Accounting Information Systems - CH 8, 9

What are the three pressures that can lead to fraud?

Financial pressure - living beyond means, poor credit scores, bad investments, unreasonable goals, feels that the pressure cannot be shared and fraud is the best way out of a difficult situation, usually results in misappropriation of assets Emotional pressure - excessive greed, pride, ego, job dissatisfaction, fear of losing job, need for power Lifestyle pressure - gambling habit, drug/alcohol problem

What are vulnerabilities?

Flaws that a hacker can exploit to either crash a system or take control of it

What is click fraud?

Manipulating click numbers to inflate advertising bills

What is investment fraud?

Misrepresenting or leaving out facts in order to promote an investment that promises profits with little to no risk (i.e. Ponzi Scheme)

What is the fraud triangle?

Pressure - incentive or motivation to commit fraud Opportunity - condition or situation, including one's personal abilities, that allow Rationalization - excuse that fraud perpetrators use to justify their illegal behavior Usually all three elements have to be present

What is masquerading/impersonation?

Pretending to be an authorized user to access a system Perpetrator knows user's legitimate ID/password and uses their computer

What is pharming?

Redirecting website traffic to a spoofed site

What is social engineering?

Refers to techniques or psychological tricks used to get people to comply with the perpetrator's wishes in order to gain physical or logical access to a building, computer, server, or network

What is password cracking?

Trying every possible combination of upper and lowercase letters, numbers, and special characters and comparing them to cryptographic hash of the password

What is the profile for a computer fraud perpetrator?

Typically younger and posses more computer experience

What is hacking?

Unauthorized access, modification, or use of an electronic device or some element of a computer system

What are examples of computer fraud?

Unauthorized theft, use, access, modification, copying, or destruction of software, hardware, or data Theft of assets covered up by altering computer records Obtaining information or tangible property by illegally using computers

What percentage of security problems do human errors cause?

80%

What are the five characteristics that define fraud (legally speaking)?

A false statement, representation, or disclosure A material fact (something that induces a person to act) An intent to deceive A justifiable reliance (person relies on the misrepresentation to take an action) An injury or loss suffered by the victim

What is a virus?

A segment of self replicating, executable code that attached itself to a file or program

What is a worm?

A self-replicating program, similar to a virus, that is a stand-alone program, doesn't require a human to do something, and harms networks instead of files or data

What is a Trojan Horse?

A set of malicious computer instructions in an authorized and otherwise properly functioning program

Excessive heat is an example of a(n): A. Natural and political disasters B. Software errors and equipment malfunctions C. Intentional acts (computer crimes) D. Unintentional acts

A. Natural and political disasters

What are the three unintentional errors?

Accidents, innocent errors, and omissions

What is computer fraud?

Any fraud that requires computer technology to perpetrate it

What is malware?

Any software used to do harm

What is identity theft?

Assuming someone's identify by illegally obtaining and using confidential information

What is a zero-day (hour) attack?

Attack between the time a new software vulnerability is discovered and the time a developer releases a patch that fixes the problem Vulnerability windows last anywhere from hours to forever if users don't patch a system

How do you increase the difficulty of committing fraud?

Develop and implement a strong system of internal controls Segregation of duties - authorization, recording, and custody Require physical access Encrypt stores and transmitted data

What is the primary difference between fraud and errors in financial statement reporting? A. The level of management involved B. The intent to deceive C. The materiality of the misstatement D. The type of transaction effected

B. The intent to deceive

What are white-collar criminals?

Business people who commit fraud

How can fraud be prevented?

By eliminating or minimizing one or more fraud triangle elements Greatest opportunity to prevent fraud lies in reducing or minimizing opportunity by implementing a good system of internal controls

"Cooking the books" is typically accomplished by all the following except: A. Overstating inventory B. Accelerating recognition of revenue C. Inflating accounts payable D. Delaying recording or expenses

C. Inflating accounts payable

What are unintentional errors caused by?

Carelessness, failure to follow established procedures, poorly trained/supervised personnel, and poorly developed systems

What human traits do fraudster take advantage of?

Compassions, greed, sex appeal, sloth, trust, urgency, vanity

What is corruption?

Dishonest conduct by those in power and it often involved actions that are illegitimate, immoral, or incompatible with ethical standards

What are the steps to computer attacks and abuse

Conduct reconnaissance - collect information about the target and identify potential vulnerabilities (i.e. financial statements, press releases, physical security) Attempt social engineering - use of deception to obtain unauthorized access to information resources (i.e. telephone, email, USB drives) Scan and map the target - more detailed research to identify potential points of remote entry Research software for known vulnerabilities Execute the attack - obtain unauthorized access to the information system Cover tracks - after attack, create a back door to obtain access if initial attack is discovered

How do you make fraud and errors less likely to occur?

Create a culture that stresses integrity Adopt a structure that minimizes the likelihood of fraud Continuously improve security policies Maintain open communication lines Require vacations and signed confidentiality agreements

How can data analytics prevent and detect fraud?

Data analytics examine an entire data population vs a sample - every transaction is compared against selected criteria Unusual items are tagged for human examination - experience humans needed to examine and understand if fraud was involved Must understand the tools being used, as well as the business and its practices and the data

How do you improve the detection methods of fraud?

Develop and implement a fraud risk assessment program that evaluates both the likelihood and magnitude of fraudulent activity Create an audit trail so transactions can be traced through the system to the financial statements Install fraud detection software Implement a fraud hotline

What is the biggest cause of data breach?

Employee negligence

What are the recommended actions to reduce fraudulent reporting?

Establish an organizational environment that contributed to the integrity of the financial reporting process Identify and understand the factors that lead to fraudulent financial reporting Assess the risk of fraudulent financial reporting within the company Design and implement internal controls to provide reasonable assurance of preventing fraudulent financial reporting

What is fraud?

Gaining an unfair advantage over another person

What is hijacking?

Gaining control of someone else's computer to carry out illicit activities, such as sending spam without the computer user's knowledge

How does a perpetrator commit fraud?

Gains the trust of the entity Uses trickery, cunning or false/misleading information Conceals fraud by falsifying records or other information Rarely terminates the fraud voluntarily Need/greed impels the person to continue or it is self-perpetuating Spend the ill-gotten gains Gets greedy and takes larger amounts of assets at more frequent intervals Grows careless/overconfident as time passes

What is a dictionary attack?

Generates user IDs/passwords guesses using a dictionary of possible user IDs and passwords to reduce the number of guesses required

What does "cook the books" mean?

Inflating revenue, holding books open, closing books early, overstating fixed assets/inventory, concealing losses

What are examples of computer fraud classifications?

Input fraud - alter or falsify computer input (requires little skill - perps only need to understand how the system operates so they can cover their tracks Processor fraud - unauthorized system use, including theft if computer time and services Computer instructions fraud - tampering with company software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an illegal activity Data fraud - illegally using, copying, browsing, searching, or harming company data Output fraud - unless properly safeguarded, displayed, or printed, output can be stolen, copied, or misused

What is fraudulent financial reporting?

Intentional or reckless conduct, whether by an act or omission, that results in materially misleading financial statements

What are the ways fraudsters rationalize their behavior?

Justification - "I only took what they owed me." Attitude - "The rules don't apply to me." Lack of personal integrity - "Getting what I want is more important than being honest."

Who is most likely to commit fraud?

Knowledgeable insiders with the required access, skills, and resources - they understand a company and its weaknesses

What are examples of how fraudsters try to conceal their fraud?

Lapping - concealing theft of cash by a series of delays in posting collections to AR Check Kiting - creating cash using lag between the time cash is deposited and time it clears the bank

How do you reduce losses from fraud and errors?

Maintain adequate insurance Develop contingency and continuity plans Store backup copies of program and data files Use software to monitor system

What is spoofing?

Making an electronic communication looks as if someone else sent it to gain trust of the recipient (i.e. using email, caller ID, IP address, SMS, web-page)

What are two threats to AIS?

Natural and Political disasters Fires, floods, earthquakes, hurricanes, wars, terrorist attacks can destroy an information system and cause companies to fail

How do you minimize social engineering?

Never let people follow you into a restricted building, never log in for someone else on a computer, never give sensitive information over the phone or through email, never share passwords or user IDs, be cautious of anyone who is trying to gain access through you

Why is computer fraud increasing rapidly?

Not everyone agrees on what constitutes computer fraud (i.e. does copying software constitute computer fraud?) Many instances of computer fraud go undetected A high percentage of frauds is not reported (fear of copycats) Many networks are not secure Internet sites offer instructions on how to perpetrate computer fraud and abuse Law enforcement cannot keep up with the growth of computer fraud Calculating losses is difficult

What are examples of how data analytics can detect fraud?

Outlier detection - items outside a range of similar data Anomaly detection - not in line with patterns Regression analysis - evaluate connection between two or more data items Semantic modeling - analyze structured and unstructured test for hidden clues Benford's Law - naturally occurring that 1 is most likely to be the first number, and then 2, and it continues sequentially

What are some challenges to using data analytics to prevent and detect fraud?

Scoping data Obtaining clean data Large number of false positives Dealing with various complex software Dealing with security concerns Cost Fraud perpetrators don't want to be caught, so the better concealed activities, the harder the fraud is to detect

What is spyware?

Secretly monitors and collects personal information about users and sends it to someone else

What is phishing?

Sending an electronic message pretending to be a legitimate company, requesting information or verification of information

What is typosquatting?

Setting up similarly names websites so users making typographical errors when entering a website are sent to an invalid site

What is spamming?

Simultaneously sending the same unsolicited message to many people at the same time (often to sell something)

What is piggybacking?

Tapping into a communications line and electronically latching onto a legitimate user who unknowingly carries the perpetrators unto the system Using a neighbor's Wi-Fi network An unauthorized person following an authorized person through a secure door, bypassing physical security controls

What are some benefits to using data analytics to prevent and detect fraud?

Test for most frequent fraud schemes Look at data reactively & proactively Identify fraud before it becomes material Helps investigators focus on detection efforts Analyze numeric and non-numeric data Test internal controls

What is the most significant contributing factor for misappropriation of assets?

The absence of internal controls and/or failure to enforce existing internal controls

What is sabotage?

The deliberate destruction or harm to a system

What are many opportunities to commit fraud caused by?

The result of a deficient system of controls (whether by design or enforcement), unclear policies/procedures, failure to teach and stress corporate honesty, and failure to prosecute those who perpetrate the fraud

What is misappropriation of assets?

Theft of company assets by employees

What is economic espionage?

Theft of information, trade secrets, and IP

What are the three things happen when perpetrators have the opportunity to commit fraud?

They commit the fraud - includes misappropriation of assets and fraudulent financial reporting (overstatement of assets/revenues, understatement of liabilities, or failures to disclose information) They conceal the fraud - have to keep the accounting equation in balance They convert theft to a personal gain - misappropriation (have to convert assets to a spendable form) and FFR (indirect benefits by keeping a job, receiving pay raises, gaining power/influence

What is a brute force attack?

Trial-and-error method that uses software to guess information, such as the user ID and the password, needed to gain access to a system

What does SAS No. 99 require auditors to do?

Understand fraud - because auditors cannot effectively audit something they don't understand, they must understand fraud and how it is committed Discuss the risks of material fraudulent misstatements - while planning an audit, team members discuss among themselves how and where the company's financial statements are susceptible to fraud Obtain information - gather evidence by looking for fraud risk factors, testing records, and asking management, the AVC and BOD and others whether they know of past or current fraud Identify, assess, and respond to risks - evidence is used to identify, assess, and respond to fraud risks by varying the nature, timing, and extent of audit procedures and by evaluating carefully the risk of management override of internal control Evaluate results of audit test - auditors must evaluate whether identified misstatements indicate the presence of fraud and determine its impact on the financial statements and the audit Document and communicate findings - auditors must document and communicate their findings to management and the audit committee Incorporate a technology focus - SAS 99 recognizes the impact technology has on fraud risks and provides commentary/examples recognizing the impact

What is the greatest risk to information systems?

Unintentional errors Causes great dollar loss

What is internet misinformation?

Using the internet to spread false or misleading information

What is a denial-of-service attack?

a computer attach in which the attacker sends so many email bombs or web page requests the internet service provider/web server is overloaded and shuts down