ACCOUNTING INFORMATION SYSTEM

Ch.4 Computer Fraud

Learning Objectives: After studying this chapter, you should be able to:
1. Explain the threats faced by modern information systems.
2. Define fraud and describe both the different types of fraud and the process
one follows to perpetuate a fraud.
3. Discuss who perpetrates fraud and why it occurs, including the pressures,
opportunities, and rationalizations that are present in most frauds.
4. Define computer fraud and discuss the different computer fraud
classifications.
5. Explain how to prevent and detect computer fraud and abuse.
1. Introduction
As accounting information systems (AIS) grow more complex to meet our
escalating needs for information, companies face the growing risk that their
systems may be compromised. The four types of AIS threats a company faces
are summarized in Table 5-1.

1
 ACCOUNTING INFORMATION SYSTEM

1. Natural and political disasters—such as fires, floods, earthquakes,

hurricanes, tornadoes, blizzards, wars, and attacks by terrorists—can
destroy an information system and cause many companies to fail.
2. Software errors, operating system crashes, hardware failures, power
outages and fluctuations, and undetected data transmission errors
constitute a second type of threat.
3. Unintentional acts such as accidents or innocent errors and omissions, is
the greatest risk to information systems and causes the greatest dollar
losses.
Unintentional acts are caused by human carelessness, failure to follow
established procedures, and poorly trained or supervised personnel. Users
lose or misplace data and accidentally erase or alter files, data, and
programs. Computer operators and users enter the wrong input or
erroneous input, use the wrong version of a program or the wrong data
files, or misplace data files. Systems analysts develop systems that do not
meet company needs, that leave them vulnerable to attack, or that are
incapable of handling their intended tasks. Programmers make logic errors.
Examples of unintentional acts include the following:
• A data entry clerk at Mizuho Securities mistakenly keyed in a sale for
610,000 shares of J-Com for 1 yen instead of the sale of 1 share for 610,000
yen. The error cost the company $250 million.
• A programmer made a one-line-of-code error that priced all goods at
Zappos, an online retailer, at $49.95—even though some of the items it
sells are worth thousands of dollars. The change went into effect at
midnight, and by the time it was detected at 6:00 a.m., the company had
lost $1.6 million on goods sold far below cost.

2
 ACCOUNTING INFORMATION SYSTEM

• A bank programmer mistakenly calculated interest for each month using

31 days. Before the mistake was discovered, over $100,000 in excess
interest was paid.
• A Fannie Mae spreadsheet error misstated earnings by $1.2 billion.
• UPS lost a box of computer tapes containing sensitive information on 3.9
million Citigroup customers.
4. A fourth threat is an intentional act such as a computer crime, a fraud, or
sabotage, which is deliberate destruction or harm to a system. Information
systems are increasingly vulnerable to attacks.
Cyber thieves have stolen more than $1 trillion worth of intellectual
property from businesses worldwide. General Alexander, director of the
National Security Agency, called cyber theft “the greatest transfer of wealth
in history.” When the top cyber cop at the FBI was asked how the United
States was doing in its attempt to keep computer hackers from stealing data
from corporate networks, he said, “We’re not winning.”
Cookie - A text file created by a Web site and stored on a visitor’s hard drive.
Cookies store information about who the user is and what the user has done
on the site.
2. Fraud
Fraud defined “as any and all means a person uses to gain an unfair advantage
over another person”. Legally, for an act to be fraudulent there must be:
1. A false statement, representation, or disclosure
2. A material fact, which is something that induces a person to act
3. An intent to deceive
4. A justifiable reliance; that is, the person relies on the misrepresentation to
take an action
5. An injury or loss suffered by the victim
3
 ACCOUNTING INFORMATION SYSTEM

Most fraud perpetrators are knowledgeable insiders with the requisite

access, skills, and resources. Because employees understand a company’s
system and its weaknesses, they are better able to commit and conceal a fraud.
The controls used to protect corporate assets make it more difficult for an
outsider to steal from a company. Fraud perpetrators are often referred to as
white-collar criminals.
White-collar criminals - Typically, businesspeople who commit fraud.
White-collar criminals usually resort to trickery or cunning, and their crimes
usually involve a violation of trust or confidence.
There are a great many different types of frauds. We briefly define and
give examples of some of those and then provide a more extended discussion
of some of the most important ones to businesses.
Corruption is dishonest conduct by those in power and it often involves
actions that are illegitimate, immoral, or incompatible with ethical standards.
There are many types of corruption; examples include bribery and bid rigging.
Investment fraud is misrepresenting or leaving out facts to promote an
investment that promises fantastic profits with little or no risk. There are many
types of investment fraud; examples include Ponzi schemes and securities
fraud.
Two types of frauds that are important to businesses are
misappropriation of assets (sometimes called employee fraud) and fraudulent
financial reporting (sometimes called management fraud). These two types of
fraud are now discussed in greater depth.
Misappropriation of Assets
Misappropriation of assets is the theft of company assets by employees. The
most significant contributing factor in most misappropriations is the absence
of internal controls and/or the failure to enforce existing internal controls. A
4
 ACCOUNTING INFORMATION SYSTEM

typical misappropriation has the following important elements or

characteristics. The perpetrator:
● Gains the trust or confidence of the entity being defrauded.
● Uses trickery, cunning, or false or misleading information to commit fraud.
● Conceals the fraud by falsifying records or other information.
● Rarely terminates the fraud voluntarily.
● Sees how easy it is to get extra money; need or greed impels the person to
continue. Some frauds are self-perpetuating; if perpetrators stop, their actions
are discovered.
● Spends the ill-gotten gains. Rarely does the perpetrator save or invest the
money. Some perpetrators come to depend on the “extra” income, and others
adopt a lifestyle that requires even greater amounts of money. For these
reasons, there are no small frauds–only large ones that are detected early.
3. Fraudulent Financial Reporting
The National Commission on Fraudulent Financial Reporting (the Treadway
Commission) defined fraudulent financial reporting as intentional or reckless
conduct, whether by act or omission, that results in materially misleading
financial statements. Management falsifies financial statements to deceive
investors and creditors, increase a company’s stock price, meet cash flow
needs, or hide company losses and problems.
The Treadway Commission recommended four actions to reduce
fraudulent financial reporting:
1. Establish an organizational environment that contributes to the integrity of
the financial reporting process.
2. Identify and understand the factors that lead to fraudulent financial
reporting.
3. Assess the risk of fraudulent financial reporting within the company.
5
 ACCOUNTING INFORMATION SYSTEM

4. Design and implement internal controls to provide reasonable assurance of

preventing fraudulent financial reporting.
SAS No. 99: The Auditor’s Responsibility to Detect Fraud
Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a
Financial Statement Audit, became effective in December 2002. SAS No. 99
requires auditors to:
● Understand fraud. Because auditors cannot effectively audit something they
do not understand, they must understand fraud and how and why it is
committed.
● Discuss the risks of material fraudulent misstatements. While planning the
audit, team members discuss among themselves how and where the
company’s financial statements are susceptible to fraud.
● Obtain information. The audit team gathers evidence by looking for fraud
risk factors; testing company records; and asking management, the audit
committee of the board of directors, and others whether they know of past or
current fraud. Because many frauds involve revenue recognition, special care
is exercised in examining revenue accounts.
● Identify, assess, and respond to risks. The evidence is used to identify,
assess, and respond to fraud risks by varying the nature, timing, and extent of
audit procedures and by carefully evaluating the risk of management
overriding internal controls.
● Evaluate the results of their audit tests. Auditors must evaluate whether
identified misstatements indicate the presence of fraud and determine its
impact on the financial statements and the audit.
● Document and communicate findings. Auditors must document and
communicate their findings to management and the audit committee.

6
 ACCOUNTING INFORMATION SYSTEM

● Incorporate a technology focus. SAS No. 99 recognizes the impact

technology has on fraud risks and provides commentary and examples
recognizing this impact. It also notes the opportunities auditors have to use
technology to design fraud-auditing procedures.
4. Who Perpetrates Fraud and Why
When researchers compared the psychological and demographic
characteristics of white-collar criminals, violent criminals, and the public,
they found significant differences between violent and white-collar criminals.
They found few differences between white-collar criminals and the public.
Their conclusion: Many fraud perpetrators look just like you and me.
Some fraud perpetrators are disgruntled and unhappy with their jobs
and seek revenge against employers. Others are dedicated, hard-working, and
trusted employees. Most have no previous criminal record; they were honest,
valued, and respected members of their community. In other words, they were
good people who did bad things.
Computer fraud perpetrators are typically younger and possess more
computer experience and skills. Some are motivated by curiosity, a quest for
knowledge, the desire to learn how things work, and the challenge of beating
the system. Some view their actions as a game rather than as dishonest
behavior. Others commit computer fraud to gain stature in the hacking
community.
A large and growing number of computer fraud perpetrators are more
predatory in nature and seek to turn their actions into money. These fraud
perpetrators are more like the “blue-collar” criminals that look to prey on
others by robbing them. The difference is that they use a computer instead of
a gun.

7
 ACCOUNTING INFORMATION SYSTEM

Many first-time fraud perpetrators that are not caught, or that are caught
but not prosecuted, move from being “unintentional” fraudsters to “serial”
fraudsters.
Malicious software is a big business and a huge profit engine for the
criminal underground, especially for digitally savvy hackers in Eastern
Europe. They break into financial accounts and steal money. They sell data to
spammers, organized crime, hackers, and the intelligence community. They
market malware, such as virus-producing software, to others. Some work with
organized crime. A recently convicted hacker was paid $150 for every 1,000
computers he infected with his adware and earned hundreds of thousands of
dollars a year.
Cyber-criminals are a top FBI priority because they have moved from
isolated and uncoordinated attacks to organized fraud schemes targeted at
specific individuals and businesses. They use online payment companies to
launder their ill-gotten gains. To hide their money, they take advantage of the
lack of coordination between international law enforcement organizations.
5. The Fraud Triangle
For most predatory fraud perpetrators, all the fraudster needs are an
opportunity and the criminal mind-set that allows him/her to commit the
fraud. For most first-time fraud perpetrators, three conditions are present
when fraud occurs: a pressure, an opportunity, and a rationalization. This is
referred to as the fraud triangle and is the middle triangle in Figure 5-1.

8
 ACCOUNTING INFORMATION SYSTEM

Fig. 5-1

Pressures A pressure is a person’s incentive or motivation for

committing fraud. Three types of pressures that lead to misappropriations are
shown in the Employee Pressure Triangle in Figure 5-1 and are summarized
in Table 5-2.

Financial pressures often motivate misappropriation frauds by

employees. Examples of such pressures include living beyond one’s means,
9
 ACCOUNTING INFORMATION SYSTEM

heavy financial losses, or high personal debt. Often, the perpetrator feels the
pressure cannot be shared and believes fraud is the best way out of a difficult
situation.
A second type of pressure is emotional. Many employee frauds are
motivated by greed. Some employees turn to fraud because they have strong
feelings of resentment or believe they have been treated unfairly. They may
feel their pay is too low, their contributions are not appreciated, or the
company is taking advantage of them.
Other people are motivated by the challenge of “beating the system” or
subverting system controls and breaking into a system. When a company
boasted that its new system was impenetrable, a team of individuals took less
than 24 hours to break into the system and leave a message that the system
had been compromised.
- Some people commit fraud to keep pace with other family members or
win a “who has the most or best” competition.
- Other people commit fraud due to some combination of greed, ego,
pride, or ambition that causes them to believe that no matter how much
they have, it is never enough.
A third type of employee pressure is a person’s lifestyle. The person
may need funds to support a gambling habit or support a drug or alcohol
addiction.
Opportunities As shown in the Opportunity Triangle in Figure 5-1,
opportunity is the condition or situation, including one’s personal abilities,
that allows a perpetrator to do three things:
1. Commit the fraud. The theft of assets is the most common type of
misappropriation. Most instances of fraudulent financial reporting

10
 ACCOUNTING INFORMATION SYSTEM

involve overstatements of assets or revenues, understatements of

liabilities, or failures to disclose information.
2. Conceal the fraud. To prevent detection when assets are stolen or
financial statements are overstated, perpetrators must keep the
accounting equation in balance by inflating other assets or decreasing
liabilities or equity. Concealment often takes more effort and time and
leaves behind more evidence than the theft or misrepresentation.
3. Convert the theft or misrepresentation to personal gain. In a
misappropriation, fraud perpetrators who do not steal cash or use the
stolen assets personally must convert them to a spendable form. For
example, employees who steal inventory or equipment sell the items or
otherwise convert them to cash.
Rationalizations A rationalization allows perpetrators to justify their
illegal behavior. As shown in the Rationalization Triangle in Figure 5-1, this
can take the form of a justification “I only took what they owed me”, an
attitude “The rules do not apply to me”, or a lack of personal integrity “Getting
what I want is more important than being honest”. Then, Rationalization is
“the excuse that fraud perpetrators use to justify their illegal behavior”.
To conclude, fraud occurs when people have high pressures; an
opportunity to commit, conceal, and convert; and the ability to rationalize
away their personal integrity.
Likewise, fraud can be prevented by eliminating or minimizing one or
more fraud triangle elements. Although companies can reduce or minimize
some pressures and rationalizations, their greatest opportunity to prevent
fraud lies in reducing or minimizing opportunity by implementing a good
system of internal controls.

11
 ACCOUNTING INFORMATION SYSTEM

6. Computer Fraud
Computer fraud is “any fraud that requires computer technology to perpetrate
it”. Examples include:
▪ Unauthorized theft, use, access, modification, copying, or destruction of
software, hardware, or data.
▪ Theft of assets covered up by altering computer records.
▪ Obtaining information or tangible property illegally using computers.
Computer systems are particularly vulnerable for the following reasons:
- People who break into corporate databases can steal, destroy, or alter
massive amounts of data in very little time, often leaving little evidence.
One bank lost $10 million in a just a few minutes.
- Computer fraud can be much more difficult to detect than other types of
fraud.
- Some organizations grant employees, customers, and suppliers’ access to
their system. The number and variety of these access points significantly
increase the risks.
- Computer programs need to be modified illegally only once for them to
operate improperly for as long as they are in use.
- Personal computers (PCs) are vulnerable. It is difficult to control physical
access to each PC that accesses a network and PCs, and their data can be
lost, stolen, or misplaced. Also, PC users are generally less aware of the
importance of security and control. The more legitimate users there are,
the greater the risk of an attack on the network.
- Computer systems face several unique challenges: reliability, equipment
failure, dependency on power, damage from water or fire, vulnerability to
electromagnetic interference and interruption, and eavesdropping.

12
 ACCOUNTING INFORMATION SYSTEM

7. Computer Fraud Classification

As shown in Figure 5-2, computer fraud can be categorized using the data
processing model.
Input Fraud The simplest and most common way to commit a
computer fraud is to alter or falsify computer input. It requires little skill;
perpetrators need only understand how the system operates so they can cover
their tracks. For example: A man used desktop publishing to prepare bills for
office supplies that were never ordered or delivered and mailed them to local
companies. The invoices were for less than $300, an amount that often does
not require purchase orders or approvals. A high percentage of the companies
paid the bills.
Fig 5-2

Processor Fraud Processor fraud includes unauthorized system use,

including the theft of computer time and services. For example: An insurance
company installed software to detect abnormal system activity and found that
employees were using company computers to run an illegal gambling website.
Computer Instructions Fraud Computer instructions fraud includes
tampering with company software, copying software illegally, using software

13
 ACCOUNTING INFORMATION SYSTEM

in an unauthorized manner, and developing software to carry out an

unauthorized activity. This approach used to be uncommon because it
required specialized programming knowledge. Today, it is more frequent
because of the many web pages that tell users how to create them.
Data Fraud Illegally using, copying, browsing, searching, or harming
company data constitutes data fraud. The biggest cause of data breaches is
employee negligence.
In the absence of controls, it is not hard for an employee to steal data.
For example, an employee using a small flash drive can steal large amounts
of data and remove it without being detected. In today’s world, you can even
buy wristwatches with a USB port and internal memory.
- Data can also be changed, damaged, destroyed, or defaced, especially by
disgruntled employees and hackers.
- Data can be lost as a result of negligence or carelessness.
- Deleting files does not erase them. Even reformatting a hard drive may not
wipe it clean. To erase a hard drive completely, special software must be
used. When used computers are to be disposed of, the best way to protect
data is to destroy the hard drive.
Output Fraud Unless properly safeguarded, displayed or printed
output can be stolen, copied, or misused.
8. Preventing and Detecting Fraud and Abuse
To prevent fraud, organizations must create a climate that makes fraud less
likely, increases the difficulty of committing it, improves detection methods,
and reduces the amount lost if a fraud occurs. These measures are summarized
in Table 5-5.

14
ACCOUNTING INFORMATION SYSTEM

15
ACCOUNTING INFORMATION SYSTEM

16
 ACCOUNTING INFORMATION SYSTEM

Questions
1. Which of the following is a fraud in which later payments on account are
used to pay off earlier payments that were stolen?
a. lapping b. kiting
c. Ponzi scheme d. salami technique

2. Which type of fraud is associated with 50% of all auditor lawsuits?

a. kiting b. fraudulent financial reporting
c. Ponzi schemes d. lapping

3. Which of the following statements is false?

a. The psychological profiles of white-collar criminals differ from those of
violent criminals.
b. The psychological profiles of white-collar criminals are significantly
different from those of the general public.
c. There is little difference between computer fraud perpetrators and other
types of white-collar criminals.
d. Some computer fraud perpetrators do not view themselves as criminals.

4. Which of the following conditions is/are usually necessary for a fraud to

occur? (Select all correct answers.)
a. pressure b. opportunity
c. explanation d. rationalization

5. Which of the following is not an example of computer fraud?

a. theft of money by altering computer records
b. obtaining information illegally using a computer.
17
 ACCOUNTING INFORMATION SYSTEM

c. failure to perform preventive maintenance on a computer.

d. unauthorized modification of a software program.
6. Which of the following causes the majority of computer security problems?
a. human errors b. software errors
c. natural disasters d. power outages

7. Which of the following is not one of the responsibilities of auditors in

detecting fraud according to SAS No. 99?
a. evaluating the results of their audit tests.
b. incorporating a technology focus.
c. discussing the risks of material fraudulent misstatements.
d. catching the perpetrators in the act of committing the fraud.

8. Which of the following control procedures is most likely to deter lapping?

a. encryption b. continual update of the access control
matrix
c. background check on employees d. periodic rotation of duties

9. Which of the following is the most important, basic, and effective control
to deter fraud?
a. enforced vacations b. logical access control.
c. segregation of duties d. virus protection controls

10. Once fraud has occurred, which of the following will reduce fraud losses?
(Select all correct answers.)
a. insurance b. regular backup of data and programs
c. contingency plan d. segregation of duties
18