Chapter 3

Ethics, Fraud, and Internal Control

COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license

Upload: lynn-norris

Post on 17-Dec-2015


Objectives for Chapter 3

- Broad issues pertaining to business ethics
- Ethical issues related to the use of information technology
- Distinguish between management fraud and employee fraud
- Common types of fraud schemes
- Key features of SAS 78 / COSO internal control framework
- Objects and application of physical controls


Business Ethics

Why should we be concerned about ethics in the business world?

- Ethics are needed when conflicts arise
- In business, conflicts may arise between:
  - employees
  - management
  - stakeholders
- Litigation


Business Ethics

Business ethics involves finding the answers to two questions:

How do managers decide on what is right in conducting their business?

Once managers have recognized what is right, how do they achieve it?


Four Main Areas of Business Ethics


Computer Ethics

Concerns social impact of computer technology (hardware, software, and telecommunications).

The main computer ethics issues are:

- Privacy
- Security and accuracy
- Ownership of property
- Computer misuse
- Internal control integrity


Legal Definition of Fraud

- false representation - false statement or disclosure
- material fact - fact must be important enough so someone will act
- intent to deceive must exist
- misrepresentation must have resulted in justifiable reliance upon information, which caused someone to act
- misrepresentation must have caused injury or loss


Factors that Contribute to Fraud


Employee Fraud

Usually an employee taking cash or other assets for personal gain by circumventing company’s system of internal controls


Management Fraud

- Perpetrated at management levels
  - But the internal control structure usually relates to activities performed at lower levels
- Frequently involves using financial statements
  - Creating the illusion that entity is healthier and more prosperous than it actually is.
- If management is stealing assets,
  - Theft probably is hidden in very complicated business transactions.


Underlying Problems of Enron, WorldCom, Adelphia

- Lack of Auditor Independence: auditing firms also engaged to perform non-accounting activities (consulting)
- Lack of Director Independence:
  - Directors also served on the boards of other companies (good ol’ boy network)
  - Or had a business trading relationship
  - Or had a financial relationship as stockholders
  - Or received personal loans,
  - Or was employed by the company


Underlying Problems of Enron, WorldCom, Adelphia (contd)

- Executive Compensation Schemes:
  - short-term stock options as compensation result in short-term strategies
  - Drives up stock prices at expense of firm’s long-term health.
- Inappropriate Accounting Practices:
  - Common to many financial statement fraud schemes.
  - Enron created many special purpose entities
  - WorldCom transferred transmission line costs from current expense accounts to capital accounts (boosts balance sheet)


Sarbanes-Oxley Act of 2002

Created the Public Company Accounting Oversight Board (PCAOB)

Requires Auditor independence—more separation between firm’s attestation (auditing) and non-auditing activities

Corporate governance—audit committee members must be independent and must oversee external auditors

Disclosure requirements—increase auditor and management disclosures

New federal crimes for destruction of/tampering with documents, securities fraud, and actions against whistleblowers


Association of Certified Fraud Examiners’ 2006 Occupational Fraud & Abuse Survey

| Scheme Type | 2006* % Cases | 2006* Median loss | 1996 % Cases | 1996 Median loss |
|---|---|---|---|---|
| Asset Misappropriations | 91.5% | $150,000 | 81.1% | $65,000 |
| Corruption Schemes | 30.8% | $538,000 | 14.8% | $440,000 |
| Fraudulent Statements | 10.6% | $2,000,000 | 4.1% | $4,000,000 |

*More than 100% because some reported in more than one category


Fraud Schemes

Three categories of fraud schemes according to the Association of Certified Fraud Examiners:

A. Fraudulent statements
B. Corruption
C. Asset misappropriation


A. Fraudulent Statements

- Usually management fraud
- Misstating financial statements to make company appear better than it is
- Often tied to short-term financial measures for success
- Or management bonus packages are tied to financial statements


B. Corruption

Examples:

- Bribery
- Illegal gratuities
- Conflicts of interest
- Economic extortion

Foreign Corrupt Practices Act of 1977:

- requires accurate records and internal controls (but management was not required to put it in writing)

Sarbanes-Oxley Act of 2002:

- management must acknowledge it is responsible for internal controls
- must assert to effectiveness of those controls - in annual report to SEC (in other words, now it must be in writing)


C. Asset Misappropriation

- Most common type of fraud
- Usually employee fraud.
- Examples:
  - Making charges to expense accounts to cover theft of asset (such as cash)
  - “Lapping”: using customer’s check from one account to cover theft from a different customer’s account
  - Transaction fraud: deleting, altering, or adding false transactions to steal assets


Computer Fraud

- Theft or misuse of assets by
  - altering computer data
  - altering software programming
- Theft or misuse of computer hardware
- Theft, corruption, or destruction of software or hardware
  - Includes illegal copying or sharing of software
- Theft or illegal use of computer data / information


Data Collection Fraud

- Fraud occurs as data are being entered
- Most vulnerable because it is relatively easy to change data as it is entered into system.
- Also, the GIGO (garbage in, garbage out) principle reminds us
  - If input data are inaccurate, output will be inaccurate.


Data Processing Fraud

Program Frauds

- altering programs to allow illegal access to and/or manipulation of data
- destroying programs with a virus

Operations Frauds

- misuse of company resources, such as using the computer for personal business without permission


Database Management Fraud

- Altering, deleting, corrupting, destroying, or stealing an organization’s data
- Oftentimes conducted by disgruntled or ex-employee
  - This is why you don’t give terminated employees 2 weeks notice! Escort them to their desk, then the door.


Information Generation Fraud

- Stealing, misdirecting, or misusing computer output
- Scavenging
  - searching through trash cans for discarded output (output should be shredded, but frequently is not)


Internal Control Objectives According to AICPA SAS

1. Safeguard assets of the firm
2. Ensure accuracy and reliability of accounting records and information
3. Promote efficiency of the firm’s operations
4. Measure compliance with management’s prescribed policies and procedures


Assumptions about Internal Control Objectives

Management Responsibility

- establishment and maintenance of internal control system is responsibility of management (NOT Auditor).

Reasonable Assurance

- cost of achieving objectives of internal control should not outweigh its benefits.
- Would you hire an armed guard 24x7 to make sure $100 of petty cash is not stolen?

Methods of Data Processing

- techniques of achieving internal control objectives vary, depending on technology.
- Objectives of internal controls are same between manual and computerized systems; methods (techniques) are different.


Limitations of Internal Controls

- Honest errors
  - Employees get tired, distracted, sick
- Collusion
  - When 2 or more employees get together to defraud the company.
- Management override
  - Manager tells accountant to enter bogus transaction
- Changing conditions in the company
  - especially true when companies grow rapidly


Exposures (Risks) of Weak Internal Controls

- Assets may be destroyed
- Assets may be stolen
- Information may be corrupted
- Information system may be disrupted


The Internal Controls Shield


Preventive, Detective, and Corrective Controls

Least costly


Auditing Standards

- Auditors are guided by GAAS (Generally Accepted Auditing Standards)
- 3 classes of standards:
  - General qualification standards
  - Field work standards
  - Reporting standards
- For specific guidance, auditors use AICPA SAS (Statements on Auditing Standards)


SAS 78 / COSO

Describes relationship between firm’s…

- internal control structure,
- auditor’s assessment of risk, and
- planning of audit procedures

How do these three interrelate?

The weaker the internal control structure, the higher the assessed level of risk; the higher the risk, the more auditor testing procedures applied in the audit.


Five Internal Control Components of SAS 78

1. control environment
2. risk assessment
3. information & communication
4. monitoring
5. control activities


1: Control Environment

- integrity and ethics of management
- management’s policies and philosophy
- organizational structure
- delegation of responsibility and authority
- role of board of directors and the audit committee
- performance evaluation measures
- external influences (ex: regulatory agencies)


2: Risk Assessment

- identify, analyze, and manage risks relevant to financial reporting
- Examples:
  - changes in external environment
  - foreign markets – carry more risk than domestic markets
  - rapid growth that strains internal controls
  - new product lines
  - restructuring/downsizing
  - changes in accounting policies


3: Information and Communication

System (CBIS) should produce quality information that

- identifies and records all valid transactions
- provides timely information in appropriate detail for proper classification and financial reporting
- accurately measures financial value of transactions, and
- records transactions in time period in which they occurred
  - Inventory arrives on 12/31/07. Is it recorded in 2007 or 2008?


4: Monitoring

- The process for assessing quality of internal control design and operation
- separate procedures: test of controls by internal auditors
- ongoing monitoring:
  - computer modules integrated into routine operations
  - management reports that show trends
  - Reports with exceptions from normal performance
    - Sometimes called ‘exception reports’


5: Control Activities

- Policies and procedures to ensure that appropriate actions are taken in response to identified risks
- Fall into two distinct categories:
  - IT controls: relate specifically to the computer environment
  - Physical controls: primarily pertain to human activities


Two Types of IT Controls

- General controls: pertain to the entitywide computer environment
  - Examples: controls over the data center, organization databases, systems development, and program maintenance
- Application controls: ensure the integrity of specific systems
  - Examples: controls over sales order processing, accounts payable, and payroll applications


Six Types of Physical Controls

- Access Control
- Accounting Records
- Authorization of Transactions
- Independent Verification
- Segregation of Duties
- Supervision

Memorize these!


Physical Controls (continued)

Access Controls

- help to safeguard assets by restricting physical access to them

Accounting Records

- provide audit trail


Physical Controls (continued)

Authorization

- used to ensure that employees are carrying out only authorized transactions
- Authorizations may be general (everyday procedures) or specific (non-routine transactions).
- Example: A clerk may have general authorization to accept low-value returns from customers; if the return is over a certain dollar amount, clerk asks supervisor to approve (specific).


Physical Controls

Independent Verification

- reviewing batch totals
- reconciling subsidiary ledgers with control accounts
  - Example: Compare A/P sub. ledger total with A/P Control account in General Ledger.


Physical Controls

Segregation of Duties

- In manual system, separation is between:
  - authorizing and processing a transaction
  - custody and recordkeeping of the asset
- In computerized system, segregation should exist between:
  - program coding
  - program processing
  - program maintenance


Physical Controls

Supervision

- compensation for lack of segregation of duties
  - Such as in a small company that cannot hire many employees
- Sometimes called a “compensating control”


Internal Controls in Computer-based Information Systems (CBIS):

- Access
- Accounting Records
- Authorization of Transactions
- Independent Verification
- Segregation of Duties
- Supervision


Internal Controls in CBISs

Access

- data consolidation exposes the organization to computer fraud and excessive losses from disaster
- If someone does access data, s/he might get to all of it.

All data in here


Internal Controls in CBISs

Accounting Records

- transaction & master files (and some source documents) are kept magnetically – audit trail still exists, but must be read by computer, rather than humans.


Internal Controls in CBISs

Authorization

- rules for transaction authorization frequently embedded in computer programs
- Electronic Data Interchange (EDI) with Just-in-Time Inventory (JIT): automated re-ordering of inventory without human intervention
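
The authorization rule described above, embedded in a program, as an added example that is not part of the original slides. It applies the general/specific split from the clerk-and-returns example, requires that the approver differ from the person who entered the transaction, and lists failures as an exception report; the $50 limit, user IDs, role table and function names are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Assumed policy value: the slides say only "a certain dollar amount".
GENERAL_AUTH_LIMIT = Decimal("50.00")

# Constructed role table for the example (hypothetical user IDs).
ROLES = {"clerk01": "clerk", "clerk02": "clerk", "sup01": "supervisor"}


@dataclass(frozen=True)
class ReturnTxn:
    txn_id: str
    amount: Decimal
    entered_by: str
    approved_by: Optional[str] = None


def check_return(txn: ReturnTxn) -> Optional[str]:
    """Return None if the return is authorized, else the reason it is an exception."""
    if ROLES.get(txn.entered_by) is None:
        return "entered by unknown user"
    if txn.amount <= 0:
        return "non-positive amount"
    if txn.amount <= GENERAL_AUTH_LIMIT:
        return None  # general authorization: routine, low-value return
    # Above the limit, specific authorization is required.
    if txn.approved_by is None:
        return "specific authorization missing"
    if ROLES.get(txn.approved_by) != "supervisor":
        return "approver is not a supervisor"
    if txn.approved_by == txn.entered_by:
        # Authorizing and processing must be done by different people.
        return "segregation of duties: approver entered the transaction"
    return None


def exception_report(txns):
    """List (txn_id, reason) for every return that fails the embedded rules."""
    report = []
    for txn in txns:
        reason = check_return(txn)
        if reason is not None:
            report.append((txn.txn_id, reason))
    return report


# Constructed sample batch.
SAMPLE_BATCH = [
    ReturnTxn("R-1001", Decimal("19.99"), "clerk01"),
    ReturnTxn("R-1002", Decimal("240.00"), "clerk01"),
    ReturnTxn("R-1003", Decimal("240.00"), "clerk01", approved_by="sup01"),
    ReturnTxn("R-1004", Decimal("310.50"), "clerk02", approved_by="clerk01"),
    ReturnTxn("R-1005", Decimal("500.00"), "sup01", approved_by="sup01"),
]

if __name__ == "__main__":
    for txn_id, reason in exception_report(SAMPLE_BATCH):
        print(f"{txn_id}: {reason}")
```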


Internal Controls in CBISs

Independent Verification

- many of these tasks are performed by computer rather than manually, and need for an independent check on tasks performed by computer is not necessary (however, computer programs should be checked).


Internal Controls in CBISs

Segregation of Duties

- Computer program performs many tasks considered incompatible in manual systems
- Therefore, must separate program development, program operations, and program maintenance – in internally developed systems
  - Not as important in commercial software – why?


Internal Controls in CBISs

Supervision

- ability to assess competent employees becomes more challenging due to greater technical knowledge required
- “compensating control”
