AIS Chapter 4 Fraud and Abuses

C HAPTER 4
Computer Fraud and

Security
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 1 of 175
INTRODUCTION
• Questions to be addressed in this chapter:

– What is fraud, and how are frauds
perpetrated?
– Who perpetrates fraud and why?
– What is computer fraud, and what forms does
it take?
– What approaches and techniques are used to
commit computer fraud?
INTRODUCTION
• Information systems are becoming

increasingly more complex and society is
becoming increasingly more dependent on
these systems.
– Companies also face a growing risk of these
systems being compromised.
– Recent surveys indicate 67% of companies
suffered a security breach in the last year with
almost 60% reporting financial losses.
• Include:
Threats of IS – Fire or excessive heat
– Floods
• Companies face – Earthquakes
four types of threats – High winds
to their information – War and terrorist attack
systems:
• When a natural or political
– Natural and political disaster strikes, many companies
can be affected at the same time.
– disasters – Example: Bombing of the
World Trade Center in NYC.
• Include:
– Hardware or software
INTRODUCTION failures
– Software errors or bugs
– Operating system
• Companies face four types of threats
crashes
• to their information systems:
– Natural and political disasters
– Power outages and
– Software errors and equipment fluctuations
malfunction – Undetected data
transmission errors
• Estimated annual economic
losses due to software
bugs = $60 billion.
• 60% of companies studied
had significant software
errors in previous year.
INTRODUCTION
• Include
• Companies face four types of threats to their information
– Accidents causedsystems:
by:
– Natural and political
• Human carelessness
disasters
– Software errors and • Failure to follow established
equipment malfunction procedures
– Unintentional acts • Poorly trained or supervised
personnel
– Innocent errors or omissions
– Lost, destroyed, or misplaced data
• Information Systems Security Assn.
estimates 65% of security problems are
caused by human error.
INTRODUCTION
• Include:
– Computer fraud
• Companies face four
– Misrepresentation, false use, or
•
unauthorized disclosure of data
types of threats to their
• information systems: – Misappropriation of assets
– Natural and political disasters – Financial statement fraud
– Software errors and equipment malfunction
– Unintentional acts
– Intentional acts
(computer crime)
INTRODUCTION
• In this chapter we’ll discuss:

– The fraud process
– Why fraud occurs
– Approaches to computer fraud
– Specific techniques used to commit computer
fraud
– Ways companies can deter and detect
computer fraud
INTRODUCTION

fraud
computer fraud
THE FRAUD PROCESS
• Fraud is any and all means a person uses to

gain an unfair advantage over another person.
• In most cases, to be considered fraudulent, an
act must involve:
– A false statement (oral or in writing)
– About a material fact
– A victim relies on the statement
– And suffers injury or loss as a result
THE FRAUD PROCESS
• Since fraudsters don’t make journal entries to
record their frauds, we can only estimate the
amount of losses caused by fraudulent acts:
– The Association of Certified Fraud Examiners (ACFE)
estimates that total fraud losses in the U.S. run
around 6% of annual revenues or approximately $660
billion in 2004.
• More than we spend on education and roads in a year.
• 6 times what we pay for the criminal justice system.
– Income tax fraud (the difference between what
taxpayers owe and what they pay to the government)
is estimated to be over $200 billion per year.
– Fraud in the healthcare industry is estimated to
exceed $100 billion a year.
THE FRAUD PROCESS
• Fraud against companies may be committed by
an employee or an external party.
– Former and current employees (called
knowledgeable insiders) are much more likely than
non-employees to perpetrate frauds (and big ones)
against companies.
• Largely owing to their understanding of the company’s
systems and its weaknesses, which enables them to commit
the fraud and cover their tracks.
– Organizations must utilize controls to make it difficult
for both insiders and outsiders to steal from the
company.
THE FRAUD PROCESS
• Fraud perpetrators are often referred to as

white-collar criminals.
.
THE FRAUD PROCESS
• Three types of occupational fraud:

– Misappropriation of assets
• Involves theft, or misuse of company assets for
personal gain.
• Examples include billing schemes, check
tampering,and theft of inventory.
• In the 2004 Report to the Nation on Occupational
Fraud and Abuse, 92.7% of occupational frauds
involved asset misappropriation at a median cost
of $93,000.
THE FRAUD PROCESS

– Corruption
• Corruption involves the wrongful use of a
position, contrary to the responsibilities of
that position, to procure a benefit.
THE FRAUD PROCESS

– Corruption
– Fraudulent statements
• Financial statements can be misstated
• About 7.9% of occupational frauds involve fraudulent statements at a
median cost of $1 million
THE FRAUD PROCESS
• Common approaches to “cooking the

books” include:
– Recording fictitious revenues
– Recording revenues prematurely
– Recording expenses in later periods
– Overstating inventories or fixed assets
– Concealing losses and liabilities
THE FRAUD PROCESS
• The Auditor’s Responsibility to Detect

Fraud
auditor’s responsibility to detect fraud.
THE FRAUD PROCESS
– Understand fraud
• Auditors can’t effectively audit something they don’t

understand.
• also indicated that auditors are not lawyers and “do not make
legal determinations of whether fraud has occurred.”
• The external auditor’s interest specifically relates to acts that
result in a material misstatement of the financial statements.
• Internal auditors will have a more extensive interest in fraud
than just those that impact financial statements.
THE FRAUD PROCESS
– Discuss the risks of material fraudulent
misstatements
• While planning the audit, members of the audit team

should discuss how and where the company’s financial
statements might be susceptible to fraud.
• The audit team must gather evidence about the existence of fraud
by: THE FRAUD PROCESS
– Looking for fraud risk factors
– Testing company records
• A –revision to SAS-82, SAS-99, was issued in
Asking management, the audit committee, and others if they
December 2002.
know of any past orSAS-99 requires
current fraud auditors
or of fraud to:
risks the
– Understand
organizationfraud
faces.
• –Special carethe
Discuss needs to of
risks bematerial
exercisedfraudulent
in examining revenue
misstatements
accounts, since they are particularly popular fraud targets.
– Obtain information
THE FRAUD PROCESS
• A revision to SAS-82, SAS-99, was issued in
• Auditors must assess the risk of fraud throughout the
December
audit. 2002. SAS-99 requires auditors to:
– Understand
• When thefraud
audit is complete, they must evaluate whether
– Discuss the risksmisstatements
any identified of material fraudulent misstatements
indicate the presence of
fraud.
• If so, they should determine the impact on the financial
– Identify, assess,
statements andand
the respond
audit. to risks
– Evaluate the results of their audit tests
THE FRAUD PROCESS
December 2002. SAS-99 requires auditors to:
– Discuss the risks of material fraudulent misstatements
– Identify, assess, and respond to risks
– Communicate findings
• Auditors communicate their fraud

findings to management, the audit
committee, and others.
THE FRAUD PROCESS
– Document their audit work
• Auditors must document their

compliance with SAS-99 requirements.
THE FRAUD PROCESS
– Document their audit work
– Incorporate a technology focus
INTRODUCTION

fraud
computer fraud
WHO COMMITS FRAUD AND WHY
• Researchers have compared the psychological and
demographic characteristics of three groups of people:
– White-collar criminals
– Violent criminals
– The general public
• They found:
– Significant differences between violent and white-collar
criminals.
– Few differences between white-collar criminals and the general
public.
• White-collar criminals tend to mirror the general

public in:
– Education
– Age
– Religion
– Marriage
– Length of employment
– Psychological makeup
The “Fraud Triangle”
Donald Cressey
Op
r e
su
po
es
r tu
Pr
ni
ty
Rationalization
Donald Cressey
Op
re
su
po
es
r tu
Pr
ni
ty
Rationalization
• Pressure
– Cressey referred to this pressure as a
“perceived non-shareable need.”
– The pressure could be related to
finances, emotions, lifestyle, or some
combination.
• The most common pressures were:

- Not being able to pay one’s debts, nor admit it to
one’s employer, family, or friends (which makes
in non-shareable)
• May be associated with vices, such
as drugs, gambling, mistresses, etc.

one’s employer, family, or friends (which makes in
non-shareable)
- Fear of loss of status because of a personal
failure • Example would be mismanagement of
a personal investment or retirement
fund.

non-shareable)
- Fear of loss of status because of a personal failure
- Business reversals
- Status gaining

non-shareable)
- Fear of loss of status because of a personal failure
- Business reversals
• May create pressure to get revenge,
- Physical isolation take the money you feel is rightfully
owed to you, etc.
- Status gaining
- Difficulties in employer-employee relations
Donald Cressey
Op
r e
su
po
es
r tu
Pr
ni
ty
Rationalization
• There are many opportunities that enable fraud.
Some of the most common are:
– Lack of internal controls
– Failure to enforce controls (the most prevalent
reason)
– Excessive trust in key employees
– Incompetent supervisory personnel
– Inattention to details
– Inadequate staff
Opportunities
Opportunities
Donald Cressey
Op
r e
su
po
es
r tu
Pr
ni
ty
Rationalization
• How many people do you know who regard

themselves as being unprincipled or sleazy?
• It is important to understand that fraudsters do
not regard themselves as unprincipled.
– In general, they regard themselves as highly
principled individuals.
– That view of themselves is important to them.
– The only way they can commit their frauds and
maintain their self image as principled individuals is to
create rationalizations that recast their actions as
“morally acceptable” behaviors.
• Fraud occurs when:
– People have perceived, non-shareable pressures;
– The opportunity gateway is left open; and
– They can rationalize their actions to reduce the moral impact in
their minds (i.e., they have low integrity).
• Fraud is much less likely to occur when
– There is low pressure, low opportunity, and high integrity.
INTRODUCTION

fraud
computer fraud
APPROACHES TO COMPUTER FRAUD
• The U.S. Department of Justice defines

computer fraud as any illegal act for
which knowledge of computer technology
is essential for its:
– Perpetration; (to bring about or carry out
(something, such as a crime or deception
– Investigation; or Prosecution.
• Economic espionage, the theft of

information and intellectual property, is
growing especially fast.
• This growth has led to the need for
investigative specialists or cybersleuths.
• Computer Fraud Classification

– Frauds can be categorized according to the
data processing model:
• Input
• Processor
• Computer instructions
• Stored data
• Output
COMPUTER FRAUD CLASSIFICATIONS
Data
Fraud
Input Processor Output

Fraud Fraud Fraud
Computer
Instructions
Fraud
Data
Fraud

Fraud Fraud Fraud
Computer
Instructions
Fraud
• Input Fraud
– The simplest and most common way to commit a fraud is to alter
computer input.
• Requires little computer skills.
• Perpetrator only need to understand how the system
operates
– Can take a number of forms, including:
• Disbursement frauds
• The perpetrator causes a company to:
– Pay too much for ordered goods; or
– Pay for goods never ordered.
• Input Fraud
computer input.
operates
– Can take a number of forms, including:
• Disbursement frauds
• Inventory frauds
• The perpetrator enters data into the system to
show that stolen inventory has been scrapped.
• Input Fraud
computer input.
• Perpetrators
• Requires little computer may enter data to:
skills.
– Increase
• Perpetrator only needtheir salaries how the system
to understand
operates – Create a fictitious employee
– Can take a number
– Retain of forms, including:
a terminated employee on the records.
• Disbursement
• In the frauds
latter two instances, the perpetrator
• Inventoryintercepts
frauds and cashes the resulting paychecks.
• Payroll frauds
• Input Fraud
computer input.
operates
• The perpetrator hides the theft by falsifying
– Can take a number
system of forms, including:
input.
• Disbursement
• EXAMPLE: frauds Cash of $200 is received. The
• Inventoryperpetrator
frauds records a cash receipt of $150 and
pockets the $50 difference.
• Payroll frauds
• Cash receipt frauds
Data
Fraud

Fraud Fraud Fraud
Computer
Instructions
Fraud
• Processor Fraud
– Involves computer fraud committed through
unauthorized system use.
– Includes theft of computer time and services.
– Incidents could involve employees:
• Surfing the Internet;
• Using the company computer to conduct personal business;
Data
Fraud

Fraud Fraud Fraud
Computer
Instructions
Fraud
• Computer Instructions Fraud

– Involves tampering with the software that
processes company data.
– May include:
• Modifying the software
• Making illegal copies
• Using it in an unauthorized manner
– Also might include developing a software
program or module to carry out an
unauthorized activity.
Data
Fraud

Fraud Fraud Fraud
Computer
Instructions
Fraud
• Data Fraud
– Involves:
• Altering or damaging a company’s data files; or
• Copying, using, or searching the data files without
authorization.
– In many cases, disgruntled employees have altered,
or destroyed data files.
Data
Fraud

Fraud Fraud Fraud
Computer
Instructions
Fraud
• Output Fraud
– Involves stealing or misusing system output.
– Output is usually displayed on a screen or printed on
paper.
– Unless properly safeguarded, screen output can
easily be read from a remote location
– Fraud perpetrators can use computers and peripheral
devices to create counterfeit outputs.
COMPUTER FRAUD AND ABUSE
TECHNIQUES
 Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
 Internet misinformation
 Internet terrorism
• Hackers use the Internet to disrupt electronic commerce and
destroy company and individual communications.
• Viruses and worms are two main forms of Internet terrorism.
TECHNIQUES
 Logic time bombs
• A program that lies idle until triggered by some circumstance or a
particular time.
• Once triggered, it sabotages/destroying the system, destroying
programs, data, or both.
• Usually written by disgruntled (angry or dissatisfied) programmers.
• EXAMPLE: A programmer places a logic bomb in a payroll
application that will destroy all the payroll records if the
programmer is terminated.
TECHNIQUES
 Logic time bombs
 Masquerading or impersonation
 Password cracking
• An intruder penetrates a system’s defenses, steals the file of valid

passwords, decrypts them, and then uses them to gain access to
almost any system resources.
TECHNIQUES
 Virus
TECHNIQUES
computer fraud and symptoms:
• Virus abuse. These include:
 Virus – Computer will not start or
execute
– Performs unexpected read or
write operations
– Unable to save files
– Long time to load programs
INTRODUCTION

fraud
computer fraud
PREVENTING AND DETECTING
COMPUTER FRAUD
• Organizations must take every precaution to
protect their information systems.
• Certain measures can significantly decrease the
potential for fraud and any resulting losses.
• These measures include:
– Make fraud less likely to occur
– Increase the difficulty of committing fraud
– Improve detection methods
– Reduce fraud losses
COMPUTER FRAUD
COMPUTER FRAUD
• Make fraud less likely to occur
– Create a culture that stresses integrity and
commitment to ethical values.
– Require oversight from an active, involved, and
independent audit committee.
– . Require annual employee vacations, periodically
rotate duties of key employees, and require signed
confidentiality agreements.
COMPUTER FRAUD
COMPUTER FRAUD
COMPUTER FRAUD
• Improve detection methods.
– Create an audit trail so individual transactions
can be traced through the system to the
financial statements and vice versa.
– Conduct periodic external and internal audits,
as well as special network security audits.
– Install fraud detection software.
COMPUTER FRAUD
COMPUTER FRAUD
• Reduce Fraud Losses
– Maintain adequate insurance.
– Develop comprehensive fraud contingency,
disaster recovery, and business continuity
plans.
– Store backup copies of program and data files
in a secure, off-site location.
Thank you

AIS Chapter 4 Fraud and Abuses

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AIS Chapter 4 Fraud and Abuses

Uploaded by

Copyright:

Available Formats

C HAPTER 4

Computer Fraud and

• Questions to be addressed in this chapter:

• Information systems are becoming

• In this chapter we’ll discuss:

• In this chapter we’ll discuss:

• Fraud is any and all means a person uses to

• Fraud perpetrators are often referred to as

• Three types of occupational fraud:

• Three types of occupational fraud:

• Three types of occupational fraud:

• Common approaches to “cooking the

• The Auditor’s Responsibility to Detect

• Auditors can’t effectively audit something they don’t

• While planning the audit, members of the audit team

• Auditors communicate their fraud

• Auditors must document their

• In this chapter we’ll discuss:

• White-collar criminals tend to mirror the general

• The most common pressures were:

• The most common pressures were:

• The most common pressures were:

• The most common pressures were:

• How many people do you know who regard

• In this chapter we’ll discuss:

• The U.S. Department of Justice defines

• Economic espionage, the theft of

• Computer Fraud Classification

Input Processor Output

Input Processor Output

Input Processor Output

Input Processor Output

• Computer Instructions Fraud

Input Processor Output

Input Processor Output

• An intruder penetrates a system’s defenses, steals the file of valid

• In this chapter we’ll discuss:

You might also like