
COMMON THREATS TO AIS:
• Natural Disasters and Terrorist Threats
• Software Errors and/or Equipment Malfunction
• Unintentional Acts (Human Error)
• Intentional Acts (Computer Crimes)

FRAUD: individuals who commit fraud are referred to as white-collar criminals.
• Gaining an unfair advantage over another person.
  o A false statement, representation, or disclosure
  o A material fact that induces a person to act
  o An intent to deceive
  o A justifiable reliance on the fraudulent fact on which a person takes action
  o An injury or loss suffered by the victim

Forms of Fraud:
• Misappropriation of Assets
  o Theft of a company's assets
  o Largest factors for theft of assets
    ▪ Absence of internal control system
    ▪ Failure to enforce internal control system
• Fraudulent Financial Reporting
  o "intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements" (The Treadway Commission)

Reasons for Fraudulent Financial Statements
• Deceive investors or creditors
• Increase a company's stock price
• Meet cash flow needs
• Hide company losses or other problems

Treadway Commission Actions to Reduce Fraud
• Establish an environment which supports the integrity of the financial reporting process.
• Identification of factors that lead to fraud
• Assess the risk of fraud within the company
• Design and implement internal controls to provide assurance that fraud is being prevented.

SAS #99:
• Auditors' Responsibility to detect fraud
  o Understand fraud
  o Discuss risk of material fraudulent statements
    ▪ Among members of audit team
  o Obtain Information
    ▪ Look for fraud risk factors
  o Identify, assess, and respond to risk
  o Evaluate the results of audit tests
    ▪ Determine impact of fraud on financial statements
  o Document and communicate findings
    ▪ See chapter 3
  o Incorporate a technological focus

FRAUD TRIANGLE:
• Pressure- motivation or incentive to commit fraud
  o Types:
    ▪ Employee
      - Financial
      - Emotional
      - Lifestyle
    ▪ Financial
      - Financial
      - Industry Conditions
      - Management Characteristics
• Opportunity- condition or situation that allows a person or organization to:
  o Commit the fraud
  o Conceal the fraud
    ▪ Lapping
    ▪ Kiting
  o Convert the theft or misrepresentation to personal gain
• Rationalizations- justification of illegal behavior
  o Justification
    ▪ I am not being dishonest
  o Attitude
    ▪ I don't need to be honest
  o Lack of Personal Integrity
    ▪ Theft is valued higher than honesty or integrity

Computer Fraud: any illegal act in which knowledge of computer technology is necessary for:
• Perpetration
• Investigation
• Prosecution

Rise of Computer Fraud:
• Definition is not agreed on
• Many go undetected
• High percentage is not reported
• Lack of network security
• Step-by-step guides are easily available
• Law enforcement is overburdened
• Difficulty calculating loss

Computer Fraud Classifications
• Input Fraud- alteration or falsifying of input
• Processor Fraud- unauthorized system use
• Computer Instructions Fraud- modifying software, illegal copying of software, using software in an unauthorized manner, creating software to perform unauthorized activities.
• Data Fraud- illegally using, copying, browsing, searching, or harming company data.
• Output Fraud- stealing, copying, or misusing computer printouts or displayed information.

COMPUTER ATTACKS AND ABUSE:
• Hacking- unauthorized access, modification, or use of a computer system or other electronic device.
• Social Engineering- techniques, usually psychological tricks, to gain access to sensitive data or information
  o Used to gain access to secure systems or locations
• Malware- any software which can be used to do harm.

Types of Computer Attacks:
• Botnet- Robot Network
  o Network of hijacked computers
  o Hijacked computers carry out processes without users' knowledge
  o Zombie- hijacked computer
• Denial-of-Service (DoS) Attack
  o Constant stream of requests made to a Web server (usually via a botnet) that overwhelms and shuts down service
• Spoofing
  o Making an electronic communication look as if it comes from a trusted official source to lure the recipient into providing information.

Types of Spoofing:
• Email- email sender appears as if it comes from a different source.
• Caller-ID- incorrect number is displayed
• IP Address- forged IP address to conceal the identity of the sender of data over the internet or to impersonate another computer system
• Address Resolution Protocol (ARP)- allows a computer on a LAN to intercept traffic meant for any other computer on the LAN.
• SMS- incorrect number or name appears, similar to caller-ID but for text messaging.
• Web Page- phishing
• DNS- intercepting a request for a Web service and sending the request to a false service.

Hacking Attacks:
• Cross-Site Scripting (XSS)- unwanted code is sent via dynamic Web pages disguised as user input.
• Buffer Overflow- data is sent that exceeds computer capacity, causing program instructions to be lost and replaced with attacker instructions.
• SQL Injection (Insertion)- malicious code is inserted in place of a query to a database system.
• Man-in-the-Middle- hacker places themselves between client and host
• Password Cracking- penetrating system security to steal passwords
• War Dialing- computer automatically dials phone numbers looking for modems.
• Phreaking- attacks on phone systems to obtain free phone service
• Data Diddling- making changes to data before, during, or after it is entered into a system.
• Data Leakage- unauthorized copying of company data
• Economic Espionage- theft of information, trade secrets, and intellectual property.
• Cyber-Bullying- using the internet, cell phones, or other communication technologies to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person.
• Internet Terrorism- act of disrupting electronic commerce and harming computers and communications.
• Internet Misinformation.

Hacking Embezzlement Schemes:
• Salami Technique- taking small amounts from many different accounts
• Superzapping- unauthorized use of special system programs to bypass regular system controls and perform illegal acts, all without leaving an audit trail.

Hacking for Fraud:
• Internet Misinformation- using the internet to spread false or misleading information
• Internet Auction- using an internet auction site to defraud another person
  o Unfairly drive up bidding
  o Seller delivers inferior merchandise or fails to deliver at all
  o Buyer fails to make payment
• Internet Pump-and-Dump- using the internet to pump up the price of a stock and then selling it.

Social Engineering Techniques:
• Identity Theft- assuming someone else's identity.
• Pretexting- inventing a scenario that will lull someone into divulging sensitive information
• Posing- using a fake business to acquire sensitive information
• Phishing- posing as a legitimate company asking for verification-type information: passwords, accounts, usernames
• Pharming- redirecting web site traffic to a spoofed web site.
• Typosquatting- typographical errors when entering a web site name cause an invalid site to be accessed.
• Tabnapping- changing an already open browser tab
• Scavenging- looking for sensitive information in items thrown away
• Shoulder Surfing- snooping over someone's shoulder for sensitive information

More Social Engineering:
• Lebanese Looping- capturing ATM PIN and card numbers
• Skimming- double-swiping a credit card
• Chipping- planting a device to read credit information in a credit card reader
• Eavesdropping- listening to private communications

Types of Malware:
• Spyware- secretly monitors and collects personal information about users and sends it to someone else
  o Adware- pops banner ads on a monitor, collects information about the user's Web-surfing and spending habits, and forwards it to the adware creator.
• Key Logging- records computer activity, such as a user's keystrokes, e-mails sent and received, Web sites visited and chat session participation.
• Trojan Horse- malicious computer instructions in an authorized and otherwise properly functioning program
  o Time Bombs/Logic Bombs- idle until triggered by a specific date or time, by a change in the system, by a message sent to the system, or by an event that does not occur.
• Trap Door/Back Door- a way into a system that bypasses normal authorization and authentication controls
• Packet Sniffers- capture data from information packets as they travel over networks
  o Rootkit- used to hide the presence of trap doors, sniffers, and key-loggers; conceal software that originates a denial-of-service or an e-mail spam attack; and access user names and log-in information.

INTERNAL CONTROL: system to provide reasonable assurance that objectives are met, such as:
• Safeguard assets
• Maintain records in sufficient detail to report company assets accurately and fairly
• Provide accurate and reliable information
• Prepare financial reports in accordance with established criteria
• Promote and improve operational efficiency
• Encourage adherence to prescribed managerial policies
• Comply with applicable laws and regulations

Functions of Internal Control:
• Preventive- deter problems
• Detective- discover problems
• Corrective- correct problems

Categories of Internal Control:
• General- overall IC system and processes
• Application- transactions are processed correctly

Sarbanes-Oxley (2002): designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud.
• Public Company Accounting Oversight Board (PCAOB)
  o Oversight of auditing profession
• New Auditing Rules
  o Partners must rotate periodically
  o Prohibited from performing certain non-audit services
• New Roles for Audit Committee
  o Be part of board of directors and be independent
  o One member must be a financial expert
  o Oversees external auditors
• New Rules for Management
  o Financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
  o The auditors were told about all material internal control weaknesses and fraud.
• New Internal Control Requirements
  o Management is responsible for establishing and maintaining an adequate internal control system.

SOX Management Rules:
• Base evaluation of internal control on a recognized framework
• Disclose all material internal control weaknesses
• Conclude that a company does not have effective financial reporting internal controls if there are material weaknesses.

Internal Control Frameworks:
• Control Objectives for Information and Related Technology (COBIT)
  o Business objectives
  o IT Resources
  o IT Processes
• Committee of Sponsoring Organizations (COSO)
  o Internal Control- integrated framework
    ▪ Control environment
    ▪ Control activities
    ▪ Risk assessment
    ▪ Information and communication
    ▪ Monitoring

Internal Control:
• Enterprise Risk Management Model
  o Risk-Based vs. Control-Based
• COSO Elements
  o Setting Objectives
  o Event Identification
  o Risk Assessment
    ▪ Can be controlled but also
      - Accepted
      - Diversified
      - Shared
      - Transferred

Control Environment:
• Management's philosophy, operating style, and risk appetite
• The board of directors
• Commitment to integrity, ethical values, and competence
• Organizational structure
• Methods of assigning authority and responsibility
• Human resource standards
• External Influences

ERM- Objective Setting
• Strategic- high-level goals aligned with corporate mission
• Operational- effectiveness and efficiency of operations
• Reporting- complete and reliable
  o Improve decision making
• Compliance- laws and regulations are followed

ERM- Event Identification
• "… An incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives."
  o Positive or negative impacts (or both)
  o Events may trigger other events
  o All events should be anticipated

Risk Assessment
• Identify Risk
  o Identify likelihood of risk
  o Identify positive or negative impact

Types of Risk
• Inherent- risk that exists before any plans are made to control it
• Residual- remaining risk after controls are in place to reduce it

ERM- Risk Response
• Reduce- implement effective internal control
• Accept
  o Do nothing, accept likelihood of risk
• Share
  o Buy insurance, outsource, hedge
• Avoid
  o Do not engage in activity that produces risk

Event/Risk/Response Model
PS: I can't read it, it's way too blurry, you're on your own there.

Control Activities
• Policies and procedures to provide reasonable assurance that control objectives are met:
  o Proper authorization of transactions and activities
    ▪ Signature or code on document to signal authority over a process
  o Segregation of duties
  o Project development and acquisition controls
  o Change management controls
  o Design and use of documents and records
  o Safeguarding assets, records, and data
  o Independent checks on performance

Information and Communication
• Primary purpose of an AIS
  o Gather
  o Record
  o Process
  o Summarize
  o Communicate

Monitoring
• Evaluate internal control framework
• Effective supervision
• Responsibility accounting system
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits
• Employ a security officer and compliance officer
• Engage forensic specialist
• Install fraud detection software
• Implement a fraud hotline

Segregation of Accounting Duties
• No one employee should be given too much responsibility
• Separate:
  o Authorization
    ▪ Approving transactions and decisions
  o Recording
    ▪ Preparing source documents
    ▪ Entering data into an AIS
    ▪ Maintaining accounting records
  o Custody
    ▪ Handling cash, inventory, fixed assets
    ▪ Receiving incoming checks
    ▪ Writing checks

Segregation of System Duties
• Like accounting duties, system duties should also be separated
• These duties include:
  o System administration
  o Network management
  o Security management
  o Change management
  o Users
  o Systems analysts
  o Programmers
  o Computer operators
  o Information system librarian
  o Data control
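As an added example, not part of the original notes, the following Python checks a role roster against the segregation rules above: accounting duties are mapped to the authorization, recording and custody categories, each listed system duty is its own category, and any employee holding duties from more than one category inside either domain is flagged. The duty names, employee names and roster are constructed for the example.

```python
# Accounting duties from the notes, keyed to the category the notes put them in.
ACCOUNTING_CATEGORY = {
    "approve transactions": "authorization",
    "prepare source documents": "recording", "enter data into AIS": "recording",
    "maintain accounting records": "recording",
    "handle cash": "custody", "receive incoming checks": "custody",
    "write checks": "custody",
}

# System duties from the notes; each one is treated as its own category.
SYSTEM_DUTIES = {
    "system administration", "network management", "security management",
    "change management", "user", "systems analyst", "programmer",
    "computer operator", "information system librarian", "data control",
}

def categorize(duty):
    """Return (domain, category) for a duty name; unknown names raise."""
    if duty in ACCOUNTING_CATEGORY:
        return "accounting", ACCOUNTING_CATEGORY[duty]
    if duty in SYSTEM_DUTIES:
        return "system", duty
    raise ValueError(f"unknown duty: {duty!r}")

def find_conflicts(assignments):
    """Map employee -> sorted categories held, for each employee whose duties
    span more than one category within the accounting or the system domain."""
    conflicts = {}
    for employee, duties in assignments.items():
        held = {}  # domain -> set of categories held in that domain
        for duty in duties:
            domain, category = categorize(duty)
            held.setdefault(domain, set()).add(category)
        if any(len(cats) > 1 for cats in held.values()):
            conflicts[employee] = sorted(c for cats in held.values() for c in cats)
    return conflicts

# Constructed sample roster (hypothetical names and assignments).
SAMPLE_ROSTER = {
    "alice": ["approve transactions"],
    "bob": ["prepare source documents", "enter data into AIS"],  # one category
    "carol": ["receive incoming checks", "maintain accounting records"],  # custody + recording
    "dave": ["programmer", "computer operator"],  # two system duties
}

if __name__ == "__main__":
    for who, cats in find_conflicts(SAMPLE_ROSTER).items():
        print(f"{who}: holds {', '.join(cats)}")
```

Carol's combination (receiving checks plus maintaining the records) is the custody-and-recording pairing that lapping relies on, which is why the notes list segregation of duties as a control activity.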
