AIS: Chapter 5
Intentional acts ("Scienter")
Any means a person uses to gain an unfair advantage over another person: a computer crime, a fraud, or sabotage, which is deliberate destruction or harm to a system.
Billing and noncash schemes
are asset misappropriation schemes that pose the highest risk
Fraudulent perpetrators
are knowledgeable insiders with the requisite access, skills, and resources. Because employees understand a company's system and its weaknesses, they are better able to commit and conceal a fraud.
Asset Misappropriation and corruption
are the two most frequent fraud types
Bid-Rigging Schemes
collusive fraud wherein an employee helps a vendor illegally obtain a contract that was supposed to involve competitive bidding
lapping scheme
concealing the theft of cash by means of a series of delays in posting collections to accounts receivable
Three categories of fraud:
corruption, asset misappropriation, financial statement fraud
Check kiting
creating cash using the lag between the time a check is deposited and the time it clears the bank
corruption
dishonest conduct by those in power and it often involves actions that are illegitimate, immoral, or incompatible with ethical standards. There are many types of corruption; examples include bribery and bid rigging.
Pressures that can lead to employee fraud
financial, emotional, lifestyle
Which type of fraud is associated with 50 percent of all auditor lawsuits?
fraudulent financial reporting
Fraudulent financial reporting (management fraud)
intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements. Management falsifies financial statements to deceive investors and creditors, increase a company's stock price, meet cash flow needs, or hide company losses and problems. The most frequent "cook the books" schemes involve fictitiously inflating revenues, holding the books open (recognizing revenues before they are earned), closing the books early (delaying current expenses to a later period), overstating inventories or fixed assets, and concealing losses and liabilities.
pressures that can lead to financial statement fraud
management characteristics, industry conditions, financial
investment fraud
misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk. There are many types of investment fraud; examples include Ponzi schemes and securities fraud.
A fraud perpetrator scanned a company paycheck, used desktop publishing software to erase the payee and amount, and printed fictitious paychecks. What type of fraud is this?
output fraud
Cyber sleuths need the following skills:
-Ability to follow a trail, think analytically, and be thorough. -Good understanding of information technology (IT). -Ability to think like a fraud perpetrator. -Ability to use hacking tools and techniques.
Unintentional Acts
-Accidents caused by human carelessness, failure to follow established procedures, and poorly trained or supervised personnel. -Examples: innocent errors or omissions; lost, erroneous, destroyed, or misplaced data; logic errors; systems that do not meet company needs or cannot handle intended tasks
Why are computer systems vulnerable?
-Fast destruction -difficult to detect -variety of access points -programs are fragile to even one-time modification -hard to control physical access to PCs
Auditing Standards (SAS) No. 99 requires auditors to:
-Understand fraud -Discuss the risks of material fraudulent misstatements -Obtain information -Identify, assess, and respond to risks -Evaluate the results of their audit tests -Document and communicate findings -Incorporate a technology focus
computer fraud
-any fraud that requires computer technology to perpetrate it. -Examples include: unauthorized theft, use, access, modification, copying, or destruction of software, hardware, or data; theft of assets covered up by altering computer records; obtaining information or tangible property illegally using computers
Legally, for an act to be fraudulent there must be:
1. A false statement, representation, or disclosure 2. A material fact, which is something that induces a person to act 3. An intent to deceive 4. A justifiable reliance; that is, the person relies on the misrepresentation to take an action 5. An injury or loss suffered by the victim
Threats to Accounting Information Systems
1. Natural and political disasters 2. Software errors and equipment malfunctions 3. Unintentional acts 4. Intentional acts (computer crimes)
The number of incidents, the total dollar losses, and the sophistication of the perpetrators and the schemes used to commit computer fraud are increasing rapidly for several reasons:
1. Not everyone agrees on what constitutes computer fraud. 2. Many instances of computer fraud go undetected. 3. A high percentage of frauds is not reported. 4. Many networks are not secure. 5. Internet sites offer step-by-step instructions on how to perpetrate computer fraud and abuse. 6. Law enforcement cannot keep up with the growth of computer fraud. 7. Calculating losses is difficult.
Computer Fraud classifications
1. input fraud: to alter or falsify computer input. It requires little skill; perpetrators need only understand how the system operates so they can cover their tracks. 2. processor fraud: unauthorized system use, including the theft of computer time and services. 3. computer instructions fraud: tampering with company software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an unauthorized activity. This approach used to be uncommon because it required specialized programming knowledge. 4. data fraud: illegally using, copying, browsing, searching, or harming company data. The biggest cause of data breaches is employee negligence. 5. output fraud: displayed or printed output can be stolen, copied, or misused.
Two types of frauds that are important to businesses
1. misappropriation of assets (sometimes called employee fraud) 2. fraudulent financial reporting (sometimes called management fraud)
Treadway Commission's four actions to reduce fraudulent financial reporting
1. Establish an organizational environment that contributes to the integrity of the financial reporting process. 2. Identify and understand the factors that lead to fraudulent financial reporting. 3. Assess the risk of fraudulent financial reporting within the company. 4. Design and implement internal controls to provide reasonable assurance of preventing fraudulent financial reporting.
Rationalization
allows perpetrators to justify their illegal behavior: a justification, an attitude, or a lack of personal integrity.
A programmer at a large bank inserted code into the company's computer system that told the computer to not only ignore any overdrafts on his accounts, but to not charge his accounts any late or service fees. This is an example of what type of fraud?
Computer instruction fraud
Opportunity is the condition or situation that allows a perpetrator to
Conceal the fraud; commit the fraud; convert theft into a personal gain
The Association of Certified Fraud Examiners (ACFE)
Conducts comprehensive fraud studies and releases its findings in a Report to the Nation on Occupational Fraud and Abuse. Explores the costs, schemes, victims and perpetrators of fraud
After a fraud has occurred, which one of the following is the best way to reduce the loss from that fraud?
Create an organizational culture that stresses integrity and commitment to ethical values and competence.
A hacker was able to break into the system that transmitted the daily transactions of a retail store to the company's central office. Every night for several weeks he copied the transaction data that included customer names, credit card numbers, and other confidential data. Hundreds of thousands of customers were affected. This is an example of what type of fraud?
Data fraud
Madoff Fraud
Example of output fraud & Ponzi scheme
Fraud
Gaining an unfair advantage over another person. It is a white collar crime. (intentional)
Software errors and equipment malfunctions
Hardware or software failures, Software errors or bugs, Operating system crashes, Power outages and fluctuations, undetected data transmission errors
Which of the following will improve the ability to detect fraud?
Implement a fraud hotline. Implement whistleblower rewards.
A woman sent her company fictitious medical bills from doctors who did not exist. The bills were processed in the normal way by her employer, and payments went to her husband's office address. She bilked her company out of millions of dollars. This is an example of what type of fraud?
Input fraud
Which of the following is a fraud in which later payments on account are used to pay off earlier payments that were stolen?
Lapping
Improve detection
Organizational: •Assess fraud risk •External and internal audits •Fraud hotline Systems: •Audit trail of transactions through the system •Install fraud detection software •Monitor system activities (user and error logs, intrusion detection)
Making it hard to commit
Organizational: •Develop strong internal controls •Segregate accounting functions •Use properly designed forms •Require independent checks and reconciliations of data System: •Restrict access •System authentication •Implement computer controls over input, processing, storage and output of data •Use encryption •Fix software bugs and update systems regularly •Destroy hard drives when disposing of computers
Reduce fraud losses
Organizational: •Insurance •Business continuity and disaster recovery plan Systems: •Store backup copies of program and data files in secure, off-site location •Monitor system activity
Employees at a large brokerage house used their employer's computer system to run a large and lucrative side business that their employer knew nothing about. This is an example of what type of fraud?
Processor fraud
small businesses vs. others in fraud
Small businesses are more susceptible to fraud and lose twice as much as businesses of other sizes. This is because there are less efficient internal controls and separation of duties, since there are fewer employees and departments in the company. There's also an inherent false sense of trust within small groups/businesses. Not all small businesses pay for audits; they are more likely to be victims of financial statement fraud.
which fraud is more harmful?
The ACFE found that an asset misappropriation is 17 times more likely than fraudulent financial reporting but that the amounts involved are much smaller. As a result, auditors and management are more concerned with fraudulent financial reporting even though they are more likely to encounter misappropriations.
Fraud Triangle
The three factors that contribute to fraudulent activity by employees: opportunity, financial pressure, and rationalization.
Natural and political disasters
This AIS threat includes fire or excessive heat, floods, earthquakes, landslides, hurricanes, tornadoes, and war and attacks by terrorists
misappropriation of assets
the theft of company assets by employees. The most significant contributing factor is the absence of internal controls and/or the failure to enforce existing internal controls.
which type of threat represents the greatest risk to information systems and causes the greatest dollar losses?
unintentional acts
Organizational fraud prevention
•Create a culture of integrity •Adopt structure that minimizes fraud, create governance (e.g., Board of Directors) •Assign authority for business objectives and hold them accountable for achieving those objectives, effective supervision and monitoring of employees •Communicate policies
Systems fraud prevention
•Develop security policies to guide and design specific control procedures •Implement change management controls and project development acquisition controls