Understanding the potential impact of information technology on the susceptibility of organizations...


International Journal of Accounting Information Systems 4 (2003) 295–308

Understanding the potential impact of information technology on the susceptibility of organizations to fraudulent employee behavior

Antoinette Lynch*, Mohamed Gomaa

School of Accountancy, College of Business Administration, University of South Florida, 4202 East Fowler Avenue, BSN 3403, Tampa, FL 33620-5500, USA

Received 1 June 2002; received in revised form 1 February 2003; accepted 3 April 2003

Abstract

Although the infusion of progressively advanced information technology (IT) into business organizations can improve the capturing, processing, and reporting of critical decision-making information across the enterprise, such technology can also create an environment that is more vulnerable to fraud. In this article, we develop a framework based on the theory of planned behavior [Org. Behav. Human Decis. Process. 50 (2)(1991) 179] that addresses the potential impact of IT on the susceptibility of an organization to employee fraud. We believe that this framework can serve as a useful tool for management, internal auditors, and external auditors when assessing fraud risk.

© 2003 Elsevier Inc. All rights reserved.

Keywords: Theory of planned behavior; Fraud; Information technology

1467-0895/$ – see front matter © 2003 Elsevier Inc. All rights reserved. doi:10.1016/j.accinf.2003.04.001

* Corresponding author. Tel.: +1-813-974-6863; fax: +1-813-974-6528. E-mail address: [email protected] (A. Lynch).

1. Introduction

As companies integrate progressively advanced information technology (IT) into business organizations, unintended risks and consequences can be introduced into the business environment. For instance, the capability of enterprise resource planning systems to seamlessly integrate business processes across the entire organization offers managers the means to redesign and improve outmoded business models; however, a breakdown in automated workflow procedures can lead to serious business interruptions; electronic data interchange technology has vastly improved the efficiency and effectiveness of procurement processes, but when the electronic data interchange system is disrupted, production can come to a sudden halt. Hence, the infusion of IT into organizations can be likened to a “double-edged sword”—on one hand, IT can dramatically improve business performance, while on the other hand, IT can inject new, often unforeseen, risks into the environment. In this article, we focus on an understudied but critical threat in this regard—the potential link between IT integration and employee fraud.

In a recent study, the Association of Certified Fraud Examiners (ACFA, 2002) indicated that the direct cost of fraud to American companies is projected to increase to approximately $600 billion a year—an increase of 50% over the past 6 years. In addition to direct costs, fraud can also consume valuable management resources, negatively impact the value of companies, and result in huge legal fees (Colbert and Turner, 2000). Our thesis is that IT, while necessary for creating viable competitive business practices, can also provide employees with the means and opportunity to commit fraud. In this light, this article develops a conceptual framework aimed at investigating the potential link between the integration of IT into business organizations and the vulnerability of such entities to fraudulent employee behavior.

We characterize computer fraud as defined by the Virginia Computer Crimes Act: “any person who uses a computer or computer network without authority and with the intent to: (1) Obtain property or services by false pretenses; (2) Embezzle or commit larceny; or (3) Convert the property of another” (Bro, 2000, p. 483). Using the theory of planned behavior (Ajzen, 1991), we propose a linkage between the extent to which IT is used in organizations and the propensity of employees to commit computer-based fraud. Our framework can help business managers, internal auditors and external auditors assess the vulnerability of business organizations to employee fraud.

This article makes two key contributions to extant literature. First, we identify critical factors for assessing an employee’s intention to commit computer-based fraud. Second, we suggest several ways in which IT may inadvertently provide sophisticated means and opportunities for employees to perpetrate fraud in business organizations. The contributions of this article are particularly important given Statement on Auditing Standards (SAS) No. 99 (Consideration of Fraud in a Financial Statement Audit), which requires auditors to become more vigilant in assessing fraud risk (AICPA, 2002).

In Section 2, we address the theory of planned behavior and identify several measures that are appropriate when applying the theory to fraud and IT. In Section 3, we present the IT-fraud framework. Finally, we conclude with suggestions for future research.

2. Theory of planned behavior

The theory of planned behavior (Fig. 1) is a popular model for predicting human intentions and actions (Ajzen, 2001, 2002). Ajzen’s (1985) theory of planned behavior has been used by many researchers to understand and predict human behavior in various contexts, such as recycling (Boldero, 1995), ethical behavior (Kurland, 1995), college course selection (Randall, 1994), leisure activity selection (Ajzen and Driver, 1992), and seatbelt use (Trafimow and Fishbein, 1994). The theory asserts that although people hold many beliefs about performing a particular behavior, it is salient beliefs that determine actual behavior. Salient beliefs reflect attitudes toward the behavior, subjective norms related to the behavior, and perceived behavioral control over the behavior (Ajzen and Fishbein, 1980).

Fig. 1. Theory of planned behavior model. Adapted from Ajzen (1991).

Prior research has proposed two versions of the basic model (Ajzen and Madden, 1986). The first version assumes that behavioral intention, alone, is the immediate determinant of the actual behavior. Behavioral intention, in turn, has three antecedents (behavioral attitude, subjective norms, and perceived behavioral control) that contribute to the prediction of the behavior. The second version assumes that behavioral intentions and perceived behavioral control are joint determinants of the actual behavior. Three conditions are necessary to apply this second version of the theory. First, the behavior in question must lack volitional control. That is, limitations are imposed on the individual that prevent him or her from carrying out the behavior absent necessary opportunities and resources. Second, the behavior in question must be one where there is variation in the degree of accuracy associated with the individual’s perception about actual control. Finally, intentions to perform a behavior must depend on the measure of perceived behavioral control. This accounts for the interaction between behavioral intentions and perceived behavioral control (Ajzen and Madden, 1986). In the context of computer-based fraud, we posit that actual behavior is a function of behavioral intention and perceived behavioral control. We focus on the second version of the basic model of planned behavior since sophisticated IT limits individual volitional control to execute unethical acts and requires substantial resources to successfully engage in computer-based fraud.

Behavioral intention is a function of behavioral attitude, subjective norms, and perceived behavioral control. Thus, an employee’s intention to engage in computer-based fraudulent behavior depends largely on his or her attitude about computer fraud, subjective norms toward computer fraud, and perceived behavioral control over computer fraud; and more importantly, his or her actual behavior is a function of intentions to commit fraud and perceived behavioral control.¹

Only a few researchers have applied the theory of planned behavior to explain ethical decision making (Chang, 1998). Randall and Gibson (1991) used the theory of planned behavior to investigate the ethical decision making of reporting misconduct of colleagues by medical professionals. Their results indicate that attitude and subjective norm explain a large portion of the variance of intention, but adding perceived behavioral control did not add much unique variance. They suggested that the failure of perceived behavioral control to contribute to the model might be due to the behavior being studied, which may be perceived as being under a person’s total volitional control. Hsu and Kuo’s (2003) research focused on the perceived behavioral control construct. They manipulated the degree of volitional control to test assertions under the theory of planned behavior. They found that the theory of planned behavior model had a better fit under low volitional control than under high volitional control. Chang (1998) makes a case for using the theory of planned behavior to predict unethical behavior. Specifically, Chang (1998) states, “since unethical behavior, such as corruption and computer hacking, require substantial resources and opportunities to perform successfully, it is reasonable to hypothesize that the theory of planned behavior will better explain unethical behavior than the theory of reasoned action” (p. 1827). Thus, Chang (1998) suggests that the theory of planned behavior can be used to explain unethical decision making.

2.1. Behavioral attitude

Behavioral attitude refers to an individual’s favorable or unfavorable opinion about a target behavior and related outcomes. Behavioral attitude can be divided into two components. The instrumental value component reflects an individual’s belief about the behavior, whereas the experiential component focuses on the overall feeling received from engaging in the behavior. Studies have shown that behavioral attitude contributes significantly to the prediction of behavioral intentions (Ajzen and Madden, 1986; Vardi and Weitz, 2002). In the context of fraud, the attitudinal determinant of committing (or considering) computer fraud is a function of the consequences of engaging in computer crime and the expected beneficial outcomes (Fishbein and Ajzen, 1975; Ajzen and Driver, 1991; Taylor and Todd, 1995). Because IT makes it possible for criminals to steal more and faster and makes it possible for the effects of the criminal’s action to be widespread, there is a definite incentive to use electronic versus manual means in the commission of organizational fraud (Hull and Serio, 1987; Baird, 2001). Additionally, IT can influence the attractiveness of fraud in that computer technology provides opportunities for the fraud perpetrator to (a) target victims more easily, and less expensively, across time and geographic locations, (b) quickly record or retrieve information, (c) gain access to documents less expensively across time and geographic locations, (d) achieve manipulation results or reconfigure information at a more precise level, and (e) falsify their identities and documents (Huber, 1990).

¹ Fig. 1 reflects intercorrelation among three antecedents of behavioral intention. However, we do not emphasize the correlations identified in the original model, but direct attention toward the risk associated with information technology.

Measures of the behavioral attitude construct are typically obtained through questionnaires wherein participants are asked to rate how they feel about a particular behavior. In this case, the target behavior is committing computer-based fraud. Scales to measure socially undesirable attitudes of this nature must be carefully designed to warrant high validity. For example, a person’s attitude about committing computer-based crime might be obtained by asking the following statements: Using my company’s computer system to perpetrate fraud would be (1 = very detrimental to me personally, 7 = very beneficial to me personally) [instrumental attitude]; Stealing money from my employer using the company’s computer system would make me feel (1 = very weak, 7 = very powerful) [experiential attitude]; Engaging in fraudulent behavior using my company’s computer system would make me feel (1 = very bad, 7 = very good) [overall attitude] (Ajzen and Madden, 1986; Madden et al., 1992; Hartwick and Barki, 1994; Orbell et al., 2001).

2.2. Subjective norms

Subjective norms reflect how other people who are important to the individual (referent others) would feel if he/she engaged in a target behavior (i.e., fraud), coupled with the individual’s motivation to act in accordance with referent others’ beliefs (Fishbein and Ajzen, 1975; Taylor and Todd, 1995). When considering referent others, the strength of relationships is defined by the frequency and intimacy of contact. When relationships are casual, relatively weak ties are formed among the individual and referent others; hence, how referent others might feel if the individual engaged in a given target behavior would have little impact. When stronger relationships are formed, an individual tends to care more about how referent others view his/her behavior. Jones (1991) indicates that the influence of social norms is positively related to psychological proximity (e.g., feelings of nearness) among an individual and his/her referent others.

The use of IT in organizations can inadvertently facilitate fraud potential by decreasing the frequency and intimacy of contact among people in the workplace, thereby weakening psychological ties among such individuals. For instance, the use of IT often increases geographical distance among users, allows users to communicate asynchronously across global time zones, and “spreads the responsibility for systems outcomes across individuals and groups who are likely to hold very different assumptions about the purposes and intended consequences of the systems” (Yuthas and Dillard, 1999, p. 35). As a result, psychological proximity can be unintentionally weakened by IT; that is, an individual who is contemplating fraud might be less influenced by referent others’ beliefs in a human-isolated as compared to a human-centric work environment.

Measures of the social norm construct typically ask an individual to record his/her perception about how referent others feel or would feel if he/she engaged in a target behavior. Sample response items might be: If I committed fraud using the company’s computer system, my peers at work who are important to me would be: 1 = very disappointed in me, 7 = very proud of me; If I used the computer system to alter the company’s financial statements, my supervisor would be: 1 = very angry with me, 7 = very happy with me; I really care what other people at work think of me: 1 = strongly disagree, 7 = strongly agree. Answers to the first two response items might appear on the surface to be obvious; but, what if IT was used in such a way throughout the organization that employees and supervisors seldom interacted with one another via face-to-face contact?; what if the corporate culture was such that most employees were committing some sort of fraud (due to poor internal controls and lax corporate governance)?; or what if a supervisor was pressuring an employee to “cook the books”? In these cases, responses might be on the high end of the scale (Ajzen and Madden, 1986; Madden et al., 1992; Hartwick and Barki, 1994; Orbell et al., 2001).

2.3. Perceived behavioral control

Research has shown that perceived behavioral control is influential in predicting actual behavior (Ajzen and Madden, 1986; Madden et al., 1992; Hartwick and Barki, 1994; Taylor and Todd, 1995; Giles and Larmour, 2000; Furnham and Lovett, 2001; Okun and Sloane, 2002). The theory of planned behavior includes the concept of perceived behavioral control to account for actions that are not always under the individual’s control (Ajzen, 1991). By incorporating perceived behavioral control into the model, the theory of planned behavior accounts for actions where partial volitional control exists.

If opportunities are not available to commit computer-based crime (e.g., due to sound internal control practices), even the most sophisticated computer specialist would likely not attempt such behavior. Also, the more a behavior is dependent on resources that are out of the individual’s control, such as relying on computer skills and cooperation of others, the less likely it is that a person will decide at will to engage in a given behavior (Ajzen and Madden, 1986). Hence, computer-based fraud is unlikely to be committed by employees who believe they lack sufficient opportunities and means necessary to perpetrate the act and avoid detection. Management can alleviate computer-based fraud opportunities by implementing proper internal control procedures, such as conducting unannounced job rotations, embedding monitoring agents into software, and requiring authorization and justification to modifications made to existing programs.

Measuring the perceived behavioral control construct requires assessing how participants perceive their opportunities and means. For example: The computer system at work is designed in such a way that committing fraud would be: 1 = very easy, 7 = very difficult; If I stole money from my employer using the company’s computer system, the likelihood that I could be caught would be: 1 = very low, 7 = very high; It would be very easy for me to use the company’s computer system at work to commit fraud: 1 = strongly disagree, 7 = strongly agree (Ajzen and Madden, 1986).

3. Theoretical framework

3.1. Theory of planned behavior

The theoretical framework for this study (Fig. 2) utilizes constructs and relationships from the theory of planned behavior (attitudes, subjective norms, perceived behavioral control, intentions, and actions) to develop theoretical propositions regarding internal (employee) computer fraud. In the remainder of this section, we present and discuss the framework, discussing each construct in the theory of planned behavior and how each construct is impacted by IT in the context of employee computer fraud.

This framework posits the determinants of employee computer fraud (employee fraudulent behavior), and consistent with the theory of planned behavior, behavioral intention is an antecedent of employee fraudulent behavior. By definition, fraudulent behavior is intentional, as fraud is an act of commission, not an accident or omission, which leads to the following proposition:

Proposition 1: There is a positive relationship between intentions to commit computer-based fraud and employee fraudulent behavior.

In testing Proposition 1, researchers should be aware that directly measuring an individual’s intention to commit fraud can be difficult, as individuals may not be willing to honestly respond to intentions to commit computer fraud for fear of negative consequences.

Fig. 2. Research model.

3.1.1. Behavioral attitude

Individuals may feel good about a behavior if they believe that their performance will lead to more positive rather than negative outcomes (Fishbein, 1979). The positive outcomes (benefits) can be subjective (e.g., feelings of power and control) or objective (quantifiable resources acquired). Similarly, the negative outcomes (costs) can also be subjective (e.g., embarrassment, harassment, or confinement) or objective (e.g., acquiring necessary resources, paying fines, and making forfeitures). Behavioral attitude has an instrumental value component and an experiential quality component. The benefit–cost ratio is a key aspect of the instrumental value component of behavioral attitude. If the perceived ratio is 1:1 or less, it is unlikely that a person will engage in fraud. However, perceived ratios that are considerably greater than 1:1 might induce someone to perpetrate a fraud. The precise ratio that might trip someone’s fraudulent behavior varies by individual. Thus, from an instrumental perspective, individuals may characterize the net benefit of engaging in computer fraud on a spectrum that ranges from beneficial to harmful or valuable to worthless.

The use of IT can increase the benefit side of the ratio because employees have potential access to more corporate resources via the computer system (e.g., the electronic transfer of funds). Also, some individuals gain a sense of cleverness, smugness, power, and control (subjective benefits) from “beating the system” (Van Beveren, 2001; Jordan and Taylor, 1998). The use of IT can decrease the cost portion of the ratio by allowing perpetrators to quickly target more victims at minimal cost and/or by reducing the probability of getting caught through online anonymity and audit trail corruption. Thus, our next proposition is:

Proposition 2A: There is a positive relationship between an individual’s instrumental attitude toward engaging in computer-based fraud and intentions to commit such fraud.

The experiential component of behavioral attitude reflects how the fraud perpetrator feels about the act of committing computer fraud (e.g., good, bad, happy, sad). From an experiential perspective, individuals may characterize the net benefit of engaging in computer fraud on a spectrum that ranges from pleasant to unpleasant or interesting to boring. For example, fraud perpetrators may experience a sense of power and control over computer systems that they cannot replicate offline. Therefore, the motivation is not necessarily financial in nature, but experiential since the computer fraud experience makes the individual feel good, charged, and/or challenged. The following proposition follows:

Proposition 2B: There is a positive relationship between an individual’s experiential attitude toward engaging in computer-based fraud and intentions to commit such fraud.

3.1.2. Subjective norms

Extant research (Yuthas and Dillard, 1999) suggests that face-to-face communication is essential to effectively disseminate ethical expectations throughout an organization. When committing fraud, an individual may believe that the act is not that egregious, especially when isolated from ethical cultural norms or when the intended proper use of the technology is not conveyed. Computer-networked environments create new social and organization problems, as employees limit regular social interactions associated with noncomputerized systems (Turban et al., 2002). For example, the use of e-mail, instant messaging, and Intranets creates physical and psychological distance among organizational employees and dehumanizes potential stakeholders and victims (i.e., investors, employer, and customers): “Once dehumanized, [individuals] are no longer viewed as persons with feelings, hopes, and concerns but as subhuman objects” (Bandura, 1986, p. 382). Hence, face-to-face interaction is an important component of corporate culture that should not be overlooked in today’s technology-centric organizations. Failure to adequately address this social issue can weaken psychological proximity among organizational workers and increase the likelihood of employee fraud, which suggests the following proposition:

Proposition 3A: There is a negative relationship between the level of face-to-face communication within an organization and intentions to commit computer fraud.

The Report of the National Commission on Fraudulent Financial Reporting states “the corporate environment or culture within which financial reporting occurs is the most important factor contributing to the integrity of the financial reporting process. Notwithstanding an impressive set of written rules and procedures, if the tone set by management is lax, fraudulent financial reporting is more likely to occur” (NCFFR, 1987, p. 32; McMullen et al., 1996). Whether supervisors are adhering to and enforcing company standards and principles for computer usage is vital to understanding the likelihood that employees will engage in computer-based fraud. Without such active support by superiors, technology may impede opportunities for organizational values and norms to filter throughout the organization, thus reducing conveyance of socially acceptable computer usage behavior (Desai and Rittenburg, 1997). For instance, suppose policy states IT should not be used incorrectly or illegally; however, managers use the computer to conduct unofficial business, such as web surfing and downloading unauthorized software. This signals to employees that IT can be used in an unethical manner. However, when managers comply with policy and only use IT for its intended purpose, then employees are less likely to abuse the system. This discussion leads us to the next proposition:

Proposition 3B: There is a negative relationship between the degree of visibility of management’s ethical computer behavior and intentions to commit computer fraud.

3.1.3. Perceived behavioral control

Consistent with the theory of planned behavior, both perceived behavioral control and behavioral intentions are determinants of computer-based fraud. Holding behavioral intentions constant, an individual’s perceived behavioral control over committing computer-based fraud directly impacts such fraudulent behavior (i.e., the extent to which an individual believes he/she has actual control over performing a behavior will impact whether or not the behavior is attempted). While in some cases, the individual committing the fraud does, in fact, have total control over whether or not to commit the act, there may be instances where factors outside the individual’s control limit the degree to which the behavior can be performed, such as technology, skills, coworkers, time, and cost (Ajzen and Madden, 1986). Factors such as these can impact the degree of perceived behavioral control. Thus, we offer the following proposition:

Proposition 4A: There is a positive relationship between perceived behavioral control over committing computer-based fraud and employee fraudulent behavior.

Personal beliefs regarding the degree of control one possesses will impact an individual’s intention to perform the behavior. One manifestation of this concept is past experience. Overall, if an individual’s past experiences with computer-based fraud have been positive (e.g., the person committed fraud, got away with it, and enjoyed it), then their perceived behavioral control over attempting another fraud will be greater (Bandura, 1977, 1982). As a result, we offer the following proposition:

Proposition 4B: There is a positive relationship between prior computer fraud experience and intentions to commit computer fraud.

Highly restrictive technology tends to include more embedded control mechanisms that limit the range of activities in which individuals can engage (Silver, 1991; Desanctis and Poole, 1994). Therefore, an individual’s control over committing computer-based fraud will be affected by the restrictiveness of the system. Accordingly,

Proposition 4C: There is a negative relationship between the perceived level of system restrictiveness and intentions to commit computer fraud.

The reliance on others to complete a task limits volitional control. Thompson (1967) and Van De Ven et al. (1976) categorize organizational task interdependence as pooled, sequential, reciprocal, or team interdependent, where pooled and team interdependence are at opposite ends of the “reliance on others” spectrum. Pooled interdependence tasks would include those whose task performance does not directly rely on another’s input. Team interdependence refers to tasks undertaken jointly by organizational members. Therefore, an individual working in a pooled situation has more volitional control to process transactions independently from start to finish, leading to a greater opportunity to commit fraud. Hence, we offer the following proposition:

Proposition 4D: There is a negative relationship between the perceived level of task interdependency and intentions to commit computer fraud.

Gaining unauthorized access to computer systems can be as easy as getting someone’s password or understanding the flaws associated with a particular program, or as complex as having a group of sophisticated technical experts brainstorm various ways to accomplish the intrusion (Jordan and Taylor, 1998). The more complex the system, the more difficult it is for potential fraud perpetrators to successfully gain unauthorized access to the system.

System complexity is comprised of three factors, component complexity, coordinate

complexity, and the degree of stability in the relationship between component complexity

and coordinate complexity (Wood, 1986). Component complexity refers to the number of

steps to complete the task (e.g., gaining access to different components of the system)

while coordinate complexity refers to the level of sequential steps involved in the task.

Thus, the less stable the relationship between coordinate complexity and component

complexity, the more complex the system. For example, perceived system complexity

increases when organizations constantly change passwords, rotate job assignments,

upgrade software, and change inquiry commands, making it difficult for fraud perpetrators

to be successful. As reflected below, a person’s perception about the complexity level of

the system will influence their perceived behavioral control and intentions to commit

fraud:

Proposition 4E: There is a negative relationship between system complexity perceptions and

intentions to commit computer fraud.

Perceived behavioral control is also influenced by how well the fraud perpetrator

understands the system's internal controls and embedded fraud detection efforts. A recent

survey suggested that computer hacking within an organization may be difficult to uncover

if the hacker is familiar with the system and has the ability to cover his/her tracks

(Computer Fraud and Security, 2002). If users feel they can more accurately predict the

likelihood of being caught as well as how they could be caught, they can tailor their actions

to avoid detection. Once users understand system integrity and fraud detection controls,

they increase the likelihood that fraudulent acts will go undetected. Therefore, we offer the

final proposition:

Proposition 4F: There is a positive relationship between the perceived predictability of

organizational fraud detection patterns and intentions to commit computer fraud.

4. Conclusion and future research

This article posits a framework, based on measures of Ajzen’s (1991) theory of

planned behavior, for considering the likelihood of fraud in an environment that includes

integrated information systems embedded throughout the organization. This article makes

several contributions to extant literature. First, it identifies appropriate measures for

assessing an individual’s intention to commit fraud. Second, it identifies ways in which

technology may inadvertently provide different avenues for fraudulent behavior, and last,

by incorporating the theory of planned behavior into the context of computer fraud, we

are able to provide additional insight regarding the profiles of individuals most likely to

commit fraud.

Several propositions are presented that should be useful for future research. This framework

can be tested as a whole, or in part, to determine whether the factors presented can

predict fraudulent behavior, and to examine the possible interaction or correlation between the

constructs. For example, in testing Proposition 1, research could compare and contrast

respondents convicted of fraud charges with those respondents convicted of other types of

nonfraud crime.

This framework can be used as the basis for developing expert systems and statistical

techniques for fraud detection. Systems can be developed to assist auditors in detecting and

determining the magnitude of fraud risk. For example, the system might look at the frequency

of face-to-face communication in an organization and compare the frequency with that of

similar firms that have had incidents of fraud.

Systems could also be developed to track employee technical skills and the level of task

interdependency and assist auditors in measuring the visibility of management’s ethical

values. This could be accomplished by having the system scan documents or minutes of

meetings for certain keywords that would represent discussion of ethical values in the

organization. In addition, to alleviate the ease with which fraud detection efforts can be predicted, a

system interface could be developed that provides auditors with several methods of inquiry

for obtaining the same information.
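
The idea of a system that tracks task interdependency (Proposition 4D) can be sketched as a check over a transaction log. This is an added example, not part of the original article; the three-step workflow, the log layout, the user names and the scoring rule are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log: (transaction_id, workflow_step, user).
EVENTS = [
    ("T1", "create", "alice"), ("T1", "approve", "bob"), ("T1", "pay", "carol"),
    ("T2", "create", "dave"), ("T2", "approve", "dave"), ("T2", "pay", "dave"),
    ("T3", "create", "alice"), ("T3", "approve", "alice"), ("T3", "pay", "bob"),
    ("T4", "create", "dave"), ("T4", "approve", "dave"),  # not yet paid
]
REQUIRED_STEPS = ("create", "approve", "pay")  # assumed workflow, not from the article


def actors_by_transaction(events):
    """Group the log into {transaction_id: {step: user}}."""
    grouped = defaultdict(dict)
    for tx_id, step, user in events:
        grouped[tx_id][step] = user
    return dict(grouped)


def interdependency_score(steps):
    """Distinct users divided by steps performed; 1.0 means every step had a different actor."""
    return len(set(steps.values())) / len(steps)


def review_queue(events, required=REQUIRED_STEPS):
    """Return completed transactions one user handled start to finish, plus
    incomplete ones that are on track to be, so reviewers see both."""
    queue = []
    for tx_id, steps in sorted(actors_by_transaction(events).items()):
        users = set(steps.values())
        if len(users) != 1 or len(steps) < 2:
            continue
        complete = all(step in steps for step in required)
        queue.append((tx_id, users.pop(), "complete" if complete else "in_progress"))
    return queue


def mean_interdependency(events):
    """Average score across transactions: a rough organisation-level indicator."""
    scores = [interdependency_score(s) for s in actors_by_transaction(events).values()]
    return sum(scores) / len(scores)


if __name__ == "__main__":
    for row in review_queue(EVENTS):
        print(row)
    print(round(mean_interdependency(EVENTS), 3))
```

A low mean score indicates that work is mostly pooled, the condition under which the article argues an individual has the most volitional control.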

This article focuses on employee fraud in an IT environment. However, computer

fraud can also be committed by parties external to the organization. For example, a

stockholder could hack into the system to change the financial reporting of the

organization’s financial position in an effort to receive personal gain. Future research

could test whether constructs used for internal fraud detection are also applicable when

the perpetrators are external to the organization. It is possible that results will vary across

various societal groups. What is considered morally appropriate for one group may be

different from what is considered morally appropriate for another group. It is also

possible that the model may vary by the type of fraud committed. This framework is

specific to fraud committed by individuals for personal gain, and may not generalize to

fraud committed by firm management, for example, fraudulent financial reporting to

avoid debt covenant violations.

Fraud can be approached from multiple angles, including the individual, the technology,

or the task that is being performed. By viewing fraud in a multidimensional way,

we are better able to identify precursors to fraud and potential flags that will help us

identify fraud.

Acknowledgements

We would like to thank the two anonymous reviewers, Tanya Benford, Monica

Garfield, Vanita Nottingham, Mohamed Shehata, and our discussant and participants at

the Third International Research Symposium on Accounting Information Systems and

participants at the accounting doctoral seminar held at the University of South Florida for

their helpful comments. Funding support was provided by the Florida Education Fund,

University of South Florida Office of Graduate Studies, School of Accountancy, and

Gaiennie doctoral fellowship.

References

Association of Certified Fraud Examiners (ACFA). Report to the nation occupational fraud and abuse. Austin

(TX): Association of Certified Fraud Examiners; 2002.

AICPA. Statement on Auditing Standards (SAS) No. 99: consideration of fraud in a financial statement audit.

Jersey City (NJ): American Institute of Certified Public Accountants; 2002.

Ajzen I. The theory of planned behavior. Org Behav Hum Decis Process 1991;50(2):179–211.

Ajzen I. Nature and operation of attitudes. Annu Rev Psychol 2001;52:27–58.

Ajzen I. Perceived behavioral control, self-efficacy, locus of control, and the theory of planned behavior. J Appl

Soc Psychol 2002;32(4):665–83.

Ajzen I, Driver BL. Prediction of leisure participation from behavioral, normative, and control beliefs—an

application of the theory of planned behavior. Leis Sci 1991;13(3):185–204.

Ajzen I, Driver BL. Application of the theory of planned behavior to leisure choice. J Leis Res 1992;24(3):207–24.

Ajzen I, Fishbein M. Understanding attitudes and predicting social behavior. Englewood Cliffs (NJ): Prentice-

Hall; 1980.

Ajzen I, Madden TJ. Prediction of goal-directed behavior—attitudes, intentions, and perceived behavioral-control.

J Exp Soc Psychol 1986;22(5):453–74.

Baird L. The detection of crimes and errors and omissions. EDP Audit Control Secur Newsl 2001;20(3):1–8.

Bandura A. Self-efficacy: toward a unifying theory of behavioral change. Psychol Rev 1977;84(2):191–215.

Bandura A. Self-efficacy mechanism in human agency. Am Psychol 1982;37(2):122–47.

Bandura A. Social foundations of thought and action: a social cognitive. Englewood Cliffs (NJ): Prentice-Hall;

1986.

Boldero J. The prediction of household recycling of newspapers: the role of attitudes, intentions, and situational

fact. J Appl Soc Psychol 1995;25(440–462):1825–34.

Bro RH. Criminal online conduct. In: Smedinghoff T, editor. Online law: the SPA’s legal guide to doing business

on the Internet. Canada: Addison-Wesley; 2000. p. 475–92.

Chang MK. Predicting unethical behavior: a comparison of the theory of reasoned action and the theory of

planned behavior. J Bus Ethics 1998;17:1825–34.

Colbert JL, Turner BS. Strategies for dealing with fraud. J Corp Account Finance 2000;11(4):43–9.

Computer Fraud & Security. Who can you trust more—those on the outside or on the inside? 2002;3:20.

Desai AB, Rittenburg T. Global ethics: an integrative framework for MNEs. J Bus Ethics 1997;16(8):791–800.

Desanctis G, Poole MS. Capturing the complexity in advanced technology use—adaptive structuration theory.

Organ Sci 1994;5(2):121–47.

Fishbein M. A theory of reasoned action: some applications and implications. In: Howe HE, editor. 1979 Nebraska

Symposium on Motivation. Lincoln (NE): University of Nebraska Press; 1980. p. 65–116.

Fishbein M, Ajzen I. Belief, attitude, intention, and behavior: an introduction to theory and research. Reading

(MA): Addison-Wesley; 1975.

Furnham A, Lovett J. Predicting the use of complementary medicine: a test of the theories of reasoned action and

planned behavior. J Appl Soc Psychol 2001;31(12):2588–620.

Giles M, Larmour S. The theory of planned behavior: a conceptual framework to view the career development of

women. J Appl Soc Psychol 2000;30(10):2137–57.

Hartwick J, Barki H. Explaining the role of user participation in information-system use. Manage Sci

1994;40(4):440–65.

Hsu MH, Kuo FY. An investigation of volitional control in information ethics. Behav Inf Technol

2003;22(1):53–62.

Huber GP. A theory of the effects of advanced information technologies on organization design, intelligence. Acad

Manage Rev 1990;15(1):47–71.

Hull RP, Serio LE. What managers should know about computer security. Business 1987;3–8.

Jones TM. Ethical decision-making by individuals in organizations—an issue-contingent model. Acad Manage

Rev 1991;16(2):366–95.

Jordan T, Taylor P. A sociology of hackers. Sociol Rev 1998;46(4):757–80.

Kurland NB. Ethical intentions and the theories of reasoned action and planned behavior. J Appl Soc Psychol

1995;25(4):297–313.

Madden TJ, Ellen PS, Ajzen I. A comparison of the theory of planned behavior and the theory of reasoned action.

Pers Soc Psychol Bull 1992;18(1):3–9.

McMullen DA, Raghunandan K, Rama DV. Internal control reports and financial reporting problems. Account

Horiz 1996;10(4):67–75.

NCFFR. Report of the National Commission on Fraudulent Financial Reporting. New York: AICPA; 1987.

Okun MA, Sloane ES. Application of planned behavior theory to predicting volunteer enrollment by college

students in a campus-based program. Soc Behav Pers 2002;30(3):243–9.

Orbell S, Blair C, Sherlock K, Conner M. The theory of planned behavior and ecstasy use: roles for habit and

perceived control over taking versus obtaining substances. J Appl Soc Psychol 2001;31(1):31–47.

Randall DM. Why students take elective business ethics courses—applying the theory of planned behavior. J Bus

Ethics 1994;13(5):369–78.

Randall DM, Gibson AM. Ethical decision-making in the medical-profession—an application of the theory of

planned behavior. J Bus Ethics 1991;10(2):111–22.

Silver MS. Systems that support decision makers: description and analysis. Chichester: Wiley; 1991.

Taylor S, Todd PA. Understanding information technology usage—a test of competing models. Inf Syst Res

1995;6(2):144–76.

Thompson JD. Organizations in action; social science bases of administrative theory. New York: McGraw-Hill;

1967.

Trafimow D, Fishbein M. The importance of risk in determining the extent to which attitudes affect intentions to

wear seat belts. J Appl Soc Psychol 1994;24(1):1–11.

Turban E, McLean E, Wetherbe JC. Information technology from management: transforming business in the

digital economy. New York: Wiley; 2002.

Van Beveren J. A conceptual model of hacker development and motivations. J E-Bus 2001;1(2):1–9.

Van De Ven AH, Delbecq AL, Koenig R. Determinants of coordination modes within organizations. Am Sociol

Rev 1976;41(2):322–38.

Vardi Y, Weitz E. Using the theory of reasoned action to predict organizational misbehavior. Psychol Rep

2002;91(3):1027–40.

Wood RE. Task complexity—definition of the construct. Org Behav Hum Decis Process 1986;37(1):60–82.

Yuthas K, Dillard JF. Ethical development of advanced technology: a postmodern stakeholder perspective. J Bus

Ethics 1999;19(1):35–49.