Chapter 5 Homework


Chapter 5

5.3

The computer frauds that are publicly revealed represent only the tip of the iceberg. Although many
people perceive that the major threat to computer security is external, the more dangerous threats
come from insiders. Management must recognize these problems and develop and enforce security
programs to deal with the many types of computer fraud.

Explain how each of the following six types of fraud is committed. Using the format provided, also
identify a different method of protection for each and describe how it works.

Type of Fraud / Explanation / Identification and Description of Protection Methods

Input manipulation
Explanation: Requires the least amount of technical skill and little knowledge of how the computers
operate. Input data are improperly altered or revised without authorization.
Protection methods:
Documentation and Authorization
− Data input format authorized and properly documented.
− Control over blank documents.
− Comprehensive editing.
− Control source of data.
Programmed Terminal/User Protection
− Programs that only accept inputs from certain designated users, locations, terminals, and/or
times of the day.

Program alteration
Explanation: Requires programming skills and knowledge of the program. Program coding is revised
for fraudulent purposes.
Protection methods:
Programmers should not be allowed to make changes to actual production source programs and data
files.
Segregation of Duties
− Programmers should not have access to production programs or data files.
Periodic Comparisons
− Internal Audit or an independent group should periodically process actual data and compare the
output with output from normal operations. Differences indicate unauthorized program changes.
− Periodic comparisons of on-line programs to off-line backup copies to detect changes.
− Independent file librarian function that controls custody of and access to programs.

File alteration
Explanation: Defrauder revises specific data or manipulates data files.
Protection methods:
Restrict Access to Equipment/Files
− Restrict access to the computer center.
− Programmers and analysts should not have direct access to production data files.
− Have a librarian maintain production data files in a library.
− Restrict computer operator access to applications documentation, except where needed to
perform their duties, to minimize their ability to modify programs and data files.

Data theft
Explanation: Smuggling out data on:
− Hard copies of reports/files.
− Magnetic devices in briefcases, employees' pockets, etc.
Tapping or intercepting data transmitted over data communication lines.
Protection methods:
Electronic sensitization of all library materials to detect unauthorized removals.
Encrypt sensitive data transmissions.

Sabotage
Explanation: Physical destruction of hardware or software.
Protection methods:
Terminated employees immediately denied access to all computer equipment.
Maintain backup files securely off-site.

Theft of computer time
Explanation: Unauthorized use of a company's computer for personal or outside business activities.
This can result in the computer being fully utilized and lead to unnecessary computer capacity
upgrades.
Protection methods:
Assigning blocks of time to processing jobs and using the operating system to block out the user
once the allocated time is exhausted. Any additional time would require special authorization.
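The "periodic comparisons of on-line programs to off-line backup copies" control above is easy to automate: hash every production program file, hash the backup copy taken at the last authorized release, and report any difference. The script below is an added example, not from the textbook; the program names and file contents are constructed, and the hashing and comparison logic is a generic integrity-manifest check rather than any particular product.

```python
"""Periodic comparison of on-line (production) programs against an off-line
backup copy, as a detective control for unauthorized program changes.

Added example; the file names and contents below are constructed."""
import hashlib
from pathlib import Path
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each relative path to the SHA-256 of its contents."""
    return {path: sha256_hex(content) for path, content in files.items()}


def manifest_from_directory(root: str) -> Dict[str, str]:
    """Same as build_manifest, but walks a real directory tree (for an actual run)."""
    root_path = Path(root)
    return {
        str(p.relative_to(root_path)): sha256_hex(p.read_bytes())
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report programs whose hash changed, programs present only on-line,
    and programs missing from the on-line copy."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


# Constructed sample: the off-line backup taken at the last authorized release ...
BACKUP_COPY = {
    "payroll/calc_pay.cbl": b"COMPUTE GROSS = HOURS * RATE.\n",
    "payroll/print_checks.cbl": b"WRITE CHECK-RECORD.\n",
    "ar/post_receipts.cbl": b"ADD AMOUNT TO CUSTOMER-BALANCE.\n",
}
# ... and what is currently running on-line: calc_pay.cbl gained a line that is
# not in the backup, and a program nobody authorized has appeared.
ONLINE_PROGRAMS = {
    "payroll/calc_pay.cbl": b"COMPUTE GROSS = HOURS * RATE.\nADD 1 TO GROSS.\n",
    "payroll/print_checks.cbl": b"WRITE CHECK-RECORD.\n",
    "ar/post_receipts.cbl": b"ADD AMOUNT TO CUSTOMER-BALANCE.\n",
    "payroll/bonus_patch.cbl": b"ADD 1 TO BONUS.\n",
}


def periodic_comparison() -> Dict[str, List[str]]:
    """The control as it would be scheduled: baseline manifest vs. current manifest."""
    return compare_manifests(build_manifest(BACKUP_COPY), build_manifest(ONLINE_PROGRAMS))


if __name__ == "__main__":
    for category, paths in periodic_comparison().items():
        print(f"{category}: {paths}")
```

The baseline manifest must itself be kept where programmers cannot write to it (the "independent file librarian" role above), otherwise an attacker who changes a program can simply re-hash it; in practice the baseline is signed or stored on read-only media and the comparison is run by internal audit, not by the programming staff.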

5.4

Environmental, institutional, or individual pressures and opportune situations, which are present to
some degree in all companies, motivate individuals and companies to engage in fraudulent financial
reporting. Fraud prevention and detection require that pressures and opportunities be identified and
evaluated in terms of the risks they pose to a company. Adapted from the CMA Examination.

a. Identify two company pressures that would increase the likelihood of fraudulent financial reporting.

• Sudden decreases in revenue or market share

• Financial pressure from bonus plans that depend on short-term economic performance

• Intense pressure to meet/exceed earnings expectations or improve reported performance

• Poor or deteriorating financial position

b. Identify three corporate opportunities that make fraud easier to commit and detection less likely.

• Weak or nonexistent internal controls

• Failure to enforce/monitor internal controls

• Managerial carelessness, inattention to details

• Dominant and unchallenged management

• Ineffective oversight by board of directors


• Nonexistent or ineffective internal auditing staff

• Lack of proper authorization procedures

• No physical or logical security system

• No audit trails

c. For each of the following, identify the external environmental factors that should be considered in
assessing the risk of fraudulent financial reporting

• The company’s industry

o Specific industry trends such as overall demand for the industry's products, economic
events affecting the industry, and whether the industry is expanding or declining.

• The company’s business environment

o Sensitivity of the company's operations and profits to economic and political factors.

• The company’s legal and regulatory environment

o The existence of significant litigation.

d. What can top management do to reduce the possibility of fraudulent financial reporting?

• Set the proper tone to establish a corporate environment contributing to the integrity of the
financial reporting process.

• Assess the risk of fraudulent financial reporting that these factors can cause within the
company.

• Enforce the internal controls

5.5

For each of the following independent cases of employee fraud, recommend how to prevent similar
problems in the future.

A. Abnormal inventory shrinkage in the audiovisual department at a retail chain store led internal
auditors to conduct an in-depth audit of the department. They learned that one customer frequently
bought large numbers of small electronic components from a certain cashier. The auditors discovered
that they had colluded to steal electronic components by not recording the sale of items the customer
took from the store.

Collusion fraud is fraud where two or more people work together to commit a fraudulent act. It
is hard to discover because the people involved usually take precautions not to be caught. One
way to prevent this case of fraud is by rotating employees to different job stations, which will
prevent one employee from being able to commit fraud without it being detected. Another way is
to separate the areas for picking up and paying for expensive merchandise.

B. During an unannounced audit, auditors discovered a payroll fraud when they, instead of department
supervisors, distributed paychecks. When the auditors investigated an unclaimed paycheck, they
discovered that the employee quit four months previously after arguing with the supervisor. The
supervisor continued to turn in a time card for the employee and pocketed his checks.

Payroll fraud can be prevented by updating employee records weekly or monthly, separating the
duties of the person who distributes the checks from the person entering the time sheets, and
checking payroll checks against the list of active employees.
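The last control in that answer, checking payroll checks against active employees, is a reconciliation between two systems of record: the HR roster (hire and termination dates) and the payroll register (checks issued per pay period). The script below is an added example, not part of the homework; the employee ids, supervisors, dates and amounts are constructed. It flags every check whose pay period falls outside the employee's active dates, and counts flagged checks per time-card submitter, since a cluster under one supervisor is the pattern in case B.

```python
"""Check payroll checks against the roster of active employees, as a detective
control for ghost-employee payroll fraud.

Added example; employees, checks and supervisor ids below are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    hired: date
    terminated: Optional[date]      # None while still employed


@dataclass(frozen=True)
class PayrollCheck:
    check_no: str
    emp_id: str
    period_end: date                # last day of the pay period the check covers
    amount: float
    submitted_by: str               # supervisor who turned in the time card


def active_on(emp: Employee, day: date) -> bool:
    """True if HR shows the employee on the payroll on the given day."""
    return emp.hired <= day and (emp.terminated is None or day <= emp.terminated)


def flag_checks(roster: List[Employee], register: List[PayrollCheck]) -> List[Tuple[str, str]]:
    """Return (check_no, reason) for each check that does not match an active employee."""
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for chk in register:
        emp = by_id.get(chk.emp_id)
        if emp is None:
            findings.append((chk.check_no, "employee id not in HR roster"))
        elif chk.period_end < emp.hired:
            findings.append((chk.check_no, f"pay period ends before hire date {emp.hired}"))
        elif not active_on(emp, chk.period_end):
            findings.append((chk.check_no, f"employee terminated {emp.terminated}, before period end"))
    return findings


def flagged_by_submitter(roster: List[Employee], register: List[PayrollCheck]) -> Dict[str, int]:
    """Count flagged checks per time-card submitter to surface a supervisor pattern."""
    flagged = {no for no, _ in flag_checks(roster, register)}
    return dict(Counter(c.submitted_by for c in register if c.check_no in flagged))


# Constructed sample data: E102 quit in March, yet time cards kept coming in under S7.
ROSTER = [
    Employee("E100", "Ada Ortiz", date(2019, 5, 1), None),
    Employee("E101", "Ben Kim", date(2021, 2, 15), None),
    Employee("E102", "Cara Lee", date(2020, 8, 3), date(2023, 3, 10)),
]
REGISTER = [
    PayrollCheck("C5001", "E100", date(2023, 7, 14), 1850.00, "S7"),
    PayrollCheck("C5002", "E101", date(2023, 7, 14), 1720.00, "S7"),
    PayrollCheck("C5003", "E102", date(2023, 7, 14), 1600.00, "S7"),
    PayrollCheck("C4903", "E102", date(2023, 6, 30), 1600.00, "S7"),
    PayrollCheck("C4804", "E102", date(2023, 6, 16), 1600.00, "S7"),
    PayrollCheck("C5004", "E999", date(2023, 7, 14), 1500.00, "S3"),   # id unknown to HR
]

if __name__ == "__main__":
    for check_no, reason in flag_checks(ROSTER, REGISTER):
        print(f"{check_no}: {reason}")
    print("flagged per submitter:", flagged_by_submitter(ROSTER, REGISTER))
```

The check only works if the HR roster is maintained independently of payroll entry, which is the "update employee records" and segregation points in the answer; if the same supervisor can both keep an employee on the roster and submit the time card, the reconciliation has nothing independent to compare against.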

C. Auditors discovered an account payable clerk who made copies of supporting documents and used
them to support duplicate supplier payments. The clerk deposited the duplicate checks in a bank
account she had opened using a name similar to the supplier.

To prevent accounts payable fraud, the company should pay only from original invoices and not from
supporting documents, have a designated person with the authority to sign checks for vendors,
handle payments and invoices from vendors electronically instead of depositing paper checks and
written documents at the bank, and put an alert on the company bank account saying that a payment
should not be made if it is requested on the basis of supporting documents.

Chapter 6

6.1

A few years ago, news began circulating about a computer virus named Michelangelo that was set to
“ignite” on March 6, the birthday of the famous Italian artist. The virus attached itself to the computer’s
operating system boot sector. On the magical date, the virus would release itself, destroying all of the
computer’s data. When March 6 arrived, the virus did minimal damage. Preventive techniques limited
the damage to isolated personal and business computers. Though the excitement surrounding the virus
was largely illusory, Michelangelo helped the computer-using public realize its systems’ vulnerability to
outside attack.

a. What is a computer virus? Cite at least three reasons why no system is completely safe from a
computer virus.

Computer virus: a segment of executable code that attaches itself to an application program or some
other executable component. When the hidden program is triggered, it makes unauthorized alterations
in the way a system operates.

There are a number of reasons why no one is completely safe from a virus:

• Viruses are contagious and are easily spread from one system to another. A virus spreads
when users share programs or data files, download data from the Internet, or when they access
and use programs from external sources such as suppliers of free software.

• Many viruses lie dormant for extended periods without doing any specific damage except
propagating themselves. The hidden program leaves no external signs of infection while it is
reproducing itself.

•Many computer viruses have long lives because they can create copies of themselves faster
than the virus can be destroyed.

b. Why do viruses represent a serious threat to information systems? What damage can a virus do to a
computer system?

Viruses are a significant threat to information systems because they make unauthorized
alterations to the way a system operates and cause widespread damage by destroying or
altering data or programs. If adequate backup is not maintained, viral damage may also mean
permanent loss of important or unique information, or time-consuming reentry of the lost
information.

A virus can cause significant damage when it takes control of the computer, destroys the hard
disk's file allocation table, and makes it impossible to boot (start) the system or to access data
on a hard drive. They can also intercept and change transmissions, print disruptive images or
messages on the screen, or cause the screen image to disappear. As the virus spreads, it takes
up space, clogs communications, and hinders system performance.

c. How does a virus resemble a Trojan horse?

A virus is like a Trojan horse in that it can lie dormant for extended periods, undetected until
triggered by an event or condition.

d. What steps can be taken to prevent the spread of a computer virus?

• Install reputable and reliable antivirus software that scans for, identifies, and destroys viruses.
Only use one antivirus program, as multiple programs conflict with each other.

• Do not fall for ads touting free anti-virus software, as much of it is fake and contains malware.
Some hackers create websites stuffed with content about breaking news so that the site appears
on the first page of search results. Anyone clicking on the link is confronted with a pop-up with a
link to fake anti-virus software.

• Do not fall for pop-up notices that warn of horrible threats and offer a free scan of your
computer. Although no scan actually takes place, the program reports dozens of dangerous
infections and tells you to purchase and download their fake anti-virus program to clean it up.

• Make sure that the latest versions of the antivirus programs are used. National City Bank in
Cleveland, Ohio, installed some new laptops. The manufacturer and the bank checked the
laptops for viruses but did not use the latest antivirus software. A virus spread from the laptop
hard drives to 300 network servers and 12,000 workstations. It took the bank over two days to
eradicate the virus from all bank systems.

• Scan all incoming e-mail for viruses at the server level as well as when it hits users’ desktops.

• Do not download anything from an email that uses noticeably bad English, such as terrible
grammar and misspelled words. Real companies hire people to produce quality writing. Many
viruses come from overseas. English is obviously not their first language.

• All software should be certified as virus-free before loading it into the system. Be wary of
software from unknown sources, as they may be virus bait—especially if their prices or
functionality sound too good to be true.

• Deal with trusted software retailers.

• Some software suppliers use electronic techniques to make tampering evident. Ask if the
software you are purchasing has such protection.

• Check new software on an isolated machine with virus detection software. Software direct
from the publisher has been known to have viruses.

• Have two backups of all files. Data files should be backed up separately from programs to avoid
contaminating backup data.

• If you use flash drives, diskettes, or CDs, do not put them in strange machines as they may
become infected. Do not let others use those storage devices on your machine. Scan all new
files with antiviral software before any data or programs are copied to your machine.

6.2

A. What should Justin do about these e-mails?

Justin should alert all employees to the potential fraud involving Big Bank: no information
should be given to the website, all such e-mails should be deleted on receipt without being
opened, Big Bank should be notified in person at a branch, and the company should develop a way
to prevent this fraud in the future.

B. What should Big Bank do about this e-mail?

Big Bank should notify all clients of the fraud by a method other than e-mail, work with the
authorities and its IT department to discover how the information was leaked, demand through law
enforcement that the culprit stop, set up a way for clients to report their suspicions to the
bank, and develop ways to stop this from happening again.

C. Identify the computer fraud and abuse technique illustrated.

The computer fraud and abuse technique illustrated was phishing: a communication that asks
recipients to disclose confidential information by responding to an e-mail or visiting a
Web site.

6.4

Match the internet related computer fraud and abuse technique in the left column with the scenario in
the right column. Terms may be used once, more than once, or not at all.
1. Adware: i. Software that collects consumer surfing and purchasing data.
2. Botnet: o. A network of hijacked computers.
3. Bot herder: r. Hackers that control hijacked computers.
4. Click fraud: u. Inflating advertising revenue by clicking online ads numerous times.
5. DoS: t. Overloading an Internet service provider’s e-mail server by sending hundreds of e-mail
messages per second from randomly generated false addresses.
6. E-mail threats: c. Sending an e-mail instructing the recipient to do something or they will suffer
adverse consequences.
7. Hijacking: l. Gaining control of a computer to carry out unauthorized illicit activities.
8. Internet misinformation: s. Circulating lies or misleading information using the world’s largest
network.
9. Internet terrorism: m. Using the Internet to disrupt communications and e-commerce.
10. Key logger: q. Use of spyware to record a user’s keystrokes.
11. Pharming: n. Diverting traffic from a legitimate Web site to a hacker’s Web site to gain access to
personal and confidential information.
12. Phishing: j. E-mails that look like they came from a legitimate source but are actually from a
hacker who is trying to get the user to divulge personal information.
13. Spamming: e. E-mailing an unsolicited message to many people at the same time.
14. Splog: h. A spam blog that promotes affiliated Web sites to increase their Google PageRank.
15. Spyware: a. Software that monitors and reports a user’s computing habits.
16. Spoofing: k. Making an e-mail look like it came from someone else.
17. Typosquatting: f. Creating Web sites with names similar to real Web sites so users making errors
while entering a Web site name are sent to a hacker’s site.

Chapter 7

7.2

Explain how the principle of separation of duties is violated in each of the following situations. Also,
suggest one or more procedures to reduce the risk and exposure highlighted in each example.

a. A payroll clerk recorded a 40-hour workweek for an employee who had quit the previous week. He
then prepared a paycheck for this employee, forged her signature, and cashed the check.
PROBLEM: Segregation of duties is violated here because the payroll clerk had the ability to
record time worked and to prepare the payroll check (custody). This allowed the payroll clerk to
both commit and conceal the fraud. The payroll clerk ignored the authorization process or had
the authority to authorize the payment.

SOLUTION: These three functions should be segregated. One person should authorize
payments, another should record the payments, a third should prepare the check, and a fourth
should sign it.

b. While opening the mail, a cashier set aside, and subsequently cashed, two checks payable to the
company on account.

PROBLEM: The cashier who opened the mail had custody of the cash. The cashier opening the
mail can pocket the checks and forge a signature, never giving the authorized endorser a chance
to be involved. For this reason, many companies have the mail opened by two people or have
those opening the mail videotaped.

SOLUTION: While the cashier can get away with this fraud for a few weeks or months, the
missing checks will eventually be noticed – usually when the customer complains – because the
cashier has no way to conceal the fraud (recording function). An investigation would include an
examination of the stolen checks and that could lead to the cashier as the person cashing the
checks. To be successful in the long term, the cashier needs access to the recording function to
indicate that customer accounts are paid so that their complaints do not start an investigation.

c. A cashier prepared a fictitious invoice from a company using his brother-in-law’s name. He wrote a
check in payment of the invoice, which the brother-in-law later cashed.

PROBLEM: Segregation of duties is violated here because the cashier had the ability to both
write the check (custody) and approve the invoice for payment (authorization).

SOLUTION: The functions of authorizing invoices for payment and preparing checks for signature
should be organizationally independent.

d. An employee of the finishing department walked off with several parts from the storeroom and
recorded the items in the inventory ledger as having been issued to the assembly department.
PROBLEM: Employees can commit and conceal fraud when they have access to physical
inventory (custody) and to inventory records (recording).

SOLUTION: This can be prevented by restricting storeroom access to authorized employees.
Likewise, access to inventory records should be limited to authorized employees. Where
possible, no storeroom employee should have access to both the physical inventory and the
inventory records.

e. A cashier cashed a check from a customer in payment of an account receivable, pocketed the cash,
and concealed the theft by properly posting the receipt to the customer’s account in the accounts
receivable ledger.

PROBLEM: The cashier had custody of the checks and was responsible for posting (recording) to
the accounts receivable ledger.

SOLUTION: Custody of the checks and posting to the Accounts Receivable Ledger should be
organizationally independent. In addition, there should be an independent reconciliation of the
three items:

1. dollar amounts of the checks received

2. dollar amounts of the checks deposited in the bank

3. dollar amounts credited to customer accounts.

f. Several customers returned clothing purchases. Instead of putting the clothes into a return bin to be
put back on the rack, a clerk put the clothing in a separate bin under some cleaning rags. After her shift,
she transferred the clothes to a gym bag and took them home.

PROBLEM: The clerk was authorized to accept the return, grant credit, and had custody of the
inventory. It is also possible that the clerk may have had responsibility to record the returns, but
did not do so to cover the theft.

SOLUTION: All purchase returns should be documented by preparing a customer receipt and
recording the return in a purchase returns journal. No cash or credit can be given without the
return being authorized by a supervisor and recorded in the data files recorded in the cash
register.

The purchase returns area should be kept clean and orderly so that returns cannot be hidden among
excess returns. Employees should not be allowed to have gym bags or other personal items that could
conceal stolen items in work areas.

g. A receiving clerk noticed that four cases of MP3 players were included in a shipment when only three
were ordered. The clerk put the extra case aside and took it home after his shift ended.

PROBLEM: The receiving clerk had custody of arriving goods, counted the goods, and compared
the count to a purchase order. The problem is that, while the receiving clerk did not record the
purchase order, she did have access to a document that showed the amount ordered. This
allows her to steal any excess items shipped without having to record anything to conceal it.

SOLUTION: Purchase orders sent to the receiving area should not indicate how many items or
cases were ordered, thus helping ensure that all shipments are counted and recorded. The
purchasing department should reconcile items received against items ordered.

h. An insurance claims adjuster had check signing authority of up to $6,000. The adjuster created three
businesses that billed the insurance company for work not performed on valid claims. The adjuster
wrote and signed checks to pay for the invoices, none of which exceeded $6,000.

PROBLEM: The adjuster had authorization to add vendors to vendor master file, authorization to
write checks up to $6,000, and had custody of the signed checks. Apparently, the adjuster
also had some recording duties (maintaining the vendor master file).

SOLUTION: The functions of signing checks for invoices, approving vendors, and maintaining the
vendor master file should be organizationally independent. Payments should not be made to
anyone that is not on the approved vendor list. Controls should be put into place to ensure that
employees cannot add an unauthorized or unapproved vendor to the vendor master file.

i. An accounts payable clerk recorded invoices received from a company that he and his wife owned and
authorized their payment.
PROBLEM: The accounts payable clerk had recording duties and he authorized payments.

SOLUTION: The functions of recording invoices and authorizing payments should be
organizationally independent.

In addition, employees should only be allowed to purchase goods and services from approved vendors.
Controls should be put into place to ensure that employees cannot add an unauthorized or unapproved
vendor to the vendor master file. The company needs to establish policies and a code of conduct that
prohibits conflicts of interest and related party transactions, such as buying goods from a company in
which you have an ownership interest.

j. A cashier created false purchase return vouchers to hide his theft of several thousand dollars from his
cash register.

PROBLEM: The cashier had recording (creating return vouchers), custody (cash in the cash
register), and authorization (authorize the return of goods) duties.

SOLUTION: These three duties should be performed by three separate people. A cashier should
only have custody duties. Cashiers and others with access to cash should not be allowed to have
recording or authorization duties. Cashiers should not pay out on cash on purchase return
vouchers until they are authorized by a supervisor.

k. A purchasing agent received a 10% kickback of the invoice amount for all purchases made from a
specific vendor.

PROBLEM: The purchasing agent has both recording (prepare the purchase order) and
authorization (select a vendor from a list of authorized vendors) duties. The purchasing agent
gets custody of cash when the vendor gives her the kickback.

SOLUTION: Purchasing agents should only be allowed to purchase goods and services from
approved vendors. Controls should be put into place to ensure that employees cannot add an
unauthorized or unapproved vendor to the vendor master file.
Vendor performance with respect to reliability, quality of goods, and prices charged should be tracked
and periodically reviewed. Prices should periodically be compared to those charged by other vendors to
make sure they are fair, competitive, and reasonable. Analytical procedures can be performed to track
the percentage of business a purchasing agent gives to vendors.

The company needs to establish policies and a code of conduct that prohibits conflicts of interest,
related party transactions, and kickbacks.
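Every case in 7.2 is the same finding: one person holds two or more of the three duty classes (authorization, recording, custody) within one process. That rule can be checked mechanically against the permissions an application actually grants. The script below is an added example, not from the textbook; the permission names, process names and users are constructed, and the classification table stands in for an organization's own control matrix. It provides both the detective check (review all current assignments) and the preventive one (refuse a grant that would introduce a second duty class).

```python
"""Segregation-of-duties conflict check: flag any user who holds more than one of
the duty classes authorization, recording and custody within the same process.

Added example; permission names, processes and users are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

AUTHORIZATION, RECORDING, CUSTODY = "authorization", "recording", "custody"

# Each application permission is classified as one duty class within one process.
# Constructed mapping; a real one comes from the organization's control matrix.
PERMISSION_CLASSES: Dict[str, Tuple[str, str]] = {
    "ar.open_mail":       ("cash_receipts", CUSTODY),
    "ar.endorse_checks":  ("cash_receipts", CUSTODY),
    "ar.post_receipt":    ("cash_receipts", RECORDING),
    "ap.enter_invoice":   ("purchases", RECORDING),
    "ap.add_vendor":      ("purchases", RECORDING),
    "ap.approve_payment": ("purchases", AUTHORIZATION),
    "ap.sign_check":      ("purchases", CUSTODY),
    "inv.storeroom_key":  ("inventory", CUSTODY),
    "inv.post_ledger":    ("inventory", RECORDING),
}


def duties_by_process(permissions: Iterable[str]) -> Dict[str, Set[str]]:
    """Collapse a permission set into the duty classes held per process."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for perm in permissions:
        if perm not in PERMISSION_CLASSES:
            raise ValueError(f"unclassified permission: {perm}")
        process, duty = PERMISSION_CLASSES[perm]
        out[process].add(duty)
    return out


def sod_conflicts(permissions: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Processes in which this permission set combines two or more duty classes."""
    return [(proc, sorted(duties))
            for proc, duties in sorted(duties_by_process(permissions).items())
            if len(duties) > 1]


def would_create_conflict(current: Iterable[str], new_permission: str) -> bool:
    """Preventive check at grant time: would the new permission add a second duty
    class to a process in which the user already holds a different one?"""
    process, duty = PERMISSION_CLASSES[new_permission]
    existing = duties_by_process(current).get(process, set())
    return any(d != duty for d in existing)


def review_users(assignments: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Detective check over all users; only users with at least one conflict are returned."""
    report = {}
    for user, perms in assignments.items():
        conflicts = sod_conflicts(perms)
        if conflicts:
            report[user] = conflicts
    return report


# Constructed assignments mirroring cases e and i above.
USERS = {
    "cashier_e": {"ar.open_mail", "ar.endorse_checks", "ar.post_receipt"},   # custody + recording
    "ap_clerk_i": {"ap.enter_invoice", "ap.approve_payment"},                 # recording + authorization
    "storeroom": {"inv.storeroom_key"},                                       # custody only
    "ledger_clerk": {"inv.post_ledger"},                                      # recording only
}

if __name__ == "__main__":
    for user, conflicts in review_users(USERS).items():
        print(f"{user}: {conflicts}")
    print("grant ap.sign_check to approver?", would_create_conflict({"ap.approve_payment"}, "ap.sign_check"))
```

Two limits of this check are worth keeping in mind. Duties held through a second account, a shared login or a group membership are invisible unless every effective permission is expanded before classification, and collusion (case A in 5.5) crosses user boundaries, so a single-user matrix never flags it; that is why the textbook pairs segregation with independent reconciliation and job rotation rather than relying on it alone.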

7.3

One function of the AIS is to provide adequate controls to ensure the safety of organizational assets,
including data. However, many people view control procedures as “red tape.” They also believe that,
instead of producing tangible benefits, business controls create resentment and loss of company
morale. Discuss this position.

Well-designed controls should not be viewed as “red tape” because they can actually improve both
efficiency and effectiveness. The benefits of business controls are evident if one considers the losses
that frequently occur due to the absence of controls.

Consider a control procedure mandating weekly backup of critical files. Regular performance of this
control prevents the need to spend a huge amount of time and money recreating files that are lost when
the system crashes, if it is even possible to recreate the files at all. Similarly, control procedures that
require workers to design structured spreadsheets can help ensure that the spreadsheet decision aids
are auditable and that they are documented well enough so that other workers can use them.

It is probably impossible to eliminate resentment or loss of morale among all employees, but these
factors may be minimized if controls are administered fairly and courteously.

Of course, there is a cost-benefit tradeoff in implementing internal controls. If an organization has too
many controls, this may justifiably generate resentment and loss of morale among employees. Controls
having only marginal economic benefit may be rejected for this reason.

Another factor is the obtrusiveness of the controls. When the user sees no clear need or purpose to a
control it can appear to be there only to control them and little more than that.

When the user does not understand their purpose, controls can often provoke resentment.

7.4

In recent years, Supersmurf’s external auditors have given clean opinions on its financial statements and
favorable evaluations of its internal control systems. Discuss whether it is necessary for this corporation
to take any further action to comply with the Sarbanes–Oxley Act.

The Sarbanes-Oxley Act of 2002 (SOX) applies to publicly held companies and their auditors and was
intended to prevent financial statement fraud, make financial reports more transparent, provide
protection to investors, strengthen the internal controls at public companies, and punish executives who
perpetrate fraud.

SOX has had a material impact on the way boards of directors, management, and accountants of publicly
held companies operate. It has also had a dramatic impact on CPAs of publicly held companies and the
audits of those companies.

As a result of SOX, Supersmurf’s management and their audit committee must take a more active role in
the financial disclosure process. Some of the more prominent roles include:

Audit Committee

• Audit committee members must be on the company’s board of directors and be independent
of the company. One member of the audit committee must be a financial expert.

• Audit committees hire, compensate, and oversee any registered public accounting firm that is
employed

• Auditors report to the audit committee and not management

• Audit committees must pre-approve all audit and non-audit services provided by its auditor

Management

• The CEO and CFO at companies with more than $1.2 billion in revenue must prepare a
statement certifying that their quarterly and annual financial statements and disclosures are
fairly presented, were reviewed by management, and are not misleading.

• Management must prepare an annual internal control report that states

o Management is responsible for establishing and maintaining an adequate internal
control structure

o Management assessed the company’s internal controls and attests to their accuracy,
including notations of significant defects or material noncompliance found during their
internal control tests.

o Auditors were told about all material internal control weaknesses and fraud

o Significant changes to controls after management’s evaluation were disclosed and
corrected

• Management must base its evaluation on a recognized control framework, developed using a
due-process procedure that allows for public comment. The report must contain a statement
identifying the framework used by management to evaluate internal control effectiveness. The
most likely framework is one of those formulated by COSO and discussed in the chapter.

• SOX also specifies that a company’s auditor must attest to as well as report on management’s
internal control assessment.
