Abstract: This study examines the involvement and attitudes of internal auditors to the prevention and detection of
computer fraud. This approach differs from previous research which has concentrated on learning from frauds which
have occurred. The main enquiry was by means of a questionnaire sent to members of the Institute of Internal Auditors.
Verification and additional information was forthcoming by visiting some respondents.
Almost a fifth of internal audit departments reported that they had no specific responsibility for either prevention or
detection of computer fraud. It was clear that where responsibility was acknowledged, it is generally on an informal
basis or is self imposed.
Internal auditors reported that most reliance was placed on computer assisted tools and manual techniques like
input/output reconciliation for detection of computer fraud. Few of the organisations surveyed had any laid down guidelines
on what to do in the case of a fraud discovery. Where guidelines did exist they called for dismissal and prosecution. In
smaller firms, external auditors have a larger role in the prevention and detection of computer fraud than in larger firms.
Opinion on the prevention and detection of computer fraud included the view that as network systems become more
common, so detection and prevention will become more difficult. In addition it was claimed that management did not
appreciate the level of the threat. Internal auditors feel that they have a role to play, but highlighted the fact that there
is a shortage of staff with the requisite skills.

to hardware or software. For the purposes of this study, the definition that was used by the Audit Commission in the 1987 survey has been applied. The concern of this study is therefore, 'any fraudulent behaviour connected with computerisation by which someone intends to gain a dishonest advantage'.

Methodology and objectives

The specific objectives of the research were to:
(i) identify where the responsibility for computer fraud prevention and detection resided within the organisation;
(ii) examine the role of the internal audit department in corporate efforts to prevent and detect computer fraud; and
(iii) discover the opinions of internal auditors on level of risk and threat of computer fraud in various areas.

The emphasis on internal auditors arises because they are uniquely placed to provide information for three reasons:
(i) the requirement of auditor independence precludes them from operating or otherwise being involved in the systems through which computer fraud might be committed;
(ii) internal auditors are responsible for examining and evaluating the adequacy and effectiveness of the organisation's system of internal control. Internal controls are the means by which organisations counter the threat of internal fraud; and
(iii) internal audit departments as well as existing in the vast majority of large and medium sized organisations are also often present in smaller firms and therefore a survey targeted at internal auditors would cover a representative cross-section of firms.

The research approach was to develop and field test a questionnaire, which was sent to three hundred members of a population defined as members of the Institute of Internal Auditors and Chartered Institute of Management Accountants, who were working as internal auditors (a population at 31 January 1988 of 2631). 184 usable responses were received - a response rate of 61%. The responses were validated by contact through visits or by phone to 32 respondents. The standard tests failed to detect any non-response bias.

To establish the breadth of coverage of the responses the respondents were analysed into groups by reference to either annual turnover or total budget, dependent upon which was applicable. Table 1 gives an indication of the range of organisations surveyed.

Further, the responses were analysed between public and private sector. Of the 184 respondents 125 (68%) were in the private sector and 59 (32%) were in the public domain. These analyses suggest that the responses are representative of organisations in the UK and therefore the results should give a broad indication of current practice amongst internal auditors and within firms.

Responsibility for Prevention and Detection

Table 2 shows that respondents considered that specific responsibility for countering computer fraud is not consistently attributed within organisations. Fifty seven (31%) indicated that responsibility was spread between three or more of the categories given; ninety four (51%) limited responsibility to one or two categories and the remaining 18% reported that no specific responsibility was placed on any person or function within the organisation for the prevention or detection of computer fraud.

Nevertheless, the responses showed that internal auditors are most commonly responsible for most aspects of computer fraud prevention and detection (see Table 2). Although internal audit departments in many firms may shoulder the responsibility for both prevention and detection, such responsibility is assumed in an informal, unstructured way, rather than being part of the documented department function (see Table 3).

This lack of overall and specific responsibility causes some disquiet. There is an apparent lack of supervision in these matters on the part of senior