This document summarizes threats to accounting information systems including natural disasters, software errors, unintentional acts, and intentional acts like computer fraud. It defines computer fraud and introduces the fraud triangle of pressure, opportunity, and rationalization. It also summarizes types of common fraud including misappropriation of assets, fraudulent financial reporting, investment fraud, and pressures that can lead to financial statement fraud. Finally, it discusses the auditor's responsibility to detect fraud.

Chapter 4

Control of Accounting Information Systems

COMPUTER FRAUD
Threats to Accounting Information Systems

Natural and political disasters
• Fire or excessive heat
• Floods, earthquakes, landslides, hurricanes, tornadoes, blizzards, snowstorms, and freezing rain
• War and attacks by terrorists

Software errors and equipment malfunctions
• Hardware or software failure
• Software errors or bugs
• Operating system crashes
• Power outages and fluctuations
• Undetected data transmission errors

Unintentional acts
• Accidents caused by human carelessness, failure to follow established procedures, and poorly trained or supervised personnel
• Innocent errors or omissions
• Lost, erroneous, destroyed, or misplaced data
• Logic errors
• Systems that do not meet company needs or cannot handle intended tasks

Intentional acts (computer crimes)
• Sabotage
• Misrepresentation, false use, or unauthorized disclosure of data
• Misappropriation of assets
• Financial statement fraud
• Corruption
• Computer fraud – attacks, social engineering, malware, etc.

Sabotage – an intentional act where the intent is to destroy a system or some of its components

Cookie – a text file created by a Web site and stored on a visitor’s hard drive.

- Store information about who the user is and what the user has done on the site

Introduction to Fraud

Fraud – gaining an unfair advantage over another person

- Any and all means a person uses to gain an unfair advantage over another person
- Legally, for an act to be fraudulent there must be:
1. A false statement, representation, or disclosure
2. A material fact, which is something that induces a person to act
3. An intent to deceive
4. A justifiable reliance; that is, the person relies on the misrepresentation to take an
action
5. An injury or loss suffered by a victim
Association of Certified Fraud Examiners (ACFE) – conducts comprehensive fraud studies

▪ Most fraud perpetrators are knowledgeable insiders with the requisite access, skills, and
resources. Because employees understand a company’s system and its weaknesses, they are
better able to commit and conceal a fraud. The controls used to protect corporate assets
make it more difficult for an outsider to steal from a company. Fraud perpetrators are often
referred to as white-collar criminals.

White-collar criminals – typically, business people who commit fraud.

- Usually resort to trickery or cunning, and their crimes usually involve a violation of trust or
confidence.

Corruption – dishonest conduct by those in power and it often involves actions that are illegitimate,
immoral, or incompatible with ethical standards.

Examples: bribery, bid rigging

Investment fraud – misrepresenting or leaving out facts in order to promote an investment that
promises fantastic profits with little or no risk.

Examples: Ponzi schemes, securities fraud

Types of Fraud (that are important to businesses)

1. Misappropriation of assets (sometimes called employee fraud) – theft of company assets by employees
Examples: forging of superior’s signature on invoices for services never performed, kickbacks,
accessing company files after separation from the company

• Many employees do not believe that taking company data is equivalent to stealing.
• The most significant contributing factor in most misappropriations is the absence of internal
controls and/or the failure to enforce existing internal controls.
• A typical misappropriation has the following important elements or characteristics. The
perpetrator:
✓ Gains the trust or confidence of the entity being defrauded.
✓ Uses trickery, cunning, or false or misleading information to commit fraud
✓ Conceals the fraud by falsifying records or other information
✓ Rarely terminates the fraud voluntarily
✓ Sees how easy it is to get extra money; need or greed impels the person to continue.
Some frauds are self-perpetuating; if perpetrators stop, their actions are discovered.
✓ Spends the ill-gotten gains. Rarely does the perpetrator save or invest the money.
Some perpetrators come to depend on the “extra” income, and others adopt a
lifestyle that requires even greater amounts of money. For this reason, there are no
small frauds – only large ones that are detected early.

2. Fraudulent financial reporting (sometimes called management fraud) – intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.
• Management falsifies financial statements to deceive investors and creditors, increase a company’s stock price, meet cash flow needs, or hide company losses and problems.
• The most frequent “cook the books” schemes involve fictitiously inflating revenues, holding
the books open (recognizing revenues before they are earned), closing the books early
(delaying current expenses to a later period), overstating inventories or fixed assets, and
concealing losses and liabilities.
• The Treadway Commission recommended four actions to reduce fraudulent financial
reporting:
i. Establish an organizational environment that contributes to the integrity of the
financial reporting process.
ii. Identify and understand the factors that lead to fraudulent financial reporting.
iii. Assess the risk of fraudulent financial reporting within the company.
iv. Design and implement internal controls to provide reasonable assurance of
preventing fraudulent financial reporting.

• The ACFE found that an asset misappropriation is 17 times more likely than fraudulent financial reporting but that the amounts involved are much smaller. As a result, auditors and management are more concerned with fraudulent financial reporting even though they are more likely to encounter misappropriations.

The Auditor’s Responsibility to Detect Fraud

1. Understand fraud
2. Discuss the risks of material fraudulent misstatements
3. Obtain information
4. Identify, assess, and respond to risks
5. Evaluate the results of their audit tests
6. Document and communicate findings
7. Incorporate a technology focus

Fraud Triangle
Pressures That Can Lead to Employee Fraud

Financial
• Living beyond one’s means
• High personal debt/expenses
• “Inadequate” salary/income
• Poor credit ratings
• Heavy financial losses
• Bad investments
• Tax avoidance
• Unreasonable quotas/goals

Emotional
• Excessive greed, ego, pride, ambition
• Performance not recognized
• Job dissatisfaction
• Fear of losing job
• Need for power or control
• Overt, deliberate nonconformity
• Inability to abide by or respect rules
• Challenge of beating the system
• Envy or resentment against others
• Need to win financial one-upmanship competition
• Coercion by bosses/top management

Lifestyle
• Gambling habit
• Drug or alcohol addiction
• Sexual relationships
• Family/peer pressure

Opportunity – the condition or situation that allows a person or organization to commit and conceal
a dishonest act and convert it to personal gain

- the condition or situation, including one’s personal abilities, that allows a perpetrator to do
three things:
1. Commit the fraud
2. Conceal the fraud
3. Convert the theft or misrepresentation to personal gain

Pressures That Can Lead to Financial Statement Fraud

Management characteristics
• Questionable management ethics, management style, and track record
• Unduly aggressive earnings forecasts, performance standards, accounting methods, or incentive programs
• Significant incentive or compensation based on achieving unduly aggressive goals
• Management actions or transactions with no clear business justification
• Oversensitivity to the effects of alternative accounting treatments on earnings per share
• Strained relationship with past auditors
• Failure to correct errors on a timely basis, leading to even greater problems
• High management/employee turnover
• Unusual/odd related-party transactions

Industry conditions
• Declining industry
• Industry or technology changes leading to declining demand or product obsolescence
• New regulatory requirements that impair financial stability or profitability
• Significant competition or market saturation, with declining margins
• Significant tax changes or adjustments

Financial
• Intense pressure to meet or exceed earnings expectations
• Significant cash flow problems; unusual difficulty collecting receivables, paying payables
• Heavy losses, high or undiversified risk, high dependence on debt, or unduly restrictive debt covenants
• Heavy dependence on new or unproven product lines
• Severe inventory obsolescence or excessive inventory buildup
• Economic conditions (inflation, recession)
• Litigation, especially management vs. shareholders
• Impending business failure or bankruptcy
• Problems with regulatory agencies
• High vulnerability to rise in interest rates
• Poor or deteriorating financial position
• Unusually rapid growth or profitability compared to companies in same industry
• Significant estimates involving highly subjective judgments or uncertainties

Rationalization – the excuse that fraud perpetrators use to justify their illegal behavior.

The most frequent rationalizations include the following:

• I am only “borrowing” it, and I will repay my “loan.”
• You would understand if you knew how badly I needed it.
• What I did was not serious.
• It was for a good cause.
• In my very important position of trust, I am above the rules.
• Everyone else is doing it.
• No one will ever know.
• The company owes it to me; I am taking no more than is rightfully mine.

Computer Fraud

Computer Fraud – any fraud that requires computer technology to perpetrate it.
Examples:
• Unauthorized theft, use, access, modification, copying, or destruction of software, hardware, or data
• Theft of assets covered up by altering computer records
• Obtaining information or tangible property illegally using computers

Computer Fraud Classifications

Computer fraud can be classified using the data processing model:
• Input fraud
• Processor fraud
• Computer instructions fraud
• Data fraud
• Output fraud

COMPUTER ABUSE TECHNIQUES
Hacking – unauthorized access, modification, or use of an electronic device or some element of a
computer system

Hijacking – gaining control of someone else’s computer to carry out illicit activities, such as sending
spam without the computer user’s knowledge

Botnet – a network of powerful and dangerous hijacked computers that are used to attack systems
or spread malware

Zombie – a hijacked computer, typically part of a botnet, that is used to launch a variety of internet
attacks

Bot herder – the person who creates a botnet by installing software on PCs that responds to the bot
herder’s electronic instructions

Denial-of-Service (DoS) attack – a computer attack in which the attacker sends so many e-mail
bombs or web page requests, often from randomly generated false addresses, that the Internet
service provider’s e-mail server or the web server is overloaded and shuts down

Spamming – simultaneously sending the same unsolicited message to many people at the same
time, often in an attempt to sell something

CONTROL FRAMEWORKS
Organizations have not adequately protected data for several reasons:

• Some companies view the loss of crucial information as a distant, unlikely threat.
• The control implications of moving from centralized computer systems to Internet-based
systems are not fully understood.
• Many companies do not realize that information is a strategic resource and that protecting
it must be a strategic requirement.
Example:
One company lost millions because it did not protect data transmissions. A competitor
tapped into its phone lines and obtained faxes of new product designs.
• Productivity and cost pressures motivate management to forgo time-consuming control
measures.

Threat/Event – any potential adverse occurrence or unwanted event that could injure the AIS or the
organization.

Exposure/Impact – the potential dollar loss should a particular threat become a reality.

Likelihood – the probability that a threat will come to pass.

Any potential adverse occurrence is called a threat or an event. The potential monetary loss
from a threat is called the exposure or impact. The probability that it will happen is called the
likelihood of the threat.
Internal Controls

Internal controls – the processes and procedures implemented to provide reasonable assurance that
the following control objectives are met.

• Safeguard assets – prevent or detect their unauthorized acquisition, use, or disposition.
• Maintain records in sufficient detail to report company assets accurately and fairly.
• Provide accurate and reliable information.
• Prepare financial reports in accordance with established criteria.
• Promote and improve operational efficiency.
• Encourage adherence to prescribed managerial policies.
• Comply with applicable laws and regulations.

Three Functions of Internal Controls

1. Preventive controls – deter problems before they arise.
Examples: hiring qualified personnel, segregating employee duties, and controlling physical access to assets and information

2. Detective controls – discover problems that are not prevented.
Examples: duplicate checking of calculations and preparing bank reconciliations and monthly trial balances.

3. Corrective controls – identify and correct problems as well as correct and recover from the resulting errors.
Examples: maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing.

Categories of Internal Controls

1. General controls – make sure an organization’s control environment is stable and well
managed.
Examples: security; IT infrastructure; and software acquisition, development, and
maintenance controls
2. Application controls – prevent, detect, and correct transaction errors and fraud in
application programs.
- Concerned with the accuracy, completeness, validity, and authorization of the data
captured, entered, processed, stored, transmitted to other systems, and reported.

CONTROLS FOR INFORMATION SECURITY


Principles That Contribute to Systems Reliability

1. Security – access (both physical and logical) to the system and its data is controlled and
restricted to legitimate users.

2. Confidentiality – sensitive organizational information (e.g. marketing plans, trade secrets) is protected from unauthorized disclosure.

3. Privacy – personal information about customers, employees, suppliers, or business partners is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.

4. Processing integrity – data are processed accurately, completely, in a timely manner, and only with proper authorization.

5. Availability – the system and its information are available to meet operational and
contractual obligations.

The Security Life Cycle

1. Assess threats and select risk response
2. Develop and communicate policy
3. Acquire and implement solutions
4. Monitor performance

Preventive, Detective, and Corrective Information Security Controls

Preventive controls
• People
  o Creation of a “security-aware” culture
  o Training
• Processes: user access controls (authentication and authorization)
• IT solutions
  o Anti-malware
  o Network access controls (firewalls, intrusion prevention systems, etc.)
  o Device and software hardening (configuration controls)
  o Encryption
• Physical security: access controls (locks, guards, etc.)
• Change controls and change management

Detective controls
• Log analysis
• Intrusion detection systems
• Penetration testing
• Continuous monitoring

Corrective controls
• Computer incident response teams (CIRT)
• Chief information security officer (CISO)
• Patch management
CONFIDENTIALITY AND PRIVACY CONTROLS
Two Important Principles of Reliable Systems

1. Preserving the confidentiality of an organization’s intellectual property
2. Protecting the privacy of personal information it collects from customers, employees, suppliers, and business partners

Preserving Confidentiality

Components of Protecting Confidentiality and Privacy
• Identify and classify information
• Encryption
• Access controls
• Training

Privacy

Data masking – a program that protects privacy by replacing personal information with fake values.
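The following Python script is an added example, not code from the original notes, showing the data masking technique the definition describes: personal fields in a small customer export are replaced with fake values while non-personal fields (ids, balances) pass through untouched. The sample records, the field names and the masking key are assumptions constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample records standing in for a customer table export (not real data).
SAMPLE_RECORDS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "card": "4111111111111111", "balance": 250.00},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@example.com",
     "card": "5500000000000004", "balance": -40.25},
    {"customer_id": 1003, "name": "Alice Example", "email": "alice@example.com",
     "card": "4111111111111111", "balance": 12.00},
]

# Assumed masking key. It is kept apart from the masked copy so that whoever
# receives the masked data cannot recompute or reverse the pseudonyms.
MASKING_KEY = b"assumed-masking-key-do-not-reuse"


def pseudonym(value: str, prefix: str, key: bytes = MASKING_KEY) -> str:
    """Replace a value with a stable fake token: the same input always yields
    the same token, so joins and duplicate counts in the masked copy still work,
    but the original cannot be recovered without the key."""
    digest = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:10]}"


def mask_card(pan: str) -> str:
    """Keep only the last four digits, as a printed statement would."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Pseudonymise the local part; keep the domain, which has analytic value."""
    local, _, domain = email.partition("@")
    return pseudonym(local, "user") + "@" + domain


def mask_record(rec: dict) -> dict:
    """Return a copy of one record with personal fields replaced by fake values."""
    masked = dict(rec)
    masked["name"] = pseudonym(rec["name"], "person")
    masked["email"] = mask_email(rec["email"])
    masked["card"] = mask_card(rec["card"])
    return masked


def mask_dataset(records: list) -> list:
    """Mask every record; the input list is left unchanged."""
    return [mask_record(r) for r in records]


if __name__ == "__main__":
    for row in mask_dataset(SAMPLE_RECORDS):
        print(row)
```

The keyed HMAC pseudonyms are the design choice worth noting: a plain hash of a name could be reversed by hashing a list of likely names, whereas the keyed version cannot be checked by anyone who does not hold the key, and the same customer still maps to the same token across records.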

Privacy Concerns

• Spam – unsolicited e-mail that contains either advertising or offensive content.
• Identity theft – assuming someone’s identity, usually for economic gain

GAPP identifies and defines the following 10 internationally recognized best practices for protecting the privacy of customers’ personal information:

1. Management
2. Notice
3. Choice and consent
4. Collection
5. Use and retention
6. Access
7. Disclosure to third parties
8. Security
9. Quality
10. Monitoring and enforcement
PROCESSING INTEGRITY AND AVAILABILITY CONTROLS
Application Controls for Processing Integrity
Input
- Threats/risks: data that is invalid, unauthorized, incomplete, or inaccurate
- Controls: forms design, cancellation and storage of documents, authorization and segregation of duties controls, visual scanning, data entry controls

Processing
- Threats/risks: errors in output and stored data
- Controls: data matching, file labels, batch totals, cross-footing and zero balance tests, write-protection mechanisms, database processing integrity controls

Output
- Threats/risks: use of inaccurate or incomplete reports; unauthorized disclosure of sensitive information; loss, alteration, or disclosure of information in transit
- Controls: reviews and reconciliations, encryption and access controls, parity checks, message acknowledgement techniques
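The following Python script is an added example, not code from the original notes, showing four of the processing integrity controls named above in working form: batch totals (record count, financial total and hash total), a zero-balance test, cross-footing of a report, and data entry checks (field, validity, sign and limit checks). The source batch, the keyed batch with its two errors, the chart of accounts and the line limit are all constructed assumptions.

```python
from decimal import Decimal

# Constructed sample batch of journal lines as they appear on the source
# documents (not real data). Control totals are computed from this batch
# before keying and travel with it.
SOURCE_BATCH = [
    {"account": "1010", "debit": Decimal("500.00"), "credit": Decimal("0.00")},
    {"account": "2030", "debit": Decimal("0.00"), "credit": Decimal("300.00")},
    {"account": "4010", "debit": Decimal("0.00"), "credit": Decimal("200.00")},
]
# The same batch as keyed by a data entry clerk, with two constructed errors:
# a transposed account number (2030 -> 2300) and a dropped digit (300 -> 20).
KEYED_BATCH = [
    {"account": "1010", "debit": Decimal("500.00"), "credit": Decimal("0.00")},
    {"account": "2300", "debit": Decimal("0.00"), "credit": Decimal("300.00")},
    {"account": "4010", "debit": Decimal("0.00"), "credit": Decimal("20.00")},
]
# Assumed chart of accounts and per-line limit used by the data entry checks.
CHART_OF_ACCOUNTS = {"1010", "2030", "4010"}
MAX_LINE_AMOUNT = Decimal("10000.00")


def batch_totals(rows):
    """Three standard batch totals: record count, financial total (sum of all
    amounts) and hash total (sum of a non-financial field, here the account
    numbers, which catches a mis-keyed account that a financial total misses)."""
    return {
        "record_count": len(rows),
        "financial_total": sum((r["debit"] + r["credit"] for r in rows), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in rows),
    }


def batch_total_check(keyed_rows, expected):
    """Compare the totals of the keyed batch with the expected control totals;
    return the names of the totals that disagree (an empty list means clean)."""
    actual = batch_totals(keyed_rows)
    return sorted(name for name in expected if actual[name] != expected[name])


def zero_balance_test(rows):
    """A balanced batch has total debits minus total credits equal to zero."""
    debits = sum((r["debit"] for r in rows), Decimal("0"))
    credits = sum((r["credit"] for r in rows), Decimal("0"))
    return debits - credits == 0


def cross_foot(cells, row_totals, col_totals, grand_total):
    """Cross-footing a report: recompute each row and column total from the
    cells, compare with the totals printed on the report, and check that the
    row totals summed down equal the column totals summed across and the
    grand total."""
    rows_ok = [sum(row) for row in cells] == list(row_totals)
    cols_ok = [sum(col) for col in zip(*cells)] == list(col_totals)
    grand_ok = sum(row_totals) == sum(col_totals) == grand_total
    return rows_ok and cols_ok and grand_ok


def validate_line(row):
    """Data entry controls applied to one keyed line; returns the failed checks."""
    errors = []
    if not row["account"].isdigit():               # field check: numeric account
        errors.append("field")
    elif row["account"] not in CHART_OF_ACCOUNTS:  # validity check: known account
        errors.append("validity")
    for side in ("debit", "credit"):
        if row[side] < 0:                          # sign check: no negative amounts
            errors.append(f"sign:{side}")
        if row[side] > MAX_LINE_AMOUNT:            # limit check: amount within range
            errors.append(f"limit:{side}")
    return errors


if __name__ == "__main__":
    expected = batch_totals(SOURCE_BATCH)
    print("totals that disagree:", batch_total_check(KEYED_BATCH, expected))
    print("keyed batch balances:", zero_balance_test(KEYED_BATCH))
    for line in KEYED_BATCH:
        print(line["account"], validate_line(line))
```

Run against the keyed batch, the financial total exposes the dropped digit, the hash total exposes the transposed account number even though the record count is unchanged, the zero-balance test fails, and the validity check flags the unknown account on the second line; each control catches a different class of error, which is why they are used together.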
