4838 Wilkinson Apps pp 203-241 8/9/99 10:04 AM Page 203

APPENDIX 7.1 FRAUDS

Two closely related types of crimes receiving widespread media coverage are noncomputer fraud and computer fraud. Fraud is defined as any intentional or deliberate scheme that one person uses to gain an unfair advantage over another. The major elements of fraud include a misrepresentation of a material point, which is believed and acted upon by a victim who suffers damages. Financial fraud is any intentional or deliberate act a wrongdoer commits to deceive other persons who in turn suffer a financial loss.

Crimes Classified as Frauds

Fraud is a very broad term used to describe a wide assortment of crimes, including the following, many of which result in financial losses:

1. Misrepresentation of material facts. This fraud offense involves the making of deliberate false statements to induce a victim to part with money or property.* Misrepresentation cases include making false statements or false claims that are often prosecuted under the U.S. Criminal Code statute covering wire and mail frauds. For example, this statute was used to convict television evangelist Jim Bakker of defrauding tens of millions of dollars from his television viewers who purchased a lifetime share in a theme park based on the facts Bakker presented to them during his television shows. Many external auditors have been found guilty of misrepresentation, such as issuing a false audit report, falsely stating that the audit was conducted in accordance with generally accepted auditing standards, and violating the competency standard of fieldwork that requires all audits to be performed by duly qualified auditors.

2. Failure to disclose material facts. As a result of failing to disclose material facts, the victim is misled or deceived. Accountants, lawyers, management, and the board of directors all have an agency relationship involving a special position of trust.
These agents must fully disclose material facts to those parties who rely on these facts to make decisions. For example, an external auditor may be held liable for failing to report to the corporate audit committee a material misrepresentation on a financial statement.

3. Embezzlement. The essence of embezzlement is that it is committed after a person has been entrusted with or legally comes into possession of the property. Thus a bookkeeper who handles cash has a fiduciary duty to his or her employer to account for all cash and to record the cash in the appropriate books of account; if he or she confiscates cash, the bookkeeper commits the crime of embezzlement.

4. Larceny. Larceny is wrongfully taking away someone’s personal property with the intent to convert the property to one’s personal use. Larceny differs from embezzlement since the intent to commit the crime and the carrying away of the property occur simultaneously. In a larceny, the lawbreaker was never legally entrusted with the property. Under most criminal statutes, embezzlement and larceny are types of theft.

5. Bribery. Bribery is giving or receiving anything of value “to influence” an official act. The thing of value—cash, gifts, loans, paying off credit card debt, travel, or entertainment—is promised or given before the act is completed. That is, the thing of value influences the decision.

6. Illegal gratuity. An illegal gratuity is giving or receiving anything of value “for or because of an official act” that has already taken place. The distinction between a bribe and illegal gratuity is that a bribe is given before the official act takes place, whereas in an illegal gratuity, the thing of value, such as a gift, is awarded to an official for performing the desired duties.

*Joseph T. Wells et al., Fraud Examiners Manual, 2nd ed. (Austin, Tex.: Association of Certified Fraud Examiners, 1993), p. 2.20.

Major Types of Frauds

The most commonly occurring type of fraud reported by respondents to a survey conducted by the Association of Certified Fraud Examiners was misappropriation of assets, including cash (the most common type), inventory, supplies, equipment, and information. A second main category of fraud reported by the association was bribery and corruption, such as conflicts of interest, economic extortion, and illegal gratuities. The third main category was fraudulent financial statements.** Although this kind of fraud occurred only a small percentage of the time, the losses from such frauds often amount to millions of dollars, as opposed to misappropriation of cash, whose losses may amount to hundreds of dollars.

**Report to the Nation on Occupational Fraud and Abuse (Austin, Tex.: Association of Certified Fraud Examiners, 1996), pp. 4–38.

All frauds are intentional, not accidental, and involve three phases. First, a wrongful act is committed. (For example, a bookkeeper steals cash from his or her employer.) Second, the person committing the wrongful act attempts to conceal or hide the act. (The bookkeeper could create a fictitious journal entry debiting an expense account and crediting cash.) The third element of a fraud is conversion. That is, the item taken is used for the personal benefit of the person committing the crime. (The bookkeeper could use the illegally obtained funds to purchase a new BMW automobile.)

Classification of Frauds

Two types of frauds are committed within organizations—internal and external frauds. Internal frauds are committed by the managers or employees of a firm. Examples of internal frauds include creation of fictitious journal entries and preparation of phony inventory tickets to inflate ending inventory, thus falsely increasing income. Others include larceny, embezzlement, and the creation of fraudulent financial statements.
External frauds are committed against the firm by nonemployee parties. Our main concern is with internal frauds, since most of them are related to the accounting system. A properly functioning internal control structure will prevent or detect material internal frauds.

Methods of Concealing Frauds

Financial frauds are concealed in one of two ways. On-book frauds involve concealing the fraudulent activity in the normal accounting records. An auditor searching for this type of fraud would find evidence in the firm’s journals and ledgers. Unauthorized cash could be drawn from the firm’s bank account, recorded as a credit in the regular books and records, and the theft could be disguised as a debit to a regular business expense. On-book frauds, therefore, leave a visible audit trail of forged or altered documents, and the preparation of fictitious journal entries to conceal the scheme.

Off-book frauds are not concealed in the normal accounting records but are maintained off the books and are more difficult to uncover since no visible audit trail exists. Such schemes are frequently employed by firms that generate large cash sales, for example, restaurants and bars. In these types of firms, a bartender may record half of the cash sales in the cash register and pocket the other half. The stolen cash does not appear anywhere in the firm’s books. This off-book scheme is known as skimming. As fraudulent schemes become more complex, they will sometimes exhibit the characteristics of both on- and off-book schemes.

Computer Frauds

Because of the proliferation of microcomputers and computer networks, as well as the increasing computer knowledge of millions of microcomputer users, computer fraud is expected to increase significantly in both frequency and amount of losses. Computer frauds exhibit the same characteristics as noncomputer frauds, except that the perpetrator uses a computer to help commit the fraud, often over long distances.
Also, the average dollar loss is much greater than in manually committed frauds. Computer frauds involve the same six types of frauds discussed above; they are often committed internally by management and employees and are concealed using either on- or off-book schemes.

Computer frauds can be committed at breathtaking speeds over long distances and are easier to conceal since the evidence of the crime is maintained on magnetic tape or disk files. These files are often encrypted or coded so that an auditor investigating the crime could not use the coded file as evidence unless the files were decrypted. Unfortunately, decrypting a file involves a special key or password that is possessed only by the perpetrator, who is unlikely to reveal it. A sampling of reported computer crimes, many of which are in fact types of computer frauds, is given in Figure A7.1-1.

Firms Vulnerable to Fraud

Some firms are more vulnerable to fraud than others. Organizations with weak internal control environments are particularly susceptible to frauds, computer frauds, and other types of computer crimes. The lack of soft controls, such as hiring untrustworthy, incompetent, and unethical managers and employees, is a major factor contributing to internal management and employee fraud. A typical profile of persons who commit fraud and computer crimes is presented in Figure A7.1-2. Dominance by one or two managers, as was often true in the savings and loan scandals, allows these managers to override the internal controls and commit frauds amounting to tens of millions of dollars.

Factors that increase a firm’s exposure to fraud are called red flags. KPMG’s 1998 Fraud Survey asked respondents to report the red flags identified prior to discovering an internal fraud.
The results, along with the percentage of respondents reporting this red flag, are as follows:*

• Personal financial pressure (66%)
• Vices (e.g., abuse of drugs, alcohol, or gambling) (48%)
• Extravagant purchases or lifestyle (42%)
• Real or imagined grievances against the company or management (33%)
• Ongoing transactions with related parties (27%)
• Increased stress (27%)
• Internal pressure (e.g., management pressure to meet budgets) (22%)
• Short vacations/unexplained hours (11%)

*The highlights or a copy of the full report of KPMG’s latest annual Fraud Survey can be downloaded at http://www.us.KPMG.com.

FIGURE A7.1-1 A sampling of reported computer crimes.

• A self-employed computer expert discovered the daily code that authorized funds to be transferred from a large bank to other banks. One day, five minutes before closing time, he called the wire room, gave the correct authorization code, and transferred $10 million into a bank account opened under his alias.
• A technician who helped design the computerized ticket system for a major league baseball club stayed around the office one day to show staff workers how to operate the system. Later, club officials discovered that he had also used that day to print 7000 tickets, which he illegally sold through ticket brokers.
• Automated teller machines (ATMs) installed by a large New York bank were the means of an ingenious fraud. Persons posing as bank employees would stop depositors in the middle of ATM transactions and direct them to other ATMs, explaining that the ATMs being used were inoperative. Then these persons would withdraw funds from the abandoned ATMs that had been opened (but not closed) by the depositors.
• A number of unauthorized persons obtained the password into the files of the largest credit bureau in the country. From home computers they were thereby able to view the credit reports of millions of credit card users.
• In a case similar to the preceding one, the “414 gang” (a group of young computer “hackers”) broke into the highly sensitive files of the Los Alamos National Laboratory.
• Two executives of a nationwide firm pleaded guilty to the theft of Social Security numbers. The executives used a microcomputer to illegally access a federal government computer containing the Social Security data.
• In a case widely publicized in The Wall Street Journal, hackers from a European country gained unauthorized access to hundreds of university and military defense computers. The illegally obtained data was reportedly sold to the former KGB.

FIGURE A7.1-2 Typical profile of persons who commit fraud and computer crimes.

• Male, white, 19–30 years old (persons committing fraud tend to be older)
• First-time offender
• Modified Robin Hood syndrome (i.e., keep for thyself)
• Bright, well-educated, highly motivated
• Accepts challenges and likes to play computer games
• Disgruntled, frustrated
• Bragger
• Identifies with own technology far more than with employer’s business
• Often employed in data processing or accounting field
• Frequently suffers from financial pressures (e.g., expensive tastes, habits, drugs, high living costs)
• Feels exploited by employer and wants to get even; feels employer can afford the loss
• Does not intend to hurt anyone
• Sees self as a borrower, not as a thief

Uncovering Fraud

Predication is defined as the totality of circumstances that would lead a reasonably prudent person to believe that a fraud has occurred, is occurring, or will occur. Factors that may trigger an initial fraud investigation include violations of internal controls, internal auditor findings, anonymous letters, and notification by police of possible wrongdoing.

A Certified Fraud Examiner (CFE) is often contacted to conduct a scientific fraud investigation.
The CFE’s first step is to gather and analyze the relevant data to determine whether predication is sufficient to proceed further. Sufficient predication is the basis for creating a hypothesis of a specific fraud. That is, the CFE, based on an evaluation of the initial fraud indicators, decides whether enough evidence exists to proceed further. The next step is to test the hypothesis by gathering sufficient evidence through interviews, document examinations, and observation. At the conclusion of evidence gathering, the CFE prepares a written report that does or does not support the allegation of fraud or is inconclusive. If warranted, the case is turned over to an attorney, who works closely with the CFE to prosecute the case.

Fraud and Computer Crime Prevention Safeguards

With the massive number of cases of insider theft, fraud, embezzlement, and other crimes reported in the media, management should take proper action to prevent, detect, and deter these risk exposures. Firms should establish and enforce strong soft controls, including a written code of professional conduct, ethics, and personnel policies. Ethical principles should receive increased attention throughout the organization. Sound personnel policies and controls, such as reference checks on employment applications, should be enforced. The corporate audit committee should be independent of management and should closely monitor stakeholders’ interests.

A properly developed internal audit function, adequately staffed, can significantly reduce the probability of fraud and other computer crimes. Internal auditors should complete training courses on fraud and computer crime, such as those offered by the Association of Certified Fraud Examiners of Austin, Texas. In addition, internal auditors and other accountants involved in the audit function should be encouraged to become Certified Fraud Examiners.
A CFE is trained in criminology, legal elements of fraud, interrogation and investigative matters, and financial fraud.

Respondents to KPMG’s 1998 Fraud Survey have documented policies and procedures they follow for dealing with fraud. The reported safeguards and controls and the percentage of responding firms reporting them are as follows.*

• A corporate code of conduct (75%)
• Reference checks on new employees (65%)
• Employment contracts (48%)
• Review and improvement of internal controls (47%)
• Fraud audit (42%)
• Ethics training (41%)
• Training courses in fraud prevention and detection (31%)
• Surveillance equipment (30%)
• Increased focus of senior management on the problem (29%)
• Enhanced surveillance equipment (27%)
• Code of sanctions against suppliers/contractors (26%)
• Increased role of audit committee (16%)
• Surveillance of electronic correspondence (15%)
• Increased budget for internal audit (13%)
• Staff rotation policy (11%)
• Increased budget for security department (9%)

Although such crimes can never be eliminated, organizations that adopt the above safeguards can dramatically reduce their vulnerability.

*http://www.us.KPMG.com, p. 1.

APPENDIX 7.2 COMPUTER VIRUSES AND RELATED RISKS

A potentially significant risk exposure to information stored on microcomputers and local-area networks (LANs) is a computer virus. More than 17,000 computer virus strains have been documented, and new ones appear daily. Most viruses have static or unchanging structures that render them relatively easy to detect and destroy with the use of anti-virus software. Anti-virus software checks for, finds, and removes most types of viruses.

A computer virus is a computer program that copies or attaches itself to a program file and causes either the display of prankish messages or the destruction of data, such as erasing all the files on a hard disk. Most computer viruses attach themselves to either executable or document program files.
Currently, macro viruses, which attach to document files of word processing software packages, such as Microsoft Word, are the fastest growing viruses with thousands of documented strains. These viruses are easy to write and easy to spread; they usually enter a PC via e-mail attachments received from the Internet. They, along with other types of viruses, can also be introduced into a microcomputer or a LAN when an infected floppy disk is copied onto a hard disk. Once attached to an executable or document file, a computer virus can remain