Estimates of computer fraud run as high as $9 billion a year, but
the full extent is unknown because most crimes are not reported. These
misdeeds distort the integrity of financial statements and harm both
investors and creditors. The nature of computer crime is not well-known
and difficult to detect during a conventional audit. The public and
regulators believe that auditors can and should discover fraud in the
normal course of their work. As a result, the accounting profession is
taking steps to decrease the incidence of fraud and increase the
integrity of the financial reporting process. A three-tier line of
defense to deal with computer crime includes prevention, detection and
minimization through corporate ethics policies. Financial managers and
accountants should be aware of these strategies and take appropriate
actions to minimize fraudulent activities.
Introduction
The consequences of computer fraud are significant with estimates
as high as $9 billion a year in the U.S. alone [9]. No one knows the
correct figure since most crimes go unreported. Fraudulent activities
distort the integrity of financial statements generated by corrupted
processing systems. Computer criminals are found at different levels:
data processing operators, entry clerks, accounting personnel,
programmers, supervisors and managers. Since the nature of computer
crime is not well-known, it is difficult to detect. Many business
managers and auditors are not prepared by attitude or training to detect
and prevent fraud, but the public, legislators and regulators believe
that auditors should discover computer fraud during the normal course of
their work. However, auditors have a responsibility only to develop
well-integrated and realistic approaches to detecting fraud.
To enhance the auditor's role, the Auditing Standards Board of
the American Institute of Certified Public Accountants (AICPA) recently
issued Statement on Auditing Standards (SAS) No. 82, "Consideration
of Fraud in Financial Statement Audits" [2]. The objective is to
increase the probability of detecting fraud in order to improve the
integrity of the financial reporting process. The management of a
business entity has the primary responsibility for developing internal
control systems and ethics policies that will discourage fraud and
reduce its occurrence. A three-tier line of defense can help thwart
computer fraud: prevention, detection and minimization of occurrences
through corporate ethics policies.
Characteristics of Fraud
The National Commission on Fraudulent Financial Reporting (NCFFR,
also known as the Treadway Commission) defines fraudulent financial
reporting as "intentional or reckless conduct, whether by act or
omission, that results in materially misleading financial
statements" [8]. Outsiders as well as insiders within an
organization are responsible for computer fraud. People with or without
a high level of expertise can commit fraud; however, the former are more
dangerous and more difficult to stop.
Both employees and management commit internal fraud. Between 85% and 90%
of all computer security problems involve an unethical individual inside
the corporation [6]. Unfortunately, the majority of computer crime goes
unreported because companies fear bad publicity and future attacks by
hackers who perceive a weakness in the company's security system. A
person seeking financial gain often commits employee fraud by using a
computer to illegally access payroll records to increase his salary.
Management fraud is of greater concern to independent auditors because
management is often able to override internal controls. The aim of
management fraud is to benefit the company rather than particular
individuals by intentionally reporting misleading financial data about
the company.
Treadway Commission Report
In 1987, the Treadway Commission suggested several ways to reduce
the possibility of fraudulent financial reporting:
* Identify factors of fraudulent financial reporting
* Establish an environment of integrity
* Design internal controls to prevent fraudulent reporting
* Assess the risk of fraudulent reporting.
Identify factors of fraudulent financial reporting. People with low
ethical standards are at the heart of every computer fraud [5]. To
understand why fraud occurs, known perpetrators need to be investigated.
Perpetrators are mostly white-collar criminals with technical computer
knowledge and skills, usually younger than other white-collar criminals
who do not think that they are committing a serious crime.
Research has indicated the following necessary conditions for fraud
to occur: (a) pressure or motive, (b) opportunity and (c)
rationalization [6,9,10]. First, a person's motivation for committing fraud
is due to financial or work-related problems, such as strong feelings of
resentment, being taken advantage of or being underpaid. Other
motivations include family or peer pressure and the challenge of
"beating the system" [9]. Second, a company's internal
controls and/or its computer security system are weak and provide the
perpetrator an opportunity to commit fraud. Finally, most perpetrators
consider themselves to be honest and upright citizens, even when they
break the law. They rationalize that their fraudulent action is more
important than honesty and integrity.
Society has become increasingly dependent on computerized
information systems, and these systems have grown more complex in order
to meet an increasing need for information. As the complexity of these
systems and society's dependence on them increase, companies face a
growing risk of their security systems being compromised. Computer fraud
is serious and will continue to increase with advances in technology.
Organizations and experts who track computer fraud have different
estimates of how serious the problem is. Estimates range from $300
million to $9 billion a year and from an average of $50,000 to
over $1 million per incident [9]. The FBI estimates that only
one percent of all computer crime is detected -- other estimates begin
at 25%. No one is sure how much is lost to computer fraud
annually.
Studies have examined cases of computer fraud to determine the
kinds of assets stolen and the approaches used by perpetrators. The
results indicate that there are many different types of fraud and ways
to commit them [4,9]. One study found that:
* 44% of computer frauds involve theft of money
* 18% involve illegal trespass, theft of services and other
miscellaneous acts
* 16% involve damage to software
* 12% involve alterations to data
* 10% involve theft of information.
One way to assess computer fraud is to evaluate where and how it
occurs in the data processing system -- input, processor, computer
software, data storage or output stage.
Altering computer input is the most popular type of fraud, because
it is the simplest to commit [3]. It requires little, if any, computer
skills, and perpetrators only need to know how the system operates in
order to cover their tracks. For example to steal inventory, a
perpetrator would enter data to show that the stolen inventory had been
scrapped from the system.
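As an added example, not taken from the original article, the following Python script shows the kind of detective control an auditor or financial manager could run over an extract of inventory-adjustment records to surface the input-stage scheme described above. It flags scrap entries that were entered and approved by the same person, entries with no recorded approver or disposal ticket, and any operator whose scrap volume dominates the period. The record layout, field names, threshold and sample records are all constructed for illustration and do not correspond to any particular accounting system.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryAdjustment:
    """One inventory-adjustment record as an audit extract might list it.
    The field set is constructed for this example."""
    record_id: str
    item: str
    quantity: int
    reason: str        # e.g. "SCRAP" or "COUNT_CORRECTION"
    entered_by: str    # user who keyed the adjustment
    approved_by: str   # user who approved it; "" when none recorded
    approval_ref: str  # disposal/scrap ticket reference; "" when none


def audit_scrap_entries(records, max_scrap_share=0.5):
    """Return (subject, issue) findings for scrap adjustments that lack
    independent approval or whose volume is concentrated on one operator.

    max_scrap_share is the fraction of all scrapped units above which a
    single entering user is reported (constructed threshold)."""
    findings = []
    scrap_by_user = defaultdict(int)
    total_scrap = 0

    for r in records:
        if r.reason != "SCRAP":
            continue
        total_scrap += r.quantity
        scrap_by_user[r.entered_by] += r.quantity

        # Segregation of duties: the person writing stock off should not
        # also be the person approving the write-off.
        if not r.approved_by:
            findings.append((r.record_id, "scrap entry has no recorded approver"))
        elif r.approved_by == r.entered_by:
            findings.append((r.record_id, "entered and approved by the same user"))

        # Corroboration: every scrap entry should trace to a disposal ticket.
        if not r.approval_ref:
            findings.append((r.record_id, "scrap entry has no disposal ticket reference"))

    # Concentration: one operator accounting for most scrapped units in a
    # period is a red flag worth a physical count of the affected items.
    for user, qty in sorted(scrap_by_user.items()):
        if total_scrap and qty / total_scrap > max_scrap_share:
            findings.append((user, f"user entered {qty} of {total_scrap} scrapped units"))

    return findings


# Constructed sample extract: A2 is the suspicious pattern from the text
# (self-approved, no ticket, large quantity); A1 is a clean entry.
SAMPLE_RECORDS = [
    InventoryAdjustment("A1", "WIDGET-7", 5, "SCRAP", "alice", "bob", "T-100"),
    InventoryAdjustment("A2", "WIDGET-7", 40, "SCRAP", "carol", "carol", ""),
    InventoryAdjustment("A3", "GADGET-2", 2, "COUNT_CORRECTION", "alice", "bob", ""),
    InventoryAdjustment("A4", "GADGET-2", 3, "SCRAP", "alice", "", "T-101"),
]


def run_sample():
    return audit_scrap_entries(SAMPLE_RECORDS)


if __name__ == "__main__":
    for subject, issue in run_sample():
        print(f"{subject}: {issue}")
```

The three tests are deliberately independent: an entry can pass the segregation check and still fail on the missing ticket, and a well-documented operator can still trip the concentration check, which is what an auditor would then follow up with a physical count.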
Computer processor fraud occurs when the operating system is used
in an unauthorized way, which may include the theft of computer time and
services. For example, some employees use the company computer to keep
personal records or records for an outside organization. Software fraud
involves altering the software that processes data or making illegal
copies to be used in an unauthorized manner. This type of fraud is not
common because it requires specialized programming knowledge.
Data storage fraud can be perpetrated by altering, damaging,
copying, using or searching data files without authorization. Data files
can be scrambled or destroyed by perpetrators. Finally, output fraud is
achieved by stealing or misusing a system's output displayed on
monitors or printed on paper.
Fraud perpetrators can gain unauthorized access to computer systems
by pretending to be an authorized user. Once inside the system, a
perpetrator enjoys the same privileges as the legitimate user. For
example, hacking is the unauthorized access and use of computer systems,
usually achieved with only a personal computer and telecommunications
networks. Hackers are usually motivated only by the challenge of
breaking and entering, but hacking can be used to obtain unauthorized
access to confidential information.
Second, perpetrators can steal data, software or other company
resources, or data can be deleted, changed or added to the system.
Company data can be copied without leaving any indication that it was
copied. Software piracy is the unauthorized copying of software. It is
estimated that only 67% of the software currently in use in the U.S.
marketplace was purchased legally. The software industry loses between
two billion and four billion dollars per year [9].
Third, a computer virus is an executable code that attaches itself
to an application program or some other executable system component and
can do extensive damage to the contents of the computer. Viruses are
contagious and can spread rapidly when introduced into a network with a
large number of computers. Fortunately, there are virus protection
programs, some of which are free of charge. Some protection programs
remain in the computer memory and monitor system activity by searching
for any indication that a virus is trying to infiltrate the system.
Other programs detect an infection soon after it starts. Finally, virus
identification programs can scan all executable programs to find and
remove known viruses from a system.
COPYRIGHT 1998 St. John's University, College of Business Administration. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.