Borden's modified PPT slides

CHAPTER 5
Computer Fraud and Security
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
1 of 175
INTRODUCTION
• Questions to be addressed in this chapter:
– What is fraud, and how are frauds
perpetrated?
– Who perpetrates fraud and why?
– What is computer fraud, and what forms does
it take?
– What approaches and techniques are used to
commit computer fraud?
INTRODUCTION
• Information systems are becoming
increasingly more complex and society is
becoming increasingly more dependent on
these systems.
– Companies also face a growing risk of these
systems being compromised.
– Recent surveys indicate 67% of companies
suffered a security breach in the last year with
almost 60% reporting financial losses.
INTRODUCTION
• Companies face four types of threats to
their information systems:
– Natural and political disasters
– Software errors and equipment malfunction
• 60% of companies studied had significant software errors in previous
year.
– Unintentional acts
• Information Systems Security Assn. estimates 65% of security
problems are caused by human error
– Intentional acts (computer crime)
INTRODUCTION
• In this chapter we’ll discuss:
– The fraud process
– Why fraud occurs
– Approaches to computer fraud
– Specific techniques used to commit computer
fraud
– Ways companies can deter and detect
computer fraud
THE FRAUD PROCESS
• Fraud is any and all means a person uses to gain an unfair advantage over another person.
• In most cases, to be considered fraudulent, an act must involve:
– A false statement (oral or in writing)
– About a material fact
– Knowledge that the statement was false when it was uttered (which implies an intent to deceive)
– A victim relies on the statement
– And suffers injury or loss as a result
• The definition is the same whether it is a criminal or civil fraud case.
– The only difference is the burden of proof required.
• Criminal case: Beyond a reasonable doubt.
• Civil case: Preponderance of the evidence OR clear and convincing evidence.
THE FRAUD PROCESS
• Since fraudsters don’t make journal entries to
record their frauds, we can only estimate the
amount of losses caused by fraudulent acts:
– The Association of Certified Fraud Examiners (ACFE)
estimates that total fraud losses in the U.S. run
around 6% of annual revenues or approximately $660
billion in 2004.
• More than we spend on education and roads in a year.
• 6 times what we pay for the criminal justice system.
– Income tax fraud (the difference between what
taxpayers owe and what they pay to the government)
is estimated to be over $200 billion per year.
– Fraud in the healthcare industry is estimated to
exceed $100 billion a year.
THE FRAUD PROCESS
• Fraud against companies may be committed by
an employee or an external party.
– Former and current employees (called
knowledgeable insiders) are much more likely than
non-employees to perpetrate frauds (and big ones)
against companies.
• Largely owing to their understanding of the company’s
systems and its weaknesses, which enables them to commit
the fraud and cover their tracks.
– Organizations must utilize controls to make it difficult
for both insiders and outsiders to steal from the
company.
THE FRAUD PROCESS
• Three types of occupational fraud:
– Misappropriation of assets
• Involves theft, embezzlement, or misuse of
company assets for personal gain.
• Examples include billing schemes, check
tampering, skimming, and theft of inventory.
• In the 2004 Report to the Nation on Occupational
Fraud and Abuse, 92.7% of occupational frauds
involved asset misappropriation at a median cost
of $93,000.
THE FRAUD PROCESS
• Three types of occupational fraud:
– Misappropriation of assets
– Corruption
• Corruption involves the wrongful use of a
position, contrary to the responsibilities of
that position, to procure a benefit.
• Examples include kickback schemes and
conflict of interest schemes.
• About 30.1% of occupational frauds include
corruption schemes at a median cost of
$250,000.
THE FRAUD PROCESS
• Three types of occupational fraud:
– Misappropriation of assets
– Corruption
– Fraudulent statements
• Financial statement fraud involves misstating the financial condition of
an entity by intentionally misstating amounts or disclosures in order to
deceive users.
• Financial statements can be misstated as a result of intentional efforts
to deceive or as a result of undetected asset misappropriations that are
so large that they cause misstatement.
• About 7.9% of occupational frauds involve fraudulent statements at a
median cost of $1 million. (The median pales in comparison to the
maximum cost.)
THE FRAUD PROCESS
• A typical employee fraud has a number of important elements or
characteristics:
– The fraud perpetrator must gain the trust or confidence of the person or
company being defrauded in order to commit and conceal the fraud.
– Instead of using a gun, knife, or physical force, fraudsters use weapons
of deceit and misinformation.
– Frauds tend to start as the result of a perceived need on the part of the
employee and then escalate from need to greed. Most fraudsters can’t
stop once they get started, and their frauds grow in size.
– The fraudsters often grow careless or overconfident over time.
– Fraudsters tend to spend what they steal. Very few save it.
– In time, the sheer magnitude of the frauds may lead to detection.
– The most significant contributing factor in most employee frauds is the
absence of internal controls and/or the failure to enforce
existing controls.
THE FRAUD PROCESS
• The National Commission on Fraudulent
Financial Reporting (aka, the Treadway
Commission) defined fraudulent financial
reporting as intentional or reckless conduct,
whether by act or omission, that results in
materially misleading financial statements.
• Financial statements can be falsified to:
– Deceive investors and creditors
– Cause a company’s stock price to rise
– Meet cash flow needs
– Hide company losses and problems
THE FRAUD PROCESS
• Fraudulent financial reporting is of great
concern to independent auditors, because
undetected frauds lead to half of the
lawsuits against auditors.
• In the case of Enron, a financial statement
fraud led to the total elimination of Arthur
Andersen, a premier international public
accounting firm.
THE FRAUD PROCESS
• Common approaches to “cooking the
books” include:
– Recording fictitious revenues
– Recording revenues prematurely
– Recording expenses in later periods
– Overstating inventories or fixed assets
(WorldCom)
– Concealing losses and liabilities
THE FRAUD PROCESS
• The Treadway Commission recommended four
actions to reduce the possibility of fraudulent
financial reporting:
– Establish an organizational environment that
contributes to the integrity of the financial reporting
process.
– Identify and understand the factors that lead to
fraudulent financial reporting.
– Assess the risk of fraudulent financial reporting within
the company.
– Design and implement internal controls to provide
reasonable assurance that fraudulent financial
reporting is prevented.
THE FRAUD PROCESS
• SAS 99: The Auditor’s Responsibility
to Detect Fraud
– In 1997, SAS-82, Consideration of Fraud in a
Financial Statement Audit, was issued to
clarify the auditor’s responsibility to detect
fraud.
THE FRAUD PROCESS
• A revision to SAS-82, SAS-99, was issued in
December 2002. SAS-99 requires auditors to:
– Understand fraud
• Auditors can’t effectively audit something they don’t
understand.
• SAS-99 also indicated that auditors are not lawyers and “do not
make legal determinations of whether fraud has occurred.”
• The external auditor’s interest specifically relates to acts that
result in a material misstatement of the financial statements.
• Note that SAS-99 relates to external auditors. Internal auditors
will have a more extensive interest in fraud than just those that
impact financial statements.
THE FRAUD PROCESS
• A revision to SAS-82, SAS-99, was issued in
December 2002. SAS-99 requires auditors to:
– Understand fraud
– Discuss the risks of material fraudulent
misstatements
• While planning the audit, members of the audit team
should discuss how and where the company’s financial
statements might be susceptible to fraud.
THE FRAUD PROCESS
• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
– Understand fraud
– Discuss the risks of material fraudulent misstatements
– Obtain information
• The audit team must gather evidence about the existence of fraud by:
– Looking for fraud risk factors
– Testing company records
– Asking management, the audit committee, and others if they know of any past or current fraud or of fraud risks the organization faces.
• Special care needs to be exercised in examining revenue accounts, since they are particularly popular fraud targets.
THE FRAUD PROCESS
• A revision to SAS-82, SAS-99, was issued in
December 2002. SAS-99 requires auditors to:
– Understand fraud
– Discuss the risks of material fraudulent misstatements
– Obtain information
– Identify, assess, and respond to risks
• Use the gathered information to identify, assess, and respond to
risks.
• Auditors can respond by varying the nature, timing, and extent
of auditing procedures they perform.
• They should also carefully evaluate risks related to management
override of controls.
THE FRAUD PROCESS
• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
– Understand fraud
– Discuss the risks of material fraudulent misstatements
– Obtain information
– Identify, assess, and respond to risks
– Evaluate the results of their audit tests
• Auditors must assess the risk of fraud throughout the audit.
• When the audit is complete, they must evaluate whether any identified misstatements indicate the presence of fraud.
• If so, they should determine the impact on the financial statements and the audit.
THE FRAUD PROCESS
• A revision to SAS-82, SAS-99, was issued in
December 2002. SAS-99 requires auditors to:
– Understand fraud
– Discuss the risks of material fraudulent misstatements
– Obtain information
– Identify, assess, and respond to risks
– Evaluate the results of their audit tests
– Communicate findings
• Auditors communicate their fraud
findings to management, the audit
committee, and others.
THE FRAUD PROCESS
• A revision to SAS-82, SAS-99, was issued in
December 2002. SAS-99 requires auditors to:
– Understand fraud
– Discuss the risks of material fraudulent misstatements
– Obtain information
– Identify, assess, and respond to risks
– Evaluate the results of their audit tests
– Communicate findings
– Document their audit work
• Auditors must document their
compliance with SAS-99 requirements.
THE FRAUD PROCESS
• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
– Understand fraud
– Discuss the risks of material fraudulent misstatements
– Obtain information
– Identify, assess, and respond to risks
– Evaluate the results of their audit tests
– Communicate findings
– Document their audit work
– Incorporate a technology focus
• SAS-99 recognizes that technology impacts fraud risks and notes the opportunities that auditors have to use technology-oriented tools and techniques to design fraud auditing procedures.
WHO COMMITS FRAUD AND WHY
• Researchers have compared the psychological and
demographic characteristics of three groups of people:
– White-collar criminals
– Violent criminals
– The general public
• They found:
– Significant differences between violent and white-collar
criminals.
– Few differences between white-collar criminals and the general
public.
WHO COMMITS FRAUD AND WHY
• White-collar criminals tend to mirror the general
public in:
– Education
– Age
– Religion
– Marriage
– Length of employment
– Psychological makeup
WHO COMMITS FRAUD AND WHY
• Perpetrators of computer fraud tend to be
younger and possess more computer
knowledge, experience, and skills.
• Hackers and computer fraud perps tend to be
more motivated by:
– Curiosity
– A quest for knowledge
– The desire to learn how things work
– The challenge of beating the system
WHO COMMITS FRAUD AND WHY
• They may view their actions as a game rather than
dishonest behavior.
• Another motivation may be to gain stature in the hacking
community.
• Some see themselves as revolutionaries spreading a
message of anarchy and freedom.
• But a growing number want to profit financially. To do so,
they may sell data to:
– Spammers
– Organized crime
– Other hackers
– The intelligence community
WHO COMMITS FRAUD AND WHY
• Some fraud perpetrators are disgruntled and
unhappy with their jobs and are seeking revenge
against their employers.
• Others are regarded as ideal, hard-working
employees in positions of trust.
• Most have no prior criminal record.
• So why are they willing to risk everything?
WHO COMMITS FRAUD AND WHY
• Criminologist Donald Cressey interviewed 200+
convicted white-collar criminals in an attempt to
determine the common threads in their crimes.
As a result of his research, he determined that
three factors were present in the commission of
each crime. These three factors have come to
be known as the fraud triangle.
– Pressure
– Opportunity
– Rationalization
The “Fraud Triangle” (Donald Cressey)
[Figure: the fraud triangle with its three factors: Pressure, Opportunity, and Rationalization]
WHO COMMITS FRAUD AND WHY
• The most common pressures were:
– Not being able to pay one’s debts, nor admit it to
one’s employer, family, or friends (which makes it
non-shareable)
– Fear of loss of status because of a personal failure
– Business reversals
– Physical isolation
– Status gaining
– Difficulties in employer-employee relations
WHO COMMITS FRAUD AND WHY
• What’s important here is the perception of the
pressure.
– There might be a number of people who could and would
help a tentative fraudster out of his financial woes.
– But as long as he perceives that he cannot share his
burden, the pressure is present.
– Research has also found that an individual’s propensity to
commit fraud is more related to how much he worries
about his financial position than his actual position.
– The millionaire who frets a lot about his financial condition
is more likely to commit fraud than the guy who doesn’t
have two dimes to rub together but isn’t worried about it.
WHO COMMITS FRAUD AND WHY
• Financial statement fraud is distinct from other
types of fraud in that the individuals who commit
the fraud are not the direct beneficiaries.
– The company is the direct beneficiary.
– The perpetrators are typically indirect beneficiaries.
WHO COMMITS FRAUD AND WHY
• In the case of financial statement frauds, common
pressures include:
– To prop up earnings or stock price so that management can:
• Receive performance-related compensation.
• Preserve or improve personal wealth held in company stock
or stock options.
• Keep their jobs.
– To cover the inability to generate cash flow.
– To obtain financing.
– To appear to comply with bond covenants or other agreements.
– May be opposite of propping up earnings in cases involving
income-tax motivations, government contracts, or regulation.
WHO COMMITS FRAUD AND WHY
• Opportunity is the opening or gateway that
allows an individual to:
– Commit the fraud
– Conceal the fraud
– Convert the proceeds
WHO COMMITS FRAUD AND WHY
• If the fraud is a financial statement fraud,
then the gains received may include:
– I got to keep my job.
– The value of my stock or stock options rose.
– I got a raise, promotion, or bonus.
– I got power.
WHO COMMITS FRAUD AND WHY
• There are many opportunities that enable fraud.
Some of the most common are:
– Lack of internal controls
– Failure to enforce controls (the most prevalent
reason)
– Excessive trust in key employees
– Incompetent supervisory personnel
– Inattention to details
– Inadequate staff
WHO COMMITS FRAUD AND WHY
• Internal controls that may be lacking or unenforced include:
– Authorization procedures
– Clear lines of authority
– Adequate supervision
– Adequate documents and records
– A system to safeguard assets
– Independent checks on performance
– Separation of duties
• One control feature that many companies lack is
a background check on all potential employees.
WHO COMMITS FRAUD AND WHY
• Management may allow fraud by:
– Not getting involved in the design or
enforcement of internal controls;
– Inattention or carelessness;
– Overriding controls; and/or
– Using their power to compel subordinates to
carry out the fraud.
WHO COMMITS FRAUD AND WHY
• Fraud occurs when:
– People have perceived, non-shareable pressures;
– The opportunity gateway is left open; and
– They can rationalize their actions to reduce the moral impact in
their minds (i.e., they have low integrity).
• Fraud is much less likely to occur when
– There is low pressure, low opportunity, and high integrity.
• Unfortunately, there is usually a mixture of these forces
in play, and it can be very difficult to determine the
pressures that may apply to an individual and the
rationalizations he/she may be able to produce.
APPROACHES TO COMPUTER FRAUD
• The U.S. Department of Justice defines
computer fraud as any illegal act for
which knowledge of computer technology
is essential for its:
– Perpetration;
– Investigation; or
– Prosecution.
APPROACHES TO COMPUTER FRAUD
• Computer fraud includes the following:
– Unauthorized theft, use, access, modification,
copying, and destruction of software or data.
– Theft of money by altering computer records.
– Theft of computer time.
– Theft or destruction of computer hardware.
– Use or the conspiracy to use computer
resources to commit a felony.
– Intent to illegally obtain information or tangible
property through the use of computers.
APPROACHES TO COMPUTER FRAUD
• In using a computer, fraud perpetrators
can steal:
– More of something
– In less time
– With less effort
• They may also leave very little evidence,
which can make these crimes more
difficult to detect.
APPROACHES TO COMPUTER FRAUD
• Computer systems are particularly vulnerable to
computer crimes for several reasons:
– Company databases can be huge and access
privileges can be difficult to create and enforce.
Consequently, individuals can steal, destroy, or alter
massive amounts of data in very little time.
– Organizations often want employees, customers,
suppliers, and others to have access to their system
from inside the organization and without. This access
also creates vulnerability.
– Computer programs only need to be altered once,
and they will operate that way until:
• The system is no longer in use; or
• Someone notices.
APPROACHES TO COMPUTER FRAUD
– Modern systems are accessed by PCs, which
are inherently more vulnerable to security
risks and difficult to control.
• It is hard to control physical access to each PC.
• PCs are portable, and if they are stolen, the data
and access capabilities go with them.
• PCs tend to be located in user departments, where
one person may perform multiple functions that
should be segregated.
• PC users tend to be more oblivious to security
concerns.
APPROACHES TO COMPUTER FRAUD
– Computer systems face a number of unique
challenges:
• Reliability (accuracy and completeness)
• Equipment failure
• Environmental dependency (power, water damage,
fire)
• Vulnerability to electromagnetic interference and
interruption
• Eavesdropping
• Misrouting
APPROACHES TO COMPUTER FRAUD
• Organizations that track computer fraud
estimate that most U.S. businesses have
been victimized by at least one incident of
computer fraud.
APPROACHES TO COMPUTER FRAUD
• These frauds cost billions of dollars each
year, and their frequency is increasing
because:
– Not everyone agrees on what constitutes
computer fraud.
• Many don’t believe that taking an unlicensed copy
of software is computer fraud. (It is and can result
in prosecution.)
• Some don’t think it’s a crime to browse through
someone else’s computer if their intentions aren’t
malicious.
APPROACHES TO COMPUTER FRAUD
– Many computer frauds go undetected.
– An estimated 80-90% of frauds that are
uncovered are not reported because of fear
of:
• Adverse publicity
• Copycats
• Loss of customer confidence.
– There are a growing number of competent
computer users, and they are aided by easier
access to remote computers through the
Internet and other data networks.
APPROACHES TO COMPUTER FRAUD
– Some folks believe “it can’t happen to us.”
– Many networks have a low level of security.
– Instructions on how to perpetrate computer
crimes and abuses are readily available on
the Internet.
– Law enforcement is unable to keep up with
the growing number of frauds.
– The total dollar value of losses is difficult to
calculate. $67.2 billion??
APPROACHES TO COMPUTER FRAUD
• Economic espionage, the theft of
information and intellectual property, is
growing especially fast.
• This growth has led to the need for
investigative specialists or cybersleuths.
APPROACHES TO COMPUTER FRAUD
• Computer Fraud Classification
– Frauds can be categorized according to the
data processing model:
• Input
• Processor
• Computer instructions
• Stored data
• Output
COMPUTER FRAUD CLASSIFICATIONS
[Figure: the data processing model with the five fraud categories: Input Fraud, Processor Fraud, Computer Instructions Fraud, Data Fraud, and Output Fraud]
APPROACHES TO COMPUTER FRAUD
• Input Fraud
– The simplest and most common way to commit a fraud is to alter
computer input.
• Requires few computer skills.
• Perpetrators only need to understand how the system
operates.
– Can take a number of forms, including:
• Disbursement frauds
• Inventory frauds
• Payroll frauds
• Cash receipt frauds
• Fictitious refund fraud
APPROACHES TO COMPUTER FRAUD
• Processor Fraud
– Involves computer fraud committed through
unauthorized system use.
– Includes theft of computer time and services.
– Incidents could involve employees:
• Surfing the Internet;
• Using the company computer to conduct personal business;
or
• Using the company computer to conduct a competing
business.
APPROACHES TO COMPUTER FRAUD
• In one example, an agriculture college at a major state
university was experiencing very sluggish performance from
its server.
• Upon investigating, IT personnel discovered that an individual
outside the U.S. had effectively hijacked the college’s server
to both store some of his/her research data and process it.
• The college eliminated the individual’s data and blocked
future access to the system.
• The individual subsequently contacted college personnel to
protest the destruction of the data.
• Demonstrates both:
– How a processor fraud can be committed.
– How oblivious users can sometimes be to the unethical or illegal
nature of their activities.
APPROACHES TO COMPUTER FRAUD
• Computer Instructions Fraud
– Involves tampering with the software that
processes company data.
– May include:
• Modifying the software
• Making illegal copies
• Using it in an unauthorized manner
– Also might include developing a software
program or module to carry out an
unauthorized activity.
APPROACHES TO COMPUTER FRAUD
• Computer instruction fraud used to be one of the
least common types of frauds because it
required specialized knowledge about computer
programming beyond the scope of most users.
• Today these frauds are more frequent, courtesy
of web pages that instruct users on how to
create viruses and other schemes.
APPROACHES TO COMPUTER FRAUD
• Data Fraud
– Involves:
• Altering or damaging a company’s data files; or
• Copying, using, or searching the data files without
authorization.
– In many cases, disgruntled employees have
scrambled, altered, or destroyed data files.
– Theft of data often occurs so that perpetrators can sell
the data.
• Most identity thefts occur when insiders in financial
institutions, credit agencies, etc., steal and sell financial
information about individuals from their employer’s database.
APPROACHES TO COMPUTER FRAUD
• Output Fraud
– Involves stealing or misusing system output.
– Output is usually displayed on a screen or printed on
paper.
– Unless properly safeguarded, screen output can
easily be read from a remote location using
inexpensive electronic gear.
– This output is also subject to prying eyes and
unauthorized copying.
– Fraud perpetrators can use computers and peripheral
devices to create counterfeit outputs, such as checks.
PREVENTING AND DETECTING
COMPUTER FRAUD
• Organizations must take every precaution to
protect their information systems.
• Certain measures can significantly decrease the
potential for fraud and any resulting losses.
• These measures include:
– Make fraud less likely to occur
– Increase the difficulty of committing fraud
– Improve detection methods
– Reduce fraud losses
PREVENTING AND DETECTING
COMPUTER FRAUD
• Make fraud less likely to occur
– Create a culture that stresses integrity and
commitment to ethical values and competence.
– Adopt an organizational structure, management
philosophy, operating style, and appetite for risk that
minimizes the likelihood of fraud.
– Require oversight from an active, involved, and
independent audit committee.
– Assign authority and responsibility for business
objectives to specific departments and individuals,
encourage initiative in solving problems, and hold
them accountable for achieving those objectives.
PREVENTING AND DETECTING
COMPUTER FRAUD
– Identify the events that lead to increased fraud risk,
and take steps to prevent, avoid, share, or accept that
risk.
– Develop a comprehensive set of security policies to
guide the design and implementation of specific
control procedures, and communicate them effectively
to company employees.
– Implement human resource policies for hiring,
compensating, evaluating, counseling, promoting, and
discharging employees that send messages about the
required level of ethical behavior and integrity.
– Effectively supervise employees, including monitoring
their performance and correcting their errors.
PREVENTING AND DETECTING
COMPUTER FRAUD
– Train employees in integrity and ethical
considerations, as well as security and fraud
prevention measures.
– Require annual employee vacations, periodically
rotate duties of key employees, and require signed
confidentiality agreements.
– Implement formal and rigorous project development
and acquisition controls, as well as change
management controls.
– Increase the penalty for committing fraud by
prosecuting fraud perpetrators more vigorously.
PREVENTING AND DETECTING
COMPUTER FRAUD
• Increase the difficulty of committing
fraud
– Develop a strong system of internal controls
– Segregate the accounting functions of:
• Authorization
• Recording
• Custody
– Implement a proper segregation of duties
between systems functions
– Restrict physical and remote access to
system resources to authorized personnel
PREVENTING AND DETECTING
COMPUTER FRAUD
– Require transactions and activities to be authorized
by appropriate supervisory personnel. Have the
system authenticate the person and their right to
perform the transaction before allowing the
transaction to take place.
– Use properly designed documents and records to
capture and process transactions.
– Safeguard all assets, records, and data.
– Require independent checks on performance, such
as reconciliation of two independent sets of records,
where possible and appropriate.
PREVENTING AND DETECTING
COMPUTER FRAUD
– Implement computer-based controls over data input,
computer processing, data storage, data
transmission, and information output.
– Encrypt stored and transmitted data and programs to
protect them from unauthorized access and use.
– Fix known software vulnerabilities by installing the
latest updates to operating systems, security, and
applications programs.
PREVENTING AND DETECTING
COMPUTER FRAUD
• Improve detection methods.
– Create an audit trail so individual transactions
can be traced through the system to the
financial statements and vice versa.
– Conduct periodic external and internal audits,
as well as special network security audits.
– Install fraud detection software.
– Implement a fraud hotline.
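As an added illustration of three of the controls above (segregating authorization, recording and custody; independent checks by reconciling two sets of records; and an audit trail that lets each transaction be traced), here is a small Python detective-control script. It is example code written for this page, not from the textbook; the audit-trail field names and the sample records are constructed assumptions.

```python
# Constructed sample audit trail. Each entry records who performed the three
# accounting functions the slides say to segregate: authorization, recording,
# and custody of the asset. Field names are assumptions, not the book's.
AUDIT_TRAIL = [
    {"txn": "T001", "amount": 1200.00, "authorized_by": "alice", "recorded_by": "bob", "custody_by": "carol"},
    {"txn": "T002", "amount": 350.00, "authorized_by": "dave", "recorded_by": "dave", "custody_by": "carol"},
    {"txn": "T003", "amount": 980.00, "authorized_by": "alice", "recorded_by": "bob", "custody_by": "carol"},
    {"txn": "T004", "amount": 75.00, "authorized_by": "erin", "recorded_by": "bob", "custody_by": "erin"},
]

# Constructed independent record set (think of a bank statement) used for the
# "reconciliation of two independent sets of records" check.
BANK_STATEMENT = {"T001": 1200.00, "T002": 350.00, "T003": 890.00, "T005": 60.00}


def segregation_violations(trail):
    """Return ids of transactions where one person performed two or more of
    authorization, recording, and custody (a segregation-of-duties breach)."""
    flagged = []
    for t in trail:
        roles = [t["authorized_by"], t["recorded_by"], t["custody_by"]]
        if len(set(roles)) < len(roles):  # a name repeats across the roles
            flagged.append(t["txn"])
    return flagged


def reconcile(trail, independent, tolerance=0.005):
    """Compare the system's audit trail against an independently kept record.
    Returns (in_trail_only, in_independent_only, amount_mismatches), so each
    transaction can be traced in both directions between the two sources."""
    ours = {t["txn"]: t["amount"] for t in trail}
    in_trail_only = sorted(k for k in ours if k not in independent)
    in_independent_only = sorted(k for k in independent if k not in ours)
    mismatches = sorted(
        k for k in ours if k in independent and abs(ours[k] - independent[k]) > tolerance
    )
    return in_trail_only, in_independent_only, mismatches


if __name__ == "__main__":
    print("segregation-of-duties violations:", segregation_violations(AUDIT_TRAIL))
    only_ours, only_bank, wrong_amount = reconcile(AUDIT_TRAIL, BANK_STATEMENT)
    print("in audit trail but not on statement:", only_ours)
    print("on statement but not in audit trail:", only_bank)
    print("amount differs between the two records:", wrong_amount)
```

Each flagged id is a lead for follow-up, not proof of fraud; the value of the check is that it runs against records the transaction's own author did not control.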
PREVENTING AND DETECTING
COMPUTER FRAUD
– Employ a computer security officer, as well as
computer consultants and forensic specialists
as needed.
– Monitor system activities, including computer
and network security efforts, usage and error
logs, and all malicious actions.
– Use intrusion detection systems to help
automate the monitoring process.
PREVENTING AND DETECTING
COMPUTER FRAUD
• Reduce Fraud Losses
– Maintain adequate insurance.
– Develop comprehensive fraud contingency,
disaster recovery, and business continuity
plans.
– Store backup copies of program and data files
in a secure, off-site location.
– Use software to monitor system activity and
recover from fraud.
SUMMARY
• In this chapter, you’ve learned what fraud
is, who commits fraud, and how it’s
perpetrated.
• You’ve learned about the many variations
of computer fraud, and you’ve learned
about techniques to reduce an
organization’s vulnerability to these types
of fraud.