HAPTER 5

1
HAPTER 5

• Computer Fraud and Security

2
INTRODUCTION

• FOUR major topics
• AIS Threats (pp. 144 146).
• What is Auditors Responsibility? (pp. 146 149)
• What is Computer Fraud? (pp. 154 159)
• Computer Fraud Techniques (pp. 159 170)
• Skip material on these pages
• Who perpetrates fraud? (pp. 149 154)
• Preventing and detecting computer fraud. (pp. 170
  171)

3
INTRODUCTION

• Companies face four types of threats to their
  information systems
• Natural and political disasters
• Software errors and equipment malfunction
• Unintentional acts
• Intentional acts (computer crime)

4
THE FRAUD PROCESS

• Fraudulent financial reporting is intentional or
  reckless conduct, whether by act or omission,
  that results in materially misleading financial
  statements.
• Financial statements can be falsified to
• Deceive investors and creditors
• Cause a companys stock price to rise
• Meet cash flow needs
• Hide company losses and problems

5
Fraudulent Financial Reporting

• The National Commission on Fraudulent Financial
  Reporting (Treadway Commission)
• Fraudulent financial reporting is of great
  concern to independent auditors, because
  undetected frauds lead to half of the lawsuits
  against auditors.
• Sarbanes-Oxley Act of 2002 and Public Company
  Accounting Oversight Board (PCAOB)

6
COMPUTER FRAUD CLASSIFICATIONS
Data Fraud
Input Fraud
Output Fraud
Processor Fraud
Computer Instructions Fraud
7
COMPUTER FRAUD CLASSIFICATIONS
Data Fraud
Input Fraud
Output Fraud
Processor Fraud
Computer Instructions Fraud
8
APPROACHES TO COMPUTER FRAUD

• Input Fraud
• The simplest and most common way to commit a
  fraud is to alter computer input.
• Requires little computer skills.
• Perpetrator only need to understand how the
  system operates
• Can take a number of forms, including
• Disbursement frauds
• Patterson UTI
• Inventory frauds
• Payroll frauds

9
COMPUTER FRAUD CLASSIFICATIONS
Data Fraud
Input Fraud
Output Fraud
Processor Fraud
Computer Instructions Fraud
10
APPROACHES TO COMPUTER FRAUD

• Processor Fraud
• Involves computer fraud committed through
  unauthorized system use.
• Includes theft of computer time and services.
• Incidents could involve employees
• Surfing the Internet
• Using the company computer to conduct personal
  business or
• Using the company computer to conduct a competing
  business.

11
COMPUTER FRAUD CLASSIFICATIONS
Data Fraud
Input Fraud
Output Fraud
Processor Fraud
Computer Instructions Fraud
12
APPROACHES TO COMPUTER FRAUD

• Computer Instructions Fraud
• Involves tampering with the software that
  processes company data.
• May include
• Modifying the software
• Making illegal copies
• Using it in an unauthorized manner
• Also might include developing a software program
  or module to carry out an unauthorized activity.

13
COMPUTER FRAUD CLASSIFICATIONS
Data Fraud
Input Fraud
Output Fraud
Processor Fraud
Computer Instructions Fraud
14
APPROACHES TO COMPUTER FRAUD

• Data Fraud
• Involves
• Altering or damaging a companys data files or
• Copying, using, or searching the data files
  without authorization.
• In many cases, disgruntled employees have
  scrambled, altered, or destroyed data files.
• Theft of data often occurs so that perpetrators
  can sell the data.

15
COMPUTER FRAUD CLASSIFICATIONS
Data Fraud
Input Fraud
Output Fraud
Processor Fraud
Computer Instructions Fraud
16
APPROACHES TO COMPUTER FRAUD

• Output Fraud
• Involves stealing or misusing system output.
• Output is usually displayed on a screen or
  printed on paper.
• Unless properly safeguarded, screen output can
  easily be read from a remote location using
  inexpensive electronic gear.
• This output is also subject to prying eyes and
  unauthorized copying.
• Fraud perpetrators can use computers and
  peripheral devices to create counterfeit outputs,
  such as checks.

17
COMPUTER FRAUD AND ABUSE TECHNIQUES

• Perpetrators have devised many methods to commit
  computer fraud and abuse. These include
• Data leakage
• Denial of service attacks
• Eavesdropping
• Email threats
• Email forgery (aka, spoofing)
• Hacking
• Phreaking
• Hijacking
• Identity theft

18
Kevin Moloney for The New York Times "They still
put their checks in their own mailboxes," Ms.
Carroll said, "and that was one of the biggest
things we did was watch for red flags on
mailboxes."
By JOHN LELAND July 11, 2006, The New York Times
19
COMPUTER FRAUD AND ABUSE TECHNIQUES

• Perpetrators have devised many methods to commit
  computer fraud and abuse. These include
• Identity theft
• Shoulder Surfing
• Scavenging
• Phishing

20
Beaware of Phishing

• You're checking e-mail and up pops a message. It
  looks legitlike it's from your bank, Internet
  Service Provider (ISP), or another business you
  deal with all the time. But, it's asking for
  sensitive financial informationyour credit card
  information, social security number, passwords,
  etc. "Just click on the link below," the message
  says. But you're suspicious. Is it a ruse? Have
  you been "phished'?

E-scams warnings
21
COMPUTER FRAUD AND ABUSE TECHNIQUES

• Perpetrators have devised many methods to commit
  computer fraud and abuse. These include
• Logic time bombs
• Masquerading
• Piggybacking
• Round-down technique
• Salami technique

22
COMPUTER FRAUD AND ABUSE TECHNIQUES

• Perpetrators have devised many methods to commit
  computer fraud and abuse. These include
• Social engineering
• Software piracy
• Spamming
• Spyware
• Keystroke loggers
• Trap doors
• Trojan horse

23
The Debate over Passwords

• Read the Textbook session on Debate over
  Passwords.