Você está na página 1de 168

L

ECTURE 4

Computer Fraud and Abuse

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

1 of 175

INTRODUCTION
Information systems are becoming increasingly more complex and society is becoming increasingly more dependent on these systems.
Companies also face a growing risk of these systems being compromised. Recent surveys indicate 67% of companies suffered a security breach in the last year with almost 60% reporting financial losses.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 2 of 175

INTRODUCTION

Include: Fire or excessive heat Companies face four types of threats to Floods Earthquakes High winds Natural and political disasters War and terrorist attack When a natural or political disaster strikes, many companies can be affected at the same time. Example: Bombing of the World Trade Center in NY. The Defense Science Board has predicted that attacks on information systems by foreign countries, espionage agents, and terrorists will soon be widespread.

their information systems:

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

3 of 175

Include: Hardware or software failures Software errors or bugs Operating system crashes Companies face four types of threats to Power outages and fluctuations Natural and political disasters Undetected data transmission errors Software errors and equipment annual economic Estimated malfunction losses due to software bugs = $60 billion. 60% of companies studied had significant software errors in previous year.

INTRODUCTION

their information systems:

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

4 of 175

INTRODUCTION
Include Accidents of threats Companies face four types caused by: to Human carelessness Failure to follow established procedures Natural and political disasters Poorly trained or supervised Software errors and equipment malfunction personnel Unintentional acts Innocent errors or omissions Lost, destroyed, or misplaced data Logic errors Systems that do not meet needs or are incapable of performing intended tasks Information Systems Security Assn. estimates 65% of security problems are caused by human error. 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 5 of 175

their information systems:

INTRODUCTION Include:

Sabotage Computer fraud Companies face four types of threatsuse, or Misrepresentation, false to unauthorized disclosure of data Misappropriation of assets Natural and political Financial statement fraud disasters Information systems are increasingly Software errors and equipment malfunction vulnerable to these malicious attacks.

their information systems:

Unintentional acts Intentional acts (computer crime)

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

6 of 175

INTRODUCTION
In this chapter well discuss:
The fraud process Why fraud occurs Approaches to computer fraud Specific techniques used to commit computer fraud Ways companies can deter and detect computer fraud

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

7 of 175

INTRODUCTION
In this chapter well discuss:
The fraud process Why fraud occurs Approaches to computer fraud Specific techniques used to commit computer fraud Ways companies can deter and detect computer fraud

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

8 of 175

The definition is the same whether it is a criminal or civil fraud case. The only difference is the burden of proof required. Criminal case: beyond a Fraud is any and all means a person uses to reasonable doubt. gain an unfair advantage over another person.the Civil case: preponderance of evidence OR clear and convincing In most cases, to be considered fraudulent, an evidence.

THE FRAUD PROCESS

act must involve:


A false statement (oral or in writing) About a material fact Knowledge that the statement was false when it was uttered (which implies an intent to deceive) A victim relies on the statement And suffers injury or loss as a result
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 9 of 175

THE FRAUD PROCESS


Because fraudsters dont make journal entries to record their frauds, we can only estimate the amount of losses caused by fraudulent acts:
The Association of Certified Fraud Examiners (ACFE) estimates that total fraud losses in the United States run around 6% of annual revenues or approximately $660 billion in 2004.
More than we spend on education and roads in a year. Six times what we pay for the criminal justice system.

Income tax fraud (the difference between what taxpayers owe and what they pay to the government) is estimated to be over $200 billion per year. Fraud in the healthcare industry is estimated to exceed $100 billion a year.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 10 of 175

THE FRAUD PROCESS


Fraud against companies may be committed by an employee or an external party.
Former and current employees (called knowledgeable insiders) are much more likely than non-employees to perpetrate frauds (and big ones) against companies.
Largely owing to their understanding of the companys systems and its weaknesses, which enables them to commit the fraud and cover their tracks.

Organizations must utilize controls to make it difficult for both insiders and outsiders to steal from the company.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

11 of 175

THE FRAUD PROCESS


Fraud perpetrators are often referred to as white-collar criminals.
Distinguishes them from violent criminals, although some white-collar crime can ultimately have violent outcomes, such as:
Perpetrators or their victims committing suicide. Healthcare patients killed because of alteration of information, etc., that can result in their deaths.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

12 of 175

THE FRAUD PROCESS


Three types of occupational fraud:
Misappropriation of assets
Involves theft, embezzlement, or misuse of company assets for personal gain. Examples include billing schemes, check tampering, skimming, and theft of inventory. In the 2004 Report to the Nation on Occupational Fraud and Abuse, 92.7% of occupational frauds involved asset misappropriation at a median cost of $93,000.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

14 of 175

THE FRAUD PROCESS


Three types of occupational fraud:
Misappropriation of assets Corruption
Corruption involves the wrongful use of a position, contrary to the responsibilities of that position, to procure a benefit. Examples include kickback schemes and conflict of interest schemes. About 30.1% of occupational frauds include corruption schemes at a median cost of $250,000.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

15 of 175

THE FRAUD PROCESS


Three types of occupational fraud:
Misappropriation of assets Corruption Fraudulent statements
Financial statement fraud involves misstating the financial condition of an entity by intentionally misstating amounts or disclosures in order to deceive users. Financial statements can be misstated as a result of intentional efforts to deceive or as a result of undetected asset misappropriations that are so large that they cause misstatement. About 7.9% of occupational frauds involve fraudulent statements at a median cost of $1 million. (The median pales in comparison to the maximum cost.) 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 16 of 175

THE FRAUD PROCESS


A typical employee fraud has a number of important elements or characteristics: The fraud perpetrator must gain the trust or confidence of the person or company being defrauded in order to commit and conceal the fraud. Instead of using a gun, knife, or physical force, fraudsters use weapons of deceit and misinformation. Frauds tend to start as the result of a perceived need on the part of the employee and then escalate from need to greed. Most fraudsters cant stop once they get started, and their frauds grow in size. The fraudsters often grow careless or overconfident over time. Fraudsters tend to spend what they steal. Very few save it. In time, the sheer magnitude of the frauds may lead to detection. The most significant contributing factor in most employee frauds is the absence of internal controls and/or the failure to enforce existing controls.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 17 of 175

THE FRAUD PROCESS


The National Commission on Fraudulent Financial Reporting (aka, the Treadway Commission) defined fraudulent financial reporting as intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements. Financial statements can be falsified to:
Deceive investors and creditors Cause a companys stock price to rise Meet cash flow needs Hide company losses and problems

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

18 of 175

THE FRAUD PROCESS


Fraudulent financial reporting is of great concern to independent auditors, because undetected frauds lead to half of the lawsuits against auditors. In the case of Enron, a financial statement fraud led to the total elimination of Arthur Andersen, a premiere international public accounting firm.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

19 of 175

THE FRAUD PROCESS


Common approaches to cooking the books include:
Recording fictitious revenues Recording revenues prematurely Recording expenses in later periods Overstating inventories or fixed assets (WorldCom) Concealing losses and liabilities

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

20 of 175

THE FRAUD PROCESS


The Treadway Commission recommended four actions to reduce the possibility of fraudulent financial reporting:
Establish an organizational environment that contributes to the integrity of the financial reporting process. Identify and understand the factors that lead to fraudulent financial reporting. Assess the risk of fraudulent financial reporting within the company. Design and implement internal controls to provide reasonable assurance that fraudulent financial reporting is prevented.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

21 of 175

THE FRAUD PROCESS


SAS 99: The Auditors Responsibility to Detect Fraud
In 1997, SAS-82, Consideration of Fraud in a Financial Statement Audit, was issued to clarify the auditors responsibility to detect fraud.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

22 of 175

THE FRAUD PROCESS


A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
Understand fraud
Auditors cant effectively audit something they dont understand. SAS-99 also indicated that auditors are not lawyers and do not make legal determinations of whether fraud has occurred. The external auditors interest specifically relates to acts that result in a material misstatement of the financial statements. Note that SAS-99 relates to external auditors. Internal auditors will have a more extensive interest in fraud than just those that impact financial statements.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

23 of 175

THE FRAUD PROCESS


A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
Understand fraud Discuss the risks of material fraudulent misstatements
While planning the audit, members of the audit team should discuss how and where the companys financial statements might be susceptible to fraud.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

24 of 175

The audit team must gather evidence about the existence of fraud by: Looking for fraud risk factors Testing company records A Asking management, the audit committee,issued in if they revision to SAS-82, SAS-99, was and others Decemberany past or current fraud or of fraud risks the know of 2002. SAS-99 requires auditors to: organization faces. Understand fraud Discuss the risks of material fraudulent misstatements Special care needs to be exercised in examining revenue accounts, since they are particularly popular fraud targets.

THE FRAUD PROCESS

Obtain information

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

25 of 175

THE FRAUD PROCESS


A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
Understand fraud Discuss the risks of material fraudulent misstatements Obtain information Identify, assess, and respond to risks

Use the gathered information to identify, assess, and respond to risks. Auditors can respond by varying the nature, timing, and extent of auditing procedures they perform. They should also carefully evaluate risks related to management override of controls.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 26 of 175

THE FRAUD PROCESS


A revision to must assess the risk of was throughout the SAS-82, SAS-99, fraud issued in Auditors December 2002. SAS-99 requires auditors to: audit.
Understand fraud is complete, they must evaluate whether When the audit any the risks of material fraudulent misstatements Discussidentified misstatements indicate the presence of fraud. Obtain information If so, they should determine the impact on the financial Identify, assess, and respond to risks statements and the audit. Evaluate the results of their audit tests

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

27 of 175

THE FRAUD PROCESS


A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
Understand fraud Discuss the risks of material fraudulent misstatements Obtain information Identify, assess, and respond to risks Evaluate the results of their audit tests Communicate findings
Auditors communicate their fraud findings to management, the audit committee, and others.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 28 of 175

THE FRAUD PROCESS


A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
Understand fraud Discuss the risks of material fraudulent misstatements Obtain information Identify, assess, and respond to risks Evaluate the results of their audit tests Communicate findings Document their audit work
Auditors must document their compliance with SAS-99 requirements.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 29 of 175

THE FRAUD PROCESS


A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
Understand fraud Discuss the risks of material fraudulent misstatements Obtain information Identify, assess, and respond to risks Evaluate the results of theirthat technology impacts fraud SAS-99 recognizes audit tests risks findings Communicate and notes opportunities that auditors have to use technology-oriented tools and techniques Document their audit work to design fraud auditing procedures. Incorporate a technology focus

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

30 of 175

INTRODUCTION
In this chapter well discuss:
The fraud process Why fraud occurs Approaches to computer fraud Specific techniques used to commit computer fraud Ways companies can deter and detect computer fraud

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

31 of 175

WHO COMMITS FRAUD AND WHY


Researchers have compared the psychological and demographic characteristics of three groups of people:
White-collar criminals Violent criminals The general public

They found:
Significant differences between violent and white-collar criminals. Few differences between white-collar criminals and the general public.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

32 of 175

WHO COMMITS FRAUD AND WHY


White-collar criminals tend to mirror the general public in:
Education Age Religion Marriage Length of employment Psychological makeup

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

33 of 175

WHO COMMITS FRAUD AND WHY


Perpetrators of computer fraud tend to be younger and possess more computer knowledge, experience, and skills. Hackers and computer fraud perps tend to be more motivated by:
Curiosity A quest for knowledge The desire to learn how things work The challenge of beating the system

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

34 of 175

WHO COMMITS FRAUD AND WHY


They may view their actions as a game rather than dishonest behavior. Another motivation may be to gain stature in the hacking community. Some see themselves as revolutionaries spreading a message of anarchy and freedom. But a growing number want to profit financially. To do so, they may sell data to:
Spammers Organized crime Other hackers The intelligence community
Accounting Information Systems, 11/e Romney/Steinbart 35 of 175

2008 Prentice Hall Business Publishing

WHO COMMITS FRAUD AND WHY


Some fraud perpetrators are disgruntled and unhappy with their jobs and are seeking revenge against their employers. Others are regarded as ideal, hard-working employees in positions of trust. Most have no prior criminal record. So why are they willing to risk everything?

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

36 of 175

WHO COMMITS FRAUD AND WHY


Criminologist Donald Cressey, interviewed 200+ convicted white-collar criminals in an attempt to determine the common threads in their crimes. As a result of his research, he determined that three factors were present in the commission of each crime. These three factors have come to be known as the fraud triangle.
Pressure Opportunity Rationalization
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 37 of 175

The Fraud Triangle


Donald Cressey

Rationalization
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 38 of 175

The Fraud Triangle


Donald Cressey

Rationalization
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 39 of 175

WHO COMMITS FRAUD AND WHY


Pressure
Cressey referred to this pressure as a perceived non-shareable need. The pressure could be related to finances, emotions, lifestyle, or some combination.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

40 of 175

WHO COMMITS FRAUD AND WHY


The most common pressures were:
- Not being able to pay ones debts, nor admit it to ones employer, family, or friends (which makes it non-shareable).
May be associated with vices, such as drugs, gambling, mistresses, etc.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

41 of 175

WHO COMMITS FRAUD AND WHY


The most common pressures were:
- Not being able to pay ones debts, nor admit it to ones employer, family, or friends (which makes in non-shareable). - Fear of loss of status because of a personal failure Example would be mismanagement of
a personal investment or retirement fund.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

42 of 175

WHO COMMITS FRAUD AND WHY


The most common pressures were:
- Not being able to pay ones debts, nor admit it to ones employer, family, or friends (which makes in non-shareable). - Fear of loss of status because of a personal failure - Business reversals
Not many people can walk away from a failing business.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

43 of 175

WHO COMMITS FRAUD AND WHY


The most common pressures were:
- Not being able to pay ones debts, nor admit it to ones employer, family, or friends (which makes in non-shareable). - Fear of loss of status because of a personal failure - Business reversals - Physical isolation
When an individual is isolated, physically or psychologically, almost any pressure becomes nonshareable.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

44 of 175

WHO COMMITS FRAUD AND WHY


The most common pressures were:
- Not being able to pay ones debts, nor admit it to ones employer, family, or friends (which makes in non-shareable). - Fear of loss of status Many frauds are motivated by nothing because of a personal failure - Business reversals more than a perceived need to keep up with the Joneses. - Physical isolation The problem is that there is always a - Status gaining richer Jones down the street and
the pressure continues to mount, as do the resulting thefts.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

45 of 175

WHO COMMITS FRAUD AND WHY


The most common pressures were:
- Not being able to pay ones debts, nor admit it to ones employer, family, or friends (which makes in non-shareable). - Fear of loss of status because of a personal failure - Business reversalsMay create pressure to get revenge, - Physical isolation take the money you feel is rightfully owed to you, etc. - Status gaining - Difficulties in employer-employee relations

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

46 of 175

WHO COMMITS FRAUD AND WHY


Whats important here is the perception of the pressure.
There might be a number of people who could and would help a tentative fraudster out of his financial woes. But as long as he perceives that he cannot share his burden, the pressure is present. Research has also found that an individuals propensity to commit fraud is more related to how much he worries about his financial position than his actual position. The millionaire who frets a lot about his financial condition is more likely to commit fraud than the guy who doesnt have two dimes to rub together but isnt worried about it.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

47 of 175

WHO COMMITS FRAUD AND WHY


Financial statement fraud is distinct from other types of fraud in that the individuals who commit the fraud are not the direct beneficiaries.
The company is the direct beneficiary. The perpetrators are typically indirect beneficiaries.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

48 of 175

WHO COMMITS FRAUD AND WHY


In the case of financial statement frauds, common pressures include:
To prop up earnings or stock price so that management can: Receive performance-related compensation. Preserve or improve personal wealth held in company stock or stock options. Keep their jobs. To cover the inability to generate cash flow. To obtain financing. To appear to comply with bond covenants or other agreements. May be opposite of propping up earnings in cases involving income-tax motivations, government contracts, or regulation.

Click here for a comprehensive list of pressures.

Pressures
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 49 of 175

The Fraud Triangle


Donald Cressey

Rationalization
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 51 of 175

WHO COMMITS FRAUD AND WHY


Opportunity is the opening or gateway that allows an individual to:
Commit the fraud Conceal the fraud Convert the proceeds

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

52 of 175

WHO COMMITS FRAUD AND WHY


Opportunity is the opening or gateway that allows an individual to:
Commit the fraud Conceal the fraud Convert the proceeds

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

53 of 175

WHO COMMITS FRAUD AND WHY


Committing the fraud might involve acts such as:
Misappropriating assets. Issuing deceptive financial statements. Accepting a bribe in order to make an arrangement that is not in the companys best interest.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

54 of 175

WHO COMMITS FRAUD AND WHY


Opportunity is the opening or gateway that allows an individual to:
Commit the fraud Conceal the fraud Convert the proceeds

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

55 of 175

WHO COMMITS FRAUD AND WHY


Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation. Examples of concealment efforts:
Charge a stolen asset to an expense account or to an account receivable that is about to be written off.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

56 of 175

WHO COMMITS FRAUD AND WHY


Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation. Examples of concealment efforts:
Charge a stolen asset to an expense account or to an account receivable that is about to be written off. Create a ghost employee who receives an extra paycheck.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

57 of 175

WHO COMMITS FRAUD AND WHY


Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation. Examples of concealment efforts:

Steal a payment from Charge a stolen asset to Customer A. account or to an an expense Apply Customer Bs account receivable that payment to Customer As account so is about to be written off. Customer A wont get a late notice. Create a ghost employee who receives an extra Apply Customer Cs payment to Customer Bs account, so paycheck. Customer B wont get a late notice, etc. Lapping.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

58 of 175

WHO COMMITS FRAUD AND WHY


Concealing the fraud often takes more time and Creates cash by transferring money between banks. effort and leaves more evidence than the actual Requires multiple bank accounts. theft or misrepresentation. Basic scheme: Examples of a check on the account of Bank A. Write concealment efforts:
Bank A doesnt have sufficient funds to cover to Charge a stolen asset to an expense account orthe an check, so write a check from an account in Bank account receivable that is about to be written off. B to be deposited in Bank A. Create a ghost employee who receives an extra Bank B doesnt have sufficient funds to cover the paycheck. so write a check from an account in Bank C to check, be Lapping. deposited in Bank B, etc. Kiting.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

59 of 175

WHO COMMITS FRAUD AND WHY


Opportunity is the opening or gateway that allows an individual to:
Commit the fraud Conceal the fraud Convert the proceeds

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

60 of 175

WHO COMMITS FRAUD AND WHY


Unless the target of the theft is cash, then the stolen goods must be converted to cash or some form that is beneficial to the perpetrator.
Checks can be converted through alterations, forged endorsements, check washing, etc. Non-cash assets can be sold (online auctions are a favorite forum) or returned to the company for cash.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 61 of 175

WHO COMMITS FRAUD AND WHY


If the fraud is a financial statement fraud, then the gains received may include:
I have to keep my job. The value of my stock or stock options rose. I received a raise, promotion, or bonus. I have power.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

62 of 175

WHO COMMITS FRAUD AND WHY


There are many opportunities that enable fraud. Some of the most common are:
Lack of internal controls Failure to enforce controls (the most prevalent reason) Excessive trust in key employees Incompetent supervisory personnel Inattention to details Inadequate staff

Click here for a comprehensive list of opportunities. Opportunities


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 63 of 175

WHO COMMITS FRAUD AND WHY


Internal controls that may be lacking or unenforced include:
Authorization procedures Clear lines of authority Adequate supervision Adequate documents and records A system to safeguard assets Independent checks on performance Separation of duties

One control feature that many companies lack is a background check on all potential employees.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 68 of 175

WHO COMMITS FRAUD AND WHY


Management may allow fraud by:
Not getting involved in the design or enforcement of internal controls; Inattention or carelessness; Overriding controls; and/or Using their power to compel subordinates to carry out the fraud.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

69 of 175

The Fraud Triangle


Donald Cressey

Rationalization
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 70 of 175

WHO COMMITS FRAUD AND WHY


How many people do you know who regard themselves as being unprincipled or sleazy? It is important to understand that fraudsters do not regard themselves as unprincipled.
In general, they regard themselves as highly principled individuals. That view of themselves is important to them. The only way they can commit their frauds and maintain their self image as principled individuals is to create rationalizations that recast their actions as morally acceptable behaviors.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 71 of 175

WHO COMMITS FRAUD AND WHY


These rationalizations take many forms, including:
I was just borrowing the money. It wasnt really hurting anyone. (Corporations are often seen as non-persons, therefore crimes against them are not hurting anyone.) Everybody does it. Ive worked for them for 35 years and been underpaid all that time. I wasnt stealing; I was only taking what was owed to me. I didnt take it for myself. I needed it to pay my childs medical bills.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 72 of 175

WHO COMMITS FRAUD AND WHY


Creators of worms and viruses often use rationalizations like:
The malicious code helped expose security flaws, so I did a good service. It was an accident. It was not my faultjust an experiment that went bad. It was the users fault because they didnt keep their security up to date. If the code didnt alter or delete any of their files, then whats the problem?

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

73 of 175

WHO COMMITS FRAUD AND WHY


Fraud occurs when:
People have perceived, non-shareable pressures; The opportunity gateway is left open; and They can rationalize their actions to reduce the moral impact in their minds (i.e., they have low integrity).

Fraud is much less likely to occur when:


There is low pressure, low opportunity, and high integrity.

Unfortunately, there is usually a mixture of these forces in play, and it can be very difficult to determine the pressures that may apply to an individual and the rationalizations he/she may be able to produce.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

74 of 175

INTRODUCTION
In this chapter well discuss:
The fraud process Why fraud occurs Approaches to computer fraud Specific techniques used to commit computer fraud Ways companies can deter and detect computer fraud

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

75 of 175

APPROACHES TO COMPUTER FRAUD


The U.S. Department of Justice defines computer fraud as any illegal act for which knowledge of computer technology is essential for its:
Perpetration; Investigation; or Prosecution.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

76 of 175

APPROACHES TO COMPUTER FRAUD


Computer fraud includes the following:
Unauthorized theft, use, access, modification, copying, and destruction of software or data. Theft of money by altering computer records. Theft of computer time. Theft or destruction of computer hardware. Use or the conspiracy to use computer resources to commit a felony. Intent to illegally obtain information or tangible property through the use of computers.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 77 of 175

APPROACHES TO COMPUTER FRAUD


In using a computer, fraud perpetrators can steal:
More of something In less time With less effort

They may also leave very little evidence, which can make these crimes more difficult to detect.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 78 of 175

APPROACHES TO COMPUTER FRAUD


Computer systems are particularly vulnerable to computer crimes for several reasons:
Company databases can be huge and access privileges can be difficult to create and enforce. Consequently, individuals can steal, destroy, or alter massive amounts of data in very little time. Organizations often want employees, customers, suppliers, and others to have access to their system from inside the organization and without. This access also creates vulnerability. Computer programs only need to be altered once, and they will operate that way until:
The system is no longer in use; or Someone notices.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 79 of 175

APPROACHES TO COMPUTER FRAUD


Modern systems are accessed by PCs, which are inherently more vulnerable to security risks and difficult to control.
It is hard to control physical access to each PC. PCs are portable, and if they are stolen, the data and access capabilities go with them. PCs tend to be located in user departments, where one person may perform multiple functions that should be segregated. PC users tend to be more oblivious to security concerns.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 80 of 175

APPROACHES TO COMPUTER FRAUD


Computer systems face a number of unique challenges:
Reliability (accuracy and completeness) Equipment failure Environmental dependency (power, water damage, fire) Vulnerability to electromagnetic interference and interruption Eavesdropping Misrouting

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

81 of 175

APPROACHES TO COMPUTER FRAUD


Organizations that track computer fraud estimate that most U.S. businesses have been victimized by at least one incident of computer fraud.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

82 of 175

APPROACHES TO COMPUTER FRAUD


These frauds cost billions of dollars each year, and their frequency is increasing because:
Not everyone agrees on what constitutes computer fraud.
Many dont believe that taking an unlicensed copy of software is computer fraud. (It is and can result in prosecution.) Some dont think its a crime to browse through someone elses computer if their intentions arent malicious.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 83 of 175

APPROACHES TO COMPUTER FRAUD


Many computer frauds go undetected. An estimated 8090% of frauds that are uncovered are not reported because of fear of:
Adverse publicity Copycats Loss of customer confidence

There are a growing number of competent computer users, and they are aided by easier access to remote computers through the Internet and other data networks.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 84 of 175

APPROACHES TO COMPUTER FRAUD


Some folks believe it cant happen to us. Many networks have a low level of security. Instructions on how to perpetrate computer crimes and abuses are readily available on the Internet. Law enforcement is unable to keep up with the growing number of frauds. The total dollar value of losses is difficult to calculate.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 85 of 175

APPROACHES TO COMPUTER FRAUD


Economic espionage, the theft of information and intellectual property, is growing especially fast. This growth has led to the need for investigative specialists or cybersleuths.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

86 of 175

APPROACHES TO COMPUTER FRAUD


Computer fraud classification
Frauds can be categorized according to the data processing model:
Input Processor Computer instructions Stored data Output

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

87 of 175

COMPUTER FRAUD CLASSIFICATIONS


Data Fraud

Input Fraud

Processor Fraud

Output Fraud

Computer Instructions Fraud


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 88 of 175

COMPUTER FRAUD CLASSIFICATIONS


Data Fraud

Input Fraud

Processor Fraud

Output Fraud

Computer Instructions Fraud


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 89 of 175

APPROACHES TO COMPUTER FRAUD


Input Fraud
The simplest and most common way to commit a fraud is to alter computer input. Requires little computer skills Perpetrator only needs to understand how the system operates Can take a number of forms, including: Disbursement frauds
The perpetrator causes a company to: Pay too much for ordered goods; or Pay for goods never ordered.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

90 of 175

APPROACHES TO COMPUTER FRAUD


Input Fraud
The simplest and most common way to commit a fraud is to alter computer input. Requires little computer skills. Perpetrator only needs to understand how the system operates. Can take a number of forms, including: Disbursement frauds Inventory frauds
The perpetrator enters data into the system to show that stolen inventory has been scrapped.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

91 of 175

APPROACHES TO COMPUTER FRAUD


Input Fraud
The simplest and most common way to commit a fraud is to alter computer input. Perpetrators may enter data to: Requires little computer skills. Increase to understand Perpetrator only needtheir salaries. how the system operates Create a fictitious employee. Can take a number of forms, including: Retain a terminated employee on the records. Disbursement frauds two instances, the perpetrator In the latter intercepts and cashes the resulting paychecks. Inventory frauds Payroll frauds

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

92 of 175

APPROACHES TO COMPUTER FRAUD


Input Fraud
The simplest and most common way to commit a fraud is to alter computer input. Requires little computer skills. Perpetrator only needs to understand how the system operatesThe perpetrator hides the theft by falsifying Can take a number of forms, including: system input. Disbursement frauds Cash of $200 is received. The EXAMPLE: perpetrator records a cash receipt of $150 and Inventory frauds pockets the $50 difference. Payroll frauds
Cash receipt frauds

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

93 of 175

APPROACHES TO COMPUTER FRAUD


Input Fraud
The simplest and most common way to commit a fraud is to alter computer input. Requires little computer skills. Perpetrator only needs to understand how the system operates Can take a number of forms, including: Disbursement frauds Inventory frauds Payroll frauds perpetrator files for an undeserved refund, The such as a Cash receipt frauds tax refund. Fictitious refund fraud

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

94 of 175

COMPUTER FRAUD CLASSIFICATIONS


Data Fraud

Input Fraud

Processor Fraud

Output Fraud

Computer Instructions Fraud


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 95 of 175

APPROACHES TO COMPUTER FRAUD


Processor fraud
Involves computer fraud committed through unauthorized system use. Includes theft of computer time and services. Incidents could involve employees:
Surfing the Internet; Using the company computer to conduct personal business; or Using the company computer to conduct a competing business.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

96 of 175

APPROACHES TO COMPUTER FRAUD


In one example, an agriculture college at a major state university was experiencing very sluggish performance from its server. Upon investigating, IT personnel discovered that an individual outside the United States had effectively hijacked the colleges server to both store some of his/her research data and process it. The college eliminated the individuals data and blocked future access to the system. The individual subsequently contacted college personnel to protest the destruction of the data. Demonstrates both:
How a processor fraud can be committed. How oblivious users can sometimes be to the unethical or illegal nature of their activities.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

97 of 175

COMPUTER FRAUD CLASSIFICATIONS


Data Fraud

Input Fraud

Processor Fraud

Output Fraud

Computer Instructions Fraud


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 98 of 175

APPROACHES TO COMPUTER FRAUD


Computer instructions fraud
Involves tampering with the software that processes company data. May include:
Modifying the software Making illegal copies Using it in an unauthorized manner

Also might include developing a software program or module to carry out an unauthorized activity.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 99 of 175

APPROACHES TO COMPUTER FRAUD


Computer instruction fraud used to be one of the least common types of frauds because it required specialized knowledge about computer programming beyond the scope of most users. Today these frauds are more frequentcourtesy of Web pages that instruct users on how to create viruses and other schemes.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

100 of 175

COMPUTER FRAUD CLASSIFICATIONS


Data Fraud

Input Fraud

Processor Fraud

Output Fraud

Computer Instructions Fraud


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 101 of 175

APPROACHES TO COMPUTER FRAUD


Data fraud
Involves:
Altering or damaging a companys data files; or Copying, using, or searching the data files without authorization.

In many cases, disgruntled employees have scrambled, altered, or destroyed data files. Theft of data often occurs so that perpetrators can sell the data.
Most identity thefts occur when insiders in financial institutions, credit agencies, etc., steal and sell financial information about individuals from their employers database.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 102 of 175

COMPUTER FRAUD CLASSIFICATIONS


Data Fraud

Input Fraud

Processor Fraud

Output Fraud

Computer Instructions Fraud


2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 103 of 175

APPROACHES TO COMPUTER FRAUD


Output fraud
Involves stealing or misusing system output. Output is usually displayed on a screen or printed on paper. Unless properly safeguarded, screen output can easily be read from a remote location using inexpensive electronic gear. This output is also subject to prying eyes and unauthorized copying. Fraud perpetrators can use computers and peripheral devices to create counterfeit outputs, such as checks.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 104 of 175

INTRODUCTION
In this chapter well discuss:
The fraud process Why fraud occurs Approaches to computer fraud Specific techniques used to commit computer fraud Ways companies can deter and detect computer fraud

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

105 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling

Changing data before, during, or after it is entered into the system. Can involve adding, deleting, or altering key system data.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

106 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling Data leakage

Unauthorized copying of company data.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

107 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling Data leakage Denial of service attacks An attacker overloads and shuts down an Internet service providers email system by sending email bombs at a rate of thousands per secondoften from randomly generated email addresses. May also involve shutting down a Web server by sending a load of requests for the Web pages.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

108 of 175

Carried out as follows: The attacker infects dozens of computers that have broadband TECHNIQUES with denial-of-service Internet access programs. These infected computers Perpetrators have devised are the zombies. to commit many methods The attacker then computer fraud and abuse. These include:activates the denial-of-service programs, and the Data diddling zombies send pings (emails or Data leakage requests for data) to the target server. Denial of service attacks The victim responds to each, not realizing they have fictitious return addresses, and waits for responses that dont come. While the victim waits, system performance degrades until the system freezes up or crashes. The attacker terminates the program after an hour or two to limit the victims ability to trace the source.

COMPUTER FRAUD AND ABUSE

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

109 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling Data leakage Denial of service attacks Experts estimate there as many as 5,000 denial-of-service attacks weekly in the United States. A denial-of-service can cause severe economic damage to its victim or even drive them out of business.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

110 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling Data leakage Denial of service attacks Eavesdropping Perpetrators surreptitiously observe private communications or transmission of data. Equipment to commit these electronic wiretaps is readily available at electronics stores.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

111 of 175

COMPUTER FRAUD AND ABUSE A threatening message is sent to a victim to induce the victim to TECHNIQUES do something that would make it possible to be defrauded.

Several banks in the Midwest were contacted by an overseas Perpetrators who indicated that: methods to commit perpetrator have devised many computer fraud and abuse. computer system and obtained He had broken into their These include: personal Data diddlingand banking information about all of the banks customers. Data leakage He of service attacks Denialwould notify the banks customers of this breach if he was not paid a specified sum of money. Eavesdropping Email threats

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

112 of 175

appears to have come from someone other than the actual sender. Perpetrators have devised many methods to commit Email spoofers may: computer fraud and abuse. These include: Claim to be system administrators Data diddling and ask users to change their Data leakage passwords to specific values. Denial of service attacks Pretend to be management and request a copy of some sensitive Eavesdropping information. Email threats Email forgery (aka, spoofing)

COMPUTER FRAUD AND ABUSE Involves sending TECHNIQUES an email message that

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

113 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit Unauthorized access to and use of computer systemsusually by computer fraud and abuse. These include:
means of a personal computer and a telecommunications Data diddling network. Data leakage Most hackers break into systems using known flaws in operating Denial of service attacks systems, applications programs, or access controls. Eavesdropping malevolent and mainly motivated by curiosity Some are not very and a desire to Email threats overcome a challenge. Emailhave malicious intent and can do significant damage. Others forgery (aka, spoofing) Hacking

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

114 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling Data leakage Denial of service attacks Eavesdropping Hacking that attacks phone systems and Email threats uses phone lines to transmit viruses and to spoofing) Email forgery (aka, access, steal, and destroy data. They also steal telephone services and Hacking may break into voice mail systems. Phreaking Some hackers gain access to systems through dial-up modem lines.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

115 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling Data leakage Denial of service attacks Eavesdropping Email threats Email forgery (aka, spoofing) Hacking Involves gaining control of someone Phreaking elses computer to carry out illicit activities without the users knowledge. Hijacking The illicit activity is often the perpetuation of spam emails.
Accounting Information Systems, 11/e Romney/Steinbart 116 of 175

2008 Prentice Hall Business Publishing

Assuming someones identity, typically for economic gain, by illegally have devised many methods to commit Perpetratorsobtaining and using confidential information such as the persons social security number, bank computer fraud and abuse. These include: account number, or credit card number. Data diddling Identity thieves benefit financially by: Data leakage Taking funds out of the victims bank account. Denial of service attacks Taking out mortgages or other loans under the victims Eavesdropping identity. Email Taking out credit cards and running up large balances. threats Email forgery (aka, spoofing) If the thief is careful and ensures that bills and notices are Hackingto an address he controls, the scheme may be sent prolonged until such time as the victim attempts to buy a Phreaking home Hijackingor car and finds out that his credit is destroyed. Identity theft

COMPUTER FRAUD AND ABUSE TECHNIQUES

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

117 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling Data leakage Victims can usually clear their credit, but the effort requires a Denial of service attacks time and expense. significant amount of Eavesdropping was made a federal offense in 1998, but it is a Identity theft Email threats growing crime industry. Email forgery (aka, spoofing) whose job duties involved One U.S. postal inspector, investigation of identity thefts, was himself a victim. The thief Hacking ran up Phreaking$80,000 in debt under the postal inspectors identity before the inspector discovered the problem. Hijacking Identity theft

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

118 of 175

Identity thieves can steal corporate or individual identities by: Shoulder surfing

COMPUTER FRAUD AND ABUSE Watching people enter telephone calling card numbers or credit card TECHNIQUES numbers or listening to communications as they provide this
information to sales clerks or others.

Scavenging or have devised many methods to commit Perpetrators dumpster diving


Searching corporate abuse. records by rifling computer fraud andor personalThese include: garbage cans,

company information. Data diddling May also look for personal information such as checks, credit card Data leakage statements, bank statements, tax returns, discarded applications for Denial of service attacks pre-approved credit cards, or other records that contain social security Eavesdropping numbers, names, addresses, phone numbers, and other data that allow them to assume an identity. Email threats Email forgery Redirecting mail (aka, spoofing) Hacking Intercepting mail and having it delivered to a location where others can access it. Phreaking Using Internet, email, and other technology in spoofing, phishing, Hijacking eavesdropping, impersonating, social engineering, and data Identity theft leakage schemes.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 119 of 175

communal trash bins, and city dumps for documents with confidential

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit The U.S. and abuse. Justice suggests computer fraud Department ofThese include: the following four
ways to minimize the chances of being victimized by Data diddling theft: identity Data leakage Do not give out corporate or personal information Denial of unless there is a good reason to trust the person to service attacks Eavesdropping it is given. whom Email threats financial information regularly for what should Check be there, spoofing) Email forgery (aka, as well as for what should not be there. Hacking Periodically review your credit report. Maintain careful records of banking and financial Phreaking Hijackingaccounts. Identity theft

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

120 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation Using the Internet to spread false or misleading information about people or companies. May involve: Planting inflammatory messages in online chat rooms. Websites with misinformation. Pretending to be someone else online and making inflammatory comments that will be attributed to that person. A pump-and-dump occurs when an individual spreads misinformation, often through Internet chat rooms, to cause a runup in the value a stock and then sells off his shares of the stock. A number of pump-and-dump cases have been prosecuted by the SEC. 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 121 of 175

Another common form of Internet misinformation is the spreading of urban legendsoften by innocently forwarding emails. TECHNIQUES Urban legends may often include damaging implications about company products, such as a recent email suggesting that certain Perpetrators have devised many methods to commit lipsticks contain lead or that using plastic cookware in the computer fraud and abuse. These include: microwave can cause cancer. Internet misinformation Before forwarding any emails with negative information about individuals, companies, or their products, its a good idea to check the veracity of the information first. Emails with urban legends often attribute their facts to credible sources, such as the federal government, Stanford University researchers, the FBI, etc. There are several Websites that attempt to verify the truth of emails that are circulated. One such Website is www.snopes.com. You can easily locate the email you received on these Websites, by searching under a key term in the email, such as lipstick. You are likely to find that most emails you were getting ready to forward are either false or only partially true.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 122 of 175

COMPUTER FRAUD AND ABUSE

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation Internet terrorism Hackers use the Internet to disrupt electronic commerce and destroy company and individual communications. Viruses and worms are two main forms of Internet terrorism.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

123 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation Internet terrorism Logic time bombs A program that lies idle until triggered by some circumstance or a particular time. Once triggered, it sabotages the system, destroying programs, data, or both. Usually written by disgruntled programmers. EXAMPLE: A programmer places a logic bomb in a payroll application that will destroy all the payroll records if the programmer is terminated.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 124 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation Internet terrorism Logic time bombs Masquerading or impersonation

The perpetrator gains access to the system by pretending to be an authorized user. The perpetrator must know the legitimate users ID and password. Once in the system, he enjoys the same privileges as the legitimate user.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

125 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation Internet terrorism Logic time bombs Masquerading or impersonation Packet sniffers

Programs that capture data from information packets as they travel over the Internet or company networks. Confidential information and access information can be gleaned from the captured datasome of which is later sold.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

126 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation Internet terrorism Logic time bombs Masquerading or impersonation Packet sniffers Password cracking

An intruder penetrates a systems defenses, steals the file of valid passwords, decrypts them, and then uses them to gain access to almost any system resources.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

127 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Sending out a spoofed email that appears to come from a Perpetrators have such as amany methods to commitPayPal, legitimate company, devised financial institution. eBay, computer are commonly spoofed. and banks fraud and abuse. These include: Internet misinformation The recipient is advised that information or a security check is needed on terrorism Internet his account, and advised to click on a link to the companys website to provide the information. Logic time bombs The link connects the individual to a Website that is an imitation of Masquerading or impersonation the spoofed companys actual Website. These counterfeit Websites Packet sniffers appear very authentic, as do the emails. Password cracking Phishing

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

128 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES One newly graduated college student recently took a job in
California and deposited his first paycheck of approximately $5,000 Perpetrators have devised many methods to commit in the bank. computer night, he received anThesefrom the bank, inviting him That same fraud and abuse. email include: Internet the link in the to click on misinformation email to set up online banking for his new bank account. Internet terrorism He Logic timedirections and provided the requested information to followed bombs set Masquerading or impersonation up online banking. Two hourssniffers was nervous and called the bankonly to find Packet later, he out that his bank account had been cleaned out and closed. Password cracking Phishing

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

129 of 175

COMPUTER FRAUD AND ABUSE As a rule of thumb, it is a good idea not to click on any link TECHNIQUES provided in an email and to go directly to the Website instead.

PayPal, whose email address is commonly spoofed for phishing Perpetrators the following advice: methods to commit scams, offers have devised many computer fraud and abuse. Thesethey will include your first If PayPal ever sends you an email, include: and last name in the salutation of the email. Internet misinformation If you need to enter PayPals Website, type https: in the URL Internet terrorism instead of http: Logic time bombs in order to enter on the companys secured server. Masquerading or impersonation If you sniffers Packetreceive a suspicious email, get out of your browser and go back in before proceeding directly to a company Website. Password cracking Phishing

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

130 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methodsSouth America with In 2004, a phishing-related scam took place in to commit respect to fraud and abuse. These include: computer three large South American banks. Once an individual
opened themisinformation a script was downloaded on their Internet related email, computer. The script would alter the individuals Web browser so Internet terrorism that if the user entered the URL of one of these three banks, the Logic time bombs browser would redirect them to a counterfeit Website for that bank. The oblivious user would provide ID and password information, Masquerading or impersonation and was instantly set up for a high-tech robbery of his bank Packet sniffers account. Password cracking Phishing

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

131 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation Internet terrorism Logic time bombs Consumer Reports suggests that if you have any questions about legitimacy of a impersonation theMasquerading orWebsite, you should try entering the wrong password.sniffers Packet A phishing Website will typically accept an incorrect passwordwhich cues you that it is a phishing scam. Password cracking Phishing

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

132 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Example of a Website produced for a phishing scam.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

133 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation Internet terrorism Logic time bombs Masquerading or impersonation Packet sniffers Password cracking Tapping into a telecommunications line and latching onto a legitimate user before that Phishing user logs into a system. Piggybacking The legitimate user unknowingly carries the perpetrator into the system.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

134 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation Internet terrorism Logic time bombs Masquerading or impersonation Made famous in the movie, Office Space. Packet sniffers The programmer instructs the Password cracking computer to round interest Phishing calculations down to two Piggybacking decimal places and deposits Round-down technique the remaining fraction into the account of a programmer or an accomplice.
Accounting Information Systems, 11/e Romney/Steinbart 135 of 175

2008 Prentice Hall Business Publishing

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation Internet terrorism Logic time bombs Masquerading or impersonation Packet sniffers Password cracking Involves the theft of tiny slices of money over a Phishing period of time. Piggybacking Round-down technique The round-down is just a special form of a salami Salami technique technique.
Accounting Information Systems, 11/e Romney/Steinbart 136 of 175

2008 Prentice Hall Business Publishing

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering

Perpetrators trick employees into giving them information they need to get into the system. A perpetrator might call an employee and indicate he is the systems administrator and needs to get the employees password.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

137 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering Software piracy Copying software without the publishers permission. In the United States, its estimated that 26% of software in use is pirated. Fines for individuals and corporations are stiff, and individuals convicted of software piracy can serve jail terms of up to 5 years.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

138 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering Software piracy Spamming Emailing an unsolicited message to multitudes of people, often in an attempt to sell a product. Many times the product offers are fraudulent.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

139 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering Software piracy Spamming

Spammers use creative means to find valid email addresses: Scanning the Internet for addresses posted online. Hacking into company databases and stealing mailing lists. Staging dictionary (aka direct harvesting) attacks. These attacks use special software to guess addresses at a particular company and send blank emails. Messages not returned are usually valid. These attacks are very burdensome to corporate email systems. 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 140 of 175

Companies may use filtering software to detect dictionary attacks, search mail for competitive leaks, and block inappropriate attachments, such TECHNIQUES as pornography and illegal MP3 files. Filtering is not always to commit Perpetrators have devised many methods viable. The director of internal audit at a major computer fraud and abuse. These include: healthcare company changes email addresses Social engineering frequently because of the volume of spam Software piracy email in his inbox. When asked why his company did not filter the spam, he Spamming replied, Because were a healthcare company, we cannot filter out any references to body parts or prescription medications. There is increasing public clamor for laws to clamp down on spamming. In December 2004, a federal judge awarded over $1 billion to a small Midwestern Internet service provider in an action against three spammers.

COMPUTER FRAUD AND ABUSE

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

141 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include: Software that monitors computing habits, such
Social engineeringWeb-surfing habits, and sends the data it as Software piracygathers to someone else, typically without the users permission. Spamming One type, called adware (for advertisingSpyware supported software) does two things: Causes banner ads to pop up on your monitor as you surf the net. Collects information about your Websurfing and spending habits and forward it to a company gathering the dataoften an advertising or large media organization.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

142 of 175

Usually comes bundled with COMPUTER FRAUD AND ABUSE freeware and shareware TECHNIQUES from the Internet. downloaded
May be disclosed in the Perpetrators have devised many methods to commit licensing agreement, but users computer fraud and abuse. are unlikely to read it. These include: Reputable adware companies Social engineering claim they dont collect Software piracy sensitive or identifying data. Spamming But there is no way for users to Spyware control or limit the activity.
It is not illegal, but many find it objectionable.

Software has been developed to detect and eliminate spyware, but it may also impair the downloaded software.
Some is intentionally difficult to uninstall.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 143 of 175

COMPUTER FRAUD AND ABUSE A keystroke users TECHNIQUESlogger records ato or keystrokes and emails them
saves them for the party that planted Perpetrators have devisedthe logger. These arecommit many methods to sometimes used computer fraud and abuse. These include: by: Parents to monitor their childrens Social engineering computer usage. Software piracy Businesses to monitor employee Spamming activity. Spyware Fraudsters to capture passwords, Keystroke loggers credit card numbers, etc. A keystroke logger can be a hardware device attached to a computer or can be downloaded on an individuals computer in the same way that any Trojan horse might be downloaded.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 144 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering Software piracy Spamming Spyware Keystroke loggers Spyware and keystroke loggers are very problematic for companies with employees who telecommute or contact the companys computer from remote locations. Spyware on those computers makes the companys systems vulnerable. Individuals are also exposed when they use wireless networks, such as those that may be available in coffee shops.
Romney/Steinbart 145 of 175

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering Software piracy Spamming Spyware Keystroke loggers Superzapping

Unauthorized use of special system programs to bypass regular system controls and perform illegal acts. The name is derived from an IBM software utility called Superzap that was used to restored crashed systems.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

146 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering Software piracy Also called back doors. Programmers create trap doors to Spamming modify programs. Spyware The trap door is a way into the system Keystroke loggersthat bypasses normal controls. Superzapping The trap door should be removed Trap doors before the program is implemented. If it is not, the programmer or others may later gain unauthorized access to the system.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

147 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and A set of unauthorized computer abuse. These include:
Social engineering Software piracy Spamming Spyware Keystroke loggers Superzapping Trap doors Trojan horse instructions planted in an authorized and otherwise properly functioning program. Allows the creator to control the victims computer remotely. The code does not try to replicate itself but performs an illegal act at some specific time or when some condition arises. Programs that launch denial of service attacks are often Trojan horses.
Accounting Information Systems, 11/e Romney/Steinbart 148 of 175

2008 Prentice Hall Business Publishing

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering Software piracy Spamming Spyware Keystroke loggers Superzapping Hackers search for an idle modem by Trap doors programming their computers to dial Trojan horse thousands of phone lines. War dialing Hackers enter through the idle modem and gain access to the connected network.
Accounting Information Systems, 11/e Romney/Steinbart 149 of 175

2008 Prentice Hall Business Publishing

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering Software piracy Spamming Spyware Keystroke loggers Superzapping Driving around in cars looking for Trap doors unprotected home or corporate Trojan horse wireless networks. War dialing If the hackers mark the sidewalk of War driving the susceptible wireless network, the practice is referred to as warchalking.
Accounting Information Systems, 11/e Romney/Steinbart 150 of 175

2008 Prentice Hall Business Publishing

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Virus Many viruses have two phases: First, when some predefined event occurs, the virus replicates itself and spreads to other systems or files. Another event triggers the attack phase in which the virus carries out its mission. A virus may lay dormant or propagate itself without causing damage for an extended period.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

151 of 175

COMPUTER may take many forms:ABUSE FRAUD AND Damage TECHNIQUES Send email with the victims name as the alleged
source. Perpetrators have devisedalter data or programs. Destroy or many methods to commit computer fraud and abuse. of the computer. Take control These include: Virus Destroy or alter file allocation tables. Delete or rename files or directories. Reformat the hard drive. Change file content. Prevent users from booting. Intercept and change transmissions. Print disruptive images or messages on the screen. Change screen appearance. As viruses spread, they take up much space, clog communications, and hinder system performance.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 152 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraudVirus symptoms: and abuse. These include:
Virus Computer will not start or execute Performs unexpected read or write operations Unable to save files Long time to load programs Abnormally large file sizes Slow systems operation Unusual screen activity Error messages

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

153 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraudViruses are contagiousinclude: spread from and abuse. These and easily
Virus one system to another. They are usually spread by: Opening an infected email attachment or file (most common); or Running an infected program. Some viruses can mutate, which makes them more difficult to detect and destroy. The emails often appear to come from sources like Microsoft and seem very convincing.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

154 of 175

Virus protections include: COMPUTER FRAUD AND ABUSE for, Install reliable virus software that scans identifies, and destroys TECHNIQUES viruses. Keep the antivirus program up to date. devised many methods server level, Perpetrators haveScan incoming email at the to commit rather than computer fraud and abuse. when it include: These hits the desktops. Certify all software as virus-free before Virus loading it. Software from unknown sources may be virus bait, especially if it seems too good to be true. Deal with trusted software retailers. Use electronic techniques to make tampering evident. Check new software on an isolated machine. Have two backups of all files. Do not put diskettes or CDs in strange machines, or let others put unscanned disks in your machine.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 155 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Virus Viruses attack computers, but any device that is part of the communications network is vulnerable, including: Cell phones Smart phones PDAs

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

156 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devisedexcept that: A worm is similar to a virus many methods to commit computer fraud stand-alone program, while a virus is only a A worm is a and abuse. These include:

Virus segment of code hidden in a host program or executable file. Worms will replicate itself automatically, while a virus A worm requires a human to do something like open a file. Worms often reproduce by mailing themselves to the recipients mailing list. They are not confined to PCs and have infected cell phones in Japan. A worm typically has a short but very destructive life. It takes little technical knowledge to create worms or viruses; several Websites provide instructions. Most exploit known software vulnerabilities that can be corrected with a software patch, making it important to install all patches as soon as they are Accounting 2008 Prentice Hall Business Publishing available. Information Systems, 11/e Romney/Steinbart 157 of 175

COMPUTER FRAUD AND ABUSE TECHNIQUES


Perpetrators have devised many methods to commit computer fraudemail abuse.friend, apologizing profusely that You receive an and from a These include:

he/she has previously sent you an email that was infected with a Virus virus. Worms The friends email gives you instructions to look for and remove The low-tech, do-it-yourself attack the offending virus. You delete the file from your hard drive. The only problem is that the file you just deleted was part of your operating system. Your friend was well-intended and has done the same thing to his/her computer. REMEDY: Before even considering following instructions of this sort, check the list of hoaxes that are available on any virus protection Website, such as:
www.norton.com www.mcafee.com

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

158 of 175

INTRODUCTION
In this chapter well discuss:
The fraud process Why fraud occurs Approaches to computer fraud Specific techniques used to commit computer fraud Ways companies can deter and detect computer fraud

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

159 of 175

PREVENTING AND DETECTING COMPUTER FRAUD


Organizations must take every precaution to protect their information systems. Certain measures can significantly decrease the potential for fraud and any resulting losses. These measures include:
Make fraud less likely to occur Increase the difficulty of committing fraud Improve detection methods Reduce fraud losses

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

160 of 175

PREVENTING AND DETECTING COMPUTER FRAUD


Organizations must take every precaution to protect their information systems. Certain measures can significantly decrease the potential for fraud and any resulting losses. These measures include:
Make fraud less likely to occur Increase the difficulty of committing fraud Improve detection methods Reduce fraud losses

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

161 of 175

PREVENTING AND DETECTING COMPUTER FRAUD


Make fraud less likely to occur
Create a culture that stresses integrity and commitment to ethical values and competence. Adopt an organizational structure, management philosophy, operating style, and appetite for risk that minimizes the likelihood of fraud. Require oversight from an active, involved, and independent audit committee. Assign authority and responsibility for business objectives to specific departments and individuals, encourage initiative in solving problems, and hold them accountable for achieving those objectives.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 162 of 175

PREVENTING AND DETECTING COMPUTER FRAUD


Identify the events that lead to increased fraud risk, and take steps to prevent, avoid, share, or accept that risk. Develop a comprehensive set of security policies to guide the design and implementation of specific control procedures, and communicate them effectively to company employees. Implement human resource policies for hiring, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the required level of ethical behavior and integrity. Effectively supervise employees, including monitoring their performance and correcting their errors.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

163 of 175

PREVENTING AND DETECTING COMPUTER FRAUD


Train employees in integrity and ethical considerations, as well as security and fraud prevention measures. Require annual employee vacations, periodically rotate duties of key employees, and require signed confidentiality agreements. Implement formal and rigorous project development and acquisition controls, as well as change management controls. Increase the penalty for committing fraud by prosecuting fraud perpetrators more vigorously.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

164 of 175

PREVENTING AND DETECTING COMPUTER FRAUD


Organizations must take every precaution to protect their information systems. Certain measures can significantly decrease the potential for fraud and any resulting losses. These measures include:
Make fraud less likely to occur Increase the difficulty of committing fraud Improve detection methods Reduce fraud losses

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

165 of 175

PREVENTING AND DETECTING COMPUTER FRAUD


Increase the difficulty of committing fraud
Develop a strong system of internal controls Segregate the accounting functions of:
Authorization Recording Custody

Implement a program segregation of duties between systems functions Restrict physical and remote access to system resources to authorized personnel
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 166 of 175

PREVENTING AND DETECTING COMPUTER FRAUD


Require transactions and activities to be authorized by appropriate supervisory personnel. Have the system authenticate the person and their right to perform the transaction before allowing the transaction to take place. Use properly designed documents and records to capture and process transactions. Safeguard all assets, records, and data. Require independent checks on performance, such as reconciliation of two independent sets of records, where possible and appropriate.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

167 of 175

PREVENTING AND DETECTING COMPUTER FRAUD


Implement computer-based controls over data input, computer processing, data storage, data transmission, and information output. Encrypt stored and transmitted data and programs to protect them from unauthorized access and use. Fix known software vulnerabilities by installing the latest updates to operating systems, security, and applications programs.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

168 of 175

PREVENTING AND DETECTING COMPUTER FRAUD


Organizations must take every precaution to protect their information systems. Certain measures can significantly decrease the potential for fraud and any resulting losses. These measures include:
Make fraud less likely to occur Increase the difficulty of committing fraud Improve detection methods Reduce fraud losses

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

169 of 175

PREVENTING AND DETECTING COMPUTER FRAUD


Improve detection methods
Create an audit trail so individual transactions can be traced through the system to the financial statements and vice versa. Conduct periodic external and internal audits, as well as special network security audits. Install fraud detection software. Implement a fraud hotline.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

170 of 175

PREVENTING AND DETECTING COMPUTER FRAUD


Employ a computer security officer, as well as computer consultants and forensic specialists as needed. Monitor system activities, including computer and network security efforts, usage and error logs, and all malicious actions. Use intrusion detection systems to help automate the monitoring process.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

171 of 175

PREVENTING AND DETECTING COMPUTER FRAUD


Organizations must take every precaution to protect their information systems. Certain measures can significantly decrease the potential for fraud and any resulting losses. These measures include:
Make fraud less likely to occur Increase the difficulty of committing fraud Improve detection methods Reduce fraud losses

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

172 of 175

PREVENTING AND DETECTING COMPUTER FRAUD


Reduce fraud losses
Maintain adequate insurance. Develop comprehensive fraud contingency, disaster recovery, and business continuity plans. Store backup copies of program and data files in a secure, off-site location. Use software to monitor system activity and recover from fraud.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 173 of 175

SUMMARY
In this chapter, youve learned what fraud is, who commits fraud, and how its perpetrated. Youve learned about the many variations of computer fraud, and youve learned about techniques to reduce an organizations vulnerability to these types of fraud.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

174 of 175