Accounting Information System

Computer Fraud
 Learning Objectives
After studying this chapter, you should be able to:
1. Explain the threats faced by modern information
systems.
2. Define fraud and describe both the different types of
fraud and the process one follows to perpetuate a fraud.
3. Discuss who perpetrates fraud and why it occurs,
including the pressures, opportunities, and
rationalizations that are present in most frauds.
4. Define computer fraud and discuss the different
computer fraud classifications.
5. Explain how to prevent and detect computer fraud and
abuse.
Threats to AIS
 Threats to AIS
1. Natural and political disasters—such as fires,
floods, earthquakes, hurricanes, tornadoes,
blizzards, wars, and attacks by terrorists—can
destroy an information system and cause many
companies to fail.
2. Software errors, operating system crashes,
hardware failures, power outages and
fluctuations, and undetected data transmission
errors constitute a second type of threat.
 Threats to AIS
3. Unintentional acts such as accidents or innocent errors and
omissions, is the greatest risk to information systems and
causes the greatest financial losses. Unintentional acts are
caused by human carelessness, failure to follow established
procedures, and poorly trained or supervised personnel. Users
lose or misplace data and accidentally erase or alter files, data,
and programs. Computer operators and users enter the wrong
input or erroneous input, use the wrong version of a program
or the wrong data files, or misplace data files. Systems
analysts develop systems that do not meet company needs,
that leave them vulnerable to attack, or that are incapable of
handling their intended tasks. Programmers make logic errors.
 Threats to AIS
4. Intentional act such as a computer crime, a fraud, or
sabotage, which is deliberate destruction or harm to a
system. Information systems are increasingly vulnerable to
attacks
Introduction to Fraud
Fraud is gaining an unfair advantage over another
person. Legally, for an act to be fraudulent there must
be:
1. A false statement, representation, or disclosure
2. A material fact, which is something that induces a
person to act
3. An intent to deceive
4. A justifiable reliance; that is, the person relies on the
misrepresentation to take an action
5. An injury or loss suffered by the victim
Introduction to Fraud
White-collar criminals - Typically, businesspeople
who commit fraud. White-collar criminals usually
resort to trickery or cunning, and their crimes usually
involve a violation of trust or confidence.
Corruption is dishonest conduct by those in power
and it often involves actions that are illegitimate,
immoral, or incompatible with ethical standards.
There are many types of corruption; examples
include bribery and bid rigging.
Introduction to Fraud
Investment fraud is misrepresenting or leaving out
facts in order to promote an investment that
promises fantastic profits with little or no risk.
 Two types of frauds that are
important to businesses
1. Misappropriation of assets (sometimes called
employee fraud); and
2. Fraudulent financial reporting (sometimes
called management fraud).
 Misappropriation of assets
Misappropriation of assets is the theft of
company assets by employees.

The most significant contributing factor in

most misappropriations is the absence of
internal controls and/or the failure to enforce
existing internal controls
Fraudulent Financial Reporting
Intentional or reckless conduct, whether by
act or omission, that results in materially
misleading financial statements. Management
falsifies financial statements to deceive
investors and creditors, increase a company’s
stock price, meet cash flow needs, or hide
company losses and problems.
Fraudulent Financial Reporting
The most frequent “cook the books” schemes
involve fictitiously inflating revenues, holding
the books open (recognizing revenues before
they are earned), closing the books early
(delaying current expenses to a later period),
overstating inventories or fixed assets, and
concealing losses and liabilities.
 Four actions to reduce fraudulent
financial reporting:
1. Establish an organizational environment that
contributes to the integrity of the financial reporting
process.
2. Identify and understand the factors that lead to
fraudulent financial reporting.
3. Assess the risk of fraudulent financial reporting within
the company.
4. Design and implement internal controls to provide
reasonable assurance of preventing fraudulent
financial reporting.
 The Auditor’s Responsibility to
Detect Fraud
Understand fraud. Because auditors cannot
effectively audit something they do not
understand, they must understand fraud and
how and why it is committed.
Discuss the risks of material fraudulent
misstatements. While planning the audit, team
members discuss among themselves how and
where the company’s financial statements are
susceptible to fraud.
The Auditor’s Responsibility to
Detect Fraud
Obtain information. The audit team gathers
evidence by looking for fraud risk factors;
testing company records; and asking
management, the audit committee of the
board of directors, and others whether they
know of past or current fraud. Because many
frauds involve revenue recognition, special
care is exercised in examining revenue
accounts.
The Auditor’s Responsibility to
Detect Fraud
Identify, assess, and respond to risks. The
evidence is used to identify, assess, and
respond to fraud risks by varying the nature,
timing, and extent of audit procedures and by
evaluating carefully the risk of management
overriding internal controls.
The Auditor’s Responsibility to
Detect Fraud
Evaluate the results of their audit tests.
Auditors must evaluate whether identified
misstatements indicate the presence of fraud
and determine its impact on the financial
statements and the audit.
Document and communicate findings. Auditors
must document and communicate their
findings to management and the audit
committee.
The Auditor’s Responsibility to
Detect Fraud
Incorporate a technology focus. Indeed the
technology has an impact on fraud risks
prompting auditors to use technology to
design fraud-auditing procedures.
 The Fraud Triangle
For most predatory fraud perpetrators, all the
fraudster needs is an opportunity and the
criminal mind-set that allows him/her to
commit the fraud. For most first-time fraud
perpetrators, three conditions are present
when fraud occurs: a pressure, an
opportunity, and a rationalization.
The Fraud Triangle
 Pressures
A pressure is a person’s incentive or motivation
for committing fraud.
Three types of pressures that
lead to misappropriations:
 Opportunities
Opportunity is the condition or situation,
including one’s personal abilities, that allows a
perpetrator to do three things:
a. Commit the fraud.
b.Conceal the fraud
c. Convert the theft or misrepresentation to
personal gain
Lapping - Concealing the theft of cash by
means of a series of delays in posting
collections to accounts receivable.

Example: an employee of Company Z steals the cash or

checks customer A mails in to pay the money it owes to
Company Z. Later, the employee uses funds from customer
B to pay off customer A’s balance. Funds from customer C
are used to pay off customer B’s balance, and so forth.
Because the theft involves two asset accounts (cash and
accounts receivable), the cover-up must continue
indefinitely unless the money is replaced or the debt is
written off the books.
Check kiting - Creating cash using the lag between
the time a check is deposited and the time it
clears the bank.
Example: Suppose an individual or a company opens accounts in
banks A, B, and C. The perpetrator “creates” cash by depositing
a $1,000 check from bank B in bank C and withdrawing the
funds. If it takes two days for the check to clear bank B, he has
created $1,000 for two days. After two days, the perpetrator
deposits a $1,000 check from bank A in bank B to cover the
created $1,000 for two more days. At the appropriate time,
$1,000 is deposited from bank C in bank A. The scheme
continues—writing checks and making deposits as needed to
keep the checks from bouncing—until the person is caught or
he deposits money to cover the created and stolen cash.
 Opportunities
Many opportunities are the result of a deficient system of
internal controls, such as deficiencies in proper segregation of
duties, authorization procedures, clear lines of authority,
proper supervision, adequate documents and records,
safeguarding assets, or independent checks on performance.
Management permits fraud by inattention or carelessness.
Management commits fraud by overriding internal controls or
using a position of power to compel subordinates to
perpetrate it. The most prevalent opportunity for fraud
results from a company’s failure to design and enforce its
internal control system.
 Opportunities
Other factors provide an opportunity to commit and conceal
fraud when the company has unclear policies and procedures,
fails to teach and stress corporate honesty, and fails to
prosecute those who perpetrate fraud. Examples include
large, unusual, or complex transactions; numerous adjusting
entries at year-end; questionable accounting practices;
pushing accounting principles to the limit; related-party
transactions; incompetent personnel, inadequate staffing,
rapid turnover of key employees, lengthy tenure in a key job,
and lack of training.
 Opportunities
Frauds occur when employees build mutually beneficial
personal relationships with customers or suppliers, such as a
purchasing agent buying goods at an inflated price in
exchange for a vendor kickback.

Fraud can also occur when a crisis arises and normal control
procedures are ignored.
 Rationalizations
The excuse that fraud perpetrators use to justify
their illegal behavior.

The most frequent rationalizations include the following:

– You would understand if you knew how badly I needed it.
– What I did was not that serious.
– It was for a good cause (the Robin Hood syndrome: robbing the rich to
give to the poor).
– Everyone else is doing it.
– No one will ever know.
– The company owes it to me; I am taking no more than is rightfully
mine.
 Computer Fraud
Computer fraud is any fraud that requires
computer technology to perpetrate it.
Examples include:
a. Unauthorized theft, use, access, modification, copying,
or destruction of software, hardware, or data ;
b. Theft of assets covered up by altering computer
records ;
c. Obtaining information or tangible property illegally
using computers.
 Computer Fraud Classification
1. Input Fraud
2. Processor Fraud
3. Computer Instruction Fraud
4. Data Fraud
5. Output Fraud
 Input Fraud
The simplest and most common way to commit a
computer fraud is to alter or falsify computer input. It
requires little skill; perpetrators need only understand
how the system operates so they can cover their
tracks.

Example: An employee at the Veteran’s Memorial

Coliseum sold customers full-price tickets, entered
them as half-price tickets, and pocketed the
difference.
 Processor Fraud
Processor fraud includes unauthorized system
use, including the theft of computer time and
services
Example: Two accountants without the appropriate
access rights hacked into Cisco’s stock option system,
transferred over $6.3 million of Cisco stock to their
brokerage accounts, and sold the stock. They used part
of the funds to support an extravagant lifestyle,
including a $52,000 Mercedes-Benz, a $44,000
diamond ring, and a $20,000 Rolex watch.
 Computer Instruction Fraud
Computer instructions fraud includes
tampering with company software, copying
software illegally, using software in an
unauthorized manner, and developing
software to carry out an unauthorized activity.
 Data Fraud
Illegally using, copying, browsing, searching, or
harming company data constitutes data fraud.
Example: The U.S. Department of Veterans
Affairs was sued because an employee laptop
containing the records of 26.5 million veterans
was stolen, exposing them to identity theft.
Soon thereafter, a laptop with the records of
38,000 people disappeared from a
subcontractor’s office.
 Output Fraud
Unless properly safeguarded, displayed or
printed output can be stolen, copied, or
misused.
Fraud perpetrators use computers to forge
authentic-looking outputs, such as a paycheck.
A fraud perpetrator can scan a company
paycheck, use desktop publishing software to
erase the payee and amount, and print
fictitious paychecks
Source: Accounting Information System 2013 Edition by Romney Steinbart