Title Study Guide on Chapter 5
Author al halderman
Course Accounting Information Management
Institution Oregon State University
Study Guide on Chapter 5 - Computer Fraud

The four types of threats to an AIS a company faces are:

1. Natural and political disasters
2. Software errors and equipment malfunctions
3. Unintentional acts
4. Intentional acts (computer crimes)

See Table 5-1 on page 123 of the text for more details. In our class, we focus on #2 and #4.

Software Errors and Equipment Malfunctions

- Losses due to software bugs are at almost $60 billion a year.
- More than 60 percent of the companies studied had significant software errors in the previous year. For example, bugs in the new tax accounting system were to blame for California's failure to collect $635 million in business taxes.

Intentional Acts (Computer Crimes)

The most frequent type of crime in organizations is fraud. Usually the intent is to steal something of value.

- The Association of Certified Fraud Examiners estimates total yearly global fraud losses to be about $2.9 trillion a year.
- 75 to 90 percent of all computer crimes are perpetrated by insiders.

Fraud generally takes two forms:

1. Misappropriation of assets
2. Fraudulent financial reporting

Misappropriation of Assets

- It is often also referred to as employee fraud. It can take many forms, ranging from kickbacks in exchange for approving bad loans worth millions to illegally withdrawing cash by making fictitious refunds, under-ringing, voiding sales, and providing discounts to friends.
- The most significant contributing factors in most employee frauds are the absence of internal controls or the failure to enforce existing internal controls. If a person who is already dishonest by nature finds out that management is not concerned about internal controls, it becomes very easy for him or her to become a fraud perpetrator and start stealing cash or property.

Fraudulent Financial Reporting

- The National Commission on Fraudulent Financial Reporting, or the Treadway Commission, defined fraudulent financial reporting as intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.
- The Treadway Commission studied 450 lawsuits against auditors and found undetected fraud to be a factor in half of them.
- In order to establish the financial health of corporations, executives cook the books by fictitiously inflating revenues, overstating inventories or fixed assets, and concealing losses and liabilities. Some prime examples are Enron, WorldCom, Tyco, Adelphia, HealthSouth, Global Crossing, and Xerox.

The Treadway Commission recommended four actions to reduce the possibility of fraudulent financial reporting:

1. Establish an organizational environment that contributes to the integrity of the financial reporting process.
2. Identify and understand the factors that lead to fraudulent financial reporting.
3. Assess the risk of fraudulent financial reporting within the company.
4. Design and implement internal controls to provide reasonable assurance that fraudulent financial reporting is prevented.

A study by the Association of Certified Fraud Examiners found that misappropriation of assets by employees is more than 17 times more likely than fraudulent financial reporting. However, the amounts involved in fraudulent financial reporting are much higher, and so both auditors and management are more concerned about preventing and detecting fraudulent financial reporting.

Table 5-4 on page 133 lists some of the more frequently mentioned opportunities that permit employee and financial statement fraud. It must be noted that opportunities for fraud often stem from internal control factors. For example, a control feature many companies lack is a thorough background check on all potential employees.

Computer Fraud

The U.S. Department of Justice defines computer fraud as any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution. More specifically, computer fraud includes the following:

1. Unauthorized use, access, modification, copying, and destruction of software or data
2. Theft of money by altering computer records
3. Theft of computer time
4. Theft or destruction of computer hardware
5. Use or the conspiracy to use computer resources to commit a felony
6. Intent to illegally obtain information or tangible property through the use of computers

The Association of Certified Fraud Examiners (ACFE) defines computer fraud as any defalcation or embezzlement accomplished by tampering with computer programs, data files, operations, equipment, or media and resulting in losses sustained by the organization whose computer system was manipulated.

- The computer is involved, directly or indirectly, in committing a computer fraud.
- Sabotage of computer facilities is classified as a direct computer crime, and unauthorized access of stored data is an indirect computer crime because the presence of the computer created the environment for the fraud to occur.

The Rise in Computer Fraud

Computer systems are particularly vulnerable to computer crimes for the following reasons:

1. Organizations want employees, customers, and suppliers to have access to their systems and databases. The number and variety of these access points significantly increase the risks.
2. Modern systems utilize personal computers (PCs), which are inherently more vulnerable to security risks. It is difficult to control physical access to each networked PC. In addition, PCs and their data can be lost, stolen, or misplaced.
3. People who manage to break into company information systems can steal, destroy, or alter massive amounts of data in very little time.
4. An illegally modified computer program can cause huge financial damage.

The increase in computer fraud schemes is due to the following reasons:

1. Not everyone agrees on what constitutes computer fraud.
2. Many computer frauds go undetected. According to most estimates, only 5 to 20 percent of all computer crime gets detected.
3. A high percentage of uncovered frauds are not reported.
4. Many networks have a low level of security.
5. Many websites on the Internet provide step-by-step instructions on how to perpetrate computer crimes and abuses.
6. Law enforcement is unable to keep up with the growing number of computer frauds.
7. The total dollar value of losses is difficult to calculate.

The increase in computer fraud has created the need for professionals called "Cyber Sleuths". See Focus 5-2 on page 135 of the text for more information.

Computer Fraud Classifications

As shown in Figure 5-2 on page 136, one way to categorize computer fraud is to use the data processing model: input, processing time, software/instructions, stored data, and output.

Input

The simplest and most common way to commit fraud is to alter computer input. For example, to commit payroll fraud, perpetrators can enter an incorrect salary, create a fictitious employee, or retain a terminated employee on the records.

Example of input fraud: a New York bank employee changed the company deposit slips to forged deposit slips. For three days he deposited bank deposits in his personal account. There are more examples on page 136.

Processing Time

Computer fraud can be committed through unauthorized system use, including the theft of computer processing time and services.

Example of processor fraud: employees of an insurance company ran an illegal gambling website using company computers and network.

Computer Software/Instructions

Computer fraud can be accomplished by tampering with the software that processes company data.

Data

- The most frequent type of data fraud is the illegal use of company data, typically by copying it, using it, or searching it without permission. For example, employees with access to sensitive confidential data can steal and remove it without being detected. Example of stolen data: the office manager of a Wall Street law firm sold information about prospective mergers and acquisitions to friends and relatives, who made several million dollars trading the securities illegally.

- With proper internal controls, most data-theft-related frauds can be prevented or detected.
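One detective control of this kind is an alert when sensitive files are viewed outside business hours. The sketch below is an added example, not part of the study guide or the textbook; the log layout, the /designs/ path prefix and the 07:00 to 19:00 business hours are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, time

# Assumptions (not from the study guide): log layout, path prefix, business hours.
SENSITIVE_PREFIX = "/designs/"
OPEN, CLOSE = time(7, 0), time(19, 0)

# Constructed sample access log: timestamp, user, action, path.
SAMPLE_LOG = """\
2024-03-04T10:15:02 akim VIEW /designs/cpu-next/floorplan.pdf
2024-03-04T23:41:10 jdoe VIEW /designs/cpu-next/floorplan.pdf
2024-03-04T23:43:55 jdoe VIEW /designs/cpu-next/timing.pdf
2024-03-05T02:05:00 jdoe VIEW /public/cafeteria-menu.pdf
2024-03-09T14:00:00 akim VIEW /designs/cpu-next/timing.pdf
corrupted line without fields
2024-03-05T09:30:00 jdoe EDIT /designs/cpu-next/notes.txt
"""

def is_after_hours(ts):
    """True on weekends, or outside OPEN..CLOSE on weekdays."""
    return ts.weekday() >= 5 or not (OPEN <= ts.time() < CLOSE)

def after_hours_views(log_text):
    """Return ({user: [(timestamp, path), ...]}, unparsed_lines)."""
    alerts, rejected = defaultdict(list), []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        try:
            ts = datetime.fromisoformat(parts[0])
            user, action, path = parts[1], parts[2], parts[3]
        except (ValueError, IndexError):
            rejected.append(line)  # hold unparsed lines for review, never drop silently
            continue
        if action == "VIEW" and path.startswith(SENSITIVE_PREFIX) and is_after_hours(ts):
            alerts[user].append((ts, path))
    return dict(alerts), rejected

if __name__ == "__main__":
    alerts, rejected = after_hours_views(SAMPLE_LOG)
    for user, hits in alerts.items():
        print(f"ALERT {user}: {len(hits)} after-hours view(s) of sensitive files")
        for ts, path in hits:
            print(f"  {ts.isoformat()} {path}")
    print(f"{len(rejected)} unparsed line(s) held for review")
```

Unparsed lines are returned rather than discarded because a gap or corruption in an access log is itself something the reviewer should see.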

For example, a software engineer tried to steal Intel's plans for a new microprocessor by taking screen-by-screen photographs late at night in his office. One of Intel's internal controls was to notify security when the plans were viewed after hours. He was caught photographing the plans.

- Data can also be changed, damaged, destroyed, or defaced, especially by disgruntled employees.
- Finally, data can be lost due to negligence or carelessness. For example, not many people know that deleting files does not erase them permanently. Even reformatting a hard drive often does not erase files or wipe the drive "clean" permanently. "Professionals" can still retrieve data from these drives. So, an internal control could be to have a policy to physically destroy all hard disks before disposing of computers.

Output

Computer output, displayed on monitors or printed on paper, can be stolen, copied or misused. Fraud perpetrators can use computers and output devices to forge authentic-looking outputs.

For example, a company laser printer could be used to prepare paychecks. Losses to check fraud in the US total more than $20 billion a year.

The threat to information systems can also be in the form of sabotage, in which the intent is to destroy or harm a system or some of its components. Focus 5-1 "electronic warfare" on page 124 of the text describes recent cyber-attacks.

Information systems are increasingly vulnerable to attack. In a recent three-year period, the number of networks that were compromised rose 700 percent. Surveys show that in the recent past,

- 67 percent of companies had a security breach
- 60 percent reported financial losses

Preventing and Detecting Computer Fraud and Abuse

Table 5-5 on pages 138 and 139 provides a variety of ways to prevent and detect computer fraud. You can use many of them as you design internal controls for your PRJ3....

