Control Self-Assessment

- Controls Assessment (Chapter 10)
- Frameworks
- Prisoner's Dilemma
- WorldCom's Prisoner's Dilemma
- Ethics and IT (in Hong Kong)
- Practicum: St James Clothiers (IT-based vs. Manual Accounting Systems)

Schedule (revised)

Date       | Topic                                                                  | Readings       | Practicum
12-Sep-05  | Identifying Computer Systems                                           | Chapter 2      | Evaluating IT Benefits and Risks: Jacksonville Jaguars
19-Sep-05  | IS Audit Programs                                                      | Chapter 3      | The Job of the Staff Auditor: A Day in the Life of Brent Dorsey
26-Sep-05  | IS Security                                                            | Chapter 4      | Recognizing Fraud: The Anonymous Caller
3-Oct-05   | Utility Computing and IS Service Organizations                         | Chapter 5      | Evaluating a Prospective Audit Client: Ocean Manufacturing
10-Oct-05  | Physical Security                                                      | Chapter 6      | Inherent Risk and Control Risk: Comptronix Corporation
17-Oct-05  | Logical Security                                                       | Chapters 7 & 8 | Evaluating the Internal Control Environment: Easy Clean
24-Oct-05  | IS Operations                                                          | Chapter 9      | Fraud Risk and the Internal Control Environment: Cendant Corporation
7-Nov-05   | Controls Assessment                                                    | Chapter 10     | IT-based vs. Manual Accounting Systems: St James Clothiers
14-Nov-05  | Encryption and Cryptography                                            | Chapter 11     | Materiality / Tolerable Misstatement: Dell Computer
21-Nov-05  | Computer Forensics                                                     | Chapter 12     | Analytical Procedures as Substantive Tests: Burlington Bees
28-Nov-05  | New Challenges from the Internet: Privacy, Piracy, Viruses and so forth | Chapter 13     | Information Systems and Audit Evidence: Henrico Retail

What is 'Control Self-Assessment'?

Definition: Control Self-Assessment (CSA) is a leading-edge process in which auditors facilitate a group of staff members who have expertise in a specific process, with the objective of identifying opportunities for internal control enhancement pertaining to critical operating areas designated by management.

Nascency: CSA was originally a way of measuring 'soft controls' which traditional auditing found difficult to measure, e.g.
- management integrity, honesty, trust
- willingness of employees to circumvent controls
- employee morale

The tone and ethics of a firm are set by top management, and CSA is a way of eliciting these. It has become especially important post Sarbanes-Oxley.

Why is CSA Important?

Without commitment to good internal control, that is
- internal control systems (preventive, detective and corrective), and
- the inherent honest and ethical behavior of employees throughout the organization,
internal control would quickly become the single most expensive part of the firm's accounting systems:
- internal and external audits would become prohibitively expensive
- financial statements would lose their value to outside investors, causing stock prices to fall, bank borrowing interest rates to rise, and firm operations to cease being competitive

This happened in some of Arthur Andersen's clients, where financial statements came to be known as "Andersen's Fairy Tales".

COSO Framework

COSO (Committee of Sponsoring Organizations of the Treadway Commission) was founded in the aftermath of the 1977 Lockheed scandal. Internal control was supposed to ensure:
- effectiveness and efficiency of operations
- reliability of financial reporting
- compliance with applicable laws and regulations

CoCo Framework

CoCo (Criteria of Control Board) was founded by the Canadian Institute of Chartered Accountants, the world's premier group in setting internal auditing standards. Internal control was supposed to ensure:
- effectiveness and efficiency of operations
- reliability of financial reporting
- compliance with applicable laws and regulations, and with internal policies

Cadbury Framework

Committee on the Financial Aspects of Corporate Governance of the Institute of Chartered Accountants in England and Wales (the Cadbury Committee; you can see why they adopted the latter name). Contemporaneous with CoCo. Internal control was supposed to ensure:
- effectiveness and efficiency of operations
- reliability of financial reporting
- compliance with applicable laws and regulations
- safeguarding of assets against unauthorized use or disposition
- maintenance of proper accounting records and the reliability of financial information used within the business or for publication

COBIT Framework

COBIT (Control Objectives for Information and Related Technology) is contemporaneous with CoCo and Cadbury. Internal control was supposed to ensure:
- effectiveness and efficiency of operations
- reliability of financial reporting
- compliance with applicable laws and regulations
- safeguarding of assets against unauthorized use or disposition
- maintenance of proper accounting records and the reliability of financial information used within the business or for publication

An important difference: COBIT was directed specifically towards information technology.

SAC / eSAC Framework

SAC (Systems Auditability and Control report) was originally published in 1977 but updated in 1991-94, contemporaneous with CoCo and Cadbury. Internal control is to ensure the same things as under CoCo and Cadbury, but SAC provides an extensive module-based framework:
- audit and control environment
- IT in auditing
- managing computer resources
- managing information and developing systems
- business systems
- end-user and departmental computing
- telecommunications
- security
- contingency planning
- emerging technologies

An important difference: SAC / eSAC was directed specifically towards information technology, and provides more detailed direction for IT audits.

SASs 55, 78 & 94

Extensions to the COSO framework that are essentially summarized in SAS 94 (2001). Specific IT-related internal control risks are targeted:
- reliance on IT that is inaccurately processing data
- unauthorized access to data: destruction, inaccurate recording, privacy breach
- unauthorized changes to systems
- failure to make needed changes to systems
- inappropriate manual intervention
- potential loss of data

SAS 94 also emphasizes the importance of specialized IT auditing skills (important for this class).

Prisoner's Dilemma

Two suspects, A and B, are arrested by the police.
The police have insufficient evidence for a conviction and, having separated both prisoners, visit each of them and offer the same deal:
- If one testifies for the prosecution (turns King's Evidence) against the other and the other remains silent, the silent accomplice receives the full 10-year sentence and the betrayer goes free.
- If both stay silent, the police can only give both prisoners 6 months for a minor charge.
- If both betray each other, they receive a 2-year sentence each.

This can be summarized:

                         | Prisoner A stays silent                           | Prisoner A betrays
Prisoner B stays silent  | Both serve 6 months                               | Prisoner B serves ten years; Prisoner A goes free
Prisoner B betrays       | Prisoner A serves ten years; Prisoner B goes free | Both serve two years

The Dilemma

Each prisoner has two options: to cooperate with his accomplice and stay quiet, or to betray his accomplice and give evidence. The outcome of each choice depends on the choice of the accomplice; however, neither prisoner knows the choice of his accomplice. The optimal solution would be for both prisoners to cooperate with each other, as this would reduce the total jail time served by the group to one year in total. Any other decision would be worse for the two prisoners considered together. However, by each following their individual interests, the two prisoners each receive a lengthy sentence.

Prisoner's Dilemma (Corporate Setting)

Two officers of the corporation, the CEO and the Comptroller, are arrested for financial reporting fraud. The police have insufficient evidence for a conviction (they didn't take my course) and, having separated both prisoners, visit each of them and offer the same deal:
- If one testifies for the prosecution against the other and the other remains silent, the silent accomplice receives the full 10-year sentence and the betrayer goes free.
- If both stay silent, the police can only give both prisoners 6 months for a minor charge.
- If both betray each other, they receive a 2-year sentence each.
This can be summarized (payoffs in years):

                | Comptroller cooperates | Comptroller betrays
CEO cooperates  | -.5, -.5               | 0, -10
CEO betrays     | -10, 0                 | -2, -2

The Deal (another view)

Or stated differently, here is how the deal will look to the CEO and the Comptroller:

                | Comptroller cooperates | Comptroller betrays
CEO cooperates  | Win-win                | Win much, lose much
CEO betrays     | Lose much, win much    | Lose-lose

The Deal

Or stated differently again:

                | Comptroller cooperates                           | Comptroller betrays
CEO cooperates  | Cooperation: 6 months each                       | Comptroller's temptation to defect: payoff of zero years
CEO betrays     | CEO's temptation to defect: payoff of zero years | Sucker's payoff: two years each

Why Ethics are Important!

The prisoner's dilemma is a type of non-zero-sum game: it is assumed that each individual player ("prisoner") is trying to maximize his own advantage, without concern for the well-being of the other players. In econo-speak: the Nash equilibrium for this type of game does not lead to Pareto optimums (jointly optimum solutions). Each side has an individual incentive to cheat even after promising to cooperate; this is the heart of the dilemma.

In the iterated prisoner's dilemma the game is played repeatedly, so each player has an opportunity to "punish" the other player for previous non-cooperative play. Cooperation may then arise as an equilibrium outcome: the incentive to cheat may be overcome by the threat of punishment, leading to the possibility of a superior, cooperative outcome. As the number of iterations approaches infinity, the Nash equilibrium tends to the Pareto optimum, because when you face eternity the threat of grudges is a grave one indeed.

Practicum: Evaluation of Manual & IT-Based Sales Accounting System Risks, St. James Clothiers

Fraud at WorldCom: A Corporate IT Auditing Ethical Dilemma

Oops

On June 27, 2002, markets around the world were sent reeling when it was discovered that WorldCom had overstated the prior 15 months of earnings by US$3.9 billion, to which was later added another US$3.2 billion, for a total of US$7.1 billion in accounting misstatements. Ultimately the overstatement of income totaled $11 billion. For a company that reported US$1.4 billion net income in 2001, it seems difficult for the auditors to dismiss this as "immaterial."

Great Auditing, Guys

Roman Weil, a professor of accounting at the University of Chicago, noted that WorldCom's fraudulent accounting "is so basic that I teach it in the second week of my class." Yet the ploy, which misclassified supposedly difficult-to-manipulate cash flows, fooled both Arthur Andersen and KPMG, two of the (at the time) Big 5 accounting firms.

Cash Flow

"How do you fake cash flow? You simply move the negative things, the cash outflows, out of the operating section and you move it into the investing or financing section."

What was significant was that few companies used the stratagems that undermined Enron, but all corporations use cash flow and earnings before interest, taxes, depreciation, and amortization (EBITDA) as a measure of value. And cash flow has been championed by the analysts' community, which claims that it is not subject to the ambiguities of "income."

Blessed by Accountants

Did generally accepted accounting principles (GAAP) contribute to the fraud? Yes; indeed, GAAP is a prime enabler of fraud. Without double-entry bookkeeping, frauds such as WorldCom's could never be perpetrated.
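The prisoner's dilemma slides earlier in this deck make two claims that are easy to check by computation: in a single play, mutual betrayal is the Nash equilibrium even though mutual silence is jointly better, and once the game is iterated a player who can "punish" defection makes cooperation pay. The Python below is an added example written for this page, not part of the original lecture slides or the course materials. It encodes the CEO / Comptroller payoffs from the deck as negative years in prison, ordered (CEO, Comptroller), with the silent partner receiving -10 and the betrayer 0 as on the "temptation to defect" slide; the strategy names (`always_betray`, `always_cooperate`, `tit_for_tat`) and function names are my own.

```python
"""Added example (not from the original slides): the CEO / Comptroller
prisoner's dilemma from the deck, with the one-shot Nash equilibrium and
the iterated game in which tit-for-tat can 'punish' defection.
Payoffs are years in prison expressed as negative numbers (higher is better),
using the slide's figures: 6 months each for mutual silence, 2 years each
for mutual betrayal, and 0 / 10 years for betrayer / silent partner."""
from itertools import product

COOPERATE, BETRAY = "Cooperate", "Betray"
ACTIONS = (COOPERATE, BETRAY)

# PAYOFF[(ceo_action, comptroller_action)] = (ceo_payoff, comptroller_payoff)
PAYOFF = {
    (COOPERATE, COOPERATE): (-0.5, -0.5),
    (COOPERATE, BETRAY): (-10.0, 0.0),   # CEO is the silent 'sucker', Comptroller walks
    (BETRAY, COOPERATE): (0.0, -10.0),   # Comptroller is the 'sucker', CEO walks
    (BETRAY, BETRAY): (-2.0, -2.0),
}


def pure_nash_equilibria(payoff=PAYOFF):
    """Outcomes where neither player gains by changing only his own move."""
    equilibria = []
    for ceo, comp in product(ACTIONS, repeat=2):
        ceo_best = all(payoff[(ceo, comp)][0] >= payoff[(alt, comp)][0] for alt in ACTIONS)
        comp_best = all(payoff[(ceo, comp)][1] >= payoff[(ceo, alt)][1] for alt in ACTIONS)
        if ceo_best and comp_best:
            equilibria.append((ceo, comp))
    return equilibria


def joint_optimum(payoff=PAYOFF):
    """Outcome minimising total jail time for the pair (the 'jointly optimum' solution)."""
    return max(payoff, key=lambda cell: sum(payoff[cell]))


# Strategies for the iterated game; each is handed the opponent's move history.
def always_betray(opp_history):
    return BETRAY


def always_cooperate(opp_history):
    return COOPERATE


def tit_for_tat(opp_history):
    # Cooperate first, then repeat whatever the other player did last round:
    # a defection is 'punished' by defecting back once.
    return opp_history[-1] if opp_history else COOPERATE


def play_iterated(strategy_a, strategy_b, rounds, payoff=PAYOFF):
    """Return cumulative (a_payoff, b_payoff) over `rounds` plays of the game."""
    hist_a, hist_b = [], []
    total_a = total_b = 0.0
    for _ in range(rounds):
        move_a = strategy_a(hist_b)
        move_b = strategy_b(hist_a)
        pay_a, pay_b = payoff[(move_a, move_b)]
        total_a += pay_a
        total_b += pay_b
        hist_a.append(move_a)
        hist_b.append(move_b)
    return total_a, total_b


if __name__ == "__main__":
    print("One-shot Nash equilibria:", pure_nash_equilibria())
    print("Joint optimum:", joint_optimum())
    for name, strategy in (("always_betray", always_betray), ("tit_for_tat", tit_for_tat)):
        print(f"{name} vs tit_for_tat over 100 rounds:", play_iterated(strategy, tit_for_tat, 100))
```

Running the script reports mutual betrayal as the only equilibrium of the single play and mutual cooperation as the joint optimum. Over 100 rounds, a player who always betrays a tit-for-tat opponent collects 198 years against the opponent's 208, whereas two tit-for-tat players collect 50 each: the prospect of being punished in every later round is what makes cooperation the better policy, which is the "threat of grudges" the slides describe.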
From an accounting standpoint, WorldCom had impeccable financials:
- audited by the Big 5
- success solidly founded on inviolable cash flows

Here's Bernie

Bernie Ebbers, one of the original nine investors in LDDS, was called in to run the company in 1984. Ebbers was previously employed as a milkman, bartender, bar bouncer, car salesman, truck driver, basketball coach and hotelier. While he lacked technology experience, Ebbers later joked that his most useful qualification was being "the meanest SOB they could find." Ebbers took less than a year to make the company profitable. Ebbers is now a prisoner.

Corporate Culture (does it matter?)

Growth through acquisitions led to a hodgepodge of peoples and cultures. Ebbers called an internal effort to create a corporate code of conduct a "colossal waste of time" and encouraged "a systemic attitude conveyed from the top down that employees should not question their superiors, but simply do what they were told."

Goals

"Our goal is not to capture market share or be global. Our goal is to be the No. 1 stock on Wall Street." (Ebbers, in 1997)

Revenue growth was the key to increasing the company's market value; the demand for revenue growth was "in every brick in every building."

Accounting at WorldCom

It all centered on accruals and culture. Discuss.

Culture

"... you need to book the entry." Myers to David Schneeman, acting CFO of UUNET. When Schneeman refused, Myers told him, "Book it right now, I can't wait another minute."

"Here's your number." Myers telling Timothy Schneberger, Director of International Fixed Costs, to release $370 million of accruals.

The Audit 'Profession'

Arthur Andersen, WorldCom's independent external auditor from 1990 to 2002, called WorldCom its "flagship" and most "highly coveted" client, the firm's "Crown Jewel". Andersen wanted to be considered a committed member of WorldCom's team. After WorldCom merged with MCI, Andersen, which had a Mississippi-based team of 10-12 people working full-time on WorldCom's audits, under-billed the company and justified the lower charges as a continuing investment in its WorldCom relationship.

The Bottom Line

- Who was responsible for WorldCom's fraud?
- What was responsible for WorldCom's fraud?
- Why was it responsible for WorldCom's fraud?

Discuss.

Ethics in Action: True Stories from Hong Kong

Technology Hype: Pollution Control

- A businesswoman with government ties gets an exclusive contract from the Environmental Protection Department to supply high-tech 'exhaust cleaners' to clean up the pollution from diesel taxis and buses in the city.
- These 'exhaust cleaners' are later found to be empty tins with a little steel wool thrown into them, sold to the government at a 300% markup.
- The businesswoman uses the proceeds from her scam to promote the IPO of a new company selling her 'exhaust cleaners', and promptly transfers the proceeds of the IPO to another company.

Question: Was the businesswoman (1) clever, (2) working through a tradition of 'guanxi', or (3) unethical? What remedy would you prescribe to compensate residents whose health has deteriorated because of the pollution? To the taxpayers who paid for the scam?

Technology Hype: Pollution Control, part 2

- A financial analyst and a celebrity columnist for the local newspaper find out about the bogus 'exhaust cleaner' scam, and publish their findings in the newspaper and on the Internet.
- The businesswoman's husband (who is owner of the company that was IPO'd) posts material to his own Web site impugning the financial analyst's character, falsely accusing the analyst of being a 'porn star'.

Question: The businesswoman's husband (1) was justified in venting his personal anger, (2) should adjust his medication, or (3) is unethical? What remedy would you prescribe to compensate the analyst?
Yes, Virginia, There Is a Santa Claus

- A businessman runs a successful business selling plastic Christmas trees.
- He announces plans to sell off this core business (accounting for 99.9% of revenue) to reposition the firm as a producer of game software.
- In order to justify this shift, the businessman claimed that last year's reported profits dropped 9.6% in the core business, whereas profits actually increased 12.5%.
- Subsequent analysis revealed that the sale of the plastic Christmas tree business would be to a related party at a substantial discount to the value of the business. The difference would be borne by (expropriated from) the minority shareholders.

Question: Was the businessman (1) 'clever', (2) properly exercising his 'guanxi', or (3) unethical? What remedy would you prescribe to compensate minority shareholders? Would you recommend that next time they should heed the dictum 'caveat emptor' (let the buyer beware)?

Cyber-sport

- A businessman uses his government ties to coerce the government to subsidize (at taxpayer expense of $10 billion) a large property development on the last developable ocean-view property in the city.
- The businessman promises that the unique design of this property will make the city a world leader in information technology.
- The property is 75% residential, with another 15% dedicated to shopping; the remaining 10% is office space no different from that available elsewhere in the city for 50% of the price.

Question: Was the businessman (1) 'clever', (2) properly exercising his 'guanxi', or (3) unethical? What remedy would you prescribe to compensate taxpayers?
Cyber-sport, part 2

- A businessman uses his investment in government-subsidized real estate to promote an IPO in stock, based on promises of this company becoming a leading global information technology firm.
- The businessman spent millions on marketing firms, ghost writers and payments to create an image of high technology for himself and his firm.
- An analysis of the assets of the firm indicates an IPO value of $5 per share, maximum. The local securities firm handling the IPO estimates the share value at $25 per share.
- Analysts who contradicted the $25 share price were followed by private investigators.
- The IPO was successful, and the businessman immediately transferred $1 billion from the IPO into one of his other companies.
- The stock price subsequently collapsed to under $2 per share.

Question: Was the businessman (1) 'clever', or (2) unethical? What remedy would you prescribe to compensate investors, many of whom were pensioners or had placed their life savings in these shares?

Cyber-sport, part 3

- Government bureaucrats, being unwilling to renege on their real estate subsidy, instead take an ownership position in the property and dictate that rental prices will be substantially less than for property owned by rival property developers.
- This essentially robs paying customers from other property and further depresses the city's property market, driving investment overseas.

Question: The bureaucrats (1) were right to save 'face', (2) were doing their civil service by protecting the taxpayers' subsidy (i.e., two wrongs might make a right), or (3) were unethical? What remedy would you prescribe to compensate rival property owners, or are they all just too rich and powerful to deserve helping?
Loose Lips

- The chairman of a stock exchange publicly announces that he is considering delisting a technology-heavy class of stocks.
- The next trading day, prices collapse and sell-side liquidity drops to zero, resulting in investor losses in the billions.
- Acquisitive companies purchase the nearly valueless shares, gain control, strip the assets from the firms, and fire management and employees.

Question: Was the stock exchange chairman (1) careless, or (2) unethical? What remedy would you prescribe to compensate investors, managers and employees who have been wronged, many of whom were pensioners or had placed their life savings in these shares? Should the exchange chairman be fired?

Accounting for Technology

- The President of the Professional Society of Accountants objects to new accounting rules as 'invasive'.
- These rules would crack down on corporate crooks who have used 'technology hype' and faulty accounting for technology assets to rob investors of trillions of dollars, putting it into their own off-shore bank accounts.
- There are no other rules or regulations in force which will catch the crooks.

Question: (1) Accountants have no duty to protect investors, only to make sure that accounts satisfy accounting principles; or (2) the President of the Professional Society of Accountants has made an unethical recommendation; or (3) something else? What remedy would you prescribe to compensate investors, managers and employees who have been wronged by these corporate crooks? Should accountants be sued for their part in helping the crooks?