DISCUSSION QUESTIONS (15 ITEMS)

1. What are ethical standards? Who formulated them? How were they derived?

Ethical standards are a set of principles established by the founders of the organization to
communicate its underlying moral values. This code provides a framework that can be used
as a reference for decision making processes.

Ethical standards are derived from social mores and deep-rooted personal beliefs about
issues of right and wrong that are not universally agreed upon.

2. What is business ethics? Is this good for business, or a hindrance to making more
profits?
Business ethics is an ethics pertains to the principles of conduct that individuals use in
making choices and guiding their behavior in situations that involve the concepts of right
and wrong. Many people feel that business ethics is an oxymoron, however, good ethical
behavior is also food for business. This does not mean that act ethically will prosper. Ethical
behavior is a necessity, but a sufficient condition for business success. An equally important
corollary is that firms that act unethically should be punished

3. What are the ethical issues in business?

Ethical Issues in Business

Equity Executive Salaries
Corporate Worth
Product Pricing
Rights Corporate Due Process
Employee Health Screening
Employee Privacy
Sexual Harassment
Affirmative Action
Equal Employment Opportunity
Whistle Blowing
Honesty Employee and Management Conflicts of Interest
Security of Organization Data and Records
Misleading Advertising
Questionable Business Practices in Foreign Countries
Accurate Reporting of Shareable Interests
Exercise of Corporate Power Political Action Committees
Workplace Safety
Product Safety
 Environmental Issues
Divestment of Interests
Corporate Political Considerations
Downsizing and Plant Closures

4. Is it possible for two individuals, who both consider themselves acting ethically, to be on
opposite sides of an issue? Why or why not?
Ethical standards are derived from social mores and deep-rooted personal beliefs about
issues of right and wrong that are not universally agreed upon. Yes, it is quite possible
for two individuals, both of whom consider themselves to be acting ethically, to be on
opposite sides of an issue. Often we confuse ethical issues with legal issues.
When an Honorable Gentleman who is charged with ethical misconduct, stands before
Congress and proclaims that he is “guilty of no wrong doing”, is he really saying that he
did not break the law? Accreditation bodies such as the American Assembly of
Collegiate Schools of Business and the Association for Computing Machinery, in
conjunction with business people, are increasingly incorporating ethical issues into the
business curriculum. Although a thorough treatment of ethics is impossible within the
space available in this module, the objective of this section is to heighten the reader’s
awareness of ethical issues relating to business information systems, and computer
technology.

5. Explain the proportionality principle that managers should use as a guide in the
discharge of their ethical responsibility.
The proportionality principle states that “The benefit from a decision must outweigh the
risks. Furthermore, there must be no alternative decision that provides the same or
greater benefit with less risk”.

Justice: The benefits of the decision should be distributed fairly to those who share the
risks. Those who cannot should not carry the burden of risk.
Minimize risk: Even if judged acceptable by the above principle, the decision should be
implemented so as to minimize all of the risks and avoid any unnecessary risks.

6. What is computer ethics? What are the three levels of computer ethic ? Explain each.
Computer ethics is “the analysis of the nature and social impact of computer technology
and the corresponding formulation and justification of policies for the ethical use of
such technology…(“This includes) concerns about software as well as hardware and
concerns about networks connecting computers as well as computers themselves.”

Bynum has defined three levels of computer ethics: pop, para, and theoretical.
Pop computer ethics is simply the exposure to stories and reports found in the popular
media regarding the good or bad ramifications of computer technology. The society at
large need to be aware of such things as computer virus and computer systems
designed to aid handicapped persons.
Para computer ethics involves taking a real interest in computer ethics cases and
acquiring some level of skill and knowledge in the field. All systems professionals need
to reach this level of competency so they can do their jobs effectively. Students of
accounting information systems should also achieve this level of ethical understanding.
Theoretical computer ethics, is of interest to multidisciplinary researchers who apply the
theories of philosophy, sociology and psychology to computer science with the goal of
bringing some understanding to the field.

7. Why is business fraud called a white collar crime?

Other definitions related to fraud are: “white-collar crime”.
White collar crime refers to the misdeeds of people who wear ties to work and steal
with a pencil or a computer terminal. White collar crime produces ink stains instead of
blood stains.

8. `Discuss the concept of fraud exposure and explain why firms may tolerate some
exposure
Fraud exposures are more likely to occur after implementation, in the operational
period of the system’s life cycle, called the maintenance phase. During this period which
may last for years, a typical may be modified dozens of times. This is an opportunity for
errors to be inserted unintentionally in the application and for the computer criminal to
perpetrate a fraud by making an illegal program change.
Access control in an IT environment covers many level of exposure. Controls that
address these exposures include techniques designed to limit personnel access
authority, restrict access to computer programs, provide physical security for the data
processing center, ensure adequate backup for data files, and provide disaster recovery
capability. Some access controls are technological procedures and devices, while others
are physical barriers implemented through organizational segregation of duties.

9. Explain the “need to know” principle in the access control technique

But underlying all access control techniques is the fundamental principle of “need to
know”. Individuals should be given to access to data, programs, and restricted areas
only when a need in connection with their assigned tasks has been demonstrated. This
principle should never be violated.
 10. What is the responsibility of management in detecting fraud? What is the
responsibility of the auditors? Give examples.
The primary responsibility for the prevention and detection of fraud rests with both
those charged with governance of the entity and with management. The respective
responsibilities may vary from country to country. In some entities, the governance
structure may be more informal as those charged with governance may be the same
individuals as the management of the entity.
Example: By directing subordinates to record transactions incorrectly or to conceal
them. Given its position of authority within an entity, management has the ability to
either direct employees to do something or solicit heir help to assist in carrying out a
fraud, with or without the employees’ knowledge. Also, the subsequent discovery of a
material misstatement of the financial statements resulting from fraud does not, in
itself, indicate a failure to comply with PSAs. This is particularly the case for certain kinds
of intentional misstatements, since audit procedures may be ineffective for detecting an
intentional misstatement that is concealed through collusion between or among one or
more individuals among management, those charged with governance, employee or
third parties, or that involves falsified documentation. Whether the auditor has
performed an audit in accordance with PSAs is determined by the audit procedures
performed in the circumstances, the sufficiency and appropriateness of the audit
evidence as a result thereof and the suitability of the auditor’s report based on an
evaluation of that evidence.

The auditor’s responsibility to detect a fraud depends on factors such as the skillfulness
of the perpetrator, the frequency and extent of manipulation, the degree of collusion
involved, the relative size of individual amounts manipulated, and the seniority of those
individuals involved. While the auditors may be able to identify potential opportunities
for fraud to be perpetrated, it is difficult for the auditor to determine whether
misstatement in judgment areas such as accounting estimates are caused by fraud or
error. Furthermore, the risk of the auditor not detecting a material misstatement
resulting from management fraud is greater than for employee fraud, because
management is frequently in a position to directly or indirectly manipulate accounting
records and present fraudulent financial information. Certain levels of management may
be in a position to override control procedures designed to prevent similar frauds by
other employees,
Example: The Securities Exchange Commission, the courts, and the public, along with
Congress, are focusing more and more on business failures and questionable practices
by the management of corporations that engage in alleged fraud. The question being
asked is “Where were the auditors?” It is important to note that audit teams are
concerned with fraud only as it affects the financial statements. That is, audit teams are
not responsible to detect all fraud but are responsible to detect all cases where
fraudulent activity results in materially misstated financial statements. For example, if a
 warehouse employee is misappropriating inventory, but that embezzlement does not
result in materially misstated financial statements, the audit team does not have
responsibility for detecting the fraud. However, if management is intentionally
misstating revenues in order to meet earnings expectations, the audit team is
responsible for detecting this misstatement. That is not to say that the audit team would
ignore immaterial fraud (they would typically report immaterial fraud to the next higher
level above where the fraud occurred), but only that the audit team’s primary
responsibility is to design procedures to provide reasonable assurance that material
frauds that might misstate the financial statements are detected.

11. What are the inherent limitations that auditors have to deal with in the audit of client
organizations?
As described in PSA 200, “Objectives and General Principles Governing an Audit of Financial
Statements”, the objective of an audit of financial statements is to enable the auditor to
express an opinion whether the financial statements are prepared, in all material respects, in
accordance with an applicable financial reporting framework. Owing to the inherent limitations
of an audit, there is an unavoidable risk that some material misstatements of the financial
statements will not be detected, even though the audit is properly planned and performed in
accordance with PSAs. The risk of not detecting a material misstatement resulting from fraud is
higher than the risk of not detecting a material misstatement resulting from error because
fraud may involve sophisticated and carefully organized schemes designed to conceal it, such as
forgery, deliberate failure to record transactions, or intentional misrepresentations being made
to the auditor. Although auditing standards concentrate on fraudulent financial reporting, SAS
99 also requires auditor to consider employee fraud (misappropriation of assets) perpetrated
against a client organization. Attention to employee fraud is important because the cover-up
can create financial statement misstatements (e.g., overstating inventory to disguise theft of
valuable products).

12. What is professional skepticism? What kind of professional attitude must an auditor have in
conducting an audit.
Professional skepticism is an attitude that includes a questioning mind and a critical assessment
of audit evidence. Professional skepticism requires an ongoing questioning of whether the
information and audit evidence obtained suggests that a material misstatement due to fraud
may exist.
This attitude should be maintained throughout the audit, recognizing the possibility that a
material misstatement due to fraud could exist, notwithstanding the auditor’s past experience
with the entity about the honesty and integrity of management and those charged with
governance.
However, although the auditor cannot be expected to fully disregard past experience with the
entity, the maintenance of professional skepticism is important because there may have been
changes in circumstances. When making inquiries and performing audit procedures, the auditor
exercises professional skepticism and is not satisfied with less-than-pervasive audit evidence
based on a belief that management and those charged with governance are honest and have
integrity. With regard to those charged with governance, maintaining an attitude of
professional skepticism means that the auditor carefully considers the reasonableness of
responses to inquiries in the light of all other evidence obtained during the audit

13. Explain the meaning of the following transaction fraud techniques: masquerading,
piggybanking, and hacking

Masquerading involves a perpetrator gaining access to the system from a remote site by
pretending to be an authorized user. This usually requires first gaining authorized access to a
password.

Piggy banking is a technique in which the perpetrator at a remote site taps into the
communication lines and latches onto an authorized user who is logging into the system. Once
in the system, the perpetrator can masquerade as the authorized user.

Hacking may involve piggy banking or masquerading techniques. Hackers are distinguished
from other computer criminals because their motives are not usually to defraud for financial
gain. They are motivated primarily by the challenge of breaking into the system rather than the
thefts of assets. Nevertheless, hackers can cause extensive damage and loss to organizations.
Many believe that the line between hackers and the more classic compute criminals is thin.

14. In your initial audit of inventories, you easily noticed some differences between the physical
balances and the book balances. You also noticed that the inventory control supervisor could
not give you sufficient reasons to explain the differences. Your skeptical mind tells you that
fraud may exist in this area. What technique will you do to uncover the fraud, considering that
there are lots of inventory items to be counted and there is very little time left to do that.

Part of fraud detection techniques is for the audit team to be aware of the factors that
contribute to fraud and be able to have a checklist of these as red flags in the client firm. While
these factors, for the most part, fall outside of the auditor’s sphere of influence, auditors can
develop a red flag checklist to detect possible fraudulent activity.
Some of the largest accounting firms have developed checklists to help uncover fraudulent
activity during an audit. Questions for such a checklist might include:
• Do key executives have unusually high personal debt?
• Do key executives appear to be living beyond their means?
• Do key executives engage in habitual gambling?
• Do key executives appear to abuse alcohol or drugs?
• Do any of the key executives appear to lack personal codes of ethics
• Are economic conditions unfavorable within the company’s industry?
• Does the company use several different banks, none of which sees the company’s entire
financial picture?
• Do any key executives have close association with suppliers?
• Is the company experiencing a rapid turnover of key employees, either through quitting or
being fired?
• Do one or two individuals dominate the company?

A review of some of these questions suggests that the contemporary auditor may use special
investigative agencies to run a complete but confidential background check on the key
managers of existing and prospective client firms.

15. What is compensating control as an internal control procedure?

Implementing adequate separation of duties require that a firm employ a sufficient large
number of employees. Achieving adequate separation of duties often presents difficulties for
small organizations. Obviously, it is impossible to separate five incompatible tasks among three
employees. Therefore, in small organizations or in functional areas that lack sufficient
personnel, management must compensate for the absence of segregation controls with close
supervision. For this reason, supervision is often called compensating control.
An underlying assumption of compensating control is that the firm employs competent and
trustworthy personnel. Obviously, no company could function for long on the alternative
assumption that its employees are incompetent and dishonest. The “competent and
trustworthy employee” assumption promotes supervisory inefficiency. Firms can thus establish
a managerial span of control whereby a single manager supervises several employees. In
manual systems, maintaining a span of control tends to be straightforward because both
manager and employees are at the same physical location.