Managerial Auditing Journal

Internal Auditor and Computer Fraud

P.A. Collier R. Dixon C.L. Marston
Article information:
To cite this document:
P.A. Collier R. Dixon C.L. Marston, (1990),"Internal Auditor and Computer Fraud", Managerial Auditing Journal, Vol. 5 Iss 4
pp.
Permanent link to this document:
http://dx.doi.org/10.1108/02686909010006553
Downloaded on: 01 May 2015, At: 06:27 (PT)
References: this document contains references to 0 other documents.
To copy this document: permissions@emeraldinsight.com
The fulltext of this document has been downloaded 408 times since 2006*
Users who downloaded this article also downloaded:
William Hillison, Carl Pacini, David Sinason, (1999),"The internal auditor as fraud-buster", Managerial Auditing Journal, Vol.
14 Iss 7 pp. 351-363 http://dx.doi.org/10.1108/02686909910289849
Downloaded by UNIVERSITY OF EXETER At 06:27 01 May 2015 (PT)

Rocco R. Vanasco, (1998),"Fraud auditing", Managerial Auditing Journal, Vol. 13 Iss 1 pp. 4-71 http://
dx.doi.org/10.1108/02686909810198724
Harold Hassink, Roger Meuwissen, Laury Bollen, (2010),"Fraud detection, redress and reporting by auditors", Managerial
Auditing Journal, Vol. 25 Iss 9 pp. 861-881 http://dx.doi.org/10.1108/02686901011080044

Access to this document was granted through an Emerald subscription provided by 463575 []
For Authors
If you would like to write for this, or any other Emerald publication, then please use our Emerald for Authors service
information about how to choose which publication to write for and submission guidelines are available for all. Please visit
www.emeraldinsight.com/authors for more information.
About Emerald www.emeraldinsight.com
Emerald is a global publisher linking research and practice to the benefit of society. The company manages a portfolio of
more than 290 journals and over 2,350 books and book series volumes, as well as providing an extensive range of online
products and additional customer resources and services.
Emerald is both COUNTER 4 and TRANSFER compliant. The organization is a partner of the Committee on Publication
Ethics (COPE) and also works with Portico and the LOCKSS initiative for digital archive preservation.

*Related content and download information correct at time of download.

 INTERNAL AUDITOR AND COMPUTER FRAUD 37

R
esults of a 1988 research study into the Table I. Respondents by Size
area of computer fraud are presented.
Annual Turnover or Number of % of
Total Budget Responses Sample

Large Over £50 million 93 50

Internal
Medium Between £20 million
and £50 million 62 34
Small Below £20 million 29 16

Auditor and 184 100

Computer
Downloaded by UNIVERSITY OF EXETER At 06:27 01 May 2015 (PT)

definition chosen for the research was that used by the

Audit Commission in their 1987 survey: "any fraudulent
behaviour connected with computerisation, by which
someone intends to gain a dishonest advantage".

Fraud Methodology and Population

P.A. Collier, R. Dixon and C.L. Marston
Introduction
Despite a lack of information on the scale of computer
fraud in the UK* it is generally accepted that it poses
a potentially serious threat in many organisations. In
recognition of this, the Chartered Institute of Management
Accountants (CIMA) and the Institute of Internal Auditors
(IIA), have jointly funded a research study in this area.
In contrast to previous research studies (see for example:
BIS Applied Systems [2] and the Audit Commission[1] in
the UK; the American Bar Association[3] in the US; and
the Chisholm Institute of Technology[4] in Australia), this
project focuses on the action taken by organisations to
prevent and detect computer frauds, and the role and
opinion of internal auditors.
Although the term "computer fraud" is widely used, a
range of definitions exist. At one extreme a computer fraud
is considered to be any dishonesty which takes place in
a computer environment and is in any way connected with
the facilities; while a narrower definition is to limit
computer fraud to any dishonesty that involves the
technical manipulation of hardware or software. The
* Regrettably, there are still no reliable official statistics on how
widespread the problem is or how muchfinancialloss is actually
incurred[1].
The research was based on a questionnaire sent to 300
members of a population which was defined so as to obtain
a representative cross-section of UK organisations. The
questionnaire covered four main subject areas:
(1) Responsibility within the organisation for computer
fraud prevention and detection.
(2) What the internal audit department does to prevent
computer fraud.
(3) What the internal audit department does to detect
computer fraud.
(4) Opinions of internal auditors on computer fraud.
The population circularised were IIA members and CIMA
members whose job descriptions alluded to internal audit.
A total population of 2,631 was identified at the survey
date of 1 January 1988. Usable responses were received
from 184 organisations (61 per cent response rate). Tests
revealed no non-response bias. An indication of the broad
spectrum of firms covered is given in Table I, which
analyses responding organisations by reference to their
size, as determined by annual turnover or total budget.
Of the respondents, 68 per cent worked in the private
sector and the balance in the public sector.
Responsibility for Computer Fraud Prevention
ana Detection
Table II shows that specific responsibility for computer
fraud prevention and detection is perceived by respondents
as residing in four main areas:
(1) internal audit;
(2) line management;
 38 MANAGERIAL AUDITING JOURNAL 5,4

Table II. Specific Responsibility for Prevention and auditors should be alert to indications of fraud and
Detection recommend the adoption or strengthening of
controls which make fraud more difficult, it is not
the primary purpose of audit tests to detect
% of Total % of Total isolated incidents of fraud.
Total responses Prevention Responses Detection Responses
The source of the responsibility in respect of the internal
Internal audit audit department is shown in Table III. "Formally docu-
department 96 52 109 59 mented" refers to the specific responsibility being included
Line management 93 51 85 46 in the departmental objectives or job descriptions, and "no
formal documentation" relates to situations where the
Information systems
function 96 52 52 28 specific responsibility is informally agreed or self imposed.
Finance function 69 37 37 20
From the table, the specific responsibility of the internal
Chief executive 22 12 10 5 audit department for the prevention and detection of
Board of directors 10 5 5 3 computer fraud arises principally from informal agreement
or is self imposed. However, in large organisations the level
Downloaded by UNIVERSITY OF EXETER At 06:27 01 May 2015 (PT)

Audit committee 8 4 3 2
of formalisation was higher, and the response in the
"formally documented" category exceeded that in the "no
formal documentation" category. The results suggest that
computer fraud is not considered a high priority by many
(3) the finance department; firms since, even where specific responsibility is allocated
(4) the information systems department. to the internal audit department, in approximately two-thirds
of cases the responsibility is not formally documented. This
The findings are: suggests that the risks from computer fraud are not fully
(1) In many organisations specific responsibility for appreciated by many managements.
computer fraud is not concentrated in one officer.
The diffuse nature of responsibility is emphasised
by the incidence of multiple responses to the What the Internal Audit Department Does in
question; 17 respondents ticking over five of the Preventing Computer Fraud
listed possibilities; 40 respondents ticking three One of the questions asked was the prevention of
to five; and 94 respondents stated that computer fraud was specifically considered by internal
responsibility was assigned to one or two of the auditors at various stages in the systems life cycle. The
listed possibilities. overwhelming majority of respondents, 95 per cent for
(2) In 33 (18 per cent) of the sample, specific new systems and 96 per cent for existing systems,
responsibility was not assigned for either reported this level of involvement. Table IV shows an
prevention or detection. analysis of this by various stages.
(3) Internal audit departments in the respondents'
organisations had no specific responsibility for
computer fraud prevention and detection in almost
half, and 40 per cent of cases respectively. The Table III. Source of Specific Responsibility
results cause a degree of concern because there
is an apparent lack of senior management
involvement, and many line managements are not Number of % of Positive
seen as being specifically responsible, despite it Responses Responses
being generally agreed (see, for example, SIAS
No. 1[5]) that responsibility for security resides Prevention
with senior and line management. This was well Formally documented 37 38
expressed by one respondent, who enclosed a
No formal documentation 59 62
departmental standard on fraud which included the
following: "The responsibility for the prevention 96 100
and detection of fraud rests with line management,
who should institute an adequate system of internal Detection
control to discharge this responsibility". It is Formally documented 40 37
surprising that more internal audit departments No formal documentation 69 63
reported specific responsibility for detection than
for prevention, since this is at variance with SIAS 109 100
No. 3[6]. This suggests that although internal
 INTERNAL AUDITOR AND COMPUTER FRAUD 39

Table IV. Stages at which Computer Fraud Prevention The majority of internal audit departments gave specific
is Specifically Considered by the Internal consideration to the prevention of computer fraud at the
Audit Department in the Systems Life Cyclesix stages specified. The amendment of existing systems
does seem to be relatively neglected despite internal audit
department involvement at this stage being extremely
%of
Number of Positive % of Total valuable in fraud prevention.
Instances Responses* Responses
Another question examined the emphasis placed by the
internal audit department on various controls used in
New systems: preventing computer fraud. Respondents were asked to
Design 139 79 76 classify the importance of the control on a scale of high,
Testing 100 57 54 moderate, low and none. The averages were derived by
Implementation 104 59 57
Post implementation
coding high as 4 and none as 1. Such a scaling gives a
audit 141 80 77 mean value of 2.5 if answers are equally distributed. Table
V shows the controls with the assessment and the mean
Existing systems: value.
Downloaded by UNIVERSITY OF EXETER At 06:27 01 May 2015 (PT)

Amendment 97 55 53
Specific reviews 159 90 86 As might be expected, since the controls listed are fairly
standard, all have a mean in excess of the scale mean,
(*176 for new systems and 177 for existing systems) and all but four have a mean in excess of 3, which indicates
a moderate to high emphasis on the controls listed.

Table V. Emphasis in Fraud Prevention

High Moderate Low None Mean

(4) (3) (2) (1)

General
Personnel selection procedures 45 61 35 43 2.59
Segregation of duties within the computing function 150 27 1 6 3.74
Physical security of the computer installation 132 44 6 2 3.66
Internal audit input at the design and
implementation stage of new systems 85 63 26 10 3.21
Education of management 66 80 33 5 3.13
Librarian function 36 61 47 40 2.52

Input
Physical security over terminals and other remote
access devices 87 72 21 4 3.32
Passwords 154 28 0 2 3.82
Security of communication lines 69 64 39 2 3.04
Validation checks 100 69 13 2 3.45
Data transfer validation 79 86 5 14 3.25
Access to pre-printed stationery 69 81 24 10 3.10
Encryption 37 47 42 58 2.34

Processing
Control of the use of systems utilities 112 58 5 9 3.48
Run-to-run controls 108 53 9 4 3.48
Control over program amendments 122 41 12 9 3.50
Review of computer logs 54 79 36 15 2.94

Output
Input to output reconciliations 103 66 15 0 3.48
Controls over the distribution of output 49 92 36 7 3.00
Control over error and exception report 112 61 9 2 3.54
 40 MANAGERIAL AUDITING JOURNAL 5,4

Respondents emphasised controls in three main areas:
(1) Administrative controls over the data processing
department like segregation of duties and physical
security of computer installations.
(2) Control over input such as data validation, pass-
words and terminal security.
(3) Processing controls including the reconciliation of
input to output.
Least significance was accorded to controls with restricted
applicability like encryption, librarian function and review
of computer logs. An exception to this was the lack of
emphasis on personnel selection. Fraud is committed by
people, and therefore the selection of trustworthy staff
should be a key defensive measure. Further evidence
Downloaded by UNIVERSITY OF EXETER At 06:27 01 May 2015 (PT)
The approach was balanced between through the computer
techniques like interrogation software, and installation
review and round the computer methods like input/output
reconciliations.
A question asked whether there were formal guidelines on
the action to be taken if a fraud was discovered. The
majority of organisations reported an absence of such
guidance, although there was more likelihood of formal
guidelines in large organisations (82 per cent) than in
medium (32.4 per cent) and small (24.7 per cent) ones.
Private sector organisations were less likely to have
guidelines than public sector organisations — 36.8 per cent
and 44.1 per cent respectively. Where guidelines existed,
the most commonly adopted policies on discovery of a
computer fraud were to prosecute the perpetrator (78 per

of a failure to appreciate this point was provided by the cent of cases) and automatic dismissal (74 per cent of cases).
responses to a question which sought to establish what It is surprising to note the popularity of prosecution since
controls are in operation over staff working in areas with the received wisdom in this area is that organisations rarely
a high risk of computer fraud. In only 16 per cent of prosecute because of the bad publicity*. The result,
responses were staff subject to special vetting; while in however, must be taken in context of the whole sample,
less than a third of firms was it compulsory for such staff of which it constitutes only 30 per cent.
to take holidays, or were the staff prevented from working
out periods of notice.
Another question asked how much weight is given to the
detection of computer frauds, in formulating the organ-
Respondents were asked how much weight is given to isation's policies on computer systems. Using the same
the prevention of computer frauds in formulating scale as Table V, the mean value of the responses was
organisational policies on computer systems. Using the 2.86. This indicates that, in general, moderate importance
same scale as Table V, the mean value of responses was is given to fraud detection in policy formation. However,
3.09. This indicates that, in general, moderate importance 29 per cent of respondents gave a low or none rating.
is given to fraud prevention in policy formulation. However,
19 per cent of respondents gave a low or none rating.
Opinions
What the Internal Audit Department Does in Thefinalsection of the questionnaire examined the opinions
of internal auditors on various aspects of computer fraud.
Detecting Computer Fraud A question asked what level of risk of computer fraud the
The results of a question to discover which techniques respondents associated with various listed aspects of
were employed by the internal audit department in the computer systems. Table VII shows the responses.
detection of computer fraud are shown in Table VI.
As might be expected, batch processing is perceived as
being less risky than on-line and real-time processing, a
Table IV. Fraud Detection Techniques finding supported by the Audit Commission[1], who found
81 incidents associated with on-line processing compared
Number of % of with only 24 for batch processing. The most risky areas
Responses Responses identified outside on-line processing were a mini-computer
under user control and EFT systems, a finding that supports
Interrogation software 113 61
the emphasis in Table V on access controls. Table VIII
shows opinions of the level of threat of computer fraud
Computer audit software 67 36 posed by a selection of activities.
Test packs 21 11
Installation review 124 67 All the listed activities were considered to provide a
Computer based comparison moderate to high level of threat apart from hardware
of object and source versions 19 10 changes. Input fraud was seen as the most significant area;
Program review 38 21 afindingwhich again concurs with the Audit Commission[1]
Log analysis 56 30
Integrated test facility 29 16 * Although the Audit Commission states that: "Contrary to
Input/output reconciliations 121 66 popular belief, most of those caught abusing the system were
penalised in some way"[1].
 INTERNAL AUDITOR AND COMPUTER FRAUD 41

Table VII. Levels of Risk

High Moderate Low No opinion Mean

(4) (3) (2) (1)
Processing:
Batch processing 33 92 57 2 2.85
On-line processing 85 83 12 4 3.35
Real-time processing 126 46 9 3 3.60
Software:
Database systems 65 85 26 8 3.13
4 GLs 65 77 29 13 3.12
Equipment:
Mainframe 43 93 42 6 2.94
Mini-computer under user control 106 61 17 0 3.48
Mini-computer under dept. control 43 100 39 2 3.00
Microcomputers 94 54 32 4 3.29
Downloaded by UNIVERSITY OF EXETER At 06:27 01 May 2015 (PT)

Local area networks 34 105 37 8 2.89

Wide area networks 53 98 25 8 3.06
Automated payment systems:
ATM networks 63 78 20 23 2.98
EFT systems 105 47 14 28 3.39
EPOS networks 65 70 22 27 2.94
EFTPOS networks 81 61 16 26 3.13

Table VIII. Level of Threat

High Moderate Low No opinion Mean

(4) (3) (2) (1)
General:
Misuse of facilities 63 98 20 3 3.20
Misuse of utilities 107 58 16 3 3.46
Input:
Unauthorised access 119 59 5 1 3.61
False computer input 130 42 11 1 3.64
Processing:
Alteration of job control language 49 85 45 5 2.97
Program patch 70 63 40 11 3.04
Hardware changes 15 72 90 7 2.51
Unauthorised access through networks 95 66 17 6 3.36
Output:
Manipulation of control totals 106 59 18 1 3.46
Output manipulation 95 75 14 0 3.44

findings where 62 per cent of computer frauds reported
were in this category.
Summary of Findings
A number of important points can be concluded from an
analysis of the responses.
(2) Organisations also placed specific responsibility for
Responsibility
(1) A majority of internal audit departments reported
a specific responsibility for the prevention and
detection of computer fraud. However, in only a
minority of firms was the department specifically
responsible for both, and in a fifth of responses
there was no specific responsibility for either. In
the majority of cases the specific responsibility was
attributed in an unstructured way, and was not
formally documented in departmental objectives
or included in job descriptions.
computer fraud prevention and detection on other
personnel. According to respondents, such
responsibility was placed to a significant degree
on line management and the information systems
function.
 42 MANAGERIAL AUDITING JOURNAL 5,4
What is Done to Prevent Computer Fraud
(1) Virtually all internal auditor respondents stated that
computer fraud prevention was specifically
considered by their staff at some stage in the
systems life cycle. In particular, internal auditors
addressed this issue at the post-implementation
stage for new systems, and when carrying out
specific reviews of existing systems.
(2) Internal auditors gave the highest priority to
computer-based controls in the prevention of
computer fraud ranking segregation of duties within
the computer department, physical security of the
computer installation and passwords most highly
from a list of typical controls. It was noted that little
importance was attributed to personnel selection
Downloaded by UNIVERSITY OF EXETER At 06:27 01 May 2015 (PT)
procedures or special measures for staff working
in areas with a high risk of computer fraud.
What is Done to Detect Computer Fraud
(1) Internal audit departments favoured interrogation
software, installation review and input/output
reconciliations for the detection of computer fraud.
(2) There was a lack of formalisation of the action to
be taken in the event of a computer fraud being
discovered. Formalisation varied with size but less
than half of the organisations had formal guidelines.
Opinions
(1) Internal auditors perceived the main areas at risk
from computer fraud to be real-time and on-line
processing, automated payments systems and
minicomputers under user control.
(2) The major threat of computer fraud was seen as
arising from the low skill area including input frauds
(unauthorised access and false computer input),
rather than sophisticated techniques like program
patches and alteration of JCL.
Implications
Advances in information technology will make organisations
increasingly vulnerable to computer fraud. In order to
counteract this threat management should take the
following steps:
Paul A. Collier is a Lecturer in Accounting at the University of Exeter; R. Dixon and C.L. Marston are respectively
Principal Lecturer and Senior Lecturer at Newcastle-upon-Tyne Polytechnic.
(1) Acknowledge the threat and seek to educate
relevant staff on their role in its prevention and
detection.
(2) Allocate responsibility for the prevention and
detection of computer fraud to appropriate staff.
As responsibility may be jointly shared by users and
support functions, it may be necessary to appoint
a person in overall charge to co-ordinate the
corporate response.
(3) Implement a programme for identifying the
exposures to computer fraud and providing for their
cost-effective treatment. Complete security cannot
be obtained and therefore management must
balance the cost of controls with the likelihood of
losses. The choice of controls will depend upon the
risk identified, but will include controls in the areas
of physical access, passwords, software security,
communications networks, personnel management
and systems development. Consideration should be
given to insuring any residual risks not covered by
controls.
Conclusion
Computer fraud is a threat that business must take
seriously. This requires that a systematic approach is taken
to its prevention and detection. The time to act is before
the organisation is alerted to the risks by a fraud being
perpetrated.
References
1. Audit Commission, Survey of Computer Fraud and Abuse,
HMSO, London, 1987.
2. BIS Applied Systems, Computer-Related Fraud Casebook,
London, 1987.
3. American Bar Association, Report on Computer Crime,
Chicago, 1984.
4. Chisholm Institute of Technology, Computer-related Crime
in Australia in 1984, Melbourne, 1985.
5. Institute of Internal Auditors, Statement on Internal
Auditing Standards 1, Control: Concepts and
Responsibilities, Orlando, Florida, 1983.
6. Institute of Internal Auditors, Statement of Internal
Auditing Standards 3, Deterrence, Detection, Investigation
and Reporting of Fraud, Orlando, Florida, 1985.