lOMoARcPSD|18238377

ETHICS, FRAUD, AND INTERNAL CONTROL  Ethical behavior is a necessary but not
sufficient condition for business success in the
(CHAPTER 3)
long run. (Inherently, this statement is saying
ETHICAL ISSUES IN BUSINESS that businesses that behave unethically should
 Ethical standards are derived from societal be punished).
mores and deep-rooted personal beliefs about Some firms address ethical issues through:
issues of right and wrong that are not
universally agreed upon.  Ethics training and awareness in the workplace

ETHICS  Greater commitment of top management to

improving ethical standards.
 a set of moral principles that distinguish
between what is right and what is wrong  Written codes of ethics/conduct to
communicate management’s expectations
 a set of values that guide the conduct and the (Johnson and Johnson’s “credo” of corporate
behavior of the individuals, enabling them to values).
differentiate between what should be done
and what should not be done  Programs to encourage moral development
and implement ethical guidelines.
 pertains to the principles of conduct that
individuals use in making choices and guiding  Techniques to monitor compliance.
their behavior in situations that involve the
concepts of right and wrong. Management is responsible to maintain an ethical
environment, to limit opportunity and temptation for
What Is Business Ethics? unethical behavior within the company. A company’s
 Ethics pertains to the principles of conduct that commitment to ethics should be above their
individuals and business managers use in commitment to short-term profits and efficiency.
guiding their behavior and choices. It involves MORAL REASONING STAGES OF DEVELOPMENT:
not only knowing what is right but also KOHLBERG’S STAGES OF MORAL DEVELOPMENT
knowing how to achieve what is right.
- (Kohlberg’s model was created specifically
Business ethics involves finding the answers to two for the framework of child development and
questions: has been widely criticized for
(1) How do managers decide what is right in promoting the inherent value system of its
conducting their business? and author. The original Kohlberg model organized
a child’s values development from
(2) Once managers have recognized what is right, how parental punishment/rewards to
do they achieve it? organizational belonging/success (local
maximization) to greater social
Ethics in business can be divided into four areas: contracts/justice (forgoing one’s individual
gains for the sake of societal gain). The
 Equity (fairness and lawful practices in the representation in the Hall textbook is an
marketplace), interpretation of the Kohlberg model.
 Rights (individual employee rights),
 Honesty (behavior), and  Stage 1 (lowest): Punishment
 Exercise of corporate power (working orientation: obey rules to avoid
condition choices). punishment

 Stage 2: Reward orientation: obey rules

to obtain the reward

 Stage 3: Good boy/girl orientation: obey

rules to receive approval

 Stage 4: Authority orientation: obey

rules to be perceived as performing
one’s duty

 Stage 5: Social contract orientation:

obey rules to obtain the respect of
peers and maintain self-respect

 Stage 6 (highest): Ethical Principle

Orientation: rules are guided by self-
selected ethical principles that promote
self-esteem.

Downloaded by Paredes Imee Therese (imee11therese@gmail.com)

 lOMoARcPSD|18238377

Every business decision has ethical risks and in nature than traditional issues (property rights,
benefits. Your ethical responsibility is the balancing copyright, trade secrets, patent laws). The
between these consequences. The following following issues of concern involve computer
principles have been provided for guidance on ethics and may generate class discussions:
these decisions:
Privacy: How much information about you is
 Proportionality: The ethical benefit from a available to others? How much information
decision must outweigh the risks. There about yourself do you really own?
must be no alternative decision that  being in full control of what and how
provides the same or greater benefit with much information about themselves is
less risk. available to others, and to whom it is
available.
 Justice: The benefits should be distributed  The creation and maintenance of huge,
fairly to those affected. Those who do not shared databases make it necessary to
benefit should not carry the burden of risk. protect people from the potential
misuse of data. This raises the issue of
 Minimize Risk: The decision should
ownership in the personal information
minimize all risks and avoid unnecessary industry.
risks. Even if judged acceptable by the
principles, the decision should be Security (Accuracy and Confidentiality): How
implemented so as to minimize all of the can you avoid authorized/unauthorized
risks and avoid any unnecessary risks. individuals accessing or changing your
computerized information? Where is the
What is Computer Ethics? balance between safe data and open shared
resources?
 Computer Ethics is the analysis of the impact  Computer security is an attempt to
of computer technology and the policies for avoid such undesirable events as a loss
the ethical use of such technology. It involves of confidentiality or data integrity.
software, hardware, and network behaviors. Security systems attempt to prevent
Three levels of computer ethics: fraud and other misuse of computer
 Pop ethics systems; they act to protect and
- staying current with the media. further the legitimate interests of the
- is simply the exposure to stories and reports system’s constituencies.
found in the popular media regarding the
good or bad ramifications of computer  The ethical issues involving security
technology arise from the emergence of shared,
 Para ethics computerized databases that have the
- having real interest and acquiring some skill potential to cause irreparable harm to
and knowledge in the field. individuals by disseminating inaccurate
- involves taking a real interest in computer information to authorized users, such
ethics cases and acquiring some level of skill as through incorrect credit reporting.
and knowledge in the field. There is a similar danger in
 Theoretical ethics disseminating accurate information to
- multidisciplinary application of ethical persons unauthorized to receive it.
theories to computer science.
- is of interest to multidisciplinary researchers Ownership of Property: Can an individual own
who apply the theories of philosophy, idea? Media? Source or object code? Do
sociology, and psychology to computer science copyright laws and patents restrict the progress
with the goal of bringing some new of technology?
understanding to the field.
Equity in Access: Does the economic status of
ERROR VS. FRAUD an individual restrict him/her from access to a
 The term “error” refers to career in information technology?
unintentional misstatements in the
financial statements, including the  Several factors, some of which are not
omission of an amount or a disclosure. unique to information systems, can
 Fraud refers to intentional act by one limit access to computing technology.
or more individuals among The economic status of the individual
management, those charged with or the affluence of an organization will
governance, employees, or third determine the ability to obtain
parties, involving the use of deception information technology
to obtain an unjust or illegal  Culture also limits access, for example,
advantage. when documentation is prepared in
only one language or is poorly
Many argue that computer ethics are no different

Downloaded by Paredes Imee Therese (imee11therese@gmail.com)

 lOMoARcPSD|18238377
translated.
Environmental Issues: Do high-speed printers
cause less responsibility for reducing paper
waste?
 For example, computers with high-
speed printers allow for the production
of printed documents faster than ever
before. It is probably easier just to
print a document than to consider
whether it should be printed and how
many copies really need to be made. It
may be more efficient or more
comforting to have a hard copy in
addition to the electronic version.
However, paper comes from trees, a
precious natural resource, and ends up
in landfills if not properly recycled.
Artificial Intelligence: Who is responsible for
the decisions that an expert system or a bot
might make on behalf of a business?
 Because of the way these systems have
been marketed—that is, as decision
makers or replacements for experts—
some people rely on them significantly.
Therefore, both knowledge engineers
(those who write the programs) and
domain experts (those who provide
the knowledge about the task being
automated) must be concerned about
their responsibility for faulty decisions,
incomplete or inaccurate knowledge
bases, and the role given to computers
in the decision-making process.
Unemployment and Displacement: When a
business downsizes employees because a
computer now performs their jobs, is that
business responsible to retrain the displaced
employees?
 Many jobs have been and are being
changed as a result of the availability of
computer technology. People unable or
unprepared to change are displaced.
Misuse of Computers: How do you feel about
copying software, MP3 music files, snooping
through other people’s files, or using a
business’ computer for personal purposes?
 Computers can be misused in many
ways. Copying proprietary software,
using a company’s computer for
personal benefit, and snooping through
other people’s files are just a few
obvious examples.
 Although copying proprietary software
(except to make a personal backup
copy) is clearly illegal, it is commonly
done.
- Managers must establish and maintain a
system of internal controls to ensure the
integrity and reliability of their data.
Downloaded by Paredes Imee Therese (imee11therese@gmail.com)
SARBANES-OXLEY ACT AND ETHICAL ISSUES
 is the most significant federal securities law
since the Securities and Exchange Commission
(SEC) Acts of 1933 and 1934
 SOX has many provisions designed to deal with
specific problems relating to capital markets,
corporate governance, and the auditing
profession
SECTION 406 – CODE OF ETHICS FOR SENIOR FINANCIAL
OFFICERS
 Section 406 of SOX requires public companies to
disclose to the SEC whether they have adopted
a code of ethics that applies to the
organization’s chief executive officer (CEO),
CFO, controller, or persons performing similar
functions.
 If the company has not adopted such a code, it
must explain why.
 A public company may disclose its code of ethics
in several ways:
1) included as an exhibit to its annual report,
2) as a posting to its Web site, or
3) by agreeing to provide copies of the code upon
request.
 Whereas Section 406 applies specifically to
executive and financial officers of a company, a
code of ethics should apply equally to all
employees. Top management’s attitude toward
ethics sets the tone for business practice, but it
is also the responsibility of lower-level
managers and nonmanagers to uphold a firm’s
ethical standards.
Conflict of Interest
- The company’s code of ethics should outline
procedures for dealing with actual or apparent
conflicts of interest between personal and
professional relationships.
- Whereas avoidance is the best policy,
sometimes conflicts are unavoidable. Thus,
one’s handling and full disclosure of the matter
become the ethical concern
Full and Fair Disclosure
- This provision states that the organization
should provide full, fair, accurate, timely, and
understandable disclosures in the documents,
reports, and financial statements that it
submits to the SEC and to the public.
 lOMoARcPSD|18238377

such as making it a federal offense for

Legal Compliance
- Codes of ethics should require employees to
follow applicable governmental laws, rules,
and regulations.
- Doing the right thing requires sensitivity to
laws, rules, regulations, and societal
expectations. To accomplish this, organizations
must provide employees with training and
guidance.
Internal Reporting of Code Violations
- The code of ethics must provide a mechanism
to permit prompt internal reporting of ethics
violations. This provision is similar in nature to
Sections 301 and 806, which were designed to
encourage and protect whistle-blowers.
Accountability
- An effective ethics program must take
appropriate action when code violations occur.
This will include various disciplinary measures,
including dismissal. Employees must see an
employee hotline as credible, or they will not
use it.
destroying documents or audit work
papers, to be used in an official proceeding
or actions against whistleblowers.
FRAUD AND ACCOUNTANTS
 Fraud is a false representation of a material fact
made by one party to another party with the
intent to deceive and to induce the other party
to rely on the fact to his or her detriment.
Many times, alleged fraud is just poor
management decisions or adverse business
conditions.
 is defined as the intentional use of deceit, trick,
or some dishonest means to deprive another
party of money, property, or of a legal right.
Common law asserts that for an act to be considered
fraudulent, it must meet five requirements:
1. There must be a false
representation, statement or a nondisclosure.
2. There must be a material fact, a substantial
factor in inducing someone to act.
3. There must be intent to deceive.
4. The misrepresentation must have resulted
in justifiable reliance causing someone to act.
5. The deception must have caused injury or
loss to the victim of the fraud.
Responsibility of Management and Those Charged with
Governance in fraud

- Section 301 directs the organization’s audit Under Philippine Standard of Auditing (PSA) 240.
committee to establish procedures for The responsibility for the prevention and
receiving, retaining, and treating such detection of fraud and error rest with both
complaints about accounting procedures and management and those charge with the governance of
internal control violations. the entity.

Sarbanes-Oxley Act – July 2002, passed by US Auditor’s Responsibility in Fraud

Congress and signed by President Bush. This act
reforms oversight and regulation of public company Under Philippine Standard of Auditing (PSA) 240.
directing and auditing. Its principal reforms involve: Although annual audits of financial statements
may act as deterrent to fraud and error, the auditor is
 The creation of an accounting oversight not and cannot be held responsible for the prevention
board (PCAOB) empowered to set of fraud and error.
auditing, quality control, and ethics
standards, to inspect registered The auditor’s responsibility is to design the
accounting firms, to conduct audit to provide reasonable assurance that the
investigations, and to take disciplinary financial statements are free from material
actions. misstatements, whether caused by error or fraud.
 Auditor independence: more separation Business fraud is an intentional deception,
between a firm’s attestation and non- misappropriation of assets, or manipulation of financial
auditing activities data to the advantage of the perpetrator. Two types of
fraud discussed in this chapter are employee fraud and
 Corporate governance and responsibility:
management fraud.
audit committee members must be
independent and the audit committee Employee fraud is committed by non-management
must oversee the external auditors personnel and usually consists of an employee taking
cash or other assets for personal gain and concealing
 Disclosure requirements: increase issuer their actions. Employee fraud usually involves three
and management disclosure steps:

 Penalties for fraud and other violations, (1) stealing something of value (an asset),

Downloaded by Paredes Imee Therese (imee11therese@gmail.com)

 lOMoARcPSD|18238377
(2) converting the asset to a usable from (cash), and
(3) concealing the crime to avoid detection
> performance fraud by non-management employee
generally designed to directly convert cash or other
assets to the employee’s personal benefit
Management fraud is committed at higher levels and
usually does not involve the direct theft of an asset. It
is more insidious than employee fraud because it
often escapes detection until the organization has
suffered irreparable damage or loss.
> uses deceptive practices to inflate earnings or to
forestall the recognition of either insolvency or a
decline in earnings
It is generally more difficult to detect for the following
reasons:
 The fraud occurs at levels that are above
internal control mechanisms.
 The fraud occurs by managers who can
manipulate financial statements through
either expense allocations or revenue
recognition.
 The misappropriation of assets can be covered
up with complex transactions, often involving
third parties.
Management fraud typically contains three special
characteristics:
1. The fraud is perpetrated at levels of management
above the one to which internal control structures
generally relate.
2. The fraud frequently involves using the financial
statements to create an illusion that an entity is
healthier and more prosperous than, in fact, it is.
3. If the fraud involves misappropriation of assets, it
frequently is shrouded in a maze of complex
business transactions, often involving related third
parties.
Factors That Contribute to Fraud
Forces that interact to motivate an individual to
commit fraud can be categorized as situational
pressures (high), opportunity (high), and personal
characteristics/ethics (low).
Auditors should look to many places to determine
management’s motivations to commit fraud and
should look at the top management of the companies
they audit to find the answers to questions such as:
Personal: Do any of the managers have a lot of
debt? Are they living beyond their means? Are
they gambling? Do they abuse substances?
Environment: Are economic conditions
unfavorable?
Business: Does the company use several different
banks, none of which see the company’s entire
financial picture? Are there close associations
with any supplier?
Downloaded by Paredes Imee Therese (imee11therese@gmail.com)
THE FRAUD TRIANGLE
The fraud triangle consists of three factors that
contribute to or are associated with management and
employee fraud:
(1) situational pressure, which includes personal or
job-related stresses that could coerce an
individual to act dishonestly;
(2) opportunity, which involves direct access to
assets and/or access to information that controls
assets, and;
(3) ethics, which pertains to one’s character and
degree of moral opposition to acts of dishonesty.
To provide insight into these factors, auditors often use a
red-flag checklist consisting of the following types of
questions:
 Do key executives have unusually high personal
debt?
 Do key executives appear to be living beyond
their means?
 Do key executives engage in habitual gambling?
 Do key executives appear to abuse alcohol or
drugs?
 Do any of the key executives appear to lack
personal codes of ethics?
 Are economic conditions unfavorable within the
company’s industry?
 Does the company use several different banks,
none of which sees the company’s entire
financial picture?
 Do any key executives have close associations
with suppliers?
 Is the company experiencing a rapid turnover of
key employees, either through resignation or
termination?
 Do one or two individuals dominate the
company?
Financial Losses from Fraud
The opportunity seems to be the overall most
important factor associated with the fraud.
Opportunity can be defined as control over assets or
access to assets. Opportunity is characterized in this
dataset with a higher management position, which is
mostly filled by older, more educated males at this
time in history.
Fraud Schemes
The three broad categories of fraud schemes
according to the Association of Certified Fraud
Examiners are fraudulent financial statements,
corruption, and asset misappropriation.
Fraudulent Financial Statements
 lOMoARcPSD|18238377
For financial statements to be fraudulent, the
statement itself must bring financial benefit to the
perpetrator, either direct or indirect. The
manipulation of the financial statement cannot just
be a vehicle to hide the fraudulent act.
 misstating the financial statements to make the
copy appear better than it is
 usually occurs as management fraud
 may be tied to focus on short-term financial
measures for success
 may also be related to management bonus
packages being tied to financial statements
Underlying problems include:
 Lack of auditor independence
- auditing firms also engaged by their clients to perform
non-accounting activities.
 Lack of director independence
- directors who also serve on the boards of other
companies, have a business trading relationship, have a
financial relationship as stockholders or have received
personal loans, or have an operational relationship as
employees
 Questionable executive compensation
schemes
- short-term stock options as compensation result in
short-term strategies aimed at driving up stock prices at
the expense of the firm’s long-term health
 Inappropriate accounting practices
- a characteristic common to many financial statement
fraud schemes
Corruption
Corruption involves collusion with an outside entity.
The four principal types of corruption include:
Bribery: Offering, giving, or receiving things of
value to influence an official in the performance of
his/her lawful duties (before the fact).
Illegal Gratuities: Offering, giving, requesting,
or receiving something of value because of an
official act that has been taken (after the fact).
Conflicts of Interest: When an employee acts
on the behalf of a third party during the discharge
of duties or has self-interest in the activity being
performed.
Economic Extortion: Threat or use of force
(including economic sanctions) by an individual
or organization to obtain something of value.
Asset Misappropriation (employee fraud)
Asset Misappropriation is the most common form
of fraud, the CFE found 85 percent of fraud cases
to be asset misappropriations. Transactions involving
the case, checking accounts, inventory, supplies,
Downloaded by Paredes Imee Therese (imee11therese@gmail.com)
equipment, and information are the most vulnerable
assets. Examples of asset misappropriation schemes
include:
Skimming
- involves stealing cash from an organization
before it is recorded on the organization’s books
and records.
- One example of skimming is an employee who
accepts payment from a customer but does not
record the sale.
- Another example is mail room fraud in which an
employee opening the mail steals a customer’s
check and destroys the associated remittance
advice. By destroying the remittance advice, no
evidence of the cash receipt exists. This type of
fraud may continue for several weeks or months
until detected.
Charges to expense accounts.
Cash Larceny
- involves schemes in which cash receipts are
stolen from an organization after they have
been
recorded in the organization’s books and records.
- An example of this is lapping, an employee
who has access to customer checks and to
accounts receivable records steals some money,
and then uses the next check that comes in to
cover the last amount stolen (so that the
customers never notice). This can continue until
the employee leaves the company or takes a
vacation, or is switched to another position.
Billing Schemes
- also known as vendor fraud, are perpetrated
by employees who causes their employer to
issue a payment to a false supplier or vendor
by submitting invoices for fictitious goods or
services, inflated invoices, or invoices for
personal purchases. Three examples of billing
scheme are presented here.
1)Shell company fraud
- requires that the perpetrator establish a false
supplier on the books of the victim company. The
fraudster then manufactures false purchase
orders, receiving reports, and invoices in the name
of the vendor and submits them to the accounting
system, which creates the allusion of a legitimate
transaction. Based on these documents, the
system will set up an account payable and
ultimately issue a check to the false supplier (the
fraudster).
2)Pass through fraud
- is similar to the shell company fraud with the
exception that a transaction actually takes place.
- the perpetrator creates a false vendor and issues
purchase orders to it for inventory or supplies. The
false vendor then purchases the needed inventory
from a legitimate vendor. The false vendor
 lOMoARcPSD|18238377
charges the victim company a much higher than
market price for the items, but pays only the
market price to the legitimate vendor. The
difference is the profit that the perpetrator
pockets.
3)Pay-and-turn
- This typically involves a clerk with check writing
authority who pays a vendor twice for the same
products (inventory or supplies) received. The
vendor, recognizing that its customer made a
double payment, issues a reimbursement to the
victim company, which the clerk intercepts and
cashes.
Check Tampering
- involves forging or changing in some material
way a check that the organization has written
to a legitimate payee.
- One example of this is an employee who
steals an outgoing check to a vendor, forges
the
payee’s signature, and cashes the check.
Payroll fraud
- is the distribution of fraudulent paychecks to
existent and/or nonexistent employees?
- For example, a supervisor keeps an employee
on the payroll who has left the organization.
Each week, the supervisor continues to
submit timecards to the payroll department
as if the employee were still working for the
victim organization.
Expense Reimbursements
- are schemes in which an employee makes a
claim for reimbursement of fictitious or
inflated business expenses. For example, a
company salesperson files false expense
reports, claiming meals, lodging, and travel
that never occurred.
Thefts of cash
- are schemes that involve the direct theft of
cash on hand in the organization.
- An example of this is an employee who makes
false entries on a cash register, such as
voiding a sale, to conceal the fraudulent
removal of cash.
- Another example is a bank employee who
steals cash from the vault.
Non-Cash Misappropriations
- involve the theft or misuse of the victim
organization’s non-cash assets.
- One example of this is a warehouse clerk who
steals inventory from a warehouse or
storeroom.
- Another example is a customer services clerk
who sells confidential customer information
to a third party.
Transaction Fraud: involves deleting, altering, or
Downloaded by Paredes Imee Therese (imee11therese@gmail.com)
adding false transactions to divert assets to the
perpetrator (false invoices, false paychecks, etc.).
Computer Fraud Schemes: Computer
environments are subject to their own kinds of
fraud. Computer fraud can include theft of assets
by:
o altering computer-readable records, and
files
o altering the logic of computer software,
o theft or illegal use of computer-readable
information,
o theft, corruption, illegal copying, or
intentional destruction of software, and
o theft, misuse, or misappropriation of
computer hardware.
Computer assets are vulnerable to theft or
destruction at each phase of the accounting
information system.
Data Collection Fraud: This phase of the
system is most vulnerable because it is very easy
to change data as it is being entered into the
system. Fraudulent transactions or dollar
amounts can be keyed into the system and
thefts can thus be covered up. Data must be
valid, complete, free from material errors,
relevant, and efficiently collected.
Masquerading is an unauthorized user entering
the system as an authorized user.
Piggybacking is tapping into the
telecommunication lines and latching onto
an authorized user who is logging into the
system. Once inside, the perpetrator can go their
own way.
Data Processing: Frauds can be a program or
operation fraud.
Program fraud includes altering programs to
allow illegal access, introduce a virus, or alter
a program’s logic to cause incorrect data
processing.
Operation fraud is the misuse of company
computer resources, for example, for personal
use or personal business.
Database Management: Fraud at this phase of the
system involves altering, destroying, or stealing the
company's data either in storing, retrieving, or
deleting tasks. (Disgruntled or Ex-employee)
Information Generation: Frauds here involves
misrepresentation, theft, or misuse of the
computer output, either on-screen or in hard copy.
It can also involve scavenging (searching through
the trash cans of a company for discarded
outputs) or eavesdropping (listening to electronic
transmissions). The information must have the
following characteristics:
Relevance: It affects the employee’s decisions
regarding the task at hand.
Timeliness: It can be no older than the time period
of the action that it supports.
Accuracy: It must be free of material errors.
Completeness: No essential piece of information is
missing.
 lOMoARcPSD|18238377

Summarization: Information is aggregate in

accordance with the user’s needs.
• Limitations: Every system has limitations including
the possibility of error—no system is perfect,
circumvention via collusion—personnel may
circumvent the system through collusion or other
means, management override—management is in
a position to override control procedures by
personally distorting transactions or by directing a
subordinate to do so, and changing conditions—
Internal Control Concepts and Procedures conditions may change over time so that existing
controls may become ineffectual.
Internal Control- a state that management strives to
achieve to provide reasonable assurance that the
firm’s objectives will be achieved Exposures and Risks

Under Philippine Standard of Auditing (PSA) 315 Assets are subject to the risk of losses, termed
Internal Control is defined as the process exposures if internal controls are weak in a particular
designed and effected by those charged with area. Exposures can lead to the following kinds of
governance, management, and other personnel to problems:
provide reasonable assurance about the achievement
of the entity’s objectives with regard to reliability of • Destruction of the asset
financial reporting, effectiveness, and efficiency of • Theft of the asset
operations and compliance with applicable laws and • Corruption of information or of the
regulations. information system
• Disruption of the information system
Foreign Corrupt Practices Act of 1977 Relationship between the firm’s internal control
structure, auditor’s assessment of risk, and the
Requires companies registered with the SEC to:
planning of audit procedures
 Keep records that fairly and reasonably  The weaker the internal control structure, the
reflect the transactions of the firm and its higher the assessed level of risk; the higher
financial position, and the risk, the more auditor procedures applied
 Maintain a system of internal control that in the audit
provides reasonable assurance that the
organization’s objectives are met. The Preventive-Detective-Corrective Internal Control
Model is a very useful model to approach risk
Internal Control in Concept management.
Preventive controls
Internal control systems include all of the policies, are designed to reduce the opportunities for
practices, and procedures employed by the the commission of errors or fraud. They are
organization to achieve four broad objectives passive controls, meaning that they are
(according to AICPA’s SAS#1, sec. 320): integrated into the system in the hopes of
preventing errors and fraud before they happen.
• to safeguard assets of the firm, They provide safeguards that are built into the
• to ensure the accuracy and reliability of system's routine procedures.
accounting records and information,
• to promote the efficiency of the are passive techniques designed to reduce
firm's operations, and the frequency of occurrence of undesirable
• to measure compliance with management's events. Preventive controls force compliance
prescribed policies and procedures. with prescribed or desired actions and thus
screen out aberrant events. When designing
Modifying Assumptions for systems designers and internal control systems, an ounce of prevention
auditors include: is most certainly worth a pound of cure.
• Management Responsibility: Management is Preventing errors and fraud is far more cost-
ultimately responsible. effective than detecting and correcting problems
• Reasonable assurance: The internal control after they occur.
system should provide reasonable rather than
absolute assurance. Detective controls
• Data Processing Methods: The methods are designed to detect errors or fraud after
utilized for data processing will change the types they have occurred. These controls compare
of internal what has actually happened with what was
controls needed and utilized to achieve the four supposed to happen. If deviations occur, they are
objectives. identified.

Downloaded by Paredes Imee Therese (imee11therese@gmail.com)

 lOMoARcPSD|18238377
are devices, techniques, and procedures
designed to identify and expose undesirable
events that elude preventive controls. Detective
controls reveal specific types of errors by
comparing actual occurrences to preestablished
standards. When the detective control identifies
a departure from standard, it sounds an alarm to
attract attention to the problem.
Corrective controls
are measures taken to correct errors,
especially material ones, once they have been
detected. Such measures should be taken with
caution after the reasons for the errors have
been found. If an error is a minor one, it may not
be worth analyzing and correcting.
are actions taken to reverse the effects of errors
detected in the previous step.
 There is an important distinction between
detective controls and corrective controls.
Detective controls identify anomalies and draw
attention to them; corrective controls actually
fix the problem
Auditing and Auditing Standards
Auditors are guided in their professional responsibilities
by GAAS (Generally Accepted Auditing Standards), in
addition to many other Statements on Auditing
Standards.
• General qualification standards refer to the
background that is necessary to be an auditor.
• Fieldwork standards refer to the level of
investigative professionalism that is required
while conducting an audit. Note that the second
fieldwork standard refers to an understanding of
the internal control structure.
• Reporting standards refer to the
requirements an auditor must follow when
rendering a professional opinion.
The Statement on Auditing Standards No. 78 discusses
the complex relationship between the firm’s internal
controls, the auditor’s assessment of risk, and the
planning of audit procedures. This statement
conforms to the recommendations of the US
Congress’ Committee of Sponsoring Organizations of
the Treadway Commission (COSO).
Internal Control Components
According to SAS No. 78, internal control consists of the
control environment, risk assessment, information
and communication activities, monitoring activities,
and control activities.
Control Environment
The Control Environment is the foundation of internal
control and sets the tone for the organization.
Important elements of the control environment
include:
Downloaded by Paredes Imee Therese (imee11therese@gmail.com)
• The integrity and ethical values of
management
• The organizational structure of the company
• The role and participation level of the board
of directors and of the audit committee
 demonstrate commitment to integrity and
ethical values
 exercise oversight responsibility
 establish structure, authority and
responsibility
 demonstrate commitment to competence
 enforce accountability
Is there an internal auditing department that reports to
the audit committee?
• Management's philosophy or approach
to running the company
• Delegation of responsibility and authority
Is there proper segregation of duties between
authorization, custody, and accounting?
• Methods for evaluating performance
• External influences, such as examinations by
outside parties
• The organization's policies and practices for
managing its human resources
SAS 78 requires the auditors to obtain sufficient
knowledge to assess the attitude and awareness of an
organization's management, the board of directors,
and owners to determine the importance of internal
control in their organization. Techniques they could
utilize include background checks, reputation,
integrity, external conditions, knowledge of the
client’s industry, and specific business.
Management should adopt the provisions of the
Sarbanes-Oxley Act by:
• Separating the roles of CEO and chairman,
• Setting ethical standards,
• Establishing an Independent Audit Committee
• Compensation Committees
• Nominating Committees
• Access to Outside Professionals
Risk Assessment
Management must assess the risks of their business and
their environment. Such risk would be increased by,
for
example, rapid growth, new competitors, new product
lines, organizational restructuring, entering foreign
markets, implementation of new technology, or
adopting a new accounting principle that impacts the
financial statements. Auditors are required by SAS
No. 78 to obtain an understanding of their clients'
methods for assessing risk.
 specify suitable objectives
 identify and analyze risk
 lOMoARcPSD|18238377
 assess fraud risk
 identify and analyze significant change
Organizations must perform a risk assessment to
identify, analyze, and manage risks relevant to
financial reporting. Risks can arise or change
from circumstances such as:
 changes in external environment
 risky foreign markets
 significant and rapid growth that strain
internal controls
 new product lines
 restricting, downsizing
 changes in accounting policies
Information and Communication
Managers are responsible for developing, implementing,
and maintaining a good system of Information and
Communication for all in the organization. The
accounting information system consists of the
records and methods used to initiate, identify,
analyze, classify, and record the organization’s
transactions and account for the related assets and
liabilities.
The quality of information generated by an organization's
accounting information system will impact the
reliability of the organization's financial statements.
Auditors are required to obtain an understanding of
the classification of material transactions, the
processing of those transactions in the accounting
records, and the utilization of processed data in the
preparation of financial statements.
 use relevant information
 communicate internally and externally
Effective accounting information systems will:
• Identify and record all valid financial
transactions.
• Provide timely information about
transactions in sufficient detail to permit proper
classification and financial reporting.
• Accurately measure the financial value of
transactions so their effects can be recorded in
financial statements.
• Accurately record transactions in the time
period in which they occurred.
SAS 78/ COSO requires that Auditors to obtain sufficient
knowledge of the information system to understand:
• The classes of transactions that are material
to the financial statements and how those
transactions are initiated. (input)
• The accounting records and accounts that are
used in the processing of material transactions.
(input)
• The transaction processing steps involved
from the initiation of a transaction to its inclusion
in the financial statements. (process)
• The financial reporting process used to
prepare financial statements, disclosures, and
Downloaded by Paredes Imee Therese (imee11therese@gmail.com)
accounting estimates. (output)
Monitoring
Monitoring must be performed to determine that the
internal controls are functioning as intended. The
process by which the quality of internal control
design and operation can be assessed. This may be
accomplished by separate procedures or by ongoing
activities.
Monitoring may be performed by internal auditors who
periodically test controls and report to management
any weaknesses that could be a cause for concern.
Monitoring can also be performed continuously
through the implementation of computer modules
designed specifically to monitor the functioning of
internal controls. A good reporting system, reviewed
by management, is also an excellent monitoring
information system.
 conduct ongoing and/or separate evaluations
 evaluate and communicate deficiencies
Control Activities
Control Activities are the policies and procedures used to
ensure that appropriate actions are taken to deal with
the identified risks.
 select and develop control activities, and
general controls over technology
 deploy through policies and procedures
There are two categories, computer controls, and physical
controls.
Computer or IT Controls can be categorized into two
groups: general controls and application controls.
• General Controls pertain to pervasive, entity-
wide concerns such as access and approval, such
as human resources and project management.
• Application Controls pertain to the details of
specific systems, such as payroll.
IT APPLICATION CONTROLS
Management and Auditors are required by SOX
to consider IT Application controls relevant to
financial reporting. Application controls are
associated with specific applications, such as
payroll, purchases, and cash disbursement
systems, and fall into three broad categories:
Input Controls: are programmed procedures, often
called edits, which perform tests on transaction
data to ensure that they are free from errors
 Check digits
 Missing Data Checks
 Numeric-Alphabetic Check
 Limit Check
 Range Check
 Reasonables Check
 Validity Check
Processing Controls: are programmed procedures to
 lOMoARcPSD|18238377
ensure that an application’s logic is functioning
properly
 Batch Controls
 Audit Trail Controls
 ensure that every transaction can be
traced through each stage of
processing from its economic source
to its presentation in financial
statements
 Master Trail Controls
Output Controls: are combination of programmed
routines and other procedures to ensure that
system output is not lost, misdirected, or
corrupted and that privacy is not violated
Physical Controls typically relate to manual procedures.
This class of controls relates primarily to the human
activities employed in accounting systems.
Traditionally, there are six categories of physical
control activities:
Transaction Authorization: Employees should
only be carrying out authorized transactions.
Authorizations may be general or specific. General
authorization may be granted to employees to
carry out routine, everyday procedures while
specific authorization may be needed for non-
routine transactions. Often embedded within
computer programs. The purpose of transaction
authorization is to ensure that all material
transactions processed by the information system
are valid and in accordance with management’s
objectives.
Segregation of Duties: The key segregations
should be between the authorizing and the
processing of a transaction and between the
custody of an asset and its record-keeping. The
system must be designed so that it would take
more than one employee to successfully carry out
a fraudulent act. In a computerized system,
however, many duties that must be segregated in
a manual system may be combined because
computers do not make errors or commit fraud.
Nevertheless, in a computer-based system,
segregation should exist between the functions of
program development, program operations, and
program maintenance.
Supervision is referred to as a compensating
control because it comes into play when there is
not an adequate separation of duties and
employees must double up on tasks. This
control is especially important for computer-
based systems as often management must hire
Downloaded by Paredes Imee Therese (imee11therese@gmail.com)
from a small supply of technically competent
individuals, these individuals have access to much
of the organization’s sensitive data, and because
management is unable to observe employees
who work with the system. The ability to assess
competent employees becomes more challenging
due to the greater technical knowledge required.
Underlying assumption of supervision control is
that the firm employs competent and trustworthy
personnel. Obviously, no company could function
for long on the alternative assumption that its
employees are incompetent and dishonest.
Accounting Records are the source
documents, journals, and ledgers of a business.
These documents provide the audit trail for all the
company's economic transactions. Audit trails are
also created in computer-based systems, but the
form and appearance of the accounting records
are different from those in a manual system
(hashing techniques, pointers, indexes, embedded
keys). Auditors must understand system controls
to know their impact on the audit trails of the
records. Sometimes source documents are kept
magnetically. No audit trail is readily apparent.
These records capture the economic essence of
transactions and provide an audit trail of
economic events. The audit trail enables the
auditor to trace any transaction through all phases
of its processing from the initiation of the event to
the financial statements.
Organizations must maintain audit trails for two
reasons:
(1) This information is needed for conducting day-
to-day operations. The audit trail helps employees
respond to customer inquiries by showing the
current status of transactions in process.
(2) The audit trail plays an essential role in the
financial audit of the firm. It enables external (and
internal) auditors to verify selected transactions
by tracing them from the financial statements to
the ledger accounts, to the journals, to the source
documents, and back to their original source.
Access Controls safeguard assets by
restricting physical access. In computer-based
systems, access controls should reduce the
possibilities of computer fraud and losses from
disasters. Access controls should limit personnel
access to central computers, restrict access to
computer programs, provide security for the data
processing center, provide adequate backup for
data files, and provide for disaster recovery. Data
consolidation exposes the organization to
computer fraud and excessive losses from
disaster. The purpose of access controls is to
ensure that only authorized personnel have
access to the firm’s assets. Unauthorized access
exposes assets to misappropriation, damage, and
theft. Therefore, access controls play an
important role in safeguarding assets.
 lOMoARcPSD|18238377

Independent Verification procedures identify

errors and misrepresentations and can be
performed by both managers and computers. For
example, managers can review financial and
management reports, and computers can
reconcile batch totals or subsidiary accounts with
control accounts. Management can assess an
individual application’s performance, processing
system integrity, and data accuracy. Examples of
independent verification include reconciling
batch totals at various points of processing,
comparing physical assets with accounting
records, reconciling subsidiary ledgers with
general ledger control accounts, and reviewing
management reports. When tasks are performed
by the computer rather than manually, the need
for an independent check is not necessary.
However, the programs themselves are checked.

The Importance of Internal Controls

• The five components of internal control are:
environment, risk assessment, information and
communication, monitoring, and control
activities. Understanding internal control will
guide the auditor in the planning of specific tests
to determine the likelihood and the extent of
financial statement misrepresentation.

Downloaded by Paredes Imee Therese (imee11therese@gmail.com)

 lOMoARcPSD|18238377

Downloaded by Paredes Imee Therese (imee11therese@gmail.com)