AIS Chapter 4 Fraud and Abuses
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 1 of 175
INTRODUCTION
Threats of IS
• Companies face four types of threats to their information systems:
– Natural and political disasters
– Software errors and equipment malfunction
– Unintentional acts
– Intentional acts (computer crime)
• Natural and political disasters include:
– Fire or excessive heat
– Floods
– Earthquakes
– High winds
– War and terrorist attack
• When a natural or political disaster strikes, many companies can be affected at the same time.
– Example: Bombing of the World Trade Center in NYC.
• Software errors and equipment malfunction include:
– Hardware or software failures
– Software errors or bugs
– Operating system crashes
– Power outages and fluctuations
– Undetected data transmission errors
• Estimated annual economic losses due to software bugs = $60 billion.
• 60% of companies studied had significant software errors in previous year.
• Unintentional acts include:
– Accidents caused by human carelessness, failure to follow established procedures, or poorly trained or supervised personnel
– Innocent errors or omissions
– Lost, destroyed, or misplaced data
• Information Systems Security Assn. estimates 65% of security problems are caused by human error.
• Intentional acts (computer crime) include:
– Computer fraud
– Misrepresentation, false use, or unauthorized disclosure of data
– Misappropriation of assets
– Financial statement fraud
THE FRAUD PROCESS
• Since fraudsters don’t make journal entries to
record their frauds, we can only estimate the
amount of losses caused by fraudulent acts:
– The Association of Certified Fraud Examiners (ACFE)
estimates that total fraud losses in the U.S. run
around 6% of annual revenues or approximately $660
billion in 2004.
• More than we spend on education and roads in a year.
• 6 times what we pay for the criminal justice system.
– Income tax fraud (the difference between what
taxpayers owe and what they pay to the government)
is estimated to be over $200 billion per year.
– Fraud in the healthcare industry is estimated to
exceed $100 billion a year.
• Fraud against companies may be committed by
an employee or an external party.
– Former and current employees (called
knowledgeable insiders) are much more likely than
non-employees to perpetrate frauds (and big ones)
against companies.
• Largely owing to their understanding of the company’s
systems and its weaknesses, which enables them to commit
the fraud and cover their tracks.
– Organizations must utilize controls to make it difficult
for both insiders and outsiders to steal from the
company.
• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
– Understand fraud
– Discuss the risks of material fraudulent misstatements
– Obtain information
• The audit team must gather evidence about the existence of fraud by looking for fraud risk factors; testing company records; and asking management, the audit committee, and others if they know of any past or current fraud or of fraud risks the organization faces.
• Special care needs to be exercised in examining revenue accounts, since they are particularly popular fraud targets.
– Identify, assess, and respond to risks
– Evaluate the results of their audit tests
• Auditors must assess the risk of fraud throughout the audit.
• When the audit is complete, they must evaluate whether any identified misstatements indicate the presence of fraud.
• If so, they should determine the impact on the financial statements and the audit.
– Communicate findings
– Document their audit work
– Incorporate a technology focus
WHO COMMITS FRAUD AND WHY
• Researchers have compared the psychological and
demographic characteristics of three groups of people:
– White-collar criminals
– Violent criminals
– The general public
• They found:
– Significant differences between violent and white-collar
criminals.
– Few differences between white-collar criminals and the general
public.
The “Fraud Triangle”
Donald Cressey
[Figure: triangle with its sides labeled Pressure, Opportunity, and Rationalization]
• Pressure
– Cressey referred to this pressure as a
“perceived non-shareable need.”
– The pressure could be related to
finances, emotions, lifestyle, or some
combination.
• There are many opportunities that enable fraud.
Some of the most common are:
– Lack of internal controls
– Failure to enforce controls (the most prevalent
reason)
– Excessive trust in key employees
– Incompetent supervisory personnel
– Inattention to details
– Inadequate staff
• Fraud occurs when:
– People have perceived, non-shareable pressures;
– The opportunity gateway is left open; and
– They can rationalize their actions to reduce the moral impact in
their minds (i.e., they have low integrity).
• Fraud is much less likely to occur when
– There is low pressure, low opportunity, and high integrity.
APPROACHES TO COMPUTER FRAUD
COMPUTER FRAUD CLASSIFICATIONS
[Figure: computer fraud classifications; the labels that survive are Data Fraud and Computer Instructions Fraud]
• Input Fraud
– The simplest and most common way to commit a fraud is to alter computer input.
• Requires little computer skill.
• The perpetrator only needs to understand how the system operates.
– Can take a number of forms, including:
• Disbursement frauds: The perpetrator causes a company to pay too much for ordered goods or to pay for goods never ordered.
• Inventory frauds: The perpetrator enters data into the system to show that stolen inventory has been scrapped.
• Payroll frauds: Perpetrators may enter data to increase their salaries, create a fictitious employee, or retain a terminated employee on the records. In the latter two instances, the perpetrator intercepts and cashes the resulting paychecks.
• Cash receipt frauds: The perpetrator hides the theft by falsifying system input. EXAMPLE: Cash of $200 is received. The perpetrator records a cash receipt of $150 and pockets the $50 difference.
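A reconciliation that flags the three payroll input frauds listed above, given as an added example that is not part of the original slides. The employee IDs, amounts, dates and the `HR_MASTER` layout are constructed, and the check assumes the personnel file is maintained independently of whoever keys payroll input.

```python
from datetime import date

# Constructed sample data. HR_MASTER stands for a personnel file maintained
# independently of whoever keys payroll input (an assumption of this example).
HR_MASTER = {
    # employee_id: (approved gross pay per period in cents, termination date)
    "E100": (420000, None),
    "E101": (390000, None),
    "E102": (410000, date(2024, 3, 15)),   # left before the period began
    "E103": (405000, date(2024, 4, 10)),   # left during the period
}

PAYROLL_RUN = {
    "period_start": date(2024, 4, 1),
    "lines": [
        ("E100", 420000),
        ("E101", 465000),   # more than the approved rate
        ("E102", 410000),   # terminated employee still on the records
        ("E103", 405000),   # legitimate final paycheck
        ("E999", 380000),   # no personnel record at all
    ],
}


def review_payroll_run(run, hr_master):
    """Compare each payroll line with the HR master and return findings.

    Each finding is (employee_id, code, detail), one code per form of
    payroll input fraud named in the slides.
    """
    findings = []
    for employee_id, gross_cents in run["lines"]:
        record = hr_master.get(employee_id)
        if record is None:
            # Possible fictitious employee: paid, but HR has never heard of them.
            findings.append((employee_id, "NO_HR_RECORD",
                             "paid but absent from the personnel file"))
            continue
        approved_cents, terminated_on = record
        # A final paycheck is normal when employment ended inside the period;
        # a payment for a period that began after termination is not.
        if terminated_on is not None and terminated_on < run["period_start"]:
            findings.append((employee_id, "PAID_AFTER_TERMINATION",
                             f"terminated {terminated_on.isoformat()}"))
        # Amounts are integer cents, so the comparison is exact.
        if gross_cents > approved_cents:
            excess = (gross_cents - approved_cents) / 100
            findings.append((employee_id, "PAY_EXCEEDS_APPROVED",
                             f"{excess:.2f} over the approved amount"))
    return findings


if __name__ == "__main__":
    for employee_id, code, detail in review_payroll_run(PAYROLL_RUN, HR_MASTER):
        print(f"{employee_id}  {code:<24} {detail}")
```

The check is only as reliable as the separation between the two data sources: if the person entering payroll can also edit the personnel file, both sides of the comparison can be falsified together.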
• Processor Fraud
– Involves computer fraud committed through
unauthorized system use.
– Includes theft of computer time and services.
– Incidents could involve employees:
• Surfing the Internet;
• Using the company computer to conduct personal business;
• Data Fraud
– Involves:
• Altering or damaging a company’s data files; or
• Copying, using, or searching the data files without
authorization.
– In many cases, disgruntled employees have altered
or destroyed data files.
• Output Fraud
– Involves stealing or misusing system output.
– Output is usually displayed on a screen or printed on
paper.
– Unless properly safeguarded, screen output can
easily be read from a remote location.
– Fraud perpetrators can use computers and peripheral
devices to create counterfeit outputs.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
• Internet misinformation
• Internet terrorism
– Hackers use the Internet to disrupt electronic commerce and destroy company and individual communications.
– Viruses and worms are two main forms of Internet terrorism.
• Logic time bombs
– A program that lies idle until triggered by some circumstance or a particular time.
– Once triggered, it sabotages the system, destroying programs, data, or both.
– Usually written by disgruntled (angry or dissatisfied) programmers.
– EXAMPLE: A programmer places a logic bomb in a payroll application that will destroy all the payroll records if the programmer is terminated.
• Masquerading or impersonation
• Password cracking
• Virus
– Virus symptoms:
• Computer will not start or execute
• Performs unexpected read or write operations
• Unable to save files
• Long time to load programs
PREVENTING AND DETECTING
COMPUTER FRAUD
• Organizations must take every precaution to
protect their information systems.
• Certain measures can significantly decrease the
potential for fraud and any resulting losses.
• These measures include:
– Make fraud less likely to occur
– Increase the difficulty of committing fraud
– Improve detection methods
– Reduce fraud losses
• Make fraud less likely to occur
– Create a culture that stresses integrity and
commitment to ethical values.
– Require oversight from an active, involved, and
independent audit committee.
– Require annual employee vacations, periodically
rotate duties of key employees, and require signed
confidentiality agreements.
• Improve detection methods.
– Create an audit trail so individual transactions
can be traced through the system to the
financial statements and vice versa.
– Conduct periodic external and internal audits,
as well as special network security audits.
– Install fraud detection software.
• Reduce Fraud Losses
– Maintain adequate insurance.
– Develop comprehensive fraud contingency,
disaster recovery, and business continuity
plans.
– Store backup copies of program and data files
in a secure, off-site location.