CH 5 COMPUTER FRAUD

AIS THREAT
 Natural and political disasters – as fires, floods, earthquakes, hurricanes, tornadoes, blizzards, wars, and attacks
by terrorists—can destroy an information system and cause many companies to fail
 Software errors and equipment malfunctions - Software errors, operating system crashes, hardware failures,
power outages and fluctuations, and undetected data transmission errors
 Unintentional acts - accidents or innocent errors
and omissions, is the greatest risk to information
systems
- caused by human carelessness, failure to
follow established procedures, and poorly
trained or supervised personnel.
 intentional act - a computer crime, a fraud, or
sabotage
 deliberate destruction or harm to a system.
 sabotage - An intentional act where the intent is
to destroy a system or some of its components.

cookie - A text file created by a Web site and stored on a visitor’s hard drive. Cookies store information about who the
user is and what the user has done on the site

Fraud - Any and all means a person uses to gain an unfair advantage over another person.
 Legally, for an act to be fraudulent there must be:
1. A false statement, representation, or disclosure
2. A material fact, which is something that induces a person to act
3. An intent to deceive
4. A justifiable reliance; that is, the person relies on the misrepresentation to take an action
5. An injury or loss suffered by the victim

white-collar criminals – Fraud perpetrators are often referred as

 businesspeople who commit fraud.
 usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.
 Most fraud perpetrators are knowledgeable insiders with the requisite access, skills, and resources

corruption - Dishonest conduct by those in power which often involves actions that are illegitimate, immoral, or
incompatible with ethical standards.
 Examples include bribery and bid rigging

investment fraud - Misrepresenting or leaving out facts in order to promote an investment that promises fantastic
profits with little or no risk.
 Examples: Ponzi schemes and securities fraud

Two types of frauds that are important to businesses are:

1. misappropriation of assets - sometimes called employee fraud
- theft of company assets by employees
The most significant contributing factor in most misappropriations is the absence of internal controls and/or
the failure to enforce existing internal controls.
The perpetrator:
 Gains the trust or confidence of the entity being defrauded.
 Uses trickery, cunning, or false or misleading information to commit fraud.
 Conceals the fraud by falsifying records or other information.
 Rarely terminates the fraud voluntarily.
 Sees how easy it is to get extra money; need or greed impels the person to continue.
 Some frauds are self-perpetuating; if perpetrators stop, their actions are discovered.
 Spends the ill-gotten gains.

2. fraudulent financial reporting - sometimes called management fraud

- intentional or reckless conduct, whether by act or omission, that results in
materially misleading financial statements - National Commission on
Fraudulent Financial Reporting (the Treadway Commission)
- most frequent “cook the books” schemes involve fictitiously inflating revenues,
holding the books open (recognizing revenues before they are earned), closing the
 books early (delaying current expenses to a later period), overstating inventories
or fixed assets, and concealing losses and liabilities

The Treadway Commission recommended four actions to reduce fraudulent financial reporting:
1. Establish an organizational environment that contributes to the integrity of the financial reporting process.
2. Identify and understand the factors that lead to fraudulent financial reporting.
3. Assess the risk of fraudulent financial reporting within the company.
4. Design and implement internal controls to provide reasonable assurance of preventing fraudulent financial
reporting.

SAS No. 99: The Auditor’s Responsibility to Detect Fraud

 Understand fraud.
 Discuss the risks of material fraudulent misstatements.
 Obtain information. The audit team gathers evidence by looking for fraud risk factors; testing company records;
and asking management, the audit committee of the board of directors, and others whether they know of past or
current fraud.
 Identify, assess, and respond to risks. The evidence is used to identify, assess, and respond to fraud risks by
varying the nature, timing, and extent of audit procedures and by evaluating carefully the risk of management
overriding internal controls
 Evaluate the results of their audit tests. Auditors must evaluate whether identified misstatements indicate the
presence of fraud and determine its impact on the financial statements and the audit.
 Document and communicate findings. Auditors must document and communicate their findings to management
and the audit committee.
 Incorporate a technology focus.

WHO PERPETRATES FRAUD AND WHY

 disgruntled and unhappy with their jobs and seek revenge against employers
1. Most have no previous criminal record; they were honest, valued, and respected members of their community.
 Typically, younger and possess more computer experience and skills
o motivated by curiosity, a quest for knowledge, the desire to learn how things work, and the challenge of
beating the system. S
o view their actions as a game rather than as dishonest behavior.
o to gain stature in the hacking community
 more predatory in nature and seek to turn their actions into money
o blue-collar criminals that look to prey on others by robbing them.
o use a computer instead of a gun
 first-time fraud perpetrators that are not caught, or that are caught but not prosecuted, move from being
“unintentional” fraudsters to “serial” fraudsters.
 Malicious software – a big business and a huge profit engine for the criminal underground
o sell data to spammers, organized crime, hackers, and the intelligence community.
o market malware, such as virus-producing software, to others.
 Cyber-criminals are a top FBI priority because they have moved from isolated and uncoordinated attacks to
organized fraud schemes targeted at specific individuals and businesses.
o use online payment companies to launder their ill-gotten gains.
o To hide their money, they take advantage of the lack of coordination between international law
enforcement organizations

The Fraud Triangle

 three conditions are present when fraud occurs: a pressure, an opportunity, and a rationalization.
 pressure - A person’s incentive or motivation
for committing fraud.
1. Financial
2. Emotional
Challenge of “beating the system” or
subverting system controls and
breaking into a system
3. LIFESTYLE
  Opportunities - The condition or situation that allows a person or organization to commit and conceal a
dishonest act and convert it to personal gain
 allows a perpetrator to do three things:
1. Commit the fraud.
 The theft of assets - most common type of misappropriation.
 fraudulent financial reporting - Most instances involve overstatements of assets or
revenues, understatements of liabilities, or failures to disclose information
2. Conceal the fraud.
 Lapping – Concealing the theft of cash by means of a series of delays in posting collections
to accounts receivable assets
 Kiting –Creating cash using the lag between the time a check is deposited and the time it
clears the bank.
3. Convert the theft or misrepresentation to personal gain.
 fraud perpetrators who do not steal cash or use the stolen assets personally must convert them
to a spendable form.
 Many opportunities are the result of a deficient
system of internal controls
 Companies who do not perform a background
check on potential employees risk hiring a “phantom
controller.” (a fraud employee)
 Other factors provide an opportunity to commit and
conceal fraud when the company has unclear
policies and procedures, fails to teach and stress
corporate honesty, and fails to prosecute those
who perpetrate fraud.
 Frauds occur when employees build mutually
beneficial personal relationships with customers or
suppliers
 Fraud can also occur when a crisis arises and
normal control procedures are ignored

rationalization - The excuse that fraud perpetrators use to justify their illegal behavior.
Forms:
 a justification (“I only took what they owed me”)
 an attitude (“The rules do not apply to me”)
 a lack of personal integrity (“Getting what I want is more
important than being honest”).
perpetrators rationalize that:
 they are not being dishonest
 that honesty is not required of them
 they value what they take more than honesty and integrity

The most frequent rationalizations include the following:

 I am only “borrowing” it, and I will repay my “loan.”
 You would understand if you knew how badly I needed it.
 What I did was not that serious.
 It was for a good cause (the Robin Hood syndrome: robbing the rich to give to the poor).
 In my very important position of trust, I am above the rules.
 Everyone else is doing it.
 No one will ever know.
 The company owes it to me; I am taking no more than is rightfully mine.

COMPUTER FRAUD
 Computer fraud is any fraud that requires computer technology to perpetrate it.
 Examples
 Unauthorized theft, use, access, modification, copying, or destruction of software, hardware, or data
 Theft of assets covered up by altering computer records
 Obtaining information or tangible property illegally using computers

The Rise in Computer Fraud

1. Not everyone agrees on what constitutes computer fraud.
 (e.g. online files– other people not see it as plagiarism while others prosecute wo make illegal copies)
 2. Many instances of computer fraud go undetected.
3. A high percentage of frauds is not reported.
4. Many networks are not secure.
5. Internet sites offer step-by-step instructions on how to perpetrate computer fraud and abuse
6. Law enforcement cannot keep up with the growth of computer fraud.
7. Calculating losses is difficult.

Computer Fraud Classifications

 Input Fraud - simplest and most common way to commit a computer fraud is to alter or falsify computer
input.
- It requires little skill; perpetrators need only understand how the system operates so they can cover
their tracks
- using forged or other’s numbers/code/account
 Processor Fraud - includes unauthorized system use, including the theft of
computer time and services
- employees use the system w/o permission
 Computer Instructions Fraud - includes tampering with company software,
copying software illegally, using software in an unauthorized manner, and
developing software to carry out an unauthorized activity
- used to be uncommon because it required specialized
programming knowledge.
- Today, it is more frequent because of the many web pages that
tell users how to create them
 Data Fraud - Illegally using, copying, browsing, searching, or harming company data constitute data fraud.
- employee negligence - biggest cause of data breaches
- employees are much more likely to perpetrate data fraud
- In the absence of controls, it is not hard for an employee to steal data
- Data can also be changed, damaged, destroyed, or defaced, especially by disgruntled employees
and hackers.
- Deleting files does not erase them.
 Output Fraud - Unless properly safeguarded, displayed or printed output can be stolen, copied, or misused.
- Fraud perpetrators use computers to forge authentic-looking outputs, such as a paycheck.
- A fraud perpetrator can scan a company paycheck, use desktop publishing software to erase the
payee and amount, and print fictitious paychecks.

Preventing and Detecting Fraud and Abuse

- organizations must create a climate that makes fraud less likely, increases the difficulty of committing it,
improves detection methods, and reduces the amount lost if a fraud occurs
Make Fraud Less Likely to Occur
 Create an organizational culture that stresses integrity and commitment to ethical values and competence.
 Adopt an organizational structure, management philosophy, operating style, and risk appetite that minimizes the
likelihood of fraud.
 Require oversight from an active, involved, and independent audit committee of the board of directors.
 Assign authority and responsibility for business objectives to specific departments and individuals, encourage
them to use initiative to solve problems, and hold them accountable for achieving those objectives.
 Identify the events that lead to increased fraud risk, and take steps to prevent, avoid, share, or accept that risk.
 Develop a comprehensive set of security policies to guide the design and implementation of specific control
procedures, and communicate them effectively to company employees.
 Implement human resource policies for hiring, compensating, evaluating, promoting, and discharging employees
that send
 messages about the required level of ethical behavior and integrity.
 Develop a comprehensive set of anti-fraud policies that clearly set forth the expectation for honest and ethical
behavior and explain the consequences of dishonest and fraudulent acts.
 Effectively supervise employees, including monitoring their performance and correcting their errors.
 Provide employee support programs; this provides a place for employees to turn to when they face pressures they
might be inclined to resolve by perpetrating a fraud
 Maintain open communication lines with employees, customers, suppliers, and relevant external parties (banks,
regulators, tax authorities, etc.)
 Create and implement a company code of conduct to put in writing what the company expects of its employees.
 Train employees in integrity and ethical considerations, as well as security and fraud prevention measures.
 Require annual employee vacations and signed confidentiality agreements; periodically rotate duties of key
employees.
  Implement formal and rigorous project development and acquisition controls, as well as change management
controls.
 Increase the penalty for committing fraud by prosecuting fraud perpetrators more vigorously.
Increase the Difficulty of Committing Fraud
o Develop and implement a strong system of internal controls.
o Segregate the accounting functions of authorization, recording, and custody.
o Implement a proper segregation of duties between systems functions.
o Restrict physical and remote access to system resources to authorized personnel.
o Require transactions and activities to be authorized by appropriate supervisory personnel. Have the system
authenticate the person, and their right to perform the transaction, before allowing the transaction to take place.
o Use properly designed documents and records to capture and process transactions.
o Safeguard all assets, records, and data.
o Require independent checks on performance, such as reconciliation of two independent sets of records, where
practical.
o Implement computer-based controls over data input, computer processing, data storage, data transmission, and
information output.
o Encrypt stored and transmitted data and programs to protect them from unauthorized access and use.
o When disposing of used computers, destroy the hard drive to keep criminals from mining recycled hard drives.
o Fix software vulnerabilities by installing operating system updates, as well as security and application programs
Improve Detection Methods
 Develop and implement a fraud risk assessment program that evaluates both the likelihood and the magnitude of
fraudulent activity and assesses the processes and controls that can deter and detect the potential fraud.
 Create an audit trail so individual transactions can be traced through the system to the financial statements and
financial statement data can be traced back to individual transactions.
 Conduct periodic external and internal audits, as well as special network security audits; these can be especially
helpful if
 sometimes performed on a surprise basis.
 Install fraud detection software.
 Implement a fraud hotline.
 Motivate employees to report fraud by implementing whistleblower rewards and protections for those who come
forward.
 Employ a computer security officer, computer consultants, and forensic specialists as needed.
 Monitor system activities, including computer and network security efforts, usage and error logs, and all
malicious actions.
 Use intrusion detection systems to help automate the monitoring process.
Reduce Fraud Losses
 Maintain adequate insurance.
 Develop comprehensive fraud contingency, disaster recovery, and business continuity plans.
 Store backup copies of program and data files in a secure off-site location.
 Use software to monitor system activity and recover from fraud