Accounting Information Systems_Chapter 4

Chapter 4 discusses the importance of ethics in business, highlighting issues such as fraud, internal controls, and the ethical use of information technology. It outlines the types of fraud, including employee and management fraud, and emphasizes the need for ethical decision-making frameworks and internal controls to prevent unethical behavior. The chapter also covers the implications of the Sarbanes-Oxley Act in enhancing corporate governance and accountability.

Chapter 4. Ethics, Fraud, and Internal Control

Learning Objectives:
After studying this chapter, you should:
 Understand broad issues pertaining to business ethics
 Have a basic understanding of ethical issues related to the use of information technology
 Be able to distinguish between management fraud and employee fraud
 Be familiar with common types of fraud schemes
 Be familiar with the COSO internal control framework
 Understand the objectives and application of both physical and IT control activities
ETHICAL ISSUES IN BUSINESS

We have been inundated with scandals in the stock market, stories of computer crimes and viruses, and almost obscene charges of impropriety and illegalities by corporate executives. Using covert compensation schemes, Enron’s chief financial officer (CFO) Andy Fastow managed to improve his personal wealth by approximately $40 million. Similarly, Dennis Kozlowski of Tyco, Richard Scrushy of HealthSouth, and Bernie Ebbers of WorldCom all became wealthy beyond imagination while driving their companies into the ground. Indeed, during the period from early 1999 to May 2002, the executives of 25 companies extracted $25 billion worth of special compensation, stock options, and private loans from their organizations while their companies’ stock plummeted 75 percent or more.
Business Ethics

Ethics pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong. More specifically, business ethics involves finding the answers to two questions: (1) How do managers decide what is right in conducting their business? And (2) once managers have recognized what is right, how do they achieve it?
Making Ethical Decisions

Business organizations have conflicting responsibilities to their employees, shareholders, customers, and the public. Every major decision has consequences that potentially harm or benefit these constituents.
 Proportionality. The benefit from a decision must outweigh the risks. Furthermore, there must be no alternative decision that provides the same or greater benefit with less risk.
 Justice. The benefits of the decision should be distributed fairly to those who share the risks. Those who do not benefit should not carry the burden of the risk.
 Minimize risk. Even if judged acceptable by the principles, the decision should be implemented so as to minimize all of the risks and avoid any unnecessary risks.
Computer Ethics

The use of information technology in business has had a major impact on society and thus raises significant ethical issues regarding computer crime, working conditions, privacy, and more. Computer ethics is “the analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology…. [This includes] concerns about software as well as hardware and concerns about networks connecting computers as well as computers themselves.”
ETHICAL ISSUES IN BUSINESS

Equity
 Executive Salaries
 Comparable Worth
 Product Pricing
Rights
 Corporate Due Process
 Employee Health Screening
 Employee Privacy
 Sexual Harassment
 Diversity
 Equal Employment Opportunity
 Whistle-Blowing
Honesty
 Employee and Management Conflict of Interest
 Security of Organization Data and Records
 Misleading Advertising
 Questionable Business Practices in Foreign Countries
 Accurate Reporting of Shareholder Interest
Exercise of Corporate Power
 Political Action Committees
 Workplace Safety
 Product Safety
 Environment Issues
 Divestment of Interests
 Corporate Political Contributions
 Downsizing and Plant Closures

Ethical behavior is a necessary but not sufficient condition for business success in the long run. (Inherently, this statement is saying that businesses that behave unethically should be punished.)
Some firms address ethical issues through:
- Ethics training and awareness in the workplace
- Greater commitment of top management to improving ethical standards
- Written codes of ethics/conduct to communicate management’s expectations (Johnson and Johnson’s “credo” of corporate values)
- Programs to encourage moral development and implement ethical guidelines
- Techniques to monitor compliance
Management is responsible for maintaining an ethical environment and for limiting opportunity and temptation for unethical behavior within the company. A company’s commitment to ethics should be above its commitment to short-term profits and efficiency.
MORAL REASONING STAGES OF DEVELOPMENT:
KOHLBERG’S STAGES OF MORAL DEVELOPMENT

(Kohlberg’s model was created specifically for the framework of child development and has been widely criticized for promoting the inherent value system of its author. The original Kohlberg model organized a child’s values development from parental punishment/rewards to organizational belonging/success (local maximization) to greater social contracts/justice (forgoing one’s individual gains for the sake of societal gain). The representation in the Hall textbook is an interpretation of the Kohlberg model.)
 Stage 1 (lowest): Punishment orientation: obey rules to avoid punishment
 Stage 2: Reward orientation: obey rules to obtain the reward
 Stage 3: Good boy/girl orientation: obey rules to receive approval
 Stage 4: Authority orientation: obey rules to be perceived as performing one’s duty
 Stage 5: Social contract orientation: obey rules to obtain the respect of peers and maintain self-respect
 Stage 6 (highest): Ethical principle orientation: rules are guided by self-selected ethical principles that promote self-esteem.
Every business decision has ethical risks and benefits. Your ethical responsibility is to balance these consequences. The following principles have been provided for guidance on these decisions:
 Proportionality: The ethical benefit from a decision must outweigh the risks.
 Justice: The benefits should be distributed fairly to those affected.
 Minimize Risk: The decision should minimize all risks and avoid unnecessary risks.
What is Computer Ethics?

Computer Ethics is the analysis of the impact of computer technology and the policies for the ethical use of such technology. It involves software, hardware, and network behaviors.
Three levels of computer ethics:
 Pop ethics: staying current with the media.
 Para ethics: having real interest and acquiring some skill and knowledge in the field.
 Theoretical ethics: multidisciplinary application of ethical theories to computer science.
Many argue that computer ethics are no different in nature from traditional issues (property rights, copyright, trade secrets, patent laws).
The following issues of concern involve computer ethics and may generate class discussions:
 Privacy: How much information about you is available to others? How much information about yourself do you really own?
 Security (Accuracy and Confidentiality): How can you avoid authorized/unauthorized individuals accessing or changing your computerized information? Where is the balance between safe data and open shared resources?
 Ownership of Property: Can an individual own ideas? Media? Source or object code? Do copyright laws and patents restrict the progress of technology?
 Equity in Access: Does the economic status of an individual restrict him/her from access to a career in information technology?
 Environmental Issues: Do high-speed printers cause less responsibility for reducing paper waste?
 Artificial Intelligence: Who is responsible for the decisions that an expert system or a bot might make on behalf of a business?
 Unemployment and Displacement: When a business downsizes employees because a computer now performs their jobs, is that business responsible to retrain the displaced employees?
 Misuse of Computers: How do you feel about copying software, MP3 music files, snooping through other people’s files, or using a business’ computer for personal purposes?
Managers must establish and maintain a system of internal controls to ensure the integrity and reliability of their data.
FRAUD AND ACCOUNTANTS

Fraud is a false representation of a material fact made by one party to another party
with the intent to deceive and to induce the other party to rely on the fact to his or her
detriment. Many times, alleged fraud is just poor management decisions or adverse
business conditions.
Legally, for an act to be fraudulent there must be:
1. A false statement, representation, or disclosure.
2. A material fact, which is something that induces a person to act.
3. An intent to deceive.
4. A justified reliance; that is, the person relies on the misrepresentation to take an action.
5. An injury or loss suffered by a victim.

The Association of Certified Fraud Examiners (ACFE) conducts comprehensive fraud studies and releases its findings in a Report to the Nation on Occupational Fraud and Abuse.

The ACFE estimates that:
 A typical organization loses 5% of its annual revenue to fraud, indicating yearly global fraud losses of over $3.7 trillion.
 Owner/executive frauds took much longer to detect and were more than four times as costly as manager-perpetrated frauds and more than 11 times as costly as employee frauds.

Corruption is dishonest conduct by those holding power and it often involves actions that
are illegitimate, immoral, or incompatible with ethical standards. There are many types of
corruption; examples include bribery and bid rigging.

Investment fraud is misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk. There are many types of investment fraud; examples include Ponzi schemes and securities fraud.

Two types of fraud that are important to businesses are misappropriation of assets (sometimes called employee fraud) and fraudulent financial reporting (sometimes called management fraud). These two types of fraud are now discussed in greater depth.

 Business fraud is an intentional deception, misappropriation of assets, or manipulation of financial data to the advantage of the perpetrator. Two types of fraud discussed in this chapter are employee fraud and management fraud.
 Employee fraud is committed by non-management personnel and usually consists of an employee taking cash or other assets for personal gain and concealing their actions.

Misappropriation of assets is the theft of assets by employees. Examples include the following:
 Albert Milano, a manager at ABS-CBN responsible for processing bills, embezzled Php20 million over a five-year period. He forged a superior’s signature on invoices for services never performed, submitted them to accounts payable, forged the endorsement on the check, and deposited it in his account. Milano used the funds to buy an expensive home, five cars, and a boat.
 A bank (BPI) vice president approved Php1 billion in bad loans in exchange for Php585,000.00 in kickbacks. The loans cost the bank $800 million and helped trigger its collapse.
 A manager at a Cebu newspaper went to work for a competitor after he was fired. The first employer soon realized its reporters were being scooped. An investigation revealed the manager still had an active account and password and regularly browsed its computer files for information on exclusive stories.
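The newspaper case above is a failure of a simple detective control: nobody compared HR's separation list with the list of enabled logins. The following is an added example (not from the lecture) of that reconciliation; it also flags any login recorded after the separation date, which points to misuse rather than a housekeeping lapse. All names, IDs and dates are constructed.

```python
"""Detective control: reconcile HR separations with still-enabled system accounts.

Added example, not from the lecture. Compares HR's separation report with the
directory's account list. A login after the employee's last day is evidence of
use by a former employee; an enabled but unused account is a weaker finding.
All people, usernames and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Separation:      # one row from HR's separation report
    employee_id: str
    last_day: date


@dataclass(frozen=True)
class Account:         # one row from the directory / application user list
    username: str
    employee_id: str
    enabled: bool
    last_login: Optional[date]


def orphaned_accounts(separations, accounts, as_of):
    """Return (username, severity, detail) tuples, most severe first.

    critical: the account was used after the employee's last day.
    high:     the account is still enabled after the last day (no use seen).
    Accounts of current employees and disabled, unused accounts pass.
    """
    last_day_by_emp = {s.employee_id: s.last_day for s in separations}
    findings = []
    for acct in accounts:
        last_day = last_day_by_emp.get(acct.employee_id)
        if last_day is None or last_day >= as_of:
            continue  # still employed (or leaving later): nothing to flag
        if acct.last_login is not None and acct.last_login > last_day:
            findings.append((acct.username, "critical",
                             f"login on {acct.last_login} after last day {last_day}"))
        elif acct.enabled:
            days = (as_of - last_day).days
            findings.append((acct.username, "high",
                             f"still enabled {days} days after last day {last_day}"))
    order = {"critical": 0, "high": 1}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


# Constructed sample data (not real people or systems).
SAMPLE_SEPARATIONS = [
    Separation("E100", date(2024, 2, 15)),   # the fired manager
    Separation("E200", date(2024, 3, 1)),
    Separation("E400", date(2024, 4, 30)),   # gave notice, still employed
]
SAMPLE_ACCOUNTS = [
    Account("mgr_editorial", "E100", True, date(2024, 3, 10)),   # used after firing
    Account("clerk_ap",      "E200", True, date(2024, 2, 20)),   # left enabled, unused
    Account("reporter_1",    "E300", True, date(2024, 3, 19)),   # current employee
    Account("clerk_ap_old",  "E200", False, date(2024, 2, 28)),  # properly disabled
    Account("sales_lead",    "E400", True, date(2024, 3, 18)),   # not yet departed
]


def run_sample(as_of=date(2024, 3, 20)):
    """Run the control over the constructed data as of a fixed review date."""
    return orphaned_accounts(SAMPLE_SEPARATIONS, SAMPLE_ACCOUNTS, as_of)


if __name__ == "__main__":
    for username, severity, detail in run_sample():
        print(f"{severity:8} {username:15} {detail}")
```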

Fraudulent financial reporting is intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.

Management falsifies financial statements to deceive investors and creditors, increase a company’s stock price, meet cash flow needs, or hide company losses and problems.

Four actions to reduce fraudulent financial reporting:
1. Establish an organizational environment that contributes to the integrity of the financial reporting process.
2. Identify and understand the factors that lead to fraudulent financial reporting.
3. Assess the risk of fraudulent financial reporting within the company.
4. Design and implement internal controls to provide reasonable assurance of preventing fraudulent financial reporting.

Management fraud is committed at higher levels and usually does not involve the direct theft of an asset. It is generally more difficult to detect for the following reasons:
 The fraud occurs at levels that are above internal control mechanisms.
 The fraud is committed by managers who can manipulate financial statements through either expense allocations or revenue recognition.
 The misappropriation of assets can be covered up with complex transactions, often involving third parties.
Factors That Contribute to Fraud

Forces that interact to motivate an individual to commit fraud can be categorized as situational pressures (high), opportunity (high), and personal characteristics/ethics (low).
Auditors should look to many places to determine management’s motivations to commit fraud and should look at the top management of the companies they audit to find the answers to questions such as:
 Personal: Do any of the managers have a lot of debt? Are they living beyond their means? Are they gambling? Do they abuse substances?
 Environment: Are economic conditions unfavorable?
 Business: Does the company use several different banks, none of which see the company’s entire financial picture? Are there close associations with any supplier?
Fraud Triangle
Pressure

Pressure is a person’s incentive or motivation for committing fraud. Three types of pressure lead to misappropriations. Financial pressure often motivates misappropriation fraud by employees. Examples of such pressure include living beyond one’s means, heavy financial losses, or high personal debt.
Opportunity

Opportunity is the condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain.

1. Commit the fraud. The theft of assets is the most common type of misappropriation. Most instances of fraudulent financial reporting involve overstatements of assets or revenues, overstatements of liabilities, or failures to disclose information.

2. Conceal the fraud. To prevent detection when assets are stolen or financial statements are overstated, perpetrators must keep the accounting equation in balance by inflating other assets or decreasing liabilities or equity. Concealment often takes more effort and time and leaves behind more evidence than the theft or misrepresentation. Taking cash requires only a few seconds; altering records to hide the theft is more challenging and time-consuming.

3. Convert the theft or misrepresentation to personal gain. In a misrepresentation, fraud perpetrators who do not steal cash or use the stolen assets personally must convert them to a spendable form. For example, employees who steal inventory or equipment sell the items or otherwise convert them to cash. In cases of falsified financial statements, perpetrators convert their actions to personal gain through indirect benefits; that is, they keep their jobs, their stock rises, they receive pay raises and promotions, or they gain more power and influence.
Financial Losses From Fraud

Opportunity seems to be the overall most important factor associated with fraud. Opportunity can be defined as control over assets or access to assets. Opportunity is characterized in this dataset by a higher management position, which is mostly filled by older, more educated males at this time in history.
Fraud Schemes

The three broad categories of fraud schemes to be discussed in this class are fraudulent financial statements, corruption, and asset misappropriation.
Fraudulent Financial Statements

For financial statements to be fraudulent, the statement itself must bring financial benefit to the perpetrator, either direct or indirect. The manipulation of the financial statement cannot just be a vehicle to hide the fraudulent act.
Underlying problems include:
 Lack of auditor independence
 Lack of director independence
 Questionable executive compensation schemes
 Inappropriate accounting practices
Sarbanes-Oxley Act – July 2002, passed by the US Congress and signed by President Bush. This act reforms the oversight and regulation of public company directors and auditors. Its principal reforms involve:
 The creation of an accounting oversight board (PCAOB) empowered to set auditing,
quality control, and ethics standards, to inspect registered accounting firms, to
conduct investigations, and to take disciplinary actions.
 Auditor independence: Engaged auditors cannot provide other services to their clients
including: bookkeeping, AIS design and implementation, appraisal or valuation
services, fairness opinions, or contribution-in-kind reports, actuarial services, internal
audit outsourcing services, management functions, human resources, broker or
dealer, investment adviser, or investment banking services, legal services, expert
services unrelated to the audit, and any other service that the PCAOB determines
impermissible.
 Corporate governance and responsibility through the board of directors’ audit
committee, who need to be independent of the company, and be the ones who hire
and manage the external auditors. Public corporations are prohibited to make loans
to their executive officers and directors, and attorneys must report evidence of
material violations of securities laws or breaches of fiduciary duty to the CEO, CFO or
PCAOB.
 Disclosure requirements include all off-balance sheet transactions, SEC filings
containing a statement by management asserting that they are responsible for
creating and maintaining adequate and effective internal controls and that the
officers certify that the accounts fairly present the financial condition and results of
operations. Knowingly filing false certification is a criminal offense.
 Penalties for fraud and other violations, such as making it a federal offense to destroy documents or audit work papers that are to be used in an official proceeding, or to take action against whistleblowers.
Corruption

Corruption involves collusion with an outside entity. The four principal types
of corruption include:
 Bribery: Offering, giving, or receiving things of value to influence an
official in the performance of his/her lawful duties (before the fact).
 Illegal Gratuities: Offering, giving, requesting, or receiving something of
value because of an official act that has been taken (after the fact).
 Conflicts of Interest: When an employee acts on the behalf of a third
party during the discharge of duties or has self-interest in the activity
being performed.
 Economic Extortion: Threat or use of force (including economic
sanctions) by an individual or organization to obtain something of value.
Asset Misappropriation

Asset misappropriation is the most common form of fraud; the ACFE found 85 percent of fraud cases to be asset misappropriations. Transactions involving cash, checking accounts, inventory, supplies, equipment, and information are the most vulnerable assets. Examples of asset misappropriation schemes include:
 Charges to expense accounts.
 Lapping: an employee who has access to customer checks and to
accounts receivable records steals some money, and then uses the
next check that comes in to cover the last amount stolen (so that the
customers never notice). This can continue until the employee leaves
the company or takes a vacation, or is switched to another position.

 Transaction Fraud: involves deleting, altering, or adding false transactions to divert assets to the perpetrator (false invoices, false paychecks, etc.).
 Computer Fraud Schemes: Computer environments are subject to their own kinds of fraud. Computer fraud can include theft of assets by:
   o altering computer data records,
   o altering the logic of software programming,
   o theft or illegal use of computer information,
   o theft, copying, or destruction of software, and
   o theft, misuse, or destruction of hardware.
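Lapping, described above, survives only while nobody compares the remitter named on each incoming check with the account that was credited. As an added example (not from the lecture), the following detective control does that reconciliation and also computes which customer is currently carrying the shortfall. It assumes the cash-receipts log is written by someone other than the A/R clerk, for instance whoever opens the mail; all customers, amounts and dates are constructed.

```python
"""Detective control for lapping: reconcile the cash-receipts log to A/R postings.

Added example, not from the lecture. Assumption: the receipts log is kept by a
person other than the A/R clerk, so the clerk cannot doctor both records.
Customers, check numbers, amounts and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Receipt:         # written when the mail is opened, by a different person
    check_no: str
    remitter: str      # customer named on the check
    amount: float
    received: date


@dataclass(frozen=True)
class Posting:         # entry made by the A/R clerk in the receivables ledger
    check_no: str
    credited_account: str
    amount: float
    posted: date


def find_lapping_indicators(receipts, postings, max_lag_days=3):
    """Return (check_no, reason) findings in receipt order.

    Flags a check that was never posted, a check credited to a customer other
    than the remitter, an amount changed between receipt and posting, and a
    posting made more than max_lag_days after receipt (checks being held back
    so they can be applied to an earlier victim's account).
    """
    by_check = {p.check_no: p for p in postings}
    findings = []
    for r in receipts:
        p = by_check.get(r.check_no)
        if p is None:
            findings.append((r.check_no, "received but never posted"))
            continue
        if p.credited_account != r.remitter:
            findings.append((r.check_no,
                             f"remitter {r.remitter} credited to {p.credited_account}"))
        if abs(p.amount - r.amount) >= 0.01:
            findings.append((r.check_no,
                             f"amount {r.amount:.2f} posted as {p.amount:.2f}"))
        lag = (p.posted - r.received).days
        if lag > max_lag_days:
            findings.append((r.check_no, f"posted {lag} days after receipt"))
    return findings


def customer_shortfalls(receipts, postings):
    """Amount each customer paid that never reached their own account.

    In a lapping chain every earlier victim is made whole by a later check, so
    only the most recent victim(s) show a shortfall: they will complain first.
    """
    net = {}
    for r in receipts:
        net[r.remitter] = net.get(r.remitter, 0.0) - r.amount
    for p in postings:
        net[p.credited_account] = net.get(p.credited_account, 0.0) + p.amount
    return {cust: round(-bal, 2) for cust, bal in net.items() if bal < -0.005}


# Constructed sample data: one pocketed check covered by the next two receipts.
SAMPLE_RECEIPTS = [
    Receipt("1001", "Alpha Trading", 5000.00, date(2024, 3, 1)),
    Receipt("1002", "Beta Supply",   5000.00, date(2024, 3, 4)),
    Receipt("1003", "Gamma Foods",   5000.00, date(2024, 3, 8)),
    Receipt("1004", "Delta Motors",  1200.00, date(2024, 3, 8)),
]
SAMPLE_POSTINGS = [
    # check 1001 was pocketed: no posting exists for it
    Posting("1002", "Alpha Trading", 5000.00, date(2024, 3, 5)),   # Beta's check covers Alpha
    Posting("1003", "Beta Supply",   5000.00, date(2024, 3, 13)),  # Gamma's check covers Beta, held 5 days
    Posting("1004", "Delta Motors",  1200.00, date(2024, 3, 8)),   # clean
]


def run_sample():
    """Run both checks over the constructed data."""
    return (find_lapping_indicators(SAMPLE_RECEIPTS, SAMPLE_POSTINGS),
            customer_shortfalls(SAMPLE_RECEIPTS, SAMPLE_POSTINGS))


if __name__ == "__main__":
    findings, short = run_sample()
    for check_no, reason in findings:
        print(f"check {check_no}: {reason}")
    print("customers currently short:", short)
```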
Computer Fraud

Computer fraud is any fraud that requires computer technology to perpetrate it.

Examples include:
 Unauthorized theft, use, access, modification, copying, or destruction of software, hardware, or data.
 Theft of assets covered up by altering computer records.
 Obtaining information or tangible property illegally using computers.

Computer fraud classification

Input fraud
The simplest and most common way to commit a computer fraud is to alter or falsify computer
input. It requires little skill; perpetrators need only understand how the system operates so they can
cover their tracks.

Processor fraud
Processor fraud is unauthorized system use, including the theft of computer time and services.

Computer instruction fraud
Computer instruction fraud includes tampering with company software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an unauthorized activity. This approach used to be uncommon because it required specialized programming knowledge.

Data fraud
Illegally using, copying, browsing, searching, or harming company data constitutes data fraud. The biggest cause of data breaches is employee negligence.

Output fraud
Unless properly safeguarded, displayed or printed output can be stolen, copied, or misused. It has been shown that some monitors emit television-like signals that, with the help of some inexpensive electronic gear, can be displayed on a television screen.
 Fraud perpetrators use computers to forge authentic-looking outputs, such as paychecks.
 A fraud perpetrator can scan a company paycheck, use desktop publishing software to erase the payee and amount, and print fictitious paychecks.
Computer assets are vulnerable to theft or destruction at each phase of the
accounting information system.
 Data Collection: This phase of the system is most vulnerable because it is very easy to change data as it is being entered into the system. Fraudulent transactions or dollar amounts can be keyed into the system and thefts can thus be covered up. Data must be valid, complete, free from material errors, relevant, and efficiently collected.
   o Masquerading is an unauthorized user entering the system as an authorized user.
   o Piggybacking is tapping into the telecommunication lines and latching onto an authorized user who is logging into the system. Once inside, the perpetrator can go their own way.
 Data Processing: Frauds can be program or operation frauds.
   o Program fraud includes altering programs to allow illegal access, introduce a virus, or alter a program’s logic to cause incorrect data processing.
   o Operation fraud is the misuse of company computer resources, for example, for personal use or personal business.
 Database Management: Fraud at this phase of the system involves altering, destroying, or stealing the company's data during storing, retrieving, or deleting tasks.
 Information Generation: Frauds here involve misrepresentation, theft, or misuse of the computer output, either on-screen or in hard copy. It can also involve scavenging (searching through the trash cans of a company for discarded outputs) or eavesdropping (listening to electronic transmissions).
The information must have the following characteristics:
 Relevance: It affects the employee’s decisions regarding the task at hand.
 Timeliness: It can be no older than the time period of the action that it supports.
 Accuracy: It must be free of material errors.
 Completeness: No essential piece of information is missing.
 Summarization: Information is aggregated in accordance with the user’s needs.
Internal Control Concepts and Procedures

Foreign Corrupt Practices Act of 1977

Requires companies registered with the SEC to:
 Keep records that fairly and reasonably reflect the transactions of the firm and its financial position, and
 Maintain a system of internal control that provides reasonable assurance that the organization’s objectives are met.
Internal Control in Concept

Internal control systems include all of the policies, practices, and procedures employed by the organization to achieve four broad objectives (according to AICPA’s SAS #1, sec. 320):
 to safeguard assets of the firm,
 to ensure the accuracy and reliability of accounting records and information,
 to promote the efficiency of the firm's operations, and
 to measure compliance with management's prescribed policies and procedures.
Modifying assumptions for systems designers and auditors include:
 Management Responsibility: Management is ultimately responsible.
 Reasonable Assurance: The internal control system should provide reasonable rather than absolute assurance.
 Data Processing Methods: The methods utilized for data processing will change the types of internal controls needed and utilized to achieve the four objectives.
 Limitations: Every system has limitations including the possibility of error, circumvention, management override, and changing conditions.
Exposures and Risks

Assets are subject to the risk of losses, termed exposures, if internal controls are weak in a particular area. Exposures can lead to the following kinds of problems:
 Destruction of the asset
 Theft of the asset
 Corruption of information or of the information system
 Disruption of the information system
Internal controls perform 3 functions

1. Preventive controls deter problems before they arise. Examples include hiring qualified personnel, segregating employee duties, and controlling physical access to assets and information.
2. Detective controls discover problems that are not prevented. Examples include duplicate checking of calculations and preparing bank reconciliations and monthly trial balances.
3. Corrective controls identify and correct problems as well as correct and recover from the resulting errors. Examples include maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing.
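Segregating employee duties is listed above as a preventive control, and the lapping scheme earlier in the chapter is exactly what happens when one person holds both custody of customer checks and the recording of receivables. The following added example (not from the lecture) shows the control enforced at the point of access provisioning: every permission in a hypothetical ERP is tagged with its business process and with one of the three functions to keep apart (authorization, custody, recording), and a grant that would combine two of them for one person in the same process is refused. Permission names, users and roles are constructed.

```python
"""Preventive control: refuse access grants that break segregation of duties.

Added example, not from the lecture. The permission catalogue, processes,
users and assignments are constructed for illustration.
"""
from collections import defaultdict

# The three functions the chapter says must be held by different people.
CONTROL_FUNCTIONS = {"authorization", "custody", "recording"}

# Hypothetical permission catalogue: permission -> (business process, function)
PERMISSIONS = {
    "ar.approve_credit":  ("receivables", "authorization"),
    "ar.receive_checks":  ("receivables", "custody"),
    "ar.post_payments":   ("receivables", "recording"),
    "ap.approve_invoice": ("payables",    "authorization"),
    "ap.sign_checks":     ("payables",    "custody"),
    "ap.post_invoice":    ("payables",    "recording"),
    "gl.view_reports":    ("reporting",   "read_only"),   # not a control function
}


def functions_by_process(permissions):
    """Group the control functions a permission set confers, per process."""
    grouped = defaultdict(set)
    for perm in permissions:
        if perm not in PERMISSIONS:
            raise ValueError(f"unknown permission: {perm}")
        process, function = PERMISSIONS[perm]
        if function in CONTROL_FUNCTIONS:
            grouped[process].add(function)
    return grouped


def sod_conflicts(assignments):
    """assignments: {user: set of permissions}.

    Returns {user: [(process, (function, function, ...)), ...]} for every user
    who combines two or more of authorization/custody/recording in one process.
    Holding authorization in two different processes is not a conflict.
    """
    conflicts = {}
    for user, perms in assignments.items():
        hits = [(process, tuple(sorted(funcs)))
                for process, funcs in sorted(functions_by_process(perms).items())
                if len(funcs) > 1]
        if hits:
            conflicts[user] = hits
    return conflicts


def can_grant(assignments, user, new_perm):
    """Preventive check for the provisioning workflow: simulate the grant and
    reject it if the user would then hold incompatible functions."""
    trial = set(assignments.get(user, set())) | {new_perm}
    hits = sod_conflicts({user: trial}).get(user, [])
    if hits:
        process, funcs = hits[0]
        return False, f"{user} would hold {' + '.join(funcs)} in {process}"
    return True, "ok"


# Constructed current assignments: the A/R clerk already has the lapping setup,
# which a periodic run of sod_conflicts() over existing users would surface.
SAMPLE_ASSIGNMENTS = {
    "ar_clerk":   {"ar.receive_checks", "ar.post_payments", "gl.view_reports"},
    "ap_clerk":   {"ap.post_invoice"},
    "controller": {"ar.approve_credit", "ap.approve_invoice", "gl.view_reports"},
}

if __name__ == "__main__":
    for user, hits in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print("existing conflict:", user, hits)
    print(can_grant(SAMPLE_ASSIGNMENTS, "ap_clerk", "ap.sign_checks"))
    print(can_grant(SAMPLE_ASSIGNMENTS, "ap_clerk", "gl.view_reports"))
```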
2 Categories of Internal Controls

1. General controls make sure an organization’s control environment is stable and well managed. Examples include security; IT infrastructure; and software acquisition, development, and maintenance controls.
2. Application controls prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported.
4 Levers of Control

Robert Simons, a Harvard business professor, has espoused four levers of control to help
management reconcile the conflict between creativity and controls.
1. A belief system describes how a company creates value, helps employees understand management’s vision, communicates company core values, and inspires employees to live by those values.
2. A boundary system helps employees act ethically by setting boundaries on employee behavior. Instead of telling employees exactly what to do, they are encouraged to creatively solve problems and meet customer needs while meeting minimum performance standards, shunning off-limit activities, and avoiding actions that might damage their reputation.
3. A diagnostic control system measures, monitors, and compares actual company progress to budgets and performance goals. Feedback helps management adjust and fine-tune inputs and processes so future outputs more closely match goals.
4. An interactive control system helps managers to focus subordinates’ attention on key strategic issues and to be more involved in their decisions. Interactive system data are interpreted and discussed in face-to-face meetings of superiors, subordinates, and peers.
Auditing and Auditing Standards

Auditors are guided in their professional responsibilities by GAAS (Generally Accepted Auditing Standards), in addition to many other Statements on Auditing Standards.
 General qualification standards refer to the background that is necessary to be an auditor.
 Fieldwork standards refer to the level of investigative professionalism that is required while conducting an audit. Note that the second fieldwork standard refers to an understanding of the internal control structure.
 Reporting standards refer to the requirements an auditor must follow when rendering a professional opinion.
The Statement on Auditing Standards No. 78 discusses the complex relationship between the firm’s internal controls, the auditor’s assessment of risk, and the planning of audit procedures. This statement conforms to the recommendations of the US Congress’ Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Internal Control Components

According to SAS No. 78, internal control consists of the control environment, risk assessment, information and communication activities, monitoring activities, and control activities.
Control Environment
The Control Environment is the foundation of internal control and sets the tone for the organization. Important elements of the control environment include:
 The integrity and ethical values of management
 The organizational structure of the company
 The role and participation level of the board of directors and of the audit committee
   o Is there an internal auditing department that reports to the audit committee?
 Management's philosophy or approach to running the company
 Delegation of responsibility and authority
   o Is there proper segregation of duties between authorization, custody, and accounting?
 Methods for evaluating performance
 External influences, such as examinations by outside parties
 The organization's policies and practices for managing its human resources
SAS 78 requires the auditors to obtain sufficient knowledge to assess the attitude and awareness of an organization's management, the board of directors, and owners to determine the importance of internal control in their organization. Techniques they could utilize include background checks, reputation, integrity, external conditions, knowledge of the client’s industry, and specific business.
Risk Assessment

Management must assess the risks of their business and its environment. Such risk would be increased by, for example, rapid growth, new competitors, new product lines, organizational restructuring, entering foreign markets, implementation of new technology, or adopting a new accounting principle that affects the financial statements. Auditors are required by SAS No. 78 to obtain an understanding of their clients' methods for assessing risk.
Information and Communication

Managers are responsible for developing, implementing, and maintaining a good system of information and communication for everyone in the organization. The accounting information system consists of the records and methods used to initiate, identify, analyze, classify, and record the organization's transactions and to account for the related assets and liabilities.
The quality of information generated by an organization's accounting information system affects the reliability of the organization's financial statements. Auditors are required to obtain an understanding of the classification of material transactions, the processing of those transactions in the accounting records, and the use of the processed data in preparing the financial statements.
Monitoring

Monitoring must be performed to determine that the internal controls are functioning as intended. Monitoring may be performed by internal auditors who periodically test controls and report to management any weaknesses that could be a cause for concern. It can also be performed continuously through computer modules designed specifically to monitor the functioning of internal controls. A good management reporting system, actively reviewed by management, is also an effective monitoring mechanism.
Control Activities

Control Activities are the policies and procedures used to ensure that appropriate actions are taken to deal with the identified risks. There are two categories: computer controls and physical controls.
 Computer Controls can be categorized into two groups: general controls and application controls.
 General Controls pertain to pervasive, entitywide concerns such as access and approval, human resources, and project management.
 Application Controls pertain to the details of specific systems, such as payroll.
 Physical Controls typically relate to manual procedures. Traditionally, there are six categories of physical control activities:
 Transaction Authorization: Employees should carry out only authorized transactions. Authorizations may be general or specific. General authorization may be granted to employees to carry out routine, everyday procedures, while specific authorization may be needed for non-routine transactions.
 Segregation of Duties: The key segregations should be between the authorizing and the processing of a transaction and between the custody of an asset and its record-keeping. The system must be designed so that it would take more than one employee, acting in collusion, to carry out a fraudulent act. In a computerized system, many duties that must be segregated in a manual system may be combined in a single program, because the program applies the same steps to every transaction and has no interest of its own in misstating them; the exposure moves to the people who can write, run, or alter that program. In a computer-based system, therefore, segregation should exist between the functions of program development, program operations, and program maintenance.
 Supervision is referred to as a compensating control because it comes into play when there is not an adequate separation of duties and employees must double up on tasks. This control is especially important for computer-based systems: management must often hire from a small supply of technically competent individuals, those individuals have access to much of the organization's sensitive data, and management is unable to observe directly the work employees do with the system.
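The check below is an added example, not code from the chapter or from SAS 78, showing how the segregation-of-duties and supervision items above can be tested against actual entitlements rather than an org chart. Duty names, role names, users and the supervised-user list are constructed for the example; the conflict pairs encode the separations the text names (authorization, custody, record-keeping; program development, operations, maintenance). Conflicts are evaluated on the union of duties a user accumulates through all roles, since a single role rarely holds a toxic pair on its own, and violations that are documented as covered by supervisory review are reported separately as compensated.

```python
"""Segregation-of-duties check over role-based entitlements (added example)."""

# Pairs of duties that one person must not hold. Duty names are hypothetical
# labels for this example; the pairs follow the text: authorization vs custody,
# custody vs record-keeping, authorization vs record-keeping, and, for a
# computer-based system, program development vs operations vs maintenance.
CONFLICTING_DUTIES = {
    frozenset({"authorize_payment", "disburse_cash"}): "authorization vs custody",
    frozenset({"disburse_cash", "post_ledger"}): "custody vs record-keeping",
    frozenset({"authorize_payment", "post_ledger"}): "authorization vs record-keeping",
    frozenset({"develop_program", "operate_program"}): "development vs operations",
    frozenset({"develop_program", "maintain_program"}): "development vs maintenance",
    frozenset({"operate_program", "maintain_program"}): "operations vs maintenance",
}

# Constructed sample data: roles grant duties, users accumulate roles.
ROLE_DUTIES = {
    "ap_clerk": {"enter_invoice"},
    "ap_manager": {"authorize_payment"},
    "treasury": {"disburse_cash"},
    "gl_accountant": {"post_ledger"},
    "developer": {"develop_program"},
    "operator": {"operate_program"},
    "support": {"maintain_program"},
}
USER_ROLES = {
    "alice": {"ap_manager", "treasury"},  # authorizes payments and holds the cash
    "bob": {"gl_accountant"},
    "carol": {"developer", "operator"},    # writes and runs the same programs
    "dave": {"ap_clerk", "ap_manager"},    # no conflict in the matrix above
}
# Constructed: users whose doubled-up duties are documented as under supervisory review.
SUPERVISED = {"carol"}


def effective_duties(user, user_roles, role_duties):
    """Union of the duties granted through every role the user holds."""
    duties = set()
    for role in user_roles.get(user, ()):
        duties |= role_duties.get(role, set())
    return duties


def find_violations(user_roles, role_duties, conflicts=CONFLICTING_DUTIES):
    """Map each user to the sorted labels of conflicting duty pairs they hold."""
    report = {}
    for user in sorted(user_roles):
        held = effective_duties(user, user_roles, role_duties)
        hits = sorted(label for pair, label in conflicts.items() if pair <= held)
        if hits:
            report[user] = hits
    return report


def classify(violations, supervised):
    """Split violations into open findings and those covered by a compensating control."""
    open_findings = {u: v for u, v in violations.items() if u not in supervised}
    compensated = {u: v for u, v in violations.items() if u in supervised}
    return open_findings, compensated


if __name__ == "__main__":
    found = find_violations(USER_ROLES, ROLE_DUTIES)
    open_findings, compensated = classify(found, SUPERVISED)
    for user, labels in open_findings.items():
        print(f"VIOLATION   {user}: {', '.join(labels)}")
    for user, labels in compensated.items():
        print(f"COMPENSATED {user}: {', '.join(labels)} (supervisory review documented)")
```

Run against a real system, the two dictionaries would be exported from the identity provider or application role tables; the conflict matrix is the part that needs sign-off from the control owner, because a pair left out of it is a conflict the check can never find.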
 Accounting Records are the source documents, journals, and ledgers of a business. These documents provide the audit trail for all the company's economic transactions. Audit trails are also created in computer-based systems, but the form and appearance of the accounting records differ from those in a manual system (hashing techniques, pointers, indexes, embedded keys). Auditors must understand the system's controls to know their impact on the audit trails of the records.
 Access Controls safeguard assets by restricting physical access to them. In computer-based systems, access controls should reduce the possibility of computer fraud and of losses from disasters. They should limit personnel access to central computers, restrict access to computer programs, provide security for the data processing center, provide adequate backup for data files, and provide for disaster recovery.
 Independent Verification procedures identify errors and misrepresentations and can be performed by both managers and computers. For example, managers can review financial and management reports, and computers can reconcile batch totals or subsidiary accounts with control accounts. Through such verification management can assess an individual application's performance, the integrity of the processing system, and the accuracy of the data. Examples include reconciling batch totals at various points of processing, comparing physical assets with accounting records, reconciling subsidiary ledgers with general ledger control accounts, and reviewing management reports.
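As an added example (not from the chapter), the script below implements the two computer-performed verifications named above, and the continuous-monitoring module described under Monitoring: control totals taken at two processing checkpoints and compared, and a subsidiary ledger reconciled to its general ledger control account. Record layout, account numbers, amounts and the three failure cases are constructed. The point it makes that the paragraph does not is what each total actually detects: a dropped record trips every total; a record posted to the wrong account leaves the count and financial total intact and is caught only by the hash total over account numbers; two amounts swapped between records leave every arithmetic total intact and are caught only by the SHA-256 digest over the serialized batch, which is an addition here, not a control the text lists.

```python
"""Batch control totals and subsidiary-to-control reconciliation (added example)."""
import hashlib
import json
from decimal import Decimal

# Constructed sample batch; amounts are strings so Decimal keeps cents exact.
INPUT_BATCH = [
    {"id": 1, "account": "1001", "amount": "250.00"},
    {"id": 2, "account": "1002", "amount": "75.50"},
    {"id": 3, "account": "1010", "amount": "1200.00"},
]

# Constructed failure modes observed at the output checkpoint.
DROPPED_RECORD = INPUT_BATCH[:2]
WRONG_ACCOUNT = [dict(INPUT_BATCH[0]), dict(INPUT_BATCH[1]), dict(INPUT_BATCH[2], account="1001")]
SWAPPED_AMOUNTS = [dict(INPUT_BATCH[0], amount="75.50"), dict(INPUT_BATCH[1], amount="250.00"), dict(INPUT_BATCH[2])]

# Constructed accounts-receivable subsidiary balances and the GL control balance.
AR_SUBSIDIARY = {"cust_a": Decimal("250.00"), "cust_b": Decimal("75.50"), "cust_c": Decimal("1200.00")}
AR_CONTROL_BALANCE = Decimal("1525.50")


def control_totals(records):
    """Control totals taken at one processing checkpoint.

    count       record count
    amount      financial total of the amount field
    hash_total  arithmetic sum of account numbers; meaningless as a value, useful
                only to detect a record posted to the wrong account
    digest      SHA-256 over the canonical serialization; changes for any edit,
                including ones that leave all arithmetic totals intact
    """
    count = len(records)
    amount = sum((Decimal(r["amount"]) for r in records), Decimal("0"))
    hash_total = sum(int(r["account"]) for r in records)
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(canonical).hexdigest()
    return {"count": count, "amount": amount, "hash_total": hash_total, "digest": digest}


def reconcile_batch(at_input, at_output):
    """Names of the control totals that disagree between two checkpoints (empty if in balance)."""
    return [k for k in ("count", "amount", "hash_total", "digest") if at_input[k] != at_output[k]]


def reconcile_subsidiary(subsidiary_balances, control_balance):
    """Subsidiary ledger total minus the GL control account balance; zero means reconciled."""
    return sum(subsidiary_balances.values(), Decimal("0")) - control_balance


if __name__ == "__main__":
    baseline = control_totals(INPUT_BATCH)
    cases = [("dropped record", DROPPED_RECORD), ("wrong account", WRONG_ACCOUNT),
             ("swapped amounts", SWAPPED_AMOUNTS), ("unchanged", INPUT_BATCH)]
    for name, batch in cases:
        print(f"{name:16s} mismatched totals: {reconcile_batch(baseline, control_totals(batch))}")
    print("AR subsidiary minus control:", reconcile_subsidiary(AR_SUBSIDIARY, AR_CONTROL_BALANCE))
```

The digest only detects change between two points that the same party does not control; if the person who can alter records can also recompute the stored digest, it adds nothing, which is the segregation point made earlier applied to the control itself.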
The Importance of Internal Controls

The five components of internal control are the control environment, risk assessment, information and communication, monitoring, and control activities. Understanding internal control guides the auditor in planning specific tests to determine the likelihood and the extent of financial statement misrepresentation.
Sarbanes-Oxley Act of 2002

The following are some of the most important aspects of SOX:
 Public Company Accounting Oversight Board (PCAOB). SOX created the PCAOB to oversee the audits of public companies. The PCAOB sets and enforces auditing, quality control, ethics, independence, and other standards for those audits. It consists of five members appointed by the Securities and Exchange Commission (SEC).
 New rules for auditors. Auditors must report specific information to the company's audit committee, such as critical accounting policies and practices. SOX prohibits auditors from performing certain non-audit services for their audit clients, such as information systems design and implementation. An audit firm cannot audit a company if a member of the company's top management was employed by the audit firm and worked on that company's audit in the preceding 12 months.
 New roles for the audit committee. Audit committee members must be on the company's board of directors and be independent of the company. One member of the audit committee must be a financial expert. The audit committee hires, compensates, and oversees the auditors, who report directly to it.
 New rules for management. SOX requires the CEO and CFO to certify that (1) the financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading; and that (2) the auditors and the audit committee were told about all material internal control weaknesses and any fraud. If management knowingly violates these rules, it can be prosecuted and fined. Companies must disclose, in plain English, material changes to their financial condition on a timely basis.
 New internal control requirements. Section 404 requires companies to issue a report accompanying the financial statements stating that management is responsible for establishing and maintaining an adequate internal control system, and containing management's assessment of its effectiveness.

After SOX was passed, the SEC mandated that management must:
 Base its evaluation on a recognized control framework
 Disclose all material internal control weaknesses
 Conclude that a company does not have effective internal control over financial reporting if there are material weaknesses.
Control Frameworks

1. Control Objectives for Information and Related Technology (COBIT) framework
2. Committee of Sponsoring Organizations (COSO) Internal Control (IC) framework
3. Committee of Sponsoring Organizations (COSO) Enterprise Risk Management (ERM) framework
COBIT Framework

The Information Systems Audit and Control Association (ISACA) developed the Control Objectives for Information and Related Technology (COBIT) framework. COBIT consolidates control standards from many different sources into a single framework that allows:
1. Management to benchmark the security and control practices of IT environments,
2. Users to be assured that adequate IT security and controls exist, and
3. Auditors to substantiate their internal control opinions and to advise on IT security and control matters.
The COBIT 5 framework describes best practices for the effective governance and management of IT. COBIT 5 is based on the following five key principles of IT governance and management. These principles help organizations build an effective governance and management framework that protects stakeholders' investments and produces the best possible information system.
1. Meeting stakeholders' needs. COBIT 5 helps users customize business processes and procedures to create an information system that adds value for its stakeholders. It also allows the company to strike the proper balance between risk and reward.
2. Covering the enterprise end to end. COBIT 5 does not focus solely on IT operations; it integrates all IT functions and processes into companywide functions and processes.
3. Applying a single, integrated framework. COBIT 5 can be aligned at a high level with other standards and frameworks, so that an overarching framework for IT governance and management is created.
4. Enabling a holistic approach. COBIT 5 provides a holistic approach that results in effective governance and management of all IT functions in the company.
5. Separating governance from management. COBIT 5 distinguishes between governance and management.
COSO's internal control framework

The Committee of Sponsoring Organizations (COSO) consists of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and Financial Executives International (formerly the Financial Executives Institute).

In 1992, COSO issued Internal Control – Integrated Framework (IC), which is widely accepted as the authority on internal controls and is incorporated into policies, rules, and regulations used to control business activities.

In 2013, the IC framework was updated to better address current business processes and technological advances. For example, in 1992 very few businesses used the internet, sent e-mail, or stored their data in the cloud.

The revised IC framework also gives users more precise guidance on how to implement and document the framework. Many new examples have been added to clarify framework concepts and make the framework easier to understand and use.
COSO's Enterprise Risk Management Framework

To improve the risk management process, COSO developed a second control framework called Enterprise Risk Management – Integrated Framework (ERM).

ERM is the process the board of directors and management use to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals.

The basic principles behind ERM are as follows:
• Companies are formed to create value for their owners.
• Management must decide how much uncertainty it will accept as it creates value.
• Uncertainty results in risk, which is the possibility that something negatively affects the company's ability to create or preserve value.
• Uncertainty also results in opportunity, which is the possibility that something positively affects the company's ability to create or preserve value.
• The ERM framework can manage uncertainty as well as create and preserve value.
ERM Framework vs IC Framework