
CHAPTER 5

CHAPTER 5. Computer Fraud and Security. INTRODUCTION. Questions to be addressed in this chapter: What is fraud, and how are frauds perpetrated? Who perpetrates fraud and why? What is computer fraud, and what forms does it take?


Presentation Transcript


  1. CHAPTER 5 Computer Fraud and Security

  2. INTRODUCTION • Questions to be addressed in this chapter: • What is fraud, and how are frauds perpetrated? • Who perpetrates fraud and why? • What is computer fraud, and what forms does it take? • What approaches and techniques are used to commit computer fraud?

  3. INTRODUCTION • Information systems are becoming increasingly complex, and society is becoming increasingly dependent on them. • Companies also face a growing risk of these systems being compromised. • Recent surveys indicate 67% of companies suffered a security breach in the last year, with almost 60% reporting financial losses.

  4. INTRODUCTION • Companies face four types of threats to their information systems (AIS threats: threats facing accounting information systems): 1. Natural and political disasters • Include: • Fire or excessive heat • Floods • Earthquakes • High winds • War and terrorist attack • When a natural or political disaster strikes, many companies can be affected at the same time. • Example: Bombing of the World Trade Center in NYC. • The Defense Science Board has predicted that attacks on information systems by foreign countries, espionage agents, and terrorists will soon be widespread.

  5. INTRODUCTION 2. Software errors and equipment malfunction (it fails to work properly) • Include: • Hardware or software failures • Software errors or bugs • Operating system crashes • Power outages and fluctuations • Undetected data transmission errors • Estimated annual economic losses due to software bugs = $60 billion. • 60% of companies studied had significant software errors in the previous year (2005).

  6. INTRODUCTION 3. Unintentional acts • Include: • Accidents caused by: • Human carelessness • Failure to follow established procedures • Poorly trained or supervised personnel • Innocent errors or omissions (e.g., during data entry) • Lost, destroyed, or misplaced data • Logic errors (e.g., a program designed so that it does not meet the company’s needs) • Systems that do not meet needs or are incapable of performing intended tasks • The Information Systems Security Association estimates that 65% of security problems are caused by human error.

  7. INTRODUCTION 4. Intentional acts (computer crime) • Include: • Sabotage (deliberate destruction, e.g., during demonstrations) • Computer fraud (deception, corruption) • Misrepresentation, false use, or unauthorized disclosure of data • Misappropriation of assets (using company resources without authorization or for private purposes) • Financial statement fraud • Information systems are increasingly vulnerable to these malicious attacks.

  8. INTRODUCTION • In this chapter we’ll discuss: • The fraud process • Why fraud occurs • Approaches to computer fraud • Specific techniques used to commit computer fraud • Ways companies can deter and detect computer fraud

  9. THE FRAUD PROCESS • Fraud is any and all means a person uses to gain an unfair advantage over another person. • In most cases, to be considered fraudulent, an act must involve: • A false statement (oral or in writing) • About a material fact • Knowledge that the statement was false when it was uttered (which implies an intent to deceive) • A victim relies on the statement (in making a decision) • And suffers injury or loss as a result

  10. THE FRAUD PROCESS • Since fraudsters don’t make journal entries to record their frauds, we can only estimate the amount of losses caused by fraudulent acts: • The Association of Certified Fraud Examiners (ACFE) estimates that total fraud losses in the U.S. run around 6% of annual revenues, or approximately $660 billion in 2004. • More than we spend on education and roads in a year. • 6 times what we pay for the criminal justice system. • Income tax fraud (the difference between what taxpayers owe and what they pay to the government) is estimated to be over $200 billion per year. • Fraud in the healthcare industry is estimated to exceed $100 billion a year.

  11. THE FRAUD PROCESS • Fraud against companies may be committed by an employee or an external party. • Former and current employees (called knowledgeable insiders) are much more likely than non-employees to perpetrate frauds (and big ones) against companies. • Largely owing to their understanding of the company’s systems and its weaknesses, which enables them to commit the fraud and cover their tracks. • Organizations must utilize controls to make it difficult for both insiders and outsiders to steal from the company.

  12. THE FRAUD PROCESS • Fraud perpetrators are often referred to as white-collar criminals. • Distinguishes them from violent criminals, although some white-collar crime can ultimately have violent outcomes, such as: • Perpetrators or their victims committing suicide. • Healthcare patients killed because of alteration of information, etc., that can result in their deaths.

  13. THE FRAUD PROCESS • Three types of occupational fraud: 1. Misappropriation of assets • Involves theft, embezzlement, or misuse of company assets for personal gain. • Examples include billing schemes, check tampering, skimming, and theft of inventory. • In the 2004 Report to the Nation on Occupational Fraud and Abuse, 92.7% of occupational frauds involved asset misappropriation at a median cost of $93,000.

  14. THE FRAUD PROCESS • Three types of occupational fraud: 2. Corruption • Corruption involves the wrongful use of a position, contrary to the responsibilities of that position, to procure a benefit. • Examples include kickback schemes and conflict of interest schemes. • About 30.1% of occupational frauds include corruption schemes at a median cost of $250,000.

  15. THE FRAUD PROCESS • Three types of occupational fraud: 3. Fraudulent statements • Financial statement fraud involves misstating the financial condition of an entity by intentionally misstating amounts or disclosures in order to deceive users. • Financial statements can be misstated as a result of intentional efforts to deceive or as a result of undetected asset misappropriations that are so large that they cause misstatement. • About 7.9% of occupational frauds involve fraudulent statements at a median cost of $1 million. (The median pales in comparison to the maximum cost.)

  16. THE FRAUD PROCESS • A typical employee fraud has a number of important elements or characteristics: • The fraud perpetrator must gain the trust or confidence of the person or company being defrauded in order to commit and conceal the fraud. • Instead of using a gun, knife, or physical force, fraudsters use weapons of deceit and misinformation. • Frauds tend to start as the result of a perceived need on the part of the employee and then escalate from need to greed. Most fraudsters can’t stop once they get started, and their frauds grow in size. • The fraudsters often grow careless or overconfident over time. • Fraudsters tend to spend what they steal. Very few save it. • In time, the sheer magnitude of the frauds may lead to detection. • The most significant contributing factor in most employee frauds is the absence of internal controls and/or the failure to enforce existing controls.

  17. THE FRAUD PROCESS • The National Commission on Fraudulent Financial Reporting (aka, the Treadway Commission) defined fraudulent financial reporting as intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements. • Financial statements can be falsified to: • Deceive investors and creditors • Cause a company’s stock price to rise • Meet cash flow needs • Hide company losses and problems

  18. THE FRAUD PROCESS • Fraudulent financial reporting is of great concern to independent auditors, because undetected frauds lead to half of the lawsuits against auditors. • In the case of Enron, a financial statement fraud led to the total elimination of Arthur Andersen, a premiere international public accounting firm.

  19. THE FRAUD PROCESS • Common approaches to “cooking the books” (altering figures or written records) include: • Recording fictitious revenues • Recording revenues prematurely • Recording expenses in later periods • Overstating inventories or fixed assets (WorldCom) • Concealing losses and liabilities

  20. THE FRAUD PROCESS • The Treadway Commission recommended four actions to reduce the possibility of fraudulent financial reporting: • Establish an organizational environment that contributes to the integrity of the financial reporting process. • Identify and understand the factors that lead to fraudulent financial reporting. • Assess the risk of fraudulent financial reporting within the company. • Design and implement internal controls to provide reasonable assurance that fraudulent financial reporting is prevented.

  21. THE FRAUD PROCESS • SAS 99: The Auditor’s Responsibility to Detect Fraud • In 1997, SAS-82, Consideration of Fraud in a Financial Statement Audit, was issued to clarify the auditor’s responsibility to detect fraud. SAS: Statement on Auditing Standards

  22. THE FRAUD PROCESS • A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to: • Understand fraud • Auditors can’t effectively audit something they don’t understand. • SAS-99 also indicated that auditors are not lawyers and “do not make legal determinations of whether fraud has occurred.” • The external auditor’s interest specifically relates to acts that result in a material misstatement of the financial statements. • Note that SAS-99 relates to external auditors. Internal auditors will have a more extensive interest in fraud than just those that impact financial statements.

  23. THE FRAUD PROCESS • A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to: • Understand fraud • Discuss the risks of material fraudulent misstatements • While planning the audit, members of the audit team should discuss how and where the company’s financial statements might be susceptible to fraud.

  24. THE FRAUD PROCESS • A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to: • Understand fraud • Discuss the risks of material fraudulent misstatements • Obtain information • The audit team must gather evidence about the existence of fraud by: • Looking for fraud risk factors • Testing company records • Asking management, the audit committee, and others if they know of any past or current fraud or of fraud risks the organization faces. • Special care needs to be exercised in examining revenue accounts, since they are particularly popular fraud targets.

  25. THE FRAUD PROCESS • A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to: • Understand fraud • Discuss the risks of material fraudulent misstatements • Obtain information • Identify, assess, and respond to risks • Use the gathered information to identify, assess, and respond to risks. • Auditors can respond by varying the nature, timing, and extent of auditing procedures they perform. • They should also carefully evaluate risks related to management override of controls.

  26. THE FRAUD PROCESS • A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to: • Understand fraud • Discuss the risks of material fraudulent misstatements • Obtain information • Identify, assess, and respond to risks • Evaluate the results of their audit tests • Auditors must assess the risk of fraud throughout the audit. • When the audit is complete, they must evaluate whether any identified misstatements indicate the presence of fraud. • If so, they should determine the impact on the financial statements and the audit.

  27. THE FRAUD PROCESS • A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to: • Understand fraud • Discuss the risks of material fraudulent misstatements • Obtain information • Identify, assess, and respond to risks • Evaluate the results of their audit tests • Communicate findings • Auditors communicate their fraud findings to management, the audit committee, and others.

  28. THE FRAUD PROCESS • A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to: • Understand fraud • Discuss the risks of material fraudulent misstatements • Obtain information • Identify, assess, and respond to risks • Evaluate the results of their audit tests • Communicate findings • Document their audit work • Auditors must document their compliance with SAS-99 requirements.

  29. THE FRAUD PROCESS • A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to: • Understand fraud • Discuss the risks of material fraudulent misstatements • Obtain information • Identify, assess, and respond to risks • Evaluate the results of their audit tests • Communicate findings • Document their audit work • Incorporate a technology focus • SAS-99 recognizes that technology impacts fraud risks and notes opportunities that auditors have to use technology-oriented tools and techniques to design fraud auditing procedures.

  30. INTRODUCTION • In this chapter we’ll discuss: • The fraud process • Why fraud occurs • Approaches to computer fraud • Specific techniques used to commit computer fraud • Ways companies can deter and detect computer fraud

  31. WHO COMMITS FRAUD AND WHY • Researchers have compared the psychological and demographic characteristics of three groups of people: • White-collar criminals • Violent criminals • The general public • They found: • Significant differences between violent and white-collar criminals. • Few differences between white-collar criminals and the general public.

  32. WHO COMMITS FRAUD AND WHY • White-collar criminals tend to mirror the general public in: • Education • Age • Religion • Marriage • Length of employment • Psychological makeup

  33. WHO COMMITS FRAUD AND WHY • Perpetrators of computer fraud tend to be younger and possess more computer knowledge, experience, and skills. • Hackers and computer fraud perpetrators tend to be more motivated by: • Curiosity • A quest for knowledge • The desire to learn how things work • The challenge of beating the system

  34. WHO COMMITS FRAUD AND WHY • They may view their actions as a game rather than dishonest behavior. • Another motivation may be to gain stature in the hacking community. • Some see themselves as revolutionaries spreading a message of anarchy and freedom. • But a growing number want to profit financially. To do so, they may sell data to: • Spammers • Organized crime • Other hackers • The intelligence community

  35. WHO COMMITS FRAUD AND WHY • Some fraud perpetrators are disgruntled and unhappy with their jobs and are seeking revenge against their employers. • Others are regarded as ideal, hard-working employees in positions of trust. • Most have no prior criminal record. • So why are they willing to risk everything?

  36. WHO COMMITS FRAUD AND WHY • Criminologist Donald Cressey interviewed 200+ convicted white-collar criminals in an attempt to determine the common threads in their crimes. As a result of his research, he determined that three factors were present in the commission of each crime. These three factors have come to be known as the fraud triangle. • Pressure • Opportunity • Rationalization

  37. The “Fraud Triangle” (Donald Cressey): Pressure, Opportunity, Rationalization

  38. WHO COMMITS FRAUD AND WHY • Pressure • Cressey referred to this pressure as a “perceived non-shareable need.” • The pressure could be related to finances, emotions, lifestyle, or some combination. • The most common pressures were: 1. Not being able to pay one’s debts, nor admit it to one’s employer, family, or friends (which makes it non-shareable) • May be associated with vices, such as drugs, gambling, mistresses, etc.

  39. WHO COMMITS FRAUD AND WHY • The most common pressures were: 2. Fear of loss of status because of a personal failure • Example would be mismanagement of a personal investment or retirement fund.

  40. WHO COMMITS FRAUD AND WHY • The most common pressures were: 3. Business reversals 4. Physical isolation • Not many people can walk away from a failing business. • When an individual is isolated, physically or psychologically, almost any pressure becomes non-shareable.

  41. WHO COMMITS FRAUD AND WHY • The most common pressures were: 5. Status gaining • Many frauds are motivated by nothing more than a perceived need to keep up with the Joneses. • The problem is that there is always a richer “Jones” down the street and the pressure continues to mount, as do the resulting thefts.

  42. WHO COMMITS FRAUD AND WHY • The most common pressures were: 6. Difficulties in employer-employee relations • May create pressure to get revenge, take the money you feel is rightfully owed to you, etc.

  43. WHO COMMITS FRAUD AND WHY • What’s important here is the perception of the pressure. • There might be a number of people who could and would help a tentative fraudster out of his financial woes. • But as long as he perceives that he cannot share his burden, the pressure is present. • Research has also found that an individual’s propensity to commit fraud is more related to how much he worries about his financial position than to his actual position. • The millionaire who frets a lot about his financial condition is more likely to commit fraud than the guy who doesn’t have two dimes to rub together but isn’t worried about it.

  44. WHO COMMITS FRAUD AND WHY • Financial statement fraud is distinct from other types of fraud in that the individuals who commit the fraud are not the direct beneficiaries. • The company is the direct beneficiary. • The perpetrators are typically indirect beneficiaries.

  45. WHO COMMITS FRAUD AND WHY • In the case of financial statement frauds, common pressures include: • To prop up earnings or stock price so that management can: • Receive performance-related compensation. • Preserve or improve personal wealth held in company stock or stock options. • Keep their jobs. • To cover the inability to generate cash flow. • To obtain financing. • To appear to comply with bond covenants or other agreements. • May be opposite of propping up earnings in cases involving income-tax motivations, government contracts, or regulation.

  46. WHO COMMITS FRAUD AND WHY • Opportunity is the opening or gateway that allows an individual to: • Commit the fraud • Conceal the fraud • Convert the proceeds

  47. WHO COMMITS FRAUD AND WHY • Committing the fraud might involve acts such as: • Misappropriating assets. • Issuing deceptive financial statements. • Accepting a bribe in order to make an arrangement that is not in the company’s best interest. • Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation. • Examples of concealment efforts: • Charge a stolen asset to an expense account or to an account receivable that is about to be written off.

  48. WHO COMMITS FRAUD AND WHY • Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation. • Examples of concealment efforts: • Charge a stolen asset to an expense account or to an account receivable that is about to be written off. • Create a ghost employee who receives an extra paycheck. • Lapping. • Steal a payment from Customer A. • Apply Customer B’s payment to Customer A’s account so Customer A won’t get a late notice. • Apply Customer C’s payment to Customer B’s account, so Customer B won’t get a late notice, etc.
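As an added illustration (not part of the original slides), the lapping pattern described above leaves a detectable trail: the customer who actually paid, as recorded in the bank deposit detail, differs from the customer account the receivables subledger credited. The Python below is example code with constructed sample data; it matches the two records by check number, flags misapplied and unposted checks, and links the misapplications into the A ← B ← C chain the slide describes.

```python
"""Detect lapping in accounts receivable postings (example, constructed data).

Lapping hides a stolen customer payment by crediting a later customer's
payment to the first customer's account, then a third customer's payment
to the second's, and so on.  Matching "who paid" (bank deposit detail)
against "whose account was credited" (AR subledger) exposes the chain.
"""

# Constructed bank deposit detail: which customer's check was deposited.
DEPOSITS = [
    {"check": "1001", "payer": "A", "amount": 500.0, "date": "2024-03-01"},
    {"check": "1002", "payer": "B", "amount": 500.0, "date": "2024-03-05"},
    {"check": "1003", "payer": "C", "amount": 500.0, "date": "2024-03-09"},
    {"check": "1004", "payer": "D", "amount": 120.0, "date": "2024-03-10"},
]

# Constructed AR subledger: Customer A's check (1001) was stolen and never
# posted; B's check was credited to A, C's check to B.  D's is posted correctly.
POSTINGS = [
    {"check": "1002", "account": "A", "amount": 500.0, "date": "2024-03-05"},
    {"check": "1003", "account": "B", "amount": 500.0, "date": "2024-03-09"},
    {"check": "1004", "account": "D", "amount": 120.0, "date": "2024-03-10"},
]


def misapplied_payments(deposits, postings):
    """Return ([(payer, account_credited, check), ...], [unposted checks])."""
    posted = {p["check"]: p for p in postings}
    mismatches, unposted = [], []
    for d in deposits:
        p = posted.get(d["check"])
        if p is None:                      # deposited but never credited
            unposted.append(d["check"])
        elif p["account"] != d["payer"]:   # credited to the wrong customer
            mismatches.append((d["payer"], p["account"], d["check"]))
    return mismatches, unposted


def lapping_chains(mismatches):
    """Link misapplications into chains ordered from the first victim.

    covers[X] = Y means Customer Y's money was used to cover Customer X's
    account.  A chain starts at an account that was covered but whose own
    money was never used to cover anyone else (the original stolen payment).
    """
    covers = {account: payer for payer, account, _ in mismatches}
    payers = set(covers.values())
    chains = []
    for start in sorted(a for a in covers if a not in payers):
        chain, cur = [start], start
        while cur in covers and covers[cur] not in chain:
            cur = covers[cur]
            chain.append(cur)
        chains.append(chain)
    return chains


def detect_lapping(deposits, postings):
    """Summarise red flags; the last customer in a chain is the one whose
    account is currently short and will receive the next late notice."""
    mismatches, unposted = misapplied_payments(deposits, postings)
    return {"unposted_checks": unposted,
            "misapplied": mismatches,
            "chains": lapping_chains(mismatches)}


if __name__ == "__main__":
    print(detect_lapping(DEPOSITS, POSTINGS))
```

The same comparison scales to a real close: join the bank's remittance detail to the subledger on check number and review every row where payer and credited account differ.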

  49. WHO COMMITS FRAUD AND WHY • Kiting. • Creates “cash” by transferring money between banks. • Requires multiple bank accounts. • Basic scheme: • Write a check on the account of Bank A. • Bank A doesn’t have sufficient funds to cover the check, so write a check from an account in Bank B to be deposited in Bank A. • Bank B doesn’t have sufficient funds to cover the check, so write a check from an account in Bank C to be deposited in Bank B, etc.

  50. WHO COMMITS FRAUD AND WHY • Convert the proceeds • Unless the target of the theft is cash, the stolen goods must be converted to cash or some form that is beneficial to the perpetrator. • Checks can be converted through alterations, forged endorsements, check washing, etc. • Non-cash assets can be sold (online auctions are a favorite forum) or returned to the company for cash.
