Susan and Scott reflected on what they had done to try and understand what decisions S&S would need to make and the information needed to make them. They began by obtaining an understanding of S&S’s basic business processes and of the key decisions that must be made to operate the business effectively. They followed that with an analysis of the internal and external parties that the AIS would have to interact with and the information the AIS would have to provide them.
Since S&S is a retail merchandising company, its business processes could be described in terms of four basic transaction cycles:
1. The revenue cycle encompasses all transactions involving sales to customers and the collection of cash receipts for those sales.
2. The expenditure cycle encompasses all transactions involving the purchase and payment of merchandise sold by S&S, as well as other services it consumes, such as rent and
3. The human resources/payroll cycle encompasses all the transactions involving the hiring, training, and payment of employees.
4. The financing cycle encompasses all transactions involving the investment of capital in the company, borrowing money, payment of interest, and loan repayments.
These four cycles interface with the general ledger and reporting system, which consists of all activities related to the preparation of financial statements and other managerial
Scott and Susan will need a well-designed AIS to provide the information they need to effectively plan, manage, and control their business. Their AIS must be able to process data about sales and cash receipts, purchasing and paying for merchandise and services, payroll and tax-related transactions, and acquiring and paying for fixed assets. The company’s AIS must also provide the information needed to prepare financial statements.
Fortunately, there are many computer-based accounting packages available for the retail industry. As they begin looking at various software packages, however, Scott and Susan quickly learn that considerable accounting knowledge is required to choose the one that will best fit their business. Because neither has an accounting background, Scott and Susan decide that their next task will be to hire an accountant.
Ashton is aware that Scott and Susan plan to open additional stores in the near future and want to develop a website to conduct business over the Internet. Based on this information, Ashton will select an accounting package that will satisfy S&S’s current and anticipated future needs.
The software should be able to take care of all data processing and data storage tasks. Ashton will also make sure that the software can interface with the source data automation devices he wants to use to capture most data input. The software must be capable of producing a full set of financial reports and be flexible enough to produce other useful information the company will need to be successful. Finally, Ashton realized his next step would be to select the software and produce some documentation of how the system worked.
Ashton prepared DFDs (Figures 3-6 and 3-7), a flowchart (Figure 3-9), and a BPD (Figure 3-13) of S&S’s payroll processing system to document and explain the operation of the existing system. He was pleased to see that Scott and Susan were able to grasp the essence of the system from this documentation. The DFDs indicated the logical flow of data, the flowcharts illustrated the physical dimensions of the system, and the BPD showed the activities in each business process.
Susan and Scott agreed that Ashton should document the remainder of the system. The documentation would help all of them understand the current system. It would also help Ashton and the consultants design the new system. In fact, the payroll documentation had already helped them identify a few minor changes they wanted to make in their system. Using Figure 3-9, Susan now understands why the payroll clerk sometimes had to borrow the only copy of the payroll report that was prepared. She recommended that a second copy be made and kept in the payroll department. Susan also questioned the practice of keeping all the payroll records in one employee/payroll file. To keep the file from becoming unwieldy, she recommended that it be divided into three files: personal employee data, pay period documentation, and payroll tax data. A discussion with the payroll clerk verified that this approach would make payroll processing easier and more efficient.
Over the next few weeks, Ashton documented the remaining business processes. This process helped him identify inefficiencies and unneeded reports. He also found that some system documents were inadequately controlled. In addition, he got several ideas about how an automated system could help him reengineer the business processes at S&S. By substituting technology for human effort, outdated processes and procedures could be eliminated to make the system more effective.
When Ashton completed his analysis and documentation of the current system, Susan and Scott asked him to continue his work in designing a new system. To do that, Ashton must thoroughly understand the information needs of the various employees in the company. Then he can design a new system using the tools that were explained in this chapter. Systems development is discussed in Chapters 20 through 22.
Ashton prepared a report for Scott and Susan summarizing what he knew about databases.
He explained that a database management system (DBMS), the software that makes a database system work, is based on a logical data model that shows how users perceive the way the data is stored. Many DBMSs are based on the relational data model that represents data as being stored in tables. Every row in a relational table has only one data value in each column. Neither row nor column position is significant. These properties support the use of simple, yet powerful, query languages for interacting with the database. Users only need to specify the data they want and do not need to be concerned with how the data are retrieved.
The DBMS functions as an intermediary between the user and the database, thereby hiding the complex addressing schemes actually used to retrieve and update the information stored in the database.
After reading Ashton’s report, Scott and Susan agreed that it was time to upgrade S&S’s AIS and to hire a consulting firm to help select and install the new system. They asked Ashton to oversee the design process to ensure that the new system meets their needs.
Needing evidence to support his belief that Don Hawkins had committed a fraud, Jason Scott expanded the scope of his investigation. A week later, Jason presented his findings to the president of Northwest. To make his case hit close to home, Jason presented her with a copy of her IRS withholding report and pointed out her withholdings. Then he showed her a printout of payroll withholdings and pointed out the $5 difference, as well as the difference of several thousand dollars in Don Hawkins’s withholdings. This got her attention, and Jason explained how he believed a fraud had been perpetrated.
During the latter part of the previous year, Don had been in charge of a payroll program update. Because of problems with other projects, other systems personnel had not reviewed the update. Jason asked a former programmer to review the code changes. She found program code that subtracted $5 from each employee’s withholdings and added it to Don’s withholdings. Don got his hands on the money when the IRS sent him a huge refund check.
Don apparently intended to use the scheme every year, as he had not removed the incriminating code. He must have known there was no reconciliation of payroll withholdings with the IRS report. His simple plan could have gone undetected for years if Jason had not overheard someone in the cafeteria talk about a $5 difference.
Jason learned that Don had become disgruntled when he was passed over the previous year for a managerial position. He made comments to coworkers about favoritism and unfair treatment and mentioned getting even with the company somehow. No one knew where he got the money, but Don purchased an expensive sports car in April, boasting that he had made a sizable down payment.
When the president asked how the company could prevent this fraud from happening again, Jason suggested the following guidelines:
1. Review internal controls to determine their effectiveness in preventing fraud. An existing control—reviewing program changes—could have prevented Don’s scheme had it been followed. As a result, Jason suggested a stricter enforcement of the existing controls.
2. Put new controls into place to detect fraud. For example, Jason suggested a reconciliation of the IRS report and payroll record withholdings.
3. Train employees in fraud awareness, security measures, and ethical issues.
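The reconciliation control in guideline 2, sketched as an added example (not code from the original text): it compares each employee's withholdings in the payroll records with the IRS report and flags many identical small differences offset by one large one. The employee IDs, amounts, direction of the differences, and the function name are constructed for illustration.

```python
from collections import Counter
from decimal import Decimal

def reconcile_withholdings(payroll, irs_report):
    """Compare per-employee withholdings in payroll records with the IRS report.

    Returns (deltas, findings): deltas maps employee id -> IRS amount minus
    payroll amount for every mismatch; findings is a list of alert strings.
    """
    findings = []
    deltas = {}
    for emp in sorted(set(payroll) | set(irs_report)):
        if emp not in payroll or emp not in irs_report:
            findings.append(f"{emp}: present in only one source")
            continue
        diff = Decimal(irs_report[emp]) - Decimal(payroll[emp])
        if diff != 0:
            deltas[emp] = diff
    if not deltas:
        return deltas, findings
    # Many employees off by the same small amount suggests a programmed skim,
    # not random keying errors.
    common, count = Counter(deltas.values()).most_common(1)[0]
    if count >= 3:
        findings.append(f"{count} employees share an identical difference of {common}")
        # Whoever absorbs the offsetting total is the likely beneficiary.
        for emp, diff in deltas.items():
            if diff == -common * count:
                findings.append(f"{emp}: difference {diff} offsets the shared shortfall")
    return deltas, findings

# Constructed sample data (amounts as strings to avoid float rounding).
PAYROLL = {"E001": "4200.00", "E002": "3875.50", "E003": "5120.25",
           "E004": "2990.00", "E005": "6100.00"}
IRS = {"E001": "4195.00", "E002": "3870.50", "E003": "5115.25",
       "E004": "2985.00", "E005": "6120.00"}

if __name__ == "__main__":
    deltas, findings = reconcile_withholdings(PAYROLL, IRS)
    for line in findings:
        print(line)
```

Run as a periodic job, a check like this turns the missing reconciliation into a detective control that does not depend on anyone reviewing the program change itself.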
Jason urged the president to prosecute the case. She was reluctant to do so because of the adverse publicity and the problems it would cause Don’s wife and children. Jason’s supervisor tactfully suggested that if other employees found out that Don was not prosecuted, it would send the wrong message to the rest of the company. The president finally conceded to prosecute if the company could prove that Don was guilty. The president agreed to hire a forensic accountant to build a stronger case against Don and try to get him to confess.
It took RPC two days to get its system back up to the point that the audit team could continue their work. RPC had been hit with multiple problems at the same time. Hackers had used packet sniffers and eavesdropping to intercept a public key RPC had sent to Northwest. That led to an MITM attack, which allowed the hacker to intercept all communications about the pending merger. It also opened the door to other attacks on both systems.
Law enforcement was called in to investigate the problem, and they were following up on three possibilities. The first was that hackers had used the intercepted information to purchase stock in both companies, leak news of the purchase to others via Internet chat rooms, and, once the stock price had been pumped up, to dump the stock of both companies. There did seem to be significant, unusual trading in the two companies’ stock in the last few months. The second possibility was hackers exploiting system weaknesses they had found, stealing confidential data on RPC’s customers, and causing considerable harm when they were done to cover their tracks. The third possibility was economic espionage and Internet terrorism. They received an anonymous tip that one of Northwest’s competitors was behind the attack. It would take weeks or even months to track down all the leads and determine who had caused the problem and why.
Jason’s research helped him understand the many ways outside hackers and employees attack systems. He never knew there were so many different things that could be spoofed in systems. He was also intrigued by some of the more technical attacks, such as XSS, buffer overflow attacks, MITM attacks, and SQL injection. He also found it interesting to learn how people use computers to defraud or harm other individuals and companies, such as Internet terrorism, misinformation, auction fraud, cyber-bullying, and cyber-extortion.
Jason was familiar with some of the social engineering techniques he read about, such as pretexting, posing, pharming, and phishing. However, he was unfamiliar with many of the techniques such as Lebanese looping, evil twin, chipping, and typosquatting. He had a similar experience when learning about malware. He was familiar with spyware, adware, Trojan horses, viruses, and key loggers. He learned many new things when he read about scareware, ransomware, steganography, rootkits, and bluebugging.
Jason’s research also gave him a perspective on past and future uses of computer fraud and abuse techniques. He learned that many hacker attacks use more than one technique. For example, hackers often send spam e-mails that lure the victim to a website that downloads either a keylogger software or code that either hijacks the computer and turns it into a botnet zombie or tries to trick the user into disclosing confidential information. He also learned that hackers take advantage of people who share personal information on social
With the harvested personal information that makes it easier to target specific people, cyber-attacks are increasingly successful in tricking even savvy users into making a mistake. For example, past phishing attacks used a generic spam e-mail message that was obviously bogus. Newer attacks use current-events issues or hot-button topics. Attacks that are even more sophisticated use information about the intended target to make them look legitimate. For example, the e-mail may use stolen information, such as the victim’s employer or a friend or family member, to induce them to open an attachment or visit a
Lastly, Jason learned there is a plethora of fraud software on the market and that hackers compete to make the most easy-to-use tools. As a result, hackers do not need to be programmers; they just need to know whom they want to target and check a few boxes. For example, with Zeus, one of the most popular and successful data-stealing toolkits, cyber criminals can generate detailed reports on each website visited. They can also use the program’s powerful search engine to browse through their victims’ machines and find detailed information, such as which banks they use. Conversely, the best hackers are more knowledgeable than in the past and use sophisticated technologies. For example, zombies on a botnet used an automated SQL injection attack to compromise over 500,000 websites last year, stealing sensitive information and injecting malware into the site.
One week after Jason and Maria filed their audit report, they were summoned to the office of Northwest’s director of internal auditing to explain their findings. Shortly thereafter, a fraud investigation team was dispatched to Bozeman to take a closer look at the situation.
Six months later, a company newsletter indicated that the Springer family sold its 10% interest in the business and resigned from all management positions. Two Northwest executives were transferred in to replace them. There was no other word on the audit findings.
Two years later, Jason and Maria worked with Frank Ratliff, a member of the high-level audit team. After hours, Frank told them the investigation team examined a large sample of purchasing transactions and all employee timekeeping and payroll records for a 12-month period. The team also took a detailed physical inventory. They discovered that the problems Jason identified—including missing purchase requisitions, purchase orders, and receiving reports, as well as excessive prices—were widespread. These problems occurred in transactions with three large vendors from whom Springer’s had purchased several million dollars of inventory. The investigators discussed the unusually high prices with the vendors but did not receive a satisfactory explanation. The county business-licensing bureau revealed that Bill Springer held a majority ownership interest in each of these companies. By authorizing excessive prices to companies he owned, Springer earned a significant share of several hundred thousand dollars of excessive profits, all at the expense of Northwest Industries.
Several Springer employees were paid for more hours than they worked. Inventory was materially overstated; a physical inventory revealed that a significant portion of recorded inventory did not exist and that some items were obsolete. The adjusting journal entry reflecting Springer’s real inventory wiped out much of their profits over the past three years.
When confronted, the Springers vehemently denied breaking any laws. Northwest considered going to the authorities but was concerned that the case was not strong enough to prove in court. Northwest also worried that adverse publicity might damage the company’s position in Bozeman. After months of negotiation, the Springers agreed to the settlement reported in the newsletter. Part of the settlement was that no public statement would be made about any alleged fraud or embezzlement involving the Springers. According to Frank, this policy was normal. In many fraud cases, settlements are reached quietly, with no legal action taken, so that the company can avoid adverse publicity.