Introduction
Our society has become increasingly dependent on accounting information
systems.
As system complexity and our dependence on systems increase, companies
face the growing risk of their systems being compromised.
Page 1 of 34
The four types of threats a company faces are explained in Table 5-1 on
Page 143
AIS Threats
Four Types Of Systems Threats:
1. Natural and political disasters
2. Software errors and equipment malfunctions
3. Unintentional acts
4. Intentional acts (computer crimes)
1. Natural and political disasters
Fires, excessive heat, floods, earthquakes, high winds, war
and attacks by terrorists
Flood in Chicago
3. Unintentional Acts
The Computing Technology Industry Association estimates that
human errors cause 80% of security problems.
Forrester Research estimates that employees unintentionally
create legal, regulatory or financial risks in 25% of their
outbound e-mails.
Programmers make logic errors. Examples include the
following:
INTRODUCTION TO FRAUD
Fraud is any and all means a person uses to gain an unfair
advantage over another person. Legally, for an act to be
considered fraudulent there must be:
1. A false statement, representation, or disclosure
2. A material fact, which is something that induces a person to
act
3. An intent to deceive
4. A justifiable reliance; that is, the person relies on the
misrepresentation to take an action
Misappropriation of Assets
Misappropriation of assets is often referred to as employee
fraud.
Some examples include:
to newspaper for stories
Understand fraud
Obtain information
Multiple Choice 2
The Association of Certified Fraud Examiners estimates total fraud
losses in the United States to be over
a. $350 billion a year
b. $660 billion a year
c. $100 billion a year
d. $800 billion a year
Multiple Choice 3
Which of the following statements is false?
a. For an act to be fraudulent there must be a false
statement, representation, or disclosure.
b. Fraud perpetrators are often referred to as management
fraud.
c. Misappropriation of assets is often referred to as
employee fraud.
d. SAS No. 82 was adopted in 1997.
Pressures
A pressure is a person's incentive or motivation for committing
the fraud. The three common types of pressures are financial,
emotional, and lifestyle; they are summarized in Table 5-2 on Page
149. Table 5-3 on Page 150 lists the pressures that can lead to
financial statement fraud.
Opportunities
As shown in the opportunity triangle in Figure 5-1 on Page 148,
opportunity is the condition or situation that allows a person or
organization to do three things:
1. Commit the fraud
Most fraudulent financial reporting consists of the
overstatement of assets or revenues or the understatement of
liabilities, or the failure to disclose information.
2. Conceal the fraud
A common and effective way to hide a theft is to charge the
stolen item to an expense account. For example, supplies are
charged to an expense account when they are initially purchased,
before they are used. This gives the perpetrator the opportunity
to use some of the supplies for personal benefit at the expense
of the company. These unused supplies
Check-kiting illustration (one perpetrator, three banks; columns
reconstructed from the extracted diagram):

PERPETRATOR   1,000 (cash held 1/2 through 1/6; see Note #1)

BANK A
  1/1         Bal. +1,000
  #2 1/2      W/D -1,000               Bal. -0-      No NSF due
  1/3         +1,000                   Bal. -0-      No NSF due

BANK B
  #3 1/3      1,000 check              Bal. -1,000   NSF due 1/5
  #4 1/5      +1,000                   Bal. -0-      No NSF due

BANK C
  1/5         1,000 check              Bal. -1,000   NSF due 1/7
              Deposit +1,000 (Note #1) Bal. -0-      No NSF due

Note #1: At this point the perpetrator may want to deposit the $1,000 he has had for 5 days (1/2
through 1/6), on the morning of 1/7 and start over again with Bank A.
Legend: W/D = withdraws cash
Bal. = balance
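As an added example that is not part of the original notes, the Python below replays a constructed three-bank sequence of the kind the diagram shows and applies the control that exposes it: comparing each account's ledger balance (what the statement shows) with its collected balance (only funds that have actually cleared). The two-day clearing time, the account names, the amounts and the dates are all assumptions; the circular-check test simply asks whether a deposited check is drawn on another account of the same customer.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed assumption: a check drawn on another bank is presented to the
# paying bank, and becomes collected funds at the depositing bank, two days
# after deposit (the diagram's "NSF due" dates sit two days after each check).
CLEARING_DAYS = 2


@dataclass
class Txn:
    day: date
    bank: str                       # account the item is posted to
    amount: int                     # > 0 deposit, < 0 cash withdrawal
    drawn_on: Optional[str] = None  # check deposits only: bank the check is drawn on


Position = Tuple[int, int]  # (ledger balance, collected balance)


def daily_positions(txns: List[Txn], start: date, end: date) -> Dict[Tuple[date, str], Position]:
    """Replay the items day by day and return {(day, bank): (ledger, collected)}.

    The ledger balance credits a deposited check at once, which is what the
    kiter exploits.  The collected balance counts that check only on the day
    it clears, which is also the day the paying bank is debited.
    """
    banks = sorted({t.bank for t in txns} | {t.drawn_on for t in txns if t.drawn_on})
    ledger = dict.fromkeys(banks, 0)
    collected = dict.fromkeys(banks, 0)
    in_float: List[Tuple[date, str, str, int]] = []  # (clear_day, deposited_at, drawn_on, amount)
    positions: Dict[Tuple[date, str], Position] = {}
    day = start
    while day <= end:
        # 1. settle every check whose clearing day has arrived
        still_floating = []
        for clear_day, dep_bank, pay_bank, amt in in_float:
            if clear_day <= day:
                collected[dep_bank] += amt
                ledger[pay_bank] -= amt
                collected[pay_bank] -= amt
            else:
                still_floating.append((clear_day, dep_bank, pay_bank, amt))
        in_float = still_floating
        # 2. post today's items
        for t in txns:
            if t.day != day:
                continue
            ledger[t.bank] += t.amount
            if t.drawn_on is None:
                collected[t.bank] += t.amount  # cash is good funds immediately
            else:
                in_float.append((day + timedelta(days=CLEARING_DAYS), t.bank, t.drawn_on, t.amount))
        for b in banks:
            positions[(day, b)] = (ledger[b], collected[b])
        day += timedelta(days=1)
    return positions


def kiting_flags(positions: Dict[Tuple[date, str], Position]) -> List[Tuple[date, str]]:
    """(day, bank) pairs where a non-negative ledger balance rests entirely on
    deposits that have not yet been collected."""
    return sorted(key for key, (ledger, coll) in positions.items() if ledger >= 0 and coll < 0)


def uncollected_total(positions: Dict[Tuple[date, str], Position], day: date) -> int:
    """Funds credited on the books that no bank has actually received that day."""
    return sum(ledger - coll for (d, _), (ledger, coll) in positions.items() if d == day)


def circular_checks(txns: List[Txn], owned: set) -> List[Txn]:
    """Check deposits drawn on another account of the same customer."""
    return [t for t in txns if t.drawn_on in owned and t.bank in owned]


# Constructed sequence in the spirit of the diagram: one person, three
# accounts, each overdraft covered with a check drawn on the next account.
OWNED = {"A", "B", "C"}
KITE = [
    Txn(date(2024, 1, 1), "A", 1000, drawn_on="B"),  # deposit a Bank B check at A
    Txn(date(2024, 1, 2), "A", -1000),               # withdraw the cash before it collects
    Txn(date(2024, 1, 3), "B", 1000, drawn_on="C"),  # B is presented the check; cover with a C check
    Txn(date(2024, 1, 5), "C", 1000, drawn_on="A"),  # C is presented; cover with an A check
    Txn(date(2024, 1, 7), "A", 1000),                # A is presented; real cash finally deposited
]


def kite_report(txns: List[Txn] = KITE) -> List[str]:
    """Flagged days as 'MM/DD bank' strings for the constructed sequence."""
    pos = daily_positions(txns, txns[0].day, txns[-1].day)
    return [f"{d:%m/%d} {b}" for d, b in kiting_flags(pos)]


if __name__ == "__main__":
    pos = daily_positions(KITE, KITE[0].day, KITE[-1].day)
    for (day, bank), (ledger, coll) in sorted(pos.items()):
        print(f"{day:%m/%d} bank {bank}: ledger {ledger:6d}  collected {coll:6d}")
    print("flagged:", kite_report())
    print("circular check deposits:", len(circular_checks(KITE, OWNED)))
```

Every day on which the kite is alive shows an account whose ledger balance is zero or positive while its collected balance is negative; the same day-by-day comparison is what a bank's float monitoring performs, and the circular-check test catches the pattern even before any balance goes negative.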
Rationalizations
Rationalization allows perpetrators to justify their illegal
behavior.
A list of some of the rationalizations people use:
Multiple Choice 4
The three conditions that are present when fraud occurs include:
a. Attitude
b. Opportunity
c. Lack of control
d. Financial
Multiple Choice 5
The pressures that can lead to employee fraud include
a.
b.
c.
d.
e.
Multiple Choice 6
Internal control factors that provide an opportunity for employee
and financial statement fraud include
a. Incompetent personnel
b. Operating on a crisis basis
c. Inadequate supervision
d. Low employee morale and loyalty
Computer Fraud
The U.S. Department of Justice defines computer fraud as any
illegal act for which knowledge of computer technology is
essential for its perpetration, investigation or prosecution. More
specifically, computer fraud includes the following:
Input
Computer Attacks
Hacking is the unauthorized access to and use of computer systems,
usually by means of a personal computer and a telecommunications
network. Most hackers are able to break into systems using known
flaws in operating systems or application programs, or as a result
of poor access controls. Some hackers are motivated by the
challenge of breaking into computer systems and just browse or
look for things to copy and keep. Other hackers have malicious
intentions.
The following examples illustrate hacking attacks and the damage
they cause:
Several years ago, Russian hackers broke into Citibank's
system and stole $10 million from customer accounts.
During Operation Desert Storm, Dutch hackers broke into
computers at 34 different military sites and extracted
confidential information. Among the information stolen
were the troop movements and weapons used in the Iraq
war. The group offered to sell the information to Iraq,
but the government declined, probably because it feared
it was a setup.
A 17-year-old hacker, nicknamed Shadow Hawk, was
convicted of electronically penetrating the Bell
Laboratories national network, destroying files valued at
$174,000, and copying 52 proprietary software programs
worth $1.2 million. He published confidential information
such as telephone numbers, passwords and instructions
on how to breach AT&T's computer security system on
underground bulletin boards. He was sentenced to nine
months in prison and given a $10,000 fine. Like Shadow
Hawk, many hackers are fairly young, some as young as 12
and 13.
Searching for dial-up modem lines by programming computers
to dial thousands of phone numbers is referred to as war
dialing.
War driving is driving around looking for unprotected
wireless networks.
Some war drivers draw chalk symbols on sidewalks to mark
unprotected wireless networks, referred to as war chalking.
One enterprising group of researchers went war rocketing.
They sent rockets into the air that let loose wireless
access points, each attached to a parachute.
Social Engineering
In social engineering, perpetrators trick employees into giving
them the information they need to get into the system.
Identity theft is assuming someone's identity, usually for
economic gain, by illegally obtaining and using confidential
information such as the person's Social Security number or their
bank account or credit card number. Identity thieves benefit
financially by taking funds out of the victim's bank accounts,
taking out mortgages or other loan obligations, and taking out
credit cards and running up large debts.
In one case, a convicted felon incurred $100,000 of credit card
debt, took out a home loan, purchased homes and consumer goods,
and then filed for bankruptcy in the victim's name.
In pretexting, people act under false pretenses to gain
confidential information. For example, they might conduct a
security survey and lull the person into disclosing confidential
information by asking 10 innocent questions before asking the
confidential ones.
Posing is creating a seemingly legitimate business, collecting
personal information while making a sale, and never delivering a
product.
Phishing is sending out an e-mail, instant message, or text
message pretending to be from a legitimate company, usually a
financial institution, and requesting information. The recipient
is asked to respond to the e-mail, to visit a Web page and submit
the data, or to reply to the text message.
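As an added example (not code from the original notes), the Python below checks a raw e-mail for the indicators this section describes: a sender posing as a financial institution, a link that leads somewhere other than the institution's own site, and a request for confidential information. The two messages, the domains and the word lists are constructed; `registrable()` is a deliberately rough stand-in for a public-suffix lookup.

```python
import email
import email.utils
import re
from typing import List
from urllib.parse import urlparse

# Constructed word lists: requests for data and pressure phrases that a
# legitimate bank notice rarely contains (tune them for your own mail stream).
CREDENTIAL_WORDS = ("password", "account number", "social security", "verify your account", "pin code")
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "urgent")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host: str) -> str:
    """Last two labels of a host name, a rough stand-in for the registered domain."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def address_domain(header_value: str) -> str:
    """Registered domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = email.utils.parseaddr(header_value)
    return registrable(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def phishing_indicators(raw: str) -> List[str]:
    """Indicators found in one raw RFC 822 message (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw)
    findings: List[str] = []
    from_hdr = msg.get("From", "")
    display_name, _ = email.utils.parseaddr(from_hdr)
    from_dom = address_domain(from_hdr)

    # 1. The display name advertises a brand domain the sending address does not use.
    claimed = HOST_RE.search(display_name)
    if claimed and registrable(claimed.group(1)) != from_dom:
        findings.append(f"display name claims {registrable(claimed.group(1))} but sender is {from_dom}")

    # 2. Replies are routed to a different domain than the apparent sender.
    reply_dom = address_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Link text shows one site while the href leads to another (or to a third party).
    body = msg.get_payload()
    for href, text in ANCHOR_RE.findall(body):
        href_dom = registrable(urlparse(href).hostname or "")
        shown = HOST_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown.group(1)) != href_dom:
            findings.append(f"link text shows {registrable(shown.group(1))} but points to {href_dom}")
        elif href_dom and href_dom != from_dom:
            findings.append(f"link to {href_dom} in a message from {from_dom}")

    # 4. The message asks for confidential data and/or pressures the reader.
    lowered = body.lower()
    asked = [w for w in CREDENTIAL_WORDS if w in lowered]
    if asked:
        findings.append("requests confidential data: " + ", ".join(asked))
    if any(w in lowered for w in URGENCY_WORDS):
        findings.append("urgency language")
    return findings


# Constructed phishing message: every domain is a reserved example name.
SAMPLE = """\
From: "FirstNational.example Alerts" <alerts@fn-secure-mail.example.net>
Reply-To: verify@mail-collector.example.org
To: customer@example.org
Subject: Your account will be suspended
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you verify your account.</p>
<p><a href="http://fn-secure-mail.example.net/login">https://www.firstnational.example/login</a></p>
"""

# Constructed legitimate notice from the same institution, for contrast.
LEGIT = """\
From: "First National Bank" <alerts@firstnational.example>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement is available in online banking.</p>
<p><a href="https://www.firstnational.example/statements">www.firstnational.example/statements</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("phishing sample", SAMPLE), ("legitimate sample", LEGIT)):
        print(label, phishing_indicators(raw) or "no indicators")
```

None of the four checks is conclusive on its own; a real mail filter weighs them together with authentication results (SPF, DKIM, DMARC) and known-bad URL lists, which this example leaves out.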
Malware
This section describes malware, which is any software that can be
used to do harm.
Spyware is software that secretly collects personal information
about users and sends it to someone else without the user's
permission. The information is gathered by logging keystrokes,
monitoring computing habits such as Web sites visited, and scanning
documents on the computer's hard disk.
Spyware infections, of which users are usually unaware, come from
the following:
A worm or virus
Posing
Salami technique
Vishing
Data diddling
Multiple Choice 9
Software that can be used to do harm is
a. Adware
b. Evil twin
c. Malware
d. None of the above
Table 5-6 on Page 174 provides a summary of ways to prevent and detect
computer fraud:
- Make Fraud Less Likely To Occur
- Increase The Difficulty Of Committing Fraud
- Improve Detection Methods
- Reduce Fraud Losses
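The four headings above are the textbook's. As an added example that is not from the page or the textbook, the Python below shows two of those ideas as code a control reviewer could actually run: a segregation-of-duties check over an IAM-style role export (authorization, recording and custody kept in separate hands, plus roles that only one person holds) and a maker-checker review of payment records. The role names, users and payments are all constructed.

```python
from typing import Dict, List, Set

# Constructed role model: each application role is mapped to one of the
# three accounting functions that should not be combined in one person.
ROLE_FUNCTION = {
    "ap.approve_invoice": "authorization",
    "ap.create_vendor": "authorization",
    "gl.post_journal": "recording",
    "ar.apply_cash": "recording",
    "treasury.release_payment": "custody",
    "inventory.receive_goods": "custody",
}

# Hypothetical user-to-role assignments, as an IAM export might list them.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"ap.approve_invoice"},
    "bob": {"gl.post_journal", "ar.apply_cash"},
    "carol": {"ap.create_vendor", "treasury.release_payment"},
    "dave": {"ap.approve_invoice", "gl.post_journal", "treasury.release_payment"},
}

# Constructed payment records: who prepared, approved and released each one.
PAYMENTS = [
    {"id": "P-1", "prepared_by": "bob", "approved_by": "alice", "released_by": "carol"},
    {"id": "P-2", "prepared_by": "dave", "approved_by": "dave", "released_by": "dave"},
    {"id": "P-3", "prepared_by": "bob", "approved_by": "bob", "released_by": "carol"},
]


def functions_held(roles, role_function=ROLE_FUNCTION) -> Set[str]:
    """Accounting functions a set of roles grants (unknown roles are ignored)."""
    return {role_function[r] for r in roles if r in role_function}


def sod_violations(assignments, role_function=ROLE_FUNCTION) -> Dict[str, List[str]]:
    """Users who hold two or more of authorization, recording and custody."""
    violations: Dict[str, List[str]] = {}
    for user, roles in assignments.items():
        held = functions_held(roles, role_function)
        if len(held) >= 2:
            violations[user] = sorted(held)
    return violations


def single_holder_roles(assignments) -> List[str]:
    """Roles only one person holds: the business then depends on that one insider."""
    holders: Dict[str, Set[str]] = {}
    for user, roles in assignments.items():
        for role in roles:
            holders.setdefault(role, set()).add(user)
    return sorted(role for role, users in holders.items() if len(users) == 1)


def payment_control_failures(payment, assignments, role_function=ROLE_FUNCTION) -> List[str]:
    """Maker-checker review of one payment: a second person must approve it, and
    each step must be performed by someone whose roles grant that function."""
    failures: List[str] = []
    if payment["prepared_by"] == payment["approved_by"]:
        failures.append("prepared and approved by the same person")
    for step, needed in (("approved_by", "authorization"), ("released_by", "custody")):
        who = payment[step]
        if needed not in functions_held(assignments.get(who, set()), role_function):
            failures.append(f"{who} has no {needed} role for step {step}")
    return failures


def review_all(payments=PAYMENTS, assignments=ASSIGNMENTS) -> Dict[str, List[str]]:
    """Control failures per payment id (empty list = passes)."""
    return {p["id"]: payment_control_failures(p, assignments) for p in payments}


if __name__ == "__main__":
    print("segregation-of-duties violations:", sod_violations(ASSIGNMENTS))
    print("roles held by a single person:", single_holder_roles(ASSIGNMENTS))
    for pid, problems in review_all().items():
        print(pid, "OK" if not problems else "; ".join(problems))
```

Run against a real role export, the first two checks belong in a periodic access review; the third belongs in the payment workflow itself, where it blocks the transaction rather than reporting it afterwards.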
Multiple Choice 10
Ways to prevent and detect computer fraud include
a. Develop a strong system of internal controls
b. Install fraud detection software
c. Integrate the accounting functions of authorization,
recording and custody.
d. All of the above
e. A and B
COMPUTER CRIME
At Omega Engineering*
A fired employee intentionally launched a logic bomb that permanently
caused irreparable damage to Omega's computer system by deleting all of
the firm's software, inflicting $10 million in damages. Could it have
been prevented? Maybe! Could the damages and computer downtime have been
minimized through effective internal controls? Definitely. That's the
assessment of control experts after the recent indictment of Timothy
Lloyd, the former chief computer network program designer and network
administrator at Omega Engineering in Bridgeport, N.J.
"Omega is the classic situation of an inside hack attack, in this case a
logic bomb that detonates at a specified time. They are the most
difficult to defend against," said William Cook, a partner at Brinks
Hofer Gilson & Lione, a Chicago-based law firm. "That is exactly what
happened," said Al DiFrancesco, Omega's director of human resources.
"Three weeks after Lloyd was fired, our employees came to work and could
not boot their computers," he said.
Like many victimized businesses, Omega had thought it had implemented
reliable control mechanisms in its information systems. "These control
mechanisms did lead back to Lloyd and resulted in his indictment,"
DiFrancesco said. Moreover, Omega canceled all of Lloyd's access rights
and privileges on the date of his termination.
So what went wrong? For starters, besides being Omega's chief computer
network program designer, Lloyd was also the company's network
administrator. Thus he knew the ins and outs of the system and had all
Cut off from Sylvia's supply of cash, Grandone's account with the
Bank of Boston was left overdrawn by $907,000. Grandone was
ordered to make restitution to the Bank of Boston.