International Journal of Accounting
Information Systems 4 (2003) 295–308
Understanding the potential impact of information
technology on the susceptibility of organizations to
fraudulent employee behavior
Antoinette Lynch*, Mohamed Gomaa
School of Accountancy, College of Business Administration, University of South Florida,
4202 East Fowler Avenue, BSN 3403, Tampa, FL 33620-5500, USA
Received 1 June 2002; received in revised form 1 February 2003; accepted 3 April 2003
Abstract
Although the infusion of progressively advanced information technology (IT) into business
organizations can improve the capturing, processing, and reporting of critical decision-making
information across the enterprise, such technology can also create an environment that is more
vulnerable to fraud. In this article, we develop a framework based on the theory of planned behavior
[Org. Behav. Human Decis. Process. 50 (2)(1991) 179] that addresses the potential impact of IT on the
susceptibility of an organization to employee fraud. We believe that this framework can serve as a
useful tool for management, internal auditors, and external auditors when assessing fraud risk.
D 2003 Elsevier Inc. All rights reserved.
Keywords: Theory of planned behavior; Fraud; Information technology
1. Introduction
As companies integrate progressively advanced information technology (IT) into business
organizations, unintended risks and consequences can be introduced into the business
environment. For instance, the capability of enterprise resource planning systems to
seamlessly integrate business processes across the entire organization offers managers the
1467-0895/$ – see front matter D 2003 Elsevier Inc. All rights reserved.
doi:10.1016/j.accinf.2003.04.001
* Corresponding author. Tel.: +1-813-974-6863; fax: +1-813-974-6528.
E-mail address: [email protected] (A. Lynch).
A. Lynch, M. Gomaa / International Journal of Accounting Information Systems 4 (2003) 295–308296
means to redesign and improve outmoded business models; however, a breakdown in
automated workflow procedures can lead to serious business interruptions; electronic data
interchange technology has vastly improved the efficiency and effectiveness of procurement
processes, but when the electronic data interchange system is disrupted, production can come
to a sudden halt. Hence, the infusion of IT into organizations can be likened to a ‘‘double-
edged sword’’—on one hand, IT can dramatically improve business performance, while on
the other hand, IT can inject new, often unforeseen, risks into the environment. In this article,
we focus on an understudied but critical threat in this regard—the potential link between IT
integration and employee fraud.
In a recent study, the Association of Certified Fraud Examiners (ACFA, 2002) indicated
that the direct cost of fraud to American companies is projected to increase to approximately
$600 billion a year—an increase of 50% over the past 6 years. In addition to direct costs,
fraud can also consume valuable management resources, negatively impact the value of
companies, and result in huge legal fees (Colbert and Turner, 2000). Our thesis is that IT,
while necessary for creating viable competitive business practices, can also provide employ-
ees with the means and opportunity to commit fraud. In this light, this article develops a
conceptual framework aimed at investigating the potential link between the integration of IT
into business organizations and the vulnerability of such entities to fraudulent employee
behavior.
We characterize computer fraud as defined by the Virginia Computer Crimes Act: ‘‘any
person who uses a computer or computer network without authority and with the intent to: (1)
Obtain property or services by false pretenses; (2) Embezzle or commit larceny; or (3)
Convert the property of another’’ (Bro, 2000, p. 483). Using the theory of planned behavior
(Ajzen, 1991), we propose a linkage between the extent to which IT is used in organizations
and the propensity of employees to commit computer-based fraud. Our framework can help
business managers, internal auditors and external auditors assess the vulnerability of business
organizations to employee fraud.
This article makes two key contributions to extant literature. First, we identify critical
factors for assessing an employee’s intention to commit computer-based fraud. Second,
we suggest several ways in which IT may inadvertently provide sophisticated means and
opportunities for employees to perpetrate fraud in business organizations. The contribu-
tions of this article are particularly important given Statement on Auditing Standards
(SAS) No. 99 (Consideration of Fraud in a Financial Statement Audit), which requires
auditors to become more vigilant in assessing fraud risk (AICPA, 2002).
In Section 2, we address the theory of planned behavior and identify several measures
that are appropriate when applying the theory to fraud and IT. In Section 3, we present
the IT-fraud framework. Finally, we conclude with suggestions for future research.
2. Theory of planned behavior
The theory of planned behavior (Fig. 1) is a popular model for predicting human
intentions and actions (Ajzen, 2001, 2002). Ajzen’s (1985) theory of planned behavior
Fig. 1. Theory of planned behavior model. Adapted from Ajzen (1991).
A. Lynch, M. Gomaa / International Journal of Accounting Information Systems 4 (2003) 295–308 297
has been used by many researchers to understand and predict human behavior in various
contexts, such as recycling (Boldero, 1995), ethical behavior (Kurland, 1995), college
course selection (Randall, 1994), leisure activity selection (Ajzen and Driver, 1992), and
seatbelt use (Trafimow and Fishbein, 1994). The theory asserts that although people hold
many beliefs about performing a particular behavior, it is salient beliefs that determine
actual behavior. Salient beliefs reflect attitudes toward the behavior, subjective norms
related to the behavior, and perceived behavioral control over the behavior (Ajzen and
Fishbein, 1980).
Prior research has proposed two versions of the basic model (Ajzen and Madden, 1986).
The first version assumes that behavioral intention, alone, is the immediate determinant of the
actual behavior. Behavioral intention, in turn, has three antecedents (behavioral attitude,
subjective norms, and perceived behavioral control) that contribute to the prediction of the
behavior. The second version assumes that behavioral intentions and perceived behavioral
control are joint determinants of the actual behavior. Three conditions are necessary to apply
this second version of the theory. First, the behavior in question must lack volitional control.
That is, limitations are imposed on the individual that prevent him or her from carrying out
the behavior absent necessary opportunities and resources. Second, the behavior in question
must be one where there is variation in the degree of accuracy associated with the individual’s
perception about actual control. Finally, intentions to perform a behavior must depend on the
measure of perceived behavioral control. This accounts for the interaction between behavioral
intentions and perceived behavioral control (Ajzen and Madden, 1986). In the context of
computer-based fraud, we posit that actual behavior is a function of behavioral intention and
perceived behavioral control. We focus on the second version of the basic model of planned
behavior since sophisticated IT limits individual volitional control to execute unethical acts
and requires substantial resources to successfully engage in computer-based fraud.
A. Lynch, M. Gomaa / International Journal of Accounting Information Systems 4 (2003) 295–308298
Behavioral intention is a function of behavioral attitude, subjective norms, and perceived
behavioral control. Thus, an employee’s intention to engage in computer-based fraudulent
behavior depends largely on his or her attitude about computer fraud, subjective norms
toward computer fraud, and perceived behavioral control over computer fraud; and more
importantly, his or her actual behavior is a function of intentions to commit fraud and
perceived behavioral control.1
Only a few researchers have applied the theory of planned behavior to explain ethical
decision making (Chang, 1998). Randall and Gibson (1991) used the theory of planned
behavior to investigate the ethical decision making of reporting misconduct of colleagues by
medical professionals. Their results indicate that attitude and subjective norm explain a large
portion of the variance of intention, but adding perceived behavioral control did not add much
unique variance. They suggested that the failure of perceived behavioral control to contribute
to the model might be due to the behavior being studied, which may be perceived as being
under a person’s total volitional control. Hsu and Kuo’s (2003) research focused on the
perceived behavioral control construct. They manipulated the degree of volitional control to
test assertions under the theory of planned behavior. They found that the theory of planned
behavior model had a better fit under low volitional control than under high volitional control.
Chang (1998) makes a case for using the theory of planned behavior to predict unethical
behavior. Specifically, Chang (1998) states, ‘‘since unethical behavior, such as corruption and
computer hacking, require substantial resources and opportunities to perform successfully, it
is reasonable to hypothesize that the theory of planned behavior will better explain unethical
behavior than the theory of reasoned action’’ (p. 1827). Thus, Chang (1998) suggests that the
theory of planned behavior can be used to explain unethical decision making.
2.1. Behavioral attitude
Behavioral attitude refers to an individual’s favorable or unfavorable opinion about a
target behavior and related outcomes. Behavioral attitude can be divided into two
components. The instrumental value component reflects an individual’s belief about the
behavior, whereas the experiential component focuses on the overall feeling received
from engaging in the behavior. Studies have shown that behavioral attitude contributes
significantly to the prediction of behavioral intentions (Ajzen and Madden, 1986; Vardi
and Weitz, 2002). In the context of fraud, the attitudinal determinant of committing (or
considering) computer fraud is a function of the consequences of engaging in computer
crime and the expected beneficial outcomes (Fishbein and Ajzen, 1975; Ajzen and
Driver, 1991; Taylor and Todd, 1995). Because IT makes it possible for criminals to steal
more and faster and makes it possible for the effects of the criminal’s action to be
widespread, there is a definite incentive to use electronic versus manual means in the
1 Fig. 1 reflects intercorrelation among three antecedents of behavioral intention. However, we do not
emphasize the correlations identified in the original model, but direct attention toward the risk associated with
information technology.
A. Lynch, M. Gomaa / International Journal of Accounting Information Systems 4 (2003) 295–308 299
commission of organizational fraud (Hull and Serio, 1987; Baird, 2001). Additionally, IT
can influence the attractiveness of fraud in that computer technology provides oppor-
tunities for the fraud perpetrator to (a) target victims more easily, and less expensively,
across time and geographic locations, (b) quickly record or retrieve information, (c) gain
access to documents less expensively across time and geographic locations, (d) achieve
manipulation results or reconfigure information at a more precise level, and (e) falsify
their identities and documents (Huber, 1990).
Measures of the behavioral attitude construct are typically obtained through questionnaires
wherein participants are asked to rate how they feel about a particular behavior. In this case,
the target behavior is committing computer-based fraud. Scales to measure socially undesir-
able attitudes of this nature must be carefully designed to warrant high validity. For example,
a person’s attitude about committing computer-based crime might be obtained by asking the
following statements: Using my company’s computer system to perpetrate fraud would be
(1 = very detrimental to me personally, 7 = very beneficial to me personally) [instrumental
attitude]; Stealing money from my employer using the company’s computer system would
make me feel (1 = very weak, 7 = very powerful) [experiential attitude]; Engaging in
fraudulent behavior using my company’s computer system would make me feel (1 = very
bad, 7 = very good) [overall attitude] (Ajzen and Madden, 1986; Madden et al., 1992;
Hartwick and Barki, 1994; Orbell et al., 2001).
2.2. Subjective norms
Subjective norms reflect how other people who are important to the individual (referent
others) would feel if he/she engaged in a target behavior (i.e., fraud), coupled with the
individual’s motivation to act in accordance with referent others’ beliefs (Fishbein and Ajzen,
1975; Taylor and Todd, 1995). When considering referent others, the strength of relationships
is defined by the frequency and intimacy of contact. When relationships are casual, relatively
weak ties are formed among the individual and referent others; hence, how referent others
might feel if the individual engaged in a given target behavior would have little impact. When
stronger relationships are formed, an individual tends to care more about how referent others
view his/her behavior. Jones (1991) indicates that the influence of social norms is positively
related to psychological proximity (e.g., feelings of nearness) among an individual and his/
her referent others.
The use of IT in organizations can inadvertently facilitate fraud potential by decreasing the
frequency and intimacy of contact among people in the workplace, thereby weakening
psychological ties among such individuals. For instance, the use of IT often increases
geographical distance among users, allows users to communicate asynchronously across global
time zones, and ‘‘spreads the responsibility for systems outcomes across individuals and groups
who are likely to hold very different assumptions about the purposes and intended con-
sequences of the systems’’ (Yuthas and Dillard, 1999, p. 35). As a result, psychological
proximity can be unintentionally weakened by IT; that is, an individual who is contemplating
fraud might be less influenced by referent others’ beliefs in a human-isolated as compared to a
human-centric work environment.
A. Lynch, M. Gomaa / International Journal of Accounting Information Systems 4 (2003) 295–308300
Measures of the social norm construct typically ask an individual to record his/her
perception about how referent others feel or would feel if he/she engaged in a target
behavior. Sample response items might be: If I committed fraud using the company’s
computer system, my peers at work who are important to me would be: 1 = very
disappointed in me, 7 = very proud of me; If I used the computer system to alter the
company’s financial statements, my supervisor would be: 1 = very angry with me, 7 = very
happy with me; I really care what other people at work think of me: 1 = strongly disagree,
7 = strongly agree. Answers to the first two response items might appear on the surface to
be obvious; but, what if IT was used in such a way throughout the organization that
employees and supervisors seldom interacted with one another via face-to-face contact?;
what if the corporate culture was such that most employees were committing some sort of
fraud (due to poor internal controls and lax corporate governance)?; or what if a supervisor
was pressuring an employee to ‘‘cook the books’’? In these cases, responses might be on
the high end of the scale (Ajzen and Madden, 1986; Madden et al., 1992; Hartwick and
Barki, 1994; Orbell et al., 2001).
2.3. Perceived behavioral control
Research has shown that perceived behavioral control is influential in predicting actual
behavior (Ajzen andMadden, 1986;Madden et al., 1992; Hartwick and Barki, 1994; Taylor and
Todd, 1995; Giles and Larmour, 2000; Furnham and Lovett, 2001; Okun and Sloane, 2002).
The theory of planned behavior includes the concept of perceived behavioral control to account
for actions that are not always under the individual’s control (Ajzen, 1991). By incorporating
perceived behavioral control into themodel, the theory of planned behavior accounts for actions
where partial volitional control exists.
If opportunities are not available to commit computer-based crime (e.g., due to sound
internal control practices), even the most sophisticated computer specialist would likely not
attempt such behavior. Also, the more a behavior is dependent on resources that are out of the
individual’s control, such as relying on computer skills and cooperation of others, the less likely
it is that a person will decide at will to engage in a given behavior (Ajzen and Madden, 1986).
Hence, computer-based fraud is unlikely to be committed by employees who believe they lack
sufficient opportunities and means necessary to perpetrate the act and avoid detection.
Management can alleviate computer-based fraud opportunities by implementing proper internal
control procedures, such as conducting unannounced job rotations, embedding monitoring
agents into software, and requiring authorization and justification to modifications made to
existing programs.
Measuring the perceived behavioral control construct requires assessing how participants
perceive their opportunities and means. For example, the computer system at work is designed
in such a way that committing fraud would be: 1 = very easy, 7 = very difficult; If I stole money
from my employer using the company’s computer system, the likelihood that I could be caught
would be: 1 = very low, 7 = very high); It would be very easy for me to use the company’s
computer system at work to commit fraud: 1 = strongly disagree, 7 = strongly agree) (Ajzen and
Madden, 1986).
A. Lynch, M. Gomaa / International Journal of Accounting Information Systems 4 (2003) 295–308 301
3. Theoretical framework
3.1. Theory of planned behavior
The theoretical framework for this study (Fig. 2) utilizes constructs and relationships from
the theory of planned behavior (attitudes, subjective norms, perceived behavioral control,
intentions, and actions) to develop theoretical propositions regarding internal (employee)
computer fraud. In the remainder of this section, we present and discuss the framework,
discussing each construct in the theory of planned behavior and how each construct is
impacted by IT in the context of employee computer fraud.
This framework posits the determinants of employee computer fraud (employee fraudulent
behavior), and consistent with the theory of planned behavior, behavioral intention is an
antecedent of employee fraudulent behavior. By definition, fraudulent behavior is intentional,
as fraud is an act of commission, not an accident or omission, which leads to the following
proposition:
Proposition 1: There is a positive relationship between intentions to commit computer-based
fraud and employee fraudulent behavior.
In testing Proposition 1, researchers should be aware that directly measuring an individ-
ual’s intention to commit fraud can be difficult, as individuals may not be willing to honestly
respond to intentions to commit computer fraud for fear of negative consequences.
Fig. 2. Research model.
3.1.1. Behavioral attitude
Individuals may feel good about a behavior if they believe that their performance will lead
to more positive rather than negative outcomes (Fishbein, 1979). The positive outcomes
(benefits) can be subjective (e.g., feelings of power and control) or objective (quantifiable
resources acquired). Similarly, the negative outcomes (costs) can also be subjective (e.g.,
embarrassment, harassment, or confinement) or objective (e.g., acquiring necessary resour-
ces, paying fines, and making forfeitures). Behavioral attitude has an instrumental value
component and an experiential quality component. The benefit–cost ratio is a key aspect of
the instrumental value component of behavioral attitude. If the perceived ratio is 1:1 or less, it
is unlikely that a person will engage in fraud. However, perceived ratios that are considerably
greater than 1:1 might induce someone to perpetrate a fraud. The precise ratio that might trip
someone’s fraudulent behavior varies by individual. Thus, from an instrumental perspective,
individuals may characterize the net benefit of engaging in computer fraud on a spectrum that
ranges from beneficial to harmful or valuable to worthless.
The use of IT can increase the benefit side of the ratio because employees have potential
access to more corporate resources via the computer system (e.g., the electronic transfer of
funds). Also, some individuals gain a sense of cleverness, smugness, power, and control
(subjective benefits) from ‘‘beating the system’’ (Van Beveren, 2001; Jordan and Taylor,
1998). The use of IT can decrease the cost portion of the ratio by allowing perpetrators to
quickly target more victims at minimal cost and/or by reducing the probability of getting
caught through online anonymity and audit trail corruption. Thus, our next proposition is:
Proposition 2A: There is a positive relationship between an individual’s instrumental
attitude toward engaging in computer-based fraud and intentions to commit such fraud.
The experiential component of behavioral attitude reflects how the fraud perpetrator feels
about the act of committing computer fraud (e.g., good, bad, happy, sad). From an
experiential perspective, individuals may characterize the net benefit of engaging in computer
fraud on a spectrum that ranges from pleasant to unpleasant or interesting to boring. For
example, fraud perpetrators may experience a sense of power and control over computer
systems that they cannot replicate offline. Therefore, the motivation is not necessarily
financial in nature, but experiential since the computer fraud experience makes the individual
feel good, charged, and/or challenged. The following proposition follows:
A. Lynch, M. Gomaa / International Journal of Accounting Information Systems 4 (2003) 295–308302
Proposition 2B: There is a positive relationship between an individual’s experiential attitude
toward engaging in computer-based fraud and intentions to commit such fraud.
3.1.2. Subjective norms
Extant research (Yuthas and Dillard, 1999) suggests that face-to-face communication is
essential to effectively disseminate ethical expectations throughout an organization. When
committing fraud, an individual may believe that the act is not that egregious, especially when
isolated from ethical cultural norms or when the intended proper use of the technology is not
conveyed. Computer-networked environments create new social and organization problems,
A. Lynch, M. Gomaa / International Journal of Accounting Information Systems 4 (2003) 295–308 303
as employees limit regular social interactions associated with noncomputerized systems
(Turban et al., 2002). For example, the use of e-mail, instant messaging, and Intranets create
physical and psychological distance among organizational employees and dehumanize
potential stakeholders and victims (i.e., investors, employer, and customers): ‘‘Once
dehumanized, [individuals] are no longer viewed as persons with feelings, hopes, and
concerns but as subhuman objects’’ (Bandura, 1986, p. 382). Hence, face-to-face interaction
is an important component of corporate culture that should not be overlooked in today’s
technology-centric organizations. Failure to adequately address this social issue can weaken
psychological proximity among organizational workers and increase the likelihood of
employee fraud, which suggests the following proposition:
Proposition 3A: There is a negative relationship between the level of face-to-face
communication within an organization and intentions to commit computer fraud.
The Report of the National Commission on Fraudulent Financial Reporting states ‘‘the
corporate environment or culture within which financial reporting occurs is the most
important factor contributing to the integrity of the financial reporting process. Notwith-
standing an impressive set of written rules and procedures, if the tone set by management is
lax, fraudulent financial reporting is more likely to occur’’ (NCFFR, 1987, p. 32; McMullen
et al., 1996). Whether supervisors are adhering to and enforcing company standards and
principles for computer usage is vital to understanding the likelihood that employees will
engage in computer-based fraud. Without such active support by superiors, technology may
impede opportunities for organizational values and norms to filter throughout the organ-
ization; thus, reducing conveyance of socially acceptable computer usage behavior (Desai and
Rittenburg, 1997). For instance, suppose policy states IT should not be used incorrectly or
illegally, however, managers use the computer to conduct unofficial business, such as web
surfing and downloading unauthorized software. This signals to employees that IT can be
used in an unethical manner. However, when managers comply with policy and only use IT
for its intended purpose, then employees are less likely to abuse the system. This discussion
leads us to the next proposition:
Proposition 3B: There is a negative relationship between the degree of visibility of
management’s ethical computer behavior and intentions to commit computer fraud.
3.1.3. Perceived behavioral control
Consistent with the theory of planned behavior, both perceived behavioral control and
behavioral intentions are determinants of computer-based fraud. Holding behavioral inten-
tions constant, an individual’s perceived behavioral control over committing computer-based
fraud directly impacts such fraudulent behavior (i.e., the extent to which an individual
believes he/she has actual control over performing a behavior will impact whether or not the
behavior is attempted). While in some cases, the individual committing the fraud does, in fact,
have total control over whether or not to commit the act, there may be instances where factors
outside the individual’s control limits the degree to which the behavior can be performed,
A. Lynch, M. Gomaa / International Journal of Accounting Information Systems 4 (2003) 295–308304
such as technology, skills, coworkers, time, and cost (Ajzen and Madden, 1986). Factors such
as these can impact degree of perceived behavioral control. Thus, we offer the following
proposition:
Proposition 4A: There is a positive relationship between perceived behavioral control over
committing computer-based fraud and employee fraudulent behavior.
Personal beliefs regarding the degree of control one possesses will impact an individual’s
intention to perform the behavior. One manifestation of this concept is past experience.
Overall, if an individual’s past experiences with computer-based fraud have been positive
(e.g., the person committed fraud, got away with it, and enjoyed it), then their perceived
behavioral control over attempting another fraud will be greater (Bandura, 1977, 1982). As a
result, we offer the following proposition:
Proposition 4B: There is a positive relationship between prior computer fraud experience
and intentions to commit computer fraud.
Highly restrictive technology tends to include more embedded control mechanisms that
limit the range of activities in which individuals can engage (Silver, 1991; Desanctis and
Poole, 1994). Therefore, an individual’s control over committing computer-based fraud will
be affected by the restrictiveness of the system. Accordingly,
Proposition 4C: There is a negative relationship between the perceived level of system
restrictiveness and intentions to commit computer fraud.
The reliance on others to complete a task limits volitional control. Thompson (1967) and
Van De Ven et al. (1976) categorize organizational task interdependence as pooled,
sequential, reciprocal, or team interdependent, where pooled and team interdependence are
at opposite ends of the ‘‘reliance on others’’ spectrum. Pooled interdependence tasks would
include those whose task performance does not directly rely on another’s input. Team
interdependence refers to tasks undertaken jointly by organizational members. Therefore, an
individual working in a pooled situation has more volitional control to process transactions
independently from start to finish, leading to a greater opportunity to commit fraud. Hence,
we offer the following proposition:
Proposition 4D: There is a negative relationship between the perceived level of task
interdependency and intentions to commit computer fraud.
Gaining unauthorized access to computer systems can be as easy as getting someone’s
password or understanding the flaws associated with a particular program, or as complex
as having a group of sophisticated technical experts brainstorm various ways to
accomplish the intrusion (Jordan and Taylor, 1998). The more complex the system, the
more difficult it is for potential fraud perpetrators to successfully gain unauthorized access
to the system.
A. Lynch, M. Gomaa / International Journal of Accounting Information Systems 4 (2003) 295–308 305
System complexity is comprised of three factors, component complexity, coordinate
complexity, and the degree of stability in the relationship between component complexity
and coordinate complexity (Wood, 1986). Component complexity refers to the number of
steps to complete the task (e.g., gaining access to different components of the system)
while coordinate complexity refers to the level of sequential steps involved in the task.
Thus, the less stable the relationship between coordinate complexity and component
complexity the more complex the system. For example, perceived system complexity
increases when organizations constantly change passwords, rotate job assignments,
upgrade software, and change inquiry commands, making it difficult for fraud perpetrators
to be successful. As reflected below, a person’s perception about the complexity level of
the system will influence their perceived behavioral control and intentions to commit
fraud:
Proposition 4E: There is a negative relationship between system complexity perceptions and
intentions to commit computer fraud.
Perceived behavioral control is also influenced by how well the fraud perpetrator
understands the system internal controls and embedded fraud detection efforts. A recent
survey suggested that computer hacking within an organization may be difficult to uncover
if the hacker is familiar with the system and has the ability to cover his/her tracks
(Computer Fraud and Security, 2002). If users feel they can more accurately predict the
likelihood of being caught as well as how they could be caught, they can tailor their actions
to avoid detection. Once users understand system integrity and fraud detection controls,
they increase the likelihood that fraudulent acts will go undetected. Therefore, we offer the
final proposition:
Proposition 4F: There is a positive relationship between the perceived predictability of
organizational fraud detection patterns and intentions to commit computer fraud.
4. Conclusion and future research
This article posits a framework, based on measures of Ajzen’s (1991) theory of
planned behavior, for considering the likelihood of fraud in an environment that includes
integrated information systems embedded throughout the organization. This article makes
several contributions to extant literature. First, it identifies appropriate measures for
assessing an individual’s intention to commit fraud. Second, it identifies ways in which
technology may inadvertently provide different avenues for fraudulent behavior, and last,
by incorporating the theory of planned behavior into the context of computer fraud, we
are able to provide additional insight regarding the profiles of individuals most likely to
commit fraud.
Several propositions are presented that should be useful for future research. This frame-
work can be tested as a whole, or in part, to determine whether the factors presented can
A. Lynch, M. Gomaa / International Journal of Accounting Information Systems 4 (2003) 295–308306
predict fraudulent behavior, and to examine the possible interaction or correlation between the
constructs. For example, in testing Proposition 1, research could compare and contrast
respondents convicted of fraud charges with those respondents convicted of other types of
nonfraud crime.
This framework can be used as the basis for developing expert systems and statistical
techniques for fraud detection. Systems can be developed to assist auditors in detecting and
determining the magnitude of fraud risk. For example, the system might look at the frequency
of face-to-face communication in an organization and compare the frequency with that of
similar firms that have had incidents of fraud.
Systems could also be developed to track employee technical skills and the level of task
interdependency and assist auditors in measuring the visibility of management’s ethical
values. This could be accomplished by having the system scan documents or minutes of
meetings for certain keywords that would represent discussion of ethical values in organ-
ization. In addition, to alleviate the ease with which fraud detection efforts can be predicted, a
system interface could be developed that provides auditors with several methods of inquiry
for obtaining the same information.
This article focuses on employee fraud in an IT environment. However, computer
fraud can also be committed by parties external to the organization. For example, a
stockholder could hack into the system to change the financial reporting of the
organization’s financial position in an effort to receive personal gain. Future research
could test whether constructs used for internal fraud detection are also applicable when
the perpetrators are external to the organization. It is possible that results will vary across
various societal groups. What is considered morally appropriate for one group may be
different from what is considered morally appropriate for another group. It is also
possible that the model may vary by the type of fraud committed. This framework is
specific to fraud committed by individuals for personal gain, and may not generalize to
fraud committed by firm management, for example, fraudulent financial reporting to
avoid debt covenant violations.
Fraud can be approached from multiple angles, including the individual, the technol-
ogy, or the task that is being performed. By viewing fraud in a multidimensional way,
we are better able to identify precursors to fraud and potential flags that will help us
identify fraud.
Acknowledgements
We would like to thank the two anonymous reviewers, Tanya Benford, Monica
Garfield, Vanita Nottingham, Mohamed Shehata, and our discussant and participants at
the Third International Research Symposium on Accounting Information Systems and
participants at the accounting doctoral seminar held at the University of South Florida for
their helpful comments. Funding support was provided by the Florida Education Fund,
University of South Florida Office of Graduate Studies, School of Accountancy, and
Gaiennie doctoral fellowship.
A. Lynch, M. Gomaa / International Journal of Accounting Information Systems 4 (2003) 295–308 307
References
Association of Certified Fraud Examiners (ACFA). Report to the nation occupational fraud and abuse. Austin
(TX): Association of Certified Fraud Examiners; 2002.
AICPA. Statement on Auditing Standards (SAS) No. 99: consideration of fraud in a financial statement audit.
Jersey City (NJ): American Institute of Certified Public Accountants; 2002.
Ajzen I. The theory of planned behavior. Org Behav Hum Decis Process 1991;50(2):179–211.
Ajzen I. Nature and operation of attitudes. Annu Rev Psychol 2001;52:27–58.
Ajzen I. Perceived behavioral control, self-efficacy, locus of control, and the theory of planned behavior. J Appl
Soc Psychol 2002;32(4):665–83.
Ajzen I, Driver BL. Prediction of leisure participation from behavioral, normative, and control beliefs—an
application of the theory of planned behavior. Leis Sci 1991;13(3):185–204.
Ajzen I, Driver BL. Application of the theory of planned behavior to leisure choice. J Leis Res 1992;24(3):207–24.
Ajzen I, Fishbein M. Understanding attitudes and predicting social behavior. Englewood Cliffs (NJ): Prentice-
Hall; 1980.
Ajzen I, Madden TJ. Prediction of goal-directed behavior—attitudes, intentions, and perceived behavioral-control.
J Exp Soc Psychol 1986;22(5):453–74.
Baird L. The detection of crimes and errors and omissions. EDP Audit Control Secur Newsl 2001;20(3):1–8.
Bandura A. Self-efficacy: toward a unifying theory of behavioral change. Psychol Rev 1977;84(2):191–215.
Bandura A. Self-efficacy mechanism in human agency. Am Psychol 1982;37(2):122–47.
Bandura A. Social foundations of thought and action: a social cognitive. Englewood Cliffs (NJ): Prentice-Hall;
1986.
Boldero J. The prediction of household recycling of newspapers: the role of attitudes, intentions, and situational
fact. J Appl Soc Psychol 1995;25(440–462):1825–34.
Bro RH. Criminal online conduct. In: Smedinghoff T, editor. Online law: the SPA’s legal guide to doing business
on the Internet. Canada: Addison-Wesley; 2000. p. 475–92.
Chang MK. Predicting unethical behavior: a comparison of the theory of reasoned action and the theory of
planned behavior. J Bus Ethics 1998;17:1825–34.
Colbert JL, Turner BS. Strategies for dealing with fraud. J Corp Account Finance 2000;11(4):43–9.
Computer Fraud & Security. Who can you trust more—those on the outside or on the inside? 2002;3:20.
Desai AB, Rittenburg T. Global ethics: an integrative framework for MNEs. J Bus Ethics 1997;16(8):791–800.
Desanctis G, Poole MS. Capturing the complexity in advanced technology use—adaptive structuration theory.
Organ Sci 1994;5(2):121–47.
Fishbein M. A theory of reasoned action: some applications and implications. In: Howe HE, editor. 1979 Nebraska
Symposium on Motivation. Lincoln (NE): University of Nebraska Press; 1980. p. 65–116.
Fishbein M, Ajzen I. Belief, attitude, intention, and behavior: an introduction to theory and research. Reading
(MA): Addison-Wesley; 1975.
Furnham A, Lovett J. Predicting the use of complementary medicine: a test of the theories of reasoned action and
planned behavior. J Appl Soc Psychol 2001;31(12):2588–620.
Giles M, Larmour S. The theory of planned behavior: a conceptual framework to view the career development of
women. J Appl Soc Psychol 2000;30(10):2137–57.
Hartwick J, Barki H. Explaining the role of user participation in information-system use. Manage Sci
1994;40(4):440–65.
Hsu MH, Kuo FY. An investigation of volitional control in information ethics. Behav Inf Technol
2003;22(1):53–62.
Huber GP. A theory of the effects of advanced information technologies on organization design, intelligence. Acad
Manage Rev 1990;15(1):47–71.
Hull RP, Serio LE. What managers should know about computer security. Business 1987;3–8.
Jones TM. Ethical decision-making by individuals in organizations—an issue-contingent model. Acad Manage
Rev 1991;16(2):366–95.
A. Lynch, M. Gomaa / International Journal of Accounting Information Systems 4 (2003) 295–308308
Jordan T, Taylor P. A sociology of hackers. Sociol Rev 1998;46(4):757–80.
Kurland NB. Ethical intentions and the theories of reasoned action and planned behavior. J Appl Soc Psychol
1995;25(4):297–313.
Madden TJ, Ellen PS, Ajzen I. A comparison of the theory of planned behavior and the theory of reasoned action.
Pers Soc Psychol Bull 1992;18(1):3–9.
McMullen DA, Raghunandan K, Rama DV. Internal control reports and financial reporting problems. Account
Horiz 1996;10(4):67–75.
NCFFR. Report of the National Commission on Fraudulent Financial Reporting. New York: AICPA; 1987.
Okun MA, Sloane ES. Application of planned behavior theory to predicting volunteer enrollment by college
students in a campus-based program. Soc Behav Pers 2002;30(3):243–9.
Orbell S, Blair C, Sherlock K, Conner M. The theory of planned behavior and ecstasy use: roles for habit and
perceived control over taking versus obtaining substances. J Appl Soc Psychol 2001;31(1):31–47.
Randall DM. Why students take elective business ethics courses—applying the theory of planned behavior. J Bus
Ethics 1994;13(5):369–78.
Randall DM, Gibson AM. Ethical decision-making in the medical-profession—an application of the theory of
planned behavior. J Bus Ethics 1991;10(2):111–22.
Silver MS. Systems that support decision makers: description and analysis. Chichester: Wiley; 1991.
Taylor S, Todd PA. Understanding information technology usage—a test of competing models. Inf Syst Res
1995;6(2):144–76.
Thompson JD. Organizations in action; social science bases of administrative theory. New York: McGraw-Hill;
1967.
Trafimow D, Fishbein M. The importance of risk in determining the extent to which attitudes affect intentions to
wear seat belts. J Appl Soc Psychol 1994;24(1):1–11.
Turban E, McLean E, Wetherbe JC. Information technology from management: transforming business in the
digital economy. New York: Wiley; 2002.
Van Beveren J. A conceptual model of hacker development and motivations. J E-Bus 2001;1(2):1–9.
Van De Ven AH, Delbecq AL, Koenig R. Determinants of coordination modes within organizations. Am Sociol
Rev 1976;41(2):322–38.
Vardi Y, Weitz E. Using the theory of reasoned action to predict organizational misbehavior. Psychol Rep
2002;91(3):1027–40.
Wood RE. Task complexity—definition of the construct. Org Behav Hum Decis Process 1986;37(1):60–82.
Yuthas K, Dillard JF. Ethical development of advanced technology: a postmodern stakeholder perspective. J Bus
Ethics 1999;19(1):35–49.
Top Related