Chapter 3 Ethics Fraud and Internal Control

Human Resource and Management Lecture

Accountancy (University of San Carlos)

ETHICS, FRAUD, AND INTERNAL CONTROL (CHAPTER 3)

ETHICAL ISSUES IN BUSINESS

Ethical standards are derived from societal mores and deep-rooted personal beliefs about issues of right and wrong that are not universally agreed upon.

What Is Business Ethics?

Ethics pertains to the principles of conduct that individuals and business managers use in guiding their behavior and choices. It involves not only knowing what is right but also knowing how to achieve what is right.

Ethics in business can be divided into four areas:

- Equity (fairness and lawful practices in the marketplace),
- Rights (individual employee rights),
- Honesty (behavior), and
- Exercise of corporate power (working condition choices).

Ethical behavior is a necessary but not sufficient condition for business success in the long run. (Inherently, this statement is saying that businesses that behave unethically should be punished).

Some firms address ethical issues through:

- Ethics training and awareness in the workplace
- Greater commitment of top management to improving ethical standards.
- Written codes of ethics/conduct to communicate management’s expectations (Johnson and Johnson’s “credo” of corporate values).
- Programs to encourage moral development and implement ethical guidelines.
- Techniques to monitor compliance.

Management is responsible to maintain an ethical environment, to limit opportunity and temptation for unethical behavior within the company. A company’s commitment to ethics should be above their commitment to short-term profits and efficiency.

MORAL REASONING STAGES OF DEVELOPMENT: KOHLBERG’S STAGES OF MORAL DEVELOPMENT

- (Kohlberg’s model was created specifically for the framework of child development and has been widely criticized for promoting the inherent value system of its author. The original Kohlberg model organized a child’s values development from parental punishment/rewards to organizational belonging/success (local maximization) to greater social contracts/justice (forgoing one’s individual gains for the sake of societal gain). The representation in the Hall textbook is an interpretation of the Kohlberg model.

• Stage 1 (lowest): Punishment orientation: obey rules to avoid punishment
• Stage 2: Reward orientation: obey rules to obtain the reward
• Stage 3: Good boy/girl orientation: obey rules to receive approval
• Stage 4: Authority orientation: obey rules to be perceived as performing one’s duty
• Stage 5: Social contract orientation: obey rules to obtain the respect of peers and maintain self-respect
• Stage 6 (highest): Ethical Principle Orientation: rules are guided by self-selected ethical principles that promote self-esteem.

- Every business decision has ethical risks and benefits. Your ethical responsibility is the balancing between these consequences. The following principles have been provided for guidance on these decisions:

• Proportionality: The ethical benefit from a decision must outweigh the risks.
• Justice: The benefits should be distributed fairly to those affected.
• Minimize Risk: The decision should minimize all risks and avoid unnecessary risks.

What is Computer Ethics?

- Computer Ethics is the analysis of the impact of computer technology and the policies for the ethical use of such technology. It involves software, hardware, and network behaviors.

Three levels of computer ethics:

• Pop ethics: staying current with the media.
• Para ethics: having real interest and acquiring some skill and knowledge in the field.
• Theoretical ethics: multidisciplinary application of ethical theories to computer science.

- Many argue that computer ethics are no different in nature than traditional issues (property rights, copyright, trade secrets, patent laws). The following issues of concern involve computer ethics and may generate class discussions:

• Privacy: how much information about you is available to others? How much information about yourself do you really own?
• Security (Accuracy and Confidentiality): How can you avoid authorized/unauthorized individuals accessing or changing your computerized information? Where is the balance between safe data and open shared resources?
• Ownership of Property: Can an individual own ideas? Media? Source or object code? Do copyright laws and patents restrict the progress of technology?
• Equity in Access: Does the economic status of an individual restrict him/her from access to a career in information technology?
• Environmental Issues: Do high-speed printers cause less responsibility for reducing paper waste?
• Artificial Intelligence: Who is responsible for the decisions that an expert system or a bot might make on behalf of a business?
• Unemployment and Displacement: When a business downsizes employees because a computer now performs their jobs, is that business responsible to retrain the displaced employees?
• Misuse of Computers: How do you feel about copying software, MP3 music files, snooping through other people’s files, or using a business’ computer for personal purposes?

- Managers must establish and maintain a system of internal controls to ensure the integrity and reliability of their data.

FRAUD AND ACCOUNTANTS

Fraud is a false representation of a material fact made by one party to another party with the intent to deceive and to induce the other party to rely on the fact to his or her detriment. Many times, alleged fraud is just poor management decisions or adverse business conditions.

Common law asserts that for an act to be considered fraudulent, it must meet five requirements:

1. There must be a false representation, statement or a nondisclosure.
2. There must be a material fact, a substantial factor in inducing someone to act.
3. There must be intent to deceive.
4. The misrepresentation must have resulted in justifiable reliance causing someone to act.
5. The deception must have caused injury or loss to the victim of the fraud.

Business fraud is an intentional deception, misappropriation of assets, or manipulation of financial data to the advantage of the perpetrator. Two types of fraud discussed in this chapter are employee fraud and management fraud.

Employee fraud is committed by non-management personnel and usually consists of an employee taking cash or other assets for personal gain and concealing their actions.

Management fraud is committed at higher levels and usually does not involve the direct theft of an asset. It is generally more difficult to detect for the following reasons:

• The fraud occurs at levels that are above internal control mechanisms.
• The fraud occurs by managers who can manipulate financial statements through either expense allocations or revenue recognition.
• The misappropriation of assets can be covered up with complex transactions, often involving third parties.

Factors That Contribute to Fraud

Forces that interact to motivate an individual to commit fraud can be categorized as situational pressures (high), opportunity (high), and personal characteristics/ethics (low).

Auditors should look to many places to determine management’s motivations to commit fraud and should look at the top management of the companies they audit to find the answers to questions such as:

• Personal: Do any of the managers have a lot of debt? Are they living beyond their means? Are they gambling? Do they abuse substances?
• Environment: Are economic conditions unfavorable?
• Business: Does the company use several different banks, none of which see the company’s entire financial picture? Are there close associations with any supplier?

Financial Losses From Fraud

The opportunity seems to be the overall most important factor associated with the fraud. Opportunity can be defined as control over assets or access to assets. Opportunity is characterized in this dataset with a higher management position, which is mostly filled by older, more educated males at this time in history.

Fraud Schemes

The three broad categories of fraud schemes to be discussed in this class are fraudulent financial statements, corruption, and asset misappropriation.

Fraudulent Financial Statements

For financial statements to be fraudulent, the statement itself must bring financial benefit to the perpetrator, either direct or indirect. The manipulation of the financial statement cannot just be a vehicle to hide the fraudulent act.

Underlying problems include:

• Lack of auditor independence
• Lack of director independence
• Questionable executive compensation schemes
• Inappropriate accounting practices

Sarbanes-Oxley Act – July 2002, passed by US Congress and signed by President Bush. This act reforms oversight and regulation of public company directing and auditing. Its principal reforms involve:

• The creation of an accounting oversight board (PCAOB) empowered to set auditing, quality control, and ethics standards, to inspect registered accounting firms, to conduct investigations, and to take disciplinary actions.
• Auditor independence: Engaged auditors cannot provide other services to their clients including: bookkeeping, AIS design and implementation, appraisal or valuation services, fairness opinions, or contribution-in-kind reports, actuarial services, internal audit outsourcing services, management functions, human resources, broker or dealer, investment adviser, or investment banking services, legal services, expert services unrelated to the audit, and any other service that the PCAOB determines impermissible.
• Corporate governance and responsibility through the board of directors’ audit committee, who need to be independent of the company, and be the ones who hire and manage the external auditors. Public corporations are prohibited from making loans to their executive officers and directors, and attorneys must report evidence of material violations of securities laws or breaches of fiduciary duty to the CEO, CFO or PCAOB.
• Disclosure requirements include all off-balance sheet transactions, SEC filings containing a statement by management asserting that they are responsible for creating and maintaining adequate and effective internal controls and that the officers certify that the accounts fairly present the financial condition and results of operations. Knowingly filing false certification is a criminal offense.
• Penalties for fraud and other violations, such as making it a federal offense for destroying documents or audit work papers, to be used in an official proceeding or actions against whistleblowers.

Corruption

Corruption involves collusion with an outside entity. The four principal types of corruption include:

• Bribery: Offering, giving, or receiving things of value to influence an official in the performance of his/her lawful duties (before the fact).
• Illegal Gratuities: Offering, giving, requesting, or receiving something of value because of an official act that has been taken (after the fact).
• Conflicts of Interest: When an employee acts on the behalf of a third party during the discharge of duties or has self-interest in the activity being performed.
• Economic Extortion: Threat or use of force (including economic sanctions) by an individual or organization to obtain something of value.

Asset Misappropriation

Asset Misappropriation is the most common form of fraud; the CFE found 85 percent of fraud cases to be asset misappropriations. Transactions involving cash, checking accounts, inventory, supplies, equipment, and information are the most vulnerable assets. Examples of asset misappropriation schemes include:

• Charges to expense accounts.
• Lapping: an employee who has access to customer checks and to accounts receivable records steals some money, and then uses the next check that comes in to cover the last amount stolen (so that the customers never notice). This can continue until the employee leaves the company or takes a vacation, or is switched to another position.
• Transaction Fraud: involves deleting, altering, or adding false transactions to divert assets to the perpetrator (false invoices, false paychecks, etc.).
• Computer Fraud Schemes: Computer environments are subject to their own kinds of fraud. Computer fraud can include theft of assets by:
  o altering computer data records,
  o altering the logic of software programming,
  o theft or illegal use of computer information,
  o theft, copying, or destruction of software, and
  o theft, misuse, or destruction of hardware.

Computer assets are vulnerable to theft or destruction at each phase of the accounting information system.

• Data Collection: This phase of the system is most vulnerable because it is very easy to change data as it is being entered into the system. Fraudulent transactions or dollar amounts can be keyed into the system and thefts can thus be covered up. Data must be valid, complete, free from material errors, relevant, and efficiently collected.
  o Masquerading is an unauthorized user entering the system as an authorized user.
  o Piggybacking is tapping into the telecommunication lines and latching onto an authorized user who is logging into the system. Once inside, the perpetrator can go their own way.
• Data Processing: Frauds can be a program or operation fraud.
  o Program fraud includes altering programs to allow illegal access, introduce a virus, or alter a program’s logic to cause incorrect data processing.
  o Operation fraud is the misuse of company computer resources, for example, for personal use or personal business.
• Database Management: Fraud at this phase of the system involves altering, destroying, or stealing the company's data either in storing, retrieving, or deleting tasks.
• Information Generation: Fraud here involves misrepresentation, theft, or misuse of the computer output, either on-screen or in hard copy. It can also involve scavenging (searching through the trash cans of a company for discarded outputs) or eavesdropping (listening to electronic transmissions). The information must have the following characteristics:
  o Relevance: It affects the employee’s decisions regarding the task at hand.
  o Timeliness: It can be no older than the time period of the action that it supports.
  o Accuracy: It must be free of material errors.
  o Completeness: No essential piece of information is missing.
  o Summarization: Information is aggregated in accordance with the user’s needs.

Internal Control Concepts and Procedures

Foreign Corrupt Practices Act of 1977

Requires companies registered with the SEC to:

• Keep records that fairly and reasonably reflect the transactions of the firm and its financial position, and
• Maintain a system of internal control that provides reasonable assurance that the organization’s objectives are met.

Internal Control in Concept

Internal control systems include all of the policies, practices, and procedures employed by the organization to achieve four broad objectives (according to AICPA’s SAS#1, sec. 320):

• to safeguard assets of the firm,
• to ensure the accuracy and reliability of accounting records and information,
• to promote the efficiency of the firm's operations, and
• to measure compliance with management's prescribed policies and procedures.

Modifying Assumptions for systems designers and auditors include:

• Management Responsibility: Management is ultimately responsible.
• Reasonable assurance: The internal control system should provide reasonable rather than absolute assurance.
• Data Processing Methods: The methods utilized for data processing will change the types of internal controls needed and utilized to achieve the four objectives.
• Limitations: Every system has limitations including the possibility of error, circumvention, management override, and changing conditions.

Exposures and Risks

Assets are subject to the risk of losses, termed exposures if internal controls are weak in a particular area. Exposures can lead to the following kinds of problems:

• Destruction of the asset
• Theft of the asset
• Corruption of information or of the information system
• Disruption of the information system

The Preventive-Detective-Corrective Internal Control Model is a very useful model to approach risk management.

• Preventive controls are designed to reduce the opportunities for the commission of errors or fraud. They are passive controls, meaning that they are integrated into the system in the hopes of preventing errors and fraud before they happen. They provide safeguards that are built into the system's routine procedures.
• Detective controls are designed to detect errors or fraud after they have occurred. These controls compare what has actually happened with what was supposed to happen. If deviations occur, they are identified.
• Corrective controls are measures taken to correct errors, especially material ones, once they have been detected. Such measures should be taken with caution after the reasons for the errors have been found. If an error is a minor one, it may not be worth analyzing and correcting.

Auditing and Auditing Standards

Auditors are guided in their professional responsibilities by GAAS (Generally Accepted Auditing Standards), in addition to many other Statements on Auditing Standards.

• General qualification standards refer to the background that is necessary to be an auditor.
• Fieldwork standards refer to the level of investigative professionalism that is required while conducting an audit. Note that the second fieldwork standard refers to an understanding of the internal control structure.
• Reporting standards refer to the requirements an auditor must follow when rendering a professional opinion.
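An added example, not part of the original notes: a detective control in the sense used in these notes (compare what actually happened with what was recorded), applied to the lapping scheme described earlier. The record layouts, the assumption that a remittance list is prepared independently of the accounts receivable clerk, and all sample data are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Remittance:
    """What actually arrived: one line of an independently prepared remittance list."""
    check_id: str
    payer: str
    amount_cents: int
    received: date


@dataclass(frozen=True)
class Posting:
    """What was recorded: one credit posted to accounts receivable."""
    check_id: str
    credited_customer: str
    amount_cents: int
    posted: date


def lapping_indicators(remittances, postings):
    """Match each receipt to its A/R posting and return (check_id, finding) pairs."""
    posting_by_check = {p.check_id: p for p in postings}
    findings = []
    for r in remittances:
        p = posting_by_check.get(r.check_id)
        if p is None:
            findings.append((r.check_id, "UNPOSTED_RECEIPT"))
            continue
        if p.credited_customer != r.payer:
            # A check from one customer covering another customer's balance
            # is the signature of lapping.
            findings.append((r.check_id, "CREDITED_TO_OTHER_CUSTOMER"))
        if p.amount_cents != r.amount_cents:
            findings.append((r.check_id, "AMOUNT_MISMATCH"))
    received_ids = {r.check_id for r in remittances}
    for p in postings:
        if p.check_id not in received_ids:
            findings.append((p.check_id, "POSTING_WITHOUT_RECEIPT"))
    return findings


def uncredited_customers(remittances, postings):
    """Per-customer totals: who paid more than was credited to their account."""
    paid, credited = {}, {}
    for r in remittances:
        paid[r.payer] = paid.get(r.payer, 0) + r.amount_cents
    for p in postings:
        credited[p.credited_customer] = credited.get(p.credited_customer, 0) + p.amount_cents
    return {c: paid[c] - credited.get(c, 0)
            for c in paid if paid[c] > credited.get(c, 0)}


# Constructed sample: the first check is taken, and each later check is used
# to cover the previous customer's balance.
REMITTANCES = [
    Remittance("C1", "acme", 50000, date(2024, 1, 2)),
    Remittance("C2", "birch", 50000, date(2024, 1, 9)),
    Remittance("C3", "cedar", 50000, date(2024, 1, 16)),
    Remittance("C4", "dune", 30000, date(2024, 1, 5)),
]
POSTINGS = [
    Posting("C2", "acme", 50000, date(2024, 1, 9)),
    Posting("C3", "birch", 50000, date(2024, 1, 16)),
    Posting("C4", "dune", 30000, date(2024, 1, 5)),
]

if __name__ == "__main__":
    for check_id, finding in lapping_indicators(REMITTANCES, POSTINGS):
        print(check_id, finding)
    print(uncredited_customers(REMITTANCES, POSTINGS))
```

On this sample the per-customer totals expose only the most recent shortfall, while the check-level comparison exposes every step of the chain.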

The Statement on Auditing Standards No. 78 discusses the complex relationship between the firm’s internal controls, the auditor’s assessment of risk, and the planning of audit procedures. This statement conforms to the recommendations of the US Congress’ Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Internal Control Components

According to SAS No. 78, internal control consists of the control environment, risk assessment, information and communication activities, monitoring activities, and control activities.

Control Environment

The Control Environment is the foundation of internal control and sets the tone for the organization. Important elements of the control environment include:

• The integrity and ethical values of management
• The organizational structure of the company
• The role and participation level of the board of directors and of the audit committee
  Is there an internal auditing department that reports to the audit committee?
• Management's philosophy or approach to running the company
• Delegation of responsibility and authority
  Is there proper segregation of duties between authorization, custody, and accounting?
• Methods for evaluating performance
• External influences, such as examinations by outside parties
• The organization's policies and practices for managing its human resources

SAS 78 requires the auditors to obtain sufficient knowledge to assess the attitude and awareness of an organization's management, the board of directors, and owners to determine the importance of internal control in their organization. Techniques they could utilize include background checks, reputation, integrity, external conditions, knowledge of the client’s industry, and specific business.

Management should adopt the provisions of the Sarbanes-Oxley Act by:

• Separating the roles of CEO and chairman,
• Setting ethical standards,
• Establishing an Independent Audit Committee
• Compensation Committees
• Nominating Committees
• Access to Outside Professionals

Risk Assessment

Management must assess the risks of their business and their environment. Such risk would be increased by, for example, rapid growth, new competitors, new product lines, organizational restructuring, entering foreign markets, implementation of new technology, or adopting a new accounting principle that impacts the financial statements. Auditors are required by SAS No. 78 to obtain an understanding of their clients' methods for assessing risk.

Information and Communication

Managers are responsible for developing, implementing, and maintaining a good system of Information and Communication for all in the organization. The accounting information system consists of the records and methods used to initiate, identify, analyze, classify, and record the organization’s transactions and account for the related assets and liabilities.

The quality of information generated by an organization's accounting information system will impact the reliability of the organization's financial statements. Auditors are required to obtain an understanding of the classification of material transactions, the processing of those transactions in the accounting records, and the utilization of processed data in the preparation of financial statements.

Effective accounting information systems will:

• Identify and record all valid financial transactions.
• Provide timely information about transactions in sufficient detail to permit proper classification and financial reporting.
• Accurately measure the financial value of transactions so their effects can be recorded in financial statements.
• Accurately record transactions in the time period in which they occurred.

Auditors are required to obtain sufficient knowledge of the information system to understand:

• The classes of transactions that are material to the financial statements and how those transactions are initiated.
• The accounting records and accounts that are used in the processing of material transactions.
• The transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements.
• The financial reporting process used to prepare financial statements, disclosures, and accounting estimates.

Monitoring

Monitoring must be performed to determine that the internal controls are functioning as intended. Monitoring may be performed by internal auditors who periodically test controls and report to management any weaknesses that could be a cause for concern. Monitoring can also be performed continuously through
the implementation of computer modules designed specifically to monitor the functioning of internal controls. A good reporting system, reviewed by management, is also an excellent monitoring information system.

Control Activities

Control Activities are the policies and procedures used to ensure that appropriate actions are taken to deal with the identified risks. There are two categories, computer controls, and physical controls.

Computer Controls can be categorized into two groups: general controls and application controls.

• General Controls pertain to pervasive, entity-wide concerns such as access and approval, such as human resources and project management.
• Application Controls pertain to the details of specific systems, such as payroll.

Physical Controls typically relate to manual procedures. Traditionally, there are six categories of physical control activities:

• Transaction Authorization: Employees should only be carrying out authorized transactions. Authorizations may be general or specific. General authorization may be granted to employees to carry out routine, everyday procedures while specific authorization may be needed for non-routine transactions.
• Segregation of Duties: The key segregations should be between the authorizing and the processing of a transaction and between the custody of an asset and its record-keeping. The system must be designed so that it would take more than one employee to successfully carry out a fraudulent act. In a computerized system, however, many duties that must be segregated in a manual system may be combined because computers do not make errors or commit fraud. Nevertheless, in a computer-based system, segregation should exist between the functions of program development, program operations, and program maintenance. Figure 3-6 illustrates the top 3 objectives for the segregation of duties.
• Supervision is referred to as a compensating control because it comes into play when there is not an adequate separation of duties and employees must double up on tasks. This control is especially important for computer-based systems as often management must hire from a small supply of technically competent individuals, these individuals have access to much of the organization’s sensitive data, and because management is unable to observe employees who work with the system.
• Accounting Records are the source documents, journals, and ledgers of a business. These documents provide the audit trail for all the company's economic transactions. Audit trails are also created in computer-based systems, but the form and appearance of the accounting records are different from those in a manual system (hashing techniques, pointers, indexes, embedded keys). Auditors must understand system controls to know their impact on the audit trails of the records.
• Access Controls safeguard assets by restricting physical access. In computer-based systems, access controls should reduce the possibilities of computer fraud and losses from disasters. Access controls should limit personnel access to central computers, restrict access to computer programs, provide security for the data processing center, provide adequate backup for data files, and provide for disaster recovery.
• Independent Verification procedures identify errors and misrepresentations and can be performed by both managers and computers. For example, managers can review financial and management reports, and computers can reconcile batch totals or subsidiary accounts with control accounts. Management can assess an individual application’s performance, processing system integrity, and data accuracy. Examples of independent verification include reconciling batch totals at various points of processing, comparing physical assets with accounting records, reconciling subsidiary ledgers with general ledger control accounts, and reviewing management reports.

The Importance of Internal Controls

The five components of internal control are: environment, risk assessment, information and communication, monitoring, and control activities. Understanding internal control will guide the auditor in the planning of specific tests to determine the likelihood and the extent of financial statement misrepresentation.
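An added example, not part of the original notes: a check for the segregation-of-duties rules listed under the physical controls above, with supervision treated as a compensating control. The duty names, user names, record layout and sample data are constructed for illustration.

```python
from itertools import combinations

# Duty pairs the notes say must be segregated (the duty names are assumptions).
INCOMPATIBLE_DUTIES = {
    frozenset({"authorize", "process"}),            # authorizing vs processing
    frozenset({"custody", "record_keeping"}),       # asset custody vs its records
    frozenset({"program_development", "program_operations"}),
    frozenset({"program_development", "program_maintenance"}),
    frozenset({"program_operations", "program_maintenance"}),
}


def _conflicting_pairs(duties):
    """Yield every incompatible pair contained in one person's set of duties."""
    for a, b in combinations(sorted(duties), 2):
        if frozenset((a, b)) in INCOMPATIBLE_DUTIES:
            yield a, b


def sod_findings(assignments, supervised=frozenset()):
    """Review standing assignments: user -> set of duties.

    Returns (user, duty_a, duty_b, status) tuples. A conflict held by a
    supervised user is reported as compensated rather than dropped, so the
    reviewer still sees that the control relies on supervision.
    """
    findings = []
    for user in sorted(assignments):
        for a, b in _conflicting_pairs(assignments[user]):
            status = ("compensated_by_supervision" if user in supervised
                      else "unmitigated")
            findings.append((user, a, b, status))
    return findings


def single_actor_transactions(transactions):
    """Review a transaction log: flag transactions where one person performed
    both halves of an incompatible pair, whatever their standing assignment."""
    flagged = []
    for txn in transactions:
        duties_by_user = {}
        for duty, user in txn["performed_by"].items():
            duties_by_user.setdefault(user, set()).add(duty)
        for user in sorted(duties_by_user):
            for a, b in _conflicting_pairs(duties_by_user[user]):
                flagged.append((txn["id"], user, a, b))
    return flagged


# Constructed sample data.
ASSIGNMENTS = {
    "alice": {"authorize"},
    "bob": {"process", "record_keeping"},      # not a listed pair
    "carol": {"custody", "record_keeping"},    # conflict
    "dave": {"program_development", "program_operations"},  # conflict
}
SUPERVISED = frozenset({"dave"})
TRANSACTIONS = [
    {"id": "T1", "performed_by": {"authorize": "alice", "process": "bob"}},
    {"id": "T2", "performed_by": {"authorize": "bob", "process": "bob"}},
]

if __name__ == "__main__":
    for finding in sod_findings(ASSIGNMENTS, SUPERVISED):
        print(finding)
    for finding in single_actor_transactions(TRANSACTIONS):
        print(finding)
```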
