Estimates of computer fraud run as high as $9 billion a year, but
the full extent is unknown because most crimes are not reported. These
misdeeds distort the integrity of financial statements and harm both
investors and creditors. The nature of computer crime is not well understood,
and it is difficult to detect during a conventional audit. The public and
regulators believe that auditors can and should discover fraud in the
normal course of their work. As a result, the accounting profession is
taking steps to decrease the incidence of fraud and increase the
integrity of the financial reporting process. A three-tier line of
defense to deal with computer crime includes prevention, detection and
minimization through corporate ethics policies. Financial managers and
accountants should be aware of these strategies and take appropriate
actions to minimize fraudulent activities.
Introduction
The consequences of computer fraud are significant with estimates
as high as $9 billion a year in the U.S. alone [9]. No one knows the
correct figure since most crimes go unreported. Fraudulent activities
distort the integrity of financial statements generated by corrupted
processing systems. Computer criminals are found at different levels:
data processing operators, entry clerks, accounting personnel,
programmers, supervisors and managers. Since the nature of computer
crime is not well-known, it is difficult to detect. Many business
managers and auditors are not prepared by attitude or training to detect
and prevent fraud, but the public, legislators and regulators believe
that auditors should discover computer fraud during the normal course of
their work. However, auditors have a responsibility only to develop
well-integrated and realistic approaches to detecting fraud.
To enhance the auditor's role, the Auditing Standards Board of
the American Institute of Certified Public Accountants (AICPA) recently
issued Statement on Auditing Standards (SAS) No. 82, "Consideration
of Fraud in Financial Statement Audits" [2]. The objective is to
increase the probability of detecting fraud in order to improve the
integrity of the financial reporting process. The management of a
business entity has the primary responsibility for developing internal
control systems and ethics policies that will discourage fraud and
reduce its occurrence. A three-tier line of defense can help thwart
computer fraud: prevention, detection and minimization of occurrences
through corporate ethics policies.
Characteristics of Fraud
The National Commission on Fraudulent Financial Reporting (NCFFR,
also known as the Treadway Commission) defines fraudulent financial
reporting as "intentional or reckless conduct, whether by act or
omission, that results in materially misleading financial
statements" [8]. Outsiders as well as insiders within an
organization are responsible for computer fraud. People with or without
a high level of expertise can commit fraud; however, the former are more
dangerous and more difficult to stop.
Both employees and management commit internal fraud. Between 85% and 90%
of all computer security problems involve an unethical individual inside
the corporation [6]. Unfortunately, the majority of computer crime goes
unreported because companies fear bad publicity and future attacks by
hackers who perceive a weakness in the company's security system. A
person seeking financial gain often commits employee fraud by using a
computer to illegally access payroll records to increase his salary.
Management fraud is of greater concern to independent auditors because
management is often able to override internal controls. The aim of
management fraud is to benefit the company rather than particular
individuals by intentionally reporting misleading financial data about
the company.
Treadway Commission Report
In 1987, the Treadway Commission suggested several ways to reduce
the possibility of fraudulent financial reporting:
* Identify factors of fraudulent financial reporting
* Establish an environment of integrity
* Design internal controls to prevent fraudulent reporting
* Assess the risk of fraudulent reporting.
Identify factors of fraudulent financial reporting. People with low
ethical standards are at the heart of every computer fraud [5]. To
understand why fraud occurs, known perpetrators need to be investigated.
Perpetrators are mostly white-collar criminals with technical computer
knowledge and skills, usually younger than other white-collar criminals,
and they do not think that they are committing a serious crime.
Research has indicated the following necessary conditions for fraud
to occur: (a) pressure or motive, (b) opportunity and (c)
rationalization [6,9,10]. A person's motivation for committing fraud
is due to financial or work-related problems, such as strong feelings of
resentment, being taken advantage of or being underpaid. Other
motivations include family or peer pressure and the challenge of
"beating the system" [9]. Second, a company's internal
controls and/or its computer security system are weak and provide the
perpetrator an opportunity to commit fraud. Finally, most perpetrators
consider themselves to be honest and upright citizens, even when they
break the law. They rationalize that their fraudulent action is more
important than honesty and integrity.
Society has become increasingly dependent on computerized
information systems, and these systems have grown more complex in order
to meet an increasing need for information. As the complexity of these
systems and society's dependence on them increase, companies face a
growing risk of their security systems being compromised. Computer fraud
is serious and will continue to increase with advances in technology.
Organizations and experts who track computer fraud have different
estimates of how serious the problem is. Estimates range from $300
million to $9 billion a year and from an average of $50,000 to over
$1 million per incident [9]. The FBI estimates that only one percent of
all computer crime is detected; other estimates run as high as 25%. No
one is sure about how much is lost to computer fraud annually.
Studies have examined cases of computer fraud to determine the
kinds of assets stolen and the approaches used by perpetrators. The
results indicate that there are many different types of fraud and ways
to commit them [4,9]. One study found that:
* 44% of computer frauds involve theft of money
* 18% involve illegal trespasses, theft of services and other
miscellaneous acts
* 16% involve damage to software
* 12% involve alterations to data
* 10% involve theft of information.
One way to assess computer fraud is to evaluate where and how it
occurs in the data processing system -- input, processor, computer
software, data storage or output stage.
Altering computer input is the most popular type of fraud, because
it is the simplest to commit [3]. It requires little, if any, computer
skills, and perpetrators only need to know how the system operates in
order to cover their tracks. For example, to steal inventory, a
perpetrator would enter data to show that the stolen inventory had been
scrapped from the system.
Computer processor fraud occurs when the operating system is used
in an unauthorized way, which may include the theft of computer time and
services. For example, some employees use the company computer to keep
personal records or records for an outside organization. Software fraud
involves altering the software that processes data or making illegal
copies to be used in an unauthorized manner. This type of fraud is not
common because it requires specialized programming knowledge.
Data storage fraud can be perpetrated by altering, damaging,
copying, using or searching data files without authorization. Data files
can be scrambled or destroyed by perpetrators. Finally, output fraud is
achieved by stealing or misusing a system's output displayed on
monitors or printed on paper.
First, fraud perpetrators can gain unauthorized access to computer systems
by pretending to be an authorized user. Once inside the system, a
perpetrator enjoys the same privileges as the legitimate user. For
example, hacking is the unauthorized access and use of computer systems,
usually achieved with only a personal computer and telecommunications
networks. Hackers are usually motivated only by the challenge of
breaking and entering, but hacking can be used to obtain unauthorized
access to confidential information.
Second, perpetrators can steal data, software or other company
resources, or data can be deleted, changed or added to the system.
Company data can be copied without leaving any indication that it was
copied. Software piracy is the unauthorized copying of software. It is
estimated that only 67% of the software currently in use in the U.S.
marketplace was purchased legally. The software industry loses between
two billion and four billion dollars per year [9].
Third, a computer virus is an executable code that attaches itself
to an application program or some other executable system component and
can do extensive damage to the contents of the computer. Viruses are
contagious and can spread rapidly when introduced into a network with a
large number of computers. Fortunately, there are virus protection
programs, some of which are free of charge. Some protection programs
remain in the computer memory and monitor system activity by searching
for any indication that a virus is trying to infiltrate the system.
Other programs detect an infection soon after it starts. Finally, virus
identification programs can scan all executable programs to find and
remove known viruses from a system.
Establish an environment of integrity.
Some computer fraud experts claim that the most effective security
system is a reliance on the integrity of honest company employees. Since
85-90% of computer frauds are inside jobs, employees might be the
greatest control strength, but they are also the greatest weakness [9].
However, any steps taken to increase employee integrity and reduce the
likelihood of employees' committing fraud can yield big returns.
The most important consideration is to hire and retain honest
people. A great deal of fraud can be eliminated by carefully selecting
employees with high integrity. Companies should have an applicant fill
out a written application, solicit resumes and letters of reference, and
obtain credit bureau reports on the applicant. Employees should know the
rules and standards required by the company. The company should prepare
clearly stated policies that explicitly describe honest and acceptable
behavior, covering all issues from conflicts of interest to the
acceptance of gratuities. The company should consistently recognize and
publicly reward honesty. A high standard of integrity accompanied by a
policy of recognition and rewards will reduce the temptation to commit
fraud.
Often frauds committed by employees are discovered when illness or
an accident suddenly forces them to take time off. Therefore, it is
important that all employees who have custody of assets or are
responsible for sensitive record keeping or authorization functions take
an annual vacation. Someone else should perform these duties during
their absence. Periodic rotation of duties among key employees can
achieve similar results. All dishonest acts should be investigated, and
the guilty should be prosecuted and dismissed immediately. The very
existence of these policies deters fraud and enhances internal control.
Finally, a company should be careful when dismissing employees. Unsavory
employees should be removed immediately from sensitive jobs and denied
access to the computer to prevent them from seeking retribution by
damaging the system.
Management's attitude toward internal control can be a very
important fraud deterrent. Statements and actions by management become
apparent to all members of the organization. If management considers
internal control to be important, other members of the organization will
strive harder to adhere to control policies and procedures in order to
accomplish the organization's objectives. Fraud is much less likely
to occur in an environment where company employees believe that security
is everyone's business.
Fraud can be deterred by effective supervision that (a) assists
employees engaged in operating or data processing tasks, (b) monitors
the effectiveness with which employees carry out their assigned tasks
and (c) safeguards assets by watching over employees who have access to
assets. Supervision is an important means of control in organizations
that are too small to afford adequate separation of duties for internal
control purposes.
Design internal controls to prevent fraudulent reporting. An
effective internal control system can ensure the accuracy, integrity and
safety of all information systems resources. The ultimate objective is
to enhance the reliability and integrity of an organization's
financial reporting systems. The overall responsibility for a secure
system lies with top management, but the design of the system usually
falls to systems analysts and often end-users. The security officer and
the operations staff of an organization are both responsible for
ensuring that control procedures are followed.
To develop an effective internal control system, a company must
determine the potential dollar loss from software errors, hardware
malfunctions, unintentional accidents and computer fraud. Next,
management must determine the controls needed to detect any danger.
Designers must prioritize their objectives and select the most efficient
controls to achieve the desired objectives. The company should evaluate
each control on a cost/benefit basis and implement those that are most
cost effective.
Control procedures are preventive, detective or corrective in
nature. Preventive controls are the most important, because they
eliminate problems before they occur. Many control problems can be
prevented by hiring honest, well-trained individuals, appropriately
segregating duties, effectively controlling physical access to
facilities, utilizing well-designed documents and authorizing
transactions.
Detective controls discover problems after they arise and include
double checking calculations, periodic performance reporting that
highlights variances between actual and standard costs, reporting past
due accounts or out-of-stock inventory items, preparing bank
reconciliations and verifying the use of pre-numbered documents.
Detective control procedures are a necessary part of any effective
control system because not all potential control problems can be
prevented.
Corrective controls remedy problems discovered by detective
controls. They include procedures to identify the cause of a problem,
correct errors arising from the problem and modify the system so that
future errors may be minimized or eliminated. One such procedure is to
maintain backup copies of key transaction and master files so that
damaged or destroyed files can be restored.
Assess the risk of fraudulent reporting.
The most effective internal control is to segregate tasks among
employees so that no single employee can both perpetrate and conceal a
fraud or an unintentional error. In particular, the authorization,
recording and custody of assets functions must be separated to
effectively segregate the duties. In highly integrated computer-based
accounting information systems, procedures that might otherwise be
performed by separate individuals may be combined within the computer
processing function. Any person who has unrestricted access to the
computer can both perpetrate and conceal fraud.
To compensate for potential control weaknesses, an organization
must effectively segregate duties within the information systems
function. Authority and responsibility must be clearly divided among the
following functions:
* Application systems analysis and programming
* Computer operations
* Systems programming
* Transaction authorization
* File library maintenance and data control [9].
With an effective separation of duties, it will be difficult for an
employee to embezzle funds. Collusion or conspiracy by two or more
persons to commit fraud is still possible, although a well-designed
system can minimize the chances of successful collusion.
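As an added illustration (not from the article), the script below applies two of the detective controls discussed above to a small constructed ledger: it verifies the use of pre-numbered documents (gaps and duplicates) and tests whether authorization, recording and custody of each transaction were carried out by different people. The Transaction fields and the sample records are assumptions made for the example.

```python
"""Detective controls over a constructed transaction ledger (example code)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    doc_no: int          # pre-numbered source document (assumed field)
    authorized_by: str   # who approved the transaction
    recorded_by: str     # who entered it into the accounting system
    custodian: str       # who handled the asset (cash, inventory, ...)
    amount: float


# Constructed sample ledger, not real data.
LEDGER = [
    Transaction(1001, "alice", "bob", "carol", 250.00),
    Transaction(1002, "alice", "bob", "carol", 80.00),
    # 1003 is missing, and dave both authorizes and records.
    Transaction(1004, "dave", "dave", "carol", 1200.00),
    # Duplicate document number, and bob both records and holds custody.
    Transaction(1004, "alice", "bob", "bob", 99.00),
    Transaction(1006, "alice", "bob", "carol", 40.00),  # 1005 is missing
]


def segregation_violations(ledger):
    """Return (doc_no, person, roles) wherever one employee performs two or
    more of the three functions that should be separated."""
    violations = []
    for t in ledger:
        roles = {"authorized": t.authorized_by,
                 "recorded": t.recorded_by,
                 "custody": t.custodian}
        by_person = {}
        for role, person in roles.items():
            by_person.setdefault(person, []).append(role)
        for person, held in by_person.items():
            if len(held) > 1:
                violations.append((t.doc_no, person, tuple(held)))
    return violations


def document_sequence_check(ledger):
    """Return (missing_numbers, duplicate_numbers) for the pre-numbered
    documents. A gap may be a voided form or a transaction that bypassed
    recording; a duplicate may be a re-used form. Both warrant follow-up."""
    counts = Counter(t.doc_no for t in ledger)
    lo, hi = min(counts), max(counts)
    missing = [n for n in range(lo, hi + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicates


if __name__ == "__main__":
    for v in segregation_violations(LEDGER):
        print("segregation of duties:", v)
    missing, dups = document_sequence_check(LEDGER)
    print("missing document numbers:", missing)
    print("duplicate document numbers:", dups)
```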
A second technique for minimizing fraud risk is to intensify
internal audits. Most crimes go undetected and often last for some time
before being discovered. One way to increase the likelihood of detecting
fraud is to conduct more frequent internal audits [7,10]. Internal
auditors can provide an independent appraisal of the effectiveness of
internal controls and the quality of managerial performance in carrying
out assigned responsibilities. Internal auditing involves:
* A review of the reliability and integrity of financial and
operating information
* A review of the controls employed to safeguard assets
* An assessment of employees' compliance with management
policies, procedures and applicable laws and regulations
* An evaluation of the efficiency and effectiveness with which
management achieves its organizational objectives.
For internal audits to be effective, it is important to have a
competent internal audit department composed of honest individuals. The
ethical values of an organization play an important role in both
detecting and minimizing the occurrences of fraudulent activities.
Conclusion
The proliferation of computer technology and associated crimes has
created a challenge for corporate managers and imposed a threatening
extension of an auditor's responsibility to discover fraud. The
AICPA's new audit standard on fraud, SAS No. 82, is designed to
help auditors detect material fraud resulting from fraudulent financial
reporting and misappropriation of assets and also to clarify for users
and practitioners the auditors' responsibilities for detecting
fraud. Auditors are now required to plan and perform audits to obtain
reasonable assurance that financial statements are free from material
misstatement caused by error or fraud.
Since unethical employees commit most fraudulent activities, the
best way to minimize fraud is to stop them. Corporate practices to
prevent employee fraud include hiring and retaining honest individuals,
establishing sound corporate ethics policies and related training
programs, monitoring compliance with these policies and openly rewarding
individuals who consistently demonstrate honesty. Additionally, strong
internal controls will help in the detection of fraud, and an effective
internal audit department together with appropriate segregation of
duties will further minimize fraudulent computer activities.
References
(1.) American Institute of Certified Public Accountants.
"Consideration of Internal Control in a Financial Statement Audit:
An Amendment to SAS No. 55." Statement on Auditing Standards No.
78, New York, NY, 1995.
(2.) _____. "Consideration of Fraud in Financial Statement
Audits." Statement on Auditing Standards No. 82, New York, NY,
1997.
(3.) Collier, P. et al. "The Role of Internal Auditors in the
Prevention and Detection of Computer Fraud." Public Money &
Management, Winter 1991, p. 61.
(4.) Doost, R.K. "Accounting Irregularities and Computer
Fraud." National Accountant, May 1990, pp. 36-39.
(5.) Ford, J.C. "Security and Control of Information
Systems." Internal Auditing, Winter 1988, pp. 29-35.
(6.) Knowles, A. "The Enemy Within." CIO, Jun. 15, 1996,
pp. 84-90.
(7.) Leinicke, L.M. et al. "Computer Fraud Auditing: It
Works." Internal Auditor, Aug. 1990, pp. 26-33.
(8.) "Report of the National Commission on Fraudulent
Financial Reporting." Journal of Accountancy, Nov. 1987, pp. 39-48.
(9.) Romney, M.B. "Computer Fraud: Detection and
Deterrence." Micromash, New Jersey, Sept. 1994.
(10.) Roufaiel, N.S. et al. "White-Collar Computer Crimes: A
Threat to Auditors and Organization." Managerial Auditing Journal,
1994, pp. 3-12.
The authors wish to thank Mary Maury for her help in revising and
editing this article for publication.
COPYRIGHT 1998 St. John's University, College of Business Administration.
Reproduced with permission of the copyright holder. Further reproduction or
distribution is prohibited without permission.
Copyright 1998, Gale Group. All rights reserved. Gale Group is a Thomson
Corporation Company.