FRAUD DETECTION & CONTROL

COMPUTER BASED FRAUDS

© Paul Lower and Henry Hardoon 2010

Computer Fraud

Henry Hardoon ACA, FCCA, FAIA, CMC, APM, MIIT

Chartered Accountant & Chartered Management Consultant
COMPUTER BASED FRAUD
-CBF

By…

Henry Hardoon
CBF - Intro

  Computer fraud is a fraud related to information technology,

electronic commerce, etc. Computer fraud also known as
“cyber fraud”, is increasing rapidly with the increase in use of
internet by the people.
CBF - statistics

•  Top Ten Countries By Count (Perpetrators)

in 2009
• United States 66.1%; United Kingdom 10.5%; Nigeria 7.5%

• Canada 3.1%; China 1.6%; South Africa 0.7%; Ghana 0.6%

• Spain 0.6%; Italy 0.5%; Romania 0.5%

CBF - statistics
CBF - statistics
Amount Lost by Selected Fraud Type
for Individuals Reporting Monetary Loss 2009

Complaint Type Percentage of Of those who reported a loss the

Reported Total Average (median) $ Loss per
Loss Complaint

Check Fraud 7.8% $3,000.00

Confidence Fraud 14.4% $2,000.00

Nigerian Letter Fraud 5.2% $1,650.00

Computer Fraud 3.8% $1,000.00

Non-delivery (merchandise and 28.6% $800.00

payment)

Auction Fraud 16.3% $610.00

Credit/Debit Card Fraud 4.7% $223.00

CBF perpetrators - statistics
77.4% were male and
50% resided in one of the following states: California, New
York, Florida, Texas, District of Columbia, and Washington.
The majority of reported perpetrators
(66.1%) were from the United States;
however, a significant number of perpetrators where also
located in the United Kingdom , Nigeria , Canada , China,
and South Africa.
CBF targets - statistics
55.4% were male, nearly half were between the ages of 30
and 50 and one-third resided in one of the four most
populated states: California, Florida, Texas, and New York.

A number of complaints from Canada, United Kingdom,

Australia, India, and France.

Males lost more money than females (ratio of $1.69 dollars

lost per male to every $1.00 dollar lost per female). This
may be a function of both online purchasing differences by
gender and the type of fraudulent schemes by which the
individuals were victimized.
E-mail (74.0%) and web pages (28.9%) were the two
primary mechanisms by which the fraudulent contact took
place.
CBF – Cost to Economy

•  NFA reveals true cost of fraud in UK is £30bn a

year

• The figures issued by the NFA equate to £621 for every adult in the
UK. The report from the agency set up in October 2008 to take charge
of fighting fraud, is the UK's first comprehensive survey into the crime .
CBF - Intro

 Computer fraud is any dishonest misrepresentation of fact

intended to let another to do or refrain from doing something
which causes loss.[citation needed] In this context, the fraud will
result in obtaining a benefit by:

• altering computer input in an unauthorized way. This requires

little technical expertise and is not an uncommon form of theft
by employees altering the data before entry or entering false
data, or by entering unauthorized instructions or using
unauthorized processes;
CBF - Intro

 
• altering or deleting stored data;

• altering or misusing existing system tools or software

packages, or altering or writing code for fraudulent purposes.
This requires real programming skills and is not common.

• Other forms of fraud may be facilitated using computer

systems, including bank fraud, identity theft, extortion, and 
theft of classified information.
CBF - examples

Common types of computer fraud include:

• Establishing phony accounts. 

• Draining established accounts.

• Changing ownership of assets or shipping assets to false addresses. 

• Purchasing assets for private use, 

• Creating phantom sales transactions, 

• Giving individuals personal credentials or rewards, they have not

earned. 
CBF types
There are various types of computer frauds [also known as
cyber frauds] which are follows:

•Hackers [Hacking].

•Viruses.

•Fraud.

•Phreakers.

•Data fiddling

•Crackers

•Violation of privacy, etc.

Hacking

• Every year, huge amounts of funds are generated from

illegal activities. These funds are mostly in the form of
cash. Section 66 Clause (1) of the Information Technology
Act, 2000 defines hacking as follows:

“Whoever with the intent to cause or knowing that he is likely

to cause wrongful loss or damage to the public or any
person destroys or deletes or alters any information
residing in a computer resource or diminishes its value or
utility or affects it injurious by any means, commits
hacking”.
Viruses

• Presently, the most notorious type of computer fraud is

creation of computer viruses.

• A virus usually affects numerous computer systems and

usually is transferred from one system to another.

• A virus may occur through transfer of disks or any other kind

of storage devices.

• A virus can be in variety of forms. One of the less harmful

types others are of dangerous kinds which can corrupt data.
Viruses- What to do?

 Use antivirus software

 Use alerts to tell you when antivirus software is out of date

 Ensure users are vigilant in downloading files

 Prevent users from downloading files

 Only load CD’s and DVD’s from a reputable source or check

them on a standalone machine first

 Update personnel skills

Malware

• Malware, short for malicious software, is software designed

to infiltrate a computer system without the owner's
informed consent.

• Examples- infections that install key-loggers on the PCs of

website visitors

• Financial institutions are particularly susceptible to

keylogging attacks as account numbers and passwords
entered at banks' websites can immediately be captured by
a keylogger. You tube video – key logger scam
Malware – What to do?

 Configure computers correctly

 Prepare for the impact of third party application exploits

 Maintenance of default configurations 

 Update personnel skills

Fraud

• Fraud is defined as any behavior by which one person

intends to gain a dishonest advantage over another. In
other words fraud is an act or omission which is intended to
cause wrongful gain to one person & wrongful loss to the
other either by way of concealment of facts or otherwise.
Phreaking

• Phreaking is a slang term coined to describe the activity of a

subculture of people who study, experiment with, or explore
telecommunication systems; such as equipment and systems
connected to public telephone networks. As telephone
networks have become computerised, phreaking has become
closely linked with computer hacking. This is sometimes called
the H/P culture (with H standing for Hacking and P standing
for Phreaking).

• The term "phreak" is a portmanteau of the words "phone" and

"freak", and may also refer to the use of various audio
frequencies to manipulate a phone system.
Harassment

• Harassment covers a wide range of offensive behavior. It is

commonly understood as behavior intended to disturb or
upset. In the legal sense, it is behavior which is found
threatening or disturbing. Harassment is words, conduct, or
actions directed at a specific person that annoys, alarms,
or causes a lot of emotional distress for no legitimate
purpose.
Data Fiddling

• Data Fiddling is the changing of data before or during entry

into the computer system. Examples include forging or
counterfeiting documents used for data entry and
exchanging valid disks and tapes with modified
replacements. This kind of an attack involves altering the
raw data just before it is processed by a computer and then
changing it back after the processing is completed.
Crackers

• A computer professional who gains illegal access into

computers by hacking passwords is known as a cracker.
Instead of a hacker – cracker dichotomy, they give more
emphasis to a spectrum of different categories, such as
white hat (ethical hacking), grey hat, black hat and script
kiddie.

•  
Crackers cont…

•  White hat

• A white hat hacker breaks security for non-malicious

reasons, for instance testing their own security system. This
type of hacker enjoys learning and working with computer
systems, and consequently gains a deeper understanding of
the subject. Such people normally go on to use their hacking
skills in legitimate ways, such as becoming security
consultants. The word 'hacker' originally included people like
this, although a hacker may not be someone into security.
Crackers cont…

•  Grey hat

• A grey hatted hacker is a hacker of ambiguous ethics

and/or borderline legality, often frankly admitted.
Crackers cont…

•  Black hat
• A black hat hacker, sometimes called "cracker", is
someone who breaks computer security without
authorization or uses technology (usually a computer,
phone system or network) for vandalism, credit card fraud,
identity theft, piracy, or other types of illegal activity.
Crackers cont…

• Script kiddie

• A script kiddie is a non-expert who breaks into computer

systems by using pre-packaged automated tools written by
others, usually with little understanding. These are the
outcasts of the hacker community.
Violation of privacy

• When an individual wants to keep a data or information

hidden and for his or own private use is said have kept it
private.
Importance of Red Flags

• Red flags are warnings that something

could be or is wrong.
• Auditors, employees, and management need to be aware
of red flags in order to monitor the situation and then take
corrective action as needed.

• Employees who notice that red flags are ignored may

mistakenly believe that it is okay to game the system or
that they won’t get caught.

• A little fraud soon becomes a large one if left to grow.

Red Flags

• What Red flags can you think of?

Red Flags of computer fraud
• Employee Red Flags

I. Employee lifestyle changes: expensive cars, jewellery,

homes, clothes

II. Significant personal debt and credit problems

III. Behavioural changes: these may be an indication of drugs,

alcohol, gambling, or just fear of losing the job

IV. High employee turnover, especially in those areas which

are more vulnerable to fraud

V. Refusal to take vacation or sick leave

VI. Lack of segregation of duties in the vulnerable area

Red Flags of computer fraud
• Management Red Flags

I. Reluctance to provide information to auditors

II. Managers engage in frequent disputes with auditors

III. Management decisions are dominated by an individual

or small group

IV. Managers display significant disrespect for regulatory

bodies
Red Flags of computer fraud
• Management Red Flags cont...

I. There is a weak internal control environment

II. Accounting personnel are lax or inexperienced in their

duties

III. Decentralisation without adequate monitoring

IV. Excessive number of checking accounts

Red Flags of computer fraud
• Management Red Flags – cont...

I. Frequent changes in banking accounts

II. Frequent changes in external auditors

III. Company assets sold under market value

IV. Significant downsizing in a healthy market

Red Flags of computer fraud
• Management Red Flags – cont...

I. Continuous rollover of loans

II. Excessive number of year end transactions

III. High employee turnover rate

IV. Unexpected overdrafts or declines in cash balances

Red Flags of computer fraud
• Management Red Flags – cont...

I. Refusal by company or division to use serial numbered

documents (receipts)

II. Compensation program that is out of proportion

III. Any financial transaction that doesn’t make sense - either

common or business

IV. Service Contracts result in no product

V. Photocopied or missing documents

Red Flags of computer fraud
• Management Red Flags – cont...

I. Frequent changes in banking accounts

II. Frequent changes in external auditors

III. Company assets sold under market value

IV. Significant downsizing in a healthy market

V. Continuous rollover of loans

Red Flags of computer fraud
• Changes in Behaviour “Red Flags”

• The following behaviour changes can be “Red Flags” for

Embezzlement:

I. Borrowing money from co-workers

II. Creditors or collectors appearing at the workplace

III. Gambling beyond the ability to stand the loss

IV. Excessive drinking or other personal habits

Red Flags of computer fraud
• Changes in Behaviour “Red Flags”

I. Easily annoyed at reasonable questioning

II. Providing unreasonable responses to questions

III. Refusing vacations or promotions for fear of detection

IV. Bragging about significant new purchases

V. Carrying unusually large sums of money

VI. Rewriting records under the guise of neatness in

presentation
Red Flags of computer fraud

• Cash/Accounts Receivable

Since cash is the asset most often misappropriated, local

government officials and auditors should pay

I. close attention to any of these warning signs.

II. Excessive number of voids, discounts and returns

III. Unauthorized bank accounts

IV. Sudden activity in a dormant banking accounts

Red Flags of computer fraud

• Cash/Accounts Receivable cont...

I. Taxpayer complaints that they are receiving non-payment

notices

II. Discrepancies between bank deposits and posting

III. Abnormal number of expense items, supplies, or

reimbursement to the employee

IV. Presence of employee checks in the petty cash for the

employee in charge of petty cash

V. Excessive or unjustified cash transactions

Red Flags of computer fraud
• Cash/Accounts Receivable cont...

I. Large number of write-offs of accounts

II. Bank accounts that are not reconciled on a timely basis

Red Flags of computer fraud
• Red Flags in Payroll

• Red flags that show up in payroll are generally worthy of

looking into. Although payroll is usually an automated
function, it is a vulnerable area, especially if collusion is
involved.

I. Inconsistent overtime hours for a cost centre

II. Overtime charged during a slack period

Red Flags of computer fraud
• Red Flags in Payroll cont..

I. Overtime charged for employees who normally would not

have overtime wages

II. Budget variations for payroll by cost centre

III. Employees with duplicate Social Security numbers, names,

and addresses (UK Only)

IV. Employees with few or no payroll deductions

Red Flags of computer fraud
• Red Flags in Purchasing/Inventory

I. Increasing number of complaints about products or service

II. Increase in purchasing inventory but no increase in sales

III. Abnormal inventory shrinkage

IV. Lack of physical security over assets/inventory

Red Flags of computer fraud
• Red Flags in Purchasing/Inventory
cont..

I. Charges without shipping documents

II. Payments to vendors who aren’t on an approved vendor

list

III. High volume of purchases from new vendors

IV. Purchases that bypass the normal procedures

Red Flags of computer fraud
• Red Flags in Purchasing/Inventory
cont...

I. Vendors without physical addresses

II. Vendor addresses matching employee addresses

III. Excess inventory and inventory that is slow to turnover

IV. Purchasing agents that pick up vendor payments

rather than have it mailed
Red Flags of computer fraud
• Red Flags in other areas

I. Creating fictitious employees and collecting the pay

cheques (impersonation)

II. Recording fictitious transactions on the books to

cover up theft

III. No supporting documentation for adjusting entries

Red Flags of computer fraud
• Red Flags in other areas cont...

I. Incomplete or untimely bank reconciliations

II. Increased customer complaints

III. Write-offs of inventory or cash shortages with no

attempt to determine the cause

IV. Unrealistic performance expectations

Red Flags – next steps..
• What is the effect on the business at hand? Sometimes red
flags that have no financial impact may not require a
change in procedure. Remember though, that a red flag is
a warning that something is or could be wrong. If you
discover fraud, then an investigation is usually the next
step. If it is just an error, then steps should be taken to
correct the error and a procedure or follow up should be
initiated to prevent it from occurring again.
Red Flags – prevention v costs
• Financial analysis has several applications when red
flags are present. The most common is to determine

• what effect it has on the conduct of the local government.

For example, what is the potential as well as the historical
loss as the result of the red flag? What is the cost to
prevent a potential loss from occurring and what will it cost
to recoup the identified loss?
Controlling CBF
• How many ways can you think to control Computer Fraud:

• A resources problem?

• A people problem?

• A systems problem?

• A culture problem?

• A country problem?

• A global problem?
Auditing around the computer

Henry Hardoon ACA, FCCA, FAIA, CMC, APM, MIIT

Chartered Accountant & Chartered Management Consultant
Using auditors to control CBF
Internal auditing involves:

• A review of the reliability and integrity of financial and

operating information

• A review of the controls employed to safeguard assets

• An assessment of employees' compliance with

management policies, procedures and applicable laws and
regulations

• An evaluation of the efficiency and effectiveness with which

management achieves its organizational objectives.

• Evaluating the effectiveness of existing policies, procedures

and controls. 
Using auditors to control CBF
cont…
For internal audits to be effective, it is important to have a
competent internal audit department

Training Computer Auditors

• Training of computer auditors is seen as a perennial

problem within the profession. The questionnaire sought to
establish how computer audit skills are achieved. On-the-
job experience was rated most important, with professional
examinations being considered least important of the six
methods specified on the questionnaire.
Using auditors to control CBF
cont…
For internal audits to be effective, it is important to have a
competent internal audit department

Training Internal auditors

The AICPA's new audit standard on fraud, SAS No. 82, is

designed to help auditors detect material fraud resulting
from fraudulent financial reporting and misappropriation of
assets and also to clarify for users and practitioners the
auditors' responsibilities for detecting fraud.
Using staff and management to
control CBF

• Provide training to directors and senior managers on how

to identify and monitor these fraud risks and handling fraud
situations. 

• Provide training to company employees on how to identify,

communicate and handling uncovered fraudulent
activities. 
Using effective deterrents to
control CBF
Develop formal guidelines concerning the actions to be taken
against the perpetrator of a computer fraud.

All dishonest acts should be investigated, and the guilty

should be prosecuted and dismissed immediately. The very
existence of these policies deters fraud and enhances internal
control.
Using HR to control CBF
• Computer Fraud: A People Problem?

If organisations are to counter computer fraud, they must

adopt suitable personnel procedures to deter computer
crime. 

The most important consideration is to hire and retain

honest people.

Selecting employees with high integrity. Companies should

have an applicant fill out a written application, solicit
resumes and letters of reference, and obtain credit bureau
reports on the applicant. 
Auditing with the Computer

Henry Hardoon ACA, FCCA, FAIA, CMC, APM, MIIT

Chartered Accountant & Chartered Management Consultant
Using CAAT’s to control CBF
– Computer programs (interrogation software) have been
developed that identify red flags of computer fraud and can
even quantify it.

– As early as 1982 CAATs was a powerful audit tool for

detecting financial errors.

– In the last 10 years use of CAATs standard practice.

– Audit software permits auditors to obtain a quick overview of

the business operations and drill down into the details of
specific areas of interest.

– CAATs can perform 100% at minimal costs

– Allows continuous monitoring

Using CAAT’s to control CBF
Some examples of routines that can identify red flags include:

•No of complaints

•Computer-based comparisons of object and source versions

•Lots of deleted transactions

•Lots of Journals

•No of transactions per month

Using CAAT’s to control CBF
Some examples of routines that can identify red flags include:

– comparing actual vs. budgeted expenditures for to

determine unusual patterns;

– duplicate or non existent Social Security numbers for

employees or vendors;

– comparing employee addresses with vendor addresses

to identify employees that are also vendors;

–  searching for duplicate check numbers to find

photocopies of company checks;
Using CAAT’s to control CBF
Some examples of routines that can identify red flags include:

– searching for vendors with post office boxes for

addresses;

– analyzing the sequence of all transactions to identify

missing checks or invoices;

– identifying vendors with more than one vendor code or

more than one mailing address;

– Unusual patterns of overtime payments;

Using CAAT’s to control CBF
Some examples of routines that can identify red flags include:

– finding several vendors with the same mailing address;

– sorting payments by amount to identify transactions

that fall just under financial control on contract limits;

–  patterns such as negative entries in inventory received

fields;

–  voided transactions followed by "No Sale,“;

–  or a high percentage of returned items.

Using computer controls to control
CBF cont…
Another simple digital analysis technique is to search for invoices
with even sterling/dollar amounts, such as 200.00 or 5,000.00. The
existence of particular even amounts may be a symptom of fraud and
should be examined.
Case Study: Even Amounts
Travel expenses had always been a concern for the auditors of X
Company since it was an area where the controls were weak.
Employees had a maximum per diem rate when travelling but had to
submit receipts to cover the actual expenses. Maximums were also
established for meals: breakfast $10.00, lunch $20.00, dinner $30.00,
and hotel lodging $100.00. The auditors configured the audit software
to identify meal expenses that were multiples of $10.00. These
transactions were compared to receipts to ensure that the amounts
expensed were appropriate. A detailed review determined that many
travelers were charging the maximum rates for meals even though
their receipts did not justify the amounts.
Using computer controls to control
CBF cont…
Case Study: Doctored Bills
The auditors reviewed the patient billing system at Company Y to
determine if the appropriate charges were being assessed by health
care providers. An initial analysis of the data was performed to
calculate the ratio of the highest and lowest charges for each
procedure. A judgment was made those procedures with a max/min
ratio of greater than 1.30 be noted and subjected to additional review.
For a particular quarter, three procedures had ratios higher than 1.30,
the highest being 1.42. A filter was used to identify the records
related to the three procedures in question, and additional analysis
was performed. This quickly determined that one doctor was
charging significantly more than the other doctors for the same
procedures. A comparison of charges from the billing system with
payments in the accounts receivable system revealed that the doctor
was skimming off the patient payments. The amount recorded in the
receivable system was in line with the usual billing amount for the
procedures. The doctor was unable to justify the higher prices or
explain the difference in the billing and the receivable systems.
Using computer controls to control
CBF cont…
Case Study: Contracting Kickbacks
Jonathan, one of the contracting officers, had devised a great win/win
kickback scheme. The auditors decided to use digital analysis as part
of their review of the contracting section. One of the analyses
calculated the total contract amount by supplier for each of the past
two years. A ratio of current year to previous year was calculated and
the minimum, maximum, average, and highest and lowest five ratios
were displayed. While the average was close to 1.0, the highest and
lowest five values showed that some companies had significant
decreases in business, while others had experienced significant
increases in business.
The auditors reviewed the details of all companies that had a ratio of
less than 0.7 or more than 1.30. For companies with an increase in
business, the results revealed that Jonathan had raised many of the
contracts and he had raised no contracts with the companies that
had seen a decrease in business. Salesmen said that they were told
they would only get business if they paid Jonathan a kickback.
Using auditors to control CBF
Carrying out more frequent audits

A second technique for minimizing fraud risk is to intensify

internal audits. Most crimes go undetected and often last
for some time before being discovered. One way to
increase the likelihood of detecting fraud is to conduct
more frequent internal audits [7,10]. Internal auditors can
provide an independent appraisal of the effectiveness of
internal controls and the quality of managerial performance
in carrying out assigned responsibilities.
Using risk analysis to control CBF
The use of risk analysis in the prevention of computer fraud is
important. There should be control procedures over staff in
high-risk areas-

Prevent staff from working out periods of notice

Compel staff to take holidays (it is important that all

employees who have custody of assets or are responsible for
sensitive record keeping or authorization functions take an
annual vacation). 

Make use of special vetting or periodic job rotation among key

employees.

Firms should not place a high level of trust in their employees

who operate in high-risk areas.
Computer controls

Henry Hardoon ACA, FCCA, FAIA, CMC, APM, MIIT

Chartered Accountant & Chartered Management Consultant
Using computer controls to control
CBF
Computer controls is of two kinds. Physical access controls
and logical access controls. Physical access controls has to
do with physical security measures taken to protect the
computer, for example, keeping the computer in a locked
room.

Logical access controls are those measures taken to limit the

use of computer and its resources. More information on
computer controls can be found on this
websitehttp://www.isaca.org they have sections that can be
accessed by non-members or better still, you can register with
them to get more benefit.
Using Physical access controls to
control CBF
• Physical access controls

– Lock and Key

– CCTV

– Biometric Web Based systems

Using Logical access controls to
control CBF
• Logical access controls

– Biometric Web Based systems

– Passwords

– Access rights
Using computer controls to control
CBF
• Spyware gets onto your system through
the manipulation of a technology
called ActiveX
 Use software to control to Stop Spyware (which is often
used in computer fraud) 

 Use Software to Automatically block Malicious ActiveX,

which hackers and identity thieves will use to gain entrance
to your PC and commit computer fraud.
Using computer controls to control
CBF cont…
• Spyware gets onto your system through
the manipulation of a technology
called ActiveX
 Use software to designate which websites get certain
privileges.

 Use software to Intercept Malicious File Downloads

 Use Software to warn of dangerous Web sites

 Use Software to force changes in passwords periodically

 Use Software like FraudBreaker to that captures your

transaction data and performs real time checks on a wide
range of risk factors. 
Using computer controls to control
CBF cont…
FraudBreaker allows you to:

•Assign weight factors to all the risk elements you configure

FraudBreaker to check. FraudBreaker then measures and
correlates all individual risk scores and calculates the overall risk
factor on your transactions.

•Set up rules that allow you to correlate fraud elements with AND-

OR-NOT logic

•Set up accept/reject/manual review thresholds

•Configure and blacklists  whitelists

•And get detailed reports and statistics as a spreadsheet for

custom analysis.

http://www.fraudbreaker.com/fraudbreaker-hosted-fraud-detection-software
Using substantive testing to control
CBF
Input/output reconciliations

Installation review

Test packs
Using Embedded audit facilities
Embedded Audit Modules are utilised to monitor ongoing
processes and to discreetly alert internal auditors to possible
irregularities, errors or weak areas.

These include:

•i. Snapshots: This technique involves taking a picture of a

transaction as it flows through the computer systems. Audit
software routines are embedded at different points in the
processing logic to capture images of the transaction as it
progresses through the various stages of the processing.
Such a technique permits auditors to track data and evaluate
the computer processes applied to the data.
Using Embedded audit facilities
These include:

• ii. System Control Audit Review File: This involves

embedding audit software modules within an application
system to provide continuous monitoring of the system‘s
transactions. The information is collected into a special
computer file that the auditors can examine.
Setting up formal procedures to
control CBF
A lack of formal procedures specifically designed to combat
computer fraud appears to leave many organizations relatively
unprepared and unprotected.

Employees should know the rules and standards required by

the company. The company should prepare clearly stated
policies that explicitly describe honest and acceptable
behaviour, covering all issues from conflicts of interest to the
acceptance of gratuities. 

Defining and documenting a company ethic/fraud policy

addressing company expectations from employees,
customers, suppliers and stake holders. 
Using segregation of duties to
control CBF
• The most effective internal control is to segregate tasks
among employees so that no single employee can both
perpetrate and conceal a fraud or an unintentional error. In
particular, the authorization, recording and custody of
assets functions must be separated to effectively
segregate the duties.
Using segregation of duties to
control CBF
• In highly integrated computer-based accounting
information systems, procedures that might otherwise be
performed by separate individuals may be combined within
the computer processing function. Any person who has
unrestricted access to the computer can both perpetrate
and conceal fraud.
Using segregation of duties to
control CBF
Authority and responsibility must be clearly divided among the
following functions:

• Application systems analysis and programming

• Computer operations

• Systems programming

• Transaction authorization

• File library maintenance and data control.

• With an effective separation of duties, it will be difficult for an

employee to embezzle funds.
Supervision to control CBF
Effective supervision that (a) assists employees engaged in
operating or data processing tasks, (b) monitors the
effectiveness with which employees carry out their assigned
tasks and (c) safe-guards assets by watching over employees
who have access to assets. Supervision is an important
means of control in organizations that are too small to afford
adequate separation of duties for internal control purposes.  
Using internal controls to control
CBF
 

•Control procedures are preventive, detective or corrective in

nature. Preventive controls are the most important, because
they eliminate problems before they occur. Many control
problems can be prevented by hiring honest, well-trained
individuals, appropriately segregating duties, effectively
controlling physical access to facilities, utilizing well-designed
documents and authorizing transactions.
Using internal controls to control
CBF
 

•Detective controls discover problems after they arise and

include double checking calculations, periodic performance
reporting that highlights variances between actual and
standard costs, reporting past due accounts or out-of-stock
inventory items, preparing bank reconciliations and verifying
the use of pre-numbered documents. Detective control
procedures are a necessary part of any effective control
system because all potential control problems cannot be
prevented.
Using internal controls to control
CBF
 

•Corrective controls remedy problems discovered by detective

controls. They include procedures to identify the cause of a
problem, correct errors arising from the problem and modify
the system so that future errors may be minimized or
eliminated. One such procedure is to maintain backup copies
of key transaction and master files so that damaged or
destroyed files can be restored.
Corporate Culture FACT
Enron happened because of individual and collective greed—
company, its employees, analysts, auditors, bankers, rating
agencies and investors—didn’t want to believe the company
looked too good to be true
Setting up a culture to control CBF
Management's attitude toward internal control can be a very
important fraud deterrent.

Statements and actions by management become apparent to

all members of the organization.

If management considers internal control to be important, other

members of the organization will strive harder to adhere to
control policies and procedures in order to accomplish the
organization's objectives.

Fraud is much less likely to occur in an environment where

company employees believe that security is everyone's
business. 
Setting up a culture to control CBF
The ethical values of an organization play an important role in
both detecting and minimizing the occurrences of fraudulent
activities.

Assist senior management in the development and

establishment policy to encourage the reporting of fraudulent
activities and protect the 'whistleblowers'?
Setting up a culture to control CBF
• Many companies incorporate their key ethical values into a
formal policy document, typically referred to as a “code of
ethics” or “code of conduct.” Establishing and
communicating such a code is an excellent way to ensure
that employees and business associates understand the
corporate values and

• the expected behaviors in support of those values.

Communicating this code

• often includes training programs that further articulate the

conduct and

• behaviors expected of all company employees and, in many

cases, of those who do business with the company.
Setting up a culture to
control CBF cont…
• Many companies incorporate their key ethical values into a
formal policy document, typically referred to as a “code of
ethics” or “code of conduct.”

• Establishing and communicating such a code is an

excellent way to ensure that employees and business
associates understand the corporate values and the
expected behaviors in support of those values.

• Communicating this code often includes training programs

that further articulate the conduct and behaviors expected
of all company employees and, in many cases, of those
who do business with the company.

• Set up an independent committee to set up the code

What's in a code of ethics
A code of ethics or code of conduct commonly includes
specific segments that address:

■ Behaving with honesty and integrity.

■ Complying with laws and regulations.

■ Disclosing/reporting conflicts of interest.

■ Maintaining confidentiality of information.

■ Receiving or giving gifts.

■ Reporting instances of company code violations.

■ Using company assets and resources.

Reward honesty to control CBF
Corporate practices to prevent employee fraud include hiring
and retaining honest individuals.

The company should consistently recognize and publicly

reward honesty. A high standard of integrity accompanied by a
policy of recognition and rewards will reduce the temptation to
commit fraud.
Thank you !