Chapter 3: Ethics, Fraud, and Internal Control
COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license.

Objectives for Chapter 3
- Broad issues pertaining to business ethics
- Ethical issues related to the use of information technology
- Distinguish between management fraud and employee fraud
- Common types of fraud schemes
- Key features of the SAS 78 / COSO internal control framework
- Objects and application of physical controls

Business Ethics
Why should we be concerned about ethics in the business world?
- Ethics are needed when conflicts arise
- In business, conflicts may arise between:
  - employees
  - management
  - stakeholders
- Litigation

Business Ethics
Business ethics involves finding the answers to two questions:
- How do managers decide on what is right in conducting their business?
- Once managers have recognized what is right, how do they achieve it?

Four Main Areas of Business Ethics
(figure only)

Computer Ethics
Computer ethics concerns the social impact of computer technology (hardware, software, and telecommunications).
The main computer ethics issues are:
- Privacy
- Security and accuracy
- Ownership of property
- Computer misuse
- Internal control integrity

Legal Definition of Fraud
- False representation: a false statement or disclosure
- Material fact: the fact must be important enough that someone will act on it
- Intent to deceive must exist
- The misrepresentation must have resulted in justifiable reliance upon the information, which caused someone to act
- The misrepresentation must have caused injury or loss

Factors that Contribute to Fraud
(figure only)

Employee Fraud
- Usually an employee taking cash or other assets for personal gain by circumventing the company's system of internal controls

Management Fraud
- Perpetrated at management levels
- But the internal control structure usually relates to activities performed at lower levels
- Frequently involves using financial statements to create the illusion that the entity is healthier and more prosperous than it actually is
- If management is stealing assets, the theft probably is hidden in very complicated business transactions

Underlying Problems of Enron, WorldCom, Adelphia
- Lack of auditor independence:
  - auditing firms also engaged to perform non-accounting activities (consulting)
- Lack of director independence:
  - directors also served on the boards of other companies ("good ol' boy" network)
  - or had a business trading relationship
  - or had a financial relationship as stockholders
  - or received personal loans
  - or were employed by the company

Underlying Problems of Enron, WorldCom, Adelphia (cont'd)
- Executive compensation schemes:
  - short-term stock options as compensation result in short-term strategies
  - drives up stock prices at the expense of the firm's long-term health
- Inappropriate accounting practices:
  - common to many financial statement fraud schemes
  - Enron created many special purpose entities
  - WorldCom transferred transmission line costs from current expense accounts to capital accounts (boosts the balance sheet)

Sarbanes-Oxley Act of 2002
- Created the Public Company Accounting Oversight Board (PCAOB)
- Requires auditor independence: more separation between a firm's attestation (auditing) and non-auditing activities
- Corporate governance: audit committee members must be independent and must oversee the external auditors
- Disclosure requirements: increased auditor and management disclosures
- New federal crimes for destruction of or tampering with documents, securities fraud, and actions against whistleblowers

Association of Certified Fraud Examiners' 2006 Occupational Fraud & Abuse Survey

Scheme Type               2006* % Cases   2006 Median loss   1996 % Cases   1996 Median loss
Asset Misappropriations   91.5%           $150,000           81.1%          $65,000
Corruption Schemes        30.8%           $538,000           14.8%          $440,000
Fraudulent Statements     10.6%           $2,000,000          4.1%          $4,000,000
* Percentages exceed 100% because some cases were reported in more than one category.

Fraud Schemes
Three categories of fraud schemes according to the Association of Certified Fraud Examiners:
A. Fraudulent statements
B. Corruption
C. Asset misappropriation

A. Fraudulent Statements
- Usually management fraud
- Misstating financial statements to make the company appear better than it is
- Often tied to short-term financial measures for success
- Or management bonus packages are tied to the financial statements

B. Corruption
- Examples:
  - Bribery
  - Illegal gratuities
  - Conflicts of interest
  - Economic extortion
- Foreign Corrupt Practices Act of 1977:
  - requires accurate records and internal controls (but management was not required to put it in writing)
- Sarbanes-Oxley Act of 2002:
  - management must acknowledge that it is responsible for internal controls
  - must assert to the effectiveness of those controls in the annual report to the SEC (in other words, now it must be in writing)

C. Asset Misappropriation
- Most common type of fraud
- Usually employee fraud
- Examples:
  - Making charges to expense accounts to cover theft of an asset (such as cash)
  - "Lapping": using a customer's check from one account to cover theft from a different customer's account
  - Transaction fraud: deleting, altering, or adding false transactions to steal assets

Computer Fraud
- Theft or misuse of assets by:
  - altering computer data
  - altering software programming
- Theft or misuse of computer hardware
- Theft, corruption, or destruction of software or hardware
  - includes illegal copying or sharing of software
- Theft or illegal use of computer data/information

Data Collection Fraud
- Fraud occurs as data are being entered
- Most vulnerable stage, because it is relatively easy to change data as it is entered into the system
- Also, the GIGO (garbage in, garbage out) principle reminds us: if input data are inaccurate, output will be inaccurate

Data Processing Fraud
- Program frauds:
  - altering programs to allow illegal access to and/or manipulation of data
  - destroying programs with a virus
- Operations frauds:
  - misuse of company resources, such as using the computer for personal business without permission

Database Management Fraud
- Altering, deleting, corrupting, destroying, or stealing an organization's data
- Oftentimes conducted by a disgruntled employee or an ex-employee
- This is why you don't give terminated employees 2 weeks' notice! Escort them to their desk, then the door.

Information Generation Fraud
- Stealing, misdirecting, or misusing computer output
- Scavenging: searching through trash cans for discarded output (output should be shredded, but frequently is not)

Internal Control Objectives According to AICPA SAS
1. Safeguard the assets of the firm
2. Ensure the accuracy and reliability of accounting records and information
3. Promote the efficiency of the firm's operations
4. Measure compliance with management's prescribed policies and procedures

Assumptions about Internal Control Objectives
- Management responsibility: establishment and maintenance of the internal control system is the responsibility of management (NOT the auditor)
- Reasonable assurance: the cost of achieving the objectives of internal control should not outweigh its benefits. Would you hire an armed guard 24x7 to make sure $100 of petty cash is not stolen?
- Methods of data processing: techniques for achieving internal control objectives vary depending on technology. The objectives of internal controls are the same for manual and computerized systems; the methods (techniques) are different.

Limitations of Internal Controls
- Honest errors: employees get tired, distracted, sick
- Collusion: when 2 or more employees get together to defraud the company
- Management override: a manager tells the accountant to enter a bogus transaction
- Changing conditions in the company: especially true when companies grow rapidly

Exposures (Risks) of Weak Internal Controls
- Assets may be destroyed
- Assets may be stolen
- Information may be corrupted
- The information system may be disrupted

The Internal Controls Shield
(figure only)

Preventive, Detective, and Corrective Controls
(figure; only the label "Least costly" survives)

Auditing Standards
- Auditors are guided by GAAS (Generally Accepted Auditing Standards)
- 3 classes of standards:
  - General qualification standards
  - Field work standards
  - Reporting standards
- For specific guidance, auditors use AICPA SAS (Statements on Auditing Standards)

SAS 78 / COSO
Describes the relationship between the firm's...
- internal control structure,
- auditor's assessment of risk, and
- planning of audit procedures
How do these three interrelate? The weaker the internal control structure, the higher the assessed level of risk; the higher the risk, the more auditor testing procedures are applied in the audit.

Five Internal Control Components of SAS 78
1. Control environment
2. Risk assessment
3. Information & communication
4. Monitoring
5. Control activities

1: Control Environment
- integrity and ethics of management
- management's policies and philosophy
- organizational structure
- delegation of responsibility and authority
- role of the board of directors and the audit committee
- performance evaluation measures
- external influences (ex: regulatory agencies)

2: Risk Assessment
- identify, analyze, and manage risks relevant to financial reporting
- Examples:
  - changes in the external environment
  - foreign markets, which carry more risk than domestic markets
  - rapid growth that strains internal controls
  - new product lines
  - restructuring/downsizing
  - changes in accounting policies

3: Information and Communication
- The system (CBIS) should produce quality information that:
  - identifies and records all valid transactions
  - provides timely information in appropriate detail for proper classification and financial reporting
  - accurately measures the financial value of transactions, and
  - records transactions in the time period in which they occurred
- Inventory arrives on 12/31/07. Is it recorded in 2007 or 2008?

4: Monitoring
The process for assessing the quality of internal control design and operation
- separate procedures: tests of controls by internal auditors
- ongoing monitoring:
  - computer modules integrated into routine operations
  - management reports that show trends
  - reports with exceptions from normal performance, sometimes called "exception reports"

5: Control Activities
- Policies and procedures to ensure that appropriate actions are taken in response to identified risks
- Fall into two distinct categories:
  - IT controls: relate specifically to the computer environment
  - Physical controls: primarily pertain to human activities

Two Types of IT Controls
- General controls: pertain to the entity-wide computer environment
  - Examples: controls over the data center, organization databases, systems development, and program maintenance
- Application controls: ensure the integrity of specific systems
  - Examples: controls over sales order processing, accounts payable, and payroll applications

Six Types of Physical Controls
- Access Control
- Accounting Records
- Authorization of Transactions
- Independent Verification
- Segregation of Duties
- Supervision
Memorize these!

Physical Controls (continued)
- Access controls: help to safeguard assets by restricting physical access to them
- Accounting records: provide an audit trail

Physical Controls (continued)
- Authorization: used to ensure that employees are carrying out only authorized transactions
- Authorizations may be general (everyday procedures) or specific (non-routine transactions). Example: a clerk may have general authorization to accept low-value returns from customers; if the return is over a certain dollar amount, the clerk asks a supervisor to approve it (specific).

Physical Controls: Independent Verification
- reviewing batch totals
- reconciling subsidiary ledgers with control accounts
- Example: compare the A/P subsidiary ledger total with the A/P control account in the general ledger.
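As an added illustration of the two independent-verification checks just listed (batch totals, and the subsidiary ledger reconciled to its control account), the following Python script is not part of the original slides. The A/P balances, the invoice batch and the batch control totals are constructed sample values, and using a hash total over invoice numbers as one of the batch controls is an assumption of the example, not something the slide specifies. The output of both checks is folded into the kind of exception report the Monitoring slide describes.

```python
"""Independent verification checks (added example, not from the slides).

Two checks: batch totals recomputed against control totals prepared
before keying, and the A/P subsidiary ledger reconciled to the A/P
control account. All figures below are constructed sample data.
"""
from decimal import Decimal

# Constructed A/P subsidiary ledger: one open balance per vendor.
AP_SUBSIDIARY = {
    "V001": Decimal("1250.00"),
    "V002": Decimal("800.50"),
    "V003": Decimal("3200.00"),
}

# Constructed general-ledger balance of the A/P control account
# (equals the subsidiary total, 5250.50, so the books are in balance).
AP_CONTROL_BALANCE = Decimal("5250.50")


def reconcile_control_account(subsidiary, control_balance):
    """Return (difference, in_balance). A non-zero difference is an exception."""
    subsidiary_total = sum(subsidiary.values(), Decimal("0"))
    difference = subsidiary_total - control_balance
    return difference, difference == 0


# Constructed batch of invoices as keyed in by a clerk, plus the batch
# control totals prepared independently before keying started.
BATCH = [
    {"invoice": 1001, "vendor": "V001", "amount": Decimal("100.00")},
    {"invoice": 1002, "vendor": "V002", "amount": Decimal("250.00")},
    {"invoice": 1003, "vendor": "V003", "amount": Decimal("75.25")},
]
BATCH_CONTROL = {
    "record_count": 3,
    "amount_total": Decimal("425.25"),
    # Hash total over the invoice numbers (assumed control; has no
    # accounting meaning, it only detects a dropped or altered record).
    "hash_total": 1001 + 1002 + 1003,
}


def check_batch_totals(batch, control):
    """Recompute the batch totals and return a list of exceptions (empty means ok)."""
    exceptions = []
    record_count = len(batch)
    amount_total = sum(t["amount"] for t in batch)
    hash_total = sum(t["invoice"] for t in batch)
    if record_count != control["record_count"]:
        exceptions.append(f"record count {record_count} != control {control['record_count']}")
    if amount_total != control["amount_total"]:
        exceptions.append(f"amount total {amount_total} != control {control['amount_total']}")
    if hash_total != control["hash_total"]:
        exceptions.append(f"hash total {hash_total} != control {control['hash_total']}")
    return exceptions


def exception_report(subsidiary, control_balance, batch, batch_control):
    """Run both checks and return the exception lines (an 'exception report')."""
    lines = []
    difference, in_balance = reconcile_control_account(subsidiary, control_balance)
    if not in_balance:
        lines.append(f"A/P control account out of balance by {difference}")
    lines.extend(check_batch_totals(batch, batch_control))
    return lines


if __name__ == "__main__":
    # Balanced books and a correctly keyed batch: no exceptions.
    print(exception_report(AP_SUBSIDIARY, AP_CONTROL_BALANCE, BATCH, BATCH_CONTROL))
    # A transposed amount on one invoice shows up as an amount-total exception.
    bad_batch = [dict(t) for t in BATCH]
    bad_batch[2]["amount"] = Decimal("57.25")
    print(exception_report(AP_SUBSIDIARY, AP_CONTROL_BALANCE, bad_batch, BATCH_CONTROL))
```

Note that a transposed amount is caught only by the amount total, while a dropped record trips all three controls; that is why a batch normally carries more than one kind of total.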
Physical Controls: Segregation of Duties
- In a manual system, separation is between:
  - authorizing and processing a transaction
  - custody and recordkeeping of the asset
- In a computerized system, segregation should exist between:
  - program coding
  - program processing
  - program maintenance

Physical Controls: Supervision
- compensation for a lack of segregation of duties, such as in a small company that cannot hire many employees
- sometimes called a "compensating control"

Internal Controls in Computer-based Information Systems (CBIS)
- Access
- Accounting Records
- Authorization of Transactions
- Independent Verification
- Segregation of Duties
- Supervision

Internal Controls in CBISs: Access
- data consolidation exposes the organization to computer fraud and excessive losses from disaster
- if someone does access the data, s/he might get to all of it (figure label: "All data in here")

Internal Controls in CBISs: Accounting Records
- transaction and master files (and some source documents) are kept magnetically; the audit trail still exists, but must be read by computer rather than by humans

Internal Controls in CBISs: Authorization
- rules for transaction authorization are frequently embedded in computer programs
- Electronic Data Interchange (EDI) with Just-in-Time Inventory (JIT): automated re-ordering of inventory without human intervention

Internal Controls in CBISs: Independent Verification
- many of these tasks are performed by computer rather than manually, so an independent check on the tasks performed by the computer is not necessary (however, the computer programs themselves should be checked)

Internal Controls in CBISs: Segregation of Duties
- the computer program performs many tasks considered incompatible in manual systems
- therefore, program development, program operations, and program maintenance must be separated in internally developed systems
- Not as important in commercial software. Why?
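The segregation-of-duties rules above (authorize vs. process and custody vs. recordkeeping in a manual system; development vs. operations vs. maintenance in a computerized one) can be checked mechanically against an access-control list. The Python script below is an added example and not from the slides; the role definitions and the user-to-role assignments are constructed, and the idea of deriving each user's duties from the union of their roles is the example's own assumption. It also ties in the Supervision slide by listing the users whose conflicts would have to be covered by a compensating control if the roles cannot be split.

```python
"""Segregation-of-duties conflict check (added example, not from the slides).

Duty names follow the slides. Roles grant duties; a user holding several
roles accumulates all of their duties, and the check flags any user whose
accumulated duties include an incompatible pair. Roles and users are
constructed sample data.
"""
from itertools import combinations

# Pairs of duties that one person must not hold at the same time.
INCOMPATIBLE_PAIRS = {
    # computerized system: separate coding, processing and maintenance
    frozenset({"program_development", "program_operations"}),
    frozenset({"program_development", "program_maintenance"}),
    frozenset({"program_operations", "program_maintenance"}),
    # manual system: separate authorization from processing,
    # and custody of an asset from its recordkeeping
    frozenset({"authorize_transaction", "process_transaction"}),
    frozenset({"asset_custody", "asset_recordkeeping"}),
}

# Constructed role definitions: which duties each role grants.
ROLES = {
    "developer": {"program_development"},
    "operator": {"program_operations"},
    "maintainer": {"program_maintenance"},
    "ap_clerk": {"process_transaction", "asset_recordkeeping"},
    "ap_supervisor": {"authorize_transaction"},
    "cashier": {"asset_custody"},
}

# Constructed user-to-role assignments (what an access-control export might show).
USER_ROLES = {
    "alice": ["developer"],
    "bob": ["operator"],
    "carol": ["developer", "maintainer"],      # codes and maintains the same programs
    "dave": ["ap_supervisor"],
    "erin": ["ap_clerk", "cashier"],           # keeps the records and holds the cash
    "frank": ["ap_clerk", "ap_supervisor"],    # approves and processes the same transactions
}


def duties_for(user, user_roles, roles):
    """Union of the duties granted by all of a user's roles."""
    return set().union(*(roles[r] for r in user_roles.get(user, [])))


def find_sod_conflicts(user_roles, roles=ROLES, incompatible=INCOMPATIBLE_PAIRS):
    """Return {user: [(duty_a, duty_b), ...]} for every user holding an incompatible pair."""
    conflicts = {}
    for user in user_roles:
        hits = [
            (a, b)
            for a, b in combinations(sorted(duties_for(user, user_roles, roles)), 2)
            if frozenset({a, b}) in incompatible
        ]
        if hits:
            conflicts[user] = hits
    return conflicts


def compensating_control_needed(user_roles, roles=ROLES, incompatible=INCOMPATIBLE_PAIRS):
    """Users whose conflicts cannot be removed by re-assigning roles must be
    covered by supervision instead (the slides' "compensating control")."""
    return sorted(find_sod_conflicts(user_roles, roles, incompatible))


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(USER_ROLES).items():
        for a, b in pairs:
            print(f"SoD conflict: {user} holds both {a} and {b}")
    print("needs supervision:", compensating_control_needed(USER_ROLES))
```

Because the check works on the accumulated duties rather than on role names, it also catches conflicts that only appear when two individually harmless roles are combined, which is the usual way segregation of duties erodes in a growing company.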
Internal Controls in CBISs: Supervision
- the ability to assess competent employees becomes more challenging due to the greater technical knowledge required
- a "compensating control"