Chapter 3
Ethics, Fraud, and Internal Control
COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license.
Objectives for Chapter 3
Broad issues pertaining to business ethics
Ethical issues related to the use of information technology
Distinguish between management fraud and employee fraud
Common types of fraud schemes
Key features of the SAS 78 / COSO internal control framework
Objects and application of physical controls
Business Ethics
Why should we be concerned about ethics in the business world?
Ethics are needed when conflicts arise. In business, conflicts may arise between employees, management, and stakeholders.
Litigation
Business Ethics
Business ethics involves finding the answers to two questions:
How do managers decide on what is right in conducting their business?
Once managers have recognized what is right, how do they achieve it?
Four Main Areas of Business Ethics
Computer Ethics
Computer ethics concerns the social impact of computer technology (hardware, software, and telecommunications). The main computer ethics issues are:
Privacy
Security and accuracy
Ownership of property
Computer misuse
Internal control integrity
Legal Definition of Fraud
False representation: a false statement or disclosure
Material fact: the fact must be important enough that someone will act on it
Intent to deceive must exist
The misrepresentation must have resulted in justifiable reliance upon the information, which caused someone to act
The misrepresentation must have caused injury or loss
Factors that Contribute to Fraud
Employee Fraud
Usually an employee taking cash or other assets for personal gain by circumventing the company's system of internal controls.
Management Fraud
Perpetrated at management levels, but the internal control structure usually relates to activities performed at lower levels.
Frequently involves using financial statements to create the illusion that the entity is healthier and more prosperous than it actually is.
If management is stealing assets, the theft probably is hidden in very complicated business transactions.
Underlying Problems of Enron, WorldCom, Adelphia
Lack of Auditor Independence: auditing firms were also engaged to perform non-accounting activities (consulting).
Lack of Director Independence: directors also served on the boards of other companies (good ol' boy network), or had a business trading relationship, or had a financial relationship as stockholders, or received personal loans, or were employed by the company.
Underlying Problems of Enron, WorldCom, Adelphia (contd)
Executive Compensation Schemes: short-term stock options as compensation result in short-term strategies, which drive up stock prices at the expense of the firm's long-term health.
Inappropriate Accounting Practices: common to many financial statement fraud schemes. Enron created many special purpose entities. WorldCom transferred transmission line costs from current expense accounts to capital accounts (boosts the balance sheet).
Sarbanes-Oxley Act of 2002
Created the Public Company Accounting Oversight Board (PCAOB)
Requires Auditor independence—more separation between firm’s attestation (auditing) and non-auditing activities
Corporate governance—audit committee members must be independent and must oversee external auditors
Disclosure requirements—increase auditor and management disclosures
New federal crimes for destruction of/tampering with documents, securities fraud, and actions against whistleblowers
Association of Certified Fraud Examiners' 2006 Occupational Fraud & Abuse Survey

Scheme Type               2006* % Cases   2006 Median loss   1996 % Cases   1996 Median loss
Asset Misappropriations   91.5%           $150,000           81.1%          $65,000
Corruption Schemes        30.8%           $538,000           14.8%          $440,000
Fraudulent Statements     10.6%           $2,000,000         4.1%           $4,000,000

*Totals more than 100% because some cases were reported in more than one category.
Fraud Schemes
Three categories of fraud schemes according to the Association of Certified Fraud Examiners:
A. Fraudulent statements
B. Corruption
C. Asset misappropriation
A. Fraudulent Statements
Usually management fraud: misstating financial statements to make the company appear better than it is.
Often tied to short-term financial measures for success, or management bonus packages are tied to the financial statements.
B. Corruption
Examples: bribery, illegal gratuities, conflicts of interest, economic extortion.
Foreign Corrupt Practices Act of 1977: requires accurate records and internal controls (but management was not required to put it in writing).
Sarbanes-Oxley Act of 2002: management must acknowledge that it is responsible for internal controls, and must assert to the effectiveness of those controls in the annual report to the SEC (in other words, now it must be in writing).
C. Asset Misappropriation
Most common type of fraud. Usually employee fraud. Examples:
Making charges to expense accounts to cover theft of an asset (such as cash)
"Lapping": using a customer's check from one account to cover theft from a different customer's account
Transaction fraud: deleting, altering, or adding false transactions to steal assets
Computer Fraud
Theft or misuse of assets by altering computer data or altering software programming
Theft or misuse of computer hardware
Theft, corruption, or destruction of software or hardware (includes illegal copying or sharing of software)
Theft or illegal use of computer data / information
Data Collection Fraud
Fraud occurs as data are being entered. This is the most vulnerable stage because it is relatively easy to change data as it is entered into the system.
Also, the GIGO (garbage in, garbage out) principle reminds us: if input data are inaccurate, output will be inaccurate.
Data Processing Fraud
Program frauds: altering programs to allow illegal access to and/or manipulation of data; destroying programs with a virus
Operations frauds: misuse of company resources, such as using the computer for personal business without permission
Database Management Fraud
Altering, deleting, corrupting, destroying, or stealing an organization's data
Oftentimes conducted by a disgruntled employee or ex-employee. This is why you don't give terminated employees 2 weeks' notice! Escort them to their desk, then the door.
Information Generation Fraud
Stealing, misdirecting, or misusing computer output
Scavenging: searching through trash cans for discarded output (output should be shredded, but frequently is not)
Internal Control Objectives According to AICPA SAS
1. Safeguard assets of the firm
2. Ensure accuracy and reliability of accounting records and information
3. Promote efficiency of the firm's operations
4. Measure compliance with management's prescribed policies and procedures
Assumptions about Internal Control Objectives
Management Responsibility: establishment and maintenance of the internal control system is the responsibility of management (NOT the auditor).
Reasonable Assurance: the cost of achieving the objectives of internal control should not outweigh its benefits. Would you hire an armed guard 24x7 to make sure $100 of petty cash is not stolen?
Methods of Data Processing: the techniques for achieving internal control objectives vary, depending on the technology. The objectives of internal controls are the same in manual and computerized systems; the methods (techniques) are different.
Limitations of Internal Controls
Honest errors: employees get tired, distracted, sick
Collusion: when 2 or more employees get together to defraud the company
Management override: a manager tells the accountant to enter a bogus transaction
Changing conditions in the company: especially true when companies grow rapidly
Exposures (Risks) of Weak Internal Controls
Assets may be destroyed
Assets may be stolen
Information may be corrupted
Information system may be disrupted
The Internal Controls Shield
Preventive, Detective, and Corrective Controls
[figure; surviving label: "Least costly"]
Auditing Standards
Auditors are guided by GAAS (Generally Accepted Auditing Standards).
3 classes of standards: general qualification standards, field work standards, reporting standards.
For specific guidance, auditors use AICPA SAS (Statements on Auditing Standards).
SAS 78 / COSO
Describes the relationship between the firm's internal control structure, the auditor's assessment of risk, and the planning of audit procedures.
How do these three interrelate?
The weaker the internal control structure, the higher the assessed level of risk; the higher the risk, the more auditor testing procedures are applied in the audit.
Five Internal Control Components of SAS 78
1. Control environment
2. Risk assessment
3. Information & communication
4. Monitoring
5. Control activities
1: Control Environment
Integrity and ethics of management
Management's policies and philosophy
Organizational structure
Delegation of responsibility and authority
Role of the board of directors and the audit committee
Performance evaluation measures
External influences (ex: regulatory agencies)
2: Risk Assessment
Identify, analyze, and manage risks relevant to financial reporting.
Examples:
Changes in the external environment
Foreign markets (carry more risk than domestic markets)
Rapid growth that strains internal controls
New product lines
Restructuring/downsizing
Changes in accounting policies
3: Information and Communication
The system (CBIS) should produce quality information that:
Identifies and records all valid transactions
Provides timely information in appropriate detail for proper classification and financial reporting
Accurately measures the financial value of transactions, and
Records transactions in the time period in which they occurred. Inventory arrives on 12/31/07. Is it recorded in 2007 or 2008?
4: Monitoring
The process for assessing the quality of internal control design and operation.
Separate procedures: tests of controls by internal auditors
Ongoing monitoring: computer modules integrated into routine operations; management reports that show trends; reports with exceptions from normal performance, sometimes called "exception reports"
5: Control Activities
Policies and procedures to ensure that appropriate actions are taken in response to identified risks.
Fall into two distinct categories:
IT controls: relate specifically to the computer environment
Physical controls: primarily pertain to human activities
Two Types of IT Controls
General controls: pertain to the entitywide computer environment. Examples: controls over the data center, organization databases, systems development, and program maintenance.
Application controls: ensure the integrity of specific systems. Examples: controls over sales order processing, accounts payable, and payroll applications.
Six Types of Physical Controls
Access Control
Accounting Records
Authorization of Transactions
Independent Verification
Segregation of Duties
Supervision
Memorize these!
Physical Controls (continued)
Access Controls: help to safeguard assets by restricting physical access to them
Accounting Records: provide an audit trail
Physical Controls (continued)
Authorization: used to ensure that employees are carrying out only authorized transactions. Authorizations may be general (everyday procedures) or specific (non-routine transactions). Example: A clerk may have general authorization to accept low-value returns from customers; if the return is over a certain dollar amount, the clerk asks a supervisor to approve (specific).
Physical Controls
Independent Verification: reviewing batch totals; reconciling subsidiary ledgers with control accounts. Example: Compare the A/P subsidiary ledger total with the A/P Control account in the General Ledger.
Physical Controls
Segregation of Duties
In a manual system, separation is between: authorizing and processing a transaction; custody and recordkeeping of the asset.
In a computerized system, segregation should exist between: program coding, program processing, and program maintenance.
Physical Controls
Supervision: compensation for a lack of segregation of duties, such as in a small company that cannot hire many employees. Sometimes called a "compensating control".
Internal Controls in Computer-based Information Systems (CBIS):
Access
Accounting Records
Authorization of Transactions
Independent Verification
Segregation of Duties
Supervision
Internal Controls in CBISs
Access: data consolidation exposes the organization to computer fraud and excessive losses from disaster. If someone does access the data, s/he might get to all of it.
[figure label: "All data in here"]
Internal Controls in CBISs
Accounting Records: transaction & master files (and some source documents) are kept magnetically; the audit trail still exists, but must be read by computer rather than by humans.
Internal Controls in CBISs
Authorization: rules for transaction authorization are frequently embedded in computer programs. Electronic Data Interchange (EDI) with Just-in-Time Inventory (JIT): automated re-ordering of inventory without human intervention.
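The general-versus-specific authorization rule from the clerk-and-supervisor example (a return above a set amount needs supervisor approval), embedded in code the way the slide above describes and reported as the kind of exception report described under Monitoring. This is an added Python example, not from the textbook or its slides; the dollar limit, user ids and transactions are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed policy values (hypothetical): a clerk's general authorization covers
# returns up to this amount; anything above needs specific approval by a supervisor.
GENERAL_RETURN_LIMIT = 100.00
SUPERVISORS = {"sup01"}


@dataclass(frozen=True)
class ReturnTxn:
    txn_id: str
    clerk: str
    amount: float
    approved_by: Optional[str]  # None when no specific approval was recorded


def check_return(txn: ReturnTxn) -> list[str]:
    """Apply the authorization rule to one transaction; return the exceptions found."""
    problems: list[str] = []
    if txn.amount <= GENERAL_RETURN_LIMIT:
        return problems  # routine: covered by the clerk's general authorization
    if txn.approved_by is None:
        problems.append("over limit, no specific approval")
    elif txn.approved_by not in SUPERVISORS:
        problems.append(f"over limit, approver {txn.approved_by} is not a supervisor")
    elif txn.approved_by == txn.clerk:
        problems.append("over limit, clerk approved own transaction")
    return problems


def exception_report(txns: list[ReturnTxn]) -> dict[str, list[str]]:
    """Exception report: only the transactions that deviate from the rule."""
    return {t.txn_id: p for t in txns if (p := check_return(t))}


# Constructed sample batch (not real data).
SAMPLE = [
    ReturnTxn("R-1001", "clerk07", 45.00, None),        # routine, general authorization
    ReturnTxn("R-1002", "clerk07", 250.00, "sup01"),    # specific approval present
    ReturnTxn("R-1003", "clerk07", 320.00, None),       # specific approval missing
    ReturnTxn("R-1004", "clerk07", 180.00, "clerk09"),  # approver lacks authority
    ReturnTxn("R-1005", "sup01", 400.00, "sup01"),      # self-approval
]

if __name__ == "__main__":
    for txn_id, problems in exception_report(SAMPLE).items():
        print(txn_id, "; ".join(problems))
```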
Internal Controls in CBISs
Independent Verification: many of these tasks are performed by computer rather than manually, so an independent check on the tasks performed by the computer is not necessary (however, the computer programs themselves should be checked).
Internal Controls in CBISs
Segregation of Duties: a computer program performs many tasks considered incompatible in manual systems. Therefore, program development, program operations, and program maintenance must be separated in internally developed systems. Not as important for commercial software. Why?
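The incompatible duty pairs listed under Segregation of Duties (authorize/process and custody/recordkeeping for manual systems; development, operations and maintenance for computerized systems) checked against a role assignment the way an access review would, with Supervision modelled as a documented compensating control. This is an added Python example, not from the textbook; the role names, duty labels and users are constructed.

```python
from itertools import combinations

# Incompatible duty pairs taken from the chapter. Duty labels are constructed.
INCOMPATIBLE = {
    frozenset({"authorize_txn", "process_txn"}),
    frozenset({"asset_custody", "asset_recordkeeping"}),
    frozenset({"program_development", "program_operations"}),
    frozenset({"program_development", "program_maintenance"}),
    frozenset({"program_operations", "program_maintenance"}),
}

# Constructed role-to-duty map, as an identity system might export it.
ROLE_DUTIES = {
    "ap_clerk": {"process_txn"},
    "ap_supervisor": {"authorize_txn"},
    "developer": {"program_development"},
    "operator": {"program_operations"},
    "sysadmin": {"program_operations", "program_maintenance"},  # conflicted by itself
}


def effective_duties(roles):
    """Union of the duties granted by all of a user's roles."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES[role]
    return duties


def sod_violations(user_roles):
    """{user: sorted conflicting duty pairs} for users whose combined roles grant an
    incompatible pair. Conflicts across roles count, not just within one role."""
    report = {}
    for user, roles in user_roles.items():
        pairs = combinations(effective_duties(roles), 2)
        conflicts = sorted(tuple(sorted(p)) for p in pairs if frozenset(p) in INCOMPATIBLE)
        if conflicts:
            report[user] = conflicts
    return report


def sod_report(user_roles, compensated=frozenset()):
    """Split findings into open violations and those covered by a documented
    compensating control (e.g. direct supervision in a small company)."""
    found = sod_violations(user_roles)
    return ({u: c for u, c in found.items() if u not in compensated},
            {u: c for u, c in found.items() if u in compensated})


SAMPLE_USERS = {  # constructed
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_supervisor"],  # authorizes and processes
    "carol": ["developer"],
    "dave": ["developer", "operator"],     # writes and runs programs
    "erin": ["sysadmin"],                  # operates and maintains programs
}
```

Calling sod_report(SAMPLE_USERS, {"erin"}) lists bob and dave as open violations and erin as a conflict covered by supervision.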
Internal Controls in CBISs
Supervision: the ability to assess competent employees becomes more challenging due to the greater technical knowledge required. A "compensating control".