Threat to accounting information systems

1. Natural and political disasters

Such as fires, excessive heat, floods, earthquakes, high winds, war and attacks by terrorists – can destroy an
information system and cause many companies to fail. For example:
a. Terrorist attacks on the World trade center in New York city and on the federal building in Oklahoma city
destroyed or disrupted all the systems in those buildings
b. A Flood in Chicago destroyed or damaged 400 data processing centers. A flood in des moines, lowa, buried
the city’s computer systems under eight feet or water. Hurricanes and earthquakes have destroyed numerous
computer systems and severed communication lines. Other systems were damage by falling debris, water
from ruptured sprinkler systems, and dust.
c. Heavy rains in Mississippi and Missouri rivers
d. Earthquakes in los engels and san Francisco
e. Attacks on government information systems by foreign countries, espionage agents, and terrorists
2. Software errors and equipment malfunction
Software errors, operating system crasher, hardware failures, power outages and fluctuations, and undetected
data transmission errors constitute a second type of threat. A federal study estimated yearly economic losses due
to software bugs at almost $60 billion. More than 60% of the companies studied had significant software errors
in the previous year. For example:
a. Over 50 million people in the northeast were left without power when an industrial control system in part of
the grid failed. Some areas were powerless for four days, and damages from the outage ran close to $10
billion.
b. At facebook, an automated system for verifying configuration value errors backfired, causing every single
client to try to fix accurate data it perceived as invalid. Since the fix involved querying a cluster of databases,
that cluster was quickly overwhelmed by hundreds of thousands of queries a second. The resultant crash took
the facebook system offline for two and a half hours.
c. Bugs in new tax accounting system were to blame for california’s failure to collect $635 million in business
taxes
d. There have been a number of massive power failures that have left hundreds of thousands of people and
many businesses without power
e. A software bug in burger king’s software resulted in a $4,334.33 debit card change for four hamburgers. The
cashier accidentally keyed in the $4,334.33 change twice
3. Unintentional acts (human error)
Unintentional acts such as accidents or innocent errors and omissions, is the greatest risk to information systems
and causes the greatest dollar losses. The computing technology industry association estimates that human errors
cause 80% of security problems. Forrester research estimates that employees unintentionally create legal,
regulatory, or financial risks in 25% of their outbound e-mails.
Unintentional acts are caused by human carelessness, failure to follow established procedures, and poorly trained
or supervised personnel. Users lose or misplace data and accidentally erase or alter files, data, and programs.
Computer operators and users enter the wrong input or erroneous input, use the wrong version of a program or
the wrong data files. Or misplace data files. Systems analysts develop systems that do not meet company needs,
that leave them vulnerable to attack. Or that are incapable of handling their intended tasks. Programmers make
logic error. Example include the following:
a. In japan, a data entry clerk at mizuho security mistakenly keyed in a sale for 610,000 shares of J-Corn for 1
yen instead of the sale of 1 shares for 610,000 yen. The error cost the company $250 million
b. A bank programmer mistakenly calculated interest for each month using 31 days. Resulted in more than
$100.000 in excess interest paid
c. A data entry clerk at giant food mistake in quarterly dividend $2,50 should be $0,25. Resulted in $10 million
in excess dividend
4. Intentional acts (computer crimes)
a fourth threat is an intentional act such as a computer crime, a fraud, or sabotage. Which is deliberate destruction
or harm to a system. Information systems are increasingly vulnerable to attacks. Examples of intentional acts
include the following:
a. In a recent three – year period, the number of networks that were compromised rose 700%. Experts believe
the actual number of incidents is six times higher than reported because companies tend not to report security
breacher. Symantec estimates that hackers attack computers more than 8.6 million times per day. One
computer – security company reported that in the cases they handled that were perpetrated by Chinese
hackers, 94% of the targeted companies didn’t realize that their systems had been compromised until
 someone else told them. The median number of days between when an intrusion started and when it was
detected was 416.
b. The sobig virus wreaked havoc on millions of computers, including shutting down train systems for up to six
hours
c. In Australia, a disgruntled employee hacked into a sewage system 46 times over two months. Pumps failed,
and a quarter of a million gallons of raw sewage poured into nearby streams, flooding a hotel and park.
The most frequent type of computer crime in fraud. This is where the intent is to steal something of value
The threat can also be in the form of sabotage. In which the intent is to destroy or harm a system or some of its
components

What’s fraud?
1. Gaining an unfair advantage over another person. Legally for an act to be fraudulent there must be:
a. A false statements, representation, or disclosure
b. A material fact, which is something that induces a person to act
c. An intent to deceive
d. A justifiable reliance that is, the person relies on the fraudulent fact in which a person takes action
e. An injury or loss suffered by the victim
2. Individuals who commit fraud are referred to as white-collar criminals
Most fraud perpetrators are knowledgeable insiders with the requisite access, skills, and resources. Because
employees understand a company’s system and its weaknesses, they are better able to commit and conceal a
fraud. The controls used to protect corporate assets make it more difficult for an outsider to steal from a company.
Fraud perpetrators are often referred to as white-collar criminals

There are a great many different types of frauds. We briefly define and give example of some of those and then provide
a more extended discussion of some of the most important ones to businesses
1. Corruption
Is dishonest conduct by those in power and it often involves actions that are illegitimate, immoral, or incompatible
with ethical standards. There are many types of corruption
Examples: include bribery and bid rigging
2. Investment fraud
Is misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little
or no risk. There are many types of investment fraud
Examples: include ponzi schemes and securities fraud
Two types of frauds that are important to businesses are misappropriation of assets (sometimes called employee fraud)
and fraudulent financial reporting (sometimes called management fraud). These two types of fraud are now discussed
in greater depth.

Forms of fraud
1. Misappropriation of assets is the Theft of a companies assets by employees
Example include the following
a. Albert Milano, a manager at reader’s digest responsible for processing bills, embezzled $1 million over a five
– year period. He forged a superior’s signature on invoice for services never performed, submitted them to
accounts payable, forged the endorsement on the check, and deposited it in his account. Milano used the
stolen funds to buy an expensive home, five cars, and a boat
b. A bank vice president approved $1 billion in bad loans in exchange for $585,000 in kickbacks. The loans cost
the bank $800 million and helped trigger its collapse
c. A manager at a florida newspaper went to work for competitor after he was fired. The first employer soon
realized its reporters were being scooped. An investigation revealed the manager still had an active account
and password and regularly browsed its computer files for information on exclusive stories
d. In a recent survey of 3,500 adult, half said they would take company property when they left and were more
likely to steal e-data than assets. More 25% said they would take customer data, including contact
information. Many employees did not believe taking company data is equivalent to stealing
Largest factors for theft of assets;
- Absence of internal control system
- Failure to enforce internal control system
A typical misappropriation has the following important elements or characteristics. The perpetrator:
- Gains the trust or confidence of the entity being defrauded
 - Uses trickery, cunning, or false or misleading information to commit fraud
- Conceals the fraud by falsifying records or other information
- Rarely terminates the fraud voluntarily
- Sees how easy it is to get extra money; need or greed impels the person to continue, some frauds are self-
perpetuating; if perpetrators stop, their actions are discovered.
2. Fraudulent financial reporting
“… intentional or reckless conduct, whether by act or commission, that results in materially misleading financial
statements”
Reasons for fraudulent financial statements
1. Deceive investors or creditors
2. Increase a company’s stock price
3. Meet cash flow needs
4. Hide company losses or other problems
The treadway commission studied 450 lawsuits against auditors and found undetected fraud to be a factors in half of
them

Treadway commission actions to reduce fraud

1. Establish environment which supports the integrity of the financial reporting process
2. Identification of factors that leaf to fraud
3. Assess the risk of fraud within the company
4. Design and implement internal control to provide assurance that fraud and being prevented

SAS no.99 (au-c section 240): the Auditors responsibility to detect fraud
Statement on auditing standard (sas) no,99, consideration of fraud in a financial statement audit, became effective in
December 2002. SAS no.99 requires auditor to:
1. Understans fraud.
Because auditor cannot effectively audit something they do not understands, they must understand fraud and
how and why it is committed
2. Discuss risks of material fraudulent statements.
While planning the audit, team members discuss among themselves how and where the company’s financial
statements are susceptible to fraud
3. Obtain information.
the audit team gathers evidence by looking for fraud risk factors; testing company records; and asking
management, the audit committee of the board of directors, and other whether they know of past or current
fraud. Because many frauds involve revenue recognition, special care is exercised in examining revenue accounts
4. Identify, assess, and respond to risk
The evidence is used to identify, assess, and respond to fraud risks by varying the nature, timing, and extent of
audit procedures and by evaluating carefully the risk of management overriding internal control
5. Evaluate the results of audit tests
Auditors must evaluate whether identified misstatements indicate the presence of fraud and determine its impact
on the financial statement and the audit
6. Document and communicate findings
Auditors must document and communicate their findings to management and the audit committee
7. Incorporate a technological focus
SAS No.99 recognized the impact technology has on fraud risks and provides commentary and examples
recognizing this impact. It also notes the opportunities auditors have to use technology to design fraud-auditing
procedures

The Fraud Triangle

Next document

Computer fraud
Computer fraud is any fraud that requires computer technology to perpetrate it. Examples include:
1. Unauthorized theft, use, access, modification, copying, and destruction of software, hardware, or data
2. Theft of assets covered up by altering computer records
3. Obtaining information or tangible property illegally using computer
4. Theft of computer time
5. Theft or destruction of computer hardware
6. Use or the conspiracy to use computer resources to commit a felony

Rise of computer fraud

It is estimated that computer fraud costs the united states somewhere between $70 billion and $125 billion a year and
thay the costs increase significantly each year. Computer systems are particularly vulnerable for the following reasons:
1. People who break into corporate databases can steal, destroy, or alter massive amounts of data in very litter time,
often leaving little evidence. One bank lost $10 million just a few minutes
2. Computer fraud can be much more difficult to detect that other types of fraud
3. Some organizations grant employees, costumers, and suppliers access to their system. The number and variety of
these access points significantly increase the risks
4. Computer programs need to be modified illegally only once for them to operate improperly for as long as they are
in use

The number of incidents, the total dollar losses, and the sophistication of the perpetrators and the schemes used to
commit computer fraud are increasing rapidly for several reasons:
1. Not everyone agrees on what
2.