
Chapter 3: Ethics, Fraud and Internal Control

Accounting Information Systems 9e
James A. Hall

© 2015 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in
whole or in part, except for use as permitted in a license distributed with a certain product or
service or otherwise on a password-protected website for classroom use.
Objectives for Chapter 3
• Understand the broad issues pertaining to business ethics.
• Have a basic understanding of ethical issues related to the use
of information technology.
• Be able to distinguish between management fraud and
employee fraud.
• Be familiar with common types of fraud schemes.
• Be familiar with the key features of the COSO internal control
framework.
• Understand the objectives and application of both physical and
IT control activities.
Ethical Issues in Business
• Ethics pertains to principles of conduct used in making choices
and guiding behavior in situations involving the concept of right
and wrong.
• Business ethics involves answering two questions:
– How do managers decide what is right in conducting business?
– Once recognized, how do managers achieve what is right?
• Businesses have conflicting responsibilities to employees,
shareholders, customers and the public.
– Every decision has consequences. Seeking a balance between the
consequences is managers’ ethical responsibility.
– The benefit from a decision must outweigh the risks and no
alternative should provide greater benefit or less risk.
Ethical Issues in Business
• Computer ethics analyzes the social impact of computer
technology and formulation and justification of policies for the
ethical use of technology.
– Para computer ethics involves taking an interest in computer ethics
cases and acquiring some level of skill and knowledge in the field.
• Issues of concern include:
– Privacy and ownership in the personal information industry.
– Security involving accuracy and confidentiality.
– What can an individual or organization own?
– Equity of access issues related to economic status, culture and safety.
– Environmental issues, artificial intelligence, unemployment and
displacement and computer misuse.

Ethical Issues in Business
• Sarbanes-Oxley Act (SOX) Section 406 requires public
companies to disclose to the SEC if they have a code of ethics
that applies to the CEO, CFO and controller.
– If a company does not have a code, it must explain why.
• Compliance with 406 requires a code of ethics that addresses:
– Procedures for dealing with conflicts of interest.
– Full and fair disclosures to ensure candid, open, truthful disclosures.
– Requiring employees to follow applicable laws, rules and regulations.
– A mechanism to permit prompt internal reporting of ethical
violations.
– Taking appropriate actions when code violations occur.

Fraud and Accountants
• Passage of SOX has had tremendous impact on the external
auditor’s responsibilities for fraud detection in a financial audit.
– Objective is to seamlessly blend fraud consideration into all phases of
the audit process (SAS 99).
• Fraud denotes a false representation of material fact made
with the intent to deceive and induce another to rely on it to their
detriment. The act must meet five conditions:
– False representation: false statement or disclosure.
– Material fact: fact must be substantial in inducing someone to act.
– Intent to deceive: intent must exist, or knowledge that the statement is false.
– Justifiable reliance: misrepresentation must have been relied on.
– Injury or loss: must have been sustained by the victim.

Fraud and Accountants
• Fraud in business has a more specialized meaning:
– Intentional deception, asset misappropriation or financial data
manipulation to the advantage of the perpetrator.
– White collar crime, defalcation, embezzlement and irregularities.
• Auditors encounter two types of fraud:
– Employee fraud (non-management) generally designed to convert
cash or other assets to the employee’s personal benefit.
– Management fraud does not involve direct theft and is more harmful
as it usually involves material misstatements of financial data.
• Perpetrated at levels of management above internal control structures.
• Frequently involves exaggerated financial statement results.
• Misappropriation of assets often shrouded in complex transactions involving
related third parties.

Fraud and Accountants
• The fraud triangle factors that contribute to fraud:
– Situational pressures that coerce an individual to act dishonestly.
– Opportunity through direct access to assets.
– Ethics which relate to one’s character and moral compass.
• A recent study suggests fraud losses equal 5% of revenue.
– Actual cost is difficult to quantify and does not include indirect losses.
• Most frauds are committed by employees rather than managers,
but the losses are much higher for managers and owners.
• Collusion in the commission of a fraud is difficult to prevent
and detect.

Fraud and Accountants: Underlying Problems
• Lack of Auditor Independence: Audit firms also engaged by
their clients to perform non-accounting activities.
• Lack of Director Independence: Many boards of directors are
composed of directors who are not independent.
• Questionable Executive Compensation Schemes: Stock options
as compensation result in strategies aimed at driving up stock
prices at the expense of the firm’s long-term health.
– In extreme cases financial statement misrepresentation has been
used to achieve stock prices needed to exercise options.
• Inappropriate Accounting Practices: A characteristic common to
many financial statement fraud schemes.

Fraud and Accountants
• SOX establishes a framework for oversight and regulation of
public companies. Principal reforms pertain to:
– Creation of the Public Company Accounting Oversight Board
(PCAOB) to set standards, inspect firms, conduct investigations
and take regulatory actions.
– Auditor independence: More separation between a firm’s
attestation and non-auditing activities.
– Corporate governance and responsibility: Audit committee
members must be independent and committee must hire and
oversee the external auditors.
– Issuer and management disclosure: Increased requirements.
– Fraud and criminal penalties: New penalties for destroying or
tampering with documents, securities fraud, and taking actions
against whistleblowers.

Fraud and Accountants
• Corruption involves a member of the organization in
collusion with an outsider. Four principal types:
– Bribery involves an exchange of value to influence an official in
the performance of his or her lawful duties.
– An illegal gratuity is an exchange of value because of an official
act that has been taken. Similar to a bribe, but after the fact.
– A conflict of interest occurs when an employee acts on behalf of a
third party during the discharge of his or her duties.
– Economic extortion is use or threat of force to obtain value.

• The most common fraud schemes involve some type of
asset misappropriation (almost 90%).
– Cash, checking accounts, inventory, supplies, equipment and
information are the most vulnerable to abuse.

Fraud and Accountants: Fraud Schemes
• Skimming involves stealing cash before it is recorded on an
organization’s books.
• Cash larceny involves stealing cash after it is recorded.
– Lapping is a common technique.
• Billing schemes (vendor fraud) involve paying false
vendors by submitting invoices for fictitious goods.
– A shell company fraud includes a false vendor set-up and false
purchase orders.
– A pass through fraud involves both a legitimate and false vendor
purchase (at a much higher price).
– A pay-and-return scheme involves double payment with the clerk
intercepting the vendor reimbursement check.

Fraud and Accountants: Fraud Schemes
• Check tampering involves altering legitimate checks.
• Payroll fraud is the distribution of fraudulent paychecks.
• Expense reimbursement fraud involves false or inflated
expense reimbursements.
• Thefts of cash are schemes that involve the direct theft of
cash on hand.
• Non-cash misappropriations involve the theft of noncash
assets like inventory or information.
• Computer fraud is discussed in a later chapter.

Internal Control Concepts and Techniques
• The internal control system consists of policies, practices
and procedures to achieve four broad objectives:
• Safeguard assets of the firm.
• Ensure accuracy and reliability of accounting records and
information.
• Promote efficiency of the firm’s operations.
• Measure compliance with management’s prescribed
policies and procedures.

Internal Control Concepts and Techniques
• Modifying Assumptions to the Internal Control Objectives:
• Management Responsibility
– The establishment and maintenance of a system of internal control
is the responsibility of management.
• Reasonable Assurance
– Cost of achieving objectives should not outweigh the benefits.
• Methods of Data Processing
– Control techniques vary with different types of technology.
• Limitations
– These include (1) possibility of error, (2) circumvention, (3)
management override and (4) changing conditions.

Internal Control Concepts and Techniques
• The absence or weakness of a control is an exposure:
– May result in asset destruction or theft and corruption or
disruption of the information system.
• Preventive controls are passive techniques designed to
reduce undesirable events by forcing compliance with
prescribed or desired actions.
– Preventing errors and fraud is more cost-effective than detecting
and correcting them.
• Detective controls are designed to identify undesirable
events that elude preventive controls.
• Corrective controls are actions taken to reverse the
effects of errors detected.
Internal Control Concepts and Techniques
• Public company management responsibilities are codified
in Sections 302 and 404 of SOX:
– Section 302 requires management to certify organization’s
internal controls on a quarterly and annual basis.
– Section 404 requires management to assess internal control
effectiveness.
• COSO internal control framework five components:
• The control environment sets the tone for the
organization and influences control awareness.
– SAS 109 requires auditors obtain sufficient knowledge to assess
attitudes and awareness of the management, board and owners
regarding internal controls.
– As a minimum, board should adopt the provisions of SOX.
Internal Control Concepts and Techniques
• COSO internal control framework five components:
• Organizations must perform a risk assessment to identify,
analyze and manage financial reporting risks.
• The quality of information the AIS generates impacts
management’s ability to take actions and make decisions.
– An effective system records all valid transactions and provides
timely and accurate information.
• Monitoring is the process by which the quality of internal
control design and operations can be assessed.
• Control activities are policies and procedures to ensure
appropriate actions are taken to deal with identified risks.

Internal Control Concepts and Techniques
• IT controls relate to the computer environment:
– General controls pertain to entity-wide IT concerns.
– Application controls ensure the integrity of specific systems.
• Physical controls relate to human activities:
– Transaction authorization is to ensure all material transactions
processed are valid.
– Segregation of duties controls are designed to minimize
incompatible functions including separating: (1) transaction
authorization and processing and (2) asset custody and
record-keeping. Successful fraud must require collusion.
– Supervision is a compensating control in organizations too
small for sufficient segregation of duties.

Internal Control Concepts and Techniques
• Physical controls relate to human activities:
– Accounting records consist of source documents, journals and
ledgers which capture economic essence and provide an audit trail.
– Access controls ensure that only authorized personnel have access
to firm assets.
– Independent verification procedures are checks to identify errors
and misrepresentations. Management can assess (1) individual
performance, (2) system integrity and (3) data correctness. Includes:
• Reconciling batch totals during transaction processing.
• Comparing physical assets with accounting records.
• Reconciling subsidiary accounts with control accounts.
• Reviewing management reports that summarize business activities.

Internal Control Concepts and Techniques
• IT application controls are associated with applications.
• Input controls (edits) perform tests on transactions to ensure
they are free from errors.
– Check digit is a control digit(s) that is added to the data code when
originally assigned. Allows integrity to be established during
processing and helps prevent two common errors:
• Transcription errors occur when (1) extra digits are added to a code, (2) a
digit is omitted from a code, or (3) a digit is recorded incorrectly.
• Transposition errors occur when digits are reversed.
– Missing data check identifies blank or incomplete input fields.
– Numeric-alphabetic check identifies data in the wrong form.
– Limit checks identify fields that exceed authorized limits.
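
The check-digit edit described above, as an added example that is not from the original slides. The slide names no algorithm, so a weighted modulus-11 scheme is assumed here; the function names, the 5-digit code length and the sample codes are constructed for illustration.

```python
MODULUS = 11
BASE_LEN = 5  # digits in the code before the check digit (assumed length)


def check_digit(base):
    """Return the modulus-11 check character for a numeric base code."""
    if len(base) != BASE_LEN or not base.isdigit():
        raise ValueError("base code must be exactly %d digits" % BASE_LEN)
    # Weights 2, 3, 4, ... run from the rightmost digit to the left, so
    # swapping two neighbouring digits changes the weighted sum.
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    value = (MODULUS - total % MODULUS) % MODULUS
    return "X" if value == 10 else str(value)


def validate(code):
    """Input edit: return 'ok' or the reason the code is rejected."""
    if len(code) != BASE_LEN + 1:
        return "length"        # transcription error: extra or omitted digit
    base, supplied = code[:-1], code[-1]
    if not base.isdigit():
        return "non-numeric"
    if check_digit(base) != supplied:
        return "check digit"   # substituted digit or transposed pair
    return "ok"


def undetected_errors(code):
    """Corrupt a valid code with every single-digit substitution and every
    adjacent transposition; return the corrupted codes that still validate."""
    missed = []
    for i in range(len(code)):
        for d in "0123456789":
            if d != code[i]:
                bad = code[:i] + d + code[i + 1:]
                if validate(bad) == "ok":
                    missed.append(bad)
    for i in range(len(code) - 1):
        if code[i] != code[i + 1]:
            bad = code[:i] + code[i + 1] + code[i] + code[i + 2:]
            if validate(bad) == "ok":
                missed.append(bad)
    return missed


if __name__ == "__main__":
    good = "53724" + check_digit("53724")   # constructed sample code
    print(good, validate(good))
    print("transposed 7 and 2:", validate("532741"))
    print("extra digit:", validate("5372411"))
    print("undetected corruptions:", undetected_errors(good))
```

The extra-digit and omitted-digit cases are caught by the fixed field length rather than by the check digit itself, which is why the two edits are applied together.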

Internal Control Concepts and Techniques
• Input controls (cont’d):
– Range checks verify that all amounts fall within an acceptable range.
– Reasonableness checks verify that amounts that have passed limit
and range checks are reasonable.
– Validity checks compare actual fields against acceptable values.
• Processing controls are programmed procedures to ensure an
application’s logic is functioning properly.
– Batch controls manage the flow of high volume transactions and
reconcile system output with original input.
– Run-to-run controls monitor the batch from one process to another.
• A hash total is the summation of a nonfinancial field to keep track of records.
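
A batch control record with a run-to-run reconciliation, as an added example that is not from the original slides. The `Txn` and `BatchControl` types, the run names and the sample transactions are constructed; the hash total is taken over the account number, a nonfinancial field.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    account_no: int
    amount: Decimal


@dataclass(frozen=True)
class BatchControl:
    record_count: int
    control_total: Decimal  # sum of the financial field
    hash_total: int         # sum of a nonfinancial field (account numbers)


def build_control(batch):
    """Compute the control figures when the batch is first assembled."""
    return BatchControl(
        record_count=len(batch),
        control_total=sum((t.amount for t in batch), Decimal("0")),
        hash_total=sum(t.account_no for t in batch),
    )


def reconcile(expected, batch):
    """Return the names of the control figures that no longer match."""
    actual = build_control(batch)
    return [name for name in ("record_count", "control_total", "hash_total")
            if getattr(actual, name) != getattr(expected, name)]


def first_failed_run(expected, runs):
    """Run-to-run control: check the batch after each run, in order, and
    return (run name, mismatched figures) for the first failure, or None."""
    for name, output in runs:
        mismatches = reconcile(expected, output)
        if mismatches:
            return name, mismatches
    return None


# Constructed sample batch.
BATCH = [
    Txn(10432, Decimal("250.00")),
    Txn(20871, Decimal("1200.00")),
    Txn(30115, Decimal("99.50")),
    Txn(40990, Decimal("300.50")),
]
CONTROL = build_control(BATCH)

# Constructed run outputs: the sort run only reorders records; the update
# run posts one transaction to a different account with the same amount.
SORTED = sorted(BATCH, key=lambda t: t.account_no, reverse=True)
MISPOSTED = [Txn(30511, t.amount) if t.account_no == 30115 else t for t in BATCH]
RUNS = [("edit run", BATCH), ("sort run", SORTED), ("update run", MISPOSTED)]

if __name__ == "__main__":
    print(CONTROL)
    print(first_failed_run(CONTROL, RUNS))
    print("dropped record:", reconcile(CONTROL, BATCH[:-1]))
```

The misposted record keeps the record count and the control total intact, so only the hash total exposes it. A hash total is an arithmetic sum, not a cryptographic hash: two offsetting changes leave it unchanged.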

Internal Control Concepts and Techniques
• Audit trail controls ensure every transaction can be traced
through each stage of processing from source to financial
statements.
– Every transaction the system processes, including automatic ones,
should be recorded on a transaction log.
• Master file backup controls may be viewed as either a general
control or an application control.
– GFS (grandfather-father-son) backup is used with systems that use
sequential master files.
– The destructive update approach leaves no backup copy and
requires a special recovery program if data is destroyed or corrupted.
– Real-time systems schedule backups at specified daily intervals.

Internal Control Concepts and Techniques
• Output controls are procedures to ensure output is not lost,
misdirected or corrupted and that privacy is not violated.
– Can cause disruption, financial loss and litigation.
• Controlling hard-copy output:
– Output data can become backlogged (spooling) requiring an
intermediate output file in the printing process.
• Proper access and backup procedures must be in place to protect these files.
– Print program controls should be designed to prevent unauthorized
copies and employee browsing of sensitive data.
– Sensitive computer waste should be shredded for protection.
– Report distribution must be controlled. End users should examine
reports for correctness, report errors and maintain report security.
