ETHICS, FRAUD, AND INTERNAL CONTROL (CHAPTER 3)

ETHICAL ISSUES IN BUSINESS
Ethical standards are derived from societal mores and deep-rooted personal beliefs about issues of right and wrong that are not universally agreed upon.

Ethical behavior is a necessary but not sufficient condition for business success in the long run. (Inherently, this statement is saying that businesses that behave unethically should be punished.)

Some firms address ethical issues through:
- Ethics training and awareness in the workplace

Every business decision has ethical risks and benefits. Your ethical responsibility is the balancing between these consequences. The following principles have been provided for guidance on these decisions:

Proportionality: The ethical benefit from a decision must outweigh the risks. There must be no alternative decision that provides the same or greater benefit with less risk.

Justice: The benefits should be distributed fairly to those affected. Those who do not benefit should not carry the burden of risk.

Minimize Risk: The decision should minimize all risks and avoid unnecessary risks. Even if judged acceptable by the principles, the decision should be implemented so as to minimize all of the risks and avoid any unnecessary risks.

What is Computer Ethics?
Computer Ethics is the analysis of the impact of computer technology and the policies for the ethical use of such technology. It involves software, hardware, and network behaviors.

Three levels of computer ethics:
Pop ethics
- staying current with the media.
- is simply the exposure to stories and reports found in the popular media regarding the good or bad ramifications of computer technology.
Para ethics
- having real interest and acquiring some skill and knowledge in the field.
- involves taking a real interest in computer ethics cases and acquiring some level of skill and knowledge in the field.
Theoretical ethics
- multidisciplinary application of ethical theories to computer science.
- is of interest to multidisciplinary researchers who apply the theories of philosophy, sociology, and psychology to computer science with the goal of bringing some new understanding to the field.

Many argue that computer ethics are no different in nature than traditional issues (property rights, copyright, trade secrets, patent laws). The following issues of concern involve computer ethics and may generate class discussions:

Privacy: How much information about you is available to others? How much information about yourself do you really own?
- being in full control of what and how much information about themselves is available to others, and to whom it is available.
- The creation and maintenance of huge, shared databases make it necessary to protect people from the potential misuse of data. This raises the issue of ownership in the personal information industry.

Security (Accuracy and Confidentiality): How can you avoid authorized/unauthorized individuals accessing or changing your computerized information? Where is the balance between safe data and open shared resources?
- Computer security is an attempt to avoid such undesirable events as a loss of confidentiality or data integrity. Security systems attempt to prevent fraud and other misuse of computer systems; they act to protect and further the legitimate interests of the system's constituencies.
- The ethical issues involving security arise from the emergence of shared, computerized databases that have the potential to cause irreparable harm to individuals by disseminating inaccurate information to authorized users, such as through incorrect credit reporting. There is a similar danger in disseminating accurate information to persons unauthorized to receive it.

Ownership of Property: Can an individual own an idea? Media? Source or object code? Do copyright laws and patents restrict the progress of technology?

Equity in Access: Does the economic status of an individual restrict him/her from access to a career in information technology?
- Several factors, some of which are not unique to information systems, can limit access to computing technology. The economic status of the individual or the affluence of an organization will determine the ability to obtain information technology.
- Culture also limits access, for example, when documentation is prepared in only one language or is poorly translated.

Environmental Issues: Do high-speed printers cause less responsibility for reducing paper waste?
- For example, computers with high-speed printers allow for the production of printed documents faster than ever before. It is probably easier just to print a document than to consider whether it should be printed and how many copies really need to be made. It may be more efficient or more comforting to have a hard copy in addition to the electronic version. However, paper comes from trees, a precious natural resource, and ends up in landfills if not properly recycled.

Artificial Intelligence: Who is responsible for the decisions that an expert system or a bot might make on behalf of a business?
- Because of the way these systems have been marketed, that is, as decision makers or replacements for experts, some people rely on them significantly. Therefore, both knowledge engineers (those who write the programs) and domain experts (those who provide the knowledge about the task being automated) must be concerned about their responsibility for faulty decisions, incomplete or inaccurate knowledge bases, and the role given to computers in the decision-making process.

Unemployment and Displacement: When a business downsizes employees because a computer now performs their jobs, is that business responsible to retrain the displaced employees?
- Many jobs have been and are being changed as a result of the availability of computer technology. People unable or unprepared to change are displaced.

Misuse of Computers: How do you feel about copying software, MP3 music files, snooping through other people's files, or using a business' computer for personal purposes?
- Computers can be misused in many ways. Copying proprietary software, using a company's computer for personal benefit, and snooping through other people's files are just a few obvious examples.
- Although copying proprietary software (except to make a personal backup copy) is clearly illegal, it is commonly done.

SARBANES-OXLEY ACT AND ETHICAL ISSUES
The Sarbanes-Oxley Act (SOX) is the most significant federal securities law since the Securities and Exchange Commission (SEC) Acts of 1933 and 1934.

SOX has many provisions designed to deal with specific problems relating to capital markets, corporate governance, and the auditing profession.

SECTION 406 – CODE OF ETHICS FOR SENIOR FINANCIAL OFFICERS
Section 406 of SOX requires public companies to disclose to the SEC whether they have adopted a code of ethics that applies to the organization's chief executive officer (CEO), CFO, controller, or persons performing similar functions.

If the company has not adopted such a code, it must explain why.

A public company may disclose its code of ethics in several ways:
1) included as an exhibit to its annual report,
2) as a posting to its Web site, or
3) by agreeing to provide copies of the code upon request.

Whereas Section 406 applies specifically to executive and financial officers of a company, a code of ethics should apply equally to all employees. Top management's attitude toward ethics sets the tone for business practice, but it is also the responsibility of lower-level managers and nonmanagers to uphold a firm's ethical standards.

Conflict of Interest
- The company's code of ethics should outline procedures for dealing with actual or apparent conflicts of interest between personal and professional relationships.
- Whereas avoidance is the best policy, sometimes conflicts are unavoidable. Thus, one's handling and full disclosure of the matter become the ethical concern.

Full and Fair Disclosure
- This provision states that the organization should provide full, fair, accurate, timely, and understandable disclosures in the documents, reports, and financial statements that it submits to the SEC and to the public.

- Managers must establish and maintain a system of internal controls to ensure the integrity and reliability of their data.
- Section 301 directs the organization's audit committee to establish procedures for receiving, retaining, and treating such complaints about accounting procedures and internal control violations.
- Penalties for fraud and other violations,

ERROR VS. FRAUD
The term "error" refers to unintentional misstatements in the financial statements, including the omission of an amount or a disclosure. Fraud refers to an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage.

Under Philippine Standard on Auditing (PSA) 240, the responsibility for the prevention and detection of fraud and error rests with both management and those charged with governance of the entity.

For financial statements to be fraudulent, the statement itself must bring financial benefit to the perpetrator, either direct or indirect. The manipulation of the financial statement cannot just be a vehicle to hide the fraudulent act.
- misstating the financial statements to make the copy appear better than it is
- usually occurs as management fraud
- may be tied to a focus on short-term financial measures for success
- may also be related to management bonus packages being tied to financial statements

Underlying problems include:
Lack of auditor independence
- auditing firms also engaged by their clients to perform non-accounting activities.
Lack of director independence
- directors who also serve on the boards of other companies, have a business trading relationship, have a financial relationship as stockholders or have received personal loans, or have an operational relationship as employees
Questionable executive compensation schemes
- short-term stock options as compensation result in short-term strategies aimed at driving up stock prices at the expense of the firm's long-term health
Inappropriate accounting practices

(1) stealing something of value (an asset), equipment, and information are the most vulnerable assets. Examples of asset misappropriation schemes include:

Skimming
- involves stealing cash from an organization before it is recorded on the organization's books and records.
- One example of skimming is an employee who accepts payment from a customer but does not record the sale.
- Another example is mail room fraud in which an employee opening the mail steals a customer's check and destroys the associated remittance advice. By destroying the remittance advice, no evidence of the cash receipt exists. This type of fraud may continue for several weeks or months until detected.
Charges to expense accounts.

Cash Larceny
- involves schemes in which cash receipts are stolen from an organization after they have been recorded in the organization's books and records.
- An example of this is lapping: an employee who has access to customer checks and to accounts receivable records steals some money, and then uses the next check that comes in to cover the last amount stolen (so that the customers never notice). This can continue until the employee leaves the company or takes a vacation, or is switched to another position.
charges the victim company a much higher than market price for the items, but pays only the market price to the legitimate vendor. The difference is the profit that the perpetrator pockets.

3) Pay-and-return
- This typically involves a clerk with check writing authority who pays a vendor twice for the same products (inventory or supplies) received. The vendor, recognizing that its customer made a double payment, issues a reimbursement to the victim company, which the clerk intercepts and cashes.

Check Tampering
- involves forging or changing in some material way a check that the organization has written to a legitimate payee.
- One example of this is an employee who steals an outgoing check to a vendor, forges the payee's signature, and cashes the check.

Payroll fraud
- is the distribution of fraudulent paychecks to existent and/or nonexistent employees.
- For example, a supervisor keeps an employee on the payroll who has left the organization. Each week, the supervisor continues to submit timecards to the payroll department as if the employee were still working for the victim organization.

Expense Reimbursements
- are schemes in which an employee makes a claim for reimbursement of fictitious or inflated business expenses. For example, a company salesperson files false expense reports, claiming meals, lodging, and travel that never occurred.

Thefts of cash
- are schemes that involve the direct theft of cash on hand in the organization.
- An example of this is an employee who makes false entries on a cash register, such as voiding a sale, to conceal the fraudulent removal of cash.
- Another example is a bank employee who steals cash from the vault.

Non-Cash Misappropriations
- involve the theft or misuse of the victim organization's non-cash assets.
- One example of this is a warehouse clerk who steals inventory from a warehouse or storeroom.
- Another example is a customer services clerk who sells confidential customer information to a third party.

Transaction Fraud: involves deleting, altering, or adding false transactions to divert assets to the perpetrator (false invoices, false paychecks, etc.).

Computer Fraud Schemes: Computer environments are subject to their own kinds of fraud. Computer fraud can include theft of assets by:
o altering computer-readable records and files,
o altering the logic of computer software,
o theft or illegal use of computer-readable information,
o theft, corruption, illegal copying, or intentional destruction of software, and
o theft, misuse, or misappropriation of computer hardware.

Computer assets are vulnerable to theft or destruction at each phase of the accounting information system.

Data Collection Fraud: This phase of the system is most vulnerable because it is very easy to change data as it is being entered into the system. Fraudulent transactions or dollar amounts can be keyed into the system and thefts can thus be covered up. Data must be valid, complete, free from material errors, relevant, and efficiently collected.
- Masquerading is an unauthorized user entering the system as an authorized user.
- Piggybacking is tapping into the telecommunication lines and latching onto an authorized user who is logging into the system. Once inside, the perpetrator can go their own way.

Data Processing: Frauds can be a program or operation fraud.
- Program fraud includes altering programs to allow illegal access, introduce a virus, or alter a program's logic to cause incorrect data processing.
- Operation fraud is the misuse of company computer resources, for example, for personal use or personal business.

Database Management: Fraud at this phase of the system involves altering, destroying, or stealing the company's data, either in storing, retrieving, or deleting tasks. (Disgruntled or ex-employee)

Information Generation: Frauds here involve misrepresentation, theft, or misuse of the computer output, either on-screen or in hard copy. It can also involve scavenging (searching through the trash cans of a company for discarded outputs) or eavesdropping (listening to electronic transmissions). The information must have the following characteristics:
Relevance: It affects the employee's decisions regarding the task at hand.
Timeliness: It can be no older than the time period of the action that it supports.
Accuracy: It must be free of material errors.
Completeness: No essential piece of information is missing.
Under Philippine Standard on Auditing (PSA) 315, Internal Control is defined as the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

Foreign Corrupt Practices Act of 1977
Requires companies registered with the SEC to:
- Keep records that fairly and reasonably reflect the transactions of the firm and its financial position, and
- Maintain a system of internal control that provides reasonable assurance that the organization's objectives are met.

Internal Control in Concept
Internal control systems include all of the policies, practices, and procedures employed by the organization to achieve four broad objectives (according to AICPA's SAS#1, sec. 320):
• to safeguard assets of the firm,
• to ensure the accuracy and reliability of accounting records and information,
• to promote the efficiency of the firm's operations, and
• to measure compliance with management's prescribed policies and procedures.

Modifying Assumptions for systems designers and auditors include:
• Management Responsibility: Management is ultimately responsible.
• Reasonable assurance: The internal control system should provide reasonable rather than absolute assurance.
• Data Processing Methods: The methods utilized for data processing will change the types of internal controls needed and utilized to achieve the four objectives.

Assets are subject to the risk of losses, termed exposures, if internal controls are weak in a particular area. Exposures can lead to the following kinds of problems:
• Destruction of the asset
• Theft of the asset
• Corruption of information or of the information system
• Disruption of the information system

Relationship between the firm's internal control structure, the auditor's assessment of risk, and the planning of audit procedures
The weaker the internal control structure, the higher the assessed level of risk; the higher the risk, the more audit procedures are applied in the audit.

The Preventive-Detective-Corrective Internal Control Model is a very useful model to approach risk management.

Preventive controls
- are designed to reduce the opportunities for the commission of errors or fraud. They are passive controls, meaning that they are integrated into the system in the hopes of preventing errors and fraud before they happen. They provide safeguards that are built into the system's routine procedures.
- are passive techniques designed to reduce the frequency of occurrence of undesirable events. Preventive controls force compliance with prescribed or desired actions and thus screen out aberrant events. When designing internal control systems, an ounce of prevention is most certainly worth a pound of cure. Preventing errors and fraud is far more cost-effective than detecting and correcting problems after they occur.

Detective controls
- are designed to detect errors or fraud after they have occurred. These controls compare what has actually happened with what was supposed to happen. If deviations occur, they are identified.
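A detective control of the kind just described, as an added example that is not part of the original notes: it compares an independently prepared mail-room remittance list (what actually happened) with the accounts receivable postings (what was supposed to happen) and surfaces the skimming and lapping patterns covered earlier. All records, names and amounts are constructed sample data.

```python
"""Detective control reconciliation (added example, not code from the notes).
The mail room logs every check before it reaches the AR clerk (custody side);
the AR clerk posts credits to customer accounts (record-keeping side). Comparing
the two lists item by item flags the exceptions a supervisor should review."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Remittance:
    """A check logged by the mail room (constructed sample record)."""
    check_no: str
    payer: str        # customer named on the check
    cents: int        # amount in cents, so no float rounding


@dataclass(frozen=True)
class Posting:
    """A credit the AR clerk recorded, keyed by the check it cites."""
    check_no: str
    customer: str     # account actually credited
    cents: int


def reconcile(remittances, postings):
    """Return the exceptions found.

    unrecorded  : logged check with no ledger credit (skimming / mail-room fraud)
    misapplied  : credit went to a customer other than the payer, or for a
                  different amount (the lapping signature: one customer's check
                  covers the amount taken from another)
    unsupported : ledger credit citing a check the mail room never logged
    """
    by_check = {p.check_no: p for p in postings}
    matched = set()
    report = {"unrecorded": [], "misapplied": [], "unsupported": []}
    for r in remittances:
        p = by_check.get(r.check_no)
        if p is None:
            report["unrecorded"].append(r.check_no)
            continue
        matched.add(r.check_no)
        if p.customer != r.payer or p.cents != r.cents:
            report["misapplied"].append((r.check_no, r.payer, p.customer))
    report["unsupported"] = [p.check_no for p in postings if p.check_no not in matched]
    return report


def totals_agree(remittances, postings):
    """Batch-level check only: lapping can pass this on a quiet day, which is why
    the item-level match in reconcile() is the control that matters."""
    return sum(r.cents for r in remittances) == sum(p.cents for p in postings)


# Constructed sample day: check 1001 disappeared and check 1002 (from Bolt) was
# posted to Acme's account to cover it; check 1004 was never recorded at all.
SAMPLE_REMITTANCES = [
    Remittance("1001", "Acme", 50_000),
    Remittance("1002", "Bolt", 25_000),
    Remittance("1003", "Cox", 12_000),
    Remittance("1004", "Dale", 7_500),
]
SAMPLE_POSTINGS = [
    Posting("1002", "Acme", 25_000),
    Posting("1003", "Cox", 12_000),
    Posting("1005", "Cox", 4_000),   # credit with no logged check behind it
]

if __name__ == "__main__":
    for kind, items in reconcile(SAMPLE_REMITTANCES, SAMPLE_POSTINGS).items():
        print(kind, items)
```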
ensure that an application's logic is functioning properly
Batch Controls
Audit Trail Controls
- ensure that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements
Master Trail Controls

Output Controls: are a combination of programmed routines and other procedures to ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated.

Physical Controls typically relate to manual procedures. This class of controls relates primarily to the human activities employed in accounting systems. Traditionally, there are six categories of physical control activities:

Transaction Authorization: Employees should only be carrying out authorized transactions. Authorizations may be general or specific. General authorization may be granted to employees to carry out routine, everyday procedures, while specific authorization may be needed for non-routine transactions. Authorization is often embedded within computer programs. The purpose of transaction authorization is to ensure that all material transactions processed by the information system are valid and in accordance with management's objectives.

Segregation of Duties: The key segregations should be between the authorizing and the processing of a transaction and between the custody of an asset and its record-keeping. The system must be designed so that it would take more than one employee to successfully carry out a fraudulent act. In a computerized system, however, many duties that must be segregated in a manual system may be combined because computers do not make errors or commit fraud. Nevertheless, in a computer-based system, segregation should exist between the functions of program development, program operations, and program maintenance.

Supervision is referred to as a compensating control because it comes into play when there is not an adequate separation of duties and employees must double up on tasks. This control is especially important for computer-based systems, as often management must hire from a small supply of technically competent individuals, these individuals have access to much of the organization's sensitive data, and management is unable to observe employees who work with the system. The ability to assess competent employees becomes more challenging due to the greater technical knowledge required. The underlying assumption of supervision control is that the firm employs competent and trustworthy personnel. Obviously, no company could function for long on the alternative assumption that its employees are incompetent and dishonest.

Accounting Records are the source documents, journals, and ledgers of a business. These documents provide the audit trail for all the company's economic transactions. Audit trails are also created in computer-based systems, but the form and appearance of the accounting records are different from those in a manual system (hashing techniques, pointers, indexes, embedded keys). Auditors must understand system controls to know their impact on the audit trails of the records. Sometimes source documents are kept magnetically, and no audit trail is readily apparent. These records capture the economic essence of transactions and provide an audit trail of economic events. The audit trail enables the auditor to trace any transaction through all phases of its processing from the initiation of the event to the financial statements.

Organizations must maintain audit trails for two reasons:
(1) This information is needed for conducting day-to-day operations. The audit trail helps employees respond to customer inquiries by showing the current status of transactions in process.
(2) The audit trail plays an essential role in the financial audit of the firm. It enables external (and internal) auditors to verify selected transactions by tracing them from the financial statements to the ledger accounts, to the journals, to the source documents, and back to their original source.

Access Controls safeguard assets by restricting physical access. In computer-based systems, access controls should reduce the possibilities of computer fraud and losses from disasters. Access controls should limit personnel access to central computers, restrict access to computer programs, provide security for the data processing center, provide adequate backup for data files, and provide for disaster recovery. Data consolidation exposes the organization to computer fraud and excessive losses from disaster. The purpose of access controls is to ensure that only authorized personnel have access to the firm's assets. Unauthorized access exposes assets to misappropriation, damage, and theft. Therefore, access controls play an important role in safeguarding assets.
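The Segregation of Duties and Supervision passages above, turned into a preventive check as an added example that is not part of the original notes: it applies the incompatible-duty pairs the notes list to a set of role assignments, marks each conflict as compensated or not depending on whether the person is supervised, and finds anyone who could push a transaction through alone. Duty names, user names and the supervision list are constructed.

```python
"""Segregation-of-duties review (added example, not code from the notes).
Duties, users and the supervised set are constructed for illustration."""
from itertools import combinations

# Duty pairs one person should not hold, as listed in the notes: authorizing
# vs. processing a transaction, custody of an asset vs. its record-keeping,
# and in a computer-based system development vs. operations vs. maintenance.
INCOMPATIBLE = {
    frozenset({"authorize", "process"}),
    frozenset({"custody", "record_keeping"}),
    frozenset({"program_development", "program_operations"}),
    frozenset({"program_development", "program_maintenance"}),
    frozenset({"program_operations", "program_maintenance"}),
}

# Everything needed to carry one transaction from authorization to the books.
FULL_CYCLE = {"authorize", "process", "custody", "record_keeping"}


def sod_violations(assignments):
    """assignments: {user: set of duties}. Return a sorted list of
    (user, duty_a, duty_b) for each incompatible pair held by one person."""
    hits = []
    for user, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                hits.append((user, a, b))
    return sorted(hits)


def single_actor_cycles(assignments):
    """Users holding every duty in FULL_CYCLE, i.e. people who could complete
    a fraudulent transaction without a second employee being involved."""
    return sorted(u for u, d in assignments.items() if FULL_CYCLE <= d)


def evaluate(assignments, supervised):
    """Classify each conflict as 'compensated' (user is under supervision, the
    compensating control) or 'unmitigated', and list single-actor cycles."""
    report = {"compensated": [], "unmitigated": []}
    for v in sod_violations(assignments):
        report["compensated" if v[0] in supervised else "unmitigated"].append(v)
    report["single_actor"] = single_actor_cycles(assignments)
    return report


# Constructed sample: "eli" has accumulated every duty over time, and "dee"
# both develops and maintains programs but works under supervision.
SAMPLE_ASSIGNMENTS = {
    "ana": {"authorize"},
    "ben": {"process", "record_keeping"},
    "cy": {"custody"},
    "dee": {"program_development", "program_maintenance"},
    "eli": {"authorize", "process", "custody", "record_keeping"},
}
SAMPLE_SUPERVISED = {"dee"}

if __name__ == "__main__":
    for kind, items in evaluate(SAMPLE_ASSIGNMENTS, SAMPLE_SUPERVISED).items():
        print(kind, items)
```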