COMPUTER FRAUD
ACCOUNTING IRREGULARITIES AND COMPUTER FRAUD
Irregularities and fraudulent activities are of much concern to the manager, the accountant and the auditor. Computer fraud alone is estimated to amount to more than $6 billion a year in this country. Accountants know very little about fraud in general and computer fraud in particular because, traditionally, if the auditor suspects fraud, he declines the engagement, and if he comes across fraudulent activities, he withdraws from the engagement. In addition, less than 25% of all white-collar crimes are ever reported, making it very difficult to study and analyze cases of fraud. In fact, many believe that thousands of large-scale computer crimes may still be going on without anyone knowing about them. Many fraudulent acts, particularly computer crimes, have been discovered not through regular audits, but by someone reporting them and exposing the perpetrators.
Pronouncements
Statements on Auditing Standards (SAS) Nos. 53, 54 and 55, released in July 1988, deal with the auditor's updated responsibilities for detecting and reporting errors, irregularities and illegal acts (1). They are effective as of January 1, 1989, for the issues of fraud and illegal acts, and as of January 1, 1990, for the internal control requirements.
The issuance of these statements is very timely and important for auditors in light of high dollar-value lawsuits charging auditors with negligence in detecting certain fraudulent activities. In many instances, the court did not accept the argument that the purpose of an audit is not the detection of fraud. These recent pronouncements provide clearer guidelines for the auditor.
Computer Crime
More attention must be paid to computer crime, as the losses related to these crimes can be staggering.
In the wake of an increase in computer crimes, Congress in 1980 passed a bill making unauthorized acts in, around or with a computer criminal offenses subject to prosecution and punishment. These acts may include the introduction of fraudulent records or data into a computer system; unauthorized use of computer-related facilities; the alteration or destruction of information or files; and stealing money, property, services, financial instruments and valuable data.
Areas of Fraud
It is not surprising to note that the discovered cases of fraud basically cover all areas within an organization. Fraud is known to have occurred in the areas of petty cash, purchasing and accounts payable, invoicing and accounts receivable, personnel and payroll, lapping on cash collections, inventory manipulation and abuse, or simply kickbacks of various kinds (2).
The following classification of computer crime gives us a good focus on the specific areas of computer fraud (3). Tampering with the equipment is a computer crime. This could take the form of fraudulent representation of a system's capabilities or simply stealing or damaging some computer hardware.
Tampering with media is another form of computer crime. Instances of removing computer tapes, input data or checks for personal gain abound. The third case of computer crime deals with tampering with software. This could be either tampering with operating system software or application program software. A change in an operating system could result in serious and unrecoverable damage. A simple change to a program routine could result in overpayment and miscalculation of items such as interest, dividend, deductions and other critical items.
Tampering with files is another form of computer crime. The criminal in this case goes to the file itself and changes critical items such as his (or someone else's) credit rating, pay rate, balance due or other data. The last group of computer crimes deals with tampering with data and transactions. Data could simply be entered erroneously at its source. Items such as the number of hours worked, the number of items received, or the amount to be credited to a customer or an employee account could be changed, resulting in overpayments or an undeserved reduction in an account's balance.
Who Commits Computer Crime?
Computer criminals come from different ranks, including many individuals who were data processing operators, data entry clerks, accounting personnel, programmers, supervisors and managers (4).
Data processing operators who had easy access to programs, documentation and files were able to tamper with the equipment, media and reports. Data entry clerks and accountants whose input was not checked could tamper with data being entered into the system. Programmers who had easy access to the production copy of the program and to program documentation, and whose work was not adequately supervised and checked, were able to tamper with programs and add or delete certain routines. Data processing supervisors who could do things in place of or in conjunction with their employees were able to override many controls which are normally achieved through separation of duties and other controls. Managers and executives who got involved in computer crime did so mainly to manipulate income and report a higher income level than the actual one.
What is particularly revealing is that the average computer criminal is the first-time offender: he/she is relatively honest in other dealings and associations and is often motivated to take this devious route in order to beat the system.
Where is Computer Crime Committed?
The various cases revealed indicate that no particular stratum of society is spared from the scourge of computer crime, and society needs to deal with this phenomenon at various levels. Computer crime is committed in corporations, in banks and savings and loan associations, and in the federal, state and local governments. Revealed cases indicate that computer crime at the corporate level has been much larger than that discovered at the federal and state levels, whereas crime at banks and savings associations falls somewhere in between.
Examples of Computer Crime
The following are among the landmarks in computer crime and serve as important reminders of how no level of organization and no type of organization is immune to computer criminal activities. The Equity Funding Case is the largest example of computer crime in history. The direct loss from this crime is estimated to be around $200 million, while the indirect loss is estimated to amount to over $2 billion. The case involves top management and a number of key employees who got involved in a scheme of creating phony insurance policies to the extent that over two-thirds of policies issued were phony. Through this scheme the firm was able to boost the value of its shares and defraud a substantial number of investors.
A case dealing with tampering with credit history involves a dishonest employee of a credit reporting agency who regularly contacted people with poor credit ratings and changed their credit history for a fee. There are also many examples of programmers who were able to defraud organizations through adding a routine which allowed an increase in their pay, reduction of their withholdings or elimination of their receivable balances.
A number of cases in banks deal with tampering with data and files by tellers or branch supervisors who withdrew money from customer accounts. Still others achieved their goal by entering deposits manually in the customer's savings book and pocketing the cash received.
Many discovered cases deal with inventory manipulations. Items not received may be considered received, vendor balances may be changed, vendor history files may be tampered with, minimum/maximum balances may be changed and outstanding balances may be tampered with. In the latter cases, we see a number of tampering situations with files, data, documentation and passwords.
A New Look at Computer Crime
In the absence of an adequate documented history of computer crime, and given the traditional auditor's approach to cases involving fraud, there is insufficient data to form concrete conclusions on how such crimes need to be prevented or detected. Ernst & Whinney has come up with what they call "The Fraud Cube" (5). It is suggested that computer crime has three dimensions, relationship, expertise and motivation, which are explained below in that order.
Computer fraud can be perpetrated by those within an organization and by people outside the organization. Computer fraud may be committed by those who have a high level of expertise on how the system works, or by a novice who only gains access to certain files or transactions. Finally, computer fraud may be committed through manipulation of information or misappropriation of assets such as theft of trade secrets or destruction of assets.
Dealing With Computer Fraud
Ernst & Whinney suggests a three-level line of defense in dealing with computer crime: prevention, detection and limitation. Within each category, the auditor must be conversant with the administrative, physical and technical aspects of the problem (6). Management information systems textbooks as well as some advanced auditing texts discuss these issues at length, and we will discuss them here very briefly.
The administrative controls on fraud prevention include security checks on personnel, segregation of duties and program authorization. Security checks on personnel should reveal any prior criminal history. Proper segregation of duties among data processing employees and between data processing and user departments avoids potential fraud situations. Program authorization procedures ensure that no changes are made to programs without the authorization of the user department.
Physical controls for fraud prevention are suggested to include inconspicuous location and controlled access to facilities. An inconspicuous location helps protect the computer facility from intruders. Controlled access to the facility by use of keys or magnetic cards and/or use of security guards and wearing of clearance badges physically restricts unauthorized users from unauthorized entry.
Technical aspects of preventive control include encoding of data and access control software and passwords. Encoding involves intermixing of data or other similar procedures to inhibit intruders from finding out what a firm's sensitive or confidential data are. Access control software and passwords restrict unauthorized access to terminals, programs and files. More advanced password schemes use sophisticated ways of dealing with intruders through changing of passwords, masking of passwords, preassigning of passwords, termination of access when unauthorized entry is attempted and use of multi-level passwords for entry to a program, file, record or even a certain field within a record.
The detection line of defense is also divided into administrative, physical and technical aspects. On the administrative side, access and execution logs reveal who has accessed the system and executed a program by time and location. Regular review of such logs may detect fraudulent activities. Program testing may also be conducted to verify approved program changes before allowing implementation.
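The administrative log review described above, as an added example that is not part of the original article: constructed access and execution log lines are checked for a non-operator running a production program (a segregation-of-duties violation), for off-hours execution, and for execution from a terminal location that is not approved. The log format, program names, roles and terminal names are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed execution-log lines (assumed format): timestamp, user, role, program, terminal
LOG_LINES = [
    "1989-01-05 09:12 user=jdoe role=operator prog=PAYROLL01 term=DP-ROOM",
    "1989-01-05 21:47 user=asmith role=programmer prog=PAYROLL01 term=DP-ROOM",
    "1989-01-06 10:05 user=mlee role=clerk prog=ARPOST term=ACCTG-3",
    "1989-01-07 02:30 user=jdoe role=operator prog=APCHECKS term=REMOTE-7",
]

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"prog=(?P<prog>\S+) term=(?P<term>\S+)"
)

# Assumed control data: which programs are production, who may run them, and from where
PRODUCTION_PROGRAMS = {"PAYROLL01", "APCHECKS", "ARPOST"}
ROLES_ALLOWED_TO_RUN_PRODUCTION = {"operator", "clerk"}
APPROVED_TERMINALS = {"DP-ROOM", "ACCTG-3"}


def review(lines, start_hour=7, end_hour=19):
    """Return (finding, user, program) triples for every log line that breaks a rule.

    Each line is checked, in order, for: a role that may not execute production
    programs (segregation of duties), execution outside business hours, and
    execution from a terminal location that is not approved.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            # A line the reviewer cannot parse is itself worth a look
            findings.append(("unparseable", line, ""))
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M")
        user, prog = m["user"], m["prog"]
        if prog in PRODUCTION_PROGRAMS and m["role"] not in ROLES_ALLOWED_TO_RUN_PRODUCTION:
            findings.append(("segregation_of_duties", user, prog))
        if not (start_hour <= ts.hour < end_hour):
            findings.append(("off_hours", user, prog))
        if m["term"] not in APPROVED_TERMINALS:
            findings.append(("unapproved_location", user, prog))
    return findings
```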
On the physical side, the detection procedures include using computer room guards and limiting entry to computer facilities through the use of entry logs, special entry keys and the wearing of identification badges. From a technical point of view, the detection line of defense covers the following. Use of transaction logs provides the instrument for detecting both accidental and fraudulent data errors. Use of batch or hash totals of critical fields, agreed between the users and the computer operation, provides a valuable means of dealing with errors discovered during the data entry and processing phases. Source code comparison programs compare one source code version to another, revealing whether the program has been tampered with or not.
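The batch and hash totals described above, as an added example that is not code from the original article: the user department computes control totals over a constructed payroll batch (record count, batch total of hours, hash totals of employee numbers and pay rates), and the same totals are recomputed over the batch as processed. The tampering cases from the article (inflated hours, an altered pay rate, a phony employee substituted for a real one) each disturb a different total; the record layout and field choices are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PayrollRecord:
    employee_no: int
    hours: float
    pay_rate: float


def control_totals(batch):
    """Totals the user department and the computer operation each compute independently.

    hours_total is a batch total (a meaningful sum); employee_hash and rate_hash are
    hash totals, sums that mean nothing by themselves but change when any record is altered.
    Pay rates are summed in cents so the hash total is an exact integer.
    """
    return {
        "count": len(batch),
        "hours_total": round(sum(r.hours for r in batch), 2),
        "employee_hash": sum(r.employee_no for r in batch),
        "rate_hash": sum(round(r.pay_rate * 100) for r in batch),
    }


def reconcile(user_totals, processed_batch):
    """Return the names of the totals that do not agree between the user department
    and the batch as actually processed; an empty list means the batch reconciles."""
    computed = control_totals(processed_batch)
    return sorted(name for name in user_totals if user_totals[name] != computed[name])


# Constructed sample batch as submitted by the user department (not real data)
SUBMITTED = [
    PayrollRecord(1001, 40.0, 15.00),
    PayrollRecord(1002, 38.5, 22.50),
    PayrollRecord(1003, 42.0, 18.75),
]
USER_TOTALS = control_totals(SUBMITTED)

# Hours inflated for employee 1003: caught by the batch total of hours
TAMPERED_HOURS = SUBMITTED[:2] + [PayrollRecord(1003, 62.0, 18.75)]
# Pay rate raised for employee 1003: hours still agree, caught by the pay-rate hash total
TAMPERED_RATE = SUBMITTED[:2] + [PayrollRecord(1003, 42.0, 28.75)]
# Real employee replaced by a phony one with identical hours and rate: only the
# employee-number hash total reveals the substitution
PHONY_EMPLOYEE = SUBMITTED[:2] + [PayrollRecord(1999, 42.0, 18.75)]
```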
Limitation is the third line of defense against computer crime. From an administrative point of view, rotation of duties in data processing can limit fraud losses, since an individual who is moved to another area will probably not be able to continue the fraud. Transaction limits are administrative ceilings on transactions that may limit fraud losses. Physical limitation can include pre-printed limits on checks or purchase orders, and data backup measures limit potential losses in case of file destruction. Limitation of loss from a technical standpoint can include various checks that place limits on potential errors.
SAS 53
Implementation of SAS No. 53 is an important step that can guide the auditor in understanding the circumstances under which fraudulent activities can occur. The auditor is cautioned to use skepticism in his judgment in conjunction with any engagement to avoid potential losses and embarrassments resulting from the client's irregularities and fraudulent activities.
SAS 53 cautions the auditor to be cognizant of the risk factors with respect to management characteristics, operating and industry characteristics and engagement characteristics. Management characteristics include operating and financing decisions dominated by one single person; unduly aggressive management attitudes toward financial reporting; high management turnover, particularly among senior accounting employees; management placing undue emphasis on meeting earnings projections; and poor management reputation in the business community. If a management group exhibits some of these characteristics, the auditor must be quite skeptical in accepting and auditing such an engagement.
SAS 53 identifies the following operating and industry characteristics which must be scrutinized in conjunction with an engagement: lower or inconsistent profitability relative to other firms; high sensitivity of operating results to economic factors such as inflation, interest rates, unemployment, etc.; rapid rate of change in industry; decentralized organization with inadequate monitoring; and internal or external factors that raise substantial doubt about the ability of the firm to continue as a going concern. The auditor must use skepticism with regard to these operating and industry characteristics as well.
SAS 53 also cautions the auditor to be skeptical when the following engagement characteristics are present: many difficult or unresolved accounting issues; significant and unusual related party transactions; significant misstatements in prior year financial statements; or a new client with inadequate prior audit history.
A further note of caution relates to computerized entities. The auditor is cautioned to watch for conditions that indicate lack of control of activities; lack of control over computer processing; and inadequate procedures for security of assets or data.
The purpose of SAS 53 is primarily to protect the auditor, by refusing engagements where the risk of fraud is high or by discovering cases of fraud when such engagements are accepted. SAS 55 deals with internal control matters which are of significance from the auditor's point of view. The pronouncement deals with the control environment, the accounting system and the control procedures which the auditor should address in measuring the adequacy and reliability of internal controls before an engagement is accepted.
Conclusion
Considering the difficulty in detecting fraudulent activities, particularly in a computerized entity, the auditor is well advised to be skeptical in the acceptance and implementation of audit engagements. Special attention must be paid to the adequacy and reliability of compliance testing in conjunction with an engagement. Awareness and familiarity with preventive, detective and corrective controls are of special significance when reviewing the reliability and sufficiency of internal controls.
