How Forensic Accountants Partner with Cybersecurity Teams When a Data Breach Occurs

Uncovering one of the most famous hacking episodes in history started with a $0.75 cent accounting discrepancy.

In 1986, a remote user of a minicomputer at the Lawrence Berkeley National Laboratory used up 9 seconds of processing time. Each department and outside user of the timeshare system was billed by the second for computer time, but for some reason, the accounting system couldn’t link that particular 9 seconds—and the associated $0.75 charge—to any known user account.

It was a mystery that a junior system administrator at the lab was assigned to solve. Not imagining it was anything more than a glitch in the bookkeeping, Clifford Stoll (an astronomer, not an accountant or even a computer administrator by training) dove headfirst into a trail of numbers that eventually lead to a West German national working as a hacker for Soviet intelligence agencies who had happened to pass through the National Library in his hunt for military secrets.

The hunt for the now-infamous Cuckoo’s Egg hacker as he would come to be known wasn’t performed by forensic accountants, but it did foreshadow the importance of accounting in cybersecurity investigations. Today, forensic accountants are some of the first people who get the call when malicious intrusion is suspected in a computer network.

In A World of Ones and Zeroes, Forensic Accountants Make the Numbers Add Up

Everyone knows that the world of accounting has been permanently and drastically changed by the introduction of information technology. The humble spreadsheet, when introduced in the 1980s, did more to revolutionize the field than any technological breakthrough since cuneiform impressions of sales and inventory records were first pressed into clay tablets in protoliterate Mesopotamia.

But technology has impacted accounting in other ways that aren’t either as beneficial or as clear-cut. One of those ways is how it has dramatically affected the role and tasks of forensic accountants.

For Forensic Accountants, An Old Role Becomes Prominent Again

Forensic accountants have had a role in fraud investigation and law enforcement stretching back long before the investigation of computer crime. For all that Al Capone had his hands deep into murder, extortion, and smuggling rackets, few people remember that it was tax evasion that brought him down. The G-men who investigated the case were former accountants.

Today, forensic accounting takes a lot more than a head for numbers and a knowledge of GAAP. You have to understand how the ones and zeros that store all those numbers flow through the processors and storage systems that hold them, and be able to visualize how that data could be manipulated through backdoors.

Although forensic accountants are not directly responsible for security, they provide an important service to investigators attempting to unravel the complicated steps that lead to a data breach. They may be asked to verify that the information within breached systems has not been tainted. Hackers sometimes attempt to cover their tracks by altering logs and other records.

Forensic accountants also play an important part when the inevitable lawsuits over fiduciary breaches start to roll in in the wake of a cybersecurity incident. Determining damages is a notoriously difficult part of accountability in cybersecurity cases. When virtual goods and services are taken or disrupted, it takes some serious calculating to establish plausible harm to real-world bank accountants.

By investigating historical numbers and tying them together, forensic accountants can help legal teams figure out losses and justify or dispute them in court.

Forensic Accounting Investigations For the Purpose of Cybersecurity Requires New Tools and Techniques

Forensic accounting differs from standard auditing in that there’s a presumption of malfeasance. It’s the job of the forensic accountant to prove that the numbers must be accurate, not that they might plausibly be so. This requires a deep dive into source data—nothing is taken on faith.

Most major accountancy firms today recognize the importance of this specialty area by incorporating dedicated cybersecurity teams. Their role is to recognize the implications introduced into accounting systems and processes by the technology used to manage them.

This means that forensic accountants require a special set of skills over and above the usual. Some of them may be exactly what you expect, while others may be a little surprising:

  • Data systems design and use– Modern accounting systems are rooted in database technologies. Forensic accountants often have to understand the underpinnings of these systems to account for the information stored in them.
  • Programming– Not all forensic accountants need formal training in coding, but most will find it useful to have an understanding of the rules and logic of programming languages.
  • Interviewing– Investigations involve more than just going over numbers. Forensic accountants often interview subjects in the course of investigations and have to be skilled at getting answers to their questions.
  • Writing and communication– Reports and documentation are an important part of the job, and they’ll be viewed by non-accountants, which means that clarity and precision are at a premium.
  • Creativity– Sometimes, understanding how an accounting system has been breached or manipulated requires a conceptual leap. The best forensic accountants, like other types of investigators, need to be able to think outside the box to crack cases.

It’s also common for forensic accounting positions to require applicants have a clean criminal record. Working with sensitive investigations and data means former felons need not apply.

As more and more accounting processes move onto networked computers, there will unfortunately be more and more demand for forensic accounting services in cybersecurity.

Not only will the demand increase, but so will the complexity of the investigations. As blockchain and other novel technologies become more commonly adopted, the gap between cybersecurity specialist and forensic accountants will shrink even further.