2IntroductionInformation systems are becoming increasingly more complex and society is becoming increasingly more dependent on these systems.Companies also face a growing risk of these systems being compromised.Recent surveys indicate 67% of companies suffered a security breach in the last year with almost 60% reporting financial losses.
3Threats to AIS Natural and political disasters Include: Fire or excessive heatFloodsEarthquakesHigh windsWar and terrorist attack
4Threats to AIS Natural and political disasters Software errors and equipment malfunctionInclude:Hardware or software failuresSoftware errors or bugsOperating system crashesPower outages and fluctuationsUndetected data transmission errors
5Threats to AIS Natural and political disasters Software errors and equipment malfunctionUnintentional actsIncludeAccidents caused by:Human carelessnessFailure to follow established proceduresPoorly trained or supervised personnelInnocent errors or omissionsLost, destroyed, or misplaced dataLogic errorsSystems that do not meet needs or are incapable of performing intended tasks
6Threats to AIS Natural and political disasters Software errors and equipment malfunctionUnintentional actsIntentional acts (computer crime)Include:SabotageComputer fraudMisrepresentation, false use, or unauthorized disclosure of dataMisappropriation of assetsFinancial statement fraudInformation systems are increasingly vulnerable to these malicious attacks.
7FraudAny means a person uses to gain an unfair advantage over another person; includes:A false statement, representation, or disclosureA material fact, which induces a victim to actAn intent to deceiveVictim relied on the misrepresentationInjury or loss was suffered by the victimFraud is white collar crimeScanning the headlines or doing a simple Google search can show many news articles at your local or regional level as well as national and international fraud.Because fraud is often perpetrated by knowledgeable insiders, it is important for accountants to maintain the highest level of professional ethics.
8Two Categories of Fraud Misappropriation of assetsTheft of company assets which can include physical assets (e.g., cash, inventory) and digital assets (e.g., intellectual property such as protected trade secrets, customer data)Largest factors for theft of assets:Absence of internal control systemFailure to enforce internal control system
9Two Categories of Fraud Fraudulent financial reporting“cooking the books”(e.g.,booking fictitious revenue,McCormick grocery productsBooking revenue before it is earnedXeroxoverstating assets, etc.Crazy Eddies)
10Reasons for Fraudulent Financial Statements Deceive investors or creditorsIncrease a company’s stock priceMeet cash flow needsHide company losses or other problems
11Treadway Commission Actions to Reduce Fraud Establish environment which supports the integrity of the financial reporting process.Identification of factors that lead to fraud.Assess the risk of fraud within the company.Design and implement internal controls to provide assurance that fraud is being prevented.
12SAS #99 Auditors responsibility to detect fraud Understand fraud Discuss risks of material fraudulent statementsAmong members of audit teamObtain informationLook for fraud risk factorsIdentify, assess, and respond to riskEvaluate the results of audit testsDetermine impact of fraud on financial statementsDocument and communicate findingsIncorporate a technological focus
13Conditions for FraudThese three conditions must be present for fraud to occur:PressureEmployeeFinancialLifestyleEmotionalFinancial StatementManagementIndustry conditionsOpportunity to:CommitConcealConvert to personal gainRationalizeJustify behaviorAttitude that rules don’t applyLack personal integrityFrom your accounting coursework in your program, it is important to understand why internal controls are so important. In this book we will cover many internal controls that will prevent and detect these two categories of fraud. In your financial accounting coursework, it is important to understand why transactions should be recorded correctly and in the proper time period. Inappropriate transactions recorded in the accounting system can be indicators of covering up misappropriation of assets or management’s intent to “cook the books”.That is why for fraud to occur there must be:Pressure or incentive to commit the fraudOpportunity to commit the fraudRationalization of the person committing the fraud as to why it’s ok that they committed the fraudWith articles that you find in the news on fraud, see if you can identify the pressure, opportunity, and rationalization as to how the person committed the fraud and why they did it.
14Fraud TriangleFigure 5-1 in the text is a good visualization of the Fraud Triangle and the detailed components of the two major types of pressure, the 3 C’s needed for opportunity and types of rationalization. It is noted that committing a fraud requires that all three components to occur: opportunity to commit the fraud, conceal the fraud, and then convert it.
15PRESSURES THAT LEAD TO EMPLOYEE FRAUD FINANCIALLiving beyond meansHigh personal debt/expenses“Inadequate” salary/incomePoor credit ratingsHeavy financial lossesBad investmentsTax avoidanceMeet unreasonable quotas/goalsEMOTIONALGreedUnrecognized performanceJob dissatisfactionFear of losing jobPower or controlPride or ambitionBeating the systemFrustrationNon-conformityEnvy, resentmentArrogance, dominanceNon-rules orientedLIFESTYLESupport gambling habitDrug or alcohol addictionSupport sexual relationshipsFamily/peer pressure
17Opportunity Commit the fraud Conceal the fraud ConvertCondition or situation that allows a person or organization to:Commit the fraudConceal the fraudConvert the theft or misrepresentation to personal gain
18OPPORTUNITIES PERMITTING EMPLOYEE AND FINANCIAL STATEMENT FRAUD Internal Control FactorsFailure to enforce/monitor internal controlsManagement not involved in control systemManagement override of controls and guidelinesManagerial carelessness/inattention to detailsDominant and unchallenged managementIneffective oversight by board of directorsNo effective internal auditing staffInfrequent third-party reviewsInsufficient separation of authorization, custody, and record-keeping dutiesToo much trust in key employeesInadequate supervisionUnclear lines of authority
19OPPORTUNITIES PERMITTING EMPLOYEE AND FINANCIAL STATEMENT FRAUD Lack of proper authorization proceduresNo independent checks on performanceInadequate documents and recordsInadequate system for safeguarding assetsNo physical or logical security systemNo audit trailsFailure to conduct background checksNo policy of annual vacations, rotation of duties
20OPPORTUNITIES PERMITTING EMPLOYEE AND FINANCIAL STATEMENT FRAUD Other FactorsLarge, unusual, or complex transactionsNumerous adjusting entries at year endRelated-party transactionsAccounting department understaffed and overworkedIncompetent personnelRapid turnover of key employeesLengthy tenure in a key jobUnnecessarily complex organizational structureNo code of conduct, conflict of interest statements, or definitions of unacceptable behaviorFrequently changing auditors/legal counselOperating on a crisis basisClose association with suppliers/customers
21OPPORTUNITIES PERMITTING EMPLOYEE AND FINANCIAL STATEMENT FRAUD Assets highly susceptible to misappropriationQuestionable accounting practicesPushing accounting principles to the limitUnclear company policies and proceduresFailing to teach and stress corporate honestyFailure to prosecute dishonest employeesLow employee morale and loyalty
22Lack of Peronal Integrity RationalizationsJustification of illegal behaviorJustificationI am not being dishonest.I am only borrowing and will pay it backAttitudeI don’t need to be honest.Lack of personal integrityTheft is valued higher than honesty or integrity.RationalizationJustificationAttitudeLack of Peronal Integrity
23Computer FraudIf a computer is used to commit fraud it is called computer fraud.Computer fraud is classified as:InputProcessorComputer instructionDataOutputUsing the data processing diagram model that we discussed in Chapter 2, computer fraud is classified using this structure:From the processing cycle of the DP model, it would include processor and computer instruction fraud.The best way to learn about the computer fraud classifications is to talk about stories that occurred within these classifications. The book does a good job at describing many stories within these classifications.If you are a movie fan, there are many movies out there that use computer fraud as a storyline in the plot. For example, the movie “Office Space” is about a group of guys at a company that are unhappy with the company management. They change the computer code (computer instruction fraud) to divert fractions of pennies to an account that they own. You will have to watch the movie yourself to see if you can identify the components of fraud.A good example of output fraud is someone stealing the company trash to examine the reports generated and placed in the trash from a computer system. That is why many companies now have shredding policies.Although not a complete list here are some favorites (you can find many more just by going to the Web and looking for movies with fraud in the plot):Office SpaceCatch Me If You CanThe Informant!
24Computer Fraud In using a computer, fraud perpetrators can steal: More of somethingIn less timeWith less effortThey may also leave very little evidence, which can make these crimes more difficult to detect.
25Computer FraudComputer systems are particularly vulnerable to computer crimes for several reasons:Company databases can be huge and access privileges can be difficult to create and enforce. Consequently, individuals can steal, destroy, or alter massive amounts of data in very little time.Organizations often want employees, customers, suppliers, and others to have access to their system from inside the organization and without. This access also creates vulnerability.Computer programs only need to be altered once, and they will operate that way until:The system is no longer in use; orSomeone notices.
26Computer FraudModern systems are accessed by PCs, which are inherently more vulnerable to security risks and difficult to control.It is hard to control physical access to each PC.PCs are portable, and if they are stolen, the data and access capabilities go with them.PCs tend to be located in user departments, where one person may perform multiple functions that should be segregated.PC users tend to be more oblivious to security concerns.
27Computer systems face a number of unique challenges: Computer FraudComputer systems face a number of unique challenges:Reliability (accuracy and completeness)Equipment failureEnvironmental dependency (power, water damage, fire)Vulnerability to electromagnetic interference and interruptionEavesdroppingMisrouting
28Rise of Computer Fraud Definition is not agreed on Many go undetected High percentage is not reportedLack of network securityStep-by-step guides are easily availableNext 3 slidesLaw enforcement is overburdenedDifficulty calculating loss
30Easier if WPS enabledCopyright 2012 Pearson Education, Inc. publishing as Prentice Hall
31Computer Fraud Classifications Input FraudThe simplest and most common way to commit a fraud is to alter computer input.Requires little computer skills.Perpetrator only needs to understand how the system operatesCan take a number of forms, including:Disbursement fraudsInventory fraudsPayroll fraudsCash receipt fraudsFictitious refund fraud
32Computer Fraud Classifications Processor fraudInvolves computer fraud committed through unauthorized system use.Includes theft of computer time and services.Incidents could involve employees:Using the company computer to conduct personal business; orUsing the company computer to conduct a competing business.
33Computer Fraud Classifications Computer instructions fraudInvolves tampering with the software that processes company data.May include:Modifying the softwareMaking illegal copiesUsing it in an unauthorized mannerAlso might include developing a software program or module to carry out an unauthorized activity.
34Computer Fraud Classifications Data fraudInvolves:Altering or damaging a company’s data files; orCopying, using, or searching the data files without authorization.In many cases, disgruntled employees have scrambled, altered, or destroyed data files.Theft of data often occurs so that perpetrators can sell the data.Most identity thefts occur when insiders in financial institutions, credit agencies, etc., steal and sell financial information about individuals from their employer’s database.
35Computer Fraud Classifications Output fraudInvolves stealing or misusing system output.Output is usually displayed on a screen or printed on paper.Unless properly safeguarded, screen output can easily be read from a remote location using inexpensive electronic gear.This output is also subject to prying eyes and unauthorized copying.Fraud perpetrators can use computers and peripheral devices to create counterfeit outputs, such as checks.
36Preventing and Detecting Fraud 1. Make Fraud Less Likely to Occur OrganizationalSystemsCreate a culture of integrityAdopt structure that minimizes fraud, create governance (e.g., Board of Directors)Assign authority for business objectives and hold them accountable for achieving those objectives, effective supervision and monitoring of employeesCommunicate policiesDevelop security policies to guide and design specific control proceduresImplement change management controls and project development acquisition controlsTable 5-5 is a long list for students to remember, it may be simpler to break the list down into categories that would be general for the organization and those that are specific from a systems perspectiveThese details are discussed more in Chapters 7 through 10 in the text
37Preventing and Detecting Fraud 2. Make It Difficulty to Commit OrganizationalSystemsDevelop strong internal controlsSegregate accounting functionsUse properly designed formsRequire independent checks and reconciliations of dataRestrict accessSystem authenticationImplement computer controls over input, processing, storage and output of dataUse encryptionFix software bugs and update systems regularlyDestroy hard drives when disposing of computers
38Preventing and Detecting Fraud 3. Improve Detection OrganizationalSystemsAssess fraud riskExternal and internal auditsFraud hotlineAudit trail of transactions through the systemInstall fraud detection softwareMonitor system activities (user and error logs, intrusion detection)
39Preventing and Detecting Fraud 4. Reduce Fraud Losses OrganizationalSystemsInsuranceBusiness continuity and disaster recovery planStore backup copies of program and data files in secure, off-site locationMonitor system activity