Industrial Management & Data Systems

Identifying and controlling computer crime and employee fraud

Susan Haugen J. Roger Selin
Article information:
To cite this document:
Susan Haugen J. Roger Selin, (1999),"Identifying and controlling computer crime and employee fraud", Industrial
Management & Data Systems, Vol. 99 Iss 8 pp. 340 - 344
Permanent link to this document:
http://dx.doi.org/10.1108/02635579910262544
Downloaded on: 20 February 2016, At: 09:04 (PT)
References: this document contains references to 14 other documents.
To copy this document: permissions@emeraldinsight.com
The fulltext of this document has been downloaded 4087 times since 2006*
Users who downloaded this article also downloaded:
Kirsty Rae, Nava Subramaniam, (2008),"Quality of internal control procedures: Antecedents and moderating
effect on organisational justice and employee fraud", Managerial Auditing Journal, Vol. 23 Iss 2 pp. 104-124 http://
Downloaded by Florida Atlantic University At 09:04 20 February 2016 (PT)

dx.doi.org/10.1108/02686900810839820
James L. Bierstaker, Richard G. Brody, Carl Pacini, (2006),"Accountants' perceptions regarding fraud detection and
prevention methods", Managerial Auditing Journal, Vol. 21 Iss 5 pp. 520-535 http://dx.doi.org/10.1108/02686900610667283
William Hillison, Carl Pacini, David Sinason, (1999),"The internal auditor as fraud-buster", Managerial Auditing Journal, Vol.
14 Iss 7 pp. 351-363 http://dx.doi.org/10.1108/02686909910289849

Access to this document was granted through an Emerald subscription provided by emerald-srm:126209 []
For Authors
If you would like to write for this, or any other Emerald publication, then please use our Emerald for Authors service
information about how to choose which publication to write for and submission guidelines are available for all. Please
visit www.emeraldinsight.com/authors for more information.
About Emerald www.emeraldinsight.com
Emerald is a global publisher linking research and practice to the benefit of society. The company manages a portfolio of
more than 290 journals and over 2,350 books and book series volumes, as well as providing an extensive range of online
products and additional customer resources and services.
Emerald is both COUNTER 4 and TRANSFER compliant. The organization is a partner of the Committee on Publication
Ethics (COPE) and also works with Portico and the LOCKSS initiative for digital archive preservation.

*Related content and download information correct at time of download.

 Identifying and controlling computer crime and
employee fraud

Susan Haugen
University of Wisconsin-Eau Claire, Eau Claire, Wisconsin, USA
J. Roger Selin
University of Wisconsin-Eau Claire, Eau Claire, Wisconsin, USA

Keywords The economic losses from computer fraud

Fraud, Computer fraud, Introduction are staggering. The Computer Security In-
Internal control
During the past several years modern orga- stitute (1998) reports a 36 percent increase in
Downloaded by Florida Atlantic University At 09:04 20 February 2016 (PT)

Abstract
Organizations today are more sus- a multitude of tasks, including electronic
ceptible to computer crime and
employee fraud than ever before.
This paper presents some statis-
tics about the growth on fraud,
factors which cause fraud in the
workplace, how businesses can
protect their assets, and common
computer-based frauds, techni-
ques, and controls. Managers of
all types of organizations need to for the enterprise. As organizations struggle
be knowledgeable about their
internal control system, and make
sure it has sufficient checks and place, systems are left open to employee
balances to ward against employ- manipulation, and without a finely tuned
ees committing fraudulent acts.
No organization is immune today
from both external and internal
threats to the safety and security
of their data and information.
Therefore, it is imperative that
managers understand the pro-
blems that fraud can cause and
how they can protect the organi-
zation.
Industrial Management &
Data Systems
99/8 [1999] 340±344
The current issue and full text archive of this journal is available at
# MCB University Press
[ISSN 0263-5577] http://www.emerald-library.com
[ 340 ]
nizations have come to rely on computers for
messaging, transaction processing, informa-
tion retrieval and storage, and electronic
commerce. Organizations are increasing
efforts to gain efficiencies and increase the
bottom line by shifting jobs from people to
technology. As they make these shifts, man-
agement is creating new risks and exposures
to remain competitive in a global market-
internal control system, the opportunity for
significant loss is always present.
How serious is this problem of fraud in the
workplace? The Association of Certified
Fraud Examiners (1996) conducted a study
which found that losses from fraud amounted
to over $9 per day per employee. While fraud
other than computer fraud is included in
these figures, they are nonetheless quite
staggering, with the total cost to US organi-
zations exceeding $400 billion per year.
Another interesting outcome of the study was
that men committed more than 75 percent of
all fraud, and the average losses caused by
executives were 16 times those of their
employees. KPMG Canada (1997) found that
62 percent of the respondents to a recent
survey of large public and private organiza-
tions indicated that fraud had taken place in
their organization in the past year, and that
38 percent of the respondents believe that
fraud is a major problem for business today.
As business becomes more complex and
management strategists fret over slashing
costs and boosting profits, employees are
gaining additional opportunities to commit
fraud.
reported losses over 1997 from computer
security breaches. Only 46 percent of the
respondents to their ``1998 Computer Crime
and Security Survey'' were able to quantify
their losses, but they still added up to almost
$137 million. The New York State Society of
Certified Public Accountants found that half
the business and government institutions
surveyed uncovered at least one fraud during
1996. Based on survey responses, they esti-
mated the average loss from computer fraud
to be in excess of $100,000. Romney (1996)
found that up to 90 percent of the companies
he surveyed have lost money to computer
fraud at one time or another.
Fraud and computer crime are not limited
to the USA. KPMG Canada found that Cana-
da's largest companies reported an average
loss of $1.3 million to fraud in 1997 (KPMG
Fraud Survey Report, 1998). The same survey
reported that 47 percent of respondents
believe fraud will increase in 1998, and only
11 percent of survey participants believe
the Internet is a secure way to send infor-
mation.
If these studies accurately reflect the
national, perhaps even international, trends,
then annual fraud losses are in the billions
of dollars. We know that many computer
frauds go undetected, and many of those that
are uncovered are never publicly reported.
According to Federal Bureau of Investigation
estimates reported by Lohr (1997), only about
1 percent of all computer crime is detected by
management. A high proportion of those
detected are never reported for fear of
adverse publicity, management liability or
concern for providing public information
about system weaknesses.
Factors which cause fraud
There are many internal forces which can
make fraud more likely in the workplace,
 Susan Haugen and
J. Roger Selin
Identifying and controlling
computer crime and employee
fraud
Industrial Management &
Data Systems
99/8 [1999] 340±344
Downloaded by Florida Atlantic University At 09:04 20 February 2016 (PT)
such as poor internal controls, poor person-
nel policies and practices, and poor examples
of honesty at the top levels of an organization
(Bologna, 1993). There are eight factors which
Bologna identifies as enhancing the prob-
ability of fraud: inadequate rewards, inade-
quate management controls, lack of or
inadequate reinforcement and performance
feedback mechanisms, inadequate support,
inadequate operation reviews, lax enforce-
ment of disciplinary rules, fostering hostility,
and other motivational issues. If manage-
ment pays too little attention to their em-
ployees and their internal control systems,
fraud will be perpetrated by those insiders in
a company who have access to assets and
accounting systems. The dollar amounts
involved are
always higher when computers are used to
assist the employee in committing a fraud.
Therefore, computer controls and other
internal controls are very important in order
to protect business assets.
Protecting business assets
Internal controls are often thought of as the
primary defense against fraud. An internal
control system has four broad objectives:
1 to safeguard assets of the firm;
2 to ensure the accuracy and reliability of
accounting records and information;
3 to promote efficiency in the firm's opera-
tions; and
4 to measure compliance with manage-
ment's prescribed policies and procedures
(AICPA, 1987).
Internal controls are designed to keep honest
people honest (Bologna, 1993), and in today's
competitive environment not every organi-
zation can afford to address the problems and
issues associated with fraud (Albrecht et al.,
1994).
Internal control systems are not only
designed to prevent fraud, but also detect it
when it has occurred. An effective system
includes preventive, detective, and correc-
tive controls. Management is ultimately
responsible for the internal control system in
place in an organization, so controls are in
reality management controls, not accounting
controls (Treadway Commission Report,
1987). The purpose of an internal control
system is not to entrap employees, but to
provide a working environment in which
good employees are not tempted to do some-
thing they would not ordinarily do. Good
controls make it difficult to conceal fraudu-
lent activity from other people in the orga-
nization. For management controls to be
successful they need to create:
1 an environment that does not tolerate
fraud against the organization;
2 an environment that prohibits fraud for
the benefit of the organization; and
3 executives, managers and operating per-
sonnel trained to know fraud exposures
and symptoms (Thompson, 1992).
Wells (1997) argues that raising the percep-
tion of detection is the key to deterrence, and
this can be done with:
1 employee education;
2 proactive fraud policies;
3 increased use of analytical reviews;
4 surprise audits; and
5 dequate reporting programs.
It is important to remember that the vast
majority of internal frauds are discovered by
accident rather than by someone looking
specifically for fraud. Internal auditing is not
designed to detect frauds, only to deter them,
along with other deterrent measures. There
are, however, a number of red flags which
provide a tip-off to management that some-
thing may be wrong, including:
1 Anomalies in account relationships,
vendor activity and bidding activities.
2 Excessive internal expenses in areas such
as travel.
3 Personal indicators such as high lifestyle,
secretive behavior or not taking vaca-
tions.
With the recent trends towards downsizing,
reengineering and corporate layoffs, organi-
zations have a very volatile workforce, often
without much company loyalty. This envir-
onment is ripe for computer crime and
employee fraud.
Computer fraud
The use of computer systems for all types of
business processes continues to grow. As the
complexity of these systems and our depen-
dence on them grows, organizations risk
having their systems compromised by both
intentional and unintentional acts. Uninten-
tional acts, while costly at times, can often be
corrected or avoided through training and
supervision, with employees and customers
looking for means to rectify any problem that
exists. Intentional acts, on the other hand,
generally fall into the designation of compu-
ter crime. These crimes may be acts of
sabotage intended to destroy computer sys-
tem components or acts of computer fraud
where the intent is to steal money, data,
computer time and/or services. They would
also include manipulative activities such as
deleting or altering records and files to
remove damaging information or create false
[ 341 ]
 Susan Haugen and
J. Roger Selin
Identifying and controlling
computer crime and employee
fraud
Industrial Management &
Data Systems
99/8 [1999] 340±344
Downloaded by Florida Atlantic University At 09:04 20 February 2016 (PT)
[ 342 ]
information. The Year 2000 software bug is
seen as a new threat in controlling fraud,
which criminals are already using to run
fraudulent billing scams (Bank Administra-
tion Institute, 1998).
Computer sabotage is the easiest crime to
deal with for most organizations, as it
involves the physical protection of the sys-
tem components. We have widespread
knowledge and experience with safeguarding
physical assets using access control methods
such as physical barriers, including locks
and windowless computer rooms, and pla-
cing computer facilities away from public
areas. This results in securing computer
systems in much the same way as we would
secure valuable inventory, trade secrets or
cash. This is not to say a disgruntled
employee would not be able to circumvent
these controls and gain access to the system,
but only to suggest physical security is
something most organizations have experi-
enced.
Computer fraud, on the other hand, pre-
sents an ever-changing landscape of oppor-
tunity for manipulation, especially for the
unhappy but trusted employee with knowl-
edge of computer technology. Periodic audits
may not be enough to contain this type of
fraud. Manipulation of data and files may be
the most difficult to deal with as there are no
outward signs or indicators that anything is
amiss. A problem facing most organizations
is that computer knowledge is also required
for the investigation and prosecution of
computer fraud. In the fast-paced and ever-
changing world of information technology
and computers, skilled fraud investigators
are currently in short supply.
There are a variety of ways that computer
fraud is perpetrated. The techniques used to
commit the fraud are as extensive as the
frauds themselves. The first list below
describes some of the most common types
of computer-based fraud, and the second list
illustrates some of the more common fraud
techniques:
. Common types of computer-based fraud:
± Altering input. Altering input does not
require extensive computer skills; the
perpetrators only need understand
how the system operates to cover their
tracks.
± Theft of computer time. Using a com-
puter system for unauthorized pur-
poses constitutes fraud, such as
running a personal business or keep-
ing little league statistics, even though
in many cases the individual is not
aware that they are doing anything
wrong.
± Software piracy. It has been estimated
(Levi, 1997) that for every legal copy
of software there are from one to
five illegal copies, costing the soft-
ware industry between $2-4 billion a
year.
± Altering or stealing data files. Data
can be changed, deleted, scrambled
or manipulated, often by disgruntled
employees, to reduce value or elimi-
nate derogatory impact. It can also be
stolen or replicated and marketed to
competition or others that could gain a
competitive advantage.
± Theft or misuse of computer output.
Local area networks expose computer-
generated output to a larger audience
with shared printers, usually main-
tained in a public location for ease of
access. Desktop screens are often easily
observable, and output sent through
interoffice mail is subject to intercep-
tion. The more sensitive the informa-
tion contained on the output, the more
care and control needed.
± Unauthorized access to systems or net-
works. With the proliferation of Inter-
net usage, and the flexibility and ease
of use found with most networked
systems, care needs to be taken to
restrict and protect sensitive files.
Networks are particularly vulnerable
to hackers taking advantage of the
weak security provided for dial-in and
remote access.
. Computer-based fraud techniques:
± Trojan horse. A Trojan Horse is a set of
unauthorized computer instructions in
a program that performs some illegal
act at a pre-appointed time or under a
predetermined set of conditions.
± Salami technique. This fraud takes
advantage of small sums gained when
rounding thousands of transactions,
diverting only part of a cent for each
one every time accruals or financial
calculations are done. Another
approach is to slice off a small sum,
a few cents or a few dollars, from
accounts that are generally not care-
fully checked.
± Trapdoor. A trapdoor is a set of com-
puter instructions that allows a user to
bypass the system's normal controls,
allowing them to modify programs
after they have been accepted and
made operational.
± SuperZap. The unauthorized use of
special system programs to bypass
regular controls and perform illegal
acts.
 Susan Haugen and
J. Roger Selin
Identifying and controlling
computer crime and employee
fraud
Industrial Management &
Data Systems
99/8 [1999] 340±344
Downloaded by Florida Atlantic University At 09:04 20 February 2016 (PT)
± Piggybacking. This technique involves
tapping into a telecommunications
system and attaching a fraudulent
signal to a legitimate signal in the
perpetration of a fraud.
± Masquerading. This occurs when an
unauthorized user uses a legitimate
user's identification numbers and
passwords to gain illegal access to a
computer system.
± Hacking. The unauthorized access and
use of computer systems, usually
through a telecommunications link,
often for the challenge of breaking and
entering into supposedly secure sys-
tems.
± Evesdropping. Listening to transmis-
minimize and control the critical exposure
points and reinforce system weak points. The
objective of managing risk is to balance the
exposure to loss and the cost of protecting the
organization from that loss. Just as with auto
insurance, financial institutions making
auto loans may insist on low deductible
collision insurance, whereas a car that is
paid for is insured at the discretion of the
owner. If the value is small, the owner may
wish to assume the risk of loss without
insurance protection, saving premium costs.
If the value is high, the premium can be
reduced with a high deductible policy with
the owner assuming some of the risk. We all
balance risk and reward (the cost of protec-
tion) in our personal lives in much the same
way that organizations do. The list below

sions intended for someone else is

evesdropping.
± Browsing. Searching memory for pass-
word and other critical information.
± Viruses. Destructive programs which
attach to a legitimate program and can
do significant damage to hard disks,
memory, and files. A logic bomb is a
type of virus triggered by a pre-deter-
mined event or date.
Computer-based controls
In general terms, employee integrity can be a
company's major strength or its greatest
weakness, since most computer fraud begins
with an insider. Hiring and firing practices
are critical to acquiring honest employees
and controlling opportunities for system
manipulation should an employee be dis-
missed. Written documentation such as
applications and letters of recommendation,
background investigations and reference
checks all go a long way towards hiring
honest employees and reducing the threat of
computer fraud. When dismissing employees,
they should be restricted as to computer
access and sensitive activities, and pass-
words and access controls should be changed
immediately to prevent any last minute
sabotage to the company's computer system.
Employees should also be trained in fraud
prevention. Fraud is less likely to occur
when employees believe that security is
everyone's business, when they see them-
selves as protecting the company assets, and
when they believe it is their responsibility to
watch for and report evidence of computer
fraud.
Computer system security and fraud pre-
vention is not about high-tech tools and
software, it is about identifying risks and
incorporating into the organization proce-
dures to minimize those risks. You can never
be 100 percent free of risk, but you can
describes some of the more commonly uti-
lized system controls to help mitigate the risk
of fraud.
Computer controls
. Passwords. Passwords are usually the first
line of defense against unauthorized com-
puter usage. Unfortunately, passwords
may be the weakest link in the security
chain as they are easy to attack with
software, often incorporate known perso-
nal information, and for many are diffi-
cult to remember, so they are taped to the
keyboard or console for easy reference.
. Firewalls. Firewalls involve the combina-
tion of software and hardware to achieve a
safety valve for controlling information
entering into your system. The purpose is
to monitor the information going in or out
of the organization, initiating restrictions
when the information seems inappropri-
ate or unauthorized.
. Connectivity security. Direct connections
(modem to modem) avoid the exposure
associated with the Internet or other
shared communications services.
Switched lines are always more secure
than leased lines, as each communication
is assigned randomly to an available
circuit. Additional security can be built
into the system using dial-back systems,
allowing access only to those phones on an
authorized list.
. Cryptography. Cryptographic techniques
such as encryption and digital signatures
can be used to maintain privacy and
authenticate that the message has not
been changed along the telecommunica-
tions pathway.
Conclusions
Why do employees commit computer crimes
and steal from the business they work for?
[ 343 ]
 Susan Haugen and
J. Roger Selin
Identifying and controlling
computer crime and employee
fraud
Industrial Management &
Data Systems
99/8 [1999] 340±344
Downloaded by Florida Atlantic University At 09:04 20 February 2016 (PT)
[ 344 ]
There are many reasons, the more common
being revenge, overwhelming personal debt,
substance abuse, and lack of internal con-
trols. Business today is very competitive, and
employees can feel very stressed. As a result,
they have feelings of being overworked,
underpaid, and unappreciated. If employees
are also struggling with serious personal
problems, their motivation to commit fraud is
very high. Add to the equation poor internal
controls and readily available
computer technology to assist in the crime,
and the opportunity to commit fraud is now
a reality. Assessing the organization's risk
to computer crime is sometimes difficult, but
by initiating a proper internal control system,
including good employment practices and
training programs, organizations can take a
proactive stance in warding off computer
crime and keep losses to a minimum.
References
Albrecht, S., McDermott, E. and Williams, T.
(1994), ``Reducing the cost of fraud'', Internal
Auditor, February, pp. 28-33.
American Institute of Certified Public Accoun-
tants (1987), AICPA Professional Standards,
Vol. 1, AU Sec. 320.30-35, New York, NY.
Association of Certified Fraud Examiners (1996),
Report to the Nation on Occupational Fraud
and Abuse, Austin, TX.
Bank Administration Institute (1998), ``Current
trends: Y2K bug a big opportunity for crooks'',
Bank Fraud, Vol. 13 No. 10, November, p. 1.
Bologna, J. (1993), Handbook on Corporate Fraud,
Butterworth-Heinemann, Stoneham, MA,
pp. 54-62.
Computer Security Institute (1998), Results of
``Computer Crime and Security Survey'',
available at: http://www.gocsi.com
KPMG Canada (1997), 1997 Fraud Survey Report,
available at: http://www.kpmg.ca/isi/vl/
frsur97e.htm
KPMG Canada (1998), 1998 Fraud Survey Report,
available at: http://www.kpmg.ca/isi/vl/
frsur98e.htm
Levi, P. (1997), ``Are your computers secure?'', The
White Paper, October, pp. 7-8, 47.
Lohr, S. (1997), ``Be paranoid. Hackers are out to
get you'', New York Times Ondisk, Access No.
13503819970317.
National Commission on Fraudulent Financial
Reporting (Treadway Commission) (1987),
Report of the National Commission on
Fraudulent Financial Reporting, American
Institute of Certified Public Accountants,
New York, NY.
Romney, M. (1996), ``Reducing fraud losses'',
New York State Society of Certified Public
Accountants Study, pp. 2-7.
Thompson, C. Jr (1992), ``Fraud'', Internal Auditor,
August, pp. 19-23.
Wells, J. (1997), Occupational Fraud and Abuse,
Obsidian Publishing Company, Inc., Austin, TX.
 This article has been cited by:

1. Elham Hady Nia, Jamaliah Said. 2015. Assessing Fraud Risk Factors of Assets Misappropriation: Evidences from Iranian
Banks. Procedia Economics and Finance 31, 919-924. [CrossRef]
2. Madan Lal Bhasin. 2013. Corporate Accounting Fraud: A Case Study of Satyam Computers Limited. Open Journal of
Accounting 02, 26-38. [CrossRef]
3. Guido Nassimbeni, Marco Sartor, Daiana Dus. 2012. Security risks in service offshoring and outsourcing. Industrial
Management & Data Systems 112:3, 405-440. [Abstract] [Full Text] [PDF]
4. Michel Dion. 2009. Corporate crime and the dysfunction of value networks. Journal of Financial Crime 16:4, 436-445.
[Abstract] [Full Text] [PDF]
5. Russell Haines, Lori N.K. Leonard. 2007. Individual characteristics and ethical decision‐making in an IT context. Industrial
Management & Data Systems 107:1, 5-20. [Abstract] [Full Text] [PDF]
6. Ahmad A. Abu‐Musa. 2006. Exploring perceived threats of CAIS in developing countries: the case of Saudi Arabia.
Managerial Auditing Journal 21:4, 387-407. [Abstract] [Full Text] [PDF]
7. Lori N.K. Leonard, Timothy Paul Cronan. 2005. Attitude toward ethical behavior in computer use: a shifting model.
Industrial Management & Data Systems 105:9, 1150-1171. [Abstract] [Full Text] [PDF]
8. Charles B. Foltz, Timothy Paul Cronan, Thomas W. Jones. 2005. Have you met your organization's computer usage policy?.
Industrial Management & Data Systems 105:2, 137-146. [Abstract] [Full Text] [PDF]
9. A. Seetharaman, M. Senthilvelmurugan, Rajan Periyanayagam. 2004. Anatomy of computer accounting frauds. Managerial
Downloaded by Florida Atlantic University At 09:04 20 February 2016 (PT)

Auditing Journal 19:8, 1055-1072. [Abstract] [Full Text] [PDF]

10. Bassam Hassan. 2003. Examining data accuracy and authenticity with leading digit frequency analysis. Industrial Management
& Data Systems 103:2, 121-125. [Abstract] [Full Text] [PDF]