The vulnerability of computerised accounting information systems to computer crime

Essay by XinuxUniversity, Bachelor's September 2008

Abstract

With information technology developing day by day, the Computerised Accounting Information System (CAIS) plays an increasingly significant role in the successful operation of today's businesses. CAIS is being used more and more broadly and has had a corresponding impact on organisations; however, computer crime is also an important issue related to CAIS. Expenditure on computer controls and security has been increasing in recent years, as has the proportion of companies suffering computer-related losses (Bagranoff & Moscove & Simkin 2003). Therefore, we can believe that growing dependence on information technologies and computer crime are positively correlated. The main objectives of this essay are to explain what computer crime is and to look at the connections between the vulnerabilities of Computerised Accounting Information Systems and computer crime.

E-crime has become one of the major future challenges for Australasian law enforcement (Barbara 2001, p. 2). Using accounting software can create significant vulnerability to computer crime. There are several risks when using financial data file software, such as unauthorised access to data and programs, undetected changes to files, and the processing of unauthorised transactions by outsiders and internal employees.

An internal employee is able to deceive their employer by taking company assets (Rabinovitch 2001). For instance, a rogue trader at Société Générale, Jérôme Kerviel, began making unauthorised transactions in 2005, and lapses in the internal controls allowed the trades to go undiscovered until January 2008, according to a preliminary report (http://www.nytimes.com/2008/02/21/business/worldbusiness/21bank.html?_r=2&oref=slogin&oref=slogins 2008). In this case, in a CAIS, an employee establishes accounts for fake companies and has payments made to those accounts for goods that are not actually delivered. The inspection is not conducted by a third party, so funds from the fake companies go straight into the employee's pocket.

As well as employees, management can manipulate financial statements in the software to gain a bonus or to gain interest. A company may have an automated payroll system. The payroll system could be vulnerable to fraud if adequate internal controls are not implemented (Craig, S.H. 1995). For example, if an employee leaves the company, the payroll officer is able to delay the termination order and change the mailing address. A payroll officer also has the opportunity to input fake names into the system without independent confirmation.

A CAIS such as MYOB has an automated bank reconciliation system. It is vulnerable to fraud because it involves reconciling cash resources. Reconciliation should be conducted by a separate employee, because having it prepared by the same employee opens the door to covering up discrepancies. It is also important to keep files confidential, such as financial information, customers' or suppliers' account numbers, payroll information and other personal data. A 1996 survey by the Computer Security Institute (Barbara 2001, p. 6) reported that 42% of respondents had experienced some form of system intrusion or unauthorised system use in Australia. Therefore, a proper operating system must be used to prevent unauthorised access to confidential data.

To prevent this issue, the data input controls in the payroll system should be carefully reviewed (Bagranoff & Moscove & Simkin 2003). Keep all physical records of payroll data, and have payroll changes authorised by a manager before they are entered into the database.

Adequate separation of duties is a useful control for making sure that the individuals who execute transactions are different from those who authorise them. An employee can become involved in bribery when they become too close to customers and vendors. Adequate segregation of duties prevents bribery because employees do not have complete control of a transaction. Furthermore, rotating staff among different tasks makes it more difficult to get close to a vendor or supplier, because an employee taking bribes is constantly changing duties and cannot stay in one role and keep concealing his or her trail. Another useful tool for detecting fraud is annual leave, as it lets someone else do the tasks while the designated employee is on holiday, which can reveal any irregularities that have previously taken place.
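The payroll controls discussed above (manager authorisation of payroll changes, separation of the person who enters a change from the person who approves it, and the delayed-termination risk) can be checked with queries over the payroll tables. This is an added example, not part of the original essay; the table layout, column names and sample rows are constructed assumptions.

```python
import sqlite3

def build_payroll_db():
    """In-memory database with a hypothetical payroll schema and constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE staff(id INTEGER PRIMARY KEY, name TEXT, role TEXT,
                           terminated_on TEXT);  -- ISO date, NULL if employed
        CREATE TABLE payroll_changes(id INTEGER PRIMARY KEY, staff_id INTEGER,
                           field TEXT, entered_by INTEGER, approved_by INTEGER);
        CREATE TABLE payments(id INTEGER PRIMARY KEY, staff_id INTEGER,
                           paid_on TEXT, amount REAL);
    """)
    db.executemany("INSERT INTO staff VALUES (?,?,?,?)", [
        (1, "P. Officer", "payroll_officer", None),
        (2, "M. Manager", "manager", None),
        (3, "L. Leaver", "clerk", "2008-03-31")])
    db.executemany("INSERT INTO payroll_changes VALUES (?,?,?,?,?)", [
        (100, 3, "mailing_address", 1, None),  # never approved
        (101, 1, "pay_rate", 1, 1),            # entered and approved by same person
        (102, 3, "tax_code", 1, 2)])           # approved by a manager
    db.executemany("INSERT INTO payments VALUES (?,?,?,?)", [
        (500, 3, "2008-03-28", 1900.0),
        (501, 3, "2008-04-25", 1900.0),        # paid after termination date
        (502, 1, "2008-04-25", 2100.0)])
    return db

def unauthorised_changes(db):
    """Changes lacking approval by a manager other than the person who entered them."""
    rows = db.execute("""
        SELECT c.id FROM payroll_changes c
        LEFT JOIN staff a ON a.id = c.approved_by
        WHERE c.approved_by IS NULL
           OR c.approved_by = c.entered_by
           OR a.role IS NOT 'manager'
        ORDER BY c.id""")
    return [r[0] for r in rows]

def payments_after_termination(db):
    """Payments dated later than the payee's termination date."""
    return db.execute("""
        SELECT p.id, s.name, p.paid_on FROM payments p
        JOIN staff s ON s.id = p.staff_id
        WHERE s.terminated_on IS NOT NULL AND p.paid_on > s.terminated_on
        ORDER BY p.id""").fetchall()

if __name__ == "__main__":
    db = build_payroll_db()
    print(unauthorised_changes(db), payments_after_termination(db))
```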

Jones, L. and Rama V. (2003) confirm that database queries can also be a powerful tool for detecting fraudulent activities. For example, where dummy vendors have been set up, a query that cross-checks employees' addresses against vendors' addresses can easily detect the fraud. Alternatively, if staff are keeping funds paid by accounts receivable by entering sales returns and credit notes, a query of sales returns by customer and sales staff can be handy for detecting inconsistent returns. An employee is also able to take bribes from vendors and customers to allow a lower sales price, a higher purchase price, non-delivery of goods or delivery of inferior goods. Controls suggested to prevent these include password protection and physical control over computer hardware, such as locks and read-only access. A control to offset these risks could include documentation and checklists and regular maintenance of software and hardware.
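The two detection queries described above, written out as an added example that is not part of the original essay. The schema, the address normalisation rule, the threshold of three returns and all sample rows are constructed assumptions.

```python
import sqlite3

def normalise(addr):
    # Lower-case and drop punctuation so "12 High St." matches "12 HIGH ST"
    cleaned = "".join(c.lower() if c.isalnum() else " " for c in addr)
    return " ".join(cleaned.split())

def build_db():
    """In-memory database with a hypothetical schema and constructed rows."""
    db = sqlite3.connect(":memory:")
    db.create_function("norm", 1, normalise)
    db.executescript("""
        CREATE TABLE employees(id INTEGER PRIMARY KEY, name TEXT, address TEXT);
        CREATE TABLE vendors(id INTEGER PRIMARY KEY, name TEXT, address TEXT);
        CREATE TABLE sales_returns(id INTEGER PRIMARY KEY, customer TEXT,
                                   staff_id INTEGER, amount REAL);
    """)
    db.executemany("INSERT INTO employees VALUES (?,?,?)", [
        (1, "A. Clerk", "12 High St., Footscray"),
        (2, "B. Officer", "7 Park Road, Sunshine"),
        (3, "C. Sales", "3 Mill Lane, Werribee")])
    db.executemany("INSERT INTO vendors VALUES (?,?,?)", [
        (10, "Acme Paper Pty Ltd", "40 Dock Rd, Melbourne"),
        (11, "Quick Supplies", "12 HIGH ST FOOTSCRAY")])  # same place as employee 1
    db.executemany("INSERT INTO sales_returns VALUES (?,?,?,?)", [
        (1, "Delta Traders", 3, 250.0), (2, "Delta Traders", 3, 250.0),
        (3, "Delta Traders", 3, 250.0), (4, "Delta Traders", 3, 250.0),
        (5, "Omega Ltd", 2, 80.0), (6, "Beta Co", 3, 40.0)])
    return db

def vendors_at_employee_address(db):
    """Vendor/employee pairs whose normalised addresses are identical."""
    return db.execute("""
        SELECT v.name, e.name FROM vendors v
        JOIN employees e ON norm(v.address) = norm(e.address)
        ORDER BY v.id""").fetchall()

def returns_by_staff_and_customer(db, min_count=3):
    """Staff/customer pairs with at least min_count returns, largest total first."""
    return db.execute("""
        SELECT staff_id, customer, COUNT(*) AS n, SUM(amount) AS total
        FROM sales_returns GROUP BY staff_id, customer
        HAVING COUNT(*) >= ? ORDER BY total DESC""", (min_count,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(vendors_at_employee_address(db))
    print(returns_by_staff_and_customer(db))
```

A match from either query is a lead for review rather than proof of fraud: a vendor can legitimately share a building with an employee, and one customer can have a genuine run of returns.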

In fact, it is hard to define what a computer crime actually is. Doney (2001, p. 30) defines computer crime as crimes in which perpetrators use a computer as a tool. A lack of technical knowledge among the users of a CAIS can raise potential risks such as hardware failure or the release of confidential data. However, it should not be ignored that users can sometimes make errors accidentally, and such errors cannot be counted as a crime (Etter, C. 2001). For example, if incorrect data is mistakenly entered in a computerised financial statement, it cannot be considered a computer crime, because it was not done with the intent of gaining advantage over another through false pretence. If, in the same situation, someone purposely enters incorrect data to trick investors or to steal funds, it could be judged a crime.

Hacking, which is gaining unauthorised access to a system, is also one of the major issues for the security of data stored in an organisation's systems. There have been many cases of organisations' systems being hacked and the data being used for the hacker's advantage. In one case (Summers, 1997, chapter 4), two 'heavy manufacturing' firms were bidding on a $900 million contract; one outbid the other by a fraction of a percent. This was no coincidence, as the losing company later discovered that someone had broken into the company's computer network and accessed files that contained bidding strategy information. Beyond selling trade secrets to a company's competition, some hackers resort to extortion of the company. In Sweden, a 15-year-old and a 17-year-old tried to extort $2 million from a cellular company to destroy information they had illegally downloaded (Poole, B. 1995). These attacks threaten security and cost companies and organisations billions of dollars. A survey in 1999 estimates that 1000 companies had a loss of $45 billion from information theft.

A primary method of maintaining the security of data, both on internal systems and in transmission, is encryption. If the data is encrypted, it is quite difficult for an unauthorised person to view it, because the data is altered. Using a better computer operating system is another way to protect system security. UNIX has built-in security for each file in the system, such as read-only access, execute access and different levels of access. In addition to installing a proper operating system, passwords and user IDs are important information that must be kept secret (http://www.unix.org/what_is_unix.html). Frequently, password information should even be kept secret from the administrators: an administrator should not be allowed to see a user's password, but should only be able to set a new password. In addition, if a proper firewall is installed, the data and information that passes along a network communication channel can be viewed, and unauthorised parties cannot use this option to capture passwords and other sensitive information.

In conclusion, most organisations increasingly rely on Computerised Accounting Information Systems to perform their business operations. However, every organisation is directly or indirectly vulnerable to becoming a victim of computer crime. There are many types of computer crime, but the motivations can be divided into financial gain, revenge and intellectual challenge (Trembly, A.C. 1999). As the Internet has become broadly used, and because of some vulnerabilities of Computerised Accounting Information Systems, computer crime related to CAIS has continued to rise in recent years. The common types of computer crime involving CAIS are illegally obtaining and destroying programs over the Internet, unauthorised access and theft of valuable information, and theft of money by altering computer records. All in all, the best way to protect an accounting information system from computer crime is to increase system security.

Bibliography

Bagranoff, N.A., Simkin, M.G. & Moscove, S.A. 2001, Core Concepts of Accounting Information Systems, 7th edition, John Wiley & Sons Inc., Australia.

Clark, N. (2008) French Bank Says Its Controls Failed for 2 Years. [Online] New York Times. Available from: http://www.nytimes.com/2008/02/21/business/worldbusiness/21bank.html?_r=2&oref=slogin&oref=slogin [Accessed 27 April 2008]

Considine, B., Razeed, A., Lee, M., Speer, D. and Collier, P. (2008) Accounting Information Systems: understanding business processes. 2nd ed. Australia, John Wiley & Sons

Craig, S.H. (1995) Can computer security really make a difference? Managerial Auditing Journal [Online] 10(5), 10-15. Available from: http://www.emeraldinsight.com/10.1108/02686909510087937 [Accessed 25 June 2008]

Dray, J. (1988) Computer security and crime: implications for policy and action. Information Technology & People [Online] 4(3), 297-313. Available from: http://www.emeraldinsight.com.library.vu.edu.au/10.1108/eb022662 [Accessed 27 April 2008]

Etter, C. (2001) Computer Crime, Australia Institute of Criminology

Gallegos, F., Manson, D. and Allen-Senft, S. (1999) Information Technology Control and Audit. London, Auerbach.

Forkner, I. 1982, Computerised Business Information System, 2nd edition, John Wiley & Sons Inc., Canada.

Icove, D., Seger, K. & Vonstorch, W. 1995, Computer Crime: A Crimefighter's Handbook, O'Reilly & Associates Inc., America.

Jones, L. and Rama V. (2003) Accounting Information Systems: A Business Process Approach, Australia, South-Western Thomson.

Jancura, G and Boos, R (1999) Establishing Controls and Auditing The Computerized Accounting System. London, Van Nostrand Reinhold Company

McLeod, Jr., R. (1996) Systems Analysis and Design: An Organizational Approach. Sydney, The Dryden Press

Masciandaro, D. 2004, Global Financial Crime, Ashgate Publishing Limited, England.

Nazik, S.R. (1990) Computer-related Crimes: An Educational and Professional Challenge. Managerial Auditing Journal [Online] 5(4). Available from: http://www.emeraldinsight.com/10.1108/02686909010005707 [Accessed 1 May 2008]

Poole, B. 1995, Education for an Information Age: Teaching in the Computerised Classroom, Wm. C. Brown Communications Inc., London.

Power, R. 2000, Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace, Que Corporation, the USA.

Paul, B., Chaffey, D., Greasley, A., Hickie, S. and Chaffey, D. (2003) Business Information Systems: Technology, Development and Management for the e-business. 2nd ed. San Francisco, Prentice Hall.

Romney, M. and Steinbart, P. (2006) Accounting Information Systems. 10th ed. New Jersey, Prentice Hall.

Rushinek, A. and Rushinek, S. (1993) Using Experts for Detecting and Litigating Computer Crime. Managerial Auditing Journal [Online] 8(7). Available from: http://www.emeraldinsight.com/10.1108/02686909310046862 [Accessed 27 April 2008]

Rabinovitch, I. 2001, 'The Top Ten Tech Issues for 2001', CPA magazine, Jan. Feb., p.2.

Summers, E. (1997) Accounting Information Systems. Boston, Houghton Mifflin Company

Seetharaman, A., Senthilvelmurugan, M. and Periyanayagam, R. (2004) Anatomy of computer accounting frauds. Managerial Auditing Journal [Online] 19(8), 1055-1072. Available from: http://www.emeraldinsight.com.library.vu.edu.au/10.1108/02686900410557953 [Accessed 1 May 2008]

Trembly, A.C. 1999, 'Cyber Crime Means Billions in Losses', National Underwriter, vol.103, no.26, 28 Jun, p.19.

The Age [Homepage of The Age Newspaper] [Online] 2008. Available from: http://www.theage.com.au/ [Accessed 27 April 2008]

The New York Times [Homepage of The New York Times Newspaper] [Online] 2008. Available from: http://www.nytimes.com/ [Accessed 27 April 2008]

Wilkinson, J. (1993) Accounting Information Systems: Essential Concepts And Applications. 2nd ed. Canada, John Wiley & Sons