Ais Chapter 4

Chapter 4 of the document addresses the ethical challenges and threats faced by accounting information systems (AIS), including various types of fraud and internal controls to mitigate these risks. It outlines the significant financial losses due to fraud, the characteristics of fraud perpetrators, and the importance of strong internal controls to prevent such activities. The chapter also highlights the impact of unintentional acts and intentional cyber crimes on AIS security.

Uploaded by

Erich Yabut

ACCOUNTING INFORMATION SYSTEM

Chapter 4 - Ethics, Fraud, and Internal Control

Description: This chapter discusses the ethical issues that business organizations face
when using information technology, as well as the internal controls that can be used
to mitigate the effects of those ethical issues and of fraud.

Learning Objectives:

1. Explain the threats faced by modern information systems.

2. Define fraud and describe both the different types of fraud and the process one follows to
perpetrate a fraud.

3. Discuss who perpetrates fraud and why it occurs, including the pressures, opportunities, and
rationalizations that are present in most frauds.

4. Define computer fraud and discuss the different computer fraud classifications.

5. Explain how to prevent and detect computer fraud and abuse.

Lesson proper:

Introduction

As accounting information systems (AIS) grow more complex to meet our escalating
needs for information, companies face the growing risk that their systems may be compromised.
Recent surveys show that 67% of companies had a security breach, over 45% were targeted by
organized crime, and 60% reported financial losses. The four types of AIS threats a company faces
are summarized in Table 4.1.

Table 4.1 Threats to Accounting Information Systems

THREATS: Natural and political disasters
EXAMPLES:
● Fire or excessive heat
● Floods, earthquakes, landslides, hurricanes, tornadoes, blizzards, snowstorms, and freezing rain
● War and attacks by terrorists

THREATS: Software errors and equipment malfunctions
EXAMPLES:
● Hardware or software failure
● Software errors or bugs
● Operating system crashes
● Power outages and fluctuations
● Undetected data transmission errors

THREATS: Unintentional acts
EXAMPLES:
● Accidents caused by human carelessness, failure to follow established procedures, and poorly trained or supervised personnel
● Innocent errors or omissions
● Lost, erroneous, destroyed, or misplaced data
● Logic errors
● Systems that do not meet company needs or cannot handle intended tasks

THREATS: Intentional acts (computer crimes)
EXAMPLES:
● Sabotage
● Misrepresentation, false use, or unauthorized disclosure of data
● Misappropriation of assets
● Financial statement fraud
● Corruption
● Computer fraud: attacks, social engineering, malware, etc.

AIS Threats

Natural and political disasters—such as fires, floods, earthquakes, hurricanes, tornadoes,
blizzards, wars, and attacks by terrorists—can destroy an information system and cause many
companies to fail. For example:

● Terrorist attacks on the World Trade Center in New York City and on the Federal Building
in Oklahoma City destroyed or disrupted all the systems in those buildings.

● A flood in Chicago destroyed or damaged 400 data processing centers. A flood in Des
Moines, Iowa, buried the city’s computer under eight feet of water. Hurricanes and
earthquakes have destroyed numerous computer systems and severed communication
lines. Other systems were damaged by falling debris, water from ruptured sprinkler
systems, and dust.

● A very valid concern for everyone is what is going to happen when cyber-attacks are
militarized; that is, the transition from disruptive to destructive attacks. An example is
Case 4.1.

Case 4.1 Denial of Service Attack at American Banks

Shortly after Obama was elected President, he authorized cyber-attacks on
computer systems that run Iran’s main nuclear enrichment plants. The intent
was to delay or destroy Iran’s nuclear-weapons program. The attacks were
based on the Stuxnet virus, which was developed with help from a secret Israeli
intelligence unit. The attack damaged 20% of the centrifuges at the Natanz
uranium enrichment facility (Iran denied its existence) by spinning them too
fast. This was the first known cyber-attack intended to harm a real-world
physical target. A hacker group that is a front for Iran retaliated using
distributed denial of service attacks (DDoS) to bring online systems at major
American banks to their knees. Most denial of service attacks use botnets, which
are networks of computers that the bot-herder infected with malware.
However, the Iranians remotely hijacked and used “clouds” of thousands of
networked servers located in cloud computing data centers around the world.
The attack inundated bank computers with encryption requests (they consume
more system resources), allowing the hackers to cripple sites with fewer
requests. The cloud services were infected with a sophisticated malware, which
evaded detection by antivirus programs and made it very difficult to trace the
malware back to its user. The scale and scope of these attacks and their
effectiveness is unprecedented, as there have never been that many financial
institutions under simultaneous attack.

Software errors, operating system crashes, hardware failures, power outages
and fluctuations, and undetected data transmission errors constitute a second type of
threat. A federal study estimated yearly economic losses due to software bugs at almost
$60 billion. More than 60% of companies studied had significant software errors.

Examples of errors include:

● Over 50 million people in the Northeast were left without power when an
industrial control system in part of the grid failed. Some areas were powerless for
four days, and damages from the outage ran close to $10 billion.

● At Facebook, an automated system for verifying configuration value errors
backfired, causing every single client to try to fix accurate data it perceived as
invalid. Since the fix involved querying a cluster of databases, that cluster was
quickly overwhelmed by hundreds of thousands of queries a second. The
resultant crash took the Facebook system offline for two-and-a-half hours.

● As a result of tax system bugs, California failed to collect $635 million in
business taxes.

● A bug in Burger King’s software resulted in a $4,334.33 debit card charge for
four hamburgers. The cashier accidentally keyed in the $4.33 charge twice,
resulting in the overcharge.

A third type of threat, unintentional acts such as accidents or innocent errors and
omissions, is the greatest risk to information systems and causes the greatest dollar
losses. The Computing Technology Industry Association estimates that human errors
cause 80% of security problems. Forrester Research estimates that employees
unintentionally create legal, regulatory, or financial risks in 25% of their outbound
e-mails.

Unintentional acts are caused by human carelessness, failure to follow
established procedures, and poorly trained or supervised personnel. Users lose or
misplace data and accidentally erase or alter files, data, and programs. Computer
operators and users enter the wrong input or erroneous input, use the wrong version of
a program or the wrong data files, or misplace data files. Systems analysts develop
systems that do not meet company needs, that leave them vulnerable to attack, or that
are incapable of handling their intended tasks. Programmers make logic errors. Examples
of unintentional acts include the following:

● A data entry clerk at Mizuho Securities mistakenly keyed in a sale for 610,000
shares of J-Com for 1 yen instead of the sale of 1 share for 610,000 yen. The error
cost the company $250 million.

● A programmer made a one-line-of-code error that priced all goods at Zappos,
an online retailer, at $49.95—even though some of the items it sells are worth
thousands of dollars. The change went into effect at midnight, and by the time it
was detected at 6:00 a.m., the company had lost $1.6 million on goods sold far
below cost.

● A bank programmer mistakenly calculated interest for each month using 31
days. Before the mistake was discovered, over $100,000 in excess interest was
paid.

● A Fannie Mae spreadsheet error misstated earnings by $1.2 billion.

● UPS lost a box of computer tapes containing sensitive information on 3.9
million Citigroup customers.

● Jefferson County, West Virginia, released a new online search tool that exposed
the personal information of 1.6 million people.

● McAfee, the antivirus software vendor, mistakenly identified svchost.exe, a
crucial part of the Windows operating system, as a malicious program in one of
its updates. Hundreds of thousands of PCs worldwide had to be manually
rebooted—a process that took 30 minutes per machine. A third of the hospitals
in Rhode Island were shut down by the error. One company reported that the
error cost them $2.5 million.

A fourth threat is an intentional act such as a computer crime, a fraud, or
sabotage, which is deliberate destruction or harm to a system. Sabotage is an intentional
act where the intent is to destroy a system or some of its components. Information
systems are increasingly vulnerable to attacks. Examples of intentional acts include the
following:

● In a recent three-year period, the number of networks that were compromised
rose 700%. Experts believe the actual number of incidents is six times higher than
reported because companies tend not to report security breaches. Symantec
estimates that hackers attack computers more than 8.6 million times per day.
One computer-security company reported that in the cases they handled that
were perpetrated by Chinese hackers, 94% of the targeted companies didn’t
realize that their systems had been compromised until someone else told them.
The median number of days between when an intrusion started and when it was
detected was 416.

● The Sobig virus wreaked havoc on millions of computers, including shutting
down train systems for up to six hours.

● In Australia, a disgruntled employee hacked into a sewage system 46 times over
two months. Pumps failed, and a quarter of a million gallons of raw sewage
poured into nearby streams, flooding a hotel and park.

● A programmer was able to download OpenTable’s database due to an
improperly designed cookie (data a website stores on your computer to identify
the site so you do not have to log on each time you visit the site).

● A hacker stole 1.5 million credit and debit card numbers from Global Payments,
resulting in an $84 million loss and a 90% drop in profits in the quarter following
disclosure.

● The activist hacker group called Anonymous played Santa Claus one Christmas,
indicating they were “granting wishes to people who are less fortunate than
most.” They were inundated with requests for iPads, iPhones, pizzas, and
hundreds of other things. They hacked into banks and sent over $1 million worth
of virtual credit cards to people.

Cyber thieves have stolen more than $1 trillion worth of intellectual property
from businesses worldwide. General Alexander, director of the National Security Agency,
called cyber theft “the greatest transfer of wealth in history.”

Introduction to Fraud

Fraud is gaining an unfair advantage over another person. Legally, for an act to
be fraudulent there must be:

1. A false statement, representation, or disclosure
2. A material fact, which is something that induces a person to act
3. An intent to deceive
4. A justifiable reliance; that is, the person relies on the misrepresentation to take an
action
5. An injury or loss suffered by the victim

Economic losses resulting from fraudulent activity each year are
staggering. It is rare for a week to go by without the national or local press reporting
another fraud of some kind. These frauds range from a multimillion-dollar fraud that
captures the attention of the nation to an employee defrauding a local company out of
a small sum of money.

The Association of Certified Fraud Examiners (ACFE) conducts comprehensive
fraud studies and releases its findings in a Report to the Nation on Occupational Fraud
and Abuse (2010). The ACFE estimates that:

● A typical organization loses 5% of its annual revenue to fraud, indicating yearly
global fraud losses of over $2.9 trillion.

● Owner/executive frauds took much longer to detect and were more than three
times as costly as manager-perpetrated frauds and more than nine times as costly
as employee frauds.

● More than 85% of the perpetrators had never been charged or convicted of
fraud.

● Small businesses, with fewer and less effective internal controls, were more
vulnerable to fraud than large businesses.

● Occupational frauds are much more likely to be detected by an anonymous tip
than by audits or any other means.

Most fraud perpetrators are knowledgeable insiders with the requisite access,
skills, and resources. Because employees understand a company’s system and its
weaknesses, they are better able to commit and conceal a fraud. The controls used to
protect corporate assets make it more difficult for an outsider to steal from a company.
Fraud perpetrators are often referred to as white-collar criminals, typically
businesspeople who commit fraud. White-collar criminals usually resort to
trickery or cunning, and their crimes usually involve a violation of trust or confidence.

Corruption is dishonest conduct by those in power and it often involves actions
that are illegitimate, immoral, or incompatible with ethical standards. There are many
types of corruption; examples include bribery and bid rigging.

Investment fraud is misrepresenting or leaving out facts in order to promote an
investment that promises fantastic profits with little or no risk. There are many types of
investment fraud; examples include Ponzi schemes and securities fraud.

Misappropriation of assets is the theft of company assets by employees.
Examples include the following:

● Albert Milano, a manager at Reader’s Digest responsible for processing bills,
embezzled $1 million over a five-year period. He forged a superior’s signature on
invoices for services never performed, submitted them to accounts payable,
forged the endorsement on the check, and deposited it in his account. Milano
used the stolen funds to buy an expensive home, five cars, and a boat.

● A bank vice president approved $1 billion in bad loans in exchange for $585,000
in kickbacks. The loans cost the bank $800 million and helped trigger its collapse.

● A manager at a Florida newspaper went to work for a competitor after he was
fired. The first employer soon realized its reporters were being scooped. An
investigation revealed the manager still had an active account and password and
regularly browsed its computer files for information on exclusive stories.

● In a recent survey of 3,500 adults, half said they would take company property
when they left and were more likely to steal e-data than assets. More than 25%
said they would take customer data, including contact information. Many
employees did not believe taking company data is equivalent to stealing.

The most significant contributing factor in most misappropriations is the absence of
internal controls and/or the failure to enforce existing internal controls. A typical
misappropriation has the following important elements or characteristics.

The perpetrator:

● Gains the trust or confidence of the entity being defrauded.

● Uses trickery, cunning, or false or misleading information to commit fraud.

● Conceals the fraud by falsifying records or other information.

● Rarely terminates the fraud voluntarily.

● Sees how easy it is to get extra money; need or greed impels the person to
continue. Some frauds are self-perpetuating; if perpetrators stop, their actions
are discovered.

● Spends the ill-gotten gains. Rarely does the perpetrator save or invest the
money. Some perpetrators come to depend on the “extra” income, and others
adopt a lifestyle that requires even greater amounts of money. For these reasons,
there are no small frauds—only large ones that are detected early.

● Gets greedy and takes ever-larger amounts of money at intervals that are more
frequent, exposing the perpetrator to greater scrutiny and increasing the chances
the fraud is discovered. The sheer magnitude of some frauds leads to their
detection. For example, the accountant at an auto repair shop, a lifelong friend
of the shop’s owner, embezzled ever larger sums of money over a seven-year
period. In the last year of the fraud, the embezzler took over $200,000. Facing
bankruptcy, the owner eventually laid off the accountant and had his wife take
over the bookkeeping. When the company immediately began doing better, the
wife hired a fraud expert who investigated and uncovered the fraud.

● Grows careless or overconfident as time passes. If the size of the fraud does
not lead to its discovery, the perpetrator eventually makes a mistake that does
lead to the discovery.

Fraudulent Financial Reporting

The National Commission on Fraudulent Financial Reporting (the Treadway
Commission) defined fraudulent financial reporting as intentional or reckless conduct,
whether by act or omission, that results in materially misleading financial statements.
Management falsifies financial statements to deceive investors and creditors, increase a
company’s stock price, meet cash flow needs, or hide company losses and problems.

Through the years, many highly publicized financial statement frauds have
occurred. In each case, misrepresented financial statements led to huge financial losses
and a number of bankruptcies. The most frequent “cook the books” schemes involve
fictitiously inflating revenues, holding the books open (recognizing revenues before they
are earned), closing the books early (delaying current expenses to a later period),
overstating inventories or fixed assets, and concealing losses and liabilities.

The Treadway Commission recommended four actions to reduce fraudulent
financial reporting:

1. Establish an organizational environment that contributes to the integrity of the
financial reporting process.

2. Identify and understand the factors that lead to fraudulent financial reporting.

3. Assess the risk of fraudulent financial reporting within the company.

4. Design and implement internal controls to provide reasonable assurance of
preventing fraudulent financial reporting.

The ACFE found that an asset misappropriation is 17 times more likely than
fraudulent financial reporting but that the amounts involved are much smaller. As a
result, auditors and management are more concerned with fraudulent financial
reporting even though they are more likely to encounter misappropriations.

The Auditor’s Responsibilities

● Understand fraud. Because auditors cannot effectively audit something they
do not understand, they must understand fraud and how and why it is
committed.

● Discuss the risks of material fraudulent misstatements. While planning the
audit, team members discuss among themselves how and where the company’s
financial statements are susceptible to fraud.

● Obtain information. The audit team gathers evidence by looking for fraud risk
factors; testing company records; and asking management, the audit committee
of the board of directors, and others whether they know of past or current fraud.
Because many frauds involve revenue recognition, special care is exercised in
examining revenue accounts.

● Identify, assess, and respond to risks. The evidence is used to identify, assess,
and respond to fraud risks by varying the nature, timing, and extent of audit
procedures and by evaluating carefully the risk of management overriding
internal controls.

● Evaluate the results of their audit tests. Auditors must evaluate whether
identified misstatements indicate the presence of fraud and determine its impact
on the financial statements and the audit.

● Document and communicate findings. Auditors must document and
communicate their findings to management and the audit committee.

● Incorporate a technology focus. Recognize the impact technology has on fraud
risks and provides commentary and examples recognizing this impact. It also
notes the opportunities auditors have to use technology to design fraud-auditing
procedures.

Who Commits Fraud and Why

When researchers compared the psychological and demographic characteristics
of white-collar criminals, violent criminals, and the public, they found significant
differences between violent and white-collar criminals. They found few differences
between white-collar criminals and the public. Their conclusion: Many fraud
perpetrators look just like you and me.

Some fraud perpetrators are disgruntled and unhappy with their jobs and seek
revenge against employers. Others are dedicated, hard-working, and trusted employees.
Most have no previous criminal record; they were honest, valued, and respected
members of their community. In other words, they were good people who did bad
things.

Computer fraud perpetrators are typically younger and possess more computer
experience and skills. Some are motivated by curiosity, a quest for knowledge, the desire
to learn how things work, and the challenge of beating the system. Some view their
actions as a game rather than as dishonest behavior. Others commit computer fraud to
gain stature in the hacking community.

A large and growing number of computer fraud perpetrators are more predatory
in nature and seek to turn their actions into money. These fraud perpetrators are more
like the blue-collar criminals who look to prey on others by robbing them. The difference
is that they use a computer instead of a gun.

Many first-time fraud perpetrators that are not caught, or that are caught but not
prosecuted, move from being “unintentional” fraudsters to “serial” fraudsters.

Malicious software is a big business and a huge profit engine for the criminal
underground, especially for digitally savvy hackers in Eastern Europe. They break into
financial accounts and steal money. They sell data to spammers, organized crime,
hackers, and the intelligence community. They market malware, such as virus-producing
software, to others. Some work with organized crime. A recently convicted hacker was
paid $150 for every 1,000 computers he infected with his adware and earned hundreds
of thousands of dollars a year.

Cyber-criminals are a top FBI priority because they have moved from isolated and
uncoordinated attacks to organized fraud schemes targeted at specific individuals and
businesses. They use online payment companies to launder their ill-gotten gains. To hide
their money, they take advantage of the lack of coordination between international law
enforcement organizations.

The Fraud Triangle

For most predatory fraud perpetrators, all the fraudster needs is an opportunity
and the criminal mind-set that allows him/her to commit the fraud. For most first-time
fraud perpetrators, three conditions are present when fraud occurs: a pressure, an
opportunity, and a rationalization. This is referred to as the fraud triangle, and is the
middle triangle in Figure 4.2.

Pressures

A pressure is a person’s incentive or motivation for committing fraud. Three types
of pressures that lead to misappropriations are shown in the Employee Pressure Triangle
in Figure 4.2 and are summarized in Table 4.3. Financial pressures often motivate
misappropriation frauds by employees. Examples of such pressures include living beyond
one’s means, heavy financial losses, or high personal debt. Often, the perpetrator feels
the pressure cannot be shared and believes fraud is the best way out of a difficult
situation.

Figure 4.2. The Fraud Triangle

A second type of pressure is emotional. Many employee frauds are motivated by
greed. Some employees turn to fraud because they have strong feelings of resentment
or believe they have been treated unfairly. They may feel their pay is too low, their
contributions are not appreciated, or the company is taking advantage of them.

Other people are motivated by the challenge of “beating the system” or
subverting system controls and breaking into a system. When a company boasted that
its new system was impenetrable, a team of individuals took less than 24 hours to break
into the system and leave a message that the system had been compromised.

Table 4.3 Pressures that can lead to employee fraud.

Some people commit fraud to keep pace with other family members or win a
“who has the most or best” competition. A plastic surgeon, making $800,000 a year,
defrauded his clinic of $200,000 to compete in the family “game” of financial
one-upmanship. Other people commit fraud due to some combination of greed, ego, pride,
or ambition that causes them to believe that no matter how much they have, it is never
enough.

A third type of employee pressure is a person’s lifestyle. The person may need
funds to support a gambling habit or support a drug or alcohol addiction. One young
woman embezzled funds because her boyfriend threatened to leave her if she did not
provide him the money he needed to support his gambling and drug addictions.

Three types of organizational pressures that motivate management to misrepresent financial
statements are shown in the Financial Statement Pressure triangle in Figure 4.2 and
summarized in Table 4.3.

A prevalent financial pressure is a need to meet or exceed earnings expectations
to keep a stock price from falling. Managers create significant pressure with unduly
aggressive earnings forecasts or unrealistic performance standards or with incentive
programs that motivate employees to falsify financial results to keep their jobs or to
receive stock options and other incentive payments. Industry conditions such as new
regulatory requirements or significant market saturation with declining margins can
motivate fraud.

Opportunity

Opportunity is the condition or situation that allows a person or organization to
commit and conceal a dishonest act and convert it to personal gain. It allows one to do
three things:

1. Commit the fraud. The theft of assets is the most common type of
misappropriation. Most instances of fraudulent financial reporting involve
overstatements of assets or revenues, understatements of liabilities, or failures
to disclose information.
2. Conceal the fraud. To prevent detection when assets are stolen or financial
statements are overstated, perpetrators must keep the accounting equation in
balance by inflating other assets or decreasing liabilities or equity. Concealment
often takes more effort and time and leaves behind more evidence than the theft
or misrepresentation. Taking cash requires only a few seconds; altering records
to hide the theft is more challenging and time-consuming. One way for an
employee to hide a theft of company assets is to charge the stolen item to an
expense account.

Another way to hide a theft of company assets is to use a lapping scheme. In a
lapping scheme, an employee of Company Z steals the cash or checks customer
A mails in to pay the money it owes to Company Z. Later, the employee uses funds
from customer B to pay off customer A’s balance. Funds from customer C are
used to pay off customer B’s balance, and so forth. Because the theft involves
two asset accounts (cash and accounts receivable), the cover-up must continue
indefinitely unless the money is replaced or the debt is written off the books.

An individual, for his own personal gain or on behalf of a company, can hide the
theft of cash using a check-kiting scheme. In check kiting, cash is created using
the lag between the time a check is deposited and the time it clears the bank.
Suppose an individual or a company opens accounts in banks A, B, and C. The
perpetrator “creates” cash by depositing a $1,000 check from bank B in bank C
and withdrawing the funds. If it takes two days for the check to clear bank B, he
has created $1,000 for two days. After two days, the perpetrator deposits a
$1,000 check from bank A in bank B to cover the created $1,000 for two more
days. At the appropriate time, $1,000 is deposited from bank C in bank A. The
scheme continues—writing checks and making deposits as needed to keep the
checks from bouncing—until the person is caught or he deposits money to cover
the created and stolen cash.

Electronic banking systems make kiting harder because the time between a
fraudster depositing the check in one bank and the check being presented to the
other bank for payment is shortened.

3. Convert the theft or misrepresentation to personal gain. In a misappropriation,
fraud perpetrators who do not steal cash or use the stolen assets personally must
convert them to a spendable form. For example, employees who steal inventory
or equipment sell the items or otherwise convert them to cash. In cases of
falsified financial statements, perpetrators convert their actions to personal gain
through indirect benefits; that is, they keep their jobs, their stock rises, they
receive pay raises and promotions, or they gain more power and influence.
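
The lapping scheme described under "Conceal the fraud" leaves a trace an auditor can test for: the customer credited in accounts receivable differs from the payer on the deposited check. The following is an added example, not part of the original chapter; the record layouts, customer labels, check numbers and amounts are constructed for illustration.

```python
from collections import defaultdict, namedtuple
from datetime import date

# Bank deposit detail: who actually wrote each check that reached the bank.
Deposit = namedtuple("Deposit", "check_no payer cents deposited")
# Accounts receivable postings: which customer's balance the clerk reduced.
Posting = namedtuple("Posting", "check_no credited cents posted")

# Constructed sample data. Customer A's $500 payment was stolen and never
# deposited; B's check was then posted to A, and C's check to B.
DEPOSITS = [
    Deposit("1001", "B", 50000, date(2024, 3, 4)),
    Deposit("1002", "C", 50000, date(2024, 3, 11)),
    Deposit("1003", "D", 75000, date(2024, 3, 12)),
]
POSTINGS = [
    Posting("1001", "A", 50000, date(2024, 3, 4)),
    Posting("1002", "B", 50000, date(2024, 3, 11)),
    Posting("1003", "D", 75000, date(2024, 3, 12)),
]


def totals_balance(deposits, postings):
    """Batch-level check: total cash deposited equals total credited to A/R."""
    return sum(d.cents for d in deposits) == sum(p.cents for p in postings)


def misapplied(deposits, postings):
    """Item-level check: postings credited to someone other than the payer."""
    by_check = {d.check_no: d for d in deposits}
    hits = []
    for p in postings:
        d = by_check.get(p.check_no)
        if d is not None and d.payer != p.credited:
            hits.append((p.check_no, d.payer, p.credited))
    return hits


def lapping_chains(hits):
    """Link mismatches into chains: each account is followed by the customer
    whose money covered it. Assumes one covering payer per credited account."""
    covered_by = {credited: payer for _, payer, credited in hits}
    payers = set(covered_by.values())
    chains = []
    # A chain starts at an account that was covered by someone else's check
    # but whose own check covered nobody: the likely missing payment.
    for start in sorted(c for c in covered_by if c not in payers):
        chain = [start]
        while chain[-1] in covered_by and covered_by[chain[-1]] not in chain:
            chain.append(covered_by[chain[-1]])
        chains.append(chain)
    return chains


def net_by_customer(deposits, postings):
    """Cents deposited by each customer minus cents credited to that customer.
    Positive: paid but not credited. Negative: credited without a deposit."""
    net = defaultdict(int)
    for d in deposits:
        net[d.payer] += d.cents
    for p in postings:
        net[p.credited] -= p.cents
    return {c: v for c, v in net.items() if v != 0}


if __name__ == "__main__":
    hits = misapplied(DEPOSITS, POSTINGS)
    print("totals balance:", totals_balance(DEPOSITS, POSTINGS))
    print("misapplied postings:", hits)
    print("lapping chains:", lapping_chains(hits))
    print("net by customer (cents):", net_by_customer(DEPOSITS, POSTINGS))
```

The batch totals agree, so a reconciliation of totals alone passes; only the item-level comparison exposes the chain and the customer whose payment has not yet been credited.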

Table 4.4 Opportunities Permitting Employee and Financial Statement Fraud

Rationalizations
A rationalization is the excuse that fraud perpetrators use to justify their
illegal behavior. In other words, perpetrators rationalize that they are not being
dishonest, that honesty is not required of them, or that they value what they take
more than honesty and integrity. Some perpetrators rationalize that they are not
hurting a real person, but a faceless and nameless computer system or an
impersonal company that will not miss the money.

The most frequent rationalizations include the following:

● I am only “borrowing” it, and I will repay my “loan.”
● You would understand if you knew how badly I needed it.
● What I did was not that serious.
● It was for a good cause (the Robin Hood syndrome: robbing the rich to
give to the poor).
● In my very important position of trust, I am above the rules.
● Everyone else is doing it.
● No one will ever know.
● The company owes it to me; I am taking no more than is rightfully mine.

Fraud occurs when people have high pressures; an opportunity to
commit, conceal, and convert; and the ability to rationalize away their personal
integrity. Fraud is less likely to occur when people have few pressures, little
opportunity, and high personal integrity. Usually all three elements of the fraud
triangle must be present to some degree before a person commits fraud.
Likewise, fraud can be prevented by eliminating or minimizing one or
more fraud triangle elements. Although companies can reduce or minimize some
pressures and rationalizations, their greatest opportunity to prevent fraud lies in
reducing or minimizing opportunity by implementing a good system of internal
controls.

Computer Fraud

Computer fraud is any fraud that requires computer technology to
perpetrate it. Examples include:
● Unauthorized theft, use, access, modification, copying, or destruction
of software, hardware, or data
● Theft of assets covered up by altering computer records
● Obtaining information or tangible property illegally using computers

The Rise in Computer Fraud


It is estimated that computer fraud costs the United States somewhere
between $70 billion and $125 billion a year and that the costs increase
significantly each year. Computer systems are particularly vulnerable for the
following reasons:

● People who break into corporate databases can steal, destroy, or alter
massive amounts of data in very little time, often leaving little evidence.
One bank lost $10 million in just a few minutes.
● Computer fraud can be much more difficult to detect than other types
of fraud.
● Some organizations grant employees, customers, and suppliers access
to their system. The number and variety of these access points
significantly increase the risks.
● Computer programs need to be modified illegally only once for them to
operate improperly for as long as they are in use.
● Personal computers (PCs) are vulnerable. It is difficult to control
physical access to each PC that accesses a network, and PCs and their data
can be lost, stolen, or misplaced. Also, PC users are generally less aware
of the importance of security and control. The more legitimate users there
are, the greater the risk of an attack on the network.
● Computer systems face a number of unique challenges: reliability,
equipment failure, dependency on power, damage from water or fire,
vulnerability to electromagnetic interference and interruption, and
eavesdropping.

As early as 1979, Time magazine labeled computer fraud a “growth
industry.” Most businesses have been victimized by computer fraud. Recently, a
spy network in China hacked into 1,300 government and corporate computers in
103 countries. The number of incidents, the total dollar losses, and the
sophistication of the perpetrators and the schemes used to commit computer
fraud are increasing rapidly for several reasons:

1. Not everyone agrees on what constitutes computer fraud. Many
people do not believe that copying software constitutes computer fraud.
Software publishers think otherwise and prosecute those who make
illegal copies. Some people do not think it is a crime to browse someone
else’s computer files if they do no harm, whereas companies whose data
are browsed feel much differently.

2. Many instances of computer fraud go undetected. A few years ago, it
was estimated that U.S. Defense Department computers were attacked
more than a half million times per year, with the number of incidents
increasing 50% to 100% per year. Defense Department staffers and
outside consultants made 38,000 “friendly hacks” on their networks to
evaluate security. Almost 70% were successful, and the Defense
Department detected only 4% of the attacks.

3. A high percentage of frauds is not reported. Many companies believe
the adverse publicity would result in copycat fraud and a loss of customer
confidence, which could cost more than the fraud itself.

4. Many networks are not secure. Dan Farmer, who wrote SATAN (a
network security testing tool), tested 2,200 high-profile websites at
government institutions, banks, and newspapers. Only three sites
detected and contacted him.

5. Internet sites offer step-by-step instructions on how to perpetrate
computer fraud and abuse. For instance, an Internet search found
thousands of sites telling how to conduct a “denial of service” attack, a
common form of computer abuse.

6. Law enforcement cannot keep up with the growth of computer fraud.
Because of lack of funding and skilled staff, the FBI investigates only 1 in
15 computer crimes.

7. Calculating losses is difficult. It is difficult to calculate total losses when
information is stolen, websites are defaced, and viruses shut down entire
computer systems.


Computer Fraud Classifications

Computer fraud can be categorized using the data processing model.

Input Fraud. The simplest and most common way to commit a computer
fraud is to alter or falsify computer input. It requires little skill; perpetrators need
only understand how the system operates so they can cover their tracks. For
example:
● A man opened a bank account in New York and had blank bank deposit
slips printed that were similar to those available in bank lobbies, except
that his account number was encoded on them. He replaced the deposit
slips in the bank lobby with his forged ones. For three days, bank deposits
using the forged slips went into his account. The perpetrator withdrew
the money and disappeared. He was never found.

● A man used desktop publishing to prepare bills for office supplies that
were never ordered or delivered and mailed them to local companies. The
invoices were for less than $300, an amount that often does not require
purchase orders or approvals. A high percentage of the companies paid
the bills.

● An employee at the Veteran’s Memorial Coliseum sold customers full-
price tickets, entered them as half-price tickets, and pocketed the
difference.

● Railroad employees entered data to scrap over 200 railroad cars. They
removed the cars from the railway system, repainted them, and sold
them.

● A company providing on-site technical support created exact duplicates
of the checks used to pay them, using off-the-shelf scanners, graphics
software, and printers. If the double payments were caught, the bank
checked their microfiche copies of the two identical checks, assumed a
clerical error had occurred, and wrote off the loss as a gesture of
maintaining good customer relations.
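One way to turn the under-$300 invoice scheme above into a detective control, as an added example that is not part of the original chapter: hold any invoice that lacks a matching purchase order, comes from a vendor missing from the vendor master, or bills a purchase order a second time. The vendor IDs, PO numbers, and invoice records are constructed sample data.

```python
APPROVAL_THRESHOLD = 300.00  # from the passage: bills under $300 often skip POs and approvals

# Constructed sample data (assumptions for illustration, not from the chapter).
APPROVED_VENDORS = {"V-100", "V-200"}
PURCHASE_ORDERS = {"PO-7001": ("V-100", 1250.00), "PO-7002": ("V-200", 240.00)}
INVOICES = [
    {"id": "INV-1", "vendor": "V-100", "po": "PO-7001", "amount": 1250.00},
    {"id": "INV-2", "vendor": "V-200", "po": "PO-7002", "amount": 240.00},
    {"id": "INV-3", "vendor": "V-900", "po": None, "amount": 289.50},
    {"id": "INV-4", "vendor": "V-900", "po": None, "amount": 295.00},
    {"id": "INV-5", "vendor": "V-100", "po": None, "amount": 75.00},
    {"id": "INV-6", "vendor": "V-200", "po": "PO-7002", "amount": 240.00},
]


def review_invoice(inv, seen_pos):
    """Return the reasons (possibly none) an invoice should be held for review."""
    reasons = []
    if inv["vendor"] not in APPROVED_VENDORS:
        reasons.append("vendor not in vendor master")
    po = PURCHASE_ORDERS.get(inv["po"]) if inv["po"] else None
    if po is None:
        reasons.append("no matching purchase order")
        # Small amounts are exactly what the fake-bill scheme relied on.
        if inv["amount"] < APPROVAL_THRESHOLD:
            reasons.append("below approval threshold without PO")
    else:
        po_vendor, po_amount = po
        if po_vendor != inv["vendor"] or abs(po_amount - inv["amount"]) > 0.005:
            reasons.append("invoice does not agree with PO")
        if inv["po"] in seen_pos:
            reasons.append("PO already invoiced (possible duplicate billing)")
        seen_pos.add(inv["po"])
    return reasons


def hold_list(invoices):
    """Map invoice id -> reasons for every invoice that fails a check."""
    seen_pos, held = set(), {}
    for inv in invoices:
        reasons = review_invoice(inv, seen_pos)
        if reasons:
            held[inv["id"]] = reasons
    return held


if __name__ == "__main__":
    for inv_id, reasons in hold_list(INVOICES).items():
        print(inv_id, "->", "; ".join(reasons))
```
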

Processor Fraud. Processor fraud includes unauthorized system use,
including the theft of computer time and services. For example:

● An insurance company installed software to detect abnormal system
activity and found that employees were using company computers to run
an illegal gambling website.
● Two accountants without the appropriate access rights hacked into
Cisco’s stock option system, transferred over $6.3 million of Cisco stock
to their brokerage accounts, and sold the stock. They used part of the
funds to support an extravagant lifestyle, including a $52,000 Mercedes-
Benz, a $44,000 diamond ring, and a $20,000 Rolex watch.

Computer Instructions Fraud

Computer instructions fraud includes tampering with company software,
copying software illegally, using software in an unauthorized manner, and
developing software to carry out an unauthorized activity. This approach used to
be uncommon because it required specialized programming knowledge. Today,
it is more frequent because of the many web pages that tell users how to create
such software.

Figure 4.3 Computer Fraud Classifications

Data Fraud

Illegally using, copying, browsing, searching, or harming company data
constitutes data fraud. The biggest cause of data breaches is employee
negligence.
Companies now report that their losses are greater from the electronic theft of
data than from stealing physical assets. It is estimated that, on average, it costs a
company $6.6 million, including lost business, to recover from a data breach.
Company employees are much more likely to perpetrate data fraud than
outsiders are. A recent study shows that 59% of employees who lost or left a job
admitted to stealing confidential company information. Almost 25% of them had
access to their former employer’s computer system. In addition, more cases are
beginning to surface of employees stealing their employer’s intellectual
properties and selling them to foreign companies or governments.
In the absence of controls, it is not hard for an employee to steal data.
For example, an employee using a small flash drive can steal large amounts of
data and remove it without being detected. In today’s world, you can even buy
wristwatches with a USB port and internal memory.

PREVENTING COMPUTER CRIME AND FRAUD

Enlist Top-Management Support

Most employees do not automatically follow organizational security
policies and procedures—they are rarely rewarded for it, and such tasks take
time away from those activities for which they are rewarded. This is why
experts agree that computer security begins (or ends) with top
management and security policies. Without such policies, for example,
organizations can only expect limited employee (1) compliance with security
procedures, (2) sensitivity to potential problems, or (3) awareness of why
computer abuse is important.

Increase Employee Awareness and Education

Ultimately, controlling computer crime means controlling people. But
which people? The idea that computer crimes are outside jobs is a myth. With
the exception of hackers, most computer abusers are the employees of the
same companies at which the crimes take place. In fairness, employees
cannot be expected to automatically understand the problems or
ramifications of computer crime. Thus, another dimension of preventing
computer crime is employee education: informing employees of the
significance of computer crime and abuse.

Assess Security Policies and Protect Passwords

Common sense dictates that organizations should regularly survey
their computer security measures and assess potential areas of vulnerability.
Nearly all organizations use firewalls, antivirus software, and access controls,
but many are not as conscientious about performing periodic security
reviews. An important security process that organizations should consider is
evaluating employee practices and educating users to protect their own
computers.


Ten simple steps to safer personal computers.

Implement Controls

Most computer crime and abuse succeeds because of the absence of
controls rather than the failure of controls. There are many reasons why
businesses do not implement control procedures to deter computer crime. One
is the all-too-common belief of those managers who have not suffered a
computer crime that they have nothing to fear.
