Acknowledgments
Material is from:
Essentials of Corporate Fraud, T L Coenen, John Wiley & Sons, 2008
The Art of the Steal, Frank Abagnale, Broadway Books, 2001
CISA Review Manual, 2009
Check Fraud: A Guide to Avoiding Losses
The Art of Deception, Mitnick & Simon, Wiley & Sons, 2002
Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
Reviewers:
Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
The Problem
[Chart: Internal Fraud Recovery; categories: $0 recovered; recovery <= 25%; substantial recovery]
Organizations lose 5-6% of revenue annually due to internal fraud = $652 billion in the U.S. (2006)
Average scheme lasts 18 months and costs $159,000
25% of schemes cost more than $1M
Smaller companies suffer greater average $ losses than large companies
Fraud Categories
Category: Asset Misappropriation. 91% of cases, $150,000 average. Examples: Theft of checks, cash, money orders, inventory, equipment, supplies, information.
Category: Corruption. 31% of cases, $538,000 average. Examples: Bribe to accept contractor bid, or kickback; collusion; bid rigging; extortion (threat of harm if demand not met); false billing (providing lower quality, overcharging); conflict of interest in a power decision; corporate espionage (selling secrets).
Category: Financial Statement Fraud. 10% of cases, $2,000,000 average. Examples: Revenue overstatement (false sales); understating expenses (delayed or capitalized expenses); overstating assets (no write-down of uncollectable accounts or obsolete inventory); understating liabilities (not recording owed amounts); misapplication of accounting rules, etc.
Vocabulary
Skimming: Taking funds before they are recorded in company records
Cash Larceny: Taking funds (e.g., a check) that the company recorded as going to another party
Lapping: Theft is covered with another person's check (and so on)
Check Tampering: Forged or altered check for gain
Shell Company: Payments made to a fake company
Payroll Manipulation: Ghost employees, falsified hours, understated leave/vacation time
Fraudulent Write-off: Useful assets written off as junk
Collusion: Two or more employees, or employee & vendor, defraud together
False Shipping Orders or Missing/Defective Receiving Record: Inventory theft
Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons
3 Key Elements
[Diagram: 3 Key Elements of fraud; labels visible: Opportunity, Rationalization]
Some fraud is discovered via multiple reporting methods; thus results do not sum to 100%.
Tips come from: Employee 6 %, Anonymous 8%, Customer %, Vendor 7%
Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons
[Chart: reasons fraud is not prosecuted; categories: Fear of bad publicity; Internal discipline sufficient; Private settlement; Too costly to pursue]
Most $$$ internal frauds are committed by longer-tenured, older, and more educated staff
Executives commit the most expensive fraud: $1M
4.5 times more expensive than managers: $218K
13 times more expensive than line employees
Men & women commit fraud in nearly equal proportions, but men's are more expensive:
Men's average: $250k (or 4x)
Women's average: $120k
92% have no criminal convictions related to fraud
To steal a lot of money, you must have a position of power and access: highly degreed > HS grad, older > younger people
Collusion dramatically increases the duration and $ loss of fraud
Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons
Discussion Points
What types of fraud could computer programmers or system administrators commit?
For each type of fraud, what methods may help to prevent such fraud?
Example 2: Corruption
The Chief Financial Officer had divisional controllers who oversaw various regions. When one controller left, the CFO permanently took over her responsibilities. The checks and balances between the two positions were violated, and the CFO was able to embezzle from the company. Temporary assumption of some responsibilities may have been acceptable.
Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons
Audits are not designed to detect fraud
Goal: Determine whether the financial statement is free from material misstatements.
Auditors test only a small fraction of transactions.
Auditors must:
Be aware of the potential for fraud
Discuss how fraud could occur
Delve into suspicious observations and report them
Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons
Red Flags
Significant change in lifestyle: New wealth
Financial difficulties may create need
Gambling or drug addiction
Infidelity is an expensive habit
Criminal background
Chronic legal problems: person looks for trouble
Dishonest behavior in other parts of life
Beat the system: Breaks rules commonly
Chronic dissatisfaction with job
Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons
Corrective Controls: Fix problems and prevent future problems. Includes: Punishment -> Amend controls
Detective Controls: Finding fraud when it occurs. Includes: Anonymous hotline* -> Surprise audits* -> Monitoring activities -> Complaint or fraud investigation
Preventive Controls**: Preventing fraud. Includes: Risk assessment; Develop internal controls; Physical security & data security; Authorization (passwords, etc.); Segregation of duties; Fraud education
Key Elements
[Diagram: countermeasures for each key element]
Opportunity: Segregation of duties; Checks and balances; Job rotation; Physical security of assets; Background checks; Mandatory vacations; Examination of required documentation
Rationalization: Trained in policies and procedures; Policy enforcement; Sr. Mgmt models ethical behavior to customers, vendors, employees, shareholders
Segregation of Duties
[Diagram: Segregation of Duties; labels visible: Origination, Distribution, Verification, Double-checks]
IT Segregation of Duties
[Diagram: IT Segregation of Duties. Areas shown: Requirements/Design; User; Test Environment; Development Environment; Production Environment. Roles shown: Systems Analyst, Database Administrator, End User, Data Entry, Quality Assurance, Security Control Group, Security Admin, Application programmer, Systems programmer, Computer Operator, System Administrator, Network Administrator, Help Desk]
Compensating Controls
When segregation of duties is not possible, use:
Audit Trails
Transaction Logs: Record of all transactions in a batch
Reconciliation: Ensure transaction batches are not modified during processing
Exception reporting: Track rejected and/or exceptional (non-standard) transactions
Supervisory or Independent Reviews
Separation of duties: authorization, distribution, verification
CISA Review Manual 2009
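The reconciliation and exception-reporting controls above, as an added example (not code from the course or the CISA manual): control totals (record count, amount total, hash total) are captured at origination and compared with the batch after processing, and an exception report names the transactions that changed. All records are constructed.

```python
"""Batch reconciliation as a compensating control: control totals taken at
origination are compared with the batch after processing. Added example; the
records are constructed and this is not code from the course or CISA manual."""
import hashlib
import json

def control_totals(batch):
    """Record count, amount total and a hash total over the batch content."""
    digest = hashlib.sha256()
    for rec in batch:
        digest.update(json.dumps(rec, sort_keys=True).encode())
    return {"count": len(batch),
            "amount": round(sum(r["amount"] for r in batch), 2),
            "hash": digest.hexdigest()}

def reconcile(expected, batch):
    """Names of control totals that no longer match (empty list = batch intact)."""
    actual = control_totals(batch)
    return sorted(k for k in expected if expected[k] != actual[k])

def changed_records(original, processed):
    """Exception report: which transaction ids were altered, added or dropped."""
    before = {r["txn"]: r for r in original}
    after = {r["txn"]: r for r in processed}
    return {
        "altered": sorted(t for t in before if t in after and before[t] != after[t]),
        "added": sorted(after.keys() - before.keys()),
        "missing": sorted(before.keys() - after.keys()),
    }

# Constructed batch as submitted by data entry (origination).
ORIGINATED = [
    {"txn": 1, "vendor": "V1", "amount": 120.50},
    {"txn": 2, "vendor": "V2", "amount": 80.00},
    {"txn": 3, "vendor": "V1", "amount": 199.99},
]
# Constructed copy after processing: txn 2 was altered and txn 4 inserted.
PROCESSED = [
    {"txn": 1, "vendor": "V1", "amount": 120.50},
    {"txn": 2, "vendor": "V2", "amount": 800.00},
    {"txn": 3, "vendor": "V1", "amount": 199.99},
    {"txn": 4, "vendor": "V9", "amount": 50.00},
]

if __name__ == "__main__":
    totals = control_totals(ORIGINATED)  # recorded at origination, kept apart from processing
    print("mismatched totals:", reconcile(totals, PROCESSED))
    print("exceptions:", changed_records(ORIGINATED, PROCESSED))
```

The totals must be recorded by someone other than the person who processes the batch, otherwise the control can be rewritten along with the data.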
Provide reports for customer credits, adjustment accounts, inventory spoilage or loss, and fixed-asset write-offs
Detect unusual anomalies such as unusual amounts or patterns
Compare vendor addresses and phone numbers with employee data
Use range or limit validation to detect fraudulent transactions
Log computer activity, login or password attempts, data access attempts, and the geographical location of data access
Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons
Out-of-sequence checks
Large number of voids or refunds made by an employee or customer
Manually prepared checks from a large company
Payments sent to a nonstandard (unofficial) address
Unexplained changes in vendor activity
Vendors with similar names or addresses
Unapproved vendor, or new vendor with high activity
Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons
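The detective data-analysis screens described above (vendor data compared with employee data, vendors with similar names, out-of-sequence checks, range/limit validation), as an added example that is not code from the course or its sources. The employee, vendor and payment records are constructed; the similarity threshold and the 10,000 approval limit are assumptions.

```python
"""Red-flag screens over payment data: vendors sharing an address or phone with
an employee, near-duplicate vendor names, out-of-sequence check numbers, and
amounts kept just under an approval limit by an unapproved vendor. Added
example; employee, vendor and payment records are constructed, not real data."""
from difflib import SequenceMatcher

EMPLOYEES = [  # constructed
    {"id": "E1", "name": "Dana Reyes", "address": "12 Oak St", "phone": "555-0101"},
    {"id": "E2", "name": "Lee Park", "address": "9 Elm Ave", "phone": "555-0102"},
]
VENDORS = [  # constructed; V2 is a shell company run from an employee's home
    {"id": "V1", "name": "Acme Supply Co", "address": "400 Main St", "phone": "555-0200", "approved": True},
    {"id": "V2", "name": "DR Consulting", "address": "12 Oak St", "phone": "555-0101", "approved": False},
    {"id": "V3", "name": "Acme Supply Inc", "address": "401 Main St", "phone": "555-0201", "approved": True},
]
PAYMENTS = [  # constructed, in the order the checks were issued
    {"check": 1001, "vendor": "V1", "amount": 4200.00},
    {"check": 1002, "vendor": "V2", "amount": 9950.00},
    {"check": 1004, "vendor": "V3", "amount": 3100.00},
    {"check": 1003, "vendor": "V2", "amount": 9990.00},
]

def vendor_employee_matches(vendors, employees):
    """(vendor, employee) pairs sharing an address or phone number."""
    return [(v["id"], e["id"]) for v in vendors for e in employees
            if v["address"] == e["address"] or v["phone"] == e["phone"]]

def similar_vendor_names(vendors, threshold=0.85):
    """Pairs of vendors whose normalized names are near-identical (assumed threshold)."""
    def norm(s):
        return "".join(c for c in s.lower() if c.isalnum())
    return [(a["id"], b["id"]) for i, a in enumerate(vendors) for b in vendors[i + 1:]
            if SequenceMatcher(None, norm(a["name"]), norm(b["name"])).ratio() >= threshold]

def out_of_sequence_checks(payments):
    """Check numbers that break the expected strictly increasing sequence."""
    nums = [p["check"] for p in payments]
    return [n for prev, n in zip(nums, nums[1:]) if n <= prev]

def limit_violations(payments, vendors, limit=10000.0):
    """Checks to unapproved vendors for amounts in the top 10% below the limit (assumed limit)."""
    approved = {v["id"]: v["approved"] for v in vendors}
    return [p["check"] for p in payments
            if not approved.get(p["vendor"], False) and 0.9 * limit <= p["amount"] < limit]
```

Each screen returns identifiers to investigate rather than a verdict; a match on address or phone is a red flag for a shell company, not proof of one.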
Physical security
Segregation of duties
Employee monitoring
Surprise audits
Job rotation
Examination of Documentation
[Diagram: roles shown: Quality Assurance, Programmer Analyst, Business Analyst]
Question
What is the MOST effective means of preventing fraud?
1. Effective internal controls
2. Fraud training program
3. Fraud hotline
4. Punishment when fraud is discovered
Question
Which of the following duties can be performed by one person in a well-controlled IS environment?
1. Software Developer and System Administration
2. Database administration and Data Entry
3. System Administrator and Quality Assurance
4. Quality Assurance and Software Developer
Question
A woman in the accounting department set up a vendor file with her own initials, and was able to steal more than $4M over 3 years. The auditor should have found that:
1. The vendor was a phony company
2. Purchases from the vendor did not result in inventory received
3. The initials for the vendor matched an employee in the accounting dept.
4. Management did not authorize new vendors with a separate phone call
External Fraud
Social Engineering
Check Fraud
Other Scams
From: The Art of the Steal, Frank Abagnale, Broadway Books, 2001 & Check Fraud: A Guide to Avoiding Losses
Social Engineering I
Email: The first 500 people to register at our Web site will win free tickets to
Please provide company email address and choose a password
Email: You received a message from Facebook. Follow this link to log in.
Social engineering: Getting people to do something they would not ordinarily do for a stranger
Social engineering is nearly 100% effective
The Art of Deception, Mitnick & Simon, Wiley, 2002
Social Engineering II
Telephone call from IT: Some company computers have been infected with a virus that the anti-virus software cannot fix. Let me walk you through the fix.
Telephone call from IT: We need to test a new utility to change your password.
Learns insider vocabulary and/or personnel names
Pretends to be a legitimate insider: I am <VP, IT, other branch, other dept>. Can you ?
Pretends a real transaction:
Helping: I am in trouble <or> you need help, because <my, your> computer is <virused, broke, busy, don't have one>. Can you <do, tell me> ?
Deception: Hides the real question among others.
Fraud Statistics
Businesses lose $400 billion a year to fraud = 2 x US military budget
1/3 of $400B is embezzlement = employees stealing from their employer
Next highest sources (KPMG 2000):
Check forgery
Credit cards
Fake invoices
Theft
Paychecks & Accounts Payable checks should not be printed on blank check paper
A laser printer is non-impact (ink does not go into the paper but sits on top), so the printing is easy to remove
Laser Lock or Toner Lock seals laser printing
Good Practices
Use larger printing: 12-point font
Reverse toner in software: white on black
Control check stock and guard checks
Check your bank statements: you have 30 days
The Art of the Steal, Frank W Abagnale, Broadway Books 2001
Fraud Scams
Get a receipt from the trash, then return a product
Copy a gift certificate and cash it in at multiple locations
Markdown sale prices reimbursed with a receipt copied and collected at multiple locations
Fake UPC numbers to pay low prices, then return at the higher price. If the receipt total is sufficient, the scam may work.
The Art of the Steal, Frank W Abagnale, Broadway Books 2001
Preventing Scams
Receipts must have security marks on them (e.g., two-colored ink on special paper, or better: thermochromatic ink)
Line-item detail on receipts and sales records in the company database
Garbage bins which may receive receipts should be protected from access (e.g., bank garbage bins)
Register gift certificates' unique numbers
Shredders should be used for any sensitive information
Protect against shoulder surfing or device attachment for card readers
The Art of the Steal, Frank W Abagnale, Broadway Books 2001
Study Questions
What are the key elements of fraud, and what techniques can be used to counteract these key elements?
What are the three categories of fraud?
What are the legal considerations of fraud?
Who commits fraud, and who commits the most expensive fraud?
What are the red flags of potential fraud?
How does social engineering occur, and how can it be prevented?
Apply the concept of segregation of duties.