LECTURE 3:
Computer Fraud and Security
(Part I)
Reference: Chapter 5

Lecture Outline

Overview
Types of Fraud
Fraud perpetrators
The fraud triangle
Fraud deterrence and detection


Overview

Threats to companies’ IS

Natural and political disasters
• Fire, heat, flood, earthquake
• War, terrorist attack

Software errors and equipment malfunctions
• Power outages and fluctuations
• Software errors and bugs
• Data transmission errors

Unintentional acts
• Errors, misplaced data
• System that does not meet user needs

Intentional acts
• Sabotage, embezzlement
• Assets misappropriation
• Hacking

FRAUD
• Fraud is any and all means a person uses to gain an unfair advantage over
another person.
• Fraud must involve:
• A false statement (oral or in writing)
• A material fact
• An intent to deceive (knowledge that the statement was false when it was
uttered)
• A justifiable reliance (victim relies on the statement)
• An injury or loss suffered by victim

FRAUD
• Who commits fraud against companies?
• Employees/former employees are more frequent
• Why?
• White-collar criminals vs. violent criminals?
• Impact of white-collar crime vs. violent crime?

Auditor’s responsibilities
• Understand fraud.
• Discuss the risks of material fraudulent misstatements.
• Obtain information.
• Identify, assess, and respond to risks.
• Evaluate the results of their audit tests.
• Document and communicate findings.
• Incorporate a technology focus.

Types of fraud

Types of Frauds

OCCUPATIONAL
• Fraudulent Statements
  • Financial
  • Non-financial
• Asset Misappropriation
  • Theft of Cash
  • Fraudulent disbursements
  • Inventory and other assets
• Bribery and Corruption
  • Bribery
  • Illegal gratuities
  • Economic extortion
  • Conflict of interest

OTHER
• Intellectual property theft
• Financial institution fraud
• Check and credit card fraud
• Insurance fraud
• Healthcare fraud
• Bankruptcy fraud
• Tax fraud
• Securities fraud
• Money laundering
• Consumer fraud
• Computer and Internet fraud

Occupational Fraud
1. Misappropriation of assets
• Involves theft, embezzlement, or misuse of company assets for personal gain.
• Examples?

Occupational Fraud
2. Corruption
• Corruption involves the wrongful use of a position, contrary to the responsibilities of that position, to procure a benefit.
• Examples?

Occupational Fraud
3. Fraudulent statements
• Misstating the financial condition of an entity by intentionally misstating amounts or disclosures in order to deceive users.
• Could result from asset misappropriation

Occupational Fraud
• Contributing factors:
• Trust and confidence
• Lack of internal control
• Failure to enforce existing controls

• Characteristics
• Use deceit and misinformation
• Start with need, escalate with greed.
• Careless or overconfident over time.
• Spend what they steal.

Management Fraud
• “Cooking the books”:
• Recording fictitious revenues
• Recording revenues prematurely
• Recording expenses in later periods
• Overstating inventories or fixed assets (WorldCom)
• Concealing losses and liabilities

Fraud perpetrators

Who and Why?


• White-collar criminals tend to mirror the general public in:
• Education
• Age
• Religion
• Marriage
• Length of employment
• Psychological makeup

Who and why?


• Computer fraudster:
• Younger
• Possess more computer knowledge, experience, and skills.
• Motivated by:
• Curiosity
• A quest for knowledge
• The desire to learn how things work
• The challenge of beating the system

Who and why?


• Disgruntled
• Unhappy
• Greed
• Psychology (habitual)
• Any other reasons?

The fraud triangle



The Fraud Triangle

Pressure
• Perceived non-shareable need.
• The pressure could be related to finances, emotions, lifestyle, or some combination.

Opportunity
Opportunity is the opening or gateway that allows an individual to:
• Commit the fraud - Misappropriation of assets and fraudulent financial reporting
• Conceal the fraud - When assets are stolen, the only way to balance the accounting equation is to inflate other assets or decrease liabilities/equity, lapping or kiting scheme
• Examples of concealment efforts:
  • Charge a stolen asset to an expense account or to an account receivable that is about to be written off.
  • Create a ghost employee who receives an extra paycheck.
• Convert the proceeds - All fraud perpetrators go through the conversion phase unless they steal actual cash.

Rationalization
The action of attempting to explain or justify behaviour or an attitude with logical reasons, even if these are not appropriate.

Pressures – Employee Fraud

FINANCIAL
• Living beyond means
• High personal debt/expenses
• “Inadequate” salary/income
• Poor credit ratings
• Heavy financial losses
• Bad investments
• Tax avoidance
• Meet unreasonable quotas/goals

EMOTIONAL
• Greed
• Unrecognized performance
• Job dissatisfaction
• Fear of losing job
• Power or control
• Pride or ambition
• Beating the system
• Frustration
• Non-conformity
• Envy, resentment
• Arrogance, dominance
• Non-rules oriented

LIFESTYLE
• Support gambling habit
• Drug or alcohol addiction
• Support sexual relationships
• Family/peer pressure

Pressures – Financial Statement Fraud

MANAGEMENT CHARACTERISTICS
• Questionable management ethics, track records
• Unduly aggressive earnings forecasts, accounting methods
• Significant incentive compensation based on achieving unduly aggressive goals

INDUSTRY CONDITIONS
• Declining industry
• Industry/tech changes leading to declining demand, product obsolescence

FINANCIAL
• Intense pressure to meet expectations
• Significant cash flow problems
• Heavy losses

Opportunity
• Common opportunities:
• Lack of internal controls
• Failure to enforce controls (the most prevalent reason)
• Excessive trust in key employees
• Incompetent supervisory personnel
• Inattention to details
• Inadequate staff

Opportunity

• Internal controls that may be lacking or un-enforced include:
• Authorization procedures
• Clear lines of authority
• Adequate supervision
• Adequate documents and records
• A system to safeguard assets
• Independent checks on performance
• Separation of duties

• One control feature that many companies lack is a background check on all potential employees.

Opportunity
• Management may allow fraud by:
• Not getting involved in the design or enforcement of internal controls;
• Inattention or carelessness;
• Overriding controls; and/or
• Using their power to compel subordinates to carry out the fraud.

Rationalisation
• Rationalizations:
• I was just borrowing the money.
• It wasn’t really hurting anyone. (Corporations are often seen as non-persons,
therefore crimes against them are not hurting “anyone.”)
• Everybody does it.
• I’ve worked for them for 35 years and been underpaid all that time. I wasn’t
stealing; I was only taking what was owed to me.
• I didn’t take it for myself. I needed it to pay my child’s medical bills.

Rationalisation
• Creators of worms and viruses often use rationalizations like:
• The malicious code helped expose security flaws, so I did a good service.
• It was an accident.
• It was not my fault—just an experiment that went bad.
• It was the user’s fault because they didn’t keep their security up to date.
• If the code didn’t alter or delete any of their files, then what’s the problem?

Fraud deterrence and detection



PREVENTION AND DETECTION METHODS

• Make fraud less likely to occur
• Increase the difficulty of committing fraud
• Improve detection methods
• Reduce fraud losses

PREVENTION AND DETECTION METHODS

Make fraud less likely to occur

• Organisational culture – ethics & competence
• Audit committee – active, involved & independent
• Proper assignment of authority and responsibilities
• Train employees - integrity and ethics, security, fraud
• Mandatory vacations
• Confidentiality agreements.
• Adequate controls
• Increase the penalty for fraudsters

PREVENTION AND DETECTION METHODS

Increase the difficulty of committing fraud

• Strong internal controls
• Segregate the accounting functions of:
  • Authorization
  • Recording
  • Custody
• Restrict access to resources
• Properly designed documents and records
• Safeguard all assets, records, and data
• Independent checks on performance
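
The segregation of authorization, recording and custody listed on this slide can be tested against an audit trail. The following Python is an added example, not part of the original lecture; the log layout, transaction IDs and user names are constructed for illustration.

```python
from collections import defaultdict

# The three accounting functions the slide says must be segregated.
FUNCTIONS = {"authorization", "recording", "custody"}

# Constructed audit trail: (transaction_id, user, function performed).
AUDIT_TRAIL = [
    ("PO-1001", "alice", "authorization"),
    ("PO-1001", "bob", "recording"),
    ("PO-1001", "carol", "custody"),
    ("PO-1002", "dave", "authorization"),
    ("PO-1002", "dave", "recording"),   # same person approves and records
    ("PO-1002", "carol", "custody"),
    ("PO-1003", "erin", "authorization"),
    ("PO-1003", "bob", "recording"),    # no custody event logged
    ("PO-1004", "frank", "authorization"),
    ("PO-1004", "frank", "recording"),
    ("PO-1004", "frank", "custody"),    # one person controls the whole cycle
]


def sod_findings(trail):
    """Return sorted (transaction_id, finding) pairs for segregation-of-duties gaps."""
    by_txn = defaultdict(lambda: defaultdict(set))  # txn -> user -> functions
    for txn, user, function in trail:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function {function!r} on {txn}")
        by_txn[txn][user].add(function)

    findings = []
    for txn, users in by_txn.items():
        # A user holding two or more functions on one transaction is in a
        # position to both commit and conceal a misappropriation.
        for user, held in users.items():
            if len(held) > 1:
                findings.append((txn, f"{user} performed {'+'.join(sorted(held))}"))
        # A function with no logged actor is a gap in the audit trail itself.
        seen = set().union(*users.values())
        for missing in sorted(FUNCTIONS - seen):
            findings.append((txn, f"no {missing} event logged"))
    return sorted(findings)


if __name__ == "__main__":
    for txn, finding in sod_findings(AUDIT_TRAIL):
        print(txn, "-", finding)
```
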

PREVENTION AND DETECTION METHODS

Improve detection methods

• Create an audit trail
• Periodic audit: external, internal & security
• Fraud detection software
• Fraud hotline
• Employ a computer security officer, computer consultants and forensic specialists as needed.
• Monitor system activities
• Intrusion detection systems

PREVENTION AND DETECTION METHODS

Reduce Fraud Losses

• Maintain adequate insurance.
• Develop comprehensive fraud contingency, disaster recovery, and business continuity plans.
• Store backup copies of program and data files in a secure, off-site location.
• Use software to monitor system activity and recover from fraud.