Fraud (Topic 3) Flashcards
Common Threats to AIS
Natural disasters (e.g. tsunamis) and terrorist attacks (e.g. September 11)
Software errors and/or equipment malfunction (e.g. the Queensland Health payroll debacle; the Burger King example, where a customer was charged $4,334.33 for a $4.33 burger)
Unintentional acts (human error due to carelessness; estimated to cause about 80% of security problems)
Intentional acts (e.g. computer crimes)
Intentional acts -> computer crimes, fraud or sabotage
Sabotage
An intentional act where the intent is to destroy a system or some of its components.
Cookie
A text file created by a website and stored on a visitor's hard drive. Cookies store information about who the user is and what the user has done on the site.
What is fraud
What are the criteria?
Gaining an unfair advantage over another person. All of the following conditions must be present for an act to be fraud; if any of them is missing, the event may still be an indicator of fraud or of an internal control weakness:
- A false statement, representation, or disclosure.
- A material fact that induces a person to act.
- An intent to deceive.
- A justifiable reliance on the fraudulent fact, on which a person takes action.
- An injury or loss suffered by the victim.
Who is likely to commit fraud
Individuals who commit fraud are referred to as white-collar criminals
Most fraud perpetrators are knowledgeable insiders with the requisite access, skills, and resources. Because employees understand a company’s system and its weaknesses, they are better able to commit and conceal a fraud.
white-collar criminals
Typically, businesspeople who commit fraud. White-collar criminals usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.
corruption
Dishonest conduct by those in power which often involves actions that are illegitimate, immoral, or incompatible with ethical standards. Examples include bribery and bid rigging.
Forms of Fraud
Misappropriation of assets
Fraudulent financial reporting
Misappropriation of assets
Misappropriation of assets:
• Theft of a company's assets (e.g. a payroll manager used internet banking to illegally transfer $20M to a personal account over 18 months)
• Key factors enabling theft of assets:
- Absence of an internal control system that safeguards against these threats
- Failure to enforce an internal control system that mitigates these threats
Fraudulent financial reporting
‘…intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements’ (The Treadway Commission).
Financial reports are falsified to deceive investors/creditors and to increase a company’s share price.
Fraudulent Financial Statements
The National Commission on Fraudulent Financial Reporting (the Treadway Commission) defined fraudulent financial reporting as intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.
Reasons for Fraudulent Financial Statements
- Deceive investors or creditors.
- Increase a company’s stock price.
- Meet cash flow needs.
- Intense pressure to meet earnings expectations.
- Heavy competition.
- Hide company losses or other problems.
What are the Treadway Commission's recommended actions to reduce fraud?
- Establish environment which supports the integrity of the financial reporting process.
- Identification of factors that lead to fraud.
- Assess the risk of fraud within the company.
- Design and implement internal controls to provide assurance that fraud is being prevented.
SOX Section 404 mandates financial reporting internal controls
Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit, became effective in December 2002. SAS No. 99 requires auditors to:
Maintain skepticism (material misstatements always possible)
Understand fraud and how it evolves to mitigate it
Discuss the risks of material fraudulent misstatements
Understand governance (e.g. structures mitigating fraud risk)
Obtain information
Identify, assess and respond to risks
Evaluate results of their audit tests
Document and communicate findings (to both management and regulators)
Incorporate a technology focus
The fraud triangle
Framework to identify where fraud may occur. Its three elements are:
- Pressure
- Opportunity
- Rationalisation
Fraud perpetrators (white-collar criminals) can be dedicated, hardworking, trusted, "honest", without a criminal record, young, talented, and not necessarily computing graduates.
Fraud triangle - pressure
Motivation or incentive to commit fraud. Types:
1. Employee pressures: financial, emotional, lifestyle
2. Financial reporting pressures: industry conditions, management characteristics, financial pressure
Fraud triangle - opportunity
Condition or situation that allows a person or organisation to:
- Commit the fraud (e.g. asset theft). The theft of assets is the most common type of misappropriation. Most instances of fraudulent financial reporting involve overstatements of assets or revenues, understatements of liabilities, or failures to disclose information.
- Conceal the fraud, for example by:
  - Lapping: concealing the theft of cash by means of a series of delays in posting collections to accounts receivable.
  - Check kiting: creating cash using the lag between the time a check is deposited and the time it clears the bank.
  To prevent detection when assets are stolen or financial statements are overstated, perpetrators must keep the accounting equation in balance by inflating other assets or decreasing liabilities or equity. Concealment often takes more effort and time and leaves behind more evidence than the theft or misrepresentation: taking cash requires only a few seconds, while altering records to hide the theft is more challenging and time-consuming.
- Convert the theft or misrepresentation to personal gain (e.g. stolen goods sold for cash on eBay). Employees who steal inventory or equipment sell the items or otherwise convert them to cash. In cases of falsified financial statements, perpetrators convert their actions to personal gain through indirect benefits: they keep their jobs, their stock rises, they receive pay raises and promotions, or they gain more power and influence.
Lapping
Concealing the theft of cash by means of a series of delays in posting collections to accounts receivable
Check kiting
Creating cash using the lag between the time a check is deposited and the time it clears the bank
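Lapping is a concealment technique, so the control that defeats it is an independent record of what was received compared against what the clerk posted. The following is an added example (not code from the flashcards or any textbook) in Python: it matches a mailroom remittance list, prepared by someone other than the A/R clerk, against the A/R subledger postings and reports payments that were posted late, never posted, or posted with no payment behind them. The customer names, amounts and dates are constructed for the example; check kiting is not covered here because detecting it needs bank clearing data rather than A/R records.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data for this example; not taken from the page or any real case.
# Amounts are in cents so no floating-point rounding is involved.

@dataclass(frozen=True)
class Remittance:
    """A customer payment as logged on the mailroom remittance list,
    which is prepared by someone other than the A/R clerk."""
    customer: str
    amount: int
    received: date

@dataclass(frozen=True)
class Posting:
    """A credit the A/R clerk applied to a customer's account in the subledger."""
    customer: str
    amount: int
    posted: date

def match_postings(remittances, postings, max_lag_days=1):
    """Pair every remittance with the earliest unused posting for the same
    customer and amount dated on or after receipt.

    Returns three lists:
      late      -> (remittance, posting, lag_in_days) where lag > max_lag_days
      unposted  -> remittances with no matching credit at all
      orphans   -> postings not backed by any remittance (credits from nowhere)
    In a lapping scheme the stolen payment shows up as 'unposted' until the
    clerk covers it with a later customer's cheque, at which point it shows up
    as 'late' and the next customer becomes the one with an unposted payment.
    """
    unused = sorted(postings, key=lambda p: p.posted)
    late, unposted = [], []
    for r in sorted(remittances, key=lambda r: r.received):
        hit = next((p for p in unused
                    if p.customer == r.customer
                    and p.amount == r.amount
                    and p.posted >= r.received), None)
        if hit is None:
            unposted.append(r)
            continue
        unused.remove(hit)
        lag = (hit.posted - r.received).days
        if lag > max_lag_days:
            late.append((r, hit, lag))
    return late, unposted, unused

# Constructed scenario: the clerk pockets Acme's cheque on 1 March, then uses
# Bolt's cheque (4 March) to credit Acme and Cask's cheque (8 March) to credit
# Bolt. Dune's payment is handled honestly on the day it arrives.
REMITTANCES = [
    Remittance("Acme", 50_000, date(2024, 3, 1)),
    Remittance("Bolt", 50_000, date(2024, 3, 4)),
    Remittance("Cask", 50_000, date(2024, 3, 8)),
    Remittance("Dune", 70_000, date(2024, 3, 9)),
]
POSTINGS = [
    Posting("Acme", 50_000, date(2024, 3, 4)),
    Posting("Bolt", 50_000, date(2024, 3, 8)),
    Posting("Dune", 70_000, date(2024, 3, 9)),
]

def lapping_report(remittances=REMITTANCES, postings=POSTINGS):
    """Summarise the exceptions an auditor would follow up on."""
    late, unposted, orphans = match_postings(remittances, postings)
    return {
        "late": [(r.customer, lag) for r, _, lag in late],
        "unposted": [r.customer for r in unposted],
        "orphans": [p.customer for p in orphans],
    }

if __name__ == "__main__":
    for key, value in lapping_report().items():
        print(f"{key:9s} {value}")
```

The report is only as good as the independence of the remittance list: if the same clerk opens the mail and posts the credits, both records are under the perpetrator's control and the comparison proves nothing. A growing posting lag over successive customers is the signature to look for, since each cover-up cheque arrives later than the payment it hides.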
Fraud triangle - Rationalisations
Justification of illegal behaviour:
1. Justification: "I am not being dishonest, I only took what they owed me."
2. Attitude: "I don't need to be honest, these rules don't apply to me."
3. Lack of personal integrity: theft is valued above honesty or integrity, because getting what I want matters more than being honest.
Computer Fraud
Any illegal act in which knowledge of computer technology is necessary for:
• Perpetration
• Investigation
• Prosecution.
Examples include:
• Unauthorised theft, use, access, modification, copying or destruction of software or data
• Theft of assets by altering computer records
• Theft of computer time
• Theft or destruction of hardware, software, computer resources
• Intent to obtain tangible property illegally by using computers
Why is there a rise in computer fraud?
- The definition is not agreed on (is copying/pirating software a computer crime? is browsing someone else's files?)
- Many go undetected (e.g. FBI estimates only 1% of computer crime is detected)
- High percentage is not reported
- Lack of network security
- Difficulty calculating/quantifying loss (e.g. data stolen; websites defaced; virus attack)
- Step-by-step guides are easily available
- Law enforcement is overburdened; hard to keep up with white collar crime
Cyber sleuths
The forensic experts breaking into the company and copying the data worked for a Big Four accounting firm. The accountants, turned cyber sleuths, specialize in catching fraud perpetrators. Cyber sleuths come from a variety of backgrounds, including accounting, information systems, government, law enforcement, military, and banking.
Skills cyber sleuths must maintain
• Ability to follow a trail, think analytically, and be thorough
• Good understanding of information technology (IT).
Cyber sleuths need to understand data storage, data communications, and how to retrieve hidden or deleted files and e-mails.
• Ability to think like a fraud perpetrator – what motivates them
• Ability to use hacking tools and techniques.
Cyber sleuths need to understand the tools computer criminals use to perpetrate fraud and abuse.
Computer Fraud Classifications
Input fraud
• Alteration or falsifying input (e.g. issue invoices from fictitious vendors).
Processor fraud
• Unauthorised system use (e.g. use company servers for illicit purposes).
Computer instructions fraud
• Modifying software, illegally copying software, using software in an unauthorised manner, or developing software to carry out unauthorised activities.
Data fraud
• Illegally using, copying, browsing, searching, or harming company data (e.g. WikiLeaks). The biggest cause of data breaches is employee negligence.
Output fraud
• Stealing, copying, or misusing computer printouts or displayed information.
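The input-fraud example above, invoices from a fictitious vendor, is usually caught not at the invoice but in the vendor master file: a shell vendor tends to share a bank account or address with an employee, lack a tax ID, or duplicate an existing vendor's banking details. The following is an added example in Python, not code from the flashcards or from any accounting package, that screens a vendor master against the employee master for those red flags. All names, addresses and account numbers are constructed, and the address normalisation (lower-casing, stripping punctuation, abbreviating street suffixes) is a simplification a real matching engine would go well beyond.

```python
import re
from collections import defaultdict

# Constructed sample master data; every employee, vendor, address and account
# number here is invented for the example.
EMPLOYEES = [
    {"id": "E100", "name": "Jordan Reyes", "address": "12 Elm Street, Apt 4", "bank": "12-3456-789"},
    {"id": "E101", "name": "Priya Nair",   "address": "88 Oak Avenue",        "bank": "98-7654-321"},
]
VENDORS = [
    {"id": "V2001", "name": "Reyes Consulting",  "address": "12 Elm St., Apt 4", "bank": "12-3456-789", "tax_id": ""},
    {"id": "V2002", "name": "Northwind Paper",   "address": "400 Mill Road",     "bank": "55-0000-111", "tax_id": "TX-1"},
    {"id": "V2003", "name": "NW Paper Supplies", "address": "400 Mill Rd",       "bank": "55-0000-111", "tax_id": "TX-2"},
    {"id": "V2004", "name": "Cask Logistics",    "address": "7 Harbour Way",     "bank": "31-2222-444", "tax_id": "TX-3"},
]

# Street-suffix abbreviations so that trivially different spellings compare equal.
_ABBREV = {"street": "st", "road": "rd", "avenue": "ave", "apartment": "apt"}

def norm_address(addr):
    """Lower-case, drop punctuation, collapse whitespace and abbreviate suffixes,
    so '12 Elm Street, Apt 4' and '12 Elm St., Apt 4' normalise to the same key."""
    words = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)

def norm_bank(acct):
    """Keep digits only, so formatting differences in account numbers are ignored."""
    return re.sub(r"\D", "", acct)

def screen_vendors(vendors, employees):
    """Return {vendor_id: [reasons]} for every vendor that warrants review.
    Checks: bank account or address shared with an employee, no tax ID on
    file, and a bank account shared between two vendor records."""
    findings = defaultdict(list)
    emp_by_bank = {norm_bank(e["bank"]): e["id"] for e in employees}
    emp_by_addr = {norm_address(e["address"]): e["id"] for e in employees}
    vendors_by_bank = defaultdict(list)
    for v in vendors:
        vendors_by_bank[norm_bank(v["bank"])].append(v["id"])
    for v in vendors:
        bank, addr = norm_bank(v["bank"]), norm_address(v["address"])
        if bank in emp_by_bank:
            findings[v["id"]].append(f"bank account matches employee {emp_by_bank[bank]}")
        if addr in emp_by_addr:
            findings[v["id"]].append(f"address matches employee {emp_by_addr[addr]}")
        if not v["tax_id"].strip():
            findings[v["id"]].append("no tax id on file")
        others = [x for x in vendors_by_bank[bank] if x != v["id"]]
        if others:
            findings[v["id"]].append("bank account shared with vendor " + ", ".join(others))
    return dict(findings)

if __name__ == "__main__":
    for vendor_id, reasons in screen_vendors(VENDORS, EMPLOYEES).items():
        print(vendor_id, "->", "; ".join(reasons))
```

A hit is a lead, not a verdict: a duplicated bank account may be two records for one legitimate supplier, but the employee matches on V2001 are exactly the pattern an invoice from a fictitious vendor leaves behind, and they are invisible if only the invoices themselves are reviewed.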
Prevent and Detect Fraud
- Make fraud less likely to occur.
- Increase the difficulty of committing fraud.
- Improve detection methods.
- Reduce fraud losses.
Computer Attacks and Abuse
Hacking
Social Engineering
Malware
Hacking
• Unauthorised access, modification, or use of a computer system or other electronic device.
Example: Russian hackers broke into Citibank's system and stole $10 million from customer accounts.
Social Engineering
- Techniques, usually psychological tricks, to gain access to sensitive data or information.
- Used to gain access to secure systems or locations.
Malware
• Any software which can be used to do harm.
Hacking
-Hijacking
Hijacking is gaining control of a computer to carry out illicit activities without the user’s knowledge
Botnet—Robot Network
- Network of hijacked computers.
- Hijacked computers carry out processes without their users' knowledge.
- Zombie: a hijacked computer, typically part of a botnet, that is used to launch a variety of Internet attacks.
Bot herders install software that responds to the hacker's electronic instructions on unwitting PCs. Bot software is delivered in a variety of ways, including Trojans, e-mails, instant messages, tweets, or an infected website.
Hacking
-Denial of service attack
Denial-of-Service (DoS) Attack: botnets are commonly used to perform DoS attacks.
• A constant stream of requests is made to a web server (usually via a botnet) that overwhelms it and shuts down the service.
Example: a DoS attack shut down 3,000 websites for 40 hours on one of the busiest shopping weekends of the year.
CloudNine, an Internet service provider, went out of business after DoS attacks prevented its subscribers and their customers from communicating.
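The point of using a botnet for the flood described above is that no single zombie has to send much: a per-client rate limit, the first thing most people reach for, never fires. The following is an added example in Python, not code from the flashcards or from any web server, that parses common-log-format access lines, counts requests per fixed time window, and flags both a single noisy client and a window whose aggregate request count is abnormal even though every client stays under the per-client threshold. The log lines are constructed inside the block, the client addresses come from the reserved documentation ranges, and the thresholds are illustrative.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "common log format": client ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, datetime) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def detect_flood(lines, window_s=10, per_ip_max=20, total_max=60):
    """Bucket requests into fixed windows and flag two patterns:
    - a single client above per_ip_max requests in a window (one noisy source), and
    - a window whose aggregate count exceeds total_max even though no single
      client is noisy, which is what a botnet flood looks like in the log."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped rather than aborting the scan
        ip, ts = parsed
        start = int(ts.timestamp()) // window_s * window_s
        buckets[start][ip] += 1
    findings = []
    for start in sorted(buckets):
        counts = buckets[start]
        noisy = sorted(ip for ip, n in counts.items() if n > per_ip_max)
        total = sum(counts.values())
        if noisy or total > total_max:
            findings.append({"window_start": start, "total": total,
                             "distinct_sources": len(counts), "noisy_ips": noisy})
    return findings

# ---- constructed sample log: not real traffic, IPs are from documentation ranges ----
def make_sample_log():
    t0 = datetime(2024, 11, 29, 9, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset_s, path="/"):
        ts = (t0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    # window 0: an ordinary visitor, three page loads
    lines += [entry("203.0.113.5", s, p) for s, p in ((1, "/"), (2, "/css/site.css"), (3, "/cart"))]
    # window 1: forty zombies each send only two requests, plus the same visitor
    for i in range(1, 41):
        lines += [entry(f"198.51.100.{i}", 10 + i % 10),
                  entry(f"198.51.100.{i}", 10 + (i + 3) % 10)]
    lines += [entry("203.0.113.5", 12, "/checkout"), entry("203.0.113.5", 15, "/checkout")]
    # window 2: a single script hammering the search endpoint
    lines += [entry("192.0.2.9", 20 + i % 10, "/search?q=x") for i in range(25)]
    lines.append("this line is not a valid access-log record")
    return lines

if __name__ == "__main__":
    for finding in detect_flood(make_sample_log()):
        print(finding)
```

Run stand-alone it prints two windows: the botnet window (82 requests from 41 sources, no noisy IP) and the single-script window (25 requests from one IP). Raising `total_max` so that only the per-client rule applies makes the botnet window disappear from the output, which is the gap a distributed flood exploits; in production the aggregate baseline would come from the server's normal traffic rather than a fixed constant.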