Course code: BE304E
Candidate names: Runar Horn and Christ-Amour Ignoumba
Title: A digitalized society in front of the cyberwar - are we prepared? A case study of four Norwegian organizations
Date: 22.05.2017
Total number of pages: 102
Masteroppgave Management Control

ABSTRACT

The purpose of this study is to investigate how Norwegian companies respond to the continuously growing threat from cybercrime. We live in a society that becomes more digitalized every day, which makes us more vulnerable and exposed to the cyber threat. Our problem statement and research questions investigate specifically how the internal control systems of our respondents are affected by this threat. In addition, we take a close look at the different types of fraud that exist, and at how companies today are affected by institutional forces. In order to do this research we have chosen to cooperate with four different Norwegian firms: Company A, Y, B and X. Company X and B operate in the health sector, Company A in the finance industry and Company Y in the automotive industry. All of them wanted to stay anonymous. Doing research in this area, in which we applied institutional theory, has been of great interest to us and has provided some exciting findings. Based on media coverage and articles we have seen in the news, we find that the subject has become even more important than when we started our research. Our findings show that the most common types of fraudulent activity today are hacking, phishing, CEO fraud and identity theft. Based on our findings, working towards the right organizational culture and the right attitudes among employees are the most important measures to fight cybercrime. In addition, having satisfactory security systems in place (e.g. antivirus, firewall, backup system) is important, but more importantly, employees need to know how to use them.

The companies we have worked with are all regulated by laws, but according to our respondents there was common agreement that complying with laws and regulations alone is not enough to stay satisfactorily protected against cybercrime. Finally, we summarized our discussion by using virus theory as a metaphor for cybercrime. Our findings in this investigation show that dealing with a continuously growing cyber threat demands a great amount of resources and attention, and in that way clearly impacts the internal control system.

Keywords: Cybercrime, fraud, internal control systems, institutional theory

FOREWORD

This research paper is our master thesis in Business Administration at Nord University, Bodø, Norway. Through this work we gained knowledge of IT-related fraud and internal control systems in four Norwegian companies, and insight into how useful these system measures are in the face of IT development. First and foremost we would like to thank and express our appreciation to our thesis supervisor, Mr. Anatoli Bourmistrov, for his great support, help, inspiration, advice, encouragement and guidance during our research work. He has always worked in a professional manner with very rapid replies and has offered us great and timely advice. Furthermore, we would like to thank all the representatives of Company A, Company X, Company Y and Company B who accepted working with us, knowing full well the sensitive nature of our problem statement. Additionally, we would like to send our special gratitude to Kristian Thaysen, partner at BDO (compliance and investigation), and Arne Helme, partner at KPMG and advisor in the development of complex IT systems and solutions, for their support and great answers. Finally, we would like to show our gratefulness to our respective families for their unlimited love and assistance.

Also a big thank you to all of our friends, colleagues and, most importantly, each other; without each other this work would not have been possible.

Bodø, May 2017
Runar Horn A. and Christ A. Ignoumba

ACRONYMS

ACFE: Association of Fraud Examiners
CEO: Chief Executive Officer
CFO: Chief Financial Officer
CGMA: Chartered Global Management Accountant
COBIT: Control Objectives for Information Technology
COSO: Committee of Sponsoring Organization
CRM: Customer Relationship Management
DDoS: Distributed Denial of Service
EFT: Electronic Funds Transfer
ERM: Enterprise Risk Management
IA: Internal Audit
IC: Internal Control
ICT: Information and Communication Technology
ID: Identification
ISACA: Information System Audit and Control Association
ISO: International Organization for Standardization
IT: Information Technology
NSM: Norsk sikkerhetsmyndighet
NSD: Norsk senter for forskningsdata
SOX: Sarbanes-Oxley Act

CONTENTS

1 INTRODUCTION ... 1
1.0 Introduction ... 1
1.1 Motivation ... 1
1.2 Problem statement and Research question ... 2
1.3 Reflection over methodology and theory choices ... 3
2 THEORETICAL FRAMEWORK ... 4
2.0 Introduction ... 4
2.1 Fraud Overview ... 4
2.1.1 Types of fraud ... 5
2.1.2 The fraud triangle ... 6
2.1.3 Detection of Fraud Schemes ... 7
2.1.4 IT Fraud (Electronic Fraud) ... 7
2.1.5 Major IT Fraud Areas ... 8
2.2 Internal Control systems ... 9
2.2.1 Committee of the Sponsoring Organization (COSO) ... 9
2.2.2 Control Objectives for Information and Related Technology (COBIT) ... 10
2.2.3 Enterprise Risk Management (ERM) System ... 10
2.2.4 Corporate Governance ... 11
2.2.5 IT Governance ... 13
2.2.6 Internal Audit Function ... 13
2.3 Institutional Theory ... 14
2.3.1 Legitimacy ... 15
2.3.2 Institutional Pressures and Isomorphism ... 16
2.3.3 Institutional isomorphism and Public Sector Organizations ... 18
2.3.4 Institutional model of accounting ... 19
2.4 Summary ... 21
3 METHODOLOGY ... 22
3.0 Introduction ... 22
3.1 Scientific Theory Approach ... 22
3.2 Research design ... 23
3.3 Data collection method ... 25
3.3.1 Primary and secondary data ... 25
3.3.2 Interview ... 26
3.3.3 Interview implementation ... 27
3.3.4 Presentation of informants ... 28
3.4 Validity and reliability ... 30
3.4.1 Validity ... 31
3.4.2 Reliability ... 32
3.5 Summary ...