Managerial Auditing Journal

Internal Auditor and Computer Fraud

P.A. Collier, R. Dixon, C.L. Marston

Article information:
To cite this document: P.A. Collier, R. Dixon, C.L. Marston, (1990), "Internal Auditor and Computer Fraud", Managerial Auditing Journal, Vol. 5 Iss 4 pp.
Permanent link to this document: http://dx.doi.org/10.1108/02686909010006553
Downloaded on: 01 May 2015, At: 06:27 (PT)
Downloaded by UNIVERSITY OF EXETER At 06:27 01 May 2015 (PT)



Internal Auditor and Computer Fraud

P.A. Collier, R. Dixon and C.L. Marston

Results of a 1988 research study into the area of computer fraud are presented.

Table I. Respondents by Size

Size     Annual Turnover or Total Budget       Number of Responses   % of Sample
Large    Over £50 million                      93                    50
Medium   Between £20 million and £50 million   62                    34
Small    Below £20 million                     29                    16
Total                                          184                   100

Introduction

Despite a lack of information on the scale of computer fraud in the UK* it is generally accepted that it poses a potentially serious threat in many organisations. In recognition of this, the Chartered Institute of Management Accountants (CIMA) and the Institute of Internal Auditors (IIA) have jointly funded a research study in this area. In contrast to previous research studies (see for example: BIS Applied Systems[2] and the Audit Commission[1] in the UK; the American Bar Association[3] in the US; and the Chisholm Institute of Technology[4] in Australia), this project focuses on the action taken by organisations to prevent and detect computer frauds, and the role and opinion of internal auditors.

Although the term "computer fraud" is widely used, a range of definitions exists. At one extreme a computer fraud is considered to be any dishonesty which takes place in a computer environment and is in any way connected with the facilities; while a narrower definition is to limit computer fraud to any dishonesty that involves the technical manipulation of hardware or software. The definition chosen for the research was that used by the Audit Commission in their 1987 survey: "any fraudulent behaviour connected with computerisation, by which someone intends to gain a dishonest advantage".

* Regrettably, there are still no reliable official statistics on how widespread the problem is or how much financial loss is actually incurred[1].

Methodology and Population

The research was based on a questionnaire sent to 300 members of a population which was defined so as to obtain a representative cross-section of UK organisations. The questionnaire covered four main subject areas:

(1) Responsibility within the organisation for computer fraud prevention and detection.
(2) What the internal audit department does to prevent computer fraud.
(3) What the internal audit department does to detect computer fraud.
(4) Opinions of internal auditors on computer fraud.

The population circularised comprised IIA members and CIMA members whose job descriptions alluded to internal audit. A total population of 2,631 was identified at the survey date of 1 January 1988. Usable responses were received from 184 organisations (61 per cent response rate). Tests revealed no non-response bias. An indication of the broad spectrum of firms covered is given in Table I, which analyses responding organisations by reference to their size, as determined by annual turnover or total budget.

Of the respondents, 68 per cent worked in the private sector and the balance in the public sector.

Responsibility for Computer Fraud Prevention and Detection

Table II shows that specific responsibility for computer fraud prevention and detection is perceived by respondents as residing in four main areas:

(1) internal audit;
(2) line management;
(3) the finance department;
(4) the information systems department.

Table II. Specific Responsibility for Prevention and Detection

                               Prevention                  Detection
                               Total       % of Total      Total       % of Total
                               Responses   Responses       Responses   Responses
Internal audit department      96          52              109         59
Line management                93          51              85          46
Information systems function   96          52              52          28
Finance function               69          37              37          20
Chief executive                22          12              10          5
Board of directors             10          5               5           3
Audit committee                8           4               3           2

The findings are:

(1) In many organisations specific responsibility for computer fraud is not concentrated in one officer. The diffuse nature of responsibility is emphasised by the incidence of multiple responses to the question: 17 respondents ticked over five of the listed possibilities; 40 respondents ticked three to five; and 94 respondents stated that responsibility was assigned to one or two of the listed possibilities.
(2) In 33 (18 per cent) of the sample, specific responsibility was not assigned for either prevention or detection.
(3) Internal audit departments in the respondents' organisations had no specific responsibility for computer fraud prevention and detection in almost half, and 40 per cent, of cases respectively. The results cause a degree of concern because there is an apparent lack of senior management involvement, and many line managements are not seen as being specifically responsible, despite it being generally agreed (see, for example, SIAS No. 1[5]) that responsibility for security resides with senior and line management. This was well expressed by one respondent, who enclosed a departmental standard on fraud which included the following: "The responsibility for the prevention and detection of fraud rests with line management, who should institute an adequate system of internal control to discharge this responsibility". It is surprising that more internal audit departments reported specific responsibility for detection than for prevention, since this is at variance with SIAS No. 3[6]. This suggests that although internal auditors should be alert to indications of fraud and recommend the adoption or strengthening of controls which make fraud more difficult, it is not the primary purpose of audit tests to detect isolated incidents of fraud.

The source of the responsibility in respect of the internal audit department is shown in Table III. "Formally documented" refers to the specific responsibility being included in the departmental objectives or job descriptions, and "no formal documentation" relates to situations where the specific responsibility is informally agreed or self imposed.

Table III. Source of Specific Responsibility

                             Number of    % of Positive
                             Responses    Responses
Prevention
  Formally documented        37           38
  No formal documentation    59           62
                             96           100
Detection
  Formally documented        40           37
  No formal documentation    69           63
                             109          100

From the table, the specific responsibility of the internal audit department for the prevention and detection of computer fraud arises principally from informal agreement or is self imposed. However, in large organisations the level of formalisation was higher, and the response in the "formally documented" category exceeded that in the "no formal documentation" category. The results suggest that computer fraud is not considered a high priority by many firms since, even where specific responsibility is allocated to the internal audit department, in approximately two-thirds of cases the responsibility is not formally documented. This suggests that the risks from computer fraud are not fully appreciated by many managements.

What the Internal Audit Department Does in Preventing Computer Fraud

One of the questions asked whether the prevention of computer fraud was specifically considered by internal auditors at various stages in the systems life cycle. The overwhelming majority of respondents, 95 per cent for new systems and 96 per cent for existing systems, reported this level of involvement. Table IV shows an analysis of this by various stages.
Table IV. Stages at which Computer Fraud Prevention is Specifically Considered by the Internal Audit Department in the Systems Life Cycle

                             Number of    % of Positive    % of Total
                             Instances    Responses*       Responses
New systems:
  Design                     139          79               76
  Testing                    100          57               54
  Implementation             104          59               57
  Post implementation audit  141          80               77
Existing systems:
  Amendment                  97           55               53
  Specific reviews           159          90               86

(*176 for new systems and 177 for existing systems)

The majority of internal audit departments gave specific consideration to the prevention of computer fraud at the six stages specified. The amendment of existing systems does seem to be relatively neglected despite internal audit department involvement at this stage being extremely valuable in fraud prevention.

Another question examined the emphasis placed by the internal audit department on various controls used in preventing computer fraud. Respondents were asked to classify the importance of the control on a scale of high, moderate, low and none. The averages were derived by coding high as 4 and none as 1. Such a scaling gives a mean value of 2.5 if answers are equally distributed. Table V shows the controls with the assessment and the mean value.

As might be expected, since the controls listed are fairly standard, all have a mean in excess of the scale mean, and all but four have a mean in excess of 3, which indicates a moderate to high emphasis on the controls listed.

Table V. Emphasis in Fraud Prevention

                                                                   High   Moderate   Low   None   Mean
                                                                   (4)    (3)        (2)   (1)
General
  Personnel selection procedures                                   45     61         35    43     2.59
  Segregation of duties within the computing function              150    27         1     6      3.74
  Physical security of the computer installation                   132    44         6     2      3.66
  Internal audit input at the design and implementation
    stage of new systems                                           85     63         26    10     3.21
  Education of management                                          66     80         33    5      3.13
  Librarian function                                               36     61         47    40     2.52
Input
  Physical security over terminals and other remote
    access devices                                                 87     72         21    4      3.32
  Passwords                                                        154    28         0     2      3.82
  Security of communication lines                                  69     64         39    2      3.04
  Validation checks                                                100    69         13    2      3.45
  Data transfer validation                                         79     86         5     14     3.25
  Access to pre-printed stationery                                 69     81         24    10     3.10
  Encryption                                                       37     47         42    58     2.34
Processing
  Control of the use of systems utilities                          112    58         5     9      3.48
  Run-to-run controls                                              108    53         9     4      3.48
  Control over program amendments                                  122    41         12    9      3.50
  Review of computer logs                                          54     79         36    15     2.94
Output
  Input to output reconciliations                                  103    66         15    0      3.48
  Controls over the distribution of output                         49     92         36    7      3.00
  Control over error and exception reports                         112    61         9     2      3.54
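Two of the controls rated in Table V, run-to-run controls and input to output reconciliations, work by carrying control totals from one batch run to the next and tying the final output back to the input. The following Python is an added illustration and not code from the paper; the records, the processing stages, the two fault cases and the choice of a hash total over account numbers are all constructed assumptions.

```python
# Added illustration (not from the paper): run-to-run control totals with a
# final input-to-output reconciliation, two of the batch controls in Table V.
# Records, stages, fault cases and totals below are all constructed sample data.
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Record:
    account: int      # account number, used only for the hash total
    amount: Decimal   # posted amount

@dataclass(frozen=True)
class ControlTotals:
    count: int        # record count
    amount: Decimal   # financial total
    hash_total: int   # sum of account numbers: meaningless as a figure, catches substitution

def control_totals(records):
    """Compute the totals a batch control header would carry."""
    return ControlTotals(
        count=len(records),
        amount=sum((r.amount for r in records), Decimal("0")),
        hash_total=sum(r.account for r in records),
    )

def reconcile(stage, expected, actual):
    """One finding per total that disagrees; an empty list means the run reconciles."""
    findings = []
    for field in ("count", "amount", "hash_total"):
        e, a = getattr(expected, field), getattr(actual, field)
        if e != a:
            findings.append(f"{stage}: {field} expected {e}, got {a}")
    return findings

def run_batch(input_records, stages):
    """Run each (name, function) stage, checking its output totals against the
    totals carried forward from the previous run (run-to-run control), then tie
    the final output back to the original input (input-to-output reconciliation).
    The stages modelled here must preserve totals, so a record dropped, inserted
    or redirected between runs is reported. Caveat: a compensating change inside
    one batch (an amount moved between two records) preserves all three totals;
    that is what transaction-level interrogation software (Table VI) is for."""
    findings = []
    carried = control_totals(input_records)
    records = input_records
    for name, fn in stages:
        records = fn(records)
        observed = control_totals(records)
        findings += reconcile(name, carried, observed)
        carried = observed            # this run's output totals are the next run's input totals
    findings += reconcile("input-to-output", control_totals(input_records), control_totals(records))
    return findings

# Constructed sample batch and stages
SAMPLE_INPUT = [Record(1001, Decimal("250.00")), Record(1002, Decimal("99.50")),
                Record(1003, Decimal("1200.00"))]

def sort_by_account(records):      # legitimate stage: totals unchanged
    return sorted(records, key=lambda r: r.account)

def drop_last(records):            # constructed fault: a record goes missing between runs
    return records[:-1]

def redirect_last(records):        # constructed fault: same amount, posted to another account
    return records[:-1] + [Record(9999, records[-1].amount)]

if __name__ == "__main__":
    for faulty in (drop_last, redirect_last):
        print(run_batch(SAMPLE_INPUT, [("sort", sort_by_account), (faulty.__name__, faulty)]))
```

The redirected record is caught only by the hash total, which is why a batch header carries a total over a non-financial field as well as the record count and amount.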
Respondents emphasised controls in three main areas:

(1) Administrative controls over the data processing department like segregation of duties and physical security of computer installations.
(2) Control over input such as data validation, passwords and terminal security.
(3) Processing controls including the reconciliation of input to output.

Least significance was accorded to controls with restricted applicability like encryption, librarian function and review of computer logs. An exception to this was the lack of emphasis on personnel selection. Fraud is committed by people, and therefore the selection of trustworthy staff should be a key defensive measure. Further evidence of a failure to appreciate this point was provided by the responses to a question which sought to establish what controls are in operation over staff working in areas with a high risk of computer fraud. In only 16 per cent of responses were staff subject to special vetting; while in less than a third of firms was it compulsory for such staff to take holidays, or were the staff prevented from working out periods of notice.

Respondents were asked how much weight is given to the prevention of computer frauds in formulating organisational policies on computer systems. Using the same scale as Table V, the mean value of responses was 3.09. This indicates that, in general, moderate importance is given to fraud prevention in policy formulation. However, 19 per cent of respondents gave a low or none rating.

What the Internal Audit Department Does in Detecting Computer Fraud

The results of a question to discover which techniques were employed by the internal audit department in the detection of computer fraud are shown in Table VI.

Table VI. Fraud Detection Techniques

                                                        Number of    % of
                                                        Responses    Responses
Interrogation software                                  113          61
Computer audit software                                 67           36
Test packs                                              21           11
Installation review                                     124          67
Computer based comparison of object and source versions 19           10
Program review                                          38           21
Log analysis                                            56           30
Integrated test facility                                29           16
Input/output reconciliations                            121          66

The approach was balanced between through the computer techniques like interrogation software, and installation review and round the computer methods like input/output reconciliations.

A question asked whether there were formal guidelines on the action to be taken if a fraud was discovered. The majority of organisations reported an absence of such guidance, although there was more likelihood of formal guidelines in large organisations (82 per cent) than in medium (32.4 per cent) and small (24.7 per cent) ones. Private sector organisations were less likely to have guidelines than public sector organisations — 36.8 per cent and 44.1 per cent respectively. Where guidelines existed, the most commonly adopted policies on discovery of a computer fraud were to prosecute the perpetrator (78 per cent of cases) and automatic dismissal (74 per cent of cases). It is surprising to note the popularity of prosecution since the received wisdom in this area is that organisations rarely prosecute because of the bad publicity*. The result, however, must be taken in the context of the whole sample, of which it constitutes only 30 per cent.

* Although the Audit Commission states that: "Contrary to popular belief, most of those caught abusing the system were penalised in some way"[1].

Another question asked how much weight is given to the detection of computer frauds in formulating the organisation's policies on computer systems. Using the same scale as Table V, the mean value of the responses was 2.86. This indicates that, in general, moderate importance is given to fraud detection in policy formation. However, 29 per cent of respondents gave a low or none rating.

Opinions

The final section of the questionnaire examined the opinions of internal auditors on various aspects of computer fraud. A question asked what level of risk of computer fraud the respondents associated with various listed aspects of computer systems. Table VII shows the responses.

Table VII. Levels of Risk

                                      High   Moderate   Low   No opinion   Mean
                                      (4)    (3)        (2)   (1)
Processing:
  Batch processing                    33     92         57    2            2.85
  On-line processing                  85     83         12    4            3.35
  Real-time processing                126    46         9     3            3.60
Software:
  Database systems                    65     85         26    8            3.13
  4GLs                                65     77         29    13           3.12
Equipment:
  Mainframe                           43     93         42    6            2.94
  Mini-computer under user control    106    61         17    0            3.48
  Mini-computer under dept. control   43     100        39    2            3.00
  Microcomputers                      94     54         32    4            3.29
  Local area networks                 34     105        37    8            2.89
  Wide area networks                  53     98         25    8            3.06
Automated payment systems:
  ATM networks                        63     78         20    23           2.98
  EFT systems                         105    47         14    28           3.39
  EPOS networks                       65     70         22    27           2.94
  EFTPOS networks                     81     61         16    26           3.13

As might be expected, batch processing is perceived as being less risky than on-line and real-time processing, a finding supported by the Audit Commission[1], who found 81 incidents associated with on-line processing compared with only 24 for batch processing. The most risky areas identified outside on-line processing were a mini-computer under user control and EFT systems, a finding that supports the emphasis in Table V on access controls. Table VIII shows opinions of the level of threat of computer fraud posed by a selection of activities.

Table VIII. Level of Threat

                                           High   Moderate   Low   No opinion   Mean
                                           (4)    (3)        (2)   (1)
General:
  Misuse of facilities                     63     98         20    3            3.20
  Misuse of utilities                      107    58         16    3            3.46
Input:
  Unauthorised access                      119    59         5     1            3.61
  False computer input                     130    42         11    1            3.64
Processing:
  Alteration of job control language       49     85         45    5            2.97
  Program patch                            70     63         40    11           3.04
  Hardware changes                         15     72         90    7            2.51
  Unauthorised access through networks     95     66         17    6            3.36
Output:
  Manipulation of control totals           106    59         18    1            3.46
  Output manipulation                      95     75         14    0            3.44

All the listed activities were considered to provide a moderate to high level of threat apart from hardware changes. Input fraud was seen as the most significant area; a finding which again concurs with the Audit Commission[1] findings, where 62 per cent of computer frauds reported were in this category.

Summary of Findings

A number of important points can be concluded from an analysis of the responses.

Responsibility

(1) A majority of internal audit departments reported a specific responsibility for the prevention and detection of computer fraud. However, in only a minority of firms was the department specifically responsible for both, and in a fifth of responses there was no specific responsibility for either. In the majority of cases the specific responsibility was attributed in an unstructured way, and was not formally documented in departmental objectives or included in job descriptions.
(2) Organisations also placed specific responsibility for computer fraud prevention and detection on other personnel. According to respondents, such responsibility was placed to a significant degree on line management and the information systems function.
What is Done to Prevent Computer Fraud

(1) Virtually all internal auditor respondents stated that computer fraud prevention was specifically considered by their staff at some stage in the systems life cycle. In particular, internal auditors addressed this issue at the post-implementation stage for new systems, and when carrying out specific reviews of existing systems.
(2) Internal auditors gave the highest priority to computer-based controls in the prevention of computer fraud, ranking segregation of duties within the computer department, physical security of the computer installation and passwords most highly from a list of typical controls. It was noted that little importance was attributed to personnel selection procedures or special measures for staff working in areas with a high risk of computer fraud.

What is Done to Detect Computer Fraud

(1) Internal audit departments favoured interrogation software, installation review and input/output reconciliations for the detection of computer fraud.
(2) There was a lack of formalisation of the action to be taken in the event of a computer fraud being discovered. Formalisation varied with size but less than half of the organisations had formal guidelines.

Opinions

(1) Internal auditors perceived the main areas at risk from computer fraud to be real-time and on-line processing, automated payments systems and minicomputers under user control.
(2) The major threat of computer fraud was seen as arising from the low skill area including input frauds (unauthorised access and false computer input), rather than sophisticated techniques like program patches and alteration of JCL.

Implications

Advances in information technology will make organisations increasingly vulnerable to computer fraud. In order to counteract this threat management should take the following steps:

(1) Acknowledge the threat and seek to educate relevant staff on their role in its prevention and detection.
(2) Allocate responsibility for the prevention and detection of computer fraud to appropriate staff. As responsibility may be jointly shared by users and support functions, it may be necessary to appoint a person in overall charge to co-ordinate the corporate response.
(3) Implement a programme for identifying the exposures to computer fraud and providing for their cost-effective treatment. Complete security cannot be obtained and therefore management must balance the cost of controls with the likelihood of losses. The choice of controls will depend upon the risk identified, but will include controls in the areas of physical access, passwords, software security, communications networks, personnel management and systems development. Consideration should be given to insuring any residual risks not covered by controls.

Conclusion

Computer fraud is a threat that business must take seriously. This requires that a systematic approach is taken to its prevention and detection. The time to act is before the organisation is alerted to the risks by a fraud being perpetrated.

References

1. Audit Commission, Survey of Computer Fraud and Abuse, HMSO, London, 1987.
2. BIS Applied Systems, Computer-Related Fraud Casebook, London, 1987.
3. American Bar Association, Report on Computer Crime, Chicago, 1984.
4. Chisholm Institute of Technology, Computer-related Crime in Australia in 1984, Melbourne, 1985.
5. Institute of Internal Auditors, Statement on Internal Auditing Standards 1, Control: Concepts and Responsibilities, Orlando, Florida, 1983.
6. Institute of Internal Auditors, Statement on Internal Auditing Standards 3, Deterrence, Detection, Investigation and Reporting of Fraud, Orlando, Florida, 1985.

Paul A. Collier is a Lecturer in Accounting at the University of Exeter; R. Dixon and C.L. Marston are respectively Principal Lecturer and Senior Lecturer at Newcastle-upon-Tyne Polytechnic.