QuickBooks Audit Trail: Leveraging This Tool to Expose the Footprints of a Fraudster

Employers, if you use QuickBooks for your company’s accounting needs, you have a built-in tool for fraud prevention and detection at no additional cost to you: the QuickBooks Audit Trail.

What Is It?

If you’re operating a software version of QuickBooks, you have the capability to run a built-in report called the Audit Trail.  (For QuickBooks Online users, this report is called the Activity Log.)  The Audit Trail lists each accounting transaction and any additions, deletions, or modifications affecting the accounting integrity of the transaction.

What Does It Capture?

The Audit Trail captures each transaction as it is initially entered into QuickBooks and certain subsequent changes made to the transactions.  The Audit Trail may pick up changes to the following QuickBooks fields:

  • Transaction Date
  • Transaction Type
  • Account
  • Vendor/Customer Name
  • Amount
  • Quantity
  • Price

Additionally, the Audit Trail portrays the User ID under which the entry, deletion, or modification was made.  (This is only as valuable as you allow it to be.  See #3 in “What Steps Should I Take?”)

Is It Easy to Use? Yes!  This report comes standard with QuickBooks – it’s already built for you in the QuickBooks ReportCenter.  Just click a button to run the report.  And it couldn’t be simpler to read:

  • The Audit Report is grouped by unique transaction numbers.  It includes the initial entry of each transaction and any subsequent changes to that transaction.
  • When a transaction is modified or deleted, a “Prior” entry displays in system date/time order.
  • Specific changes to each transaction are in bold so that you can easily determine the differences from the prior version of the transaction.

So, I Can Use It to Prevent and Detect Fraud?

Definitely.  The QuickBooks Audit Trail is a powerful resource, and it’s right at your fingertips.  At Forensic Strategic Solutions (FSS), we frequently encounter instances in which the fraudster has used QuickBooks to conceal his or her embezzlement. But the footprints exist, and the Audit Trail exposes them.

Transactions that have been modified, unauthorized, deleted, reclassified, and reversed: these are what FSS President Ralph Summerford identifies in his March 2012 blog post as “anomalies” indicative of fraud.  The Audit Trail is the first report we run when examining QuickBooks files for potential fraud – it’s that valuable!

What Steps Should I Take?

As an employer, there are four simple steps you can take to be sure you leverage the capabilities of the Audit Trail to reveal the footprints of fraud:

  1. Enable It – In versions of QuickBooks prior to 2006, you have the option to disable the Audit Trail.  Later versions no longer have this option.  If you are operating on an earlier version, be sure the Audit Trail is enabled.
  2. Control It – Restrict QuickBooks user access so that no user has more rights than their job requires.
  3. Secure It – Enforce strict username and password security measures.  Each user should have a unique username, and passwords should not be shared.  Otherwise, the Audit Trail’s capability to track user activity is rendered useless!
  4. Monitor It – Periodically run the Audit Trail report to see what entries are being entered, changed, or deleted.  QuickBooks allows for reports to be easily exported to Microsoft Excel if you prefer to work with them in this format.

Now that you know about the usefulness of the Audit Trail, don’t let it go to waste!  It may just uncover some footprints…

Computer Forensics v. E-Discovery: What Every Expert Should Know

Increasingly, the answers to the most fundamental litigation questions – the “who, what, where, when, and why” – are contained in electronically stored information (ESI), which can be retrieved through electronic discovery (e-discovery) and/or computer forensics.

Before you get to that crucial step, however, you need to understand both the applications and parameters of e-discovery and computer forensics as it can be critical to the outcomes of litigated matters.

E-Discovery and Computer Forensics

The primary focus of standard e-discovery is the collection of active data and metadata from multiple hard drives and other storage media.  Litigation can be supported by active data (information readily available to the user, such as e-mail, electronic calendars, word processing files, and databases), or by metadata (that which tells us about the document’s author, time of creation, source, and history).

Data collected in e-discovery can be limited; for deeper recovery, computer forensics is often used.

The goal of computer forensics is to conduct an autopsy of a computer hard drive – searching hidden folders and unallocated disk space to identify the who, what, where, when, and why from a computer. A significant amount of evidence is not readily accessible on a computer; when this occurs, a computer forensic examination is necessary.

Data Gathered by Computer Forensics

When we use computer forensics, we are typically retrieving specific, accessible, and inaccessible data, such as:

Automatically stored data: Data that is automatically stored by the computer, like with an automated backup. A file that has been purged from a server may still exist as a copy on the user’s hard drive.

Deleted files: “Deleted” but not destroyed. Deleted data can remain on a hard drive until it is overwritten or wiped.

Residual or “ghost” data: Data that remains recoverable from a computer system, but isn’t readily accessible, such as deleted files or file fragments.

System data: An electronic trail of activity on a computer or network.

Wiping software: If wiping software has been used, it can be detected with computer forensic software.

Preservation of the original evidence is critical.  Creating a mirror image of the storage device produces an exact replica, bit for bit, of the original device that allows investigation of past use without alteration of the evidence.

The Court’s View of Computer Forensics

In the last decade, it has become common for the courts to enter an order requiring the mirror imaging of hard drives and peripheral devises that could contain responsive and relevant evidence to an opposing party’s request for production. See, e.g., Communications Center, Inc. v. Hewitt, 2005 WL 3277983 (E.D. Cal, April 5, 2005).

However, computer forensics and mirror imaging have been constrained by the courts to avoid overly broad and intrusive measures without sufficient justification. In McMurdy Group v. American Biomedical Group, Inc. 9 Fed. Appx. 822, 2001 WL 536974 (10th Cir. 2001), the Court of Appeals found that mere skepticism alone of a party’s will to produce copies of relevant and non-privileged documentation isn’t sufficient to warrant computer forensics.

Courts have found, though, that reasonable conclusions about the potential whereabouts of relevant evidence can be justification for computer forensics. In Balboa Threadworks, Inc. v. Stucky, No. 05-1157-JTM-DWB, 2006 U.S. Dist. LEXIS 29265, 2006 WL 763668 (D. Kan. Mar. 24, 2006), the court ruled that computer forensics recovery was “particularly important” in this copyright infringement case because of the use of computers to allegedly download copyrighted material. Even though one defendant claimed that his computers were not used for the benefit of the business, the use of said computers to draft a document pertaining to infringement was reason enough to find evidence on any of the computers in question.

To avoid the denial of a request, it helps to create specific and limited requests. See e.g., Rowe Entertainment v. William Morris Agency, 205 F.R.D. 421, 427-28, 432-33 (S.D.N.Y. 2002), or Simon Property Group L.P. v. mySimon, Inc., 194 F.R.D. 639, 641 (S.D. Ind. 2000).

The Bottom Line

Computer forensics and e-discovery are both valuable ways to retrieve ESI, and countless cases have been critically bolstered by the ESI gathered in the course of an investigation and discovery process.

Because the discovery of ESI can easily become overly broad and intrusive, one must have a clear understanding of the issues when considering the deep-dive approach that computer forensics requires.

For more information, reference my article in “Dunn on Damages” from the Fall 2012 issue: Click here.