CHAPTER 3: Ethics, Fraud, and Internal Control
Key Terms
Access controls: Controls that ensure that only authorized personnel have access to the firm’s assets.
Accounting records: Document, journal, or ledger used in transaction cycles.
Computer ethics: Analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology. Includes details about software as well as hardware and concerns about networks connecting computers as well as computers themselves.
Application controls: Application controls ensure the integrity of specific systems such as sales order processing, accounts payable, and payroll applications.
Audit trail controls: Ensures that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements.
Batch controls: Effective method of managing high volumes of transaction data through a system.
Billing schemes: Schemes under which an employee causes the employer to issue a payment to a false supplier or vendor by submitting invoices for fictitious goods/services, inflated invoices, or invoices for personal purchases.
Bribery: Giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties.
Business ethics: Pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong.
Cash larceny: Theft of cash receipts from an organization after those receipts have been recorded in the organization’s books and records.
Check digit: Method for detecting data coding errors in which a control digit is added to the code when it is originally designed to allow the integrity of the code to be established during subsequent processing.
Check tampering: Forging, or changing in some material way, a check that was written to a legitimate payee.
Committee of Sponsoring Organizations of the Treadway Commission: The Committee of Sponsoring Organizations of the Treadway Commission is a joint initiative to combat corporate fraud. COSO has established a common internal control model against which companies and organizations may assess their control
Computer fraud: Theft, misuse, or misappropriation of assets by altering computer-readable records and files, or by altering the logic of computer software; the illegal use of computer-readable information; or the intentional destruction of computer software or hardware.
Conflict of interest: Outline of procedures for dealing with actual or apparent conflicts of interest between personal and professional relationships.
Control activities: Policies and procedures to ensure that appropriate actions are taken to deal with the organization’s risks.
Control environment: The foundation of internal control.
Control weaknesses: A deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.
Corrective controls: Actions taken to reverse the effects of errors detected.
Corruption: Involves an executive, manager, or employee of the organization in collusion with an outsider. The ACFE study identifies four principal types of corruption: bribery, illegal gratuities, conflicts of interest, and economic extortion. Corruption accounts for about 10 percent of occupational fraud cases.
Detective controls: Devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.
Economic extortion: Use (or threat) of force (including economic sanctions) by an individual or organization to obtain something of value. The item of value could be a financial or economic asset, information, or cooperation to obtain a favorable decision on some matter under review.
Employee fraud: Performance fraud by a nonmanagement employee, generally designed to directly convert cash or other assets to the employee’s personal benefit.
Ethical Responsibility: Responsibility of organization managers to seek a balance between the risks and benefits to their constituents that result from their decision.
Ethics: Principles of conduct that individuals use in making choices that guide their behavior in situations involving the concepts of right and wrong.
Expense Reimbursement Frauds: Claiming reimbursement of fictitious or inflated business expenses.
Exposure: Absence or weakness of a control.
Fraud: False representation of a material fact made by one party to another party, with the intent to deceive and induce the other party to justifiably rely on the material fact to his or her detriment.
Fraud Triangle: Triad of factors associated with management and employee fraud: situational pressure (includes personal or job-related stresses that could coerce an individual to act dishonestly); opportunity (involves direct access to assets and/or access to information that controls assets); and ethics (pertains to one's character and degree of moral opposition to acts of dishonesty).
Fraudulent Statements: Statements related to a material fact and known to be untrue or made with reckless indifference as to its truth or falsity.
General Controls: Controls that pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance.
Grandfather-Father-Son: A backup technique employed by systems that use sequential master files (whether tape or disk). It is an integral part of the master file update process.
Hash Total: Control technique that uses nonfinancial data to keep track of the records in a batch.
Illegal Gratuity: Giving, receiving, offering, or soliciting something of value because of an official act that has been taken.
Input Controls: Programmed procedures, often called edits, that perform tests on transaction data to ensure that they are free from errors.
Internal Control System: Policies a firm employs to safeguard the firm’s assets, ensure accurate and reliable accounting records and information, promote efficiency, and measure compliance with established policies.
Lapping: Use of customer checks, received in payment of their accounts, to conceal cash previously stolen by an employee.
Mail Room Fraud: Fraud committed when an employee opening the mail steals a customer’s check and destroys the associated remittance advice.
Management Fraud: Performance fraud that often uses deceptive practices to inflate earnings or to forestall the recognition of either insolvency or a decline in earnings.
Monitoring: Process by which the quality of internal control design and operation can be assessed.
Non-cash Fraud: Schemes that involve the theft or misuse of the victim organization’s non-cash assets (e.g., inventory, confidential information).
Output Controls: A combination of programmed routines and other procedures to ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated.
Ownership: State or fact of exclusive rights and control over property, which may be an object, land/real estate, intellectual property, or some other kind of property.
Pass-through Fraud: Similar to shell company except that a transaction actually takes place. The perpetrator creates a false vendor and issues purchase orders to it for inventory or supplies. The false vendor purchases the needed inventory from a legitimate vendor, charges the victim company a much higher than market price for the items, and pockets the difference.
Pay-and-Return: Scheme under which a clerk with check writing authority pays a vendor twice for the same products (inventory or supplies) received, then intercepts and cashes the overpayment returned by the vendor.
Payroll Fraud: Distribution of fraudulent paychecks to existent and/or nonexistent employees.
Preventive controls: Passive techniques designed to reduce the frequency of occurrence of undesirable events.
Privacy: Full control of what and how much information about an individual is available to others and to whom it is available.
Processing controls: An engineering mechanism that uses continuous monitoring of an industrial process' operational variables (e.g., temperature, pressure, chemical content) and algorithms and then uses that information to adjust variables to reach product output specifications and objectives.
Public Company Accounting Oversight Board (PCAOB): Federal organization empowered to set auditing, quality control, and ethics standards; to inspect registered accounting firms; to conduct investigations; and to take disciplinary actions.
Reasonable assurance: Assurance provided by the internal control system that the four broad objectives of internal control are met in a cost-effective manner.
Risk assessment: Identification, analysis, and management of risks relevant to financial reporting.
Run-to-run controls: Controls that use batch figures to monitor the batch as it moves from one programmed procedure to another.
Sarbanes-Oxley Act (SOX): Most significant federal securities law, with provisions designed to deal with specific problems relating to capital markets, corporate governance, and the auditing profession.
Security: Attempt to avoid such undesirable events as a loss of confidentiality or data integrity.
Segregation of duties: Separation of employee duties to minimize incompatible functions.
Shell company: Establishment of a false vendor on the company’s books, then manufacturing false purchase orders, receiving reports, and invoices in the name of the vendor and submitting them to the accounting system, creating the illusion of a legitimate transaction. The system ultimately issues a check to the false vendor.
Skimming: Stealing cash from an organization before it is recorded on the organization’s books and records.
Spooling: Direction of an application’s output to a magnetic disk file rather than to the printer directly.
Statement on Auditing Standards (SAS) No. 109: The current authoritative document for specifying internal control objectives and techniques.
Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit: Authoritative document that defines fraud as an intentional act that results in a material misstatement in financial statements.
Supervision: Control activity involving the critical oversight of employees.
Thefts of cash: Direct theft of cash on hand in the organization.
Transaction authorization: A procedure to ensure that employees process only valid transactions within the scope of their authority.
Transcription errors: Type of errors that can corrupt a data code and cause processing errors.
Transposition errors: An error that occurs when digits are transposed.
Vendor fraud: Schemes under which an employee causes the employer to issue a payment to a false supplier or vendor by submitting invoices for fictitious goods/services, inflated invoices, or invoices for personal purchases.
Verification procedures: Independent checks of the accounting system to identify errors and misrepresentations.

REVIEW QUESTIONS

1. What is ethics?
Ethics pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong.

2. What is business ethics?
Business ethics involves finding the answers to two questions: (1) How do managers decide what is right in conducting their business? and (2) once managers have recognized what is right, how do they achieve it?

3. What are the four areas of ethical business issues?
Ethical issues in business can be divided into four areas: equity, rights, honesty, and the exercise of corporate power.

4. What are the main issues to be addressed in a business code of ethics required by the Securities and Exchange Commission?
The main issues to be addressed in a business code of ethics are conflict of interest, accountability, full and fair disclosure, legal compliance, and reporting of code violations. Proportionality, justice, minimize risk.

5. What are the three ethical principles that may provide some guidance for ethical responsibility?
Proportionality, justice, and minimize risk.

6. What is computer ethics?
Computer ethics is “the analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology. This includes concerns about software as well as hardware and concerns about networks connecting computers as well as the computers themselves.”

7. How do the three levels of computer ethics - pop, para, and theoretical - differ?
Pop computer ethics is simply the exposure to stories and reports found in the popular media regarding the good or bad ramifications of computer technology. Para computer ethics involves taking a real interest in computer ethics cases and acquiring some level of skill and knowledge in the field. Theoretical computer ethics is of interest to multidisciplinary researchers who apply the theories of philosophy, sociology, and psychology to computer science with the goal of bringing some new understanding to the field.

8. Are computer ethical issues new problems or just a new twist on an old problem?
Some argue that all pertinent ethical issues have already been examined in some other domain. For example, the issue of property rights has been explored and has resulted in copyright, trade secret, and patent laws. Although computer programs are a new type of asset, many believe that these programs should be considered no differently from other forms of property.

9. What are the computer ethical issues regarding privacy?
People desire to be in full control of what and how much information about themselves is available to others, and to whom it is available. This is the issue of privacy. The creation and maintenance of huge, shared databases make it necessary to protect people from the potential misuse of data. This raises the issue of ownership in the personal information industry.

10. What are the computer ethical issues regarding security?
The ethical issues involving security arise from the emergence of shared, computerized databases that have the potential to cause irreparable harm to individuals by disseminating inaccurate information to authorized users, such as through incorrect credit reporting. The ethical issues regarding computer security center on unauthorized access to systems and databases. Individuals can be harmed by the dissemination of inaccurate information to authorized users, and/or accurate information to unauthorized users. Security can be used to protect systems and personal information, but it can also restrict legitimate access.

11. What are the computer ethical issues regarding ownership of property?
Copyright laws have been invoked in an attempt to protect those who develop software from having it copied. However, many believe the copyright laws can cause more harm than good. Part of the problem lies in the uniqueness of software, its ease of dissemination, and possibility of exact replication.

12. What are the computer ethical issues regarding equity in access?
Several factors, some of which are not unique to information systems, can limit access to computing technology. Economic status of the individual or the affluence of an organization. Culture also limits access, for example, when documentation is prepared in only one language or is poorly translated. Safety features, or the lack thereof.

13. What are the computer ethical issues regarding the environment?
Production of printed documents using paper. However, paper comes from trees, which are considered a precious natural resource, and ends up in landfills if not properly recycled.

14. What are the computer ethical issues regarding artificial intelligence?
As decision makers or replacements for experts, some people rely on expert systems significantly. Both knowledge and domain experts must be concerned about their responsibility for faulty decisions, incomplete or inaccurate knowledge bases, and the role given to computers in the decision-making process. And because expert systems attempt to clone a manager's decision style, an individual's prejudices may implicitly or explicitly be included in the knowledge base.

15. What are the computer ethical issues regarding unemployment and displacement?
In the new age of technology, people are thoroughly dependent upon computers to get work done. In every field the importance of computers has increased day by day. Today, society adopts computers wholeheartedly. Computers have made a great change in today’s ways of living. In an organization, management may favor the use of technology for improving product output, which may be the cause of elimination of jobs and employees.

16. What are the computer ethical issues regarding misuse of computers?
Engaging in illegal activities through computers, committing crimes, copying genuine software, employees using the company’s computer for personal benefit, and spying on others to check their personal data are a few examples of misusing computers.

17. What is the objective of Statement on Auditing Standards No. 99?
The objective of SAS 99 is to seamlessly blend the auditor's consideration of fraud into all phases of the audit process. It also requires the auditor to perform new steps such as brainstorming during audit planning to assess the potential risk of material misstatement of the financial statements from fraud schemes.

18. What are the five conditions that constitute fraud under common law?
   A. False representation. There must be a false statement or a nondisclosure.
   B. Material fact. A fact must be a substantial factor in inducing someone to act.
   C. Intent. Intent to deceive or the knowledge that one's statement is false.
   D. Justifiable reliance. Misrepresentation must have been a substantial factor on which the injured party relied.
   E. Injury or loss. Deception must have caused injury or loss to the victim of fraud.

19. Name the three fraud-motivating forces.
The three fraud-motivating forces are: (1) Situational Pressure, (2) Opportunity, and (3) Ethics.

20. What is employee fraud?
Employee fraud, or fraud by nonmanagement employees, is generally designed to directly convert cash or other assets to the employee’s personal benefit. Typically, the employee circumvents the company’s internal control system for personal gain. If a company has an effective system of internal control, defalcations or embezzlements can usually be prevented or detected.

21. What is management fraud?
Management fraud is more insidious than employee fraud because it often escapes detection until the organization has suffered irreparable damage or loss. Management fraud usually does not involve the direct theft of assets. Top management may engage in fraudulent activities to drive up the market price of the company’s stock. This may be done to meet investor expectations or to take advantage of stock options that have been loaded into the manager’s compensation package.
The Commission on Auditors’ Responsibilities calls this performance fraud, which often involves deceptive practices to inflate earnings or to forestall the recognition of either insolvency or a decline in earnings. Lower-level management fraud typically involves materially misstating financial data and internal reports to gain additional compensation, to garner a promotion, or to escape the penalty for poor performance.

22. What three forces constitute the triangle of fraud?
The fraud triangle consists of three factors that contribute to or are associated with management and employee fraud. These are (1) situational pressure, which includes personal or job-related stresses that could coerce an individual to act dishonestly; (2) opportunity, which involves direct access to assets and/or access to information that controls assets; and (3) ethics, which pertains to one’s character and degree of moral opposition to acts of dishonesty.

23. How can external auditors attempt to uncover motivations for committing fraud?
External auditors can use a checklist of red-flag items that may help to uncover motivations for committing fraud. It consists of the following types of questions:
   1. Do key executives have unusually high personal debt?
   2. Do key executives appear to be living beyond their means?
   3. Do key executives engage in habitual gambling?
   4. Do key executives appear to abuse alcohol or drugs?
   5. Do any of the key executives appear to lack personal codes of ethics?
   6. Are economic conditions unfavourable within the company’s industry?
   7. Does the company use several different banks, none of which sees the company’s entire financial picture?
   8. Do any key executives have close associations with suppliers?
   9. Is the company experiencing a rapid turnover of key employees, either through resignation or termination?
   10. Do one or two individuals dominate the company?

24. What is lapping?
Use of customer checks, received in payment of their accounts, to conceal cash previously stolen by an employee. Lapping is usually detected when the employee leaves the organization or becomes sick and must take time off from work. Unless the fraud is perpetuated, the last customer to have funds diverted from his or her account will be billed again, and the lapping technique will be detected. Employers can deter lapping by periodically rotating employees into different jobs and forcing them to take scheduled vacations.

25. What is collusion?
Collusion is when two or more parties unrightfully cooperate and involve themselves in a secret agreement for a purpose which is deceitful, illegal, or fraudulent. It is also a form of plagiarism. They do this for the settlement that they made among themselves for deceiving, misleading, or defrauding others of their legal rights or to obtain an objective that is forbidden by law or to gain an unfair advantage. It is quite difficult to prevent and detect, but one way of doing so is to structure the organization in such a way that collusion can only happen between two or more individuals with incompatible responsibilities and tasks for these responsibilities are done physically as well.

26. What is bribery?
Bribery is the giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties. It defrauds the entity (business organization or government agency) of the right to honest and loyal services from those employed by it.

27. What is economic extortion?
It is a kind of fraud where the perpetrator (employee) demands payment from a vendor to influence or make the decision of a company in favor of the vendor.

28. What is a conflict of interest?
A conflict of interest occurs when an employee acts on behalf of a third party during the discharge of his or her duties or has self-interest in the activity being performed. Examples are bribery and illegal gratuities.

29. Define check tampering.
A scheme in which an employer steals company funds by intercepting, forging, or altering a check drawn on one of the organization's bank accounts.

30. What is billing (or vendor) fraud?
It occurs when an employee submits personal, fake, or inflated invoices for goods or services to the employer.

31. Define cash larceny.
The intentional taking of an employer's cash without the consent and against the will of the employer.

32. What is skimming?
Skimming involves stealing cash from an organization before it is recorded on the organization’s books and records. An example is mail room fraud in which an employee opening the mail steals a customer’s check and destroys the associated remittance advice.

33. What are the four broad objectives of internal control?
The four broad objectives of internal control are:
   1. To safeguard assets of the firm
   2. To ensure the accuracy and reliability of accounting records and information
   3. To promote efficiency in the firm’s operations
   4. To measure compliance with management’s prescribed policies and procedures

34. What are the four modifying assumptions that guide designers and auditors of internal control systems?
The four modifying assumptions are the following:
   1. Management Responsibility
   2. Reasonable Assurance
   3. Methods of Data Processing
   4. Limitations

35. Give an example of a preventive control.
Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss. An example of preventive control is Segregation of Duties, where duties are segregated among different people to reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions, recording transactions (accounting), and handling the related asset (custody) are divided.

36. Give an example of a detective control.
Detective controls attempt to detect undesirable acts.
They provide evidence that a loss has occurred but do not prevent a loss from occurring. An example of detective control is Reviews of Performance, where management compares information about current performance to budgets, forecasts, prior periods, or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions that require follow-up.

37. Give an example of a corrective control.
An example of corrective control would be: Manual procedures to correct a batch that is not accepted because of an incorrect social security number. A clerical worker would need to investigate and determine either the correct hash total or the correct social security number that should be entered. A responsible party is then needed to read exception reports and follow up on anomalies.

38. What are management’s responsibilities under sections 302 and 404?
Sec 302, Corporate Responsibility for Financial Reports: The act requires a company's CEO and CFO to personally certify that all records are complete and accurate. Specifically, they must confirm that they accept personal responsibility for all internal controls and have reviewed these controls in the past 90 days.
Sec 404, Management Assessment of Internal Control: The final audit report shall have a report of management's assessment of internal control over financial reporting. Stress is on management's certification that appropriate internal controls are in place that can effectively detect or prevent errors or fraud that could result in material misstatements in the financial statements.

39. What are five internal control components described in the COSO framework?
Five objectives of an acceptable system of internal controls, which are:
   1. Control environment
   2. Risk assessment
   3. Control activities
   4. Information and communication
   5. Monitoring activities

40. What are the six broad classes of physical control activities defined by COSO?
   1. Transaction authorization
   2. Segregation of duties
   3. Supervision
   4. Accounting records
   5. Access controls
   6. Independent verification

41. What is the purpose of a valid vendor file?
Prevents unauthorized purchases from unapproved vendors.

42. Give one example of an error that a check digit control detects.
A check digit is a form of redundancy check used for error detection on identification numbers, such as bank account numbers, which are used in an application where they will at least sometimes be input manually. It is analogous to a binary parity bit used to check for errors in computer-generated data.

43. What are the primary objectives of a batch control?
The objective of batch control is to reconcile output produced by the system with the input originally entered into the system. This provides assurance that:
   a. All records in the batch are processed
   b. No records are processed more than once
   c. An audit trail of transactions is created from input through processing to the output stage of the system.

44. If all of the inputs have been validated before processing, then what purpose do run-to-run controls serve?
The run-to-run control is a control device to ensure that no records are lost, unprocessed, or processed more than once for each of the computer runs (processes) that the record must flow through.

45. What is the objective of a transaction log?
The system triggers some transactions internally. For example, when inventory drops below the reorder point, the system automatically generates a purchase requisition. The objective is to maintain an audit trail of these activities where all internally generated transactions must be placed in a transaction log.

46. How can spooling present an added exposure?
Spooling presents an added exposure by the creation of an output file as an intermediate step in the printing process.

47. What is the purpose of a limit check?
Limit checks are used to identify field values that exceed an authorized limit.

48. What is the purpose of a range check?
It is to detect keystroke errors by data entry clerks.

49. What is a validity check?
A validity check compares actual field values against known acceptable values. This control is used to verify such things as transaction codes, state abbreviations, or employee job skill codes. If the value of the field does not match one of the acceptable values, the record is flagged as an error.

50. What information would a batch control record contain?
The control record contains relevant information about the batch, such as:
   - A unique batch number
   - A batch date
   - A transaction code
   - The number of records in the batch
   - The total dollar value of a financial field
   - The total of a unique nonfinancial field

DISCUSSION QUESTIONS

1. Distinguish between ethical issues and legal issues.
Ethical issues are typically derived from personal feelings and judgements of what is right and what is wrong. These feelings and beliefs are not typically universally agreed upon. Business ethics include principles of conduct that a person will use in order to make choices of right and wrong and will answer two questions: how do managers decide what is right in conducting business? And once managers have recognized right, how is this achieved? Legal issues, on the other hand, can derive from unethical judgement, but are seen as something that goes against legal standards.

2. Some argue against corporate involvement in socially responsible behavior because the costs incurred by such behavior place the organization at a disadvantage in a competitive market. Discuss the merits and flaws of this argument.
Managers are hired to maximize the profits for their organization and shareholders. Hence, if they tend to indulge in activities which are more socially responsible, for example paying higher wages to their workers and charging less for their products, this would lead to diminished profit for the company.
Managers can devote their time and resources in achieving organization goals instead of being diverted by socially responsible activities. Companies may misuse the concept of CSR by engaging in what is known as greenwashing, where the firm talks and advertises about being socially responsible to the environment and people but in reality it is not actually executed. The costs of socially responsible behavior include those associated with environmental protection, improving worker safety, and affirmative action. In the short run, when one firm incurs these costs and its competitor does not, the latter has a competitive advantage over the former. However, the socially responsive firm can maximize its profitability in the long run by accruing goodwill in society and avoiding the negative effects of government regulations.

3. Although top management’s attitude toward ethics sets the tone for business practice, sometimes it is the role of lower-level managers to uphold a firm’s ethical standards. John, an operations-level manager, discovers that the company is illegally dumping toxic materials and is in violation of environmental regulations. John’s immediate supervisor is involved in the dumping. What action should John take?
Normally, the resolution of an ethical problem on the job would involve consultation between the subordinate and the immediate supervisor. When the supervisor is part of the problem, the matter should be taken to the next higher-level person in the organization structure.

4. When a company has a strong internal control structure, stockholders can expect the elimination of fraud. Comment on the soundness of this statement.
A strong internal control structure provides a very good shield against fraud. However, these shields are not 100 percent bulletproof, especially when employees collude and/or top management is involved. A strong internal control structure coupled with good employee morals and ethics is the best deterrence against fraud.
5. Distinguish between employee fraud and management fraud.
Employee fraud is committed by non-management employees, and it is generally designed to directly convert cash and other assets for the employee's personal benefit. In cases of employee fraud, weak internal controls are usually present. Management frauds, however, are usually committed at a level above the one to which internal controls generally relate. These frauds are typically shrouded in a nexus of transactions and are difficult to disentangle.

6. The estimates of losses annually resulting from computer fraud vary widely. Why do you think obtaining a good estimate of this figure is difficult?
The top management team of publicly traded organizations is often reluctant to publicly admit that they have been the victim of computer crime because of fear of public opinion regarding their internal control structure. Also, many organizations may not be fully aware of the extent of their damages due to computer fraud.

7. How has the Sarbanes-Oxley Act had a significant impact on corporate governance?
The Sarbanes-Oxley Act of 2002 (SOX) has had a significant impact on strategic management practices and strategies. SOX, passed in 2002, was intended to prevent scandals such as the Enron accounting fraud. It tried to prevent fraud in accounting, increase people's confidence in the financial reports of public companies, and safeguard shareholders. It created new laws about internal financial reporting and new requirements for financial audits of public companies. One of the most important effects of the law was that it made boards more powerful than management.

8. Discuss the concept of exposure and explain why firms may tolerate some exposure.
Exposure is the absence or weakness of an internal control. Some firms may tolerate some exposure to determine control procedures that need to be developed so that they decrease risk to a level where management can accept the exposure to that risk.
9. If detective controls signal error flags, why shouldn’t these types of controls automatically make a correction in the identified error? Why are corrective controls necessary?
Linking a corrective action to a detected error, as an automatic response, may result in an incorrect action that causes a worse problem than the original error. For this reason, error correction should be viewed as a separate control step that should be taken cautiously.
Necessity of corrective control: There are three types of internal controls: preventive, detective and corrective controls. Corrective controls are used to restore the process to its state prior to the harmful event. To understand the necessity of the corrective control, consider the following example: “Quantity = 5; Price = $10; Total = $500”. Corrective controls take actions to reverse the effects of the errors detected.

10. Discuss the non-accounting services that external auditors are no longer permitted to render to audit clients.
Auditing firms that are also engaged by their clients to perform non-accounting services such as actuarial services, internal audit outsourcing services, and consulting, lack independence. They are essentially auditing their own work. These services are no longer permitted since auditors may not bring to management's attention detected problems that may adversely affect their consulting fees.

11. Discuss whether a firm with fewer employees than there are incompatible tasks should rely more heavily on general authority than specific authority.
Small firms with fewer employees than there are incompatible tasks should rely more heavily on specific authority. More approvals of decisions by management and increased supervision should be imposed in order to compensate somewhat for the lack of separation of duties.

12. An organization’s internal audit department is usually considered an effective control mechanism for evaluating the organization’s internal control structure.
The Birch Company’s internal auditing function reports directly to the controller. Comment on the effectiveness of this organization structure.
The Controller of an organization is the Chief Financial Officer, who is responsible for all the financial aspects like accounting, statements, payroll, etc. When an internal auditor reports directly to the CFO of the company, the situation creates a potential conflict as it undermines the internal auditor’s position. An internal auditor is expected to have an objective view, which may not be possible when the boss is the controller of the company.

13. According to COSO, the proper segregation of functions is an effective internal control procedure. Comment on the exposure (if any) caused by combining the tasks of paycheck preparation and distribution to employees.
If a payroll employee were to prepare a paycheck for a nonexistent employee, which is known as “ghost employee” fraud, and this employee also has the task of distributing the checks, then no one would be the wiser. On the other hand, if the checks go directly to another person, who then distributes the paychecks, the extra check should be discovered.

14. Explain the five conditions necessary for an act to be considered fraudulent.
1. False representation - there must be a false statement or a nondisclosure
2. Material fact - a fact must be a substantial factor in inducing someone to act
3. Intent - there must be an intent to deceive or the knowledge that one’s statement is false
4. Justifiable reliance - the misrepresentation must have been a substantial factor on which the injured party relied
5. Injury or loss - the deception must have caused injury or loss to the victim of the fraud

15. Distinguish between exposure and risk.
The absence or weakness of a control is called an exposure. Exposures, which are illustrated as holes in the control shield, increase the firm’s risk of financial loss or injury from undesirable events.
A weakness in internal control may expose the firm to one or more of the following types of risks:
1. Destruction of assets (both physical assets and information).
2. Theft of assets.
3. Corruption of information or the information system.
4. Disruption of the information system.

16. Explain the characteristics of management fraud.
It often escapes detection until the organization has suffered irreparable damage or loss. Management fraud usually does not involve the direct theft of assets. There are three special characteristics of management fraud.
1. The fraud is perpetrated at levels of management above the one to which internal control structures generally relate.
2. The fraud frequently involves using the financial statements to create an illusion that an entity is healthier and more prosperous than, in fact, it is.
3. If the fraud involves misappropriation of assets, it frequently is shrouded in a maze of complex business transactions, often involving related third parties.

17. The text identifies a number of personal traits of managers and other employees that might help uncover fraudulent activity. Discuss three traits.
The fraud triangle consists of three factors that contribute to or are associated with management and employee fraud. These are:
1. Situational pressure, which includes personal or job-related stresses that could coerce an individual to act dishonestly.
2. Opportunity, which involves direct access to assets and/or access to information that controls assets.
3. Ethics, which pertains to one’s character and degree of moral opposition to acts of dishonesty.
An individual with a high level of personal ethics, who is confronted with low pressure and limited opportunity to commit fraud, is more likely to behave honestly than one with weaker personal ethics, who is under high pressure and exposed to greater fraud opportunities.

18. Give two examples of employee fraud and explain how the thefts might occur.
An example is stealing the cash received from a customer while entering the transaction as paid. Another example could be taking company products and selling them elsewhere in exchange for cash. Employee fraud usually involves three steps:
1. Stealing something of value
2. Converting the asset to a usable form such as cash
3. Concealing the crime to avoid detection

19. Discuss the fraud schemes of bribery, illegal gratuities and economic extortion.
Bribery involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties. It defrauds the entity of the right to honest and loyal services from those employed by it. Illegal gratuities involve giving, receiving, offering, or soliciting something of value because of an official act that has been taken. This is similar to a bribe, but the transaction occurs after the fact. On the other hand, economic extortion is the use of force by an individual or organization to obtain something of value. The item of value could be a financial or economic asset, information, or cooperation to obtain a favorable decision on some matter under review.

20. Distinguish between skimming and cash larceny.
Skimming involves stealing cash from an organization before it is recorded on the organization’s books and records, while cash larceny involves schemes in which cash receipts are stolen from an organization after they have been recorded in the organization’s books and records.
Additional information: Skimming may also be done to evade tax when the business owner does not record the sale and uses the cash from the customer directly for personal use. It is more difficult to detect as the act is performed before the cash receipt or sale is entered into the books.

21. Distinguish between shell company fraud and pass-through fraud.
Shell company fraud first requires that the perpetrator establish a false supplier on the victim company's books. The perpetrator then manufactures false purchase orders, receiving reports, and invoices in the name of the vendor and submits them to the accounting system, creating the illusion of a legitimate transaction. Pass-through fraud is similar to shell company fraud with the exception that a transaction actually takes place. Again, the perpetrator creates a false vendor and issues purchase orders to it for inventory or supplies. The false vendor then purchases the needed inventory from a legitimate vendor. The false vendor charges the victim company a much higher than market price for the items, but pays only the market price to the legitimate vendor. The difference is the profit that the perpetrator pockets.

22. Why are the computer ethics issues of privacy, security and property ownership of interest to accountants?
Privacy is a concern because the nature of computer data files makes it possible for unauthorized individuals to obtain information without it being recognized as "missing" from its original location. Security is a concern because its absence makes control from a privacy viewpoint questionable. In addition, lack of security may permit unauthorized changes to data, therefore distorting information that is reported. Property ownership raises issues of legitimacy of organizational software, valuation of assets, and questions of lost revenues.

23. A profile of fraud perpetrators prepared by the Association of Certified Fraud Examiners revealed that adult males with advanced degrees commit a disproportionate amount of fraud. Explain these findings.
According to the findings from the study provided by ACFE, adult males with advanced degrees commit a disproportionate amount of fraud, which is explained as follows:
Gender.
Women are not fundamentally more honest than men, but men occupy high corporate positions in greater numbers than women. This affords men greater access to assets.
Age. Older employees tend to occupy higher-ranking positions and therefore generally have greater access to company assets.
Education. Generally, those with more education occupy higher positions in their organizations and therefore have greater access to company funds and other assets.

24. Explain why collusion between employees and management in the commission of a fraud is difficult to both prevent and detect.
It is harder to detect collusion between the employee and management because it is the duty of management to detect and prevent fraud among their subordinates. It is also hard to prevent because of the opportunity management has to commit fraud.

25. Because all fraud involves some form of financial misstatement, how is fraudulent statement fraud different?
Fraudulent statement fraud is different because it involves financial misstatements made in order to present favorable financial statements, and it benefits the organization rather than the company.

26. Explain the problems associated with lack of auditor independence.
Auditing firms that are also engaged by their clients to perform non-accounting activities such as actuarial services, internal audit outsourcing services, and consulting, lack independence. The firms are essentially auditing their own work. The risk is that as auditors they will not bring to management’s attention detected problems that may adversely affect their consulting fees. For example, Enron’s auditors—Arthur Andersen—were also their internal auditors and their management consultants.

27. Explain the problems associated with lack of director independence.
Many boards of directors are composed of individuals who are not independent.
Examples of lack of independence are directors who have a personal relationship by serving on the boards of other directors’ companies; have a business trading relationship as key customers or suppliers of the company; have a financial relationship as primary stockholders or have received personal loans from the company; or have an operational relationship as employees of the company. A notorious example of corporate inbreeding is Adelphia Communications, a telecommunications company. Founded in 1952, it went public in 1986 and grew rapidly through a series of acquisitions. The founding family (John Rigas, CEO and chairman of the board; Timothy Rigas, CFO, Chief Administrative Officer, and chairman of the audit committee; Michael Rigas, Vice President for operations; and J.P. Rigas, Vice President for strategic planning) perpetrated the fraud. Between 1998 and May 2002, the Rigas family successfully disguised transactions, distorted the company’s financial picture, and engaged in embezzlement that resulted in a loss of more than $60 billion to shareholders. Although it is neither practical nor wise to establish a board of directors that is totally void of self-interest, popular wisdom suggests that a healthier board of directors is one in which the majority of directors are independent outsiders, with the integrity and the qualifications to understand the company and objectively plan its course.

28. Explain the problems associated with questionable executive compensation schemes.
A Thomson Financial survey revealed the strong belief that executives have abused stock-based compensation. The consensus is that fewer stock options should be offered than is currently the practice. Excessive use of short-term stock options to compensate directors and executives may result in short-term thinking and strategies aimed at driving up stock prices at the expense of the firm’s long-term health.
In extreme cases, financial statement misrepresentation has been the vehicle to achieve the stock price needed to exercise the option. As a case in point, Enron’s management was a firm believer in the use of stock options. Nearly every employee had some type of arrangement by which he or she could purchase shares at a discount or was granted options based on future share prices. At Enron’s headquarters in Houston, televisions were installed in the elevators so employees could track Enron’s (and their own portfolio’s) success. Before the firm’s collapse, Enron executives added millions of dollars to their personal fortunes by exercising stock options.

29. Explain the problems associated with inappropriate accounting practices.
The use of inappropriate accounting techniques is a characteristic common to many financial statement fraud schemes. Enron made elaborate use of special-purpose entities to hide liabilities through off-balance-sheet accounting. Special-purpose entities are legal, but their application in this case was clearly intended to deceive the market. Enron also employed income-inflating techniques. For example, when the company sold a contract to provide natural gas for a period of two years, they would recognize all future revenue in the period when the contract was sold.

30. Explain the purpose of the Public Company Accounting Oversight Board.
SOX created a Public Company Accounting Oversight Board (PCAOB). The PCAOB is empowered to set auditing, quality control, and ethics standards; to inspect registered accounting firms; to conduct investigations; and to take disciplinary actions.

31. Why is an independent audit committee important to a company?
The audit committee is responsible for selecting and engaging an independent auditor, for ensuring that an annual audit is conducted, for reviewing the audit report, and for ensuring that deficiencies are addressed. Large organizations with complex accounting practices may need to create audit subcommittees that specialize in specific activities.

32. What are the key points of the “Issuer and Management Disclosure” of the Sarbanes-Oxley Act?
Public companies must report all off-balance-sheet transactions.
Annual reports filed with the SEC must include a statement by management asserting that it is responsible for creating and maintaining adequate internal controls and asserting to the effectiveness of those controls.
Officers must certify that the company’s accounts “fairly present” the firm’s financial condition and results of operations.
Knowingly filing a false certification is a criminal offense.

33. In this age of high technology and computer-based information systems, why are accountants concerned about physical (human) records?
- They relate the physical controls to the human activities that trigger those tasks or utilize the results of those tasks. All systems need actual human control every once in a while.

34. What are the classes of transcription error?
1. Addition errors – occur when an extra digit or character is added to the code.
2. Truncation errors – occur when a digit or character is removed from the end of a code.
3. Substitution errors – replacement of one digit in a code with another.

35. What is the purpose of a check digit?
- A check digit is a control digit (or digits) that is added to the data code when it is originally assigned. This allows the integrity of the code to be established during subsequent processing.

36. Does a hash total need to be based on a financial data field? Explain.
- No, it does not need to be based on a financial data field, because a hash total is the summation of a nonfinancial field to keep track of the records in a batch. Any numeric field, such as a customer’s account number, a purchase order number, or an inventory item number, may be used to calculate a hash total.

37. Explain the GFS backup technique.
Is it used for sequential files or direct access techniques?
- Grandfather-father-son (GFS) is used for sequential master files. The GFS backup technique begins when the current master file (the father) is processed against the transaction file to produce a new updated master file (the son). Note that the son is a physically different file from the father. With the next batch of transactions, the son becomes the current master file (the new father), and the original father becomes the backup file (grandfather).

MULTIPLE QUESTIONS

1. An example of a control designed to validate a transaction at the point of data entry is
a. recalculation of a batch total
b. a record count
c. a check digit
d. checkpoints
e. recalculation of hash total
Justification: Regarding the check digit, data codes are used extensively in transaction processing systems for representing such things as customer accounts, items of inventory, and general ledger accounts in the chart of accounts. If the data code of a particular transaction is entered incorrectly and goes undetected, then a transaction processing error will occur, such as posting to the wrong account.

2. Application controls are classified as
a. Input, processing, and output
b. Input, processing, output, and storage
c. Input, processing, output, and control
d. Input, processing, output, storage, and storage
e. Collecting, sorting, summarizing, and reporting
Justification: Input controls are programmed procedures (routines) that perform tests on transaction data to ensure that they are free from errors. After passing through the data input stage, transactions enter the processing stage of the system. Processing controls are programmed procedures and may be divided into three categories: batch controls, run-to-run controls, and audit trail controls. Output controls are a combination of programmed routines and other procedures to ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated.
3. Which of the following is NOT an element of the fraud triangle?
a. Ethics
b. Justifiable reliance
c. Situational pressure
d. Opportunity
e. All of the above are elements
Justification: The fraud triangle consists of three factors that contribute to or are associated with management and employee fraud. These are (1) situational pressure, which includes personal or job-related stresses that could coerce an individual to act dishonestly; (2) opportunity, which involves direct access to assets and/or access to information that controls assets; and (3) ethics, which pertains to one’s character and degree of moral opposition to acts of dishonesty. Justifiable reliance is one of the five conditions of a fraudulent act, in which the misrepresentation must have been a substantial factor on which the injured party relied.

4. How are transactions in real-time processing systems edited?
a. In a separate computer run
b. In online mode as transactions are entered
c. During a backup procedure
d. Not edited due to time constraints
e. Editing transactions in real-time is not necessary
C. Backup of the master file in a real-time processing system is considered difficult because transactions are processed in a continuous way, whereas the backup process is scheduled at particular intervals. While processing, the current version of the master file gets destroyed by a disk failure or gets corrupted due to some programming error, after which the master file can be reconstructed from the current backup file stored on the disk.

5. In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. The best control technique to detect this action using employee identification numbers would be to use a
a. Batch total
b. Record count
c. Hash total
d. Subsequent check
e. Final total
C.
Hash total is the addition of a nonfinancial field. It is used to keep track of the records. For example, the customer's account number of each transaction within a batch can be added to obtain a hash total. Such a hash total would not match if a perpetrator replaced a transaction with one of similar value, so the replacement could be detected.

6. Which of the following is often called compensating control?
a. Transaction authorization
b. Supervision
c. Accounting records
d. Segregation of duties
B. Usually a good internal control means that the incompatible tasks are all allotted to different employees. But in the case of a small organization with fewer personnel, it may not be possible. In such a scenario, the management may choose to compensate for the lack of segregation of duties with close supervision. A manager may be asked to oversee the roles of various subordinates across different functions. Hence, it is called compensating control.

7. The underlying assumption of reasonable assurance regarding implementation of internal control means that
a. Auditors are reasonably assured that fraud has not occurred in the period.
b. Auditors are reasonably assured that employee carelessness can weaken an internal control structure.
c. Implementation of the control procedure should not have a significant adverse effect on efficiency or profitability.
d. Management's assertions about control effectiveness should provide auditors with reasonable assurance.
e. A control applies reasonably well to all forms of computer technology.
Justification: When a company chooses to incorporate a good internal control system, the underlying assumption is that the cost of implementing such a procedure must not outweigh the benefits. In other words, the company should be able to meet the four objectives of having an internal control (safeguarding the assets, accurate and reliable data, increase in efficiency, and adherence to company policies) in a cost-effective manner.

8. Which of the following journal entries would a bookkeeper make to conceal the theft of cash receipts from customers in payment of their accounts?
   DR                       CR
a. Miscellaneous expense    Cash
b. Petty cash               Cash
c. Cash                     Accounts Receivable
d. Sales returns            Accounts Receivable
e. None of the above
Justification: For making the journal entries, the shopkeeper should have an idea related to the goods sold. If the sales returns are debited and accounts receivable are credited, then the bookkeeper will face no difficulty related to the receipts. It is because the bookkeeper will get the cost of goods after knowing the sales returns.

9. Which of the following is not an example of preventive control?
a. Separation of responsibilities for the recording, custodial, and authorization functions
b. Sound personnel practices
c. Documentation of policies and procedures
d. Password authentication software and hardware
e. Source documents for capturing sales data
Justification: Documentation of policies and procedures is a directive control.

10. Which of the following is NOT a segregation of duties violation?
Answer: A
a. The treasurer has the authority to sign checks but gives the signature block to the assistant treasurer to run the check-signing machine.
b. The warehouse clerk, who has custodial responsibility over inventory in the warehouse, selects the vendor and authorizes purchases when inventories are low.
c. The sales manager has the responsibility to approve credit and the authority to write off accounts.
d. The department time clerk is given the undistributed payroll checks to mail to absent employees.
No risk due to combination of tasks. The treasurer is responsible for having custody of the assets. The treasurer is not responsible for either authorizing or recording the transaction.
By delegating the task of signing the checks to the assistant treasurer, no violation of the principle of the separation of functions occurs, because the assistant treasurer does not authorize or record transactions either.

11. What name is given to computer programs that are used for checking the validity and accuracy of transaction data?
Answer: B
a. Operating System Program
b. Edit Programs
c. Compiler Programs
d. Integrated Test Programs
e. Interrogation Program
An application uses routines for checking the validity and accuracy of the transaction data. Edit programs are the programs which are designed for performing the editing and modification functions or the deletion of the data.

12. An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. The best application control to detect this error would be a
Answer: C
a. Batch Total
b. Missing Data Check
c. Completeness Check
d. Reasonableness Check
e. Compatibility Test
A completeness test checks that all data elements are entered before processing. An interactive system can be programmed to notify the user to enter the number before accepting the receiving report.

13. Which of the following controls would best prevent the lapping of accounts receivable?
Answer: A
a. Segregate duties so that the clerk responsible for recording in the accounts receivable subsidiary ledger has no access to the general ledger.
b. Request that customers review their monthly statements and report any unrecorded cash payments.
c. Require customers to send payments directly to the company’s bank.
d. Request that customers make checks payable to the company.
In order to prevent lapping, the duties of the clerk responsible for recording the accounts receivable subsidiary ledger should be segregated from that of recording in the general ledger. Fraud is a malicious act committed by people for their personal benefit. Fraud can be committed by people inside or outside the organization.

14. Ensuring that all material transactions processed by the information system are valid in accordance with management’s objectives is an example of
Answer: A. Transaction Authorization
Justification: An employee may be given the authority to initiate or approve any transaction. This is done in order to ensure that the transaction is valid and is in accordance with the policies and procedures of the organization. This is called transaction authorization. Hence, the correct option is a.

15. Which of the following is an example of an input control?
Answer: D. Performing a check digit test on a customer account number.
Justification: Input controls are programmed procedures that perform tests on transaction data to ensure that the data are free from errors. They are also called edits, which are designed into the system at various points depending on whether the processing is real time or batch. Input controls are placed in a real-time system at the data collection stage to monitor the data entered from the terminals. Historical transaction data must be error free for efficient processing.

16. Providing timely information about transactions in sufficient detail to permit proper classification and financial reporting is an example of
Answer: C. Information and communication.
Justification: An efficient accounting information system is used to initiate, classify and record the transactions related to the assets and liabilities. This timely, accurate and reliable information is very important for management to make decisions. The details about how a transaction is initiated, how it is processed and how it is classified are also required from the audit perspective.

17. The fraud scheme that is similar to the concept of "borrowing from Peter to pay Paul" is
Answer: C - Lapping is the practice of allocating one customer's payment to another customer's account. Hence, borrowing Peter's payment to pay Paul.
18. What is the process for posting to accounting records in a computer system?
Answer: D - Accounting records in a computer-based accounting system consist of a general ledger of each account, which contains the beginning balance and the month-to-date total for all transactions. The computer system allows direct access for reviewing any account balance on the monitor, which provides current year-to-date data, and master files are updated according to the year-to-date files.

19. Which of the following benefits is least likely to result from a system of internal controls?
Answer: B - No system can prevent two or more employees who have authority and control over the system from getting together to commit fraud.
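
Added example (not part of the original study guide): the batch control record from review question 50 and the hash total from question 36 and multiple-choice question 5, worked through in Python. The time cards, employee numbers, batch identifiers and function names are constructed for this illustration.

```python
"""Batch control reconciliation: record count, control total and hash total."""
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class TimeCard:
    employee_id: int   # nonfinancial field that feeds the hash total
    hours: Decimal
    rate: Decimal

    @property
    def gross_pay(self) -> Decimal:
        return self.hours * self.rate


@dataclass(frozen=True)
class BatchControl:
    batch_number: str        # a unique batch number
    batch_date: str          # a batch date
    transaction_code: str    # a transaction code
    record_count: int        # the number of records in the batch
    control_total: Decimal   # the total dollar value of a financial field
    hash_total: int          # the total of a unique nonfinancial field


def recompute_totals(records):
    """Recalculate the three totals from the records actually received."""
    return {
        "record_count": len(records),
        "control_total": sum((r.gross_pay for r in records), Decimal("0")),
        "hash_total": sum(r.employee_id for r in records),
    }


def build_control(batch_number, batch_date, transaction_code, records):
    """Create the control record when the batch is first assembled."""
    return BatchControl(batch_number, batch_date, transaction_code,
                        **recompute_totals(records))


def reconcile(control, records):
    """Return the names of the control totals that no longer match."""
    recomputed = recompute_totals(records)
    return [name for name, value in recomputed.items()
            if getattr(control, name) != value]


# Constructed sample batch of three time cards.
ORIGINAL = [
    TimeCard(10472, Decimal("40"), Decimal("22.50")),
    TimeCard(10518, Decimal("38.5"), Decimal("31.00")),
    TimeCard(10733, Decimal("40"), Decimal("27.25")),
]
CONTROL = build_control("B-0001", "2024-01-15", "PAY", ORIGINAL)

# Multiple-choice question 5: one card replaced by a card for a different
# employee number with the same hours and pay rate.
SUBSTITUTED = [replace(ORIGINAL[0], employee_id=99813)] + ORIGINAL[1:]

# A record lost between processing stages.
DROPPED = ORIGINAL[:2]

# Limitation: two employee numbers changed by +1 and -1 cancel in the sum.
OFFSETTING = [
    replace(ORIGINAL[0], employee_id=10473),
    replace(ORIGINAL[1], employee_id=10517),
    ORIGINAL[2],
]

if __name__ == "__main__":
    batches = [("original", ORIGINAL), ("substituted", SUBSTITUTED),
               ("dropped", DROPPED), ("offsetting", OFFSETTING)]
    for label, batch in batches:
        print(label, reconcile(CONTROL, batch) or "balanced")
```

A hash total is a plain arithmetic sum, not a cryptographic hash: the offsetting case balances on all three totals, so the batch control complements, rather than replaces, the validity and check digit tests applied to each individual code.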