Fraud and Accounting Information Systems (AIS)
Fraud, Errors, Computer Fraud and Abuse Techniques
Module 1: Accounting Systems, Transaction Processing and Internal Control
Common Threats to Accounting Information Systems (AIS)
Natural Disasters
Examples:
Tsunamis
Floods, earthquakes, landslides, hurricanes, tornadoes, blizzards, snowstorms, and freezing rain
Terrorist Threats
Example: September 11 attacks
Software Errors and Equipment Malfunctions
Example: Queensland Health payroll debacle
Example: Burger King incident where a payment of $4334.33 was processed for a $4.33 burger
Unintentional Acts
Human error due to carelessness
Intentional Acts
Computer crimes (e.g., malware)
Statistic: McAfee detected an average of 60,000 pieces of malware daily.
Breakdown of Threat Types
Natural Disasters
Fire or excessive heat
Floods, earthquakes, and other severe weather conditions
Political Disasters
War and terrorist attacks
Software Errors and Equipment Malfunctions
Hardware or software failure leading to disruptions
Software bugs and operating system crashes
Power outages and fluctuations
Undetected data transmission errors
Unintentional Acts
Human carelessness, incorrectly following established procedures, or poor training
Innocent errors/omissions leading to data issues
Intentional Acts
Various fraudulent actions including sabotage, misrepresentation of data, and frauds
Notable issues include asset misappropriation, financial statement fraud, and corruption
Understanding Fraud
Definition:
Gaining an unfair advantage over another through a false statement, representation, or disclosure, which influences a person’s actions
Essential Elements of Fraud
Material fact that induces an action
Intent to deceive
Justifiable reliance by the victim on the false statement
Resulting injury or loss to the victim
Note: Individuals who commit fraud are termed white-collar criminals.
Economic Impact:
Cost to the Australian community: $8.5 billion annually
Exposure to fraud: 35.8% of the Australian population (Australian Bureau of Statistics)
Forms of Fraud
Misappropriation of Assets
Definition: Theft of a company’s assets
Example: A payroll manager illegally transferring $20 million to a personal account over 18 months
Key Factors Leading to Theft:
Absence and/or improper enforcement of internal control systems
Fraudulent Financial Reporting
Definition:
Intentional or reckless conduct leading to materially misleading financial statements (according to The Treadway Commission)
Purpose: Deception of investors/creditors to enhance share prices
Notable Cases of Corporate Fraud
Boral/CSR/Pioneer/Ampol: Price fixing
AWA: Foreign exchange losses
BHP: Oil and mining disasters
Coles Myer: Governance issues
TNT: Accounting errors in Spain
Harris Scarfe: Revaluations and inventory issues
Clive Peeters Ltd: Fraud
Tricontinental: Loan losses
Enron: Earnings fraud
DOFA: Fraud
State Bank SA: Loan losses
Air New Zealand: Financial management issues
Barings: Derivatives fraud
HIH/FAI: Earnings management
OneTel Ltd: Reporting inaccuracies
Mayne Nickless/TNT: Price-fixing action brought by the Trade Practices Commission (TPC)
National Safety Council: Major fraud
These cases led to public demands for improved control mechanisms.
Reasons for Fraudulent Financial Statements
Intentions behind fraud:
Deception of investors or creditors
Increase the company’s stock price
Meet cash flow requirements
Pressure to meet earnings expectations
Intense market competition
Conceal company losses or problematic issues
Treadway Commission Recommendations
Actions to Reduce Financial Statement Fraud
Create a supportive environment for the integrity of financial reporting.
Identify factors contributing to fraud
Assess fraud risk within the organization
Design and implement effective internal controls to prevent fraud
SOX Section 404 emphasizes the necessity for financial reporting internal controls
SAS No. 99 / AU-C 240
Auditor Responsibilities Relating to Fraud in Financial Reports
Maintain a skeptical awareness of potential material misstatements.
Understand various forms of fraud.
Discuss risks associated with material fraudulent misstatements.
Comprehend governance structures that mitigate fraud risks.
Gather relevant information and assess risks.
Evaluate results of audit tests.
Document and communicate findings effectively to management and regulators.
Consider a technology focus in fraud detection and prevention.
The Fraud Triangle
Components of the Triangle
Crime Perpetrators Characteristics:
They are often dedicated, hardworking, trusted employees with no prior criminal record.
Computer fraud perpetrators tend to be young and talented, and do not necessarily have a computer science background.
Pressure:
Types of pressure leading to employee fraud:
Financial (debt, living beyond means)
Emotional (ego, job dissatisfaction)
Lifestyle (drug addiction, gambling)
Financial Pressures Leading to Employee Fraud
Living beyond one's means
High personal debt/expenses
Inadequate salary/income
Poor credit ratings
Heavy losses or bad investments
Tax avoidance
Unreasonable sales quotas or financial targets
Emotional Pressures for Fraud
Excessive greed, envy, or resentment
Job dissatisfaction or fear of job loss
Ambition or need for power/control
Coercion by management for unrealistic performance
Opportunities for Fraud
Conditions Allowing Fraud
Opportunity: the condition or situation that allows a person to:
Commit the fraud (e.g., steal an asset)
Conceal the fraud (e.g., lapping, in which a later customer's payment is credited to the customer whose earlier payment was stolen, so no account looks overdue)
Convert the theft to personal gain (e.g., sell stolen goods for cash)
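The concealment step above is where lapping lives, and it is also where a detective control can catch it. The example below is added here and is not from the original notes: it matches the bank's own remittance record (which the clerk cannot alter) against the AR cash-receipts journal (which the clerk keeps) and reports every receipt credited to someone other than the remitter, every remittance never credited at all, and every credit with no bank support. The customer names, amounts and dates are constructed for the example.

```python
"""Lapping detection by matching bank remittances to AR postings.

Added example (not from the original notes).  Lapping conceals the theft of
one customer's payment by crediting that customer with the next customer's
payment, and so on; every account looks current, but the clerk is always one
payment behind.  The control compares two records the clerk cannot both
alter: what the bank received (from whom, how much, when) and what the clerk
credited in the AR cash-receipts journal.
"""
from datetime import date

# Constructed bank remittance advices: (remitter, amount, date_received)
BANK_REMITTANCES = [
    ("Adams Pty Ltd", 500.00, date(2024, 3, 1)),   # stolen by the clerk
    ("Baker & Co",    500.00, date(2024, 3, 4)),   # posted to Adams instead
    ("Carter Ltd",    500.00, date(2024, 3, 8)),   # posted to Baker instead
    ("Dunn Holdings", 750.00, date(2024, 3, 9)),   # legitimate
]

# Constructed AR cash-receipts journal: (customer_credited, amount, posting_date)
AR_POSTINGS = [
    ("Adams Pty Ltd", 500.00, date(2024, 3, 4)),
    ("Baker & Co",    500.00, date(2024, 3, 8)),
    ("Dunn Holdings", 750.00, date(2024, 3, 9)),
]


def reconcile(remittances, postings, tolerance_days=1):
    """Match each remittance to an AR posting of the same amount posted within
    `tolerance_days` of receipt, then check that the customer credited is the
    customer who paid.  Returns a list of finding dicts whose "kind" is:
      misapplied  - money from X was credited to Y (the lapping signature)
      unposted    - a remittance the bank received was never credited to anyone
      unsupported - an AR credit with no corresponding bank remittance
    """
    unmatched = list(postings)
    findings = []
    for remitter, amount, received in remittances:
        match = next(
            (p for p in unmatched
             if abs(p[1] - amount) < 0.005
             and abs((p[2] - received).days) <= tolerance_days),
            None,
        )
        if match is None:
            findings.append({"kind": "unposted", "remitter": remitter,
                             "amount": amount, "received": received})
            continue
        unmatched.remove(match)
        credited = match[0]
        if credited != remitter:
            findings.append({"kind": "misapplied", "remitter": remitter,
                             "credited": credited, "amount": amount,
                             "received": received})
    for credited, amount, posted in unmatched:
        findings.append({"kind": "unsupported", "credited": credited,
                         "amount": amount, "received": posted})
    return findings


def unposted_total(findings):
    """Cash the bank received that never reached any customer account:
    a lower bound on what was taken."""
    return round(sum(f["amount"] for f in findings if f["kind"] == "unposted"), 2)


if __name__ == "__main__":
    results = reconcile(BANK_REMITTANCES, AR_POSTINGS)
    for finding in results:
        print(finding)
    print("unposted total:", unposted_total(results))
```

The first remittance (Adams, 1 March) has no posting within a day of receipt, so it surfaces as unposted; the next two are posted on the right day for the right amount but to the wrong customer, which is exactly the trail lapping leaves. Segregating cash handling from AR posting removes the opportunity; this reconciliation is the detective control for when that segregation is absent or overridden.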
Factors Permitting Employee and Financial Statement Fraud
Internal Control Factors
Lack of enforcement or monitoring of internal controls
Managerial neglect or carelessness
Overriding controls by management
Poorly defined lines of authority
Inadequate supervision and oversight
Weak documentation and records
External Factors Contributing to Fraud
Large or complex transactions
High employee turnover
Understaffed accounting departments
Overall lack of integrity or understanding of corporate ethics
Rationalizations Behind Fraudulent Behavior
Justifications for Illegal Behavior
Perceived entitlement (I deserve this)
Attitude of disregard for rules
Low commitment to personal integrity
Computer Fraud
Definition
An illegal act in which knowledge of computer technology is essential for its:
Perpetration, investigation, or prosecution
Examples of Computer Fraud:
Unauthorized use of data or software; theft of assets by altering records; destruction of hardware
Rise of Computer Fraud
No universally agreed definition of what counts as computer fraud (e.g., whether software piracy is included).
Many instances go undetected (the FBI estimates that only 1% are detected).
High levels of unreported incidents.
Insufficient network security measures in place.
Accessibility to criminal guidance online.
Law enforcement struggles to keep pace with white-collar crime.
Challenges in quantifying losses from such frauds.
Classifications of Computer Fraud
Types of Computer Fraud
Input Fraud: Altering or falsifying data as it enters the system (e.g., entering fictitious invoices). Requires little skill and is the simplest and most common type.
Processor Fraud: Unauthorized use of the system itself (e.g., theft of computer time or use of company servers for private business).
Computer Instructions Fraud: Tampering with the software that processes the data (e.g., modifying programs or developing unauthorized programs or routines).
Data Fraud: Illegally using, copying, browsing, searching, or harming company data.
Output Fraud: Stealing, copying, or misusing computer printouts or displayed output.
Preventing and Detecting Fraud
Key Strategies
Make fraud less likely to occur.
Increase difficulty for fraudulent actions.
Enhance detection methods for fraud.
Reduce potential losses from fraud incidents.
Detailed Strategies for Fraud Prevention and Detection
1. Make Fraud Less Likely to Occur
Foster a culture of integrity in the organization
Create robust governance structures (e.g., Board of Directors)
Communicate clear policies and expectations
2. Increase Difficulty of Fraud Commission
Develop strong internal controls
Apply system authentication mechanisms
Regular system updates and maintenance
3. Improve Fraud Detection Systems
Implement external and internal audits regularly
Establish a dedicated fraud hotline
Utilize fraud detection software effectively
4. Reduce Fraud Losses
Establish effective insurance mechanisms
Prepare a structured disaster recovery plan
Monitor system activity consistently
Computer Attacks and Abuse Techniques
Computer Attacks
Hacking: Unauthorized access to, or modification or use of, a computer system or electronic device.
Social Engineering: Psychological tricks that exploit human factors to access confidential information.
Malware: Software designed with malicious intentions to harm systems.
Types of Hacking Attacks
Common Hacking Techniques
Botnet: A network of hijacked computers (zombies) controlled remotely and used to carry out attacks such as spam campaigns and DoS attacks.
Denial-of-Service (DoS) Attack: Flooding a server with so many requests that it crashes or cannot serve legitimate users.
Spamming: Sending unsolicited e-mail in bulk, typically to sell something or to deliver phishing and malware.
Spoofing: Making a communication appear to come from a trusted source (e.g., forged e-mail sender addresses, IP addresses, or caller ID) to extract sensitive data or gain access.
Additional Hacking Attacks
Man-in-the-Middle: Attackers intercept communications between clients and hosts.
Masquerading: Pretending to be authorized users to gain access to systems.
Password Cracking: Recovering user passwords, typically by guessing (dictionary or brute-force attacks) against captured password hashes.
Data Leakage: Unauthorized copying of company data.
Embezzlement and Other Abuse Techniques
Techniques Used for Fraud
Salami Technique: Stealing tiny slices of money (e.g., the rounding residue of interest or payroll calculations) from a large number of accounts over time, so that no individual account is short by enough to be noticed.
Economic Espionage: Theft of trade secrets and intellectual property.
Cyber-Bullying: Use of communication technologies to harass, threaten, or intimidate another person.
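The salami technique is a computer instructions fraud: the program that posts interest is modified so that the rounding goes the perpetrator's way. The example below is added here and is not from the original notes; it serves both the classification of computer instructions fraud above and the salami technique in this list. It shows an honest interest-posting routine beside a tampered one, and then the detective control an auditor would apply: an independent recalculation of every posting from the master file (parallel simulation), plus a check that every account credited actually exists. The account file, interest rate and skim account name are constructed for the example.

```python
"""Salami technique in an interest-posting program and the detective control
that exposes it.  Added example (not from the original notes).

The honest program rounds each account's monthly interest half-up.  The
tampered program rounds every account DOWN and credits the shaved fraction
of a cent to an account the perpetrator controls.  No account is short by
more than one cent, so customers never complain; but recomputing every
posting independently, and checking that every credited account is on the
master file, shows both the shortfall and where it went.
"""
import random
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")


def make_accounts(n=10_000, seed=7):
    """Constructed master file for the example: (account_id, balance, annual_rate)."""
    rng = random.Random(seed)
    return [(f"ACC-{i:05d}", Decimal(rng.randint(1_000, 5_000_000)) / 100,
             Decimal("0.0325")) for i in range(n)]


def exact_monthly_interest(balance, rate):
    return balance * rate / 12


def honest_run(accounts):
    """Intended program: conventional rounding, nothing diverted."""
    return {acct: exact_monthly_interest(bal, rate).quantize(CENT, rounding=ROUND_HALF_UP)
            for acct, bal, rate in accounts}


def salami_run(accounts, skim_account="ACC-99999"):
    """Tampered program: truncate every account and bank the slices."""
    postings, skim = {}, Decimal(0)
    for acct, bal, rate in accounts:
        exact = exact_monthly_interest(bal, rate)
        paid = exact.quantize(CENT, rounding=ROUND_DOWN)
        skim += exact - paid          # always less than one cent per account
        postings[acct] = paid
    postings[skim_account] = skim.quantize(CENT, rounding=ROUND_DOWN)
    return postings


def audit_run(accounts, postings):
    """Detective control (parallel simulation): recompute every account from
    the master file, compare with what was posted, and flag any credited
    account that is not on the master file."""
    expected = honest_run(accounts)
    shortfalls = {}
    for acct, amt in expected.items():
        diff = amt - postings.get(acct, Decimal(0))
        if diff != 0:
            shortfalls[acct] = diff
    unknown = {a: v for a, v in postings.items() if a not in expected}
    return {
        "shortfalls": shortfalls,
        "total_shortfall": sum(shortfalls.values(), Decimal(0)),
        "unknown_accounts": unknown,
    }


def round_up_share(accounts, postings):
    """Reasonableness check: with conventional rounding roughly half of all
    postings exceed the exact amount; a program that only truncates never does."""
    ups = sum(1 for acct, bal, rate in accounts
              if postings[acct] > exact_monthly_interest(bal, rate))
    return ups / len(accounts)


if __name__ == "__main__":
    accounts = make_accounts()
    for name, run in (("honest", honest_run(accounts)), ("salami", salami_run(accounts))):
        report = audit_run(accounts, run)
        print(name, "accounts short:", len(report["shortfalls"]),
              "total:", report["total_shortfall"],
              "unknown accounts:", report["unknown_accounts"],
              "round-up share: %.2f" % round_up_share(accounts, run))
```

Note what a simple batch control total would and would not catch here: the tampered run still balances in aggregate (customer interest plus the skim account equals the exact total), which is why salami schemes survive. The recalculation per account and the master-file existence check are the controls that matter, and the round-up share is a cheap statistical screen that needs no knowledge of the tampered code.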
Computer Fraud in the Digital World
Messaging and Auction Frauds
Internet Misinformation: Spreading false information online.
Online Auctions: Manipulating bids and failing to deliver products.
Pump-and-Dump Schemes: Inflating stock prices through misinformation and selling at a profit.
Software Piracy: Unauthorized distribution of software.
Social Engineering Techniques
Common Methods of Deception
Identity Theft: Assuming another person's identity.
Pretexting: Tricking victims into disclosing information.
Phishing: Emails that appear legitimate asking for sensitive data.
Scavenging: Searching physical trash for confidential information.
Shoulder Surfing: Observing someone from a close distance to acquire their private information.
Trojan Horse: Malicious software embedded in legitimate programs.
Malware Variants
Types of Malware
Spyware: Monitors user behavior stealthily.
Ransomware: Blocks access to files until a ransom is paid.
Keylogger: Records keystrokes for harvesting passwords and sensitive information.
Virus: Self-replicating code that attaches itself to legitimate programs.
Worm: Stand-alone self-replicating software that spreads across networks without human interaction.
Control Concepts and COSO Framework
Overview of Internal Control Objectives
Safeguard assets and maintain accurate records.
Provide reliable information and prepare accurate financial reports.
Support operational efficiency and regulatory compliance.
Functions of Internal Control
Preventive: Deterrence of issues (e.g., access controls)
Detective: Discovery of issues (e.g., double-checking calculations)
Corrective: Correcting identified issues (e.g., restoring backups)
Sarbanes-Oxley Act (SOX 2002)
Purpose and Implications
Established to prevent corporate fraud in the aftermath of scandals (e.g., Enron, WorldCom).
Strengthens internal controls and enhances financial reporting transparency.
Section 404 mandates management to maintain an adequate internal control system and report its effectiveness.
Components of the COSO Framework
Control Environment: Organizational structure and standards.
Risk Assessment: Identification and evaluation of risks.
Control Activities: Measures to ensure risk responses are implemented.
Information and Communication: Sharing relevant information throughout the organization.
Monitoring: Ongoing assessments of control processes.
Protecting Information Security
Trust Services Framework Overview
Security: Access to the system and its data is controlled and restricted to legitimate users.
Confidentiality: Protection of sensitive organizational data.
Privacy: Safeguarding personal information of stakeholders.
Processing Integrity: Accurate processing of data.
Availability: Ensuring system and information accessibility.
Defense-in-Depth Strategy
Model Overview
Implement multiple control layers to enhance security (e.g., firewalls, intrusion detection systems).
Maintain a combination of preventive, detective, and corrective measures to respond to threats.
Mitigating Risks of Cyber Attacks
Control Types and Examples
Preventive Controls: User access controls, training for a security-aware culture, and firewall protections.
Detective Controls: Logging and analyzing system access and alerts for irregularities.
Corrective Controls: Computer incident response teams for managing breaches and patching vulnerabilities.
User Access and Network Security
Access Control Measures
Types of Authentication
Knowledge: Something the user knows (passwords, PINs).
Possession: Something the user has (smart cards, hardware or software tokens).
Biometric Characteristics: Something the user is (fingerprints, face, iris).
Multifactor authentication combines two or more of these, so that a stolen password alone does not grant access.
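The three factor types above are only as strong as how they are verified. The example below is added here and is not from the original notes: it checks a knowledge factor (a password against a salted PBKDF2 hash, never a stored plaintext) and a possession factor (a time-based one-time code, RFC 6238, recomputed from a secret held on the user's device), always runs both checks, and returns a single pass/fail so a failure in either factor looks the same to an attacker. The user record, username, password and salt are constructed for the example; the TOTP secret is the RFC 6238 reference seed so the generated codes can be checked against the RFC's test vectors.

```python
"""Two-factor login check: knowledge factor (password) plus possession factor
(TOTP code from a device).  Added example (not from the original notes).
"""
import hashlib
import hmac
import struct
import time

PBKDF2_ITERATIONS = 600_000   # order of magnitude recommended for PBKDF2-SHA256


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password, salt, iterations, stored_digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)   # constant-time compare


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at_time=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, at_time=None, step=30, window=1):
    """Accept the current step and `window` steps either side to absorb clock drift."""
    t = int(time.time() if at_time is None else at_time)
    return any(hmac.compare_digest(hotp(secret, t // step + k), code)
               for k in range(-window, window + 1))


# Constructed user record.  The salt would normally come from os.urandom(16)
# at enrolment; it is fixed here so the example is reproducible.
RFC6238_SEED = b"12345678901234567890"
_SALT = bytes.fromhex("9f3c2a1b5d7e8f001122334455667788")
USERS = {
    "aclerk": {
        "salt": _SALT,
        "iterations": PBKDF2_ITERATIONS,
        "digest": hash_password("correct horse battery staple", _SALT),
        "totp_secret": RFC6238_SEED,
    }
}
# Dummy record so that an unknown username costs the same time as a real one
# (otherwise response time would reveal which usernames exist).
_DUMMY = {"salt": _SALT, "iterations": PBKDF2_ITERATIONS,
          "digest": bytes(32), "totp_secret": bytes(20)}


def authenticate(username, password, code, at_time=None):
    """Both factors are checked unconditionally; one boolean is returned."""
    record = USERS.get(username, _DUMMY)
    pw_ok = verify_password(password, record["salt"], record["iterations"], record["digest"])
    otp_ok = verify_totp(record["totp_secret"], code, at_time)
    return username in USERS and pw_ok and otp_ok


if __name__ == "__main__":
    print("code at t=59:", totp(RFC6238_SEED, 59))   # 287082 per RFC 6238 (SHA-1, 6 digits)
    print(authenticate("aclerk", "correct horse battery staple",
                       totp(RFC6238_SEED, 59), at_time=59))
```

The drift window of one step either side is the usual trade-off between users whose phone clock is a few seconds off and an attacker's extra two guesses per attempt; a production service also needs rate limiting and replay protection (refusing a code already used in the same step), which this example does not include.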
Network Access Control Structures
Implementing firewalls and intrusion prevention systems to protect against unauthorized access.
Creating a Demilitarized Zone (DMZ): a separate network segment that gives outsiders controlled access to public-facing resources (e.g., web servers) without exposing the internal network.
Device and Software Hardening Practices
Disabling unnecessary features on servers, printers, and workstations to minimize vulnerabilities.
Software design practices that validate all input and treat data supplied by external users as untrusted.
Incident Detection and Response
Detective Controls Strategies
Analyzing logs for evidence of potential intrusions and employing intrusion detection systems.
Conducting penetration tests to assess whether the security controls actually work in practice rather than only on paper.
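Log analysis only works as a detective control if someone has written down what an intrusion looks like in the log and checks for it routinely. The example below is added here and is not from the original notes: it parses a constructed application audit log and applies two checks, one for a source address that fails to log in repeatedly within a short window and then succeeds (password guessing that worked), and one for sensitive master-file changes made outside business hours, when supervisory review is absent. The log format, field names, addresses, usernames and the list of sensitive actions are all constructed for the example.

```python
"""Two detective checks over an application audit log.  Added example (not
from the original notes); the log lines and field layout are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log: one event per line.
SAMPLE_LOG = """\
2024-03-12T08:59:10Z src=10.1.4.22 user=mchen action=login result=OK
2024-03-12T22:14:01Z src=203.0.113.7 user=jsmith action=login result=FAIL
2024-03-12T22:14:03Z src=203.0.113.7 user=jsmith action=login result=FAIL
2024-03-12T22:14:06Z src=203.0.113.7 user=jsmith action=login result=FAIL
2024-03-12T22:14:09Z src=203.0.113.7 user=jsmith action=login result=FAIL
2024-03-12T22:14:12Z src=203.0.113.7 user=jsmith action=login result=FAIL
2024-03-12T22:14:20Z src=203.0.113.7 user=jsmith action=login result=OK
2024-03-12T22:15:02Z src=203.0.113.7 user=jsmith action=vendor_master_update result=OK
2024-03-13T09:01:44Z src=10.1.4.22 user=mchen action=login result=OK
2024-03-13T09:30:00Z src=10.1.4.31 user=rpatel action=login result=FAIL
2024-03-13T09:30:20Z src=10.1.4.31 user=rpatel action=login result=OK
2024-03-13T10:02:11Z src=10.1.4.31 user=rpatel action=vendor_master_update result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse lines into dicts with a datetime.  Malformed lines are skipped but
    counted: a gap or corruption in the log is itself worth knowing about."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events, skipped


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=2)):
    """Flag a source that fails `threshold` or more logins within `window`
    and then logs in successfully."""
    recent_fails = defaultdict(deque)      # src -> timestamps of recent failures
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "login":
            continue
        q = recent_fails[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()                    # forget failures outside the window
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            findings.append({"src": ev["src"], "user": ev["user"],
                             "failures": len(q), "success_at": ev["ts"]})
            q.clear()
    return findings


def after_hours_sensitive(events, sensitive=("vendor_master_update", "payment_release"),
                          start_hour=8, end_hour=18):
    """Flag successful sensitive actions outside business hours (UTC here)."""
    return [ev for ev in events
            if ev["action"] in sensitive and ev["result"] == "OK"
            and not (start_hour <= ev["ts"].hour < end_hour)]


if __name__ == "__main__":
    events, skipped = parse_log(SAMPLE_LOG)
    print("parsed", len(events), "events, skipped", skipped)
    for f in brute_force_then_success(events):
        print("brute force then success:", f)
    for ev in after_hours_sensitive(events):
        print("after hours:", ev["ts"], ev["user"], ev["action"])
```

On the sample log the two checks converge on the same session: five failures from 203.0.113.7 followed by a success, then a vendor master change at 22:15. Either finding alone is a ticket; together they are an incident, and the vendor master change is the first thing the response team should reverse and review.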
Conclusion
Mitigating the risks of computer fraud and abuse requires understanding what fraud is and the forms it takes, why people commit it (the fraud triangle), how it is prevented and detected, and the framework of internal controls that keeps accounting systems and the organizations that depend on them trustworthy.