmployeeID, LastName, FirstName and BirthdDate columns, and return only employees who were born after January 1st, 1960, sorted by employee birthdate. We would use the following query:

SELECT EmployeeID, LastName, FirstName, BirthDate
FROM [Employees]
WHERE BirthDate >= ’1960-01-01′
ORDER BY BirthDate;

SELECT Statement - WHERE clause results

SELECT Statement – WHERE clause results

The WHERE command limits the rows returned by the query, based on the criteria supplied in the WHERE command. In this case, only return records where the employee’s birthday is greater than or equal to January 1st, 1960.

The ORDER BY command sorts the rows returned based on the field name used with the ORDER BY command. In this case, we are sorting by Birthdate.

Readers of this post can try the bolded queries included in this post by going directly to, pasting the query into the “SQL Statement” text box, and clicking the “Run SQL” button.

Test out SQL Statements for yourself!

Test out SQL Statements for yourself!

The reader can try a number of other SQL commands, such as INSERT, UPDATE, or DELETE for herself by going to the website, selecting a command from the list on the left hand side, and clicking the “Try it yourself” button. ( n.d.)

More and more companies are moving toward relational databases and enterprise resource planning (ERP) systems. Having a basic understanding of SQL can give auditors much finer control over retrieving and extracting the data to import into their CAATTs.



SQL SELECT Statement. n.d. (accessed March 17, 2014).

Systems, Jackie Goldstein of Renaissance Computer. 01, 2005. (accessed March 17, 2014).



Using SSIS ETL Methodology for CAATs and Data Mining

I’d like to mention that Microsoft SQL Server has extract-transform-load (ETL) capabilities built into it called SQL Server Integration Services (SSIS).  SSIS uses a Graphical User Interface very similar to what you might see when building applications with Visual Basic or VB .NET.

With SSIS, you can extract data from almost every kind of data source: text files, CSV files, MS Excel spreadsheets, database tables using ODBC or OLEDB connectors, etc.
SSIS has a number of tools for transforming that data into a usable format. Do you need to filter certain data out, or concatenate two fields together, or create a calculated field based on several other fields? It can do that.
Finally, it can load data into almost every kind of format: text files, CSV files, MS Excel spreadsheets, database table using ODBC or OLEDB connectors, etc.
Since SSIS is a part of SQL Server, you can use SQL Server’s Scheduling service to schedule SSIS jobs. I use SSIS to initiate SFTP transfers of data files to and from several of our vendor’s SFTP sites on a nightly basis. It’s a great tool that’s available for the price of a SQL Server installation. I really like working with SSIS.
Just for clarity, this service used to be called Data Transformation Services (DTS) from SQL Server 7.0 through SQL Server 2000.
Anyway, my point about SSIS is that it is a powerfull, moderately inexpensive solution and is fairly easy to use. It may allow you to take your company’s data and transform it into a format that could be used by a CAATT.

Formats for Importing Data into a CAAT

One of the challenges involving the use of Computer Aided Audit Tools and Techniques (CAATs) when testing application controls is the transfer of information from the production system being audited into the auditor’s CAAT of choice.

There are a large number of data formats that could be used, depending on the DBMS (database management system), application software, or platform of the system being audited. The extracted data file could be a delimited text file, an XML file, an MS Excel spreadsheet, a PDF file, a dBase .dbf file, or even a connection to the database itself via ODBC (Open Database Connectivity).

In the article, the author ranks Data File formats by how efficient they are for importing data into a CAAT. His ranking, from most efficient to least efficient is:

  • dBase dbf file.
  • Adobe PDF File exported from system (not a scanned image).
  • Microsoft Excel XLS or XLSX file.
  • Delimited text file, such as CSV or TXT file.
  • XML file.
  • Miscellaneous others. (Tommie W. Singleton 2010)

I don’t agree with his ranking – I think that trying to extract data from a PDF file is more difficult and challenging than using almost any of the other methods.

There are limits to how many rows of data an MS Excel file can utilize. In the older XLS format, there is a 65,536 row limit (Microsoft Corporation 2012). In the newer XLSX file format, the limit is 1,048,576 rows. (Microsoft Corporation n.d.)

XML has become more common as a data extaction and communication tool. However, XML data use data dictionaries, and the auditor may not have access to the audited system’s data dictionary.

In the article, the author states that the “ideal format” is typically a flat file composed of rows of data. The first row contains column heading names, while subsequent rows contain the data.

CAAT Flat File

CAAT Flat File

After the data has been imported into the CAAT, it’s important to verify that it is exactly the same as the data in the operational system. One method of verification is similar to the batch transmittal sheet method. This involves using metrics about the data itself, such as the number of data records, summing total dollar amount or quantity columns or other similar kinds of data.

The author concludes that CAATs provide an effective and efficient method for meeting the goals of the audit. However, the most difficult step of the process may be putting the data into a format that can be used by the CAAT. (Tommie W. Singleton 2010)


Microsoft Corporation. Excel specifications and limits. n.d. (accessed 03 09, 2014).

—. Text files that are larger than 65,536 rows cannot be imported to Excel 97, Excel 2000, Excel 2002 and Excel 2003. December 19, 2012. (accessed March 09, 2014).

Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CMA, CPA. Data Extraction, A Hindrance to Using CAATs . June 01, 2010. (accessed 03 09, 2014).


Cloud Service Definitions

The beauty of cloud based systems is that things like security, software updates, system upgrades and data backups can now be handled offsite by organizations that have core competencies in these areas.
The amount of support the cloud provider gives your organization depends on on the type of cloud service provider they are, Software as a Service(SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS).
Software as a Service (SaaS): The customer accesses applications controlled by the Cloud Provider. These applications run within a cloud infrastructure. The customer does not control application capabilities, servers, operating systems, storage, network or underlying cloud infrastructure. In this model, the customer has the least amount of flexibility and control of the cloud environment. On the other hand, security is integrated at a high level because the cloud service provider is responsible for everything. would be a good example of this SPI Model.
Platform as a Service (PaaS): The Cloud Provider grants customers the ability to deploy customer created applications or purchased applications onto the cloud. The customer does not control servers, operating systems, storage, network or underlying cloud infrastructure. However, the customer can deploy their own applications. This model gives the customer more control over their cloud platform than the SaaS model. There are fewer pre-built features for the customer. The customer can add additional layers of security.
Infrastructure as a Service (IaaS): The customer can deploy software, including applications and operating systems. The customer has control over operating systems, storage, and applications. The customer does not have control of the underlying cloud infrastructure. The customer has a great deal of latitude about how the operating system and applications are configured. Because of this, the customer bears a much greater share of responsibility for managing the security of their platform. Amazon’s AWS EC2 offering is an example of this model.
Whatever cloud based model your organization uses, the IT team can focus on supporting core aspects of your business.
The downside to cloud based ERP systems is that you are relying on another organization to guard your data. If an organization is planning on moving to a cloud based system, it’s very important that Service Level Agreements and assurances are worked out ahead of time.