Download Fraud - University of Wisconsin–Parkside: Computer Science

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
Document related concepts
no text concepts found
Transcript 
Fraud
The Environment of Fraud
Preventing Internal Fraud
External Fraud
Acknowledgments
Material is from:
 Essentials of Corporate Fraud, T L Coenen, John Wiley & Sons, 2008
 The Art of the Steal, Frank Abignale, Broadway Books, 2001
 CISA Review Manual, 2009
 Check Fraud: A Guide to Avoiding Losses
 The Art of Deception, Mitnick & Simon, Wiley & Sons, 2002
Author: Susan J Lincke, PhD
Univ. of Wisconsin-Parkside
Reviewers:
Funded by National Science Foundation (NSF) Course, Curriculum and
Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit,
Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations expressed in this
material are those of the author(s) and/or source(s) and do not necessarily
reflect the views of the National Science Foundation.
The Problem

Internal Fraud Recovery


$0 Recovered
Recovery<=25%
Substantial Recovery

Organizations lose 5-6%
of revenue annually due
to internal fraud = $652
Billion in U.S. (2006)
Average scheme lasts 18
months, costs $159,000
25% costs exceed $1M
Smaller companies suffer
greater average $ losses
than large companies
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Internal or Occupational Fraud
Definition
 Violates the employee’s fiduciary
responsibility to employer
 Is done secretly and is concealed
 Is done to achieve a direct or indirect
benefit
 Costs the organization assets, revenue, or
opportunity
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Fraud Categories
Categories
% of Cases,
$ Average
Examples
Asset Misappropriation
91%
$150,000
Theft of checks, cash, money orders, inventory, equipment,
supplies, info
31%
$538,000
Bribe to accept contractor bid or Kickback, Collusion, Bid
rigging.
Extortion: threat of harm if demand not met;
False Billing: Providing lower quality, overcharging
Conflict of interest in power decision
Corporate espionage: Sell secrets
Bribery &
Corruption
Financial
Statement
Fraud
10%
$2,000,000
Revenue Overstatement: False sales
Understating Expenses: Delayed or capitalization of
expenses
Overstating Assets: No write down of uncollectable
accounts, obsolete inventory, …
Understating Liabilities: Not recording owed amounts
Misapplication of Accounting Rules, etc.
Vocabulary
Skimming: Taking funds before they are recorded into company
records
Cash Larceny: Taking funds (e.g., check) that company recorded as
going to another party
Lapping: Theft is covered with another person’s check (and so on)
Check Tampering: Forged or altered check for gain
Shell Company: Payments made to fake company
Payroll Manipulation: Ghost employees, falsified hours, understated
leave/vacation time
Fraudulent Write-off: Useful assets written off as junk
Collusion: Two or more employees or employee & vendor defraud
together
False Shipping Orders or Missing/Defective Receiving Record:
Inventory theft
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Legal Considerations of Fraud

Intentionally false representation
 Not
an error
 Lying or concealing actions
 Pattern of unethical behavior
Personal material benefit
 Organizational or victim loss

Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Key Elements of Fraud
Motivation: Need or
perceived need
Opportunity: Access
to assets,
information,
computers, people
Rationalization:
Justification for
action
Motivation
3 Key
Elements
Opportunity
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Rationalization
How Fraud is Discovered
%
How Fraud is Discovered
40
35
30
25
20
15
10
5
0
Tip
By Accident
Internal Audit
Internal
Controls
External Audit
Notified by
Police
Some fraud is discovered via multiple reporting methods,
Thus results do not sum to 100%
Tips come from Employee 64%, Anonymous 18%, Customer 11%, Vendor 7%
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
After Fraud Discovered
Discipline May include
repayment
Termination
of Employment
Civil or Criminal
legal action
Why Fraud not Reported to Law Enforcement
50
%
40
30
20
10
0
Fear of bad publicity
Internal discipline
sufficient
Private settlement
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Too costly to pursue
Who Does Fraud?


Most $$$ internal frauds committed by longer-tenured,
older, and more educated staff
Executives commit most expensive fraud: $1M



Men & women commit fraud in nearly equal proportions,
but men’s are more expensive:





4.5 times more expensive than managers: $218K
13 times more expensive than line employees
Men’s average: $250k (or 4x)
Women’s average: $120k
92% have no criminal convictions related to fraud
To steal a lot of money, you must have a position of
power and access: highly degreed > HS grad, older >
younger people
Collusion dramatically increases duration and $ loss for
fraud
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Discussion Points
What types of fraud could computer
programmers or system administrators
commit?
 For each type of fraud, what methods may
help to prevent such fraud?

Example 1:
Financial Statement Fraud
Dunlap of Sunbeam had such high
expectations that employees needed to
meet the standards or be fired. To meet
his high standards, it was necessary to
play the game, and financial statement
fraud was accepted.
Methods of such fraud may include: manual
adjustments to accounts or improper
accounting procedures
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Example 2: Corruption
The Chief Financial Officer had divisional
controllers who oversaw various regions.
When one controller left, the CFO
permanently took over her responsibilities.
Checks and balances between the two
positions were violated, and the CFO was
able to embezzle from the company.
Temporary assumption of some
responsibilities may have been acceptable
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Example 3:
Asset Misappropriation
A manager took money from one account,
and when payment was due, paid via
another account. When that was due, she
paid via a third account, etc.
This lapping went on for years and was
finally caught when a sickness resulted in
her being absent from work for an
extended period.
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Detecting &
Preventing Fraud
How to Recognize Fraud
How to Prevent Fraud
Info. Systems Applications
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Fraud & Audit




Audits are not designed to detect fraud
Goal: Determine whether the financial statement
is free from material misstatements.
Auditors test only a small fraction of transactions
Auditors must:
 Be
aware of the potential of fraud
 Discuss how fraud could occur
 Delve into suspicious observations and report them
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Red Flags


Significant change in lifestyle: New wealth
Financial difficulties may create need
 Gambling
or drug addiction
 Infidelity is an expensive habit





Criminal background
Chronic legal problems: person looks for trouble
Dishonest behavior in other parts of life
Beat the system: Break rules commonly
Chronically dissatisfaction with job
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Work Habits of Fraudsters
One or more:
 Justifying poor work habits
 Desperately trying to meet performance
goals
 Over-protective of certain documents
(poor sharing or avoids documentation)
 Refusal to swap job duties
 Consistently at work in off-time (early or
late) or never absent
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Potential Transaction Red Flags
Unusual transactions:
 Unusual timing, too frequent or infrequent
 Unusual amount: too much or too little
 Unusual participant: involves unknown or
closely-related party
 Voided checks or receipts, with no explanation
 Insufficient supervision
 Pattern of adjustments to accounts
 Different addresses for same vendor, or vendors
with similar names
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Fraud Control Types
After Fraud
Corrective
Controls:
Fix problems
and prevent
future problems
Includes:
Punishment->
Amend controls
Time of
Fraud
Detective Controls:
Finding fraud when it
occurs
Includes:
Anonymous hotline*->
Surprise audits*->
Monitoring activities->
Complaint or fraud
investigation
Before Fraud:
***BEST***
Preventive Controls**:
Preventing fraud
Includes:
Risk assessment
Develop internal controls
Physical security & data security
Authorization (Passwords, etc)
Segregation of duties
Fraud education
Techniques to Discourage Fraud
Realistic job expectations
Adequate pay
Motivation Training in job duties
Key
Elements
Segregation of duties
Checks and balances Opportunity
Job rotation
Physical security of assets
Background checks
Mandatory vacations
Examination of required documentation
Trained in policies
and procedures
Rationalization Policy enforcement
Sr. Mgmt models
ethical behavior
to customers, vendors,
employees, share
holders
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Segregation of Duties
Authorization
Distribution
Approves
Acts on
Origination
Double-checks
CISA Review Manual 2009
Verification
Compensating Controls
When Segregation of Duties not possible, use:
 Audit Trails
 Transaction Logs: Record of all transactions in a
batch
 Reconciliation: Ensure transaction batches are not
modified during processing
 Exception reporting: Track rejected and/or
exceptional (non-standard) transactions
 Supervisory or Independent Reviews
Separation of duties: authorization, distribution,
verification
CISA Review Manual 2009
Software to Detect Fraud





Provide reports for customer credits, adjustment
accounts, inventory spoilage or loss, fixed-asset writeoffs.
Detect unusual anomalies such as unusual amounts or
patterns
Compare vendor addresses and phone numbers with
employee data
Use Range or Limit Validation to detect fraudulent
transactions
Logged computer activity, login or password attempts,
data access attempts, and geographical location data
access.
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Red flags software can detect







Out-of-sequence checks
Large number of voids or refunds made by
employee or customer
Manually prepared checks from large company
Payments sent to nonstandard (unofficial)
address
Unexplained changes in vendor activity
Vendors with similar names or addresses
Unapproved vendor or new vendor with high
activity
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Encourage Security in IT
Departments






Physical security
Segregation of duties
Employee monitoring
Surprise audits
Job rotation
Examination of
Documentation
Quality
Assurance
Programmer
Analyst
Business
Analyst
Business Application Checks
Checks locked up; access restricted
 Physical inventory of checks at least every
quarter
 New accounts payable vendors’ existence
and address double-checked by
management
 Returned checks sent to PO Box and
evaluated by someone independent of
Accts Payable

The Art of the Steal, Frank Abignale,
Broadway Books 2001
Question
What is the MOST effective means of
preventing fraud?
1. Effective internal controls
2. Fraud training program
3. Fraud hotline
4. Punishment when fraud is discovered
Question
1.
2.
3.
4.
A woman in the accounting department set up a
vendor file with her own initials, and was able
to steal more than $4 M after 3 years. The
auditor should have found that:
The vendor was a phony company
Purchases from the vendor did not result in
inventory received
The initials for the vendor matched an
employee in the accounting dept.
Management did not authorize new vendors
with a separate phone call
Question
1.
2.
3.
4.
What is: Origination, Authorization, Distribution,
Verification?
Four stages of software release
Recommended authority allocations for access
control
Stages for development of a Biometric Identity
Management System (BIMS)
Categories for Segregation of Duties
External Fraud
Social Engineering
Check Fraud
Other Scams
From: The Art of the Steal, Frank
Abignale, Broadway Books 2001 &
Check Fraud: A Guide to Avoiding
Losses
Social Engineering I
Email:
 The first 500 people to register at our Web site will win
free tickets to …
 Please provide company email address and choose a
password

You received a message from Facebook. Follow this
link … log in.

Social engineering: Getting people to do something they
would not ordinarily do for a stranger
Social engineering is nearly 100% effective

The Art of Deception, Mitnick & Simon,
Wiley, 2002
Social Engineering II
Telephone call from ‘IT’:
 Some company computers have been
infected with a virus that the anti-virus
software cannot fix. Let me walk you
through the fix…
 We need to test a new utility to change
your password…
Social Engineering III
Phone call 1:
 “I had a great experience at your store. Can you tell me
manager’s name, address?”
Phone call 2:
 “This is John from X. I got a call from Alice at your site
wanting me to fax a sig-card. She left a fax number but I
can’t read it can you tell me? What is the code?
 “You should be telling me the code…”
 “That’s ok, it can wait. I am leaving but Alice won’t get
her information…”
 “The code is … “
Phone call or fax 3:
 “I need … Code is …”
Social Engineering Techniques



Learns insider vocabulary and/or personnel
names
Pretends legit insider: “I am <VP, IT, other
branch, other dept>. Can you …?”
Pretends real transaction:
 Helping:
I am in trouble <or> you need help due to …
 <My,Your> computer is <virused, broke, busy, don’t
have one>. Can you <do, tell me> …?
 Deception: Hides real question among others.

Establishes relationship: Uses friendliness to
gain trust for future tasks
The Art of Decption, Mitnick & Simon,
Wiley 2002
Combating Social Engineering
Verification Procedure
 Verify requester is who
they claim to be
 Verify the requester is
currently employed in the
position claimed.
 Verify role is authorized
for request
 Record transaction
Organization security
 Data classification
defines treatment
 Policies define guidelines
for employee behavior
 Employees trained in
roles, need-to-know, and
policies
Fraud Statistics



Businesses lose $400 Billion a year in fraud = 2
x US military budget
1/3 of $400B is embezzlement = employees
stealing from employer
Next highest sources (KPMG 2000)
 Check
forgery
 Credit cards
 Fake invoices
 Theft

$350 Billion for counterfeit goods
The Art of the Steal, Frank W Abagnale,
Broadway Books 2001
Check Fraud Examples
Altered Checks: Chemicals are used to erase the payee or amount,
then re-printed OR check is appended to.
 An Argentinian modified a ticket-overpayment refund check from
Miami, changing a $2 check to $1.45 Million
Counterfeit Checks or Identity Assumption
 Someone in your checkout line views your check, or does yard work
for you
 Fishes in a business’s in-mailbox or home’s out-mail for a check
 Checks can be purchased on-line or mail order
Telemarketing Fraud:
 “You’ve won a prize” or “Would you like to open a VISA?” “Now give
me your account information.”
Hot Check: “Insufficient Funds”
 90% of ‘insufficient funds’ checks are numbered between 101 and
200
 account opening year is printed on check
The Art of the Steal, Frank W Abagnale,
Broadway Books 2001
Be Careful Printing Checks!


Paychecks & Accounts Payable should not be printed on
blank check paper
Laser printer is non-impact (ink does not go into paper
but sits on top)



Matrix printer puts ink into the paper


Easy to remove printing
‘Laser Lock’ or ‘Toner Lock’ seals laser printing
Chemical ‘washing’ removes the print
Good Practices




Use larger printing: 12 font
Reverse toner in software: white on black
Control check stock and guard checks
Check your bank statements – you have 30 days
The Art of the Steal, Frank W Abagnale,
Broadway Books 2001
Check Security Features
Watermark: Subtle design viewable at 45-degree angle toward
light. Cannot be photo-copied
Void Pantograph: Background pattern of checks. When photocopied, the background patter disappears or prints ‘VOID’
Chemical Voids: When check is treated with eradicator
chemical, the word VOID appears
Microprinting: When magnified, the signature or check border
appears to be written words. The resolution is too fine for a
photo-copier
3-Dim. Reflective Holostripe: Metallic stripe contains at least
one hologram, similar to credit card.
Security ink: React to eradication chemicals, distorting check
Thermochromic Ink: Ink reacts to heat and moisture by fading
and reappearing
Check Fraud: A Guide to Avoiding
Losses
Processing Money Orders
Money order information provides info on
a ready checking account
 Non-negotiable incoming wire account
prevents out-going checks

I would like to send you a
money order. What is your
account number?
THANK YOU SO MUCH!!!
The Art of the Steal, Frank W Abagnale,
Broadway Books, 2001
Fraud Scams




Get a receipt from the trash, ‘return’ a product
Copy gift certificate and cash in at multiple
locations
Markdown sale prices reimbursed with receipt –
copied and collected at multiple locations
Fake UPC numbers to pay low prices then return
at higher price. If receipt total is sufficient, scam
may work.
The Art of the Steal, Frank W Abagnale,
Broadway Books 2001
Preventing Scams






Receipts must have security marks on them (e.g., twocolored ink on special paper, or better: thermochromatic
ink)
Line-item detail on receipts and sales records in
company database
Garbage bins which may receive receipts should be
protected from access (e.g., bank garbage bins)
Register gift certificates – unique numbers
Shredders should be used for any sensitive information
Protect against shoulder surfing or device attachment for
card readers
The Art of the Steal, Frank W Abagnale,
Broadway Books 2001
Study Questions







What are the key elements of fraud, and what
techniques can be used to counteract these key
elements?
What are the three categories of fraud?
What are the legal considerations of fraud?
Who commits fraud, and who commits the most
expensive fraud?
What are the red flags of potential fraud?
How does social engineering occur, and how can it be
prevented?
Apply the concept of segregation of duties.
Related documents
Consumer Fraud
Consumer Fraud
Consumer Advisory
Consumer Advisory
Locking down your web storefront
Locking down your web storefront
Combatting_fraud_and_corruption
Combatting_fraud_and_corruption
PRIVACY_IN_COMPUTINGbyWill
PRIVACY_IN_COMPUTINGbyWill
Lesson 3
Lesson 3
ing of accuracy for timely decisions, and social issues (privacy, discrimina-
ing of accuracy for timely decisions, and social issues (privacy, discrimina-
Privacy and Information Week 5
Privacy and Information Week 5
types of fraud - Sector Source
types of fraud - Sector Source
Insurance Fraud - Opal Consulting, LLC
Insurance Fraud - Opal Consulting, LLC
Information Quality Issues
Information Quality Issues
Employee fraud - CPA Australia
Employee fraud - CPA Australia
Information Security for Organizations and Accounting
Information Security for Organizations and Accounting
Cost Sensitive Credit Card Fraud Detection Using
Cost Sensitive Credit Card Fraud Detection Using
Investigation Section - Association of Certified Fraud Examiners
Investigation Section - Association of Certified Fraud Examiners
Introduction to Information Technology Introduction: Business and Information Technology (continue...) 2
Introduction to Information Technology Introduction: Business and Information Technology (continue...) 2
Intelligent Financial Fraud Detection Practices: An Investigation
Intelligent Financial Fraud Detection Practices: An Investigation
Chapter 6 – Yield Management
Chapter 6 – Yield Management
5 - Leadership Project Managers.ppt
5 - Leadership Project Managers.ppt
CHAPTER 1 - Department of Accounting and Information Systems
CHAPTER 1 - Department of Accounting and Information Systems