Accounting Information Systems 9th Edition


Computer-Based Information Systems Controls
Learning Objectives

1. Describe the threats to an AIS and discuss why these threats are growing.
2. Explain the basic concepts of control as applied to business organizations.
3. Describe the major elements in the control environment of a business organization.

Learning Objectives, continued

4. Describe control policies and procedures commonly used in business organizations.
5. Evaluate a system of internal accounting control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.
6. Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.

Threats to Accounting Information Systems

What are examples of natural and political disasters?
– fire or excessive heat
– floods
– earthquakes
– high winds
– war

Threats to Accounting Information Systems

What are examples of software errors and equipment malfunctions?
– hardware failures
– power outages and fluctuations
– undetected data transmission errors

Threats to Accounting Information Systems

What are examples of unintentional acts?
– accidents caused by human carelessness
– innocent errors or omissions
– lost or misplaced data
– logic errors
– systems that do not meet company needs

Threats to Accounting Information Systems

What are examples of intentional acts?
– sabotage
– computer fraud
– embezzlement

Why are AIS Threats Increasing?

– Increasing numbers of client/server systems mean that information is available to an unprecedented number of workers.
– Because LANs and client/server systems distribute data to many users, they are harder to control than centralized mainframe systems.
– WANs are giving customers and suppliers access to each other's systems and data, making confidentiality a concern.

Overview of Control Concepts

What is the traditional definition of internal control?
Internal control is the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies.

Overview of Control Concepts

What is management control?
Management control encompasses the following three features:
1. It is an integral part of management responsibilities.
2. It is designed to reduce errors and irregularities and to achieve organizational goals.
3. It is personnel-oriented and seeks to help employees attain company goals.

Internal Control Classifications

The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
1. Preventive, detective, and corrective controls
2. General and application controls
3. Administrative and accounting controls
4. Input, processing, and output controls

The Foreign Corrupt Practices Act

– In 1977, Congress incorporated language from an AICPA pronouncement into the Foreign Corrupt Practices Act.
– The primary purpose of the act was to prevent the bribery of foreign officials in order to obtain business.
– A significant effect of the act was to require corporations to maintain good systems of internal accounting control.

Committee of Sponsoring Organizations

The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:
1. American Accounting Association
2. American Institute of Certified Public Accountants
3. Institute of Internal Auditors
4. Institute of Management Accountants
5. Financial Executives Institute

Committee of Sponsoring Organizations

In 1992, COSO issued the results of a study to develop a definition of internal controls and to provide guidance for evaluating internal control systems. The report has been widely accepted as the authority on internal controls.

Committee of Sponsoring Organizations

The COSO study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:
– effectiveness and efficiency of operations
– reliability of financial reporting
– compliance with applicable laws and regulations

Committee of Sponsoring Organizations

COSO's internal control model has five crucial components:
1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring

Information Systems Audit and Control Foundation

– The Information Systems Audit and Control Foundation (ISACF) recently developed the Control Objectives for Information and related Technology (COBIT).
– COBIT consolidates standards from 36 different sources into a single framework.
– The framework addresses the issue of control from three vantage points, or dimensions:
1. Information: needs to conform to certain criteria that COBIT refers to as business requirements for information
2. IT resources: people, application systems, technology, facilities, and data
3. IT processes: planning and organization, acquisition and implementation, delivery and support, and monitoring

The Control Environment

The first component of COSO's internal control model is the control environment. The control environment consists of many factors, including the following:
1. Commitment to integrity and ethical values
2. Management's philosophy and operating style
3. Organizational structure
4. The audit committee of the board of directors
5. Methods of assigning authority and responsibility
6. Human resources policies and practices
7. External influences

Control Activities

The second component of COSO's internal control model is control activities. Generally, control procedures fall into one of five categories:
1. Proper authorization of transactions and activities
2. Segregation of duties
3. Design and use of adequate documents and records
4. Adequate safeguards of assets and records
5. Independent checks on performance

Proper Authorization of Transactions and Activities

– Authorization is the empowerment management gives employees to perform activities and make decisions.
– A digital signature or digital fingerprint is a means of signing a document with a piece of data that cannot be forged by anyone who does not hold the signer's private key; it ties the authorization to a specific person and document.
– Specific authorization is the granting of authorization by management for certain activities or transactions.

Segregation of Duties

– Good internal control demands that no single employee be given too much responsibility.
– An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.

Segregation of Duties

Custodial functions: handling cash, handling assets, writing checks, receiving checks in the mail
Recording functions: preparing source documents, maintaining journals, preparing reconciliations, preparing performance reports
Authorization functions: authorization of transactions

Segregation of Duties

If two of these three functions are the responsibility of a single person, problems can arise. Segregation of duties:
– prevents employees from falsifying records in order to conceal theft of assets entrusted to them (custody combined with recording);
– prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset theft (custody combined with authorization);
– prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized (authorization combined with recording).

Design and Use of Adequate Documents and Records

– The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data.
– Documents that initiate a transaction should contain a space for authorization.

Design and Use of Adequate Documents and Records

The following procedures safeguard assets from theft, unauthorized use, and vandalism:
– effectively supervising and segregating duties
– maintaining accurate records of assets, including information
– restricting physical access to cash and paper assets
– having restricted storage areas

Adequate Safeguards of Assets and Records

What can be used to safeguard assets?
– cash registers
– safes, lockboxes
– safety deposit boxes
– restricted and fireproof storage areas
– controlling the environment
– restricted access to computer rooms, computer files, and information

Independent Checks on Performance

Independent checks that ensure transactions are processed accurately are another important control element.

Independent Checks on Performance

What are various types of independent checks?
– reconciliation of two independently maintained sets of records
– comparison of actual quantities with recorded amounts
– double-entry accounting
– batch totals

Independent Checks on Performance

Five batch totals are used in computer systems:
1. A financial total is the sum of a dollar field.
2. A hash total is the sum of a field that would usually not be added.
3. A record count is the number of documents processed.
4. A line count is the number of lines of data entered.
5. A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.

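The five batch totals above, recomputed over a keyed batch and compared with the control totals prepared before keying. This is an added example, not material from the textbook or its slides; the invoice records and the miskeyed variant are constructed sample data, and the `Invoice` layout (header amount plus detail lines) is an assumption made so that the cross-footing test has rows and columns to compare.

```python
"""Batch control totals: recompute the totals on a keyed batch and compare them
with the control totals prepared before keying. Added example; the invoice
records below are constructed sample data, not figures from the textbook."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    """One document in the batch. line_items holds (category, cents) pairs."""
    invoice_no: int
    customer_id: int
    amount_cents: int          # total keyed from the invoice header
    line_items: tuple          # detail lines keyed from the invoice body


# Constructed sample batch as the clerk keyed it.
SAMPLE_BATCH = (
    Invoice(1001, 4401, 12_500, (("goods", 10_000), ("freight", 2_500))),
    Invoice(1002, 4417, 8_000, (("goods", 8_000),)),
    Invoice(1003, 4401, 3_250, (("service", 3_000), ("tax", 250))),
)

# Constructed: the same batch, but customer 4417 on invoice 1002 was keyed
# as 4471 (a transposition). The dollar amount is unchanged, so only a hash
# total over the customer field can catch it.
MISKEYED_BATCH = (
    SAMPLE_BATCH[0],
    Invoice(1002, 4471, 8_000, (("goods", 8_000),)),
    SAMPLE_BATCH[2],
)


def batch_totals(batch):
    """The four additive batch totals from the slide.

    financial total: sum of a dollar field (amount_cents)
    hash total:      sum of a field that is not normally added (customer_id);
                     the number means nothing, it only has to match
    record count:    number of documents processed
    line count:      number of detail lines entered
    """
    return {
        "financial_total": sum(inv.amount_cents for inv in batch),
        "hash_total": sum(inv.customer_id for inv in batch),
        "record_count": len(batch),
        "line_count": sum(len(inv.line_items) for inv in batch),
    }


def cross_foot(batch):
    """Cross-footing balance test. Rows are invoices (their keyed header
    amounts); columns are line-item categories summed across the batch.
    Both grand totals must agree, or a header amount or a detail line was
    keyed wrongly. Returns (ok, row_grand_total, column_grand_total)."""
    row_grand = sum(inv.amount_cents for inv in batch)
    columns = {}
    for inv in batch:
        for category, cents in inv.line_items:
            columns[category] = columns.get(category, 0) + cents
    column_grand = sum(columns.values())
    return row_grand == column_grand, row_grand, column_grand


def verify_batch(batch, control_totals):
    """Independent check: recompute the totals on what was keyed and return
    the names of the totals that disagree with the pre-keying control totals.
    An empty list means the batch may be released for processing."""
    actual = batch_totals(batch)
    return [name for name, expected in control_totals.items()
            if actual.get(name) != expected]


if __name__ == "__main__":
    controls = batch_totals(SAMPLE_BATCH)      # stands in for the control slip
    print("clean batch mismatches:", verify_batch(SAMPLE_BATCH, controls))
    print("miskeyed batch mismatches:", verify_batch(MISKEYED_BATCH, controls))
    print("cross-foot:", cross_foot(SAMPLE_BATCH))
```

The control totals must be computed by someone other than the person who keys the batch (the independence the slide refers to); a total computed from the keyed data itself can only ever agree with it.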
Risk Assessment

The third component of COSO's internal control model is risk assessment. Companies must identify the threats they face:
– strategic: doing the wrong thing
– financial: having financial resources lost, wasted, or stolen
– information: faulty or irrelevant information, or unreliable systems

Risk Assessment

Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:
1. Choosing an inappropriate technology
2. Unauthorized system access
3. Tapping into data transmissions
4. Loss of data integrity
5. Incomplete transactions
6. System failures
7. Incompatible systems

Risk Assessment

Some threats pose a greater risk because their probability of occurrence is higher. For example, a company is more likely to be the victim of a computer fraud than of a terrorist attack.
Risk (the probability that a threat occurs) and exposure (the potential loss if it does) must be considered together.

Estimate Costs and Benefits

– No internal control system can provide foolproof protection against all internal control threats; the cost of a foolproof system would be prohibitively high.
– One way to calculate the benefit of a control involves calculating expected loss:
Expected loss = risk × exposure
– The benefit of a control procedure is the difference between the expected loss without the control procedure(s) and the expected loss with it. A control is worth implementing when that benefit exceeds its cost.

Information and Communication

The fourth component of COSO's internal control model is information and communication.
Accountants must understand the following:
1. How transactions are initiated
2. How data are captured in machine-readable form or converted from source documents
3. How computer files are accessed and updated
4. How data are processed to prepare information
5. How information is reported
All of these items make it possible for the system to have an audit trail. An audit trail exists when individual company transactions can be traced through the system.

Monitoring Performance

The fifth component of COSO's internal control model is monitoring.
What are the key methods of monitoring performance?
– effective supervision
– responsibility accounting
– internal auditing

Computer Controls and Security
Learning Objectives

1. Identify and explain the four principles of systems reliability and the three criteria used to evaluate whether the principles have been achieved.
2. Identify and explain the controls that apply to more than one principle of reliability.
3. Identify and explain the controls that help ensure that a system is available to users when needed.
4. Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.
5. Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.
6. Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.

The Four Principles of a Reliable System

1. Availability of the system when needed.
2. Security of the system against unauthorized physical and logical access.
3. Maintainability of the system as required without affecting its availability, security, and integrity.
4. Integrity of the system to ensure that processing is complete, accurate, timely, and authorized.

The Criteria Used To Evaluate Reliability Principles

For each of the four principles of reliability, three criteria are used to evaluate whether or not the principle has been achieved.
1. The entity has defined, documented, and communicated performance objectives, policies, and standards that achieve each of the four principles.
2. The entity uses procedures, people, software, data, and infrastructure to achieve each principle in accordance with established policies and standards.
3. The entity monitors the system and takes action to achieve compliance with the objectives, policies, and standards for each principle.

Controls Related to More Than One Reliability Principle

• Strategic planning and budgeting
• Developing a systems reliability plan
• Documentation
Documentation may be classified into three basic categories:
• Administrative documentation: describes the standards and procedures for data processing.
• Systems documentation: describes each application system and its key processing functions.
• Operating documentation: describes what is needed to run a program.

Availability

Minimizing systems downtime
• Preventive maintenance
• UPS (uninterruptible power supply)
• Fault tolerance
Disaster recovery plan, whose objectives are to:
• minimize the extent of disruption, damage, and loss
• temporarily establish an alternative means of processing information
• resume normal operations as soon as possible
Disaster recovery, continued
• Train and familiarize personnel with emergency operations
• Priorities for the recovery process
• Insurance
• Backup data and program files
• Electronic vaulting
• Grandfather-father-son concept
• Rollback procedures
• Specific assignments
• Backup computer and telecommunication facilities
• Periodic testing and revision
• Complete documentation

Developing a Security Plan

Developing and continuously updating a comprehensive security plan is one of the most important controls a company can implement.
What questions need to be asked?
• Who needs access to what information?
• When do they need it?
• On which systems does the information reside?

Segregation of Duties Within the Systems Function

– In a highly integrated AIS, procedures that used to be performed by separate individuals are combined.
– Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.
– To combat this threat, organizations must implement compensating control procedures.
Authority and responsibility must be clearly divided among the following functions:
1. Systems administration
2. Network management
3. Security management
4. Change management
5. Users
6. Systems analysis
7. Programming
8. Computer operations
9. Information system library
10. Data control
It is important that different people perform these functions. Allowing a person to perform two or more of them exposes the company to the possibility of fraud.

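A conflict check for both segregation-of-duties slides: the custody / recording / authorization groups from the accounting section, and the ten systems functions above, each of which must be held by a different person. This is an added example and not the textbook's own material; the role assignments are constructed sample data, and the activity names are spellings chosen here for the functions the slides list.

```python
"""Segregation-of-duties conflict check. Added example: the role assignments
below are constructed sample data; the function groups come from the slides."""

# Incompatible function groups from the "Segregation of Duties" slides.
ACCOUNTING_GROUPS = {
    "custody": {"handle_cash", "handle_assets", "write_checks",
                "receive_checks_in_mail"},
    "recording": {"prepare_source_documents", "maintain_journals",
                  "prepare_reconciliations", "prepare_performance_reports"},
    "authorization": {"authorize_transactions"},
}

# The ten systems functions that the slides say must be held by different
# people: each is its own group, so holding any two of them is a conflict.
SYSTEMS_FUNCTIONS = (
    "systems_administration", "network_management", "security_management",
    "change_management", "users", "systems_analysis", "programming",
    "computer_operations", "information_system_library", "data_control",
)
SYSTEMS_GROUPS = {f: {f} for f in SYSTEMS_FUNCTIONS}


def find_conflicts(assignments, groups):
    """Return {person: sorted list of groups held} for every person holding
    activities from two or more incompatible groups.

    assignments: {person: set of activities}
    groups:      {group name: set of activities in that group}
    Activities not listed in any group are ignored; they are not
    incompatible with anything defined here."""
    activity_to_group = {a: g for g, acts in groups.items() for a in acts}
    conflicts = {}
    for person, activities in assignments.items():
        held = {activity_to_group[a] for a in activities if a in activity_to_group}
        if len(held) >= 2:
            conflicts[person] = sorted(held)
    return conflicts


# Constructed sample assignments.
ACCOUNTING_ASSIGNMENTS = {
    # custody + recording: can take a receipt and adjust the journal to hide it
    "alice": {"receive_checks_in_mail", "maintain_journals"},
    "bob": {"authorize_transactions"},
    # two recording activities only: no conflict
    "carol": {"prepare_reconciliations", "prepare_performance_reports"},
    "dan": {"write_checks", "file_correspondence"},   # unlisted activity ignored
}
SYSTEMS_ASSIGNMENTS = {
    # a programmer who also runs production can change code and conceal it
    "erin": {"programming", "computer_operations"},
    "frank": {"security_management"},
}


if __name__ == "__main__":
    print(find_conflicts(ACCOUNTING_ASSIGNMENTS, ACCOUNTING_GROUPS))
    print(find_conflicts(SYSTEMS_ASSIGNMENTS, SYSTEMS_GROUPS))
```

In practice the `assignments` dictionary is built from the role export of the ERP or identity system rather than typed in, and the check is rerun after every role change. Where headcount makes a conflict unavoidable, the flagged person should be recorded together with the compensating control (the slide's term), such as an independent review of their work, instead of being removed from the check.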
Physical Access Controls

How can physical access security be achieved?
– Place computer equipment in locked rooms and restrict access to authorized personnel
– Have only one or two entrances to the computer room
– Require proper employee ID
– Require that visitors sign a log
– Use a security alarm system
– Restrict access to private secured telephone lines and terminals or PCs
– Install locks on PCs
– Restrict access to off-line programs, data, and equipment
– Locate hardware and other critical system components away from hazardous materials
– Install fire and smoke detectors and fire extinguishers that do not damage computer equipment

Logical Access Controls

Users should be allowed access only to the data they are authorized to use, and then only to perform specific authorized functions.
What are some logical access controls?
– passwords
– physical possession identification
– biometric identification
– compatibility tests

Protection of PCs and Client/Server Networks

Many of the policies and procedures for mainframe control are applicable to PCs and networks. The following controls are also important:
• Train users in PC-related control concepts.
• Restrict access by using locks and keys on PCs.
• Establish policies and procedures.
• Portable PCs should not be stored in cars.
• Keep sensitive data in the most secure environment possible.
• Install software that automatically shuts down a terminal after it has been idle for a certain amount of time.
• Back up hard disks regularly.
• Encrypt or password protect files.
• Build protective walls around operating systems.
• Ensure that PCs are booted up within a secure system.
• Use multilevel password controls to limit employee access to incompatible data.
• Use specialists to detect holes in the network.

Internet and e-Commerce Controls

Why caution should be exercised when conducting business on the Internet:
– the large and global base of people that depend on the Internet
– the variability in quality, compatibility, completeness, and stability of network products and services
– access of messages by others
– security flaws in Web sites
– attraction of hackers to the Internet
What controls can be used to secure Internet activity?
– passwords
– encryption technology
– routing verification procedures
Another control is installing a firewall: hardware and software that control communications between a company's internal network (the trusted network) and an external network. The firewall is a barrier between the networks that lets information flow into and out of the trusted network only where its rules permit; it offers no protection against traffic its rules allow.
Electronic envelopes can protect e-mail messages.

Maintainability

Two categories of controls help ensure the maintainability of a system:
• Project development and acquisition controls
• Change management controls

Project Development and Acquisition Controls

Project development and acquisition controls include:
• Strategic master plan
• Project controls
• Data processing schedule
• System performance measurements
• Postimplementation review

Change Management Controls

Change management controls include:
• Periodically review all systems for needed changes
• Require all requests to be submitted in a standardized format
• Log and review requests from authorized users for changes and additions to systems
• Assess the impact of requested changes on system reliability objectives, policies, and standards
• Categorize and rank all changes using established priorities
• Implement procedures to handle urgent matters
• Communicate all changes to management
• Require IT management to review, monitor, and approve all changes to software, hardware, and personnel responsibilities
• Assign specific responsibilities to those involved in the change and monitor their work
• Control system access rights to avoid unauthorized systems and data access
• Make sure all changes go through the appropriate steps
• Test all changes
• Make sure there is a plan for backing out of any changes in the event they don't work properly
• Implement a quality assurance function
• Update all documentation and procedures when a change is implemented

Integrity

– A company designs general controls to ensure that its overall computer system is stable and well managed.
– Application controls prevent, detect, and correct errors in transactions as they flow through the various stages of a specific data processing program.

Integrity: Source Data Controls

Companies must establish control procedures to ensure that all source documents are authorized, accurate, complete, and properly accounted for, and are entered into the system or sent to their intended destination in a timely manner.
Source data controls include:
• Forms design
• Prenumbered forms sequence test
• Turnaround documents
• Cancellation and storage of documents
• Authorization and segregation of duties
• Visual scanning
• Check digit verification
• Key verification

Integrity: Input Validation Routines

Input validation routines are programs that check the integrity of input data. They include:
• Sequence check
• Limit check
• Field check
• Range check
• Sign check
• Reasonableness test
• Validity check
• Redundant data check
• Capacity check

Integrity: On-line Data Entry Controls

The goal of on-line data entry control is to ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions. They include:
• Field, limit, range, reasonableness, sign, validity, and redundant data checks
• User ID numbers
• Compatibility tests
• Automatic entry of transaction data, where possible
• Prompting
• Preformatting
• Completeness check
• Closed-loop verification
• Transaction log
• Error messages
• Retain data for legal purposes

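The validation routines from the two preceding slides (completeness, field, validity, sign, limit, range and reasonableness checks) together with the check digit verification listed under source data controls, applied to one keyed transaction record. This is an added example, not code from the textbook: the record layout, the reference tables, the limits and the open period are assumptions chosen for illustration, and because the slides name "check digit verification" without a scheme, the mod-10 (Luhn) scheme is used here as an assumption.

```python
"""Input validation routines applied to one keyed transaction record.
Added example: the record layout, reference tables, limits and the mod-10
check-digit scheme are assumptions chosen for illustration; the slides name
the checks but not these specifics."""
import re
from datetime import date

# Constructed reference data standing in for the master files a validity
# check would consult.
VALID_ACCOUNTS = {"1010", "2010", "4010"}
VALID_DEPARTMENTS = {"SALES", "OPS"}
CREDIT_LIMIT_CENTS = 500_000                           # limit check ceiling (assumed)
OPEN_PERIOD = (date(2024, 1, 1), date(2024, 12, 31))   # range check bounds (assumed)
UNIT_PRICE_BAND_CENTS = (100, 100_000)                 # reasonableness band (assumed)
REQUIRED = ("account", "department", "amount_cents", "quantity",
            "txn_date", "customer_no")


def mod10_check_digit(digits):
    """Check digit under the mod-10 (Luhn) scheme, an assumption: the slides
    say only 'check digit verification'. Luhn detects every single-digit
    error and nearly all transpositions of adjacent digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def check_digit_ok(number):
    """Check digit verification: the last digit must match the digit
    computed over the preceding ones."""
    return (number.isdigit() and len(number) >= 2
            and mod10_check_digit(number[:-1]) == number[-1])


def validate(record):
    """Run the validation routines over a record and return a list of
    (check_name, message) failures; an empty list means the record is clean."""
    errors = []
    # Completeness check: every required field must be present and non-blank.
    for field in REQUIRED:
        if record.get(field) in ("", None):
            errors.append(("completeness", f"{field} missing"))
    if errors:
        return errors        # the remaining checks would only add noise
    account = str(record["account"])
    # Field check: the account field must contain exactly four digits.
    if not re.fullmatch(r"\d{4}", account):
        errors.append(("field", "account must be 4 digits"))
    # Validity check: codes must exist in the master files.
    if account not in VALID_ACCOUNTS:
        errors.append(("validity", "unknown account"))
    if record["department"] not in VALID_DEPARTMENTS:
        errors.append(("validity", "unknown department"))
    # Sign check: a quantity sold must be positive.
    if record["quantity"] <= 0:
        errors.append(("sign", "quantity must be positive"))
    # Limit check: the amount may not exceed a fixed ceiling.
    if record["amount_cents"] > CREDIT_LIMIT_CENTS:
        errors.append(("limit", "amount exceeds credit limit"))
    # Range check: the date must fall inside the open accounting period.
    if not (OPEN_PERIOD[0] <= record["txn_date"] <= OPEN_PERIOD[1]):
        errors.append(("range", "date outside open period"))
    # Reasonableness test: the implied unit price must be plausible.
    if record["quantity"] > 0:
        unit = record["amount_cents"] // record["quantity"]
        if not (UNIT_PRICE_BAND_CENTS[0] <= unit <= UNIT_PRICE_BAND_CENTS[1]):
            errors.append(("reasonableness", "implied unit price implausible"))
    # Check digit verification on the customer number.
    if not check_digit_ok(str(record["customer_no"])):
        errors.append(("check_digit", "customer number fails check digit"))
    return errors


# Constructed sample records.
GOOD_RECORD = {"account": "4010", "department": "SALES", "amount_cents": 120_000,
               "quantity": 12, "txn_date": date(2024, 3, 15),
               "customer_no": "79927398713"}
# Negative quantity, amount over the limit, and the last two digits of the
# customer number transposed.
BAD_RECORD = {"account": "4010", "department": "SALES", "amount_cents": 900_000,
              "quantity": -2, "txn_date": date(2024, 3, 15),
              "customer_no": "79927398731"}

if __name__ == "__main__":
    print(validate(GOOD_RECORD))
    print(validate(BAD_RECORD))
```

Two points a practitioner would add. The checks must run in the application that posts the transaction, not only in the terminal or browser that collects it, since anything enforced only at the point of entry can be bypassed by whoever controls that terminal. And a check digit catches keying errors, not fraud: someone who knows the scheme can produce a valid number for a fictitious customer, which is what the validity check against the master file is for.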
Integrity: Data Processing and Storage Controls

Controls to help preserve the integrity of data processing and stored data:
• Policies and procedures
• Data control function
• Reconciliation procedure
• External data reconciliation
• Exception reporting
• Data currency checks
• Default values
• Data matching
• File labels
• Write protection mechanisms
• Database protection mechanisms
• Data conversion controls
• Data security

Output Controls

– The data control function should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals.
– Data control is also responsible for distributing computer output to the appropriate user departments.
– Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive.
– A shredder can be used to destroy highly confidential data.

Data Transmission Controls

To reduce the risk of data transmission failures, companies should monitor the network.
How can data transmission errors be minimized?
– using data encryption (cryptography)
– implementing routing verification procedures
– adding parity
– using message acknowledgment techniques

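Two of the techniques listed above, side by side: a parity bit per byte, and a message acknowledgment exchange in which the receiver accepts or rejects each message before replying. This is an added example, not the textbook's material; the framing, the shared key and the payment message are constructed for illustration. One caveat the slide does not make: parity catches accidental single-bit flips only (an even number of flips in one byte cancels out, and anyone altering the data on purpose simply recomputes it), and encryption by itself gives confidentiality rather than integrity. Detecting deliberate alteration needs a message authentication code, which is why the acknowledgment below is driven by an HMAC tag over the sequence number and payload rather than by parity. The key is an assumption, standing in for one provisioned from a key store.

```python
"""Two transmission integrity checks side by side: a parity bit per byte,
which detects accidental single-bit errors, and an HMAC tag with a sequence
number, which detects deliberate alteration and drives the acknowledgment.
Added example; the framing, key and messages are constructed for illustration."""
import hashlib
import hmac

# Assumption: a key shared between sender and receiver out of band. A real
# deployment would provision it from a key store, not a source literal.
SHARED_KEY = b"constructed-demo-key-do-not-use"


def even_parity_bit(byte):
    """Bit that makes the count of 1 bits in the byte even (0 or 1)."""
    return bin(byte).count("1") % 2


def add_parity(payload):
    """One parity bit per payload byte, carried as a separate bytes object
    (constructed framing; a serial link would carry it as a ninth bit)."""
    return bytes(even_parity_bit(b) for b in payload)


def parity_errors(payload, parity_bits):
    """Indexes of bytes whose recomputed parity disagrees with what was sent.
    An even number of flipped bits in one byte cancels out and goes unseen."""
    return [i for i, (b, p) in enumerate(zip(payload, parity_bits))
            if even_parity_bit(b) != p]


def _tag(seq, payload, key):
    # The tag covers the sequence number as well as the payload, so a replayed
    # or reordered message fails even though its payload is untouched.
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def seal(seq, payload, key=SHARED_KEY):
    """Sender side: message = (sequence number, payload, HMAC-SHA256 tag)."""
    return seq, payload, _tag(seq, payload, key)


def verify_and_ack(message, expected_seq, key=SHARED_KEY):
    """Receiver side: returns ('ACK', seq, payload) when the tag verifies and
    the sequence number is the one expected, else ('NAK', seq, reason). The
    sender resends on NAK or when no reply arrives within its timeout."""
    seq, payload, tag = message
    if not hmac.compare_digest(tag, _tag(seq, payload, key)):
        return "NAK", seq, "tag mismatch"
    if seq != expected_seq:
        return "NAK", seq, "unexpected sequence number"
    return "ACK", seq, payload


# Constructed sample payment instruction.
SAMPLE_PAYLOAD = b"PAY 0000012500 ACCT 4401"

if __name__ == "__main__":
    bits = add_parity(SAMPLE_PAYLOAD)
    noisy = bytes([SAMPLE_PAYLOAD[0] ^ 0x01]) + SAMPLE_PAYLOAD[1:]
    print("single-bit error at bytes:", parity_errors(noisy, bits))
    msg = seal(7, SAMPLE_PAYLOAD)
    print(verify_and_ack(msg, 7)[0])
    forged = (7, b"PAY 0000912500 ACCT 4401", msg[2])
    print(verify_and_ack(forged, 7))
```

The forged message in the demo changes the amount and keeps a valid parity pattern, so parity passes and only the tag check rejects it. `hmac.compare_digest` is used rather than `==` so that the comparison time does not leak how many leading bytes of a guessed tag were correct.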
Data Transmission Controls

Data transmission controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).
In these types of environments, sound internal control is achieved using the following control procedures:
1. Physical access to network facilities should be strictly controlled.
2. Electronic identification should be required for all authorized network terminals.
3. Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.
4. Encryption should be used to secure stored data as well as data being transmitted.
5. Details of all transactions should be recorded in a log that is periodically reviewed.

Computer Fraud
Learning Objectives

1. Describe fraud and describe the process one follows to perpetrate a fraud.
2. Discuss why fraud occurs, including the pressures, opportunities, and rationalizations that are present in most frauds.
3. Compare and contrast the approaches and techniques that are used to commit computer fraud.
4. Describe how to deter and detect computer fraud.

The Fraud Process

Most frauds involve three steps:
1. The theft of something
2. The conversion to cash
3. The concealment

The Fraud Process

What is a common way to hide a theft?
– to charge the stolen item to an expense account
What is a payroll example?
– to add a fictitious name to the company's payroll

The Fraud Process

What is lapping?
In a lapping scheme, the perpetrator steals the cash received from customer A as payment on A's account receivable. Funds received at a later date from customer B are then credited to customer A's account to cover the theft, funds from customer C are later credited to B's account, and so on.

The Fraud Process

What is kiting?
In a kiting scheme, the perpetrator covers up a theft by creating cash through the transfer of money between banks.
The perpetrator deposits a check drawn on bank A into bank B and then withdraws the money. Since there are insufficient funds in bank A to cover the check, the perpetrator deposits a check drawn on bank C into bank A before the check to bank B clears. Since bank C also has insufficient funds, money must be deposited into bank C before the check to bank A clears. The scheme continues in order to keep checks from bouncing.

Why Fraud Occurs

Researchers have compared the psychological and demographic characteristics of three groups of people: white-collar criminals, the general public, and violent criminals. They found few differences between white-collar criminals and the general public, but significant differences between white-collar criminals and violent criminals.

Why Fraud Occurs

What are some common characteristics of fraud perpetrators?
– Most spend their illegal income rather than invest or save it.
– Once they begin the fraud, it is very hard for them to stop.
– They usually begin to rely on the extra income.

Why Fraud Occurs

– Perpetrators of computer fraud tend to be younger and possess more computer knowledge, experience, and skills.
– Some computer fraud perpetrators are more motivated by curiosity and the challenge of "beating the system."
– Others commit fraud to gain stature among others in the computer community.

Why Fraud Occurs

Three conditions are necessary for fraud to occur:
1. A pressure or motive
2. An opportunity
3. A rationalization

Pressures

What are some financial pressures?
– living beyond means
– high personal debt
– "inadequate" income
– poor credit ratings
– heavy financial losses
– large gambling debts
What are some work-related pressures?
– low salary
– nonrecognition of performance
– job dissatisfaction
– fear of losing job
– overaggressive bonus plans
What are other pressures?
– challenge
– family/peer pressure
– emotional instability
– need for power or control
– excessive pride or ambition

Opportunities

– An opportunity is the condition or situation that allows a person to commit and conceal a dishonest act.
– Opportunities often stem from a lack of internal controls.
– However, the most prevalent opportunity for fraud results from a company's failure to enforce its system of internal controls.

Rationalizations

Most perpetrators have an excuse or a rationalization that allows them to justify their illegal behavior.
What are some rationalizations?
– The perpetrator is just "borrowing" the stolen assets.
– The perpetrator is not hurting a real person, just a computer system.
– No one will ever know.

Computer Fraud

The U.S. Department of Justice defines computer fraud as any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution.
What are examples of computer fraud?
– unauthorized use, access, modification, copying, and destruction of software or data
– theft of money by altering computer records, or the theft of computer time
– theft or destruction of computer hardware
– use of, or conspiracy to use, computer resources to commit a felony
– intent to illegally obtain information or tangible property through the use of computers

The Rise in Computer Fraud

Organizations that track computer fraud estimate that 80% of U.S. businesses have been victimized by at least one incident of computer fraud.
No one knows for sure exactly how much companies lose to computer fraud. Why?
– There is disagreement on what computer fraud is.
– Many computer frauds go undetected or unreported.
– Most networks have a low level of security.
– Many Internet pages give instructions on how to perpetrate computer crimes.
– Law enforcement is unable to keep up with fraud.

Computer Fraud Classifications

Computer fraud can be classified by the stage of data processing it targets:
• Input fraud
• Processor fraud
• Computer instruction fraud
• Data fraud
• Output fraud

Computer Fraud and Abuse Techniques

What are some of the more common techniques used to commit computer fraud?
– Cracking
– Data diddling
– Data leakage
– Denial of service attack
– Eavesdropping
– E-mail forgery and threats
– Hacking
– Internet misinformation and terrorism
– Logic time bomb
– Masquerading or impersonation
– Password cracking
– Piggybacking
– Round-down
– Salami technique
– Software piracy
– Scavenging
– Social engineering
– Superzapping
– Trap door
– Trojan horse
– Virus
– Worm

Preventing and Detecting Computer Fraud

What are some measures that can decrease the potential for fraud?
1. Make fraud less likely to occur.
2. Increase the difficulty of committing fraud.
3. Improve detection methods.
4. Reduce fraud losses.
5. Prosecute and incarcerate fraud perpetrators.

Preventing and Detecting Computer Fraud

1. Make fraud less likely to occur.
• Use proper hiring and firing practices.
• Manage disgruntled employees.
• Train employees in security and fraud prevention.
• Manage and track software licenses.
• Require signed confidentiality agreements.
2. Increase the difficulty of committing fraud.
• Develop a strong system of internal controls.
• Segregate duties.
• Require vacations and rotate duties.
• Restrict access to computer equipment and data files.
• Encrypt data and programs.
3. Improve detection methods.
• Protect telephone lines and the system from viruses.
• Control sensitive data.
• Control laptop computers.
• Monitor hacker information.
4. Reduce fraud losses.
• Maintain adequate insurance.
• Store backup copies of programs and data files in a secure, off-site location.
• Develop a contingency plan for fraud occurrences.
• Use software to monitor system activity and recover from fraud.

Preventing and Detecting Computer Fraud

5. Prosecute and incarcerate fraud perpetrators.
Most fraud cases go unreported and unprosecuted. Why?
• Many cases of computer fraud are as yet undetected.
• Companies are reluctant to report computer crimes.
• Law enforcement officials and the courts are so busy with violent crimes that they have little time for fraud cases.
• It is difficult, costly, and time consuming to investigate.
• Many law enforcement officials, lawyers, and judges lack the computer skills needed to investigate, prosecute, and evaluate computer crimes.