
Accounting information systems 11e romney steinbart chapter 05


CHAPTER 5

Computer Fraud and Abuse

• Questions to be addressed in this chapter:

  – What is fraud, and how are frauds perpetrated?
  – Who perpetrates fraud and why?
  – What is computer fraud, and what forms does it take?
  – What approaches and techniques are used to commit computer fraud?

• Information systems are becoming increasingly more complex and society is becoming increasingly more dependent on these systems.

  – Companies also face a growing risk of these systems being compromised.
  – Recent surveys indicate 67% of companies suffered a security breach in the last year with almost 60% reporting financial losses.

• Companies face four types of threats to their information systems:

  – Natural and political disasters

    • Include:
      – Fire or excessive heat
      – Floods
      – Earthquakes
      – High winds
      – War and terrorist attack

    • When a natural or political disaster strikes, many companies can be affected at the same time.
      – Example: Bombing of the World Trade Center in NY.

    • The Defense Science Board has predicted that attacks on information systems by foreign

• Companies face four types of threats to their information systems:

  – Natural and political disasters
  – Software errors and equipment malfunction

    • Estimated annual economic losses due to software bugs = $60 billion.
    • 60% of companies studied had significant software errors in previous year.

• Companies face four types of threats to their information systems:

  – Natural and political disasters
  – Software errors and equipment malfunction
  – Systems that do not meet needs or are incapable of performing intended tasks

    • Information Systems Security Assn

• Companies face four types of threats to their information systems:

  – Natural and political disasters
  – Software errors and equipment malfunction
  – Unintentional acts
  – Intentional acts (computer crime)

    • Include:
      – Sabotage
      – Computer fraud
      – Misrepresentation, false use, or unauthorized disclosure of data
      – Misappropriation of assets
      – Financial statement fraud

    • Information systems are increasingly vulnerable to these malicious attacks.

• In this chapter we’ll discuss:

  – The fraud process
  – Why fraud occurs
  – Approaches to computer fraud
  – Specific techniques used to commit computer fraud
  – Ways companies can deter and detect computer fraud


THE FRAUD PROCESS

• Fraud is any and all means a person uses to gain an unfair advantage over another person.

• In most cases, to be considered fraudulent, an act must involve:

  – A false statement (oral or in writing)
  – About a material fact
  – Knowledge that the statement was false when it was uttered (which implies an intent to deceive)
  – A victim relies on the statement
  – And suffers injury or loss as a result

• The definition is the same whether it is a criminal or civil fraud case.

  – The only difference is the burden of proof required.
    • Criminal case: beyond a reasonable doubt.
    • Civil case: preponderance of the evidence OR clear and convincing evidence.

THE FRAUD PROCESS

• Because fraudsters don’t make journal entries to record their frauds, we can only estimate the amount of losses caused by fraudulent acts:

  – The Association of Certified Fraud Examiners (ACFE) estimates that total fraud losses in the United States run around 6% of annual revenues or approximately $660 billion in 2004.
    • More than we spend on education and roads in a year.
    • Six times what we pay for the criminal justice system.
  – Income tax fraud (the difference between what taxpayers owe and what they pay to the government) is estimated to be over $200 billion per year.
  – Fraud in the healthcare industry is estimated to

THE FRAUD PROCESS

• Fraud against companies may be committed by an employee or an external party.

  – Former and current employees (called knowledgeable insiders) are much more likely than non-employees to perpetrate frauds (and big ones) against companies.
    • Largely owing to their understanding of the company’s systems and its weaknesses, which enables them to commit the fraud and cover their tracks.
  – Organizations must utilize controls to make it difficult for both insiders and outsiders to steal from the company.

THE FRAUD PROCESS

• Fraud perpetrators are often referred to as

  – Distinguishes them from violent criminals, although some white-collar crime can ultimately have violent outcomes, such as:
    • Perpetrators or their victims committing suicide.
    • Healthcare patients killed because of alteration of information, etc., that can result in their deaths.

THE FRAUD PROCESS

• Three types of occupational fraud:

  – Misappropriation of assets
    • Involves theft, embezzlement, or misuse of company assets for personal gain.
    • Examples include billing schemes, check tampering, skimming, and theft of inventory.
    • In the 2004 Report to the Nation on Occupational Fraud and Abuse, 92.7% of occupational frauds involved asset misappropriation at a median cost of $93,000.

THE FRAUD PROCESS

• Three types of occupational fraud:

  – Misappropriation of assets
  – Corruption
    • Corruption involves the wrongful use of a position, contrary to the responsibilities of that position, to procure a benefit.
    • Examples include kickback schemes and conflict of interest schemes.
    • About 30.1% of occupational frauds include corruption schemes at a median cost of $250,000.

THE FRAUD PROCESS

• Three types of occupational fraud:

  – Misappropriation of assets
  – Corruption
  – Fraudulent statements
    • Financial statement fraud involves misstating the financial condition of an entity by intentionally misstating amounts or disclosures in order to deceive users.
    • Financial statements can be misstated as a result of intentional efforts to deceive or as a result of undetected asset misappropriations that are so large that they cause misstatement.
    • About 7.9% of occupational frauds involve fraudulent statements at a

THE FRAUD PROCESS

• A typical employee fraud has a number of important elements or characteristics:

  – The fraud perpetrator must gain the trust or confidence of the person or company being defrauded in order to commit and conceal the fraud.
  – Instead of using a gun, knife, or physical force, fraudsters use weapons of deceit and misinformation.
  – Frauds tend to start as the result of a perceived need on the part of the employee and then escalate from need to greed. Most fraudsters can’t stop once they get started, and their frauds grow in size.
  – The fraudsters often grow careless or overconfident over time.
  – Fraudsters tend to spend what they steal. Very few save it.
  – In time, the sheer magnitude of the frauds may lead to detection.
  – The most significant contributing factor in most employee frauds is the absence of internal controls and/or the failure to enforce

THE FRAUD PROCESS

• The National Commission on Fraudulent Financial Reporting (aka, the Treadway Commission) defined fraudulent financial reporting as intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.

• Financial statements can be falsified to:

  – Deceive investors and creditors
  – Cause a company’s stock price to rise
  – Meet cash flow needs
  – Hide company losses and problems

THE FRAUD PROCESS

• Fraudulent financial reporting is of great concern to independent auditors, because undetected frauds lead to half of the lawsuits against auditors.

• In the case of Enron, a financial statement fraud led to the total elimination of Arthur Andersen, a premier international public accounting firm.

THE FRAUD PROCESS

• Common approaches to “cooking the books” include:

  – Recording fictitious revenues
  – Recording revenues prematurely
  – Recording expenses in later periods
  – Overstating inventories or fixed assets (WorldCom)
  – Concealing losses and liabilities

THE FRAUD PROCESS

• The Treadway Commission recommended four actions to reduce the possibility of fraudulent financial reporting:

  – Establish an organizational environment that contributes to the integrity of the financial reporting process.
  – Identify and understand the factors that lead to fraudulent financial reporting.
  – Assess the risk of fraudulent financial reporting within the company.
  – Design and implement internal controls to provide reasonable assurance that fraudulent financial reporting is prevented.

THE FRAUD PROCESS

• SAS 99: The Auditor’s Responsibility to Detect Fraud

  – In 1997, SAS-82, Consideration of Fraud in a Financial Statement Audit, was issued to clarify the auditor’s responsibility to detect fraud.

THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

  – Understand fraud
    • Auditors can’t effectively audit something they don’t understand.
    • SAS-99 also indicated that auditors are not lawyers and “do not make legal determinations of whether fraud has occurred.”
    • The external auditor’s interest specifically relates to acts that result in a material misstatement of the financial statements.
    • Note that SAS-99 relates to external auditors. Internal auditors will have a more extensive interest in fraud than just those that impact financial statements.

THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

  – Understand fraud
  – Discuss the risks of material fraudulent misstatements
    • While planning the audit, members of the audit team should discuss how and where the company’s financial statements might be susceptible to fraud.

THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

  – Understand fraud
  – Discuss the risks of material fraudulent misstatements
  – Asking management, the audit committee, and others if they know of any past or current fraud or of fraud risks the organization faces.
    • Special care needs to be exercised in examining revenue accounts, since they are particularly popular fraud targets.

THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

  – Understand fraud
  – Discuss the risks of material fraudulent misstatements
  – Obtain information
  – Identify, assess, and respond to risks
    • Use the gathered information to identify, assess, and respond to risks.
    • Auditors can respond by varying the nature, timing, and extent of auditing procedures they perform.
    • They should also carefully evaluate risks related to

THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

  – Understand fraud
  – Discuss the risks of material fraudulent misstatements
  – Obtain information
  – Identify, assess, and respond to risks
  – Evaluate the results of their audit tests
    • Auditors must assess the risk of fraud throughout the audit.
    • When the audit is complete, they must evaluate whether any identified misstatements indicate the presence of fraud.
    • If so, they should determine the impact on the financial statements and the audit.

THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

  – Understand fraud
  – Discuss the risks of material fraudulent misstatements
  – Obtain information
  – Identify, assess, and respond to risks
  – Evaluate the results of their audit tests
  – Communicate findings
    • Auditors communicate their fraud findings to management, the audit

THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

  – Understand fraud
  – Discuss the risks of material fraudulent misstatements
  – Obtain information
  – Identify, assess, and respond to risks
  – Evaluate the results of their audit tests
  – Communicate findings
  – Document their audit work
    • Auditors must document their

THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

  – Understand fraud
  – Discuss the risks of material fraudulent misstatements
  – Obtain information
  – Identify, assess, and respond to risks
  – Evaluate the results of their audit tests
  – Communicate findings
  – Document their audit work
  – Incorporate a technology focus
    • SAS-99 recognizes that technology impacts fraud risks and notes opportunities that auditors have to use technology-oriented tools and techniques to design fraud auditing procedures.

• In this chapter we’ll discuss:

  – The fraud process
  – Why fraud occurs
  – Approaches to computer fraud
  – Specific techniques used to commit computer fraud
  – Ways companies can deter and detect computer fraud

WHO COMMITS FRAUD AND WHY

• Researchers have compared the psychological and demographic characteristics of three groups of people:

  – White-collar criminals
  – Violent criminals
  – The general public

WHO COMMITS FRAUD AND WHY

• White-collar criminals tend to mirror the general public in:

  – Education
  – Age
  – Religion
  – Marriage
  – Length of employment
  – Psychological makeup

WHO COMMITS FRAUD AND WHY

• Perpetrators of computer fraud tend to be younger and possess more computer knowledge, experience, and skills.

• Hackers and computer fraud perps tend to be more motivated by:

  – Curiosity
  – A quest for knowledge
  – The desire to learn how things work
  – The challenge of beating the system

WHO COMMITS FRAUD AND WHY

• They may view their actions as a game rather than dishonest behavior.

• Another motivation may be to gain stature in the hacking community.

• Some see themselves as revolutionaries spreading a message of anarchy and freedom.

• But a growing number want to profit financially. To do so, they may sell data to:

  – Spammers
  – Organized crime
  – Other hackers

WHO COMMITS FRAUD AND WHY

• Some fraud perpetrators are disgruntled and unhappy with their jobs and are seeking revenge against their employers.

• Others are regarded as ideal, hard-working employees in positions of trust.

• Most have no prior criminal record.

• So why are they willing to risk everything?

WHO COMMITS FRAUD AND WHY

• Criminologist Donald Cressey interviewed 200+ convicted white-collar criminals in an attempt to determine the common threads in their crimes. As a result of his research, he determined that three factors were present in the commission of each crime. These three factors have come to be known as the fraud triangle.

  – Pressure
  – Opportunity
  – Rationalization

The “Fraud Triangle”

Donald Cressey

[Figure: the fraud triangle, with sides labeled Pressure and Opportunity]


WHO COMMITS FRAUD AND WHY

• Pressure

  – Cressey referred to this pressure as a “perceived non-shareable need.”
  – The pressure could be related to finances, emotions, lifestyle, or some combination.

WHO COMMITS FRAUD AND WHY

• The most common pressures were:

  - Not being able to pay one’s debts, nor admit it to one’s employer, family, or friends (which makes it non-shareable).
    • May be associated with vices, such as drugs, gambling, mistresses, etc.

WHO COMMITS FRAUD AND WHY

• The most common pressures were:

  - Not being able to pay one’s debts, nor admit it to one’s employer, family, or friends (which makes it non-shareable).
  - Fear of loss of status because of a personal failure
    • Example would be mismanagement of a personal investment or retirement fund.

Posted: 12/05/2017, 10:58