LECTURE 3:
Computer Fraud and Security
(Part I)
Reference: Chapter 5
Lecture Outline
Overview
Types of Fraud
Fraud perpetrators
The fraud triangle
Fraud deterrence and detection
Overview
Threats to companies’ IS
• Intentional acts
  • Sabotage, embezzlement
  • Assets misappropriation
  • Hacking
FRAUD
• Fraud is any and all means a person uses to gain an unfair advantage over another person.
• Fraud must involve:
  • A false statement (oral or in writing)
  • A material fact
  • An intent to deceive (knowledge that the statement was false when it was uttered)
  • A justifiable reliance (victim relies on the statement)
  • An injury or loss suffered by victim
FRAUD
• Who commits fraud against companies?
• Why?
Auditor’s responsibilities
• Understand fraud.
• Discuss the risks of material fraudulent misstatements.
• Obtain information.
• Identify, assess, and respond to risks.
• Evaluate the results of their audit tests.
• Document and communicate findings.
• Incorporate a technology focus.
Types of fraud
Types of Frauds
OCCUPATIONAL
• Fraudulent Statements
  • Financial
  • Non-financial
• Asset Misappropriation
  • Theft of Cash
  • Fraudulent disbursements
  • Inventory and other assets
• Bribery and Corruption
  • Bribery
  • Illegal gratuities
  • Economic extortion
  • Conflict of interest
OTHER
• Intellectual property theft
• Financial institution fraud
• Check and credit card fraud
• Insurance fraud
• Healthcare fraud
• Bankruptcy fraud
• Tax fraud
• Securities fraud
• Money laundering
• Consumer fraud
• Computer and Internet fraud
Occupational Fraud
1. Misappropriation of assets
2. Corruption
3. Fraudulent statements
Occupational Fraud
• Contributing factors:
  • Trust and confidence
  • Lack of internal control
  • Failure to enforce existing controls
• Characteristics:
  • Use deceit and misinformation.
  • Start with need, escalate with greed.
  • Careless or overconfident over time.
  • Spend what they steal.
Management Fraud
• “Cooking the books”:
  • Recording fictitious revenues
  • Recording revenues prematurely
  • Recording expenses in later periods
  • Overstating inventories or fixed assets (WorldCom)
  • Concealing losses and liabilities
Fraud perpetrators
Pressure
• Perceived non-shareable need.
• The pressure could be related to finances, emotions, lifestyle, or some combination.
Opportunity
• Opportunity is the opening or gateway that allows an individual to:
  • Commit the fraud: misappropriation of assets and fraudulent financial reporting.
  • Conceal the fraud: when assets are stolen, the only way to balance the accounting equation is to inflate other assets or decrease liabilities/equity (lapping or kiting scheme).
    Examples of concealment efforts:
    • Charge a stolen asset to an expense account or to an account receivable that is about to be written off.
    • Create a ghost employee who receives an extra paycheck.
  • Convert the proceeds: all fraud perpetrators go through the conversion phase unless they steal actual cash.
Rationalization
• The action of attempting to explain or justify behaviour or an attitude with logical reasons, even if these are not appropriate.
Opportunity
• Common opportunities:
  • Lack of internal controls
  • Failure to enforce controls (the most prevalent reason)
  • Excessive trust in key employees
  • Incompetent supervisory personnel
  • Inattention to details
  • Inadequate staff
Opportunity
One control feature that many companies lack is a background check on all potential
employees.
Opportunity
• Management may allow fraud by:
  • Not getting involved in the design or enforcement of internal controls;
  • Inattention or carelessness;
  • Overriding controls; and/or
  • Using their power to compel subordinates to carry out the fraud.
Rationalisation
• Rationalizations:
  • I was just borrowing the money.
  • It wasn’t really hurting anyone. (Corporations are often seen as non-persons, therefore crimes against them are not hurting “anyone.”)
  • Everybody does it.
  • I’ve worked for them for 35 years and been underpaid all that time. I wasn’t stealing; I was only taking what was owed to me.
  • I didn’t take it for myself. I needed it to pay my child’s medical bills.
Rationalisation
• Creators of worms and viruses often use rationalizations like:
  • The malicious code helped expose security flaws, so I did a good service.
  • It was an accident.
  • It was not my fault—just an experiment that went bad.
  • It was the user’s fault because they didn’t keep their security up to date.
  • If the code didn’t alter or delete any of their files, then what’s the problem?