Part II.

Control and Audit of AIS

Focus on threats to the reliability of AIS and applicable
controls for addressing and mitigating the risks.
CHAPTER 5: Fraud
CHAPTER 6: Computer Fraud and Abuse Techniques
CHAPTER 7: Internal Control and AIS
CHAPTER 8: Controls for Information Security
CHAPTER 9: Confidentiality and Privacy Controls
CHAPTER 10: Processing Integrity and Availability Controls
CHAPTER 11: Auditing Computer-Based Info Systems
1
 CHAPTER 5: Fraud

After studying this chapter, you should be able to:

1. Explain the threats faced by modern IS.
2. Define fraud and describe both the different types of
fraud and the auditor’s responsibility to detect fraud.
3. Discuss who perpetrates fraud and why it occurs,
4. Define computer fraud & discuss the different fraud types
• Why sometimes firm’s fail to detect fraud? How to detect
if there is a breakdown in controls?
5. Explain how to prevent and detect computer fraud and
abuse.
2
AIS threats Remarks

Natural & Political such as fires, floods, earthquakes, tornadoes, blizzards, wars, and
Disaster attacks by terrorists—can destroy an IS and cause firms to fail
Example -The 9/11 attack on world trade organization has destroyed many IS

HW & SW related SW errors, operating system crashes, HW failures, power outages and
fluctuations, and undetected data transmission errors
Example -As a result of tax system bugs, California failed to collect $635 million
in business taxes.
-A bug in Burger King’s software resulted in a $4,334.33 debit card
charge for four hamburgers. The cashier accidentally keyed in the $4.33
charge twice, resulting in the overcharge.
- SW problem that resulted Crash in Ethiopian Airline on March, 2019

Unintended acts - caused by human carelessness, failure to follow established

procedures, and poorly trained or supervised personnel.
Example A bank programmer mistakenly calculated interest for each month
using 31 days. Before the mistake was discovered, over $100,000 in
excess interest was paid.
3
Intentional attack - such as computer crime, fraud, or sabotage, which is deliberate
destruction or harm to a system.

In a recent three-year period, the number of networks that were

compromised rose 700%.
- Usually firms do not report this
Example - Shortly after Obama was elected President, he authorized
cyber-attacks on computer systems that run Iran’s main nuclear
enrichment plants
-DoS Attack
- Cyber thieves have stolen more than $1 trillion worth of intellectual
property from businesses worldwide. General Alexander, director of
the National Security Agency, called cyber theft “the greatest transfer
of wealth in history.”

4
• hackers could shut down power grids, derail trains,
crash airplanes, spill oil and gas, contaminate water
supplies, and blow up buildings
• They can disrupt financial and government networks,
destroy critical data, and illegally transfer money.
• They can also cripple a nation’s armed forces, as they
rely on vulnerable computer networks.
• All of these attacks are especially scary because they
can be done remotely, in a matter of seconds,
5
bolstering cyber security and safeguarding systems is
lagging the advancement of technology and the
constant devt of new cyber-attack tools.
• Most companies and govt agencies need to
increase their security budgets significantly to
develop ways to combat the attacks.
• It is estimated that the market demand for cyber
security experts is more than 100,000 people per
year and the median pay is close to six figures.
6
 CH 5: Fraud: 5.1. Introduction

Fraud is any means a person uses to gain an unfair

advantage over another person.
Legally, for an act to be fraudulent there must be:
1. A false statement, representation, or disclosure
2. A material fact, which is something that induces a
person to act
3. An intent to deceive
4. A justifiable reliance; that is, the person relies on the
misrepresentation to take an action
5. An injury or loss suffered by the victim
7
•Association of Certified Fraud Examiners (ACFE) conducts fraud studies. (2000
pages of docts to certify). According to ACFE :
•A typical organization loses 5% of its annual revenue to fraud, indicating
yearly global fraud losses of over $3.7 trillion.
• Owner/executive frauds took much longer to detect and were more than 4
times as costly as manager-perpetrated frauds and more than 11 times as
costly as employee frauds. [CEO> MGR> Employees]
•Small businesses, with fewer and less effective internal controls, were more
vulnerable to fraud than large businesses.
•Lack of internal control is the prominent cause for fraud
•Presence of control procedures to prevent fraud resulted in lower fraud losses
and quicker fraud detection.
•Most fraudsters are kgable insiders with the requisite access, skills, and
resources. B/c employees understand firm’s system and its weaknesses, they
are better able to commit and conceal fraud.

8
 Two types of frauds:

Two types of frauds that are common in bu/s are:

– misappropriation of assets (sometimes called
employee fraud)
• The most significant contributing factor in most
misappropriations is the absence of internal controls
and/or the failure to enforce existing internal controls.
– fraudulent financial reporting (sometimes called
management fraud).
• Intentional or reckless conduct, whether by act or omission, that
results in materially misleading financial statements (f/S manipulation)

9
 MISAPPROPRIATION OF ASSETS

It is the theft of company assets by employees.

Examples include the following:
• Forging supervisor's signature for extra pyts
• Approving bank loans for some quick kick backs
• Passing over info to competitors'’ for some
benefits
• Staling firm assets (like data) when they leave
firms
• Staling fuel and company time
10
A typical misappropriation has the following ch/s. The
perpetrator:
• Gains the trust or confidence of the entity being
defrauded.
• Uses trickery, cunning, false or misleading info to
commit fraud.
• Conceals the fraud by falsifying records or other info.
• Rarely terminates the fraud voluntarily.
– Consider cases like (quest net, bitcoin, some other prdts)

11
 FRAUDULENT FINANCIAL REPORTING
• Mgt falsifies f/s to deceive investors and creditors, increase a
company’s stock price, meet cash flow needs, or hide company
losses and problems.
• misrepresented f/s led to huge financial losses and a number
of bankruptcies.
• The most frequent “cook the books” schemes involve:
– fictitiously inflating revenues,
– holding the books open (recognizing revenues before they are
earned),
– closing the books early (delaying current expenses to a later period),
– overstating inventories or fixed assets, and
– concealing losses and liabilities
• Consider cases like (quest net, bitcoin, some other prdts)
12
 Four actions to reduce fraudulent f/ reporting
1. Develop the integrity of the f/ reporting process.
2. Identify and understand the factors that lead to
fraudulent f/ reporting.
3. Assess the risk of fraudulent f/ reporting within
the company.
4. Design and implement internal controls to
provide reasonable assurance of preventing
fraudulent financial reporting.
• Role of Financial intelligence center
• Assessing the validity & reliability of invt proposals?
13
Auditors’ responsibility for detecting material fraud.
• Understand fraud- (how and why it is committed)
• Discuss the risks of material fraudulent
misstatements – (discuss on how and where the
company’s f/s are susceptible to fraud)
• Identify, assess, and respond to risks.
• Evaluate the results of their audit tests.
• Document and communicate findings.
• Incorporate a technology focus (use technology
to design fraud-auditing procedures)
14
 5.2. Who are computer fraud Perpetrates and Why?
• seek revenge against employers.
• Are typically younger and possess more IT skill
and experience.
• Some are motivated by curiosity, a quest for kge,
the desire to learn how things work, and the
challenge of beating the system.
• Some view their actions as a game rather than as
dishonest behavior.
• To gain stature in the hacking community.

15
 THE FRAUD TRIANGLE
conditions for fraud to occur, When there is (are):
• a pressure (financial, emotional, life style)
• an opportunity (like lack of internal controls)
• a rationalization (having some kind of justifn)

16
17
 Opportunities
opportunity is the situation, including personal
abilities, that allows a perpetrator to do three
things:
- Commit the fraud.
- Conceal the fraud.
- Convert the theft or misrepn to personal gain.

18
19
 RATIONALIZATIONS
• Rationalization allows perpetrators to justify their
illegal behavior.
• this can take the form of:
– a justification (“I only took what they owed me”),
– an attitude (“The rules do not apply to me”), or
– a lack of personal integrity (“Getting what I want is
more important than being honest”).

20
 5.3. Computer Fraud

Is any fraud that requires computer technology to

perpetrate.
Examples include:
• Unauthorized theft, use, access, modification,
copying, or destruction of SW, HW, or data
• Theft of assets covered up by altering computer
records
• Obtaining info/ tangible property illegally using computers

21
 THE RISE IN COMPUTER FRAUD (CF)

• Computer fraud can be much more difficult to

detect than other types of fraud.
• People who break into corporate dbs can steal,
destroy, or alter data in little time, leaving little
evidence.
• Many instances of computer fraud go undetected.
• A high percentage of fraud are not reported.
• Law enforcement cannot keep up with growth of CF.

22
 COMPUTER FRAUD CLASSIFICATIONS
1. Input Fraud: is to alter computer input. It requires little
skill; perpetrators need only understand how the system
operates so that they cover tracks.
2. Processor F: includes unauthorized system use, including
the theft of computer time and services.
3. Computer instruction F: tampering with company sw,
copying sw illegally, using sw in an unauthorized manner,
and developing sw to carry out an unauthorized activity.
4. Data F: Illegally using, copying, browsing, searching, or
harming company data
23
 5.4. Detecting Fraud and Abuse and
Preventing
• Make fraud less likely to occur
• Reduce fraud losses: Have adequate insurance.
• Increase the difficulty of committing fraud
– Develop and implement a strong internal controls.
• Improve detection methods
– Install fraud detection software,
–

Implement a fraud hotline.

24
 Exercise
1. Do you agree that the most effective way to
obtain adequate system security is to rely on the
integrity of company employees? Why, or why
not? Does this seem ironic? What should a firm
do to ensure the integrity of its employees?

25
2. You were asked to investigate extremely high, unexplained merchandise
shortages at a department store chain. You found the following:
a. The receiving department supervisor owns and operates a boutique carrying
many of the same labels as the chain store. The general manager is unaware of
the ownership interest.
b. The receiving supervisor signs receiving reports showing that the total quantity
shipped by a supplier was received and then diverts 5% to 10% of each
shipment to the boutique.
c. The store is unaware of the short shipments because the receiving report
accompanying the merchandise to the sales areas shows that everything was
received.
d. A/P paid vendors for the total quantity shown on the receiving report.
e. Based on the receiving department supervisor’s instructions, quantities on the
receiving reports were not counted by sales personnel.
REQUIRED
• Classify each of the five situations as a fraudulent act, a red flag or symptom of
fraud, an internal control weakness, or an event unrelated to the investigation.
Justify your answers. 26
3. The computer frauds that are publicly revealed represent only the
tip of the iceberg. Although many people perceive that the major
threat to computer security is external, the more dangerous
threats come from insiders. Management must recognize these
problems and develop and enforce security programs to deal with
the many types of computer fraud.
REQUIRED
• Explain how each of the following six types of fraud is committed.
Identify a different method of protection for each, and describe
how it works.

27
 Q4
a. Identify two company pressures that would increase the
likelihood of fraudulent financial reporting.
b. Identify three corporate opportunities that make fraud easier
to commit and detection less likely.
c. For each of the ff, identify the external envtl factors that should
be considered in assessing the risk of fraudulent f/ reporting:
• The company’s industry
• The company’s business environment
• The company’s legal and regulatory environment
d. What can top management do to reduce the possibility of
fraudulent financial reporting?
28
5. For each of the ff independent cases of employee fraud, recommend how to
prevent similar problems in the future.
a. Abnormal inventory shrinkage in the audiovisual department at a retail
chain store led internal auditors to conduct an in-depth audit of the dept.
They learned that one customer frequently bought large numbers of small
electronic components from a certain cashier. The auditors discovered that
they had colluded to steal electronic components by not recording the sale
of items the customer took from the store.
b. During an unannounced audit, auditors discovered a payroll fraud when
they, instead of department supervisors, distributed paychecks. When the
auditors investigated an unclaimed paycheck, they discovered that the
employee quit four months previously after arguing with the supervisor. The
supervisor continued to turn in a time card for the employee and pocketed
his check.
c. Auditors discovered an accounts payable clerk who made copies of
supporting documents and used them to support duplicate supplier
payments. The clerk deposited the duplicate checks in a bank account she
had opened using a name similar to that of the supplier.
29