Internal Auditors and the Prevention and

Detection of Computer Fraud

Claire Marston, Newcastle Business School
Rob Dixon, Newcastle Business School
Paul Collier, Exeter University

Abstract: This study examines the involvement and attitudes of internal auditors to the prevention and detection of
computer fraud. This approach differs from previous research which has concentrated on learning from frauds which
have occurred. The main enquiry was by means of a questionnaire sent to members of the Institute of Internal Auditors.
Verification and additional information was forthcoming by visiting some respondents.
Almost a fifth of internal audit departments reported that they had no specific responsibility for either prevention or
detection of computer fraud. It was clear that where responsibility was acknowledged, it is generally on an informal
basis or is self imposed.
Internal auditors reported that most reliance was placed on computer assisted tools and manual techniques like input/
output reconciliation for detection of computer fraud. Few of the organisations surveyed had any laid down guidelines
what to do in the case of a fraud discovery. Where guidelines did exist they called for dismissal and prosecution. In
smaller firms, external auditors have a larger role in the prevention and detection of computer fraud than in larger firms.
Opinion on the prevention and detection of computer fraud included the view that as network systems become more
common, so detection and prevention will become more difficult. In addition it was claimed that management did not
appreciate the level of the threat. Internal auditors feel that they have a role to play, but highlighted the fact that there
is a shortage of staff with the requisite skills.

Introduction had not experienced a computer crime in the past

Recent research on computer fraud in the UK has
concentrated on the circumstances surrounding
known computer frauds and has attempted to point
out the lessons which should be learned. The main
source of information has been the government
surveys conducted in 1981, 1984 and 1987, first by
the Audit Inspectorate but latterly by the Audit
Commission. The pattern of these studies, as
summarised in the Audit Commission (1987) is for
an increase in the number of incidents and the
average loss incurred (1981 67 incidents - £905,149
lost, 1984 77 indicents - £1,133,487 lost and 1987
118 incidents - £2,561,351 lost). Even more
dramatic is the change found in BIS Applied
Systems (1987) which reported the average loss per
incident up from £31,000 in 1983 to £262,000.
Abroad, studies like American Bar Association
(1984) in the US; and the Chisholm Institute of
Technology (1984) in Australia present a similar
picture. Despite these results the Audit Commission
survey also found that 920/0 of the 1,200 respondents
three years. This result suggests that although
computer fraud is a growing problem: it is not yet
widespread. Although this may not be the case in
specific business sectors. For example, a police
survey (Financial Times 26 September 1989) pointed
to £477m involved in cases of fraud or attempted
fraud, often relating to computer systems, in the
Square Mile. However, commentators suggest that
the threat of computer fraud will grow (for example
the Audit Commission (1987) observed that
"opportunities for misuse continue to increase in
line with technological advance").
This survey, in contrast to the studies discussed
above, focuses not on reported incidents, but seeks
to explore where responsibility is 'vested within
firms for computer fraud prevention and detection
and the role and opinions of internal auditors in
counteracting this threat.
Many definitions of computer fraud exist. These
range from any dishonesty taking place in a com-
puter environment to specific technical adjustments
 Internal Auditors and the Prevention and Detection of Computer Fraud 231
to hardware or software. For the purposes of
this study, the definition that was used by the
Audit Commission in the 1987 survey has been
applied. The concern of this study is therefore, 'any
fraudulent behaviour connected with computeri-
sation by which someone intends to gain a dishonest
advantage' .
Methodology and objectives
The specific objectives of the research were to:
(i) identify were the responsibility for computer
fraud prevention and detection resided within
the organisation;
(ii) examine the role of the internal audit depart-
ment in corporate efforts to prevent and detect
computer fraud; and
(iii) discover the opinions of internal auditors on
lev~l of risk and threat of computer fraud in
various areas.
The emphasis on internal auditors arises because
they are uniquely placed to provide information for
three reasons:
(i) the requirement of auditor independance pre-
cludes them from operating or otherwise being
involved in the systems through which
computer fraud might be committed;
(ii) internal auditors are responsible for examining
and evaluating the adequacy and effectiveness
of the organisation's system of internal
control. Internal controls are the means by
which organisations counter the threat of
internal fraud; and
(iii) internal audit departments as well as existing
in the vast majority of large and medium sized
organisations are also often present in smaller
firms and therefore a survey targeted at
internal auditors would cover a representative
cross-section of firms.
The research approach was to develop and field test
a questionnaire, which was sent to three hundred
members of a population defined as members of the
Institute of Internal Auditors and Chartered
Institute of Management Accountants, who were
working as internal auditors (a population at 31
Annualturnover
ortotalbudget
Large Over £50 million
Medium More than £20 million & less than £50 million
Small Less than £20 million
Table 1. Respondent organisations bysize
January 1988 of 2631). 184 usable responses were
received - a response rate of 61 % . The responses
were validated by contact through visits or by
phone to 32 respondents. The standard tests failed
to detect any non-response bias.
To establish the breadth of coverage of the responses
the respondents were analysed into groups by
reference to either annual turnover or total budget,
dependent upon which was applicable. Table 1
gives an indication of the range of organisations
surveyed.
Further, the responses were analysed between
public and private sector. Of the 184 respondents
125 (68 % ) were in the private sector and 59 (32 % )
were in the public domain. These analyses suggest
that the responses are representative of organi-
sations in the UK and there the results should give
a broad indication of current practice amongst
internal auditors and within firms.
Responsibility for Prevention and Detection
Table 2 shows that respondents considered that
specific responsibility for countering computer fraud
is not consistently attributed within organisations.
Fifty seven (31%) indicated that responsibility was
spread between three or more of the categories
given; ninety four (51%) limited responsibility to
one or two categories and the remaining 18%
reported that no specific responsibility was placed
on any person or function within the organisation
for the prevention or detection of computer fraud.
Nevertheless, the responses showed that internal
auditors are most commonly responsible for most
aspects of computer fraud prevention and detection
(see Table 2). Although internal audit departments
in many firms may shoulder the responsibility for
both prevention and detection, such responsibility
is assumed in an informal, unstructured way, rather
than being part of the documented department
function (see Table 3).
This lack of overall and specific responsibility
causes some disquiet. There is an apparent lack of
supervision in these matters on the part of senior
Number of 0/0 dj
responses sample
93 50
62 34
29 16
184 100