Core Concepts of Accounting Information Systems, 13th Edition, by Simkin, Rose, and Norman

Chapter 3 COMPUTER CRIME, ETHICS, AND PRIVACY

Discussion Questions

3-1. Most experts agree with the claim that the known cases of cybercrime are just the tip of the iceberg, and most students are likely to agree with them. Of course, it is not known what percent of all cybercrime is caught because we do not have any measure for the denominator of such a computation. However, if we only detect most cybercrime by luck, chance, or accident, it is reasonable to ask, "What are the really clever computer criminals doing?" Thus, there is every indication that what we have observed about cybercrime in recent years is much less than the total of all cybercrime.

3-2. Among the reasons why more cybercrime is not reported are the following:
1. It is not detected.
2. There are no legal requirements to report cybercrime, especially if the "crime" is detected in private industry.
3. Managers feel that the computer abuses detected within their organizations are embarrassments. Thus, private businesses are reluctant to report them.
4. Some experts fear that certain types of cybercrime are susceptible to the "sky-jack" syndrome—i.e., that reporting a particular cybercrime will lead to a rash of similar ones.
5. Some people consider certain practices unethical but not illegal. Thus, for example, several organizations in the past have chosen not to press charges against students stealing computer time from university computers or employees using company resources for privately-contracted programming efforts. These activities are rarely reported.
6. A definition of cybercrime is elusive. Thus, some cybercrime is never reported because it falls into a gray area.
7. For some "small" crimes involving little money, the trouble of reporting them might be greater than the gains from such reporting.
8. Many IT personnel are not fully aware of the laws governing computer usage, and therefore fail to report abuses because they don't realize that the abuses violate federal or state statutes.

The matter of whether or not these reasons are valid is subjective. Currently, there is a debate in the literature over how much cybercrime should be reported and what should be revealed if it is reported. Among the arguments in favor of reporting cybercrime are:
1. Disclosure will alert other organizations about the dangers of computer crime and may result in better protection against it.
2. Disclosure will lead to better controls and a more informed, security-conscious society.
3. Disclosure will strengthen the case for cybercrime legislation and/or a stricter enforcement of the laws.
4. Ultimately, cybercrime injures the public at large. Therefore, the public has a right to know about it.
5. We must learn to use our technology in constructive ways. Philosophically speaking, we must know about our environment, especially where technological abuse works against the common good.

3-3. Most experts believe that cybercrime today is growing, not diminishing. To understand this claim, we must first distinguish between the amount of cybercrime that is committed and the amount of cybercrime that is reported. As stressed in the chapter, experts believe that the number of reported cases of cybercrime is much less than the amount of cybercrime that goes undetected and/or unreported. Other factors that suggest that cybercrime is growing include:
1. The number of computers in use today is growing rapidly. It is reasonable to expect the potential for cybercrime to grow with it.
2. A large number of new computers are personal computers, netbooks, and hand-held PDAs. These systems are usually less secure than larger computer installations and have relatively limited control procedures.
3.
More is known about the successes of computer criminals than about the ways such criminals can be thwarted. It is reasonable to assume that the high-gain cybercrime that has accidentally been caught in one place is currently also being tried elsewhere.
4. We believe that expenditures on computer security are growing much more slowly than expenditures on computer hardware and software. The difference between such expenditures is a widening gap that allows for increased cybercrime.
5. We believe that copyright infringement for software usage is common, but that most companies, as well as most police bodies, may not be aware of such infringements or may lack the resources to protect their rights.
6. A growing amount of cybercrime involves phishing and financial scams targeting other individuals, not companies.
7. The number of spam emails received by individuals is growing. This is actually illegal in certain states and countries.

Losses from known cases of cybercrime have been much greater than the losses resulting from other types of white-collar crime. From this we learn that the vulnerability of a typical computerized accounting information system is much greater than the vulnerability of a typical manual system and that special controls and other safeguards must be installed in an AIS to protect it from abuse.

When reviewing specific cases of cybercrime, such as those presented in this chapter, one is struck by the fact that they differ widely in target system, method of approach, and means of deception. These diversities raise the question of whether an accounting information system can really be adequately protected from systematic abuse. Most experts feel that it cannot. Thus, the current decade promises yet more cybercrime of even more spectacular proportions than the crimes of the past.

3-4. Students may strongly agree or disagree on this issue. However, the responses they give should be based on their research (visits to various websites to determine exactly what information different e-retailers collect and what they do with the information that is collected—or other data that might support their point of view). Encourage students to base their opinions on data that they might find on the Internet or data that might be available in their university library (either reference books or digital media), rather than their "feelings". This topic can lead to a very lively classroom discussion if half of the students are required to "support" the view that retailers have the right, and the other half of the students are required to find data that suggests retailers do not have this right (for example, are there any laws that might limit what retailers can collect?). A mock debate can be used to bring out both sides of this issue, where 2-3 students from each group might present their findings (perhaps using PowerPoint slides) in front of the class and present their respective points of view. After both presentations, the students in the front of the class could act as facilitators to encourage the rest of their classmates to give their opinions.

The protection of computer-based information rests upon the need to safeguard individual rights to privacy. These rights include the protection of personal information when it is collected, maintained, used, or distributed. The issue becomes increasingly important when some of these activities were not authorized by those individuals who (perhaps unwillingly or unknowingly) provided the information. Examples of such vulnerable information include state and federal tax returns, responses to surveys, consumer behavior observed with hidden cameras, employee work evaluations, and medical records.
There is remarkably little that an individual can do to protect personalized information in health, mail-order, and private banking applications. However, the following safeguards are available for certain other applications:

1. FAIR CREDIT REPORTING ACT OF 1970
   This act guarantees the individual certain rights regarding the use of credit information gathered about him. Among these rights are:
   a) access to the information
   b) the ability to challenge the information
   c) the right to make the credit-information company change the information at company expense if it is shown to be in error

2. PRIVACY ACT OF 1974
   This act places general restrictions on the use of personal information collected by agencies of the federal government. An individual is now permitted:
   a) to ascertain what records pertaining to him are collected, maintained, and used by any agency
   b) to prevent his records from being used or made available to others without his consent
   c) to gain access to the information, and to have copies made at a reasonable expense (his expense)
   d) to correct file information if found to be in error
   e) to file civil suits to collect for damages in the event that information collected about him is misused by a federal agency

3. SUPREME COURT RULING OF GRISWOLD VERSUS CONNECTICUT
   This case involved the right of privacy. While the Supreme Court did not make any definite statement about privacy in the Constitution, it did suggest that the right of privacy was implied in the First, Third, Fourth, Fifth, and Ninth Amendments.

4. STATE LEGISLATION
   Almost all states have now enacted computer crime laws of some type.

5. FREEDOM OF INFORMATION ACT OF 1970
   This "sunshine law" guarantees individuals the right to see any information gathered about them by federal agencies, and also prohibits these agencies from gathering information about individuals that is not germane to agency needs.

6. COMPUTER SECURITY ACT OF 1987
   This act requires more than 550 federal agencies to develop security plans for each computer system that processes sensitive information.

7. NATIONAL ASSOCIATION OF STATE INFORMATION SYSTEMS (NASIS)
   This organization, along with concerned consumer groups, has been active in seeking state and federal legislation that regulates the use of computerized information.

3-5. There were a number of factors favorable to the TRW employees in the commission of their crime. Perhaps the most important was the fact that the change of information in the company's computer files, in and of itself, did not involve any cash transactions. Thus, unlike many other computer crimes in which a perpetrator must make a false debit or credit to cover up his activities, the TRW employees merely changed the credit ratings of the individuals who had paid for this "service."

Another factor that aided the participants was the lack of feedback checks which are so often a natural part of other types of accounting information systems. For example, in an accounts receivable system, an improper customer billing is likely to be noticed and brought to the attention of a company manager for correction. In the TRW case, however, TRW's clients apparently accepted the credit ratings without question and thus extended credit to individuals who were not creditworthy.

A final factor that helped TRW employees commit this crime was the seeming lack of internal control on credit changes in TRW's input operations. In particular, it appears that the input clerk was able to make unauthorized credit-rating changes which reversed individual evaluations from bad ones to acceptable ones. This capability enabled the TRW employees to sell good credit ratings to customers and thus permitted them to carry out their schemes.

One control that might have prevented this cybercrime would be more stringent supervision in the altering of credit information in TRW's files.
For example, the company might have insisted that all credit-rating reversals be first approved by management. A similar policy might have also been applied to all file changes in which favorable credit information was to be added to unfavorably-rated accounts.

Another control might be the maintenance of duplicate credit information by both TRW and the credit-card companies. Although this procedure would be expensive, it has the advantage of installing a feedback characteristic in TRW's credit operations which was obviously missing when the crime was committed. Given the fact that damages resulting from this crime were estimated at over $1 million, such a control procedure has the potential to be cost effective despite such expense.

A number of similar cases of cybercrime fall into the category of "valuable information computer abuse." Examples include:
1. Industrial espionage cases, in which corporate budget plans, bidding data on forthcoming projects, or patent information stored on computer files is the major target
2. Computer snooping, in which information about the volume of accounts of a company or the salaries of specific individuals is the target
3. Software theft, in which the source code for an application program or operating system program is desired
4. Student pilferage, in which one student steals an assignment from another
5. Extortion, in which the information stored on a company's files is threatened if the company does not agree to the perpetrator's demands
6. Blackmail, in which computerized information will be revealed if payment is not made
7. File-napping, which is like kidnapping except that the "kid" is really the computer files of a company, which are subsequently held for ransom

3-6. As commonly used, hacking means gaining illegal or unauthorized access to computers, computer networks, or computer files. To ensure anonymity, the typical hacker accomplishes this from remote locations and with assumed identities. Some hackers gain little financially from their activities, but instead seem to enjoy some psychological satisfaction by successfully gaining access to their target computer resources. The growth of microcomputer usage has added to the problem because anyone with a microcomputer and access to the Internet can "hack."

Two major deterrents to hacking are (1) education and (2) prevention. Education includes teaching students, employees, and the general public about computer ethics, helping them understand how costly computer breaches can be to victim organizations, and making them aware of the fact that hacking is now a punishable federal offense. Prevention includes installing and using firewalls, non-dictionary passwords, lockout, dial-back, and/or other security systems, changing passwords often, and prosecuting hackers as examples to others.

3-7. A computer virus is a program or subroutine that can replicate itself in other programs or computer systems. Typically, viruses are also destructive, although a few "benign" viruses have commandeered computer systems just long enough to display harmless messages before returning control to the end user. The damage that can be caused by other virus programs can be much more serious, and includes destroying system or user files, disrupting computer operations, denying others access to a system, launching distributed denial of service attacks against other systems, or disrupting the functioning of a complete system or network.

3-8. As noted in the text, employees are not likely to be aware of the importance or cost of cybercrime. Thus, educating employees about cybercrime laws, the telltale signs of cybercrime, and the importance of making periodic file backups to recover from cybercrime are important.
Research also suggests that cybercrime is less likely if companies inform employees about the seriousness of such abuse and aggressively prosecute computer abusers. Although employees can be educated without the support of top management, most experts agree that such support is critical to successful security programs. The education process itself takes valuable employee time, of course; managers must prepare the necessary policy manuals, and training programs must exist with the full consent and encouragement of top executives.

3-9. Given that the Internet is a medium of information exchange and a free market, almost any crime that can be committed in a physical venue can also be committed in an electronic one. This includes misrepresentation, fraud, theft, racketeering, bribery, extortion, etc. In addition, as noted in the chapter, the Internet also gives computer abusers the opportunity to spread computer viruses, hack into computer systems and files for illicit purposes, and destroy or alter computer records or software without permission. Finally, it is important to note that the Internet provides perpetrators the critical anonymity they need to execute these forms of cybercrime.

The types of resources targeted by computer abusers vary widely. In some cases, the financial information maintained by a computer system is the target, as illustrated by the TRW case. In other cases, it is the personal identities of customers or taxpayers. In still other cases, such as denial-of-service attacks, the system itself is the target. The controls that are needed to safeguard such resources also vary widely.

3-10. Ethical behavior means acting in accord with standards of moral conduct. Examples of ethical behavior within AIS environments include protecting confidential information, being socially responsible, respecting the privacy of others, avoiding conflicts of interest, and using work computers only for business purposes. Ways of encouraging ethical behavior include:
1. Educating employees about the importance of ethical behavior
2. Training employees by providing them with actual cases of ethical behavior in formal educational settings
3. Teaching by example
4. Rewarding ethical behavior with job promotions and similar benefits
5. Asking employees to subscribe (e.g., by signature) to professional codes of conduct
6. Penalizing those who violate ethical codes of conduct

At one of the authors' universities, the student judicial office keeps lists of students caught cheating. If the instructor wishes, a student caught cheating can be asked to attend one or more workshops that teach them about student ethics (point 1 above) and what can happen to students who violate the university's student code (point 6 above).

3-11. Hopefully, Mr. Randy Allen is an honest, hard-working bank employee deserving of the "Employee-of-the-Year" award. However, the presence of (1) a computerized bank data processing system to handle accounts, (2) the number of complaints from customers about account-balance errors, and (3) the ability of Mr. Allen to rectify these errors manually without additional approval or supervision suggest that additional investigation may be in order. An enforcement of the two-week vacation rule for Mr. Allen, and perhaps an audit of the accounts of customers who have been complaining in his absence, would be good ideas. There are just too many danger signs here to let this situation go unexamined.

Problems

3-12. The scenarios presented in these brief descriptions actually happened. They are controversial matters and can lead to good classroom discussions. Although there are no right or wrong answers, the authors suggest the following as preferred responses:
a.
Here we have a student filing a formal complaint against a university because it did not rectify a problem caused by her own forgetfulness. If the university has a written policy forbidding techs to provide computer passwords over the phone, the university should be on solid ground.
b. An individual's right to privacy sometimes conflicts with corporate goals. This scenario points to the importance of developing corporate policies about such matters—especially the issue of what materials employees can maintain on business computers. Educating this particular employee about how embarrassing it would be if customers learned about his pornographic materials might be all that was needed to solve this problem. In the end, this case deals with a corporate computer, owned by the company, which therefore should have the final say about what can be stored on it.
c. Research shows that allowing individuals to select their own passwords usually results in easy-to-guess, simple passwords and/or the post-it-note behavior described here. These are undesirable security problems. Again, corporate policies that (1) require employees to use company-assigned or strong passwords, and (2) explicitly require employees to hide their passwords from public view can help.
d. This event actually happened. The employee objected to someone snooping his old hard drive on the grounds that it contained personal information, but his superiors argued that he had accepted the new computer and therefore given up his rights to the old one. The information on the old hard drive provided clear evidence that this particular employee was violating corporate policy by working a second job, resulting in a near-dismissal for this employee.
e. The discovery from this audit is a major red flag. The company should employ a forensic accountant, and perhaps a lawyer, to investigate further. An interesting question to answer is "Who is cashing the checks?" If it is the same person, this would be evidence of fraud.
f. This action is perhaps unethical but not illegal. It is not much different from hiring shills in live auctions to bid up prices.
g. This is an example of click fraud. Because the activity appears intentional, it is prosecutable as fraud.

3-13. This problem requires students to create a report on a recent computer abuse that they find discussed in a recent journal or other publication. Although finding such abuses is relatively easy, the lack of detailed information in most of them usually makes it more difficult to create meaningful analyses of them. The important points to emphasize here are students' research skills and their ability to find an appropriate example. A good source of information for these types of examples may be found at the following website: http://www.crime-research.org.

3-14. Suggested control procedures are as follows:
a. The company should eliminate incompatible functions: the clerk should not be permitted to both create payroll records and be in a position to intercept the payroll checks. The system would also be able to alert others to this activity if it automatically generated confirmation slips of new hires to department managers.
b. The incompatible function in this example allows a clerk to handle cash and to manipulate the accounts affected by the cash payments.
c. Passwords should not be dictionary words, but nonsense terms like "RES234" instead. Access to corporate computers from outside callers can also be controlled by limiting the number of password tries a caller can make (e.g., to three attempts), or by using a dial-back system.
d. The only way lapping accounts receivable can be performed successfully over this much time is by continued access and diligent activity. Enforcing the two-week vacation rule usually thwarts it.
e. Educating employees about the problems of viruses and how viruses are introduced to LANs may help.
A policy forbidding employees from downloading computer games to corporate computers would also be useful. Finally, many companies now routinely use antiviral software that automatically screens new software for known viruses before it is loaded onto hard disks.
f. This is a breach of confidentiality, and certainly unethical behavior. The employees of medical facilities are usually cautioned about the strict, private nature of the information they access. "Education" and "corporate policies" regarding the confidentiality of this information are important controls. Firing employees who violate such policies also helps other employees understand their importance and seriousness.

3-15. The Association of Certified Fraud Examiners (ACFE) checklist and points are as follows:
1. Fraud risk oversight (20 points)
2. Fraud risk ownership (10 points)
3. Fraud risk assessment (10 points)
4. Fraud risk tolerance and risk management policy (10 points)
5. Process-level anti-fraud controls/reengineering (10 points)
6. Environmental anti-fraud controls (30 points)
7. Proactive fraud detection (10 points)

This question also asks students whether this checklist "is likely to help organizations prevent most types of fraud." Although most students are likely to feel that this checklist can help managers and employees prevent and/or detect fraud, it is important to note that even the most stringent controls are worthless if managers ignore them.

Case Analyses

3-16. Find-a-Fraud

1. Potential red flags are: after-hours sales, sales during vacation periods, a large number of sales just below authorization requirements, and large returns just after year-end.

2. a. After-hours sales: the employee could be creating false sales
   b. Sales during vacation periods: the employee could be creating false sales
   c. Sales below authorization levels: employees may be attempting to avoid authorization, which could indicate the potential for false sales
   d. Large returns after year-end: this could indicate that sales recorded near year-end were fictitious and created to boost reported revenue

3. It appears most likely that Employee C is engaged in some form of fraud involving fictitious sales, and the company may be intentionally overstating revenue by recording false sales near year-end.

3-17. The Resort

1. Yes, because it involves a computer, it is possible to call this a cybercrime.

2. This would be classified as fraud because employees are intentionally deceiving the company, they are receiving benefits, and the firm is harmed.

3. One obvious control for this application is for the resort to formally adopt a policy prohibiting employees from receiving booking commissions when they double as travel agents—or perhaps pay them small, fixed bonuses for such work instead of full commissions. The resort should also maintain a current list of approved travel agencies, and use this list before paying booking commissions. It may also be cost effective for managers to handle non-approved agency commissions on an exceptions basis. For example, each month before paying commissions to such agencies, the resort might obtain a printout of unrecognized firms and contact each of them for verification.

4. Classification will depend on the controls that students identify. Using the first example above, any "policy" is intended to be a preventive control. Notice that the content of the policy is to segregate duties, which is itself a preventive control. The last example in 3 above would be a detective control. Students also might suggest training for employees at this resort so that they learn how management expects them to behave in the future, which would be an example of a corrective control.

5.
The lack of accountability is critical to this fraud because it is the resort's policy of paying unverified travel agencies booking commissions that enables this deception to continue. It is not clear that the resort should change its policy (e.g., it may not be cost effective to do so). However, this seems unlikely. Catching and disciplining one employee may also act as a deterrent to others.

3-18. The Department of Taxation

1. a) Confidentiality problems that could arise processing input data and recommended corrective actions are as follows:

   Problem 1) Unauthorized user of terminal.
   Controls:
      a) Limit physical access to the terminal room used for data input and/or require data input personnel to wear color-coded badges for identification
      b) Use different passwords for each user and change them frequently

   Problem 2) Online modification of program by operator to by-pass controls.
   Controls:
      a) Prohibit program modification from input or inquiry terminals
      b) Secure the documentation that indicates how to perform operations other than input of tax returns
      c) Do not hire operators with programming skills
      d) Prohibit programmers from the computer room

   Problem 3) Use of equipment for unauthorized processing or searching through files.
   Controls:
      a) Use passwords that limit access to only that part of the system needed for input of current tax data
      b) Secure the documentation that indicates how to perform operations other than input of tax returns

   b) Confidentiality problems that could arise processing returns and recommended corrective actions are as follows:

   Problem 1) Operator intervention to input data or to gain output from files.
   Controls:
      a) Limit operator access to only that part of the documentation needed for equipment operation
      b) Prohibit operators from writing programs or modifying the system
      c) Daily review of console log messages and/or run times

   Problem 2) There might be attempts to screen individual returns on the basis of sex, race, surname, etc.
   Controls:
      a) Institute programming controls such that there is a definite sequence to creating or maintaining programs. This sequence should contain reviews at general levels and complete trial runs.

   c) Confidentiality problems that could arise in the inquiry of data and recommended corrective actions are as follows:

   Problem 1) Unauthorized user with a valid taxpayer ID using the system.
   Controls:
      a) Use a sign-in/sign-out register for persons using the system
      b) Require users to show some form of identification
      c) Use a programmed sequence of questions which only valid users are likely to be able to answer
      d) Prohibit phone responses

   Problem 2) Taxpayer or regional state employee use of equipment for unauthorized processing or searching through files.
   Controls:
      a) Use passwords to limit access to output of tax information
      b) Secure the documentation that indicates how to perform tasks other than taxpayer inquiries
      c) Have the terminals lock out for repeated login errors or attempts to break security
      d) Have a code system that logs each entry and data inquiry by user
      e) Provide daily activity reporting to supervisors and/or auditors showing terminal numbers, user numbers, type of processing, names of files accessed, and unacceptable requests

2. Potential problems and possible controls to provide data security against loss, damage, and improper input or use of data are as follows:

   Problem 1) Loss of tax return data before any file updates.
   Controls:
      a) Keep copies of tax returns in a safe location and (temporarily) organized for reprocessing if necessary
      b) Maintain a transaction log on backing media for possible recall

   Problem 2) Improper input or use of data during processing.
   Controls:
      a) Verify data entry or enter twice by different operators
      b) Prohibit data entry through inquiry terminals
      c) Process routine items at specified times, thus preventing unauthorized runs of vital information

   Problem 3) Incomplete processing of tax returns.
   Controls:
      a) Computer prompting of terminal operators for appropriate input
      b) Balancing of computer processing at each stage back to input and run control totals

   Problem 4) Fraudulent program modifications entered from input or inquiry terminals.
   Controls:
      a) Prohibit programming from input or inquiry terminals; log all such attempts on the console log for immediate supervisory action
      b) Periodic checks of all software packages so that any illegal modifications can be detected
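The inquiry-terminal controls in 1c above (lockout after repeated login errors, logging every inquiry by user, and a daily activity report of terminals, users, files and unacceptable requests) can be expressed as a small monitoring routine. This is an added example, not material from the solutions manual or the case: the terminal and user numbers, the console events and the permitted-file list are all constructed for illustration, and the three-failure lockout threshold is an assumption.

```python
"""Inquiry-terminal monitoring for the Department of Taxation case (3-18, 1c).

Added example: the events, terminal/user numbers, permitted-file list and
lockout threshold are constructed for illustration and are not part of the case.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_LOGIN_FAILURES = 3   # control (c): lock the terminal after this many failures in a row

# Files an inquiry terminal may read; any other file is an unacceptable request (assumed).
INQUIRY_FILES = {"TAXPAYER_MASTER", "RETURN_STATUS"}


@dataclass(frozen=True)
class Event:
    day: str          # processing date
    terminal: str     # terminal number
    user: str         # user number
    kind: str         # LOGIN_OK, LOGIN_FAIL, INQUIRY, UPDATE or PROGRAM
    target: str = ""  # file (or program) named in the request, if any


def screen_events(events):
    """Control (c): reject every request from a terminal once it has reached
    MAX_LOGIN_FAILURES consecutive failed logins.  Returns
    ([(event, accepted)], locked_terminals); every event is kept for the log
    (control d) whether it was accepted or not."""
    failures = defaultdict(int)
    locked = set()
    screened = []
    for ev in events:
        if ev.terminal in locked:
            screened.append((ev, False))
            continue
        if ev.kind == "LOGIN_FAIL":
            failures[ev.terminal] += 1
            if failures[ev.terminal] >= MAX_LOGIN_FAILURES:
                locked.add(ev.terminal)
            screened.append((ev, False))
            continue
        if ev.kind == "LOGIN_OK":
            failures[ev.terminal] = 0   # a successful login resets the counter
        # An inquiry terminal never accepts updates or programming (controls a and b).
        ok = ev.kind == "LOGIN_OK" or (ev.kind == "INQUIRY" and ev.target in INQUIRY_FILES)
        screened.append((ev, ok))
    return screened, sorted(locked)


def daily_activity_report(screened):
    """Control (e): per day, terminal and user, summarise the type of processing,
    the files accessed and every unacceptable (rejected) request, for review by
    supervisors and auditors."""
    report = {}
    for ev, accepted in screened:
        row = report.setdefault(
            (ev.day, ev.terminal, ev.user),
            {"processing": defaultdict(int), "files": set(), "unacceptable": []},
        )
        row["processing"][ev.kind] += 1
        if accepted and ev.target:
            row["files"].add(ev.target)
        if not accepted:
            row["unacceptable"].append((ev.kind, ev.target))
    return report


# Constructed console log for one day (not from the case).
SAMPLE_EVENTS = [
    Event("2024-04-15", "T01", "U100", "LOGIN_OK"),
    Event("2024-04-15", "T01", "U100", "INQUIRY", "TAXPAYER_MASTER"),
    Event("2024-04-15", "T01", "U100", "INQUIRY", "RETURN_STATUS"),
    Event("2024-04-15", "T02", "U200", "LOGIN_FAIL"),
    Event("2024-04-15", "T02", "U200", "LOGIN_FAIL"),
    Event("2024-04-15", "T02", "U200", "LOGIN_FAIL"),              # third failure locks T02
    Event("2024-04-15", "T02", "U200", "LOGIN_OK"),                # rejected: terminal locked
    Event("2024-04-15", "T03", "U300", "LOGIN_OK"),
    Event("2024-04-15", "T03", "U300", "INQUIRY", "TAXPAYER_MASTER"),
    Event("2024-04-15", "T03", "U300", "INQUIRY", "PAYROLL_MASTER"),  # file outside inquiry scope
    Event("2024-04-15", "T03", "U300", "PROGRAM", "PATCH_RETURNS"),   # programming from an inquiry terminal
]


def run_sample():
    screened, locked = screen_events(SAMPLE_EVENTS)
    return locked, daily_activity_report(screened)


def format_report(report):
    """Render the report as the daily listing a supervisor would receive."""
    lines = []
    for (day, terminal, user), row in sorted(report.items()):
        processing = ", ".join(f"{k}={v}" for k, v in sorted(row["processing"].items()))
        lines.append(f"{day} terminal {terminal} user {user}: {processing}; "
                     f"files {sorted(row['files'])}; unacceptable {row['unacceptable']}")
    return "\n".join(lines)


if __name__ == "__main__":
    locked_terminals, daily_report = run_sample()
    print("locked terminals:", locked_terminals)
    print(format_report(daily_report))
```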
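Returning to the Find-a-Fraud case (3-16): the four red flags listed there (after-hours sales, sales during vacation periods, sales just below the authorization limit, and large returns just after year-end) can be run as screening rules over a sales ledger, with a company-level check for the year-end revenue overstatement mentioned in answer 3. This is an added example, not from the solutions manual: the employees, sales and return records, business hours, vacation dates, the $5,000 authorization limit and the "large return" threshold are all constructed assumptions.

```python
"""Red-flag screening for the Find-a-Fraud case (3-16).

Added example, not from the text: the employees, sales and return records,
business hours, vacation dates, authorization limit and return threshold are
all constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, time

AUTH_LIMIT = 5000.00                        # sales at or above this need approval (assumed)
JUST_BELOW = 0.95                           # within 5% under the limit counts as "just below"
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed
YEAR_END = date(2023, 12, 31)
RETURN_WINDOW_DAYS = 31                     # "just after year-end": January of the next year
LARGE_RETURN = 2000.00                      # assumed

VACATIONS = {"C": (date(2023, 11, 6), date(2023, 11, 10))}   # constructed

# Constructed sales ledger: (sale_id, employee, timestamp, amount)
SALES = [
    ("S1", "A", datetime(2023, 11, 14, 10, 30), 1200.00),
    ("S2", "A", datetime(2023, 12, 5, 14, 0), 800.00),
    ("S3", "B", datetime(2023, 12, 12, 9, 15), 4990.00),   # just below the limit
    ("S4", "B", datetime(2023, 12, 20, 11, 0), 3000.00),
    ("S5", "C", datetime(2023, 11, 8, 10, 0), 4800.00),    # during C's vacation, just below limit
    ("S6", "C", datetime(2023, 12, 28, 21, 45), 4900.00),  # after hours, just below limit
    ("S7", "C", datetime(2023, 12, 29, 23, 10), 3500.00),  # after hours
]
# Constructed returns: (sale_id, return_date, amount)
RETURNS = [
    ("S4", date(2024, 1, 5), 500.00),     # small partial return, not a red flag
    ("S6", date(2024, 1, 4), 4900.00),    # full reversal just after year-end
    ("S7", date(2024, 1, 9), 3500.00),    # full reversal just after year-end
]


def after_hours(ts):
    return not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])

def during_vacation(employee, ts):
    window = VACATIONS.get(employee)
    return window is not None and window[0] <= ts.date() <= window[1]

def just_below_limit(amount):
    return AUTH_LIMIT * JUST_BELOW <= amount < AUTH_LIMIT

def large_return_after_year_end(sale_ts, return_date, amount):
    """A large return shortly after year-end of a sale booked in the final month:
    the sale may have been recorded only to inflate reported revenue."""
    days_after = (return_date - YEAR_END).days
    sold_in_last_month = sale_ts.year == YEAR_END.year and sale_ts.month == 12
    return amount >= LARGE_RETURN and sold_in_last_month and 0 < days_after <= RETURN_WINDOW_DAYS

def screen(sales, returns):
    """Return {employee: [(sale_id, red_flag), ...]} for every flagged sale."""
    flags = defaultdict(list)
    by_id = {s[0]: s for s in sales}
    for sale_id, employee, ts, amount in sales:
        if after_hours(ts):
            flags[employee].append((sale_id, "after_hours"))
        if during_vacation(employee, ts):
            flags[employee].append((sale_id, "during_vacation"))
        if just_below_limit(amount):
            flags[employee].append((sale_id, "just_below_limit"))
    for sale_id, return_date, amount in returns:
        _, employee, ts, _ = by_id[sale_id]
        if large_return_after_year_end(ts, return_date, amount):
            flags[employee].append((sale_id, "large_return_after_year_end"))
    return dict(flags)

def rank_employees(flags):
    """Employees ordered by number of red flags, most suspicious first."""
    return Counter({e: len(v) for e, v in flags.items()}).most_common()

def year_end_reversal_ratio(sales, returns):
    """Company-level check: share of last-month revenue reversed just after
    year-end.  A high ratio points at deliberate overstatement of revenue."""
    last_month = {s[0]: s for s in sales if s[2].year == YEAR_END.year and s[2].month == 12}
    booked = sum(s[3] for s in last_month.values())
    reversed_amt = sum(a for sid, d, a in returns
                       if sid in last_month and 0 < (d - YEAR_END).days <= RETURN_WINDOW_DAYS)
    return reversed_amt / booked if booked else 0.0


if __name__ == "__main__":
    found = screen(SALES, RETURNS)
    for employee, count in rank_employees(found):
        print(employee, count, found[employee])
    print("year-end reversal ratio:", round(year_end_reversal_ratio(SALES, RETURNS), 3))
```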