SAS-99 and Fraud Examination

Questions and Answers

What are the key steps auditors must take according to SAS-99?

  • Understand fraud, assess and respond to risks, evaluate test results, communicate findings, and document the process.
  • Identify, assess, and respond to risks, obtain information, evaluate test results, communicate findings and document work.
  • Understand fraud, discuss the risks, obtain information, identify and respond to risks, evaluate test results, communicate findings, document work. (correct)
  • Understand fraud, discuss the risks, obtain information, identify risks, respond to risks, evaluate, and communicate findings, and document the process.

What is a significant difference between white-collar criminals and violent criminals?

  • White-collar criminals tend to be more religious.
  • White-collar criminals tend to be less educated.
  • White-collar criminals tend to be more educated.
  • White-collar criminals tend to have a different psychological makeup. (correct)
  • White-collar criminals tend to be older.

What is the main focus of the content provided?

  • The techniques used to commit computer fraud. (correct)
  • The different types of computer fraud.
  • The importance of ethical considerations in computer fraud.
  • The legal consequences of computer fraud.

Which of the following is NOT considered a type of fraud?

    Data Breach (D)

    What is SAS-99's focus on technology?

    SAS-99 emphasizes that technology impacts fraud risks, highlighting the importance of technology-oriented tools during audits. (D)

    Which of the following is a key characteristic of perpetrators of computer fraud?

    They are typically younger and possess more computer knowledge and skills. (B)

    What is a common characteristic of white-collar criminals?

    They tend to mirror the general population in terms of education, age, and religious beliefs. (C)

    Why is it important to document audit work according to SAS-99?

    To comply with all of the above. (D)

    Which of the following is NOT a common pressure leading to fraud as stated in the passage?

    A desire to improve credit score (A)

    According to the passage, how does a person's perception of pressure affect their likelihood of committing fraud?

    Perceiving an inability to share one's financial woes increases the pressure to commit fraud. (B)

    What is a key difference between financial statement fraud and other types of fraud, as described in the passage?

    The perpetrators in financial statement fraud are not the direct beneficiaries. (B)

    Which of the following is NOT mentioned as a common pressure in financial statement fraud?

    Securing additional funding for unrelated investments. (A)

    How does a person's actual financial situation relate to their propensity to commit fraud, according to the passage?

    An individual's worry about their financial position is more impactful than their actual financial standing. (B)

    What action might a company's management take to prop up their company's earnings?

    Manipulating financial statements to make the company's performance appear better than it actually is. (C)

    Which of the following BEST describes the passage's main focus?

    A discussion of the pressures and motivations behind fraudulent behavior. (D)

    According to the passage, what is the main focus of financial statement fraud?

    To protect the company's long-term financial stability. (B)

    What is a logic time bomb?

    A program that is triggered by a specific event or date, causing damage to the system. (B)

    Which of these is NOT a technique used for committing computer fraud and abuse?

    Data encryption (C)

    What is the primary objective of 'data diddling' in computer fraud?

    Altering or manipulating data within a system for personal gain. (A)

    How does a packet sniffer work?

    It intercepts and captures data packets traveling over networks, potentially revealing confidential information. (D)

    What is the main aim of internet terrorism?

    To disrupt electronic commerce and destroy communication systems. (A)

    What is a common outcome of 'denial-of-service attacks'?

    The disruption of normal operation of a computer system or network. (D)

    How can someone commit masquerading or impersonation?

    By gaining access to a system by pretending to be an authorized user, using a legitimate user's ID and password. (A)

    Which of the following techniques is NOT directly related to the theft of sensitive information?

    Denial-of-service attacks (A)

    What is the most accurate description of 'hacking' in the context of computer fraud?

    The unauthorized use of someone else's computer to carry out illegal or malicious actions. (D)

    What is an example of internet misinformation?

    A website spreading false information about a political candidate. (C)

    What is the main purpose of 'email forgery' (also known as 'spoofing')?

    To create a false sense of legitimacy and trick recipients into action. (C)

    How can password cracking be used to gain access to a system?

    By using a program to systematically try different combinations of characters until the correct password is found. (C)

    How does 'phreaking' typically involve the use of phone lines?

    To gain access to computer systems and steal sensitive information through dial-up modem lines. (B)

    What is the most common type of internet terrorism?

    The use of computer viruses and worms to damage and disrupt computer systems and networks. (A)

    Which of the following is NOT a typical financial gain for criminals who engage in identity theft?

    Disrupting the victim's credit history to gain access to resources. (A)

    What is the primary difference between 'data leakage' and 'data diddling'?

    Data leakage focuses on the unauthorized disclosure of data, while data diddling involves intentionally modifying data within a system. (B)

    What is a significant difference between a virus and a worm?

    A virus is only a segment of code hidden in a host program, while a worm is a standalone program. (B)

    Why is it important to apply software patches as soon as possible?

    Patches can help to prevent viruses and worms from exploiting known software vulnerabilities. (B)

    How can a worm reproduce and spread?

    By replicating itself and sending copies to email addresses in a recipient's mailing list. (D)

    What is a concern with 'low-tech, do-it-yourself' attacks?

    They can be carried out by individuals with limited technical skills. (A)

    Which of the following is NOT a device that is vulnerable to a virus attack?

    Refrigerator (B)

    What is a phishing scam?

    A method of tricking users into revealing personal information by sending them emails that appear to be from a legitimate source. (D)

    Which of these is NOT a technique commonly used to commit computer fraud and abuse?

    Malware encryption (D)

    How can you protect yourself from phishing scams?

    Being cautious of suspicious emails and verifying information before providing sensitive data. (D)

    What effect does a script downloaded through a phishing email have on a user's web browser?

    It redirects the user to a fake version of a legitimate website. (B)

    Why is it recommended to type "https:" in the URL instead of "http:" when accessing PayPal?

    It ensures you are connecting to PayPal's secured server. (B)

    What is the significance of the South American bank phishing scam mentioned in the text?

    It showcases a sophisticated phishing scam that exploited user trust and vulnerabilities. (B)

    What is the purpose of a logic bomb?

    To disrupt a system’s functionality at a specific time or event. (B)

    How can you mitigate the risk of falling victim to impersonation or masquerading online?

    Verifying the identity of the person you are interacting with, especially during financial transactions. (B)

    Flashcards

    SAS-99 Requirements

    SAS-99 mandates auditors to understand fraud and its risks, gather information, assess risks, communicate findings, and document their work.

    Fraud Process

    The series of steps involved in fraud detection and prevention, including understanding, assessment, and communication of risks.

    Technology in SAS-99

    SAS-99 incorporates technology to address fraud risks and encourages auditors to use tech tools in audits.

    Types of Fraud

    Various methods of committing fraud, including bribery, skimming, embezzlement, and others.

    White-Collar Criminals

    Individuals who commit fraud and generally resemble the demographics of the general public in various aspects.

    Young Perpetrators

    Individuals committing computer fraud are usually younger and more technically skilled than others.

    Auditor Documentation

    Auditors must document their work to show compliance with SAS-99, ensuring their audit processes are transparent.

    Psychological Characteristics

    White-collar criminals share many psychological traits with the general public, making them harder to profile.

    Common pressures for fraud

    Circumstances that push individuals towards committing fraud, like financial distress or isolation.

    Perception of pressure

    The belief that one cannot share financial burdens increases the pressure to commit fraud.

    Propensity to commit fraud

    An individual's tendency to commit fraud, often affected by anxiety over financial issues rather than actual wealth.

    Financial statement fraud

    A type of fraud where the perpetrators are not the direct beneficiaries but the company is.

    Management incentives

    Reasons that compel management to commit financial statement fraud, like bonuses or job security.

    Covering cash flow issues

    Using fraud to disguise difficulties generating legitimate cash flow.

    Bond covenants compliance

    Fraud may occur to make financial statements appear compliant with bond agreements.

    Income-tax motivations

    Fraud driven by the desire to evade taxes or meet government regulations.

    Data Diddling

    Manipulating data before or after entry to commit fraud.

    Data Leakage

    Unauthorized transmission of data from within an organization.

    Denial of Service Attacks

    Overwhelming a system to disrupt service for users.

    Eavesdropping

    Unauthorized listening to private communications.

    Email Spoofing

    Creating a fake email to appear as if sent by someone else.

    Phreaking

    Hacking phone systems to steal services or data.

    Hacking

    Gaining unauthorized access to computer systems to commit illegal activities.

    Identity Theft

    Illegally obtaining and using someone else's personal information for financial gain.

    Internet Misinformation

    False or misleading information spread via the Internet.

    Internet Terrorism

    Use of the Internet to carry out harmful acts, such as disrupting services.

    Logic Bomb

    A program that activates under specific conditions to sabotage a system.

    Masquerading

    Gaining unauthorized access by impersonating an authorized user.

    Packet Sniffer

    Programs that capture data packets as they travel over networks.

    Password Cracking

    The process of recovering passwords from data, often to gain unauthorized access.

    Viruses and Worms

    Malware types used in Internet terrorism to disrupt systems.

    Computer Fraud

    Illegal activities that involve deceitful conduct in computing environments.

    Virus

    A malicious software that attacks computer systems and can spread across devices on a network.

    Worm

    A self-replicating program that spreads independently and can infect various devices without user action.

    Virus vs. Worm

    Viruses need a host to operate; worms stand alone and replicate without user interaction.

    Email virus warning

    An often misguided warning from friends about an infected email attachment that can lead to accidental system damage.

    Software patches

    Updates that fix known vulnerabilities in software, crucial to prevent virus and worm attacks.

    Logic Time Bombs

    Malicious code that triggers at a specific time or condition.

    Phishing

    Fraudulent attempts to obtain sensitive information via email.

    Secure Website Protocol

    Using 'https:' instead of 'http:' for secure connections.

    Study Notes

    Computer Fraud and Security

    • This chapter addresses fraud, who perpetrates it, and its computer forms.
    • It discusses the fraud process, reasons for fraud, computer fraud approaches, and methods companies use to prevent and detect fraud.
    • Information systems are becoming increasingly complex, and society relies more on them.
    • Companies face a growing risk of these systems being compromised, with recent surveys indicating that 67% of companies suffered a security breach in the last year, and nearly 60% reported financial losses.

    Introduction

    • Questions to be addressed include: What is fraud, how are frauds perpetrated, who perpetrates fraud and why, what is computer fraud and what forms it takes, and what approaches and techniques are used to commit computer fraud?
    • Companies face threats from natural and political disasters, software errors/equipment malfunction, and intentional acts (computer crime).

    Natural and Political Disasters

    • Includes fire, excessive heat, floods, earthquakes, and high winds.
    • War and terrorist attacks can affect many companies simultaneously (e.g., the World Trade Center bombing).
    • The Defense Science Board predicts widespread attacks on information systems by foreign nations, espionage agents, and terrorists.

    Software Errors and Equipment Malfunction

    • Includes hardware or software failures, software errors/bugs, operating system crashes, power outages/fluctuations, and undetected data transmission errors.
    • Annual economic losses due to software bugs are estimated at $60 billion.
    • Almost 60% of companies studied experienced significant software errors in the previous year.

    Unintentional Acts

    • Accidents caused by human carelessness, failure to follow procedures, inadequately trained personnel, innocent errors/omissions, lost/destroyed/misplaced data, logic errors, and systems not meeting needs or performing intended tasks.
    • Information Systems Security Association estimates 65% of security problems are caused by human error.

    Intentional Acts (Computer Crime)

    • Includes sabotage, which encompasses computer fraud (misrepresentation, false use, unauthorized disclosure of data), misappropriation of assets, and financial statement fraud.
    • Information systems are increasingly vulnerable to these malicious attacks.

    The Fraud Process

    • Fraud is any means a person uses to gain an unfair advantage over another person.
    • Fraudulent acts typically involve a false statement (oral or written) about a material fact, knowledge that the statement was false when made (intent to deceive), the victim relying on the statement, and the victim suffering injury/loss.
    • The burden of proof differs between criminal and civil cases, with criminal cases requiring "beyond a reasonable doubt" and civil cases requiring "preponderance of the evidence."
    • ACFE estimates total fraud losses in the US at approximately $660 billion in 2004, exceeding spending on education and roads and the criminal justice system.
    • Income tax fraud estimates are over $200 billion annually, and healthcare fraud exceeds $100 billion annually.
    • Fraud against companies can be committed by an employee (knowledgeable insider) or an external party, and insiders are often more successful.
    • Fraud perpetrators are often referred to as white-collar criminals, although some white-collar crimes have violent outcomes (e.g., suicide, patient deaths).
    • Types of occupational fraud include misappropriation of assets (theft/embezzlement), corruption (wrongful use of position for personal benefit), and fraudulent statements (misstating financial condition).

    Fraud Perpetration

    • Typical elements include gaining trust, using deceit/misinformation, starting with need and escalating to greed, becoming careless/overconfident, spending stolen money, and detecting theft. The absence of internal controls is a significant factor.
    • The Treadway Commission defined fraudulent financial reporting as intentional or reckless conduct resulting in materially misleading financial statements.
    • This can involve deceiving investors and creditors, inflating stock prices, or hiding losses/problems.
    • The Enron fraud led to the demise of Arthur Andersen, a premier international accounting firm, highlighting independent auditors' concern about undetected frauds and the resulting lawsuits.

    Common Approaches to “Cooking the Books”

    • Fictitious revenues, premature revenue recognition, recording expenses in later periods, overstating inventories/fixed assets (like WorldCom), and concealing losses/liabilities.

    Treadway Commission Recommendations

    • Establish organizational environments that promote financial reporting integrity.
    • Identify and understand factors related to fraudulent financial reporting risk.
    • Assess risk of fraudulent financial reporting within the company.
    • Design and implement internal controls to prevent fraudulent financial reporting.

    PSA 20

    • The primary responsibility for fraud prevention and detection falls on those responsible for the entity's governance and its management.

    Understand Fraud

    • Auditors need to understand fraud to audit effectively. Because they are not lawyers, their concern should focus on acts that create a material misstatement in the financial statements.

    Discuss the Risks of Material Fraudulent Misstatements

    • Audit team members should discuss areas of the company's financial statements that are susceptible to fraud.

    Obtain Information

    • Fraud risk factors must be identified, and company records tested. Management, the audit committee, and others should be asked if there is existing or prior fraud, or fraud risks. Revenue accounts are scrutinized, as they are popular targets.

    Identify, Assess, and Respond to Risks

    • Assess the risk of fraud throughout the audit. Determine any identified misstatements that indicate fraud, the impact on financial statements, and the impact on the audit itself.

    Communicate Findings

    • Auditors communicate fraud findings to management, the audit committee, and others.

    Document Their Audit Work

    • Auditors must document their compliance with SAS-99 requirements.

    Incorporate a Technology Focus

    • Technology impacts fraud risks, and auditors should leverage technology-oriented tools for fraud auditing.

    Why Fraud Occurs

    • Fraud occurs when there are perceived non-shareable pressures, the opportunity for fraud is open, and the individual can rationalize their actions. Fraud will be less common when pressures are low, opportunities are limited, and integrity is high.

    Who Commits Fraud and Why

    • Research indicates that white-collar criminals exhibit demographic characteristics similar to the general public and differ from violent criminals primarily in psychological makeup; violent criminals show few similarities to the general public. Perpetrators of computer fraud are often younger, with more computer skills, knowledge, and experience.
    • Rationalizations can include viewing fraud as a game, believing their actions do not have harmful impacts, wanting to gain stature within the hacking community, wanting to spread a rebellious message, or viewing gaining financially from the theft as valid motives. Difficulties in employer relations can create significant pressures.
    • The perception of pressure plays a significant role, and three factors often present in fraud are stress or need (pressure), opportunity, and rationalization.
    • Common pressures for financial statement fraud include supporting personal wealth, maintaining jobs, covering cash flow deficiencies, and complying with financial covenants.

    Approaches to Computer Fraud

    • The U.S. Department of Justice defines computer fraud as any illegal action requiring computer technology for perpetration, investigation, or prosecution. This includes unauthorized theft, use, access, modification, or destruction of software/data; theft of money by altering records; theft of computer time; theft or destruction of hardware; use of resources for a felony; intent to obtain property.

    Computer Fraud Techniques

    Common Techniques Include:

    • Data diddling: Changing data before, during, or after entry.
    • Data leakage: Unauthorized copying of data.
    • Denial of service attacks: Overloading a system to shut it down.
    • Eavesdropping: Intercepting communications.
    • Email threats: Sending messages to induce actions.
    • Email forgery (spoofing): Creating emails that appear to come from others.
    • Hacking: Unauthorized access to systems.
    • Phreaking: Utilizing phone systems for illicit activity.
    • Hijacking: Gaining control of another's computer.
    • Identity theft: Assuming someone's identity for financial gain.
    • Shoulder surfing: Watching individuals enter information.
    • Scavenging/dumpster diving: Searching for discarded documents.
    • Redirecting mail: Intercepting and changing mail delivery.
    • Internet misinformation: Spreading false information.
    • Internet terrorism: Disrupting e-commerce and communications.
    • Logic time bombs: Programs acting at a predetermined time.
    • Masquerading/impersonation: Pretending to be an authorized user.
    • Packet sniffers: Capturing data from network traffic.
    • Password cracking: Accessing accounts with stolen passwords.
    • Piggybacking: Unauthorized use of a legitimate user's log-in.
    • Round-down technique: A fraudulent method of rounding down numbers.
    • Salami technique: Repeatedly stealing small amounts of money.
    • Social engineering: Tricking employees into revealing information.
    • Software piracy: Copying software without permission.
    • Spamming: Sending unsolicited messages.
    • Spyware: Software that monitors computer usage without permission.
    • Superzapping: Unauthorized use of special system programs to bypass controls.
    • Trap doors: Hidden ways into a system.
    • War dialing: Checking for idle modems on phone lines.
    • War driving: Driving around searching for unprotected wireless networks.

    Preventing and Detecting Computer Fraud

    • Organizations must take precautions to protect their systems.
    • Creating a culture of ethical values; formal/rigorous controls; conducting periodic audits; installing fraud detection software; employing security officers/consultants; monitoring system activities; using intrusion detection systems; and maintaining adequate insurance/contingency plans are all part of preventing/detecting computer fraud.


    Description

    This quiz explores critical aspects of SAS-99, including the steps auditors must take, the nature of white-collar crime, and key characteristics of fraud perpetrators. It is essential for students of accounting and finance to understand these concepts as they prepare for real-world auditing scenarios.
