Threats to AIS

• Companies face four types of threats to their

information systems:
– Natural and political disasters
– Software errors and equipment malfunction
– Unintentional acts
– Intentional acts (computer crime)
 Unintentional Acts include:
- Accidents caused by:
Human carelessness
Failure to follow established procedures
Poorly trained or supervised personnel
- Innocent errors or omissions
- Lost, destroyed, or misplaced data
-Logic errors
- Systems that do not meet needs or are incapable of
performing intended tasks
 Intentional Acts include(Fraud):
Occupational Other
• Fraudulent Statements • Intellectual property theft
– Financial • Financial institution fraud
– Non-financial
• Check and credit card fraud
• Asset Misappropriation
– Theft of cash • Insurance fraud
– Fraudulent disbursements • Healthcare fraud
– Inventory and other assets • Bankruptcy fraud
• Bribery and Corruption • Tax fraud
– Bribery
• Securities fraud
– Illegal gratuities
– Economic extortion • Money laundering
– Conflict of interest • Consumer fraud
• Computer and Internet fraud
Three types of Occupational Fraud
Misappropriation of assets
Involves theft, embezzlement, or misuse of company
assets for personal gain.
Examples include billing schemes, check tampering,
skimming, and theft of inventory.
In the 2004 Report to the Nation on Occupational
Fraud and Abuse, 92.7% of occupational frauds
involved asset misappropriation at a median cost of
$93,000.
Three types of Occupational Fraud
• Corruption
• Corruption involves the wrongful use of a
position, contrary to the responsibilities of
that position, to procure a benefit.
• Examples include kickback schemes and
conflict of interest schemes.
• About 30.1% of occupational frauds include
corruption schemes at a median cost of
$250,000.
Three types of Occupational Fraud
Fraudulent statements
• Financial statement fraud involves misstating
the financial condition of an entity by
intentionally misstating amounts or disclosures
in order to deceive users.
• Financial statements can be misstated as a
result of intentional efforts to deceive or as a
result of undetected asset misappropriations
that are so large that they cause misstatement.
The National Commission on Fraudulent
Financial Reporting (aka, the Treadway
Commission) defined fraudulent financial
reporting as intentional or reckless conduct,
whether by act or omission, that results in
materially misleading financial statements.
Financial statements can be falsified to:
Deceive investors and creditors
Cause a company’s stock price to rise
Meet cash flow needs
Hide company losses and problems
Fraudulent financial reporting is of great
concern to independent auditors, because
undetected frauds lead to half of the
lawsuits against auditors.

In the case of Enron, a financial statement

fraud led to the total elimination of Arthur
Andersen, a premiere international public
accounting firm.
The common approaches to “cooking the books” include:

– Recording fictitious revenues

– Recording revenues prematurely
– Recording expenses in later periods
– Overstating inventories or fixed assets (WorldCom)
– Concealing losses and liabilities
The Treadway Commission recommended four actions
to reduce the possibility of fraudulent financial reporting

• Establish an organizational environment that

contributes to the integrity of the financial
reporting process.
• Identify and understand the factors that lead to
fraudulent financial reporting.
• Assess the risk of fraudulent financial reporting
within the company.
• Design and implement internal controls to provide
reasonable assurance that fraudulent financial
reporting is prevented.
Typical Employee Fraud Characteristics
– The fraud perpetrator must gain the trust or confidence of the
person or company being defrauded in order to commit and
conceal the fraud.
– Instead of using a gun, knife, or physical force, fraudsters use
weapons of deceit and misinformation.
– Frauds tend to start as the result of a perceived need on the
part of the employee and then escalate from need to greed.
Most fraudsters can’t stop once they get started, and their
frauds grow in size.
– The fraudsters often grow careless or overconfident over time.
– Fraudsters tend to spend what they steal. Very few save it.
– In time, the sheer magnitude of the frauds may lead to
detection.
– The most significant contributing factor in most employee
frauds is the absence of internal controls and/or the failure to
enforce existing controls.
 The auditors responsibility to detect
financial statement fraud
• Understand fraud
Auditors can’t effectively audit something they
don’t understand.
The external auditor’s interest specifically relates
to acts that result in a material misstatement of
the financial statements.
Internal auditors will have a more extensive
interest in fraud than just those that impact
financial statements.
 The auditors responsibility to detect
financial statement fraud
• Discuss the risks of material fraudulent misstatements
While planning the audit, members of the audit team should discuss how
and where the company’s financial statements might be susceptible to
fraud.
• Obtain information
The audit team must gather evidence about the existence of fraud by:
– Looking for fraud risk factors
– Testing company records
– Asking management, the audit committee, and others if they know
of any past or current fraud or of fraud risks the organization faces.
Special care needs to be exercised in examining revenue accounts, since
they are particularly popular fraud targets.
 The auditors responsibility to detect
financial statement fraud
• Identify, assess, and respond to risks
Use the gathered information to identify, assess,
and respond to risks.
Auditors can respond by varying the nature,
timing, and extent of auditing procedures they
perform.
They should also carefully evaluate risks related
to management override of controls.
 The auditors responsibility to detect
financial statement fraud
• Evaluate the results of their audit tests
Auditors must assess the risk of fraud throughout the audit.
When the audit is complete, they must evaluate whether
any identified misstatements indicate the presence of
fraud.
If so, they should determine the impact on the financial
statements and the audit.
• Communicate findings
Auditors communicate their fraud findings to
management, the audit committee, and others.
 The auditors responsibility to detect
financial statement fraud
• Document their audit work
• Incorporate a technology focus (GAS)
 Who commits Fraud and why?
• White-collar criminals tend to mirror the general
public in:
– Education
– Age
– Religion
– Marriage
– Length of employment
– Psychological makeup
 WHO COMMITS FRAUD AND WHY

• Perpetrators of computer fraud tend to be

younger and possess more computer
knowledge, experience, and skills.
• Hackers and computer fraud perps tend to be
more motivated by:
– Curiosity
– A quest for knowledge
– The desire to learn how things work
– The challenge of beating the system
 WHO COMMITS FRAUD AND WHY
• They may view their actions as a game rather than
dishonest behavior.
• Another motivation may be to gain stature in the hacking
community.
• Some see themselves as revolutionaries spreading a
message of anarchy and freedom.
• But a growing number want to profit financially. To do so,
they may sell data to:
– Spammers
– Organized crime
– Other hackers
– The intelligence community
 WHO COMMITS FRAUD AND WHY

• Some fraud perpetrators are disgruntled and

unhappy with their jobs and are seeking revenge
against their employers.
• Others are regarded as ideal, hard-working
employees in positions of trust.
• Most have no prior criminal record.
• So why are they willing to risk everything?
 Factors that must be present for crime to
occur
– Pressure
– Opportunity
– Rationalization
• These three factors have come to be known as
the fraud triangle
 The “Fraud Triangle”
Donald Cressey

Op
e
r
su

po
es

r tu
Pr

ni
ty
Rationalization
 WHO COMMITS FRAUD AND WHY

• The most common pressures :

- Not being able to pay one’s debts, nor admit it to
one’s employer, family, or friends (which makes in
non-shareable).
- Fear of loss of status because of a personal failure
- Business reversals
- Physical isolation
- Status gaining
- Difficulties in employer-employee relations
 WHO COMMITS FRAUD AND WHY
• In the case of financial statement frauds, common
pressures include:
– To prop up earnings or stock price so that management can:
• Receive performance-related compensation.
• Preserve or improve personal wealth held in company stock
or stock options.
• Keep their jobs.
– To cover the inability to generate cash flow.
– To obtain financing.
– To appear to comply with bond covenants or other agreements.
– May be opposite of propping up earnings in cases involving
income-tax motivations, government contracts, or regulation.
PRESSURES THAT LEAD TO EMPLOYEE
FRAUD
FINANCIAL EMOTIONAL LIFESTYLE
• Living beyond • Greed • Support gambling
means • Unrecognized habit
• High personal performance • Drug or alcohol
debt/expenses • Job dissatisfaction addiction
• “Inadequate” • Fear of losing job • Support sexual
salary/income • Power or control relationships
• Poor credit ratings • Pride or ambition • Family/peer
• Heavy financial • Beating the system pressure
losses • Frustration
• Bad investments
• Non-conformity
• Tax avoidance
• Envy, resentment
• Meet unreasonable
• Arrogance,
quotas/goals
dominance
• Non-rules oriented
The “Fraud Triangle.”
Donald Cressey

Op
e
r
su

po
es

r tu
Pr

ni
ty
Rationalization
 Who commits..
Opportunity is the opening or gateway that allows an individual
to:
1. Commit the fraud
- Misappropriating assets.
- Issuing deceptive financial statements.
- Accepting a bribe in order to make an arrangement that is not in the
company’s best interest.
2. Conceal the fraud
- Concealing the fraud often takes more time and effort and leaves more
evidence than the actual theft or misrepresentation.
– Examples of concealment efforts:
– Charge a stolen asset to an expense account or to an account receivable that is
about to be written off.
– Create a ghost employee who receives an extra paycheck.
 Who commits…
Examples of concealing..
- Lapping:
• Steal a payment from Customer A.
• Apply Customer B’s payment to Customer A’s
account so Customer A won’t get a late notice.
• Apply Customer C’s payment to Customer B’s
account, so Customer B won’t get a late
notice, etc.
 Who commits…
- Kiting
Creates “cash” by transferring money between banks.
Requires multiple bank accounts.
Basic scheme:
Write a check on the account of Bank A.
Bank A doesn’t have sufficient funds to cover the check, so
write a check from an account in Bank B to be deposited in Bank
A.

Bank B doesn’t have sufficient funds to cover the check, so

write a check from an account in Bank C to be deposited in Bank B,
etc.
 Who commits…
3. Convert the proceeds
• Unless the target of the theft is cash, then
the stolen goods must be converted to cash
or some form that is beneficial to the
perpetrator.
– Checks can be converted through alterations,
forged endorsements, check washing, etc.
– Non-cash assets can be sold (online auctions
are a favorite forum) or returned to the company
for cash.
 Who commits…
• If the fraud is a financial statement fraud,
then the gains received may include:
– I have to keep my job.
– The value of my stock or stock options rose.
– I received a raise, promotion, or bonus.
– I have power.
 Who commits…
There are many opportunities that enable fraud.
Some of the most common are:
• Lack of internal controls
• Failure to enforce controls (the most prevalent
reason)
• Excessive trust in key employees
• Incompetent supervisory personnel
• Inattention to details
• Inadequate staff
 Who commits….
• Internal controls that may be lacking or un-
enforced include:
– Authorization procedures
– Clear lines of authority
– Adequate supervision
– Adequate documents and records
– A system to safeguard assets
– Independent checks on performance
– Separation of duties
 One control feature that many companies lack is
a background check on all potential employees
 The “Fraud Triangle”
Donald Cressey

Op
e
r
su

po
es

r tu
Pr

ni
ty
Rationalization
 Who commits…
• How many people do you know who regard
themselves as being unprincipled or sleazy?
• It is important to understand that fraudsters do
not regard themselves as unprincipled.
– In general, they regard themselves as highly
principled individuals.
– That view of themselves is important to them.
– The only way they can commit their frauds and
maintain their self image as principled individuals is to
create rationalizations that recast their actions as
“morally acceptable” behaviors.
 Who commits…
These rationalizations take many forms, including:
– I was just borrowing the money.
– It wasn’t really hurting anyone. (Corporations are
often seen as non-persons, therefore crimes against
them are not hurting “anyone.”)
– Everybody does it.
– I’ve worked for them for 35 years and been underpaid
all that time. I wasn’t stealing; I was only taking what
was owed to me.
– I didn’t take it for myself. I needed it to pay my child’s
medical bills.
 Who commits…
• Creators of worms and viruses often use
rationalizations like:
– The malicious code helped expose security flaws, so I
did a good service.
– It was an accident.
– It was not my fault—just an experiment that went bad.
– It was the user’s fault because they didn’t keep their
security up to date.
– If the code didn’t alter or delete any of their files, then
what’s the problem?
 Who commits and why?
• Fraud occurs when:
– People have perceived, non-shareable pressures;
– The opportunity gateway is left open; and
– They can rationalize their actions to reduce the moral impact in
their minds (i.e., they have low integrity).
• Fraud is much less likely to occur when:
– There is low pressure, low opportunity, and high integrity.
• Unfortunately, there is usually a mixture of these forces
in play, and it can be very difficult to determine the
pressures that may apply to an individual and the
rationalizations he/she may be able to produce.