Chapter 3 Ethics Fraud and Internal Control 2
the CEO, CFO and controller. If a company does not have a code, it must explain why.

Section 406—Code of Ethics for Senior Financial Officers
• CONFLICTS OF INTEREST - Procedures for dealing with conflicts of interest (not necessarily preventing them; provide training).
• FULL AND FAIR DISCLOSURES - To ensure candid, open, truthful disclosures (not complex and misleading accounting techniques).
• LEGAL COMPLIANCE - Requiring employees to follow applicable laws, rules and regulations.
• INTERNAL REPORTING OF CODE VIOLATIONS - A mechanism to permit prompt internal reporting of ethical violations (whistle blowers).
• ACCOUNTABILITY - Taking appropriate actions when code violations occur (audit committee in charge).

Fraud and Accountants
• The passage of SOX has had a tremendous impact on the external auditor’s responsibilities for fraud detection during a financial audit.
• The Statement on Auditing Standards (SAS) No. 99 is the current authoritative document that defines fraud as an intentional act that results in a material misstatement in financial statements.
• The objective of SAS 99 is to seamlessly blend the auditor’s consideration of fraud into all phases of the audit process.

• Employee fraud is performance fraud by a non-management employee, generally designed to directly convert cash or other assets to the employee’s personal benefit.
• Management fraud is performance fraud that often uses deceptive practices to inflate earnings or to forestall the recognition of either insolvency or a decline in earnings. It does not involve direct theft and is more harmful as it usually involves material misstatements of financial data.
o Perpetrated at levels of management above internal control structures.
o Frequently involves exaggerated financial statement results.
o Misappropriation of assets is often shrouded in complex transactions involving related third parties.

THE FRAUD TRIANGLE
• The fraud triangle is a triad of factors associated with management and employee fraud:
o situational pressure (includes personal or job-related stresses that could coerce an individual to act dishonestly);
o opportunity (involves direct access to assets and/or access to information that controls assets); and
o ethics (pertains to one’s character and degree of moral opposition to acts of dishonesty).
DEFINITIONS OF FRAUD
• Fraud is the false representation of a material
fact made by one party to another party, with the
intent to deceive and induce the other party to
justifiably rely on the material fact to his or her
detriment.
• Act must meet five conditions:
o False representation: false statement
or disclosure.
o Material fact: fact must be substantial
factor in inducing someone to act.
o Intent to deceive: must exist or
knowledge that statement is false.
o Justifiable reliance:
misrepresentation must have been a
substantial factor relied on.
o Injury or loss: must have been
sustained by the victim.
• Fraud in business has a more specialized meaning:
o Intentional deception, asset misappropriation or financial data manipulation to the advantage of the perpetrator.
o White collar crime, defalcation, embezzlement and irregularities.

FINANCIAL LOSSES FROM FRAUD
• A recent study suggests fraud losses equal 5% of revenue.
• The actual cost of fraud is, however, difficult to quantify for a number of reasons:
o Not all fraud is detected.
o Of that detected, not all is reported.
o In many fraud cases, incomplete information is gathered.
• Lack of Director Independence: Many boards of directors are composed of directors who are not independent.
• Questionable Executive Compensation Schemes: Stock options as compensation result in strategies aimed at driving up stock prices at the expense of the firm’s long-term health.
o In extreme cases financial statement misrepresentation has been used to achieve the stock prices needed to exercise options.
• Inappropriate Accounting Practices: A common characteristic of many financial statement fraud schemes.
• SOX establishes a framework for oversight and regulation of public companies. Principal reforms pertain to:
o Creation of the Public Company Accounting Oversight Board (PCAOB) to set standards, inspect firms, conduct investigations and take regulatory actions.
o Auditor independence: More separation between a firm’s attestation and non-auditing activities.
o Corporate governance and responsibility: Audit committee members must be independent and the committee must hire and oversee the external auditors.
o Issuer and management disclosure: Increased requirements.
o Fraud and criminal penalties: New penalties for destroying or tampering with documents, securities fraud, and taking actions against whistleblowers.

Corruption
• Corruption involves an executive, a manager, or an employee of the organization in collusion with an outsider.
• Bribery involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties.
• An illegal gratuity involves giving, receiving, offering, or soliciting something of value because of an official act that has been taken. Similar to a bribe, but after the fact.
• A conflict of interest is an outline of procedures for dealing with actual or apparent conflicts of interest between personal and professional relationships.
• Economic extortion is the use (or threat) of force (including economic sanctions) by an individual or organization to obtain something of value.
o The item of value could be a financial or economic asset, information, or cooperation to obtain a favorable decision on some matter under review.

[Figure: Distribution of Losses]
• Asset Misappropriation
o The most common fraud schemes involve some type of asset misappropriation (almost 90% according to the ACFE study).
• Skimming involves skimming cash from an organization before it is recorded on the organization’s books and records.
o Another example is mail room fraud, in which an employee opening the mail steals a customer’s check and destroys the associated remittance advice.
• Cash larceny is theft of cash receipts from an organization after those receipts have been recorded in the organization’s books and records.
o Lapping is the use of customer checks, received in payment of their accounts, to conceal cash previously stolen by an employee.
• Billing schemes, also known as vendor fraud, are schemes under which an employee causes the employer to issue a payment to a false supplier or vendor by submitting invoices for fictitious goods/services, inflated invoices, or invoices for personal purchases.
o A shell company fraud is establishing a false vendor on the company’s books, and then making false purchase orders, receiving reports, and invoices in the name of the vendor and submitting them to the accounting system, creating the illusion of a legitimate transaction. The system ultimately issues a check to the false vendor.
o A pass-through fraud is similar to shell company fraud except that a transaction actually takes place. The perpetrator creates a false vendor and issues purchase orders to it for inventory or supplies. The false vendor purchases the needed inventory from a legitimate vendor, charges the victim company a much higher than market price for the items, and pockets the difference.
o A pay-and-return is a scheme under which a clerk with check writing authority pays a vendor twice for the same products (inventory or supplies) received and then intercepts and cashes the overpayment returned by the vendor.
• Check tampering involves forging, or changing in some material way, a check that was written to a legitimate payee.
• Payroll fraud is the distribution of fraudulent paychecks to existent and/or nonexistent employees.
• Expense reimbursement fraud involves claiming reimbursement of fictitious or inflated business expenses.
• Theft of cash is the direct theft of cash on hand in the organization.
• Statement on Auditing Standards (SAS) No. 109 is the current authoritative document for specifying internal control objectives and techniques. It is based on the COSO framework.
• SOX and Internal Control:
o Public company management responsibilities are codified in Sections 302 and 404 of SOX:
o Section 302 requires management to certify the organization’s internal controls on a quarterly and annual basis.
o Section 404 requires management to assess internal control effectiveness.
o The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

COSO internal control framework five components:
• The Control Environment
o The control environment is the foundation of internal control.
o It sets the tone for the organization and influences control awareness.
o SAS 109 requires auditors to obtain sufficient knowledge to assess the attitudes and awareness of the management, board and owners regarding internal controls.
o As a minimum, the board should adopt the provisions of SOX.
• Risk Assessment
o Risk assessment is the identification, analysis, and management of risks relevant to financial reporting.
• Information and Communication
o The quality of information the AIS generates impacts management’s ability to take actions and make decisions.
o An effective accounting information system records all valid transactions and provides timely and accurate information.
• Monitoring
o Monitoring is the process by which the quality of internal control design and operation can be assessed.
o This can be done through separate procedures (e.g. internal audits) or ongoing activities (e.g. computer modules, management reports).
• Control Activities
o Control activities are the policies and procedures to ensure that appropriate actions are taken to deal with the organization’s risks.
o IT CONTROLS: General controls are controls that pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance. Application controls are controls that ensure the integrity of specific systems.
o PHYSICAL CONTROLS relate to human activities.
o Transaction authorization is a procedure to ensure that employees process only valid transactions within the scope of their authority.
o Segregation of duties is the separation of employee duties to minimize incompatible functions. These include separating: (1) transaction authorization and processing, (2) asset custody and record-keeping, (3) tasks so that successful fraud must require collusion.
o Supervision is a control activity involving the critical oversight of employees. It is a compensating control in organizations too small for sufficient segregation of duties.
o The accounting records of an organization consist of documents, journals, or ledgers used in transaction cycles. These capture economic essence and provide an audit trail.
o Access controls are controls that ensure that only authorized personnel have access to the firm’s assets.
[Figure: Segregation of Duties Objectives]
o Verification procedures are independent checks of the accounting system to identify errors and misrepresentations.
o These differ from supervision – these happen after the fact by an individual not directly involved in the transaction or task being verified. Supervision happens during the activity by a superior directly responsible for the task.
o Management can assess (1) individual performance, (2) system integrity and (3) data correctness.
o Includes:
   • Reconciling batch totals during transaction processing.
   • Comparing physical assets with accounting records.
   • Reconciling subsidiary accounts with control accounts.
   • Reviewing management reports that summarize business activities.
• Hash total is a control technique that uses nonfinancial data to keep track of the records in a batch.
[Figure: Batch Control Record]
[Figure: Run-to-Run Controls]
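One way to check a system’s access assignments against the incompatible duties listed above, as an added example that is not part of the original notes; the duty names and the sample access matrix are constructed:

```python
# Added example (not from these notes): checks a user-to-duty assignment table against
# the incompatible pairings the notes list under segregation of duties. Duty names and
# the sample assignment matrix are constructed for illustration.

# Pairs (1) and (2) from the notes: authorization vs processing, custody vs record-keeping.
INCOMPATIBLE_PAIRS = [
    ("authorize_transaction", "process_transaction"),
    ("asset_custody", "record_keeping"),
]


def find_sod_conflicts(assignments):
    """Return (user, duty_a, duty_b) for every incompatible pair held by a single user.

    assignments maps a user id to the set of duties granted to that user.
    The result is sorted by user so that reports are stable.
    """
    conflicts = []
    for user, duties in sorted(assignments.items()):
        for duty_a, duty_b in INCOMPATIBLE_PAIRS:
            if duty_a in duties and duty_b in duties:
                conflicts.append((user, duty_a, duty_b))
    return conflicts


def collusion_required(assignments):
    """Objective (3) from the notes: a successful fraud should require collusion.
    That holds only when no single user holds both halves of an incompatible pair."""
    return not find_sod_conflicts(assignments)


# Constructed sample access matrix. 'clerk2' and 'cashier' each hold an incompatible pair.
SAMPLE_ASSIGNMENTS = {
    "manager": {"authorize_transaction"},
    "clerk1": {"process_transaction"},
    "clerk2": {"authorize_transaction", "process_transaction"},
    "cashier": {"asset_custody", "record_keeping"},
    "bookkeeper": {"record_keeping"},
}

if __name__ == "__main__":
    for user, duty_a, duty_b in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"SoD conflict: {user} holds both {duty_a} and {duty_b}")
    print("fraud requires collusion:", collusion_required(SAMPLE_ASSIGNMENTS))
```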
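The batch control record and run-to-run check described above, worked in code as an added example that is not part of the original notes; the transaction layout and the sample batches are constructed:

```python
# Added example (not from these notes): a batch control record holding a record count,
# a financial control total and a hash total, plus a run-to-run check that recomputes
# the totals after each processing step. Record layout and sample batches are constructed.


def batch_control_record(batch):
    """Compute control totals for a batch of (account_no, amount) records.

    record_count    - number of records in the batch
    financial_total - sum of the amounts (a meaningful money figure)
    hash_total      - sum of the account numbers: a nonfinancial field whose sum has no
                      business meaning and exists only to detect lost, added or altered records
    """
    return {
        "record_count": len(batch),
        "financial_total": round(sum(amount for _, amount in batch), 2),
        "hash_total": sum(account for account, _ in batch),
    }


def run_to_run_check(control_record, batch_after_run):
    """Recompute the totals after a run and return the names of totals that no longer match."""
    actual = batch_control_record(batch_after_run)
    return [name for name, expected in control_record.items() if actual[name] != expected]


# Constructed input batch of cash receipts: (customer account number, amount).
INPUT_BATCH = [(10234, 150.00), (10911, 42.50), (11007, 300.00), (10234, 75.25)]
CONTROL = batch_control_record(INPUT_BATCH)

# Run 1: the same records re-read from the transaction file, so every total matches.
RUN1_OUTPUT = list(INPUT_BATCH)

# Run 2: one record dropped and another amount altered so the money still balances;
# the financial total alone would pass, the record count and hash total do not.
RUN2_OUTPUT = [(10234, 150.00), (10911, 42.50), (11007, 375.25)]

# Run 3: an account number altered on one record with the amount unchanged;
# only the hash total catches it.
RUN3_OUTPUT = [(10234, 150.00), (10911, 42.50), (11007, 300.00), (10243, 75.25)]

if __name__ == "__main__":
    print("control record:", CONTROL)
    for label, output in (("run 1", RUN1_OUTPUT), ("run 2", RUN2_OUTPUT), ("run 3", RUN3_OUTPUT)):
        print(label, "mismatched totals:", run_to_run_check(CONTROL, output) or "none")
```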
IT APPLICATION CONTROLS
• are associated with applications.

BACKUP PROCESS IN BATCH SYSTEM USING DIRECT ACCESS FILES
• Each record in a direct access file is assigned a unique disk location or address that is determined by its primary key value.
• The destructive update approach leaves no backup copy of the original master file. It requires a special recovery program if data is destroyed or corrupted.
[Figure: Destructive Update Approach]

Output controls are procedures to ensure output is not lost, misdirected or corrupted and that privacy is not violated.
• Lost, misdirected or corrupted output can cause disruption, financial loss and litigation.

Controlling Hard-Copy Output
• OUTPUT SPOOLING: Spooling is directing an application’s output to a magnetic disk file rather than to the printer directly, because output data in output devices can become backlogged (bottleneck). Proper access and backup procedures must be in place to protect these output (spool) files.
• PRINT PROGRAM CONTROLS should be designed to prevent unauthorized copies and employee browsing of sensitive data.
• SENSITIVE COMPUTER WASTE should be shredded for protection.
• REPORT DISTRIBUTION must be controlled.
• END-USER should examine reports for correctness, report errors and maintain report security.