ETHICS, FRAUD, AND INTERNAL CONTROL (CHAPTER 3)
ETHICAL ISSUES IN BUSINESS
Ethical standards are derived from societal mores and
deep-rooted personal beliefs about issues of right and
wrong that are not universally agreed upon.
What Is Business Ethics?
Ethics pertains to the principles of conduct that
individuals and business managers use in guiding their
behavior and choices. It involves not only knowing what
is right but also knowing how to achieve what is right.
Ethics in business can be divided into four areas:
- Equity (fairness and lawful practices in the
marketplace),
- Rights (individual employee rights),
- Honesty (behavior), and
- Exercise of corporate power (working condition
choices).
Ethical behavior is a necessary but not sufficient
condition for business success in the long run.
(Inherently, this statement is saying that businesses that
behave unethically should be punished).
Some firms address ethical issues through:
- Ethics training and awareness in the workplace
- Greater commitment of top management to
improving ethical standards.
- Written codes of ethics/conduct to
communicate management’s expectations (Johnson
and Johnson’s “credo” of corporate values).
- Programs to encourage moral
development and implement ethical guidelines.
- Techniques to monitor compliance.
Management is responsible to maintain an ethical
environment, to limit opportunity and temptation for
unethical behavior within the company. A company’s
commitment to ethics should be above their
commitment to short-term profits and efficiency.
MORAL REASONING STAGES OF DEVELOPMENT:
KOHLBERG’S STAGES OF MORAL DEVELOPMENT
- (Kohlberg’s model was created specifically for
the framework of child development and has
been widely criticized for promoting the
inherent value system of its author.  The
original Kohlberg model organized a child’s
values development from parental
punishment/rewards to organizational
belonging/success (local maximization) to
greater social contracts/justice (forgoing one’s
individual gains for the sake of societal gain).   about yourself do you really own?
The representation in the Hall textbook is an
interpretation of the Kohlberg model.  How can you avoid authorized/unauthorized
 Stage 1 (lowest): Punishment
orientation: obey rules to avoid
punishment
 Stage 2: Reward orientation: obey rules
to obtain the reward
 Stage 3: Good boy/girl orientation:
obey rules to receive approval
 Stage 4: Authority orientation: obey
rules to be perceived as performing
one’s duty
 Stage 5: Social contract orientation:
obey rules to obtain the respect of
peers and maintain self-respect
 Stage 6 (highest): Ethical Principle
Orientation: rules are guided by self-
selected ethical principles that promote
self-esteem.
- Every business decision has ethical risks and
benefits. Your ethical responsibility is the
balancing between these consequences. The
following principles have been provided for
guidance on these decisions:
 Proportionality: The ethical benefit from a
decision must outweigh the risks.
 Justice: The benefits should be distributed fairly
to those affected.
 Minimize Risk: The decision should minimize all
risks and avoid unnecessary risks.
 What is Computer Ethics?
- Computer Ethics is the analysis of the impact of
computer technology and the policies for the
ethical use of such technology. It involves
software, hardware, and network behaviors.
Three levels of computer ethics:
 Pop ethics: staying current with the
media.
 Para ethics: having real interest and
acquiring some skill and knowledge in the field.
 Theoretical ethics: multidisciplinary
application of ethical theories to computer
science.
- Many argue that computer ethics are no
different in nature than traditional issues
(property rights, copyright, trade secrets, patent
laws). The following issues of concern involve
computer ethics and may generate class
discussions:
 Privacy: how much information about you is
available to others? How much information
 Security (Accuracy and Confidentiality):
individuals accessing or changing your
computerized information? Where is the
 balance between safe data and open shared
resources?
 Ownership of Property: Can an individual
own ideas? Media? Source or object code? Do
copyright laws and patents restrict the progress
of technology?
 Equity in Access: Does the economic status
of an individual restrict him/her from access to
a career in information technology?
 Environmental Issues: Do high-speed
printers cause less responsibility for reducing
paper waste?
 Artificial Intelligence: Who is responsible
for the decisions that an expert system or a bot
might make on behalf of a business?
 Unemployment and Displacement: When a
business downsizes employees because a
computer now performs their jobs, is that
business responsible to retrain the displaced
employees?
 Misuse of Computers: How do you feel
about copying software, MP3 music files,
snooping through other people’s files, or using a
business’ computer for personal purposes?
- Managers must establish and maintain a system
of internal controls to ensure the integrity and
reliability of their data.
 FRAUD AND ACCOUNTANTS
 Fraud is a false representation of a material fact made
by one party to another party with the intent to deceive
and to induce the other party to rely on the fact to his
or her detriment. Many times, alleged fraud is just poor
management decisions or adverse business conditions.
Common law asserts that for an act to be considered
fraudulent, it must meet five requirements:
1. There must be a false representation,
statement or a nondisclosure.
2. There must be a material fact, a substantial
factor in inducing someone to act.
3. There must be intent to deceive.
4. The misrepresentation must have resulted
in justifiable reliance causing someone to act.
5. The deception must have caused injury or
loss to the victim of the fraud.
Business fraud is an intentional deception,
misappropriation of assets, or manipulation of financial
data to the advantage of the perpetrator. Two types of
fraud discussed in this chapter are employee fraud and
management fraud.
Employee fraud is committed by non-management
personnel and usually consists of an employee taking
cash or other assets for personal gain and concealing
their actions.
Management fraud is committed at higher levels and
usually does not involve the direct theft of an asset. It is
generally more difficult to detect for the following
reasons:
 The fraud occurs at levels that are above
internal control mechanisms.
 The fraud occurs by managers who can
manipulate financial statements through either
expense allocations or revenue recognition.
 The misappropriation of assets can be covered
up with complex transactions, often involving third
parties.
Factors That Contribute to Fraud
Forces that interact to motivate an individual to commit
fraud can be categorized as situational pressures (high),
opportunity (high), and personal characteristics/ethics
(low).
Auditors should look to many places to determine
management’s motivations to commit fraud and should
look at the top management of the companies they
audit to find the answers to questions such as :
 Personal: Do any of the managers have a lot of
debt? Are they living beyond their means? Are they
gambling? Do they abuse substances?
 Environment: Are economic conditions
unfavorable?
 Business: Does the company use several
different banks, none of which see the company’s
entire financial picture? Are there close associations
with any supplier?
Financial Losses From Fraud
 
The opportunity seems to be the overall most important
factor associated with the fraud. Opportunity can be
defined as control over assets or access to assets.
Opportunity is characterized in this dataset with a
higher management position, which is mostly filled by
older, more educated males at this time in history.
Fraud Schemes
The three broad categories of fraud schemes to be
discussed in this class are fraudulent financial
statements, corruption, and asset misappropriation.
 
Fraudulent Financial Statements
For financial statements to be fraudulent, the
statement itself must bring financial benefit to the
perpetrator, either direct or indirect. The manipulation
of the financial statement cannot just be a vehicle to
hide the fraudulent act.
Underlying problems include:
 Lack of auditor independence
 Lack of director independence
 Questionable executive compensation schemes
 Inappropriate accounting practices
Sarbanes-Oxley Act – July 2002, passed by US Congress
and signed by President Bush. This act reforms oversight
and regulation of public company directing and
auditing. Its principle reforms involve:
 The creation of an accounting oversight board
(PCAOB) empowered to set auditing, quality
control, and ethics standards, to inspect registered
accounting firms, to conduct investigations, and to
take disciplinary actions.
 Auditor independence: Engaged auditors
cannot provide other services to their clients
including: bookkeeping, AIS design and
implementation, appraisal or valuation services,
fairness opinions, or contribution-in-kind reports,
actuarial services, internal audit outsourcing
services, management functions, human resources,
broker or dealer, investment adviser, or investment
banking services, legal services, expert services
unrelated to the audit, and any other service that
the PCAOB determines impermissible.
 Corporate governance and responsibility
through the board of directors’ audit committee,
who need to be independent of the company, and
be the ones who hire and manage the external
auditors. Public corporations are prohibited to
make loans to their executive officers and directors,
and attorneys must report evidence of material
violations of securities laws or breaches of fiduciary
duty to the CEO, CFO or PCAOB.
 Disclosure requirements include all off-balance
sheet transactions, SEC filings containing a
statement by management asserting that they are
responsible for creating and maintaining adequate
and effective internal controls and that the officers
certify that the accounts fairly present the financial
condition and results of operations. Knowingly filing
false certification is a criminal offense.
 Penalties for fraud and other violations, such as
making it a federal offense for destroying
documents or audit work papers, to be used in an
official proceeding or actions against
whistleblowers.
Corruption
Corruption involves collusion with an outside entity.
The four principal types of corruption include:
 Bribery: Offering, giving, or receiving things of
value to influence an official in the performance of
his/her lawful duties (before the fact).
 Illegal Gratuities: Offering, giving, requesting, or
receiving something of value because of an official
act that has been taken (after the fact).
 Conflicts of Interest: When an employee acts
on the behalf of a third party during the discharge
of duties or has self-interest in the activity being
performed.
 Economic Extortion: Threat or use of force
(including economic sanctions) by an individual or
organization to obtain something of value.      or personal business.
Asset Misappropriation
Asset Misappropriation is the most common form of
fraud, the CFE found 85 percent of fraud cases to be
asset misappropriations. Transactions involving the
case, checking accounts, inventory, supplies,
equipment, and information are the most vulnerable
assets. Examples of asset misappropriation schemes
include:
 Charges to expense accounts.
 Lapping: an employee who has access to
customer checks and to accounts receivable records
steals some money, and then uses the next check
that comes in to cover the last amount stolen (so
that the customers never notice). This can continue
until the employee leaves the company or takes a
vacation, or is switched to another position.
 Transaction Fraud: involves deleting, altering,
or adding false transactions to divert assets to the
perpetrator (false invoices, false paychecks, etc.).
 Computer Fraud Schemes: Computer
environments are subject to their own kinds of
fraud. Computer fraud can include theft of assets
by:
o altering computer data records,
o altering the logic of software
programming,
o theft or illegal use of computer
information,
o theft, copying, or destruction of
software, and
o theft, misuse, or destruction of
hardware.
 
Computer assets are vulnerable to theft or destruction
at each phase of the accounting information system. 
 Data Collection: This phase of the system is
most vulnerable because it is very easy to change
data as it is being entered into the system. 
Fraudulent transactions or dollar amounts can be
keyed into the system and thefts can thus be
covered up. Data must be valid, complete, free
from material errors, relevant, and efficiently
collected.
 Masquerading is an unauthorized user entering
the system as an authorized user.
 Piggybacking is tapping into the
telecommunication lines and latching onto an
authorized user who is logging into the system.
Once inside, the perpetrator can go their own way.
 Data Processing: Frauds can be a program or
operation fraud.
 Program fraud includes altering programs to
allow illegal access, introduce a virus, or alter a
program’s logic to cause incorrect data processing.
 Operation fraud is the misuse of company
computer resources, for example, for personal use
 Database Management: Fraud at this phase of
the system involves altering, destroying, or stealing
the company's data either in storing, retrieving, or
deleting tasks.
 Information Generation: Frauds here involves
misrepresentation, theft, or misuse of the computer
output, either on-screen or in hard copy. It can also
involve scavenging (searching through the trash
cans of a company for discarded outputs)
or eavesdropping (listening to electronic
transmissions). The information must have the
following characteristics:
 Relevance: It affects the employee’s decisions
regarding the task at hand.
 Timeliness: It can be no older than the time
period of the action that it supports.
 Accuracy: It must be free of material errors.
 Completeness: No essential piece of
information is missing.
 Summarization: Information is aggregate in
accordance with the user’s needs.
Internal Control Concepts and Procedures
Foreign Corrupt Practices Act of 1977
Requires companies registered with the SEC to:
 Keep records that fairly and reasonably reflect
the transactions of the firm and its financial
position, and
 Maintain a system of internal control that
provides reasonable assurance that the
organization’s objectives are met.
Internal Control in Concept
 
Internal control systems include all of the policies,
practices, and procedures employed by the organization
to achieve four broad objectives (according to AICPA’s
SAS#1, sec. 320):     have been found.  If an error is a minor one, it may
 to safeguard assets of the firm,
 to ensure the accuracy and reliability of
accounting records and information,
 to promote the efficiency of the firm's
operations, and
 to measure compliance with management's
prescribed policies and procedures.
 
Modifying Assumptions for systems designers and
auditors include:
 Management Responsibility: Management is
ultimately responsible.
 Reasonable assurance: The internal control
system should provide reasonable rather than
absolute assurance.
 Data Processing Methods: The methods utilized
for data processing will change the types of internal
controls needed and utilized to achieve the four
objectives.
 Limitations: Every system has limitations
including the possibility of error, circumvention,
management override, and changing conditions.
Exposures and Risks
Assets are subject to the risk of losses,
termed exposures if internal controls are weak in a
particular area. Exposures can lead to the following
kinds of problems: 
 Destruction of the asset
 Theft of the asset
 Corruption of information or of the information
system
 Disruption of the information system
The Preventive-Detective-Corrective Internal Control
Model is a very useful model to approach risk
management. 
 Preventive controls are designed to reduce the
opportunities for the commission of errors or
fraud.  They are passive controls, meaning that they
are integrated into the system in the hopes of
preventing errors and fraud before they happen. 
They provide safeguards that are built into the
system's routine procedures.
 Detective controls are designed to detect errors
or fraud after they have occurred. These controls
compare what has actually happened with what
was supposed to happen. If deviations occur, they
are identified.
 Corrective controls are measures taken to
correct errors, especially material ones, once they
have been detected. Such measures should be
taken with caution after the reasons for the errors
not be worth analyzing and correcting.
Auditing and Auditing Standards
 
Auditors are guided in their professional responsibilities
by  GAAS (Generally Accepted Auditing Standards), in
addition to many other Statements on Auditing
Standards. 
 General qualification standards refer to the
background that is necessary to be an auditor.
 Fieldwork standards refer to the level of
investigative professionalism that is required while
conducting an audit. Note that the second fieldwork
standard refers to an understanding of the internal
control structure.
 Reporting standards refer to the requirements
an auditor must follow when rendering a
professional opinion.
The Statement on Auditing Standards No. 78 discusses
the complex relationship between the firm’s internal
controls, the auditor’s assessment of risk, and the
planning of audit procedures.  This statement conforms
to the recommendations of the US Congress’
Committee of Sponsoring Organizations of the
Treadway Commission (COSO).
Internal Control Components
According to SAS No. 78, internal control consists of the
control environment, risk assessment, information and
communication activities, monitoring activities, and
control activities.
Control Environment
The Control Environment is the foundation of internal
control and sets the tone for the organization.  transactions and account for the related assets and
Important elements of the control environment include:
 The integrity and ethical values of management
 The organizational structure of the company
 The role and participation level of the board of
directors and of the audit committee
Is there an internal auditing department that reports to
the audit committee?
 Management's philosophy or approach to
running the company
 Delegation of responsibility and authority
Is there proper segregation of duties between
authorization, custody, and accounting?
 Methods for evaluating performance
 External influences, such as examinations by
outside parties
 The organization's policies and practices for
managing its human resources
SAS 78 requires the auditors to obtain sufficient
knowledge to assess the attitude and awareness of an
organization's management, the board of directors, and
owners to determine the importance of internal control
in their organization. Techniques they could utilize
include background checks, reputation, integrity,
external conditions, knowledge of the client’s industry,
and specific business.
Management should adopt the provisions of the
Sarbanes-Oxley Act by:
 Separating the roles of CEO and chairman,
 Setting ethical standards,
 Establishing an Independent Audit Committee
 Compensation Committees
 Nominating Committees
 Access to Outside Professionals
Risk Assessment
Management must assess the risks of their business
and their environment. Such risk would be increased by,
for example, rapid growth, new competitors, new
product lines, organizational restructuring, entering
foreign markets, implementation of new technology, or
adopting a new accounting principle that impacts the
financial statements.  Auditors are required by SAS No.
78 to obtain an understanding of their clients' methods
for assessing risk.
 
Information and Communication
Managers are responsible for developing,
implementing, and maintaining a good system
of Information and Communication for all in the
organization.  The accounting information system
consists of the records and methods used to initiate,
identify, analyze, classify, and record the organization’s
liabilities.
The quality of information generated by an
organization's accounting information system will
impact the reliability of the organization's financial
statements. Auditors are required to obtain an
understanding of the classification of material
transactions, the processing of those transactions in the
accounting records, and the utilization of processed
data in the preparation of financial statements.
Effective accounting information systems will:
 Identify and record all valid financial
transactions.
 Provide timely information about transactions
in sufficient detail to permit proper classification
and financial reporting.
 Accurately measure the financial value of
transactions so their effects can be recorded in
financial statements.
 Accurately record transactions in the time
period in which they occurred.
Auditors are required to obtain sufficient knowledge of
the information system to understand:
 The classes of transactions that are material to
the financial statements and how those
transactions are initiated.
 The accounting records and accounts that are
used in the processing of material transactions.
 The transaction processing steps involved from
the initiation of a transaction to its inclusion in the
financial statements.
 The financial reporting process used to prepare
financial statements, disclosures, and accounting
estimates.
Monitoring     
Monitoring must be performed to determine that the
internal controls are functioning as intended.
Monitoring may be performed by internal auditors who
periodically test controls and report to management
any weaknesses that could be a cause for concern. 
Monitoring can also be performed continuously through
the implementation of computer modules designed
specifically to monitor the functioning of internal
controls. A good reporting system, reviewed by Auditors must understand system controls to know
management, is also an excellent monitoring their impact on the audit trails of the records.
information system.  Access Controls safeguard assets by restricting
physical access. In computer-based systems, access
Control Activities controls should reduce the possibilities of computer
Control Activities are the policies and procedures used fraud and losses from disasters. Access controls
to ensure that appropriate actions are taken to deal should limit personnel access to central computers,
with the identified risks. There are two categories, restrict access to computer programs, provide
computer controls, and physical controls. security for the data processing center, provide
adequate backup for data files, and provide for
Computer Controls can be categorized into two groups: disaster recovery.
general controls and application controls.  Independent Verification procedures identify
errors and misrepresentations and can be
 General Controls pertain to pervasive, entity- performed by both managers and computers. For
wide concerns such as access and approval, such as example, managers can review financial and
human resources and project management. management reports, and computers can reconcile
 Application Controls pertain to the details of batch totals or subsidiary accounts with control
specific systems, such as payroll. accounts. Management can assess an individual
application’s performance, processing system
Physical Controls typically relate to manual procedures. integrity, and data accuracy. Examples of
Traditionally, there are six categories of physical independent verification include reconciling batch
controls activities: totals at various points of processing, comparing
physical assets with accounting records, reconciling
 Transaction Authorization: Employees should subsidiary ledgers with general ledger control
only be carrying out authorized transactions. accounts, and reviewing management reports.
Authorizations may be general or specific.  General
authorization may be granted to employees to carry The Importance of Internal Controls
out routine, everyday procedures while specific
The five components of internal control are:
authorization may be needed for non-routine
environment, risk assessment, information and
transactions.
communication, monitoring, and control activities.
 Segregation of Duties: The key segregations
Understanding internal control will guide the auditor in
should be between the authorizing and the
the planning of specific tests to determine the likelihood
processing of a transaction and between the
and the extent of financial statement
custody of an asset and its record-keeping. The
misrepresentation.
system must be designed so that it would take
more than one employee to successfully carry out a
fraudulent act.  In a computerized system, however,
many duties that must be segregated in a manual
system may be combined because computers do
not make errors or commit fraud.  Nevertheless, in
a computer-based system, segregation should exist
between the functions of program development,
program operations, and program maintenance.
Figure 3-6 illustrates the top 3 objectives for the
segregation of duties.
 Supervision is referred to as a compensating
control because it comes into play when there is
not an adequate separation of duties and
employees must double up on tasks. This control is
especially important for computer-based systems as
often management must hire from a small supply of
technically competent individuals, these individuals
have access to much of the organization’s sensitive
data, and because management is unable to
observe employees who work with the system. 
 Accounting Records are the source documents,
journals, and ledgers of a business. These
documents provide the audit trail for all the
company's economic transactions. Audit trails are
also created in computer-based systems, but the
form and appearance of the accounting records are
different from those in a manual system (hashing
techniques, pointers, indexes, embedded keys).