CHAPTER 5 Computer Fraud
INTRODUCTION • Questions to be addressed in this chapter: • Explain the threats faced by modern information systems. • Define fraud and describe the process one follows to perpetrate a fraud. • Discuss who perpetrates fraud and why it occurs, including: • the pressures, opportunities, and rationalizations that are present in most frauds. • Define computer fraud and discuss the different computer fraud classifications.
INTRODUCTION • Information systems are becoming increasingly more complex and society is becoming increasingly more dependent on these systems. • Companies also face a growing risk of these systems being compromised. • Recent surveys indicate 67% of companies suffered a security breach in the last year with almost 60% reporting financial losses.
INTRODUCTION • Companies face four types of threats to their information systems: • Natural and political disasters • Include: • Fire or excessive heat • Floods • Earthquakes • High winds • War and terrorist attack • When a natural or political disaster strikes, many companies can be affected at the same time. • Example: Bombing of the World Trade Center in NYC. • The Defense Science Board has predicted that attacks on information systems by foreign countries, espionage agents, and terrorists will soon be widespread.
INTRODUCTION • Companies face four types of threats to their information systems: • Natural and political disasters • Software errors and equipment malfunction • Include: • Hardware or software failures • Software errors or bugs • Operating system crashes • Power outages and fluctuations • Undetected data transmission errors • Estimated annual economic losses due to software bugs = $60 billion. • 60% of companies studied had significant software errors in previous year.
INTRODUCTION • Companies face four types of threats to their information systems: • Natural and political disasters • Software errors and equipment malfunction • Unintentional acts • Include: • Accidents caused by: • Human carelessness • Failure to follow established procedures • Poorly trained or supervised personnel • Innocent errors or omissions • Lost, destroyed, or misplaced data • Logic errors • Systems that do not meet needs or are incapable of performing intended tasks • The Computing Technology Industry Assn. estimates 80% of security problems are caused by human error.
INTRODUCTION • Companies face four types of threats to their information systems: • Natural and political disasters • Software errors and equipment malfunction • Unintentional acts • Intentional acts (computer crime) • Include: • Sabotage • Computer fraud • Misrepresentation, false use, or unauthorized disclosure of data • Misappropriation of assets • Financial statement fraud • Information systems are increasingly vulnerable to these malicious attacks.
THE FRAUD PROCESS • Fraud is any and all means a person uses to gain an unfair advantage over another person. • In most cases, to be considered fraudulent, an act must involve: • A false statement (oral or in writing) • About a material fact • Knowledge that the statement was false when it was uttered (which implies an intent to deceive) • A victim relies on the statement • And suffers injury or loss as a result
THE FRAUD PROCESS • Since fraudsters don’t make journal entries to record their frauds, we can only estimate the amount of losses caused by fraudulent acts: • Income tax fraud (the difference between what taxpayers owe and what they pay to the government) is estimated to be over $400 billion per year. • Fraud in the healthcare industry is estimated to exceed $100 billion a year. • The average organization loses 7% of its annual revenues to fraud. • Frauds are more likely to be detected by a tip than by audits, controls, or other means.
THE FRAUD PROCESS • Fraud against companies may be committed by an employee or an external party. • Former and current employees (called knowledgeable insiders) are much more likely than non-employees to perpetrate frauds (and big ones) against companies. • Largely owing to their understanding of the company’s systems and its weaknesses, which enables them to commit the fraud and cover their tracks. • Organizations must utilize controls to make it difficult for both insiders and outsiders to steal from the company.
THE FRAUD PROCESS • Types of fraud: • Misappropriation of assets • Involves theft, embezzlement, or misuse of company assets for personal gain. • Examples include billing schemes, check tampering, skimming, and theft of inventory.
THE FRAUD PROCESS • Types of fraud: • Misappropriation of assets • Fraudulent financial reporting • Financial statement fraud involves misstating the financial condition of an entity by intentionally misstating amounts or disclosures in order to deceive users. • Financial statements can be misstated as a result of intentional efforts to deceive or as a result of undetected asset misappropriations that are so large that they cause misstatement. • Asset misappropriation is 17 times more likely than fraudulent financial reporting, but the amounts involved are much smaller.
WHO COMMITS FRAUD AND WHY • Financial statement fraud is distinct from other types of fraud in that the individuals who commit the fraud are not the direct beneficiaries. • The company is the direct beneficiary. • The perpetrators are typically indirect beneficiaries. • Reasons for Fraudulent Financial Statements • Deceive investors or creditors • Increase a company’s stock price • Meet cash flow needs • Hide company losses or other problems
SAS #99 • Auditors’ responsibility to detect fraud: • Understand fraud • Discuss the risks of material misstatement due to fraud • Among members of the audit team • Obtain information • Look for fraud risk factors • Identify, assess, and respond to risk • Evaluate the results of audit tests • Determine impact of fraud on financial statements • Document and communicate findings • See Chapter 3 • Incorporate a technological focus
THE FRAUD PROCESS • Fraud perpetrators are often referred to as white-collar criminals. • Researchers have compared the psychological and demographic characteristics of three groups of people: • White-collar criminals • Violent criminals • The general public • They found: • Significant differences between violent and white-collar criminals. • Few differences between white-collar criminals and the general public.
WHO COMMITS FRAUD AND WHY • Criminologist Donald Cressey interviewed 200+ convicted white-collar criminals in an attempt to determine the common threads in their crimes. As a result of his research, he determined that three factors were present in the commission of each crime. These three factors have come to be known as the fraud triangle. • Pressure • Opportunity • Rationalization
The “Fraud Triangle” (Donald Cressey): three conditions that are present when fraud occurs. • Pressure • Opportunity • Rationalization
WHO COMMITS FRAUD AND WHY • Pressure • Cressey referred to this pressure as a “perceived non-shareable need.” • The pressure could be related to finances, emotions, lifestyle, or some combination.
WHO COMMITS FRAUD AND WHY • Opportunity is the opening or gateway that allows an individual to: • Commit the fraud • Conceal the fraud • Convert the proceeds
WHO COMMITS FRAUD AND WHY • Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation. • Examples of concealment efforts: • Charge a stolen asset to an expense account or to an account receivable that is about to be written off. • Create a ghost employee who receives an extra paycheck. • Lapping. • Kiting.
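Two of the concealment techniques listed above leave patterns in the books that a routine audit test can surface. The following is an added example, not material from the chapter or the textbook's own software: it runs two such tests over constructed sample data (a hypothetical HR master file, payroll register and cash receipts journal, all made up for this example). The ghost-employee test looks for payroll lines with no HR record, pay after termination, a direct-deposit account shared with another employee, or gross pay with no deductions; the lapping test looks for receipts credited to an account other than the remitter's, and for the chain in which each credited account is the previous remitter (B's cash covers A, C's cash covers B, and so on).

```python
"""Audit tests for two concealment techniques: ghost employees on the payroll and
lapping of customer receipts. All records below are constructed sample data for
this example, not real payroll or receivables."""
from collections import defaultdict

# Constructed HR master file (what HR knows about).
HR_MASTER = {
    "E100": {"name": "A. Ortiz", "status": "active"},
    "E101": {"name": "B. Lin", "status": "active"},
    "E102": {"name": "C. Dube", "status": "terminated"},
}

# Constructed payroll register for one pay period (what was actually paid).
PAYROLL = [
    {"emp_id": "E100", "bank_acct": "11-0001", "gross": 3200.00, "deductions": 640.00},
    {"emp_id": "E101", "bank_acct": "11-0002", "gross": 2900.00, "deductions": 580.00},
    {"emp_id": "E102", "bank_acct": "11-0003", "gross": 3100.00, "deductions": 620.00},
    {"emp_id": "E999", "bank_acct": "11-0001", "gross": 3000.00, "deductions": 0.00},
]

# Constructed cash receipts journal: who remitted the money vs. whose account was credited.
RECEIPTS = [
    {"receipt": "R1", "payer": "CUST-A", "applied_to": "CUST-A", "amount": 500.0},
    {"receipt": "R2", "payer": "CUST-B", "applied_to": "CUST-A", "amount": 500.0},
    {"receipt": "R3", "payer": "CUST-C", "applied_to": "CUST-B", "amount": 500.0},
    {"receipt": "R4", "payer": "CUST-D", "applied_to": "CUST-D", "amount": 250.0},
]


def ghost_employee_flags(payroll, hr_master):
    """Return {emp_id: [reasons]} for payroll lines showing classic ghost-employee signs:
    no HR record, paid while not active, a direct-deposit account shared with another
    employee, or gross pay with no withholding or benefit deductions."""
    acct_owners = defaultdict(set)
    for rec in payroll:
        acct_owners[rec["bank_acct"]].add(rec["emp_id"])

    flags = defaultdict(list)
    for rec in payroll:
        emp = rec["emp_id"]
        hr = hr_master.get(emp)
        if hr is None:
            flags[emp].append("not in HR master")
        elif hr["status"] != "active":
            flags[emp].append("paid while status is %s" % hr["status"])
        others = acct_owners[rec["bank_acct"]] - {emp}
        if others:
            flags[emp].append("bank account shared with " + ", ".join(sorted(others)))
        if rec["gross"] > 0 and rec["deductions"] == 0:
            flags[emp].append("no deductions on gross pay")
    return dict(flags)


def lapping_flags(receipts):
    """Return (mismatched receipt ids, chain links). A receipt is mismatched when the
    remitter is not the account credited; consecutive mismatches where the account
    credited is the previous remitter form the lapping chain (B covers A, C covers B, ...)."""
    mismatches = [r for r in receipts if r["payer"] != r["applied_to"]]
    chain = []
    for prev, cur in zip(mismatches, mismatches[1:]):
        if cur["applied_to"] == prev["payer"]:
            chain.append((prev["receipt"], cur["receipt"]))
    return [r["receipt"] for r in mismatches], chain


if __name__ == "__main__":
    for emp, reasons in ghost_employee_flags(PAYROLL, HR_MASTER).items():
        print(emp, "->", "; ".join(reasons))
    print(lapping_flags(RECEIPTS))
```

Both tests produce leads, not proof: a shared bank account can be two employees in one household, and a parent company legitimately paying a subsidiary's invoice also shows up as a remitter mismatch. The point of running them on every pay period and every receipts batch is that the concealment work (the extra paycheck, the cash shuffled between accounts) has to be repeated, so it keeps regenerating the same pattern until someone looks.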
WHO COMMITS FRAUD AND WHY • Unless the target of the theft is cash, the stolen goods must be converted to cash or some other form that benefits the perpetrator. • Checks can be converted through alterations, forged endorsements, check washing, etc. • Non-cash assets can be sold (online auctions are a favorite forum) or returned to the company for cash.
WHO COMMITS FRAUD AND WHY • There are many opportunities that enable fraud. Some of the most common are: • Lack of internal controls • Failure to enforce controls (the most prevalent reason) • Excessive trust in key employees • Incompetent supervisory personnel • Inattention to details • Inadequate staff
WHO COMMITS FRAUD AND WHY • Management may allow fraud by: • Not getting involved in the design or enforcement of internal controls; • Inattention or carelessness; • Overriding controls; and/or • Using their power to compel subordinates to carry out the fraud.
WHO COMMITS FRAUD AND WHY • How many people do you know who regard themselves as being unprincipled or sleazy? • It is important to understand that fraudsters do not regard themselves as unprincipled. • In general, they regard themselves as highly principled individuals. • That view of themselves is important to them. • The only way they can commit their frauds and maintain their self image as principled individuals is to create rationalizations that recast their actions as “morally acceptable” behaviors.
WHO COMMITS FRAUD AND WHY • These rationalizations take many forms, including: • I was just borrowing the money. • It wasn’t really hurting anyone. (Corporations are often seen as non-persons, therefore crimes against them are not hurting “anyone.”) • Everybody does it. • I’ve worked for them for 35 years and been underpaid all that time. I wasn’t stealing; I was only taking what was owed to me. • I didn’t take it for myself. I needed it to pay my child’s medical bills.
WHO COMMITS FRAUD AND WHY • Creators of worms and viruses often use rationalizations like: • The malicious code helped expose security flaws, so I did a good service. • It was an accident. • It was not my fault—just an experiment that went bad. • It was the user’s fault because they didn’t keep their security up to date. • If the code didn’t alter or delete any of their files, then what’s the problem?
WHO COMMITS FRAUD AND WHY • Fraud occurs when: • People have perceived, non-shareable pressures; • The opportunity gateway is left open; and • They can rationalize their actions to reduce the moral impact in their minds (i.e., they have low integrity). • Fraud is much less likely to occur when • There is low pressure, low opportunity, and high integrity. • Unfortunately, there is usually a mixture of these forces in play, and it can be very difficult to determine the pressures that may apply to an individual and the rationalizations he/she may be able to produce.
APPROACHES TO COMPUTER FRAUD • The U.S. Department of Justice defines computer fraud as any illegal act for which knowledge of computer technology is essential for its: • Perpetration; • Investigation; or • Prosecution.
APPROACHES TO COMPUTER FRAUD • In using a computer, fraud perpetrators can steal: • More of something • In less time • With less effort • They may also leave very little evidence, which can make these crimes more difficult to detect.
APPROACHES TO COMPUTER FRAUD • Computer systems are particularly vulnerable to computer crimes for several reasons: • Company databases can be huge and access privileges can be difficult to create and enforce. Consequently, individuals can steal, destroy, or alter massive amounts of data in very little time. • Organizations often want employees, customers, suppliers, and others to have access to their system from inside the organization and without. This access also creates vulnerability. • Computer programs only need to be altered once, and they will operate that way until: • The system is no longer in use; or • Someone notices.
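The last bullet, that a program altered once keeps running that way until someone notices, is the reason program files get an integrity baseline. The following is an added example, not code from the chapter: it hashes every program file under a directory once, stores the digests, and on re-check reports which files were modified, removed or added. The two-file payroll "system" in demo() and its one-time edit are constructed for illustration; the file patterns are an assumption and would be tuned to the real system.

```python
"""File-integrity baseline for program code: hash every program file once, store the
hashes somewhere the programmers cannot write, and re-check on a schedule so a
one-time alteration surfaces even when nothing in the output looks wrong.
Added example using only the Python standard library; the payroll files in demo()
are constructed for illustration."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed file types that count as "program" files; adjust to the real system.
PROGRAM_PATTERNS = ("*.py", "*.sh", "*.sql")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, patterns=PROGRAM_PATTERNS) -> dict:
    """Map each program file (path relative to root) to its SHA-256 hex digest."""
    baseline = {}
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            if path.is_file():
                baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def verify(root: Path, baseline: dict, patterns=PROGRAM_PATTERNS) -> dict:
    """Diff the live tree against the stored baseline: changed, removed and new program files."""
    current = build_baseline(root, patterns)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a two-file payroll 'system', then make the kind of
    single edit the slide describes (the withholding rule silently changed), delete one
    file and add another, and return what the re-check sees."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "payroll.py").write_text(
            "RATE = 0.10\ndef withhold(gross):\n    return round(gross * RATE, 2)\n")
        (root / "report.py").write_text("def summary(rows):\n    return sum(rows)\n")
        baseline = build_baseline(root)

        # The one-time alteration: withholding is now truncated instead of rounded.
        # Nothing in the program's normal output shows the change; only the hash does.
        (root / "payroll.py").write_text(
            "import math\nRATE = 0.10\ndef withhold(gross):\n"
            "    return math.floor(gross * RATE * 100) / 100\n")
        (root / "report.py").unlink()
        (root / "helper.py").write_text("pass\n")
        return verify(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the custody of the baseline: if the person who can edit the program can also rewrite the stored hashes, they simply re-baseline after the change. Keep the baseline on a system the programmers cannot write to (or sign it), and reconcile every entry in "modified" and "added" against an approved change request before accepting it into the next baseline.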
APPROACHES TO COMPUTER FRAUD • Modern systems are accessed by PCs, which are inherently more vulnerable to security risks and difficult to control. • It is hard to control physical access to each PC. • PCs are portable, and if they are stolen, the data and access capabilities go with them. • PCs tend to be located in user departments, where one person may perform multiple functions that should be segregated. • PC users tend to be more oblivious to security concerns.
Computer Fraud Classifications • Input Fraud • Altering or falsifying input • Processor Fraud • Unauthorized system use • Computer Instructions Fraud • Modifying software, illegally copying software, using software in an unauthorized manner, or creating software to carry out unauthorized activities • Data Fraud • Illegally using, copying, browsing, searching, or harming company data • Output Fraud • Stealing, copying, or misusing computer printouts or displayed information
Preventing and Detecting Fraud • Make fraud less likely to occur • Increase the difficulty of committing fraud • Improve detection methods • Reduce fraud losses