Unlock document.
This document is partially blurred.
Unlock all pages and 1 million more documents.
Get Access
5.3 The computer frauds that are publicly revealed represent only the tip of the iceberg.
Although many people perceive that the major threat to computer security is
external, the more dangerous threats come from insiders. Management must
recognize these problems and develop and enforce security programs to deal with the
many types of computer fraud.
Explain how each of the following six types of fraud is committed. Using the format
provided, also identify a different method of protection for each and describe how it
works. Adapted from the CMA Examination.
Type of
Fraud
Explanation
Identification and Description of
Protection Methods
Input
manipulation
This requires the least amount of
technical skill and little
knowledge of how the computers
operate.
Input data are improperly altered
or revised without authorization.
For example, payroll time sheets
can be altered to pay overtime or
an extra salary.
Documentation and Authorization
− Data input format authorized and
properly documented.
− Control over blank documents.
− Comprehensive editing
− Control source of data
Programmed Terminal/User protection
− Programs that only accept inputs from
certain designated users, locations,
terminals, and/or times of the day.
Program
alteration
Program alteration requires
programming skills and
knowledge of the program.
Program coding is revised for
fraudulent purposes. For
example:
− Ignore certain transactions
such as overdrafts against the
programmers' account
− Grant excessive discounts to
Programmers should not be allowed to
make changes to actual production
source programs and data files.
Segregation of Duties
− Programmers should not have access to
production programs or data files.
Periodic Comparisons
− Internal Audit or an independent group
should periodically process actual data,
File
alteration
Defrauder revises specific data or
manipulates data files. For example:
− Using program instructions to
fraudulently change an
employee’s pay rate in the payroll
master file
− Transferring balances among
dormant accounts to conceal
improper withdrawals of funds.
Restrict Access to Equipment/Files
− Restrict access to computer center.
− Programmers and analysts should not
have direct access to production data
files.
− Have a librarian maintain production
data files in a library.
− Restrict computer operator access to
applications documentation, except
where needed to perform their duties,
to minimize their ability to modify
programs and data files.
Data theft
Smuggling out data on:
- Hard copies of reports/files.
- Magnetic devices in briefcases,
employees' pockets, etc.
Tap or intercept data transmitted by
data communication lines
Electronic sensitization of all library
materials to detect unauthorized
removals.
Encrypt sensitive data transmissions.
Sabotage
Physical destruction of hardware or
software.
Terminated employees immediately
denied access to all computer
equipment and information to prevent
them from destroying or altering
equipment or files.
Maintain backup files at secure off-site
locations.
Theft of
computer
time
Unauthorized use of a company's
computer for personal or outside
business activities. This can result
in the computer being fully utilized
and lead to unnecessary computer
capacity upgrades.
Assigning blocks of time to processing
jobs and using the operating system to
block out the user once the allocated
time is exhausted. Any additional time
would require special authorization.
5.4 Environmental, institutional, or individual pressures and opportune situations, which
are present to some degree in all companies, motivate individuals and companies to
a. Identify two company pressures that would increase the likelihood of fraudulent
financial reporting.
b. Identify three corporate opportunities that make fraud easier to commit and
detection less likely.
c. For each of the following, identify the external environmental factors that should
be considered in assessing the risk of fraudulent financial reporting.
• The company’s industry
• The company’s business environment
• The company’s legal and regulatory environment
d. What can top management do to reduce the possibility of fraudulent financial
reporting?
5.5 For each of the following independent cases of employee fraud, recommend how to
prevent similar problems in the future. Adapted from the CMA Examination
a. Abnormal inventory shrinkage in the audiovisual department at a retail chain
store led internal auditors to conduct an in-depth audit of the department. They
learned that one customer frequently bought large numbers of small electronic
components from a certain cashier. The auditors discovered that they had
colluded to steal electronic components by not recording the sale of items the
customer took from the store.
b. During an unannounced audit, auditors discovered a payroll fraud when they
distributed paychecks instead of department supervisors. When the auditors
investigated an unclaimed paycheck, they discovered that the employee quit four
months previously after arguing with the supervisor. The supervisor continued to
turn in a time card for the employee and pocketed his check.
c. Auditors discovered an accounts payable clerk who made copies of supporting
documents and used them to support duplicate supplier payments. The clerk
deposited the duplicate checks in a bank account she had opened using a name
similar to the supplier’s.
5.6 An auditor found that Rent-A-Wreck management does not always comply with its
stated policy that sealed bids be used to sell obsolete cars. Records indicated that
several vehicles with recent major repairs were sold at negotiated prices.
Management vigorously assured the auditor that performing limited repairs and
negotiating with knowledgeable buyers resulted in better sales prices than the sealed-
bid procedures. Further investigation revealed that the vehicles were sold to
employees at prices well below market value. Three managers and five other
employees pleaded guilty to criminal charges and made restitution.
Adapted from the CIA Examination
a. List the fraud symptoms that should have aroused the auditor’s suspicion.
b. What audit procedures would show that fraud had in fact occurred?
5.7 A bank auditor met with the senior operations manager to discuss a customer’s
complaint that an auto loan payment was not credited on time. The customer said the
payment was made on May 5, its due date, at a teller’s window using a check drawn
on an account in the bank. On May 10, when the customer called for a loan pay-off
balance so he could sell the car, he learned that the payment had not been credited to
the loan. On May 12, the customer went to the bank to inquire about the payment
and meet with the manager. The manager said the payment had been made on May
11. The customer was satisfied because no late charge would have been assessed until
May 15. The manager asked whether the auditor was comfortable with this situation.
The auditor located the customer’s paid check and found that it had cleared on May
5. The auditor traced the item back through the computer records and found that
the teller had processed the check as being cashed. The auditor traced the payment
through the entry records of May 11 and found that the payment had been made with
cash instead of a check.
What type of embezzlement scheme is this, and how does it work?
Adapted from the CIA Examination
The circumstances are symptomatic of lapping, which is a common form of embezzlement
by lower-level employees in positions that handle cash receipts.
5.8 An accountant with the Atlanta Olympic Games was charged with embezzling over
$60,000 to purchase a Mercedes-Benz and to invest in a certificate of deposit. Police alleged
that he created fictitious invoices from two companies that had contracts with the Olympic
Committee: International Protection Consulting and Languages Services. He then wrote
checks to pay the fictitious invoices and deposited them into a bank account he had opened
under the name of one of the companies. When he was apprehended, he cooperated with
police to the extent of telling them of the bogus bank account and the purchase of the
Mercedes-Benz and the CD. The accountant was a recent honors graduate from a
respected university who, supervisors stated, was a very trusted and loyal employee.
a. How does the accountant fit the profile of a fraudster?
The accountant fit the fraud profile in that he was
How does he not fit the profile?
b. What fraud scheme did he use to perpetrate his fraud?
c. What controls could have prevented his fraud?
d. What controls could have detected his fraud?
