Chapter 4 – Ethics,Fraud, And Internal Control

AIS Threats
1. Natural and political disasters— such as fires, floods, earthquakes, hurricanes, tornadoes, blizzards, wars, and attacks
by terrorists—can destroy an information system and cause many companies to fail.

2. Software errors - Operating system crashes, hardware failures, power outages and fluctuations, and undetected data
transmission errors constitute a second type of threat.

3. Unintentional acts- Accidents or innocent errors and omissions, is the greatest risk to information systems and causes
the greatest dollar losses.

4. Intentional act- Computer crime, fraud, or sabotage, which is deliberate destruction or harm to a system.

* Sabotage-An intentional act where the intent is to destroy a system or some of its components.

Fraud

Legally, for an act to be fraudulent there must be:

1. A false statement, representation, or disclosure
2. A material fact, which is something that induces a person to act
3. An intent to deceive
4. A justifiable reliance; that is, the person relies on the misrepresentation to take an action
5. An injury or loss suffered by the victim
Modusoperandi (MO) of people committing fraud:
1. They call late in the afternoon, around 4:30PM. Because banks close at 3:00PM and some at 4:00PM. So,
the client can no longer confirm from the bank the fraudster’s claim.Some of the claims are promos, account
suspension, etc.
2. In relation to number 1. They call late in the afternoon so that the client will be pressured to decide (to avail
of the so called promotion) since the fraudster claims that the promo ends at 5:00PM.
How to know if the person calling is a legitimate employee or a fraudster:
1. The number that you will see is a cellphone number. Universal banks have vanity numbers. When the bank
calls the name of the company appears on your phone. Ex. BDO, BPI, etc
2. Listen to the accent of the caller. The bank employee usually have neutral accent and they are fluent in both
English and Filipino as compared to the fraudster.
3. The words employees use. They are very professional in the way they speak, the words that they use.
Because the employees are trained to speak in a professional manner.
4. The employees do not force clients if they don’t want to. Compared to the fraudster who pressures clients.
The employees do not do that, they give the client enough space to make a decision.
Corruption - Dishonest conduct by those in power and it often involves actions that are illegitimate, immoral, or
incompatible with ethical standards.

Investment Fraud - Misrepresenting or leaving out facts in order to promote an investment that promises fantastic
profits with little or no risk.

The Perpetrator:
• Gains the trust or confidence of the entity being defrauded.
• Uses trickery, cunning, or false or misleading information to commit fraud.
• Conceals the fraud by falsifying records or other information.
• Rarely terminates the fraud voluntarily.
• Sees how easy it is to get extra money; need or greed impels the person to continue.
• Spends the ill-gotten gains.
• Gets greedy and takes ever-larger amounts of money at intervals that are more frequent, exposing the
perpetrator to greater scrutiny and increasing the chances the fraud is discovered.
• Grows careless or overconfident as time passes.
Fraudulent Financial Reporting - Intentional or reckless conduct, whether by act or omission, that results in materially
misleading financial statements (National Commission on Fraudulent Financial Reporting).

The Treadway Commission recommended four actions to reduce fraudulent financial reporting:
1. Establish an organizational environment that contributes to the integrity of the financial reporting process.
2. Identify and understand the factors that lead to fraudulent financial reporting.
3. Assess the risk of fraudulent financial reporting within the company.
4. Design and implement internal controls to provide reasonable assurance of preventing fraudulent financial
Reporting.
The Auditor’s Responsibilities
1. Understand Fraud
2. Discuss the risks of material fraudulent misstatements
3. Obtain information

4. Identify, assess, and respond to risks

5. Evaluate the results of their audit tests
6. Document and communicate findings
7. Incorporate a technology focus
Who commits fraud?
1. Employees that are disgruntled and unhappy.
2. People that view fraud as a challenge and want to beat the system.
3. People that are looking to make money from fraudulent activities.
4. Involved in organized crime.
The Fraud Triangle:

1. Pressure - Financial pressures often motivate misappropriation frauds by employees.

2. Emotional - Many employee frauds are motivated by greed.
3. Lifestyle - The person may need funds to support a gambling habit or support a drug or alcohol addiction.
Opportunity
The condition or situation that allows a person or organization to commit and conceal a dishonest act and
convert it to personal gain. It allows one to do three things:
1. Commit the fraud - The theft of assets is the most common type of misappropriation. Most instances of
fraudulent financial reporting involve overstatements of assets or revenues, understatements of liabilities, or
failures to disclose information.
2. Conceal the fraud - To prevent detection when assets are stolen or financial statements are overstated, perpetrators
must keep the accounting equation in balance by inflating other assets or decreasing liabilities or equity.

3. Convert the theft or misrepresentation to personal gain. In a misappropriation, fraud perpetrators who do not steal
cash or use the stolen assets personally must convert them to a spendable form.

A rationalization is the excuse that fraud perpetrators use to justify their illegal behavior. In other words,
perpetrators rationalize that they are not being dishonest, that honesty is not required of them, or that they
value what they take more than honesty and integrity.
The most frequent rationalizations include the following:
1. I am only “borrowing” it, and I will repay my “loan.”
2. You would understand if you knew how badly I needed it.
3. What I did was not that serious.
4. It was for a good cause (the Robin Hood syndrome: robbing the rich to give to the poor).
5. In my very important position of trust, I am above the rules.
6. Everyone else is doing it.
7. No one will ever know.
8. The company owes it to me; I am taking no more than is rightfully mine.
Computer Fraud
It is any fraud that requires computer technology to perpetrate it. Examples include:

➢Unauthorized theft, use, access, modification, copying, or destruction of software, hardware, or data

➢Theft of assets covered up by altering computer records

➢Obtaining information or tangible property illegally using computers

The number of incidents, the total dollar losses, and the sophistication of the perpetrators and the schemes
used to commit computer fraud are increasing rapidly for several reasons:
1. Not everyone agrees on what constitutes computer fraud.
2. Many instances of computer fraud go undetected.
3. A high percentage of frauds is not reported.
4. Many networks are not secure.
5. Internet sites offer step-by-step instructions on how to perpetrate computer fraud and abuse.
6. Law enforcement cannot keep up with the growth of computer fraud.
7. Calculating losses is difficult.
Computer Fraud Classifications
1. Input Fraud The simplest and most common way to commit a computer fraud is to alter or falsify computer
input.
2. Processor Fraud. Processor fraud includes unauthorized system use, including the theft of computer time
and services.
3. Computer Instructions Fraud. Computer instructions fraud includes tampering with company software,
copying software illegally, using software in an unauthorized manner, and developing software to carry out an
unauthorized activity.
4. Data Fraud. Illegally using, copying, browsing, searching, or harming company data constitutes data fraud.
The biggest cause of data breaches is employee negligence.
Preventing Computer Crime and Fraud
1. Enlist top-management support
2. Increase employee awareness and education
3. Assess security policies and protect passwords
4. Implement controls