ethics fraud

8/6/2019 Ethics Fraud

1/49

Date:17/ 9/ 07 College of Agricultural Banking, RBI , PUNE

Ethics,Ethics,Fraud, andFraud, and

Internal ControlInternal Control

SUPRIYO BHATTACHARJEE

AGM & MOF

CAB,RBI,PUNE


2/49

Date: College of Agricultural Banking, RBI , PUNE

ObjectivesObjectives

Broad issues pertaining to business ethics

Ethics in accounting information systems Ethical issues in information technology

Management fraud and employee fraud

Common fraud techniques in manual and computer-based systems

Implications of computer technology on the internalcontrol structure


3/49


Business EthicsBusiness Ethics

Why should we be concerned about ethics in the

business world? Ethics are needed when conflicts arise--the

need to choose

In business, conflicts may arise between: employees

management

stakeholders Litigation


4/49


Four Main Areas of Business EthicsFour Main Areas of Business Ethics


5/49


Behavioral Stage Theory of MoralBehavioral Stage Theory of MoralDevelopmentDevelopment


6/49


Computer EthicsComputer Ethics

Concerns the social impact of computer technology (hardware, software,and telecommunications).

What are the main computer ethics issues?

Privacy

Security and accuracy Ownership of property

Environmental issues

Equity in access

Artificial intelligence Unemployment and displacement

Computer misuse

Internal control integrity


7/49


What is Fraud?What is Fraud?Five Conditions of FraudFive Conditions of Fraud

Fa lse r ep r esen t a t ion - false statement or

disclosure Mat er ia l f act - a fact must be substantial in

inducing someone to act

I n t en t t o d ecei v e must exist The misrepresentation must have resulted in

j us t i f i ab le r e l iance upon information, whichcaused someone to act

The misrepresentation must have causedi n j u r y o r l o s s


8/49


2002 CFE Study of Fraud2002 CFE Study of Fraud

Loss due to fraud equal to 6% of revenues

approximately $600 billion Loss by position within the company:

Other results: higher losses due to men, employeesacting alone, employees with advance degrees


9/49


Enron, WorldCom, AdelphiaEnron, WorldCom, AdelphiaThe Underlying ProblemsThe Underlying Problems

Lack of Auditor Independence: auditing firms also engaged by their clientsto perform nonaccounting activities such as actuarial services, internalaudit outsourcing services, and consulting

Lack of Director Independence: directors who have a personal relationshipby serving on the boards of other companies, have a business tradingrelationship as key customers or suppliers, have a financial relationship asprimary stockholders or have received personal loans, or have anoperational relationship as employees

Questionable Executive Compensation Schemes: short-term stock optionsas compensation scheme result in short-term strategies aimed at drivingup stock prices at the expense of the firms long-term health.

Inappropriate Accounting Practices: a characteristic common to manyfinancial statement fraud schemes. Enron made elaborate use of special purpose entities to hide liabilities

through off-balance-sheet accounting. WorldCom transferred transmission line costs from current expense

accounts to capital accounts, allowing them to defer some operatingexpenses and report higher earnings.


10/49


SarbanesSarbanes--Oxley ActOxley Act Signed into law July 2002 Its principal reforms pertain to:

The creation of the Public Company Accounting Oversight

Board (PCAOB) Auditor independencemore separation between a firms

attestation and non-auditing activities Corporate governance and responsibilityaudit committee

members must be independent and the audit committeemust oversee the external auditors

Disclosure requirementsincrease issuer and managementdisclosure, including off-the-balance items

New federal crimes for the destruction of or tampering withdocuments, securities fraud, and actions againstwhistleblowers


11/49


12/49


Why Fraud OccursWhy Fraud Occurs-- Fraud TriangleFraud Triangle

Situational

Pressures e.g.

an employee is

experiencing

financial difficulties

Available

Opportunities e.g poor

internal controls

Rationalisation

personal morals ofindividual

employees


13/49


14/49


Management FraudManagement Fraud

It is perpetrated at levels of management above the one to

which internal control structure relates. It frequently involves using the financial statements to

create an illusion that an entity is more healthy andprosperous than it actually is.

If it involves misappropriation of assets, it frequently isshrouded in a maze of complex business transactions.


15/49


Fraud SchemesFraud Schemes

Three categories of fraud schemes

according to the Association ofCertified Fraud Examiners:

A. fraudulent statementsB. corruption

C. asset misappropriation


16/49


A. Fraudulent StatementsA. Fraudulent Statements

Misstating the financial statements tomake the copy appear better than it is

Usually occurs as management fraud

May be tied to focus on short-termfinancial measures for success

May also be related to management bonus

packages being tied to financialstatements


17/49


B. CorruptionB. Corruption

Examples:

bribery illegal gratuities

conflicts of interest

economic extortion


18/49


19/49


Computer FraudComputer Fraud

Theft, misuse, or misappropriation of assets by alteringcomputer data

Theft, misuse, or misappropriation of assets by alteringsoftware programming

Theft or illegal use of computer data/ information

Theft, corruption, illegal copying or destruction ofsoftware or hardware

Theft, misuse, or misappropriation of computer hardware


20/49


Using the general IS model, explain how fraud can occur

at the different stages of information processing?


21/49


Input ManipulationInput Manipulation

This phase of the system is most vulnerablebecause it is very easy to change data as it is

being entered into the system.

Often referred to as Data Diddling

Requires low level of computer expertise.

Also, GIGO (garbage in, garbage out)reminds us that if the input data isinaccurate, processing will result ininaccurate output.


22/49


Program ManipulationProgram Manipulation

Program Frauds

Altering programs to allow illegal access to and/ormanipulation of data files

Destroying programs with a virus e.g Trojan Horse

Requires perpetrators to have program-specific knowledge.

Operations Frauds misuse of company computer resources, such as using the

computer for personal business


23/49


Output ManipulationOutput Manipulation

Effected by targeting the output of the

computer system. Achieved by falsifying instructions to the

computer at the input stage.

E.g.Encoding falsified information on the back of

bank cards & credit cards.

Salami Technique


24/49


Information Generation FraudInformation Generation Fraud

Stealing, misdirecting, or misusing computer output

Scavenging searching through the trash cans on the

computer center for discarded output (the outputshould be shredded, but frequently is not)


25/49


Internal Control Objectives According to SASInternal Control Objectives According to SASNo. 78No. 78

1. Safeguard assets of the firm2. Ensure accuracy and reliability of accountingrecords and information

3. Promote efficiency of the firms operations

4. Measure compliance with managementsprescribed policies and procedures


26/49


Modifying Assumptions to the Internal ControlModifying Assumptions to the Internal Control

ObjectivesObjectives

Management Responsibility

The establishment and maintenance of a system of internal control is theresponsibility of management.

Reasonable Assurance

The cost of achieving the objectives of internal control should notoutweigh its benefits.

Methods of Data Processing

The techniques of achieving the objectives will vary with different typesof technology.


27/49


Limitations of Internal ControlsLimitations of Internal Controls

Possibility of honest errors

Circumvention via collusion Management override

Changing conditions--especially in companies

with high growth


28/49


Exposures of Weak Internal Controls (Risk)Exposures of Weak Internal Controls (Risk)

Destruction of an asset

Theft of an asset

Corruption of information

Disruption of the information system


29/49


The Internal Controls ShieldThe Internal Controls Shield


30/49


Preventive, Detective, and Corrective ControlsPreventive, Detective, and Corrective Controls

Undesirable Events

Levels

of

Control

Corrective

Preventive Preventive Preventive Preventive

Corrective Corrective

Detective Detective Detective


31/49


Auditing StandardsAuditing Standards

Auditors are guided by GAAS(Generally Accepted AuditingStandards)

3 classes of standards

general qualification standards

field work standards

reporting standards

For specific guidance, auditors use the AICPAs SASs(Statements on Auditing Standards)


32/49


SAS No. 78SAS No. 78

Describes the relationship between the firms

internal control structure, auditors assessment of risk, and

the planning of audit procedures

How do these three interrelate?

The weaker the internal control structure, the higher theassessed level of risk; the higher the risk, the more auditorprocedures applied in the audit. AIS is particularly concerned

with the internal control structure.


33/49


Five Internal Control Components: SAS No.Five Internal Control Components: SAS No.7878

1. Control environment

2. Risk assessment

3. Information and communication

4. Monitoring

5. Control activities


34/49


1: The Control Environment1: The Control Environment

Integrity and ethics of management

Organizational structure

Role of the board of directors and the audit committee

Managements policies and philosophy

Delegation of responsibility and authority

Performance evaluation measures

External influences--regulatory agencies

Policies and practices managing human resources


35/49


2: Risk Assessment2: Risk Assessment

Identify, analyze and manage risks relevant tofinancial reporting: changes in external environment

risky foreign markets

significant and rapid growth that strain internalcontrols

new product lines

restructuring, downsizing

changes in accounting policies


36/49


3: Information and Communication3: Information and Communication

The AIS should produce high quality informationwhich: identifies and records all va l id transactions

provides t i m e l y information in appropriate detail topermit proper classification and financial reporting

accura te ly measures the financial value of transactions,

and accurately records transactions i n t h e t i m e p er i o d i n

w h i ch t h e y o ccu r r e d


37/49


Information and CommunicationInformation and Communication

Auditors must obtain sufficient knowledge of the IS to understand:

the classes of transactions that are material

how these transactions are initiated [input]

the associated accounting records and accounts used inprocessing [input]

the transaction processing steps involved from the initiation ofa transaction to its inclusion in the financial statements[process]

the financial reporting process used to compile financialstatements, disclosures, and estimates [output]

[red shows relationship to the AIS model]


38/49


4: Monitoring4: Monitoring

The process for assessing the quality of internal

control design and operation[This is feedback in the general AIS model.] Separate procedures--test of controls by internal auditors

Ongoing monitoring:

Computer modules integrated into routine operations Management reports which highlight trends and exceptions

from normal performance


39/49


40/49


In manual system, separation between:

authorizing and processing a transaction custody and recordkeeping of the asset

subtasks

In computerized system, segregation should

exist between: program coding

program processing

program maintenance

Segregation of DutiesSegregation of Duties


41/49


Authorization

Authorization

Authorization

Processing

Custody Recording

Task 1 Task 2 Task 2Task 1

Nested Control Objectives forNested Control Objectives for

TransactionsTransactions

Control

Objective 1

ControlObjective 2

ControlObjective 3

Custody Recording


42/49


Physical ControlsPhysical Controls

Authorization

used to ensure that employees are carrying out onlyauthorized transactions

general (everyday procedures) or specific (non-routinetransactions) authorizations

Supervision a compensation for lack of segregation; some may be

built into computer systems


43/49


Accounting Records

provide an audit trailAccess Controls

help to safeguard assets by restricting physical accessto them

Independent Verification reviewing batch totals or reconciling subsidiary accounts

with control accounts

Physical ControlsPhysical Controls


44/49


Internal Controls inInternal Controls in CBISsCBISs

Transaction Authorization

The rules are often embedded within computerprograms.

EDI/JIT: automated re-ordering of inventory without

human intervention


45/49



Segregation of Duties

A computer program may perform many tasks thatare deemed incompatible.

Thus the crucial need to separate program

development, program operations, and programmaintenance.


46/49



Supervision

The ability to assess competent employeesbecomes more challenging due to the greatertechnical knowledge required.


47/49



Accounting Records

ledger accounts and sometimes source documentsare kept magnetically

no audit trail is readily apparent


48/49



Access Control

Data consolidation exposes the organization tocomputer fraud and excessive losses from disaster.


49/49



Independent Verification

When tasks are performed by the computer ratherthan manually, the need for an independent check isnot necessary.

However, the programs themselves are checked.

ethics fraud

Documents