Establish an environment of integrity.
Some computer fraud experts claim that the most effective security
system is a reliance on the integrity of honest company employees. Since
85-90% of computer frauds involve insider jobs, employees might be the
greatest control strength, but they are also the greatest weakness [9].
However, any steps taken to increase employee integrity and reduce the
likelihood of employees' committing fraud can yield big returns.
The most important consideration is to hire and retain honest
people. A great deal of fraud can be eliminated by carefully selecting
employees with high integrity. Companies should have an applicant fill
out a written application, solicit resumes and letters of reference, and
obtain credit bureau reports on the applicant. Employees should know the
rules and standards required by the company. The company should prepare
clearly stated policies that explicitly describe honest and acceptable
behavior, covering all issues from conflicts of interest to the
acceptance of gratuities. The company should consistently recognize and
publicly reward honesty. A high standard of integrity accompanied by a
policy of recognition and rewards will reduce the temptation to commit
fraud.
Often frauds committed by employees are discovered when illness or
an accident suddenly forces them to take time off. Therefore, it is
important that all employees who have custody of assets or are
responsible for sensitive record keeping or authorization functions take
an annual vacation. Someone else should perform these duties during
their absence. Periodic rotation of duties among key employees can
achieve similar results. All dishonest acts should be investigated, and
the guilty should be prosecuted and dismissed immediately. The very
existence of these policies deters fraud and enhances internal control.
Finally, a company should be careful when dismissing employees. Unsavory
employees should be removed immediately from sensitive jobs and denied
access to the computer to prevent them from seeking retribution by
damaging the system.
Management's attitude toward internal control can be a very
important fraud deterrent. Statements and actions by management become
apparent to all members of the organization. If management considers
internal control to be important, other members of the organization will
strive harder to adhere to control policies and procedures in order to
accomplish the organization's objectives. Fraud is much less likely
to occur in an environment where company employees believe that security
is everyone's business.
Fraud can be deterred by effective supervision that (a) assists
employees engaged in operating or data processing tasks, (b) monitors
the effectiveness with which employees carry out their assigned tasks
and (c) safeguards assets by watching over employees who have access to
assets. Supervision is an important means of control in organizations
that are too small to afford adequate separation of duties for internal
control purposes.
Design internal controls to prevent fraudulent reporting. An
effective internal control system can ensure the accuracy, integrity and
safety of all information systems resources. The ultimate objective is
to enhance the reliability and integrity of an organization's
financial reporting systems. The overall responsibility for a secure
system lies with top management, but the design of the system usually
falls to systems analysts and often end-users. The security officer and
the operations staff of an organization are both responsible for
ensuring that control procedures are followed.
To develop an effective internal control system, a company must
determine the potential dollar loss from software errors, hardware
malfunctions, unintentional accidents and computer fraud. Next,
management must determine the controls needed to detect any danger.
Designers must prioritize their objectives and select the most efficient
controls to achieve the desired objectives. The company should evaluate
each control on a cost/benefit basis and implement those that are most
cost-effective.
Control procedures are preventive, detective or corrective in
nature. Preventive controls are the most important, because they
eliminate problems before they occur. Many control problems can be
prevented by hiring honest, well-trained individuals, appropriately
segregating duties, effectively controlling physical access to
facilities, utilizing well-designed documents and authorizing
transactions.
Detective controls discover problems after they arise and include
double checking calculations, periodic performance reporting that
highlights variances between actual and standard costs, reporting past
due accounts or out-of-stock inventory items, preparing bank
reconciliations and verifying the use of pre-numbered documents.
Detective control procedures are a necessary part of any effective
control system because all potential control problems cannot be
prevented.
Corrective controls remedy problems discovered by detective
controls. They include procedures to identify the cause of a problem,
correct errors arising from the problem and modify the system so that
future errors may be minimized or eliminated. One such procedure is to
maintain backup copies of key transaction and master files so that
damaged or destroyed files can be restored.
Assess the risk of fraudulent reporting.
The most effective internal control is to segregate tasks among
employees so that no single employee can both perpetrate and conceal a
fraud or an unintentional error. In particular, the authorization,
recording and custody of assets functions must be separated to
effectively segregate the duties. In highly integrated computer-based
accounting information systems, procedures that might otherwise be
performed by separate individuals may be combined within the computer
processing function. Any person who has unrestricted access to the
computer can both perpetrate and conceal fraud.
To compensate for potential control weaknesses, an organization
must effectively segregate duties within the information systems
function. Authority and responsibility must be clearly divided among the
following functions:
* Application systems analysis and programming
* Computer operations
* Systems programming
* Transaction authorization
* File library maintenance and data control [9].
With an effective separation of duties, it will be difficult for an
employee to embezzle funds. Collusion or conspiracy by two or more
persons to commit fraud is still possible, although a well-designed
system can minimize the chances of successful collusion.
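The segregation rule above can be checked mechanically against a duty roster. The following is an added example, not part of the original article: the duty identifiers, the sample roster and the vacation-cover model (a stand-in temporarily inherits the absent person's duties) are assumptions made here, and only pairs within the same duty group are treated as incompatible.

```python
from itertools import combinations

# Duty groups named in the article; the identifiers are labels chosen for this example.
IS_FUNCTIONS = frozenset({
    "analysis_programming", "computer_operations", "systems_programming",
    "transaction_authorization", "library_data_control",
})
ASSET_DUTIES = frozenset({"authorization", "recording", "custody"})
GROUPS = (IS_FUNCTIONS, ASSET_DUTIES)


def effective_duties(assignments, coverage=None):
    """Merge each person's own duties with duties covered for absent staff.

    coverage maps absent person -> stand-in (assumed model of vacation cover).
    People listed as absent hold no duties while away.
    """
    coverage = coverage or {}
    merged = {p: set(d) for p, d in assignments.items() if p not in coverage}
    for absent, stand_in in coverage.items():
        if stand_in in coverage:
            raise ValueError(f"{stand_in} is absent and cannot cover for {absent}")
        merged.setdefault(stand_in, set()).update(assignments.get(absent, ()))
    return merged


def sod_conflicts(assignments, coverage=None):
    """Return sorted (person, duty_a, duty_b) for each incompatible pair one person holds."""
    findings = []
    for person, duties in effective_duties(assignments, coverage).items():
        unknown = duties - IS_FUNCTIONS - ASSET_DUTIES
        if unknown:
            raise ValueError(f"unknown duties for {person}: {sorted(unknown)}")
        for group in GROUPS:
            # Any two duties from the same group held by one person is a conflict.
            for a, b in combinations(sorted(duties & group), 2):
                findings.append((person, a, b))
    return sorted(findings)


# Constructed sample roster (not real data).
SAMPLE = {
    "alice": {"authorization"},
    "bob": {"recording"},
    "carol": {"custody"},
    "dave": {"analysis_programming"},
    "erin": {"computer_operations", "systems_programming"},
}

if __name__ == "__main__":
    print(sod_conflicts(SAMPLE))                    # standing roster
    print(sod_conflicts(SAMPLE, {"carol": "bob"}))  # bob covers carol's vacation
```

Running the check with a proposed cover assignment before a vacation starts shows whether the stand-in would temporarily hold both recording and custody.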
A second technique for minimizing fraud risk is to intensify
internal audits. Most crimes go undetected and often last for some time
before being discovered. One way to increase the likelihood of detecting
fraud is to conduct more frequent internal audits [7,10]. Internal
auditors can provide an independent appraisal of the effectiveness of
internal controls and the quality of managerial performance in carrying
out assigned responsibilities. Internal auditing involves:
* A review of the reliability and integrity of financial and
operating information
* A review of the controls employed to safeguard assets
* An assessment of employees' compliance with management
policies, procedures and applicable laws and regulations
* An evaluation of the efficiency and effectiveness with which
management achieves its organizational objectives.
For internal audits to be effective, it is important to have a
competent internal audit department composed of honest individuals. The
ethical values of an organization play an important role in both
detecting and minimizing the occurrences of fraudulent activities.
Conclusion
The proliferation of computer technology and associated crimes has
created a challenge for corporate managers and imposed a threatening
extension of an auditor's responsibility to discover fraud. The
AICPA's new audit standard on fraud, SAS No. 82, is designed to
help auditors detect material fraud resulting from fraudulent financial
reporting and misappropriation of assets and also to clarify for users
and practitioners the auditors' responsibilities for detecting
fraud. Auditors are now required to plan and perform audits to obtain
reasonable assurance that financial statements are free from material
misstatement caused by error or fraud.
Since unethical employees commit most fraudulent activities, the
best way to minimize fraud is to stop them. Corporate practices to
prevent employee fraud include hiring and retaining honest individuals,
establishing sound corporate ethics policies and related training
programs, monitoring compliance with these policies and openly rewarding
individuals who consistently demonstrate honesty. Additionally, strong
internal controls will help in the detection of fraud, and an effective
internal audit department together with appropriate segregation of
duties will further minimize fraudulent computer activities.
References
(1.) American Institute of Certified Public Accountants.
"Consideration of Internal Control in a Financial Statement Audit:
An Amendment to SAS No. 55." Statement on Auditing Standards No.
78, New York, NY, 1995.
(2.) _____. "Consideration of Fraud in Financial Statement
Audits." Statement on Auditing Standards No. 82, New York, NY,
1997.
(3.) Collier, P. et al. "The Role of Internal Auditors in the
Prevention and Detection of Computer Fraud." Public Money &
Management, Winter 1991, pp. 61.
COPYRIGHT 1998 St. John's University, College
of Business Administration Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.