Pindi Yulinar Rosita

008201905023

Session 5

Chapter 5 : FRAUD
The four types of AIS threats a company faces are:
- Natural and political disasters.
Such as fires, floods and earthquakes can destroy an information system an cause many
companies to fail.

- Software errors and equipment malfunctions.

Software errors, operating system crashes, hardware failures, power outages and undetected data
transmission errors constitute a second type of threat.

- Unintentional acts.
The greatest risk to information systems and causes the greatest dollar losses. Human errors
cause 80% of security problems. Unintentional acts are caused by human carelessness, failure to
follow established procedures and poorly trained or supervised personnel.
- Intentional acts.
An intentional act is a computer crime, a fraud of sabotage.
Sabotage: deliberate destruction or harm to a system.
Cookie: a text file created by a web site and stored on a visitor’s hard drive. Cookies store
information about who the user is and what the user has done on the site.
Fraud: any and all means a person uses to gain an unfair advantage over another person. Legally,
for an act to be fraudulent there must be :

 False statement, representation or disclosure.

 Material fact.
 Intent to deceive.
 Justifiable reliance
 Injury or loss

White-collar criminals: typically, businesspeople who commit fraud. They usually resort to tricke
Corruption: dishonest conduct by those in power, which often involves actions that are
illegitimate, immoral or incompatible with ethical standards. ry or cunning and their crimes usually
involve a violation of trust or confidence.
Investment fraud: misrepresenting or leaving out facts in order to promote an investment that
promises fantastic profits with little or no risk.
Misappropriation of assets: theft of company assets by employees.
The most significant contributing factor in most misappropriations is the absence of internal
controls and/or the failure to enforce existing internal controls.
Fraudulent financial reporting: intentional or reckless conduct, whether by act of omission, that
results in materially misleading financial statements.
The fraud triangle
 1. Pressure : a person’s incentive or motivation for committing fraud.
2. Oppurtunities : the condition or situation that allows a person or organization to commit
and conceal a dishonest act and covert it to personal gain.
3. Rationalization: the excuse that fraud perpetrators use to justify their illegal behavior.

Computer fraud: any type of fraud that requires computer technology to perpetrate. Computer
fraud can be categorized using data processing model.
Input fraud: the simplest and most common way to commit a computer fraud is to alter or falsify
computer input. Perpetrators need only understand how the system operated so they can cover their
tracks.
Processor fraud: unauthorized system use, including the theft of computer time and service.
Computer instructions fraud: tampering with company software, copying software illegally,
using software in an unauthorized manner, and developing software to carry out an unauthorized
activity.
Data fraud: illegally using, copying, searching or harming company data constitutes data fraud.
Output fraud: unless properly safeguarded, displayed or printed output can be stolen, copied or
misused.

DISCUSSION QUESTION 5.1-5.3

5.1 You are the president of a multinational company where an executive confessed to
kiting $100,000. What is kiting and what can your company do to prevent it? How
would you respond to the confession? What issues must you consider before pressing
charges?
Answer
The statement is ironic because employees represent both the greatest control strength and the
greatest control weakness. Honest, skilled employees are the most effective fraud deterrent.
However, when fraud occurs, it often involves an employee in a position of trust. As many as
90% of computer frauds are insider jobs by employees.
Employers can do the following to maintain the integrity of their employees. (NOTE: Answers
are introduced in this chapter and covered in more depth in Chapter 7)

 Human Resource Policies. Implement human resource policies for hiring,

compensating, evaluating, counseling, promoting, and discharging employees
that send messages about the required level of ethical behavior and integrity

 Hiring and Firing Practices: Effective hiring and firing practices include:
o Screen potential employees using a thorough background checks and written
tests that evaluate integrity.
o Remove fired employees from all sensitive jobs and deny them access to the
computer system to avoid sabotage.

 Managing Disgruntled Employees: Some employees who commit a fraud are

disgruntled and they are seeking revenge or "justice" for some wrong that they
 perceive has been done to them. Companies should have procedures for
identifying these individuals and helping them resolve their feelings or removing
them from jobs that allow them access to the system. One way to avoid
disgruntled employees is to provide grievance channels that allow employees to
talk to someone outside the normal chain of command about their grievances.

 Culture. Create an organizational culture that stresses integrity and commitment

to both ethical values and competence

 Management Style. Adopt an organizational structure, management philosophy,

operating style, and appetite for risk that minimizes the likelihood of fraud

 Employee Training: Employees should be trained in appropriate behavior, which

is reinforced by the corporate culture. Employees should be taught fraud
awareness, security measures, ethical considerations, and punishment for
unethical behavior.
5.2 You are the president of a multinational company where an executive confessed to kiting
$100,000. What is kiting and what can your company do to prevent it? How would you
respond to the confession? What issues must you consider before pressing charges?
Answer
In a kiting scheme, cash is created using the lag between the time a check is deposited and the time
it clears the bank. Suppose a fraud perpetrator opens accounts in banks A, B, and C. The perpetrator
“creates” cash by depositing a $1,000 check from bank B in bank C and withdrawing the funds. If it
takes two days for the check to clear bank B, he has created $1,000 for two days. After two days,
the perpetrator deposits a $1,000 check from bank A in bank B to cover the created $1,000 for two
more days. At the appropriate time, $1,000 is deposited from bank C in bank A. The scheme
continues, writing checks and making deposits as needed to keep the checks from bouncing. Kiting
can be detected by analyzing all interbank transfers. Since the scheme requires constant transferring
of funds, the number of interbank transfers will usually increase significantly. This increase is a red
flag that should alert the auditors to begin an investigation.
When the employee confesses, the company should immediately investigate the fraud and
determine the actual losses. Employees often "underconfess" the amount they have taken. When the
investigation is complete, the company should determine what controls could be added to the
system to deter similar frauds and to detect them if they do occur.
Employers should consider the following issues before pressing charges:

 How will prosecuting the case impact the future success of the business?

 What effect will adverse publicity have upon the company's well being? Can the
publicity increase the incidence of fraud by exposing company weaknesses?

 What social responsibility does the company have to press charges?

 Does the evidence ensure a conviction?

 If charges are not made, what message does that send to other employees?

 Will not exposing the crime subject the company to civil liabilities?
5.3 Discuss the following statement by Roswell Steffen, a convicted embezzler: “For every
foolproof system, there is a method for beating it.” Do you believe a completely
 secure computer system is possible? Explain. If internal controls are less than 100%
effective, why should they be employed at all?
Answer
The old saying "where there is a will, there is a way" applies to committing fraud and to
breaking into a computer system. It is possible to institute sufficient controls in a system
so that it is very difficult to perpetrate the fraud or break into the computer system, but
most experts would agree that it just isn't possible to design a system that is 100% secure
from every threat. There is bound to be someone who will think of a way of breaking into
the system that designers did not anticipate and did not control against.

If there were a way to make a foolproof system, it would be highly likely that it would
be too cost prohibitive to employ.

Though internal controls can't eliminate all system threats, controls can:

 Reduce threats caused by employee negligence or error. Such threats

are often more financially devastating than intentional acts.
 Significantly reduce the opportunities, and therefore the likelihood,
that someone can break into the system or commit a fraud.

SUGGESTED ANSWERS TO THE CASES

5.1 1. How does Miller fit the profile of the average fraud perpetrator?

 Like many fraud perpetrators, David Miller was not much different than the
general public in terms of education, values, religion, marriage, and
psychological makeup.

 Like Miller, many white-collar criminals are regarded as ideal employees

until they are caught. Like him, they are dedicated and work long hours.

 He was well respected, occupied a position of trust, and was viewed as an

honest, upstanding citizen.

 Most fraud perpetrators spend all that they steal. Few invest it. Miller was
no exception.
i. How does he differ?

 Miller was not disgruntled and unhappy, nor was he seeking to get even
with his employer.

 Though David Miller was never convicted of fraud, he was involved in a

number of schemes. In contrast, most fraud perpetrators are first time
offenders.
ii. How did these characteristics make him difficult to detect?

It is often difficult to detect fraud perpetrators because they possess few

characteristics that distinguish them from the public. Most white-collar criminals are
talented, intelligent, and well educated. Many are regarded as the ideal employee that
occupies a position of trust, is dedicated, and works hard for the company. They are
otherwise honest, upstanding citizens that have usually never committed any other
criminal offense.
 2. Explain the three elements of the opportunity triangle (commit, conceal, convert) and
discuss how Miller accomplished each when embezzling funds from Associated
Communications. What specific concealment techniques did Miller use?

There are three elements to the opportunity triangle:

1. The perpetrator must commit the fraud by stealing something of value,
such as cash, or by intentionally reporting misleading financial information.
Miller was able to steal cash by undermining the internal controls that
required two signatures on checks. He asked company officials to sign
checks before they went on vacation "just in case" the company needed to
disburse funds while they were gone.
2. To avoid detection, the perpetrator must conceal the crime. Perpetrators
must keep the accounting equation in balance by inflating other assets or
decreasing liabilities or equity. Concealment often takes more effort and
time and leaves behind more evidence than the theft or misrepresentation.
Taking cash requires only a few seconds; altering records to hide the theft
is more challenging and time-consuming. To conceal the theft, Miller
retrieved the canceled check from the bank reconciliation and destroyed it.
The amount stolen was then charged to an expense account of one of the
units to balance the company's books. Miller was able to work himself into
a position of trust and influence. Because he occupied this position his
actions were not questioned and he was able to subvert some of the internal
controls intended to prevent the type of actions he was able to take.
3. The perpetrator must convert the stolen asset into some form usable by the
perpetrator if the theft is of an asset other than cash. For example, stolen
inventory and equipment must be sold or otherwise converted into cash. In
financial statement fraud, the conversion is more indirect, such as in
undeserved pay raises, promotions, more stock options, etc. Miller was able
to convert the check to cash by writing himself checks and depositing them
in his personal account.
3. What pressures motivated Miller to embezzle? How did Miller rationalize his actions?
Motivation. After David Miller had undergone therapy, he believed his problem with
compulsive embezzlement was an illness, just like alcoholism or compulsive gambling. He
stated that the illness was driven by a subconscious need to be admired and liked by others.
He thought that by spending all of that money others would like him. Ironically, he was
universally well liked and admired at each job and it had nothing to do with money. In fact,
one associate at Associated was so surprised at the news of the thefts that he said that it was
like finding out that your brother was an ax murderer. Miller also claimed that he is not a
bad person, that he never intended to hurt anyone, but once he got started he just could not
stop.
Rationalization. The case does not specify what Miller's rationalizations were. He may, in
fact, have had a number of different rationalizations. The case suggests that he "needed it" to
pay back the money he stole from previous employers. He was always "just borrowing" the
money and intended to pay it back. Miller may have also been convinced that he would
never be prosecuted for his crimes. Many of the rationalizations listed in the text are also
possibilities.
4. Miller had a framed T-shirt in his office that said, “He who dies with the most toys
wins.” What does this tell you about Miller? What lifestyle red flags could have tipped
off the company to the possibility of fraud?
Miller's life seemed to be centered on financial gain and the accumulation of material goods
or, as the quote says, "toys." Such gain, he felt, would lead to prestige and recognition
among his friends in the business community.

The wealth and extravagant spending in relation to Miller's salary was the primary red flag
that most companies never questioned. Consider that on his $130,000 a year salary he was
able to afford two Mercedes-Benz sedans; a lavish suburban house; a condominium at
Myrtle beach; expensive suits; tailored and monogrammed shirts; diamond, sapphire, ruby,
and emerald rings for his wife; and a new car for his father- in-law.
5. Why do companies hesitate to prosecute white-collar criminals?

 Negative publicity. Companies are reluctant to prosecute fraud because of

the financial damage that could result from negative publicity. A highly
visible fraud is a public relations disaster. The company could lose a lot of
business due to the adverse publicity.

 Exposes system weaknesses. Reporting and prosecuting fraud may reveal

vulnerabilities in a company's system. This could attract even more acts of
fraud.

 Concern for the perpetrator's family. If an employee is willing to make

retribution, companies may not press charges to protect the employee’s
family and reputation.

 Society is more concerned with "real" crime. Political considerations

motivate enforcement officials to focus their resources on more violent and
visible crimes such as rape, murder, and robbery. Some people see fraud as
an internal problem and not as a serious crime that demands prosecution.

 Unclear definition of computer fraud. One reason computer fraud is not

prosecuted more is that the definition of computer fraud is so vague. As a
result, no one really knows how much it really costs and there isn't as much
motivation to go after computer fraud cases.

 Prosecution difficulties. It is difficult, costly, and time consuming to

investigate fraud. It is even harder to prove. As a result, it can be hard to
prosecute fraud cases successfully and get convictions.

 Lack of expertise. Many law enforcement officers, lawyers, and judges lack
the skills necessary to investigate, prosecute and evaluate fraud, especially
computer fraud.

 Light sentences. When fraud cases are prosecuted and a conviction is

obtained, the sentences received are sometimes very light. This discourages
prosecution.
What are the consequences of not prosecuting?
When fraud is not prosecuted, it sends a message to employees and to
the public that enforcing laws is not important to the company. A
reputation for being "soft" on fraud may result in the companies
 becoming increasingly vulnerable to additional fraud.

Failure to report and prosecute a fraud also means that the perpetrator
goes free and can repeat his or her actions at another company, as
David Miller did. If the perpetrator does not have to pay the
consequences of his actions, she is more likely to repeat them because
she "got away with it" and was not punished.
How could law enforcement officials encourage more prosecution?
To encourage more fraud prosecution, law enforcement officials
must take actions to solve each of the problems mentioned above. In
addition, they must encourage more effective reporting of such
crimes. The public should be educated to recognize and report fraud
as a serious offense.

6. What could the victimized companies have done to prevent Miller’s embezzlement?

Not much is said in the case about how Miller committed many of the frauds. In each of
the frauds, it is likely that the theft of cash could have been prevented by tighter controls
over access to cash and blank checks and to the means of writing and signing checks.
Some could have been prevented or at least detected by better control over monthly
bank statements and their reconciliation.

In retrospect, Miller was given too much trust and authority and that led to a breakdown
of internal controls. However, companies have to trust their top level employees, such as
the CFO. Even though this trust is necessary, a greater separation of duties and more
supervision of Miller's work would have made it more difficult for him to perpetrate the
frauds.