Chapter 3 - Accounting and Information Systems Department

Chapter 3: Ethics, Fraud, and Internal Control

COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license.
Objectives for Chapter 3
- Broad issues pertaining to business ethics
- Ethical issues related to the use of information technology
- Distinguish between management fraud and employee fraud
- Common types of fraud schemes
- Key features of the SAS 78 / COSO internal control framework
- Objects and application of physical controls
Business Ethics
Why should we be concerned about ethics in the business world?
- Ethics are needed when conflicts arise
- In business, conflicts may arise between:
  - employees
  - management
  - stakeholders
- Litigation
Business Ethics
Business ethics involves finding the answers to two questions:
- How do managers decide on what is right in conducting their business?
- Once managers have recognized what is right, how do they achieve it?
Four Main Areas of Business Ethics (diagram; not reproduced in the text)
Computer Ethics
Concerns the social impact of computer technology (hardware, software, and telecommunications).
The main computer ethics issues are:
- Privacy
- Security and accuracy
- Ownership of property
- Computer misuse
- Internal control integrity
Legal Definition of Fraud
- False representation: a false statement or disclosure
- Material fact: the fact must be important enough that someone will act on it
- Intent to deceive must exist
- The misrepresentation must have resulted in justifiable reliance upon the information, which caused someone to act
- The misrepresentation must have caused injury or loss
Factors that Contribute to Fraud (diagram; not reproduced in the text)

Employee Fraud
Usually an employee taking cash or other assets for personal gain by circumventing the company's system of internal controls.
Management Fraud
- Perpetrated at management levels
  - But the internal control structure usually relates to activities performed at lower levels
- Frequently involves using financial statements
  - Creating the illusion that the entity is healthier and more prosperous than it actually is
- If management is stealing assets,
  - the theft probably is hidden in very complicated business transactions
Underlying Problems of Enron, WorldCom, Adelphia
- Lack of Auditor Independence:
  - auditing firms also engaged to perform non-accounting activities (consulting)
- Lack of Director Independence:
  - Directors also served on the boards of other companies ("good ol' boy" network)
  - Or had a business trading relationship
  - Or had a financial relationship as stockholders
  - Or received personal loans
  - Or were employed by the company

Underlying Problems of Enron, WorldCom, Adelphia (contd)
- Executive Compensation Schemes:
  - short-term stock options as compensation result in short-term strategies
  - Drives up stock prices at the expense of the firm's long-term health
- Inappropriate Accounting Practices:
  - Common to many financial statement fraud schemes
  - Enron created many special purpose entities
  - WorldCom transferred transmission line costs from current expense accounts to capital accounts (boosts the balance sheet)
Sarbanes-Oxley Act of 2002
- Created the Public Company Accounting Oversight Board (PCAOB)
- Requires auditor independence: more separation between a firm's attestation (auditing) and non-auditing activities
- Corporate governance: audit committee members must be independent and must oversee the external auditors
- Disclosure requirements: increased auditor and management disclosures
- New federal crimes for destruction of or tampering with documents, securities fraud, and actions against whistleblowers
Association of Certified Fraud Examiners' 2006 Occupational Fraud & Abuse Survey

Scheme Type               2006* %Cases   2006 Median loss   1996 %Cases   1996 Median loss
Asset Misappropriations        91.5%        $  150,000          81.1%        $   65,000
Corruption Schemes             30.8%        $  538,000          14.8%        $  440,000
Fraudulent Statements          10.6%        $2,000,000           4.1%        $4,000,000

*Percentages sum to more than 100% because some cases were reported in more than one category
Fraud Schemes
- Three categories of fraud schemes according to the Association of Certified Fraud Examiners:
  A. Fraudulent statements
  B. Corruption
  C. Asset misappropriation
A. Fraudulent Statements
- Usually management fraud
- Misstating financial statements to make the company appear better than it is
- Often tied to short-term financial measures for success
- Or management bonus packages are tied to financial statements
B. Corruption
- Examples:
  - Bribery
  - Illegal gratuities
  - Conflicts of interest
  - Economic extortion
- Foreign Corrupt Practices Act of 1977:
  - requires accurate records and internal controls (but management was not required to put it in writing)
- Sarbanes-Oxley Act of 2002:
  - management must acknowledge that it is responsible for internal controls
  - management must assert to the effectiveness of those controls in the annual report to the SEC (in other words, now it must be in writing)
C. Asset Misappropriation
- Most common type of fraud
- Usually employee fraud
- Examples:
  - Making charges to expense accounts to cover theft of an asset (such as cash)
  - "Lapping": using a customer's check from one account to cover theft from a different customer's account
  - Transaction fraud: deleting, altering, or adding false transactions to steal assets
Computer Fraud
- Theft or misuse of assets by
  - altering computer data
  - altering software programming
- Theft or misuse of computer hardware
- Theft, corruption, or destruction of software or hardware
  - Includes illegal copying or sharing of software
- Theft or illegal use of computer data/information
Data Collection Fraud
- Fraud occurs as data are being entered
- The most vulnerable stage, because it is relatively easy to change data as it is entered into the system
- Also, the GIGO (garbage in, garbage out) principle reminds us:
  - If input data are inaccurate, output will be inaccurate
Data Processing Fraud
Program Frauds
- altering programs to allow illegal access to and/or manipulation of data
- destroying programs with a virus
Operations Frauds
- misuse of company resources, such as using the computer for personal business without permission
Database Management Fraud
- Altering, deleting, corrupting, destroying, or stealing an organization's data
- Oftentimes conducted by a disgruntled employee or ex-employee
  - This is why you don't give terminated employees two weeks' notice!
  - Escort them to their desk, then to the door.
Information Generation Fraud
- Stealing, misdirecting, or misusing computer output
- Scavenging
  - searching through trash cans for discarded output (output should be shredded, but frequently is not)
Internal Control Objectives
According to AICPA SAS:
1. Safeguard the assets of the firm
2. Ensure the accuracy and reliability of accounting records and information
3. Promote efficiency of the firm's operations
4. Measure compliance with management's prescribed policies and procedures
Assumptions about Internal Control Objectives
- Management Responsibility
  - Establishment and maintenance of the internal control system is the responsibility of management (NOT the auditor).
- Reasonable Assurance
  - The cost of achieving the objectives of internal control should not outweigh its benefits.
  - Would you hire an armed guard 24x7 to make sure $100 of petty cash is not stolen?
- Methods of Data Processing
  - Techniques for achieving internal control objectives vary, depending on technology.
  - The objectives of internal controls are the same between manual and computerized systems; the methods (techniques) are different.
Limitations of Internal Controls
- Honest errors
  - Employees get tired, distracted, sick
- Collusion
  - When 2 or more employees get together to defraud the company
- Management override
  - A manager tells the accountant to enter a bogus transaction
- Changing conditions in the company
  - Especially true when companies grow rapidly
Exposures (Risks) of Weak Internal Controls
- Assets may be destroyed
- Assets may be stolen
- Information may be corrupted
- The information system may be disrupted
The Internal Controls Shield (diagram; not reproduced in the text)

Preventive, Detective, and Corrective Controls (diagram; not reproduced in the text; annotated "Least costly")
Auditing Standards
- Auditors are guided by GAAS (Generally Accepted Auditing Standards)
- 3 classes of standards:
  - General qualification standards
  - Field work standards
  - Reporting standards
- For specific guidance, auditors use AICPA SAS (Statements on Auditing Standards)
SAS 78 / COSO
Describes the relationship between a firm's...
- internal control structure,
- auditor's assessment of risk, and
- planning of audit procedures
How do these three interrelate?
The weaker the internal control structure, the higher the assessed level of risk; the higher the risk, the more auditor testing procedures are applied in the audit.
Five Internal Control Components of SAS 78
1. control environment
2. risk assessment
3. information & communication
4. monitoring
5. control activities
1: Control Environment
- integrity and ethics of management
- management's policies and philosophy
- organizational structure
- delegation of responsibility and authority
- role of the board of directors and the audit committee
- performance evaluation measures
- external influences (ex: regulatory agencies)
2: Risk Assessment
- identify, analyze, and manage risks relevant to financial reporting
- Examples:
  - changes in the external environment
  - foreign markets carry more risk than domestic markets
  - rapid growth that strains internal controls
  - new product lines
  - restructuring/downsizing
  - changes in accounting policies
3: Information and Communication
- The system (CBIS) should produce quality information that
  - identifies and records all valid transactions
  - provides timely information in appropriate detail for proper classification and financial reporting
  - accurately measures the financial value of transactions, and
  - records transactions in the time period in which they occurred
    - Inventory arrives on 12/31/07. Is it recorded in 2007 or 2008?
4: Monitoring
The process for assessing the quality of internal control design and operation
- separate procedures: tests of controls by internal auditors
- ongoing monitoring:
  - computer modules integrated into routine operations
  - management reports that show trends
  - reports with exceptions from normal performance
    - sometimes called "exception reports"
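The "computer modules integrated into routine operations" and the exception report described above, together with the period cut-off question from the Information and Communication slide (inventory arriving 12/31/07), as one added Python example. This is not code from the original slides: the journal lines are constructed sample data, and the three checks it runs (period cut-off, postings outside the normal working window, and amounts far above an account's typical level) are this example's own choice of what "exceptions from normal performance" to report.

```python
"""Ongoing monitoring: an exception report generated from posted journal entries.

Added example, not code from the original slides. The journal lines are
constructed sample data; the check names and thresholds are this example's own.
"""
from datetime import datetime
from statistics import median

# Constructed journal lines:
# (entry id, account, transaction date, posting timestamp, accounting period, amount)
JOURNAL = [
    ("J1", "5100-Freight",   "2007-12-28", "2007-12-28T10:12", "2007-12", 1200.00),
    ("J2", "5100-Freight",   "2007-12-29", "2007-12-29T11:40", "2007-12", 1350.00),
    ("J3", "5100-Freight",   "2007-12-30", "2007-12-30T09:05", "2007-12", 1100.00),
    # Inventory received 12/31/07 but booked into January 2008: a cut-off error.
    ("J4", "1500-Inventory", "2007-12-31", "2008-01-02T14:30", "2008-01", 2200.00),
    # Far larger than this account's usual entries, and posted late at night.
    ("J5", "5100-Freight",   "2007-12-31", "2007-12-31T23:48", "2007-12", 9800.00),
    ("J6", "1500-Inventory", "2007-12-31", "2007-12-31T15:00", "2007-12", 4019.25),
    ("J7", "5100-Freight",   "2007-12-31", "2007-12-31T16:20", "2007-12", 1250.00),
]


def cutoff_exceptions(journal):
    """Entries whose accounting period is not the period of the transaction date.

    Transactions must be recorded in the period in which they occurred; the
    slides' 12/31/07 inventory question is exactly this check.
    """
    return [e[0] for e in journal if e[2][:7] != e[4]]


def out_of_hours_exceptions(journal, start_hour=8, end_hour=18):
    """Entries posted outside the normal posting window [start_hour, end_hour)."""
    flagged = []
    for e in journal:
        hour = datetime.strptime(e[3], "%Y-%m-%dT%H:%M").hour
        if not start_hour <= hour < end_hour:
            flagged.append(e[0])
    return flagged


def unusual_amount_exceptions(journal, factor=3.0):
    """Entries larger than `factor` times the median amount of their own account.

    The median is used rather than the mean so that the outlier itself does
    not drag the baseline up and hide itself.
    """
    by_account = {}
    for e in journal:
        by_account.setdefault(e[1], []).append(e)
    flagged = []
    for entries in by_account.values():
        baseline = median(e[5] for e in entries)
        flagged.extend(e[0] for e in entries if e[5] > factor * baseline)
    return flagged


def exception_report(journal=JOURNAL):
    """Map each flagged entry id to the list of checks it failed."""
    report = {}
    checks = (("cutoff", cutoff_exceptions),
              ("out_of_hours", out_of_hours_exceptions),
              ("unusual_amount", unusual_amount_exceptions))
    for name, check in checks:
        for entry_id in check(journal):
            report.setdefault(entry_id, []).append(name)
    return report


if __name__ == "__main__":
    for entry_id, reasons in sorted(exception_report().items()):
        print(entry_id, ", ".join(reasons))
```

Run against the constructed journal, the report flags J4 for cut-off and J5 for both the late-night posting and the unusual amount; everything else is within normal performance and stays off the report. In practice the same checks would run as a module inside the posting routine, which is what the slide means by monitoring integrated into routine operations.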
5: Control Activities
- Policies and procedures to ensure that appropriate actions are taken in response to identified risks
- Fall into two distinct categories:
  - IT controls: relate specifically to the computer environment
  - Physical controls: primarily pertain to human activities
Two Types of IT Controls
- General controls: pertain to the entity-wide computer environment
  - Examples: controls over the data center, organization databases, systems development, and program maintenance
- Application controls: ensure the integrity of specific systems
  - Examples: controls over sales order processing, accounts payable, and payroll applications
Six Types of Physical Controls
- Access Control
- Accounting Records
- Authorization of Transactions
- Independent Verification
- Segregation of Duties
- Supervision
Memorize these!
Physical Controls (continued)
Access Controls
- help to safeguard assets by restricting physical access to them
Accounting Records
- provide an audit trail
Physical Controls (continued)
Authorization
- used to ensure that employees are carrying out only authorized transactions
- Authorizations may be general (everyday procedures) or specific (non-routine transactions).
  - Example: A clerk may have general authorization to accept low-value returns from customers; if the return is over a certain dollar amount, the clerk asks a supervisor to approve it (specific).
Physical Controls
Independent Verification
- reviewing batch totals
- reconciling subsidiary ledgers with control accounts
  - Example: Compare the A/P subsidiary ledger total with the A/P control account in the General Ledger.
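Both independent-verification techniques on this slide, batch totals and the A/P subsidiary-to-control reconciliation, as an added Python example. This is not code from the original slides: the vendor balances, the invoice batch and the batch control slip are constructed sample data, and the function names are this example's own.

```python
"""Independent verification: batch totals and a subsidiary-ledger-to-control-account
reconciliation, run as program checks.

Added example, not code from the original slides. All ledger data below is constructed.
"""
from decimal import Decimal

# Constructed A/P subsidiary ledger: one open balance per vendor.
AP_SUBSIDIARY = [
    {"vendor": "V100", "balance": "1250.00"},
    {"vendor": "V200", "balance": "830.50"},
    {"vendor": "V300", "balance": "4019.25"},
]

# Constructed balance of the A/P control account in the general ledger.
AP_CONTROL_BALANCE = Decimal("6099.75")


def reconcile_subsidiary_to_control(subsidiary, control_balance):
    """Return (subsidiary total) - (control account balance).

    Zero is the expected result. Any other value is an exception to
    investigate: a posting made to one side but not the other, a
    transposition error, or an entry that bypassed the control account.
    """
    subsidiary_total = sum((Decimal(row["balance"]) for row in subsidiary), Decimal("0"))
    return subsidiary_total - control_balance


# Constructed batch of vendor invoices as keyed in at data entry.
INVOICE_BATCH = [
    {"invoice": "INV-1", "vendor": 100, "amount": "500.00"},
    {"invoice": "INV-2", "vendor": 200, "amount": "330.50"},
    {"invoice": "INV-3", "vendor": 300, "amount": "1019.25"},
]

# Batch control totals prepared separately, from the source documents,
# before the batch is processed (constructed).
BATCH_SLIP = {
    "record_count": 3,
    "financial_total": Decimal("1849.75"),
    # Sum of the vendor numbers: meaningless as a figure, useful as a control,
    # because it catches a record whose vendor number was swapped or dropped.
    "hash_total": 600,
}


def compute_batch_totals(batch):
    """Recompute the three classic batch totals from the processed records."""
    return {
        "record_count": len(batch),
        "financial_total": sum((Decimal(r["amount"]) for r in batch), Decimal("0")),
        "hash_total": sum(r["vendor"] for r in batch),
    }


def batch_exceptions(batch, slip):
    """Return {total name: (expected, actual)} for every total that disagrees."""
    actual = compute_batch_totals(batch)
    return {name: (expected, actual[name])
            for name, expected in slip.items() if expected != actual[name]}


if __name__ == "__main__":
    print("A/P difference:", reconcile_subsidiary_to_control(AP_SUBSIDIARY, AP_CONTROL_BALANCE))
    print("batch exceptions:", batch_exceptions(INVOICE_BATCH, BATCH_SLIP))
```

The point of running three totals rather than one is that each catches a different manipulation: altering an amount disturbs only the financial total, swapping a vendor number disturbs only the hash total, and dropping a record disturbs all three. The check is only independent if the control slip is produced by someone other than the person who keys the batch, which is the segregation-of-duties point on the next slide.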
Physical Controls
Segregation of Duties
- In a manual system, separation is between:
  - authorizing and processing a transaction
  - custody and recordkeeping of the asset
- In a computerized system, segregation should exist between:
  - program coding
  - program processing
  - program maintenance
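The authorization rules from the earlier slide (general authorization for low-value returns, specific supervisor approval above a limit) and the segregation-of-duties rules on this slide, enforced in program logic, as one added Python example. This is not code from the original slides: the user directory, the duty names, the $100 general-authorization limit and the sample transactions are constructed; the incompatible duty pairs encode the slides' rules (authorizing vs. processing, custody vs. recordkeeping, and for computerized systems coding vs. processing vs. maintenance).

```python
"""Authorization rules and segregation of duties enforced in program logic.

Added example, not code from the original slides. Users, duties, the limit
and the transactions are constructed.
"""
from decimal import Decimal

# Constructed user directory: the duties each person holds.
USERS = {
    "alice": {"clerk"},
    "bob":   {"supervisor"},
    "carol": {"cashier", "bookkeeper"},    # custody and recordkeeping in one person
    "dave":  {"programmer", "operator"},   # writes the programs and also runs them
    "erin":  {"programmer"},
}

# Duties that must never be held by the same person.
INCOMPATIBLE_DUTIES = [
    ("authorizer", "processor"),     # authorizing vs. processing a transaction
    ("cashier", "bookkeeper"),       # custody vs. recordkeeping of the asset
    ("programmer", "operator"),      # program coding vs. program processing
    ("programmer", "maintainer"),    # program coding vs. program maintenance
    ("operator", "maintainer"),      # program processing vs. program maintenance
]

# Clerks may accept customer returns up to this amount on general authorization.
GENERAL_AUTH_LIMIT = Decimal("100.00")


def sod_violations(users=USERS, pairs=INCOMPATIBLE_DUTIES):
    """List (user, duty_a, duty_b) for every incompatible pair a user holds.

    Run this against the directory whenever duties are granted, not only at
    audit time; a violation found later has usually already been exploited.
    """
    return [(user, a, b)
            for user, duties in users.items()
            for a, b in pairs
            if a in duties and b in duties]


def check_return(txn, users=USERS, limit=GENERAL_AUTH_LIMIT):
    """Decide whether a customer-return transaction is properly authorized.

    Returns (accepted, reason). Low-value returns need only general
    authorization; anything above the limit needs specific authorization
    from a supervisor who is not the person who entered the transaction.
    """
    initiator = txn["entered_by"]
    if initiator not in users:
        return False, "unknown initiator"
    amount = Decimal(txn["amount"])
    if amount <= limit:
        return True, "general authorization"
    approver = txn.get("approved_by")
    if approver is None:
        return False, "specific authorization required above limit"
    if approver == initiator:
        return False, "approver must differ from initiator"
    if "supervisor" not in users.get(approver, set()):
        return False, "approver lacks supervisor duty"
    return True, "specific authorization"


if __name__ == "__main__":
    print(sod_violations())
    print(check_return({"amount": "45.00", "entered_by": "alice"}))
    print(check_return({"amount": "450.00", "entered_by": "alice", "approved_by": "bob"}))
```

Note that the approver check does two separate things: it enforces the specific-authorization rule (a supervisor must approve) and the segregation rule (the approver cannot be the initiator). Dropping the second check is the common mistake; with it gone, a clerk who is later also granted the supervisor duty can approve their own returns, which `sod_violations` would not catch either unless ("clerk", "supervisor") is added to the incompatible pairs.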
Physical Controls
Supervision
- compensation for lack of segregation of duties
  - such as in a small company that cannot hire many employees
- Sometimes called a "compensating control"
Internal Controls in Computer-based Information Systems (CBIS):
- Access
- Accounting Records
- Authorization of Transactions
- Independent Verification
- Segregation of Duties
- Supervision
Internal Controls in CBISs
Access
- data consolidation exposes the organization to computer fraud and excessive losses from disaster
  - If someone does access the data, s/he might get to all of it.
(diagram; not reproduced in the text; labeled "All data in here")
Internal Controls in CBISs
Accounting Records
- transaction and master files (and some source documents) are kept magnetically; the audit trail still exists, but must be read by computer rather than by humans.
Internal Controls in CBISs
Authorization
- rules for transaction authorization are frequently embedded in computer programs
  - Electronic Data Interchange (EDI) with Just-in-Time Inventory (JIT): automated re-ordering of inventory without human intervention
Internal Controls in CBISs
Independent Verification
- many of these tasks are performed by the computer rather than manually, so an independent check on each task the computer performs is not necessary (however, the computer programs that perform them should be checked).
Internal Controls in CBISs
Segregation of Duties
- A computer program performs many tasks considered incompatible in manual systems
- Therefore, program development, program operations, and program maintenance must be separated in internally developed systems
- Not as important in commercial software. Why?
Internal Controls in CBISs
Supervision
- the ability to assess employees' competence becomes more challenging due to the greater technical knowledge required
- a "compensating control"