Prisoner's dilemma - Teaching Web Server

Control Self-Assessment
Controls Assessment (Chapter 10)
Frameworks
Prisoner’s Dilemma
Worldcom’s Prisoner’s Dilemma
Ethics and IT (in Hong Kong)
Practicum: St James Clothiers
(IT-based vs. Manual Accounting Systems)
Schedule (revised)
Date | Topic | Readings | Practicum
12-Sep-05 | Identifying Computer Systems | Chapter 2 | Evaluating IT Benefits and Risks: Jacksonville Jaguars
19-Sep-05 | IS Audit Programs | Chapter 3 | The Job of the Staff Auditor: A Day in the Life of Brent Dorsey
26-Sep-05 | IS Security | Chapter 4 | Recognizing Fraud: The Anonymous Caller
3-Oct-05 | Utility Computing and IS Service Organizations | Chapter 5 | Evaluating a Prospective Audit Client: Ocean Manufacturing
10-Oct-05 | Physical Security | Chapter 6 | Inherent Risk and Control Risk: Comptronix Corporation
17-Oct-05 | Logical Security | Chapter 7 & 8 | Evaluating the Internal Control Environment: Easy Clean
24-Oct-05 | IS Operations | Chapter 9 | Fraud Risk and the Internal Control Environment: Cendant Corporation
7-Nov-05 | Controls Assessment | Chapter 10 | IT-based vs. Manual Accounting Systems: St James Clothiers
14-Nov-05 | Encryption and Cryptography | Chapter 11 | Materiality / Tolerable Misstatement: Dell Computer
21-Nov-05 | Computer Forensics | Chapter 12 | Analytical Procedures as Substantive Tests: Burlington Bees
28-Nov-05 | New Challenges from the Internet: Privacy, Piracy, Viruses and so forth | Chapter 13 | Information Systems and Audit Evidence: Henrico Retail
What is ‘Control Self-Assessment’?
DEFINITION
Control Self-assessment (CSA) is a leading-edge process in which auditors facilitate a group of staff members who have expertise in a specific process, with the objective of identifying opportunities for internal control enhancement pertaining to critical operating areas designated by management.
Nascency
- Originally a way of measuring ‘soft controls’ which traditional auditing found difficult to measure, e.g.
  - Management integrity, honesty, trust
  - Willingness of employees to circumvent controls
  - Employee morale
- The tone and ethics of a firm are set by top management
  - And this is a way of eliciting these
- It’s become especially important post Sarbanes-Oxley
Why is CSA Important?
- Without commitment to good internal control
  - And inherent honest and ethical behavior of employees throughout the organization
- Internal control systems (preventive, detective and corrective)
  - Would quickly become the single most expensive part of the firm’s accounting systems
- Internal and external audits would become prohibitively expensive
- Financial statements would lose their value to outside investors
  - Causing stock price to fall
  - Bank borrowing interest rates to rise
  - And firm operations to cease being competitive
- This happened in some of Arthur Andersen’s clients
  - Where financial statements came to be known as: Andersen’s Fairy Tales
COSO Framework
- COSO (Committee of Sponsoring Organizations of the Treadway Commission)
  - Founded in aftermath of the 1977 Lockheed Scandal
- Internal Control was supposed to ensure:
  - Effectiveness and efficiency of operations
  - Reliability of financial reporting
  - Compliance with applicable laws and regulations
CoCo Framework
- CoCo (Criteria of Control Board)
  - Founded by Canadian Institute of Chartered Accountants
  - The world’s premier group in setting internal auditing standards
- Internal Control was supposed to ensure:
  - Effectiveness and efficiency of operations
  - Reliability of financial reporting
  - Compliance with applicable laws and regulations & internal policies
Cadbury Framework
- Committee of the Financial Aspects of Corporate Governance of the Institute of Chartered Accountants in England and Wales (Cadbury Committee … you can see why they adopted the latter name)
  - Contemporaneous with CoCo
- Internal Control was supposed to ensure:
  - Effectiveness and efficiency of operations
  - Reliability of financial reporting
  - Compliance with applicable laws and regulations
  - Safeguarding of assets against unauthorized use or disposition
  - Maintenance of proper accounting records and the reliability of financial information used within the business or for publication
COBIT Framework
- COBIT (Control Objectives for Information and Related Technology)
  - Contemporaneous with CoCo and Cadbury
- Internal Control was supposed to ensure:
  - Effectiveness and efficiency of operations
  - Reliability of financial reporting
  - Compliance with applicable laws and regulations
  - Safeguarding of assets against unauthorized use or disposition
  - Maintenance of proper accounting records and the reliability of financial information used within the business or for publication
- An important difference is that COBIT was directed specifically towards Information Technology
SAC / eSAC Framework
- SAC (Systems Auditability and Control report)
  - Originally published in 1977, but updated in 1991-4, contemporaneous with CoCo and Cadbury
- Internal Control ensures the same things as CoCo and Cadbury
- But provides an extensive module-based framework
  - Audit & Control Environment
  - IT in Auditing
  - Managing Computer Resources
  - Managing Information and Developing Systems
  - Business Systems
  - End User and Departmental Computing
  - Telecommunications Security
  - Contingency Planning
  - Emerging Tech
- An important difference is that SAC / eSAC was directed specifically towards Information Technology, and provides more detailed direction for IT audits
SASs 55, 78 & 94
- Extensions to the COSO Framework that are essentially summarized in SAS 94 (2001)
- Specific IT related Internal Control risks are targeted:
  - Reliance on IT that is inaccurately processing data
  - Unauthorized access to data, destruction, inaccurate recording, privacy breach
  - Unauthorized changes to systems
  - Failure to make needed changes to systems
  - Inappropriate manual intervention
  - Potential loss of data
- SAS 94 also emphasizes the importance of specialized IT Auditing skills (important for this class)
Prisoner's dilemma
- Two suspects A, B are arrested by the police.
- The police have insufficient evidence for a conviction, and having separated both prisoners, visit each of them and offer the same deal:
  - If one testifies for the prosecution (turns King's Evidence) against the other and the other remains silent, the silent accomplice receives the full 10-year sentence and the betrayer goes free.
  - If both stay silent, the police can only give both prisoners 6 months for a minor charge.
  - If both betray each other, they receive a 2-year sentence each.
- This can be summarized:
                        | Prisoner A Stays Silent                           | Prisoner A Betrays
Prisoner B Stays Silent | Both serve 6 months                               | Prisoner B serves ten years; Prisoner A goes free
Prisoner B Betrays      | Prisoner A serves ten years; Prisoner B goes free | Both serve two years
The Dilemma
- Each prisoner has two options:
  - to cooperate with his accomplice and stay quiet,
  - or to betray his accomplice and give evidence.
- The outcome of each choice depends on the choice of the accomplice. However, neither prisoner knows the choice of his accomplice.
- The optimal solution would be for both prisoners to cooperate with each other, as this would reduce the total jail time served by the group to one year total.
- Any other decision would be worse for the two prisoners considered together. However, by each following their individual interests, the two prisoners each receive a lengthy sentence.

Prisoner's dilemma (Corporate Setting)
- Two officers of the corporation – the CEO and the Comptroller – are arrested for Financial Reporting fraud
- The police have insufficient evidence for a conviction (they didn’t take my course) and having separated both prisoners, visit each of them and offer the same deal:
  - If one testifies for the prosecution against the other and the other remains silent, the silent accomplice receives the full 10-year sentence and the betrayer goes free.
  - If both stay silent, the police can only give both prisoners 6 months for a minor charge.
  - If both betray each other, they receive a 2-year sentence each.
- This can be summarized:
               | Comptroller Cooperates | Comptroller Betrays
CEO Cooperates | -.5,-.5                | 0,-10
CEO Betrays    | -10,0                  | -2,-2
The Deal (another view)
- Or stated differently
  - Here is how the deal will look to the CEO and the Comptroller
               | Comptroller Cooperates | Comptroller Betrays
CEO Cooperates | Win-win                | Win much – lose much
CEO Betrays    | Lose much – win much   | Lose - lose
The Deal
- Or stated differently
  - Here is how the deal will look to the CEO and the Comptroller
               | Comptroller Cooperates                        | Comptroller Betrays
CEO Cooperates | Cooperation, 6 months each                    | Comptroller Temptation to Defect payoff of zero years
CEO Betrays    | CEO Temptation to Defect payoff of zero years | Sucker’s Payoff (two years each)
Why Ethics are Important!
- The prisoner's dilemma is a type of non-zero-sum game
  - it is assumed that each individual player ("prisoner") is trying to maximize his own advantage, without concern for the well-being of the other players.
- In Econo-speak: The Nash equilibrium for this type of game does not lead to Pareto optimums (jointly optimum solutions)
  - Each side has an individual incentive to cheat even after promising to cooperate. This is the heart of the dilemma.
- In the iterated prisoner's dilemma the game is played repeatedly.
  - Thus each player has an opportunity to "punish" the other player for previous non-cooperative play.
  - Cooperation may then arise as an equilibrium outcome.
  - The incentive to cheat may then be overcome by the threat of punishment, leading to the possibility of a superior, cooperative outcome.
- As the number of iterations approaches infinity, the Nash equilibrium tends to the Pareto Optimum, because when you face eternity the threat of grudges is a grave one indeed
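An added example, not part of the original slides: it uses the sentences from the deal above (6 months, 2 years, 10 years, free) to find the one-shot Nash equilibrium, check it against the Pareto-optimal outcomes, and then replay the game repeatedly. The function names and the choice of tit-for-tat as the "punishing" strategy are assumptions made for illustration.

```python
from itertools import product

SILENT, BETRAY = "silent", "betray"
MOVES = (SILENT, BETRAY)

# Years in jail (lower is better) keyed by (my move, other's move),
# taken from the deal stated on the slide.
YEARS = {
    (SILENT, SILENT): 0.5,
    (SILENT, BETRAY): 10.0,
    (BETRAY, SILENT): 0.0,
    (BETRAY, BETRAY): 2.0,
}

def outcome(a, b):
    """Return (years for player A, years for player B)."""
    return YEARS[(a, b)], YEARS[(b, a)]

def nash_equilibria():
    """Profiles where neither player can shorten their own sentence by switching alone."""
    found = []
    for a, b in product(MOVES, MOVES):
        a_ok = all(YEARS[(a, b)] <= YEARS[(alt, b)] for alt in MOVES)
        b_ok = all(YEARS[(b, a)] <= YEARS[(alt, a)] for alt in MOVES)
        if a_ok and b_ok:
            found.append((a, b))
    return found

def pareto_optimal():
    """Profiles that no other profile beats for one player without hurting the other."""
    profiles = list(product(MOVES, MOVES))
    def dominated(p):
        pa, pb = outcome(*p)
        return any(qa <= pa and qb <= pb and (qa < pa or qb < pb)
                   for qa, qb in (outcome(*q) for q in profiles))
    return [p for p in profiles if not dominated(p)]

def always_betray(own_history, other_history):
    return BETRAY

def tit_for_tat(own_history, other_history):
    # Start silent, then repeat the other player's last move (the "punishment").
    return other_history[-1] if other_history else SILENT

def play(strategy_a, strategy_b, rounds):
    """Iterated game: return total years served by A and by B."""
    hist_a, hist_b, total_a, total_b = [], [], 0.0, 0.0
    for _ in range(rounds):
        a = strategy_a(hist_a, hist_b)
        b = strategy_b(hist_b, hist_a)
        years_a, years_b = outcome(a, b)
        total_a += years_a
        total_b += years_b
        hist_a.append(a)
        hist_b.append(b)
    return total_a, total_b

if __name__ == "__main__":
    print("One-shot Nash equilibria:", nash_equilibria())
    print("Pareto-optimal profiles:", pareto_optimal())
    print("Tit-for-tat vs tit-for-tat, 10 rounds:", play(tit_for_tat, tit_for_tat, 10))
    print("Always-betray vs tit-for-tat, 10 rounds:", play(always_betray, tit_for_tat, 10))
```

Over ten rounds the player who betrays a tit-for-tat partner gains only in the first round and ends with 18 years against the 5 years each that two cooperators serve, which is the threat of punishment the slide refers to.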
Practicum:
Evaluation of Manual & IT-Based
Sales Accounting System Risks
St. James Clothiers
Fraud at WorldCom
A Corporate IT Auditing Ethical Dilemma
Oops
- On June 27, 2002, markets around the world were sent reeling when it was discovered that WorldCom
  - had overstated the prior 15 months of earnings by US$3.9 billion
  - to which was later added another US$3.2 billion
  - for a total of US$7.1 billion in accounting misstatements
  - Ultimately the overstatement of income totaled $11 billion
- For a company that reported US$1.4 billion net income in 2001
  - it seems difficult for the auditors to dismiss this as “immaterial.”
Great Auditing, guys
- Roman Weil, a professor of accounting at the University of Chicago, noted that WorldCom’s fraudulent accounting
  - “is so basic that I teach it in the second week of my class.”
- Yet the ploy, which misclassified supposedly difficult-to-manipulate cash flows, fooled both Arthur Andersen and KPMG, two of the (at the time) Big 5 accounting firms.
Cash Flow
- “How do you fake cash flow?
  - You simply move the negative things – the cash outflows – out of the operating section and you move it into the investing or financing section.”
- What was significant was that few companies used the stratagems that undermined Enron;
  - but all corporations use cash flow and earnings before interest, taxes, depreciation, and amortization (EBITDA) as a measure of value.
- And cash flow has been championed by the analysts’ community that claims that it is not subject to the ambiguities of “income.”
Blessed by Accountants
- Did generally accepted accounting principles (GAAP) contribute to the fraud?
  - Yes; indeed, GAAP is a prime enabler of fraud. Without double-entry bookkeeping, frauds such as WorldCom’s could never be perpetrated.
- From an accounting standpoint, WorldCom had impeccable financials
  - Audited by the Big 5
  - Success solidly founded on inviolable cash flows
Here’s Bernie
- Bernie Ebbers, one of the original nine investors in LDDS, was called in to run the company in 1984
  - Ebbers was previously employed as a milkman, bartender, bar bouncer, car salesman, truck driver, basketball coach and hotelier.
  - While he lacked technology experience, Ebbers later joked that his most useful qualification was being "the meanest SOB they could find."
- Ebbers took less than a year to make the company profitable.
- Ebbers is now A Prisoner
Corporate Culture (does it matter)
- Growth through acquisitions led to a hodgepodge of peoples and cultures
- Ebbers called an internal effort to create a corporate code of conduct
  - a "colossal waste of time"
  - encouraged "a systemic attitude conveyed from the top down that employees should not question their superiors, but simply do what they were told"
Goals
- "Our goal is not to capture market share or be global. Our goal is to be the No. 1 stock on Wall Street."
  - Ebbers, in 1997
- Revenue growth was a key to increasing the company's market value.
  - the demand for revenue growth was "in every brick in every building,"
Accounting at WorldCom

It all centered on Accruals and Culture


Discuss
Culture
- “… you need to book the entry."
  - Myers to David Schneeman, acting CFO of UUNET
- When Schneeman refused,
  - Myers told him "Book it right now, I can't wait another minute"
- "Here's your number"
  - Myers telling Timothy Schneberger, Director of International Fixed Costs, to release $370 million of accruals
The Audit ‘Profession’
- Arthur Andersen, WorldCom's independent external auditor, from 1990 to 2002 called WorldCom its
  - "flagship" and most "highly coveted" client, the firm's "Crown Jewel"
- Andersen wanted to be considered as a committed member of WorldCom's team.
- After WorldCom merged with MCI,
  - Andersen, which had a Mississippi-based team of 10-12 people working full-time on WorldCom's audits,
  - under-billed the company
  - and justified the lower charges as a continuing investment in its WorldCom relationship.
The Bottom Line

Who was responsible for WorldCom’s Fraud?
What was responsible for WorldCom’s Fraud?
Why was it responsible for WorldCom’s Fraud?

Discuss


Ethics in Action
True stories from Hong Kong
Technology Hype: Pollution Control
- A businesswoman with government ties
  - gets an exclusive contract from the Environmental Protection Department to supply high tech ‘exhaust cleaners’ to clean up the pollution from diesel taxis and buses in the city
  - These ‘exhaust cleaners’ are later found to be empty tins with a little steel wool thrown into them,
  - that were sold to the government at 300% markup
  - The businesswoman uses the proceeds from her scam to promote the IPO of a new company selling her ‘exhaust cleaners’
  - And promptly transfers the proceeds of the IPO to another company
- Question:
  - Was the businesswoman (1) clever, (2) working through a tradition of ‘guanxi’, or (3) unethical?
  - What remedy would you prescribe to compensate residents whose health has deteriorated because of the pollution? To the taxpayers who paid for the scam?
Technology Hype: Pollution Control, part 2
- A financial analyst and a celebrity columnist for the local newspaper
  - find out about the bogus ‘exhaust cleaner’ scam,
  - and publish their findings in the newspaper and on the Internet
- The businesswoman’s husband (who is owner of the company that was IPO’d)
  - Posts material to his own Web site impugning the financial analyst’s character
  - Falsely accusing the analyst of being a ‘porn star’
- Question:
  - The businesswoman’s husband (1) was justified in venting his personal anger, (2) should adjust his medication, or (3) is unethical?
  - What remedy would you prescribe to compensate the analyst?
Yes, Virginia, there is a Santa Claus
- A businessman runs a successful business selling plastic Christmas trees
  - He announces plans to sell off this core business (accounting for 99.9% of revenue)
  - To reposition the firm as a producer of game software
  - In order to justify this shift, the businessman claimed last year’s reported profits dropped 9.6% in the core business
    - whereas profits actually increased 12.5%
  - Subsequent analysis revealed that the sale of the plastic Christmas tree business would be to a related party at a substantial discount to the value of the business.
  - The difference would be borne by (expropriated from) the minority shareholders
- Question:
  - Was the businessman (1) ‘clever’, or (2) properly exercising his ‘guanxi’ or (3) unethical?
  - What remedy would you prescribe to compensate minority shareholders? Would you recommend that next time they should heed the dictum ‘caveat emptor’ – let the buyer beware?
Cyber-sport
- A businessman uses his government ties
  - To coerce the government to subsidize (at taxpayer expense of $10 billion) a large property development on the last developable ocean view property in the city
  - The businessman promises that the unique design of this property will make the city a world leader in information technology
  - The property is 75% residential, with another 15% dedicated to shopping;
  - The remaining 10% is office space no different than available elsewhere in the city for 50% of the price
- Question:
  - Was the businessman (1) ‘clever’, or (2) properly exercising his ‘guanxi’ or (3) unethical?
  - What remedy would you prescribe to compensate taxpayers?
Cyber-sport, part 2
- A businessman uses his investment in government subsidized real estate
  - To promote an IPO in stock
  - Based on promises of this company becoming a leading global information technology firm
  - The businessman spent millions on marketing firms, ghost writers and payments to create an image of high technology for himself and his firm
  - An analysis of the assets of the firm indicates an IPO value of $5 per share, maximum
  - The local securities firm handling the IPO estimates the share value at $25 per share
  - Analysts who contradicted the $25 share price were followed by private investigators
  - The IPO was successful, and the businessman immediately transferred $1 billion from the IPO into one of his other companies
  - The stock price subsequently collapsed to under $2 per share
- Question:
  - Was the businessman (1) ‘clever’, or (2) unethical?
  - What remedy would you prescribe to compensate investors, many of whom were pensioners or had placed their life savings in these shares?
Cyber-sport, part 3
- Government bureaucrats, being unwilling to renege on their real estate subsidy
  - Instead take an ownership position in the property
  - And dictate that rental prices will be substantially less than for property owned by rival property developers
  - This essentially robs paying customers from other property
  - And further depresses the city’s property market
    - Driving investment overseas
- Question:
  - The bureaucrats (1) were right to save ‘face’, or (2) were doing their civil service by protecting the taxpayers’ subsidy (i.e., two wrongs might make a right) or (3) unethical?
  - What remedy would you prescribe to compensate rival property owners,
    - or are they all just too rich and powerful to deserve helping?
Loose Lips
- The chairman of a stock exchange publicly announces that he is considering delisting a technology-heavy class of stocks
  - The next trading day, prices collapse, and sell-side liquidity drops to zero, resulting in investor losses in the billions
  - Acquisitive companies purchase the nearly valueless shares, gain control, strip the assets from the firms, and fire management and employees
- Question:
  - Was the stock exchange chairman (1) careless, or (2) unethical?
  - What remedy would you prescribe to compensate investors, managers and employees who have been wronged, many of whom were pensioners or had placed their life savings in these shares?
  - Should the exchange chairman be fired?
Accounting for Technology
- The President of the Professional Society of Accountants
  - objects to new accounting rules as ‘invasive’
  - These rules would crack down on corporate crooks
  - who have used ‘technology hype’ and faulty accounting for technology assets to rob investors of trillions of dollars, putting it into their own off-shore bank accounts
  - there are no other rules or regulations in force which will catch the crooks
- Question:
  - Accountants (1) have no duty to protect investors, only to make sure that accounts satisfy accounting principles, or (2) the President of the Professional Society of Accountants has made an unethical recommendation, or (3) something else?
  - What remedy would you prescribe to compensate investors, managers and employees who have been wronged by these corporate crooks? Should accountants be sued for their part in helping the crooks?