Page | 1

CHAPTER 3

Ethics, Fraud and Internal Control

Learning Outcomes:

After studying the chapter, you should:

 Understand the broad issues pertaining to business issues.

 Have a basic understanding of ethical issues related to the use of information
technology
 Be able to distinguish between management fraud and employee fraud
 Be familiar with the key features of SAS 78/COSO internal control framework
 Understand the objectives and application of physical controls

Ethical Standards
Ethical standards are derived from societal mores and deep-rooted
personal beliefs about issues of right and wrong that are not universally
agreed upon.

Business Ethics
Ethics pertains to the principles of conduct that individuals use in
making choices and guiding their behavior in situations that involve the
concepts of right and wrong.
Why should we be concerned about ethics in the business
world?
 Ethics are needed when conflicts arise—the need to choose
 In business, conflicts may arise between:

 employees
 management
 stakeholders

Page | 2
  Litigation
Business ethics involves finding the answers to two questions:

 How do managers decide on what is right in conducting their

business?

 Once managers have recognized what is right, how do they

achieve it?

Four Main Areas of Business Ethics

PROPORTIONALITY. The benefit from a decision must outweigh the risks.

Furthermore, there must be no alternative decision that provides the
same or greater benefit with less risk.

Page | 3
 • Justice. The benefits of the decision should be distributed
fairly to those who share the risks. Those who do not benefit should
not carry the burden of risk.
• Minimize risk. Even if judged acceptable by the principles,
the decision should be implemented so as to minimize all of the
risks and avoid any unnecessary risks.

• Computer Ethics. The analysis of the nature and social impact

of computer technology and the corresponding formulation and
justification of policies for the ethical use of such technology.…
[This includes] concerns about software as well as hardware and
concerns about networks connecting computers as well as
computers themselves.’’ concerns the social impact of computer
technology (hardware, software, and telecommunications).

• Three levels of computer ethics: pop, para, and theoretical.

• Pop computer ethics is simply the exposure to stories and

reports found in the popular media regarding the good or bad
ramifications of computer technology.

• Para computer ethics involves taking a real interest in

computer ethics cases and acquiring some level of skill and
knowledge in the field.

• The third level, theoretical computer ethics, is of interest to

multidisciplinary researchers who apply the theories of philosophy,
sociology, and psychology to computer science with the goal of
bringing some new understanding to the field.
What are the main computer ethics issues?

Page | 4
• Privacy - The creation and maintenance of huge, shared
databases make it necessary to protect people from the potential
misuse of data.

• Security—accuracy and confidentiality - Computer security is

an attempt to avoid such undesirable events as a loss of
confidentiality or data integrity. Security systems attempt to
prevent fraud and other misuse of computer systems; they act to
protect and further the legitimate interests of the system’s
constituencies.

• Ownership of property - Laws designed to preserve real

property rights have been extended to cover what is referred to as
intellectual property, that is, software.

• Equity in access
• Environmental issues
• Artificial intelligence

• Unemployment and displacement - Many jobs have been

and are being changed as a result of the availability of computer
technology. People unable or unprepared to change are displaced.

• Misuse of computer Legal Definition of Fraud

 False representation - false statement or disclosure

 Material fact - a fact must be substantial in inducing

someone to act
 Intent to deceive must exist

 The misrepresentation must have resulted in justifiable

reliance upon information, which caused someone to act

 The misrepresentation must have caused injury or loss

Page | 5
Enron, WorldCom, Adelphia - Underlying Problems
Lack of Auditor Independence: auditing firms also engaged by their clients
to perform non accounting activities
Lack of Director Independence: directors who also serve on the boards of
other companies, have a business trading relationship, have a financial
relationship as stockholders or have received personal loans, or have an
operational relationship as employees
Questionable Executive Compensation Schemes: short-term stock options
as compensation result in short-term strategies aimed at driving up stock
prices at the expense of the firm’s long-term health
Inappropriate Accounting Practices: a characteristic common to many
financial statement fraud schemes

Page | 6
 • Enron made elaborate use of special purpose entities.

• WorldCom transferred transmission line costs from current

expense accounts to capital accounts.
Sarbanes-Oxley Act of 2002 - Its principal reforms pertain to:

 Creation of the Public Company Accounting Oversight Board

(PCAOB)

 Auditor independence—more separation between a firm’s

attestation and non-auditing activities

 Corporate governance and responsibility—audit committee

members must be independent and the audit committee must
oversee the external auditors
 Disclosure requirements—increase issuer and management
disclosure
 New federal crimes for the destruction of or tampering with
documents, securities fraud, and actions against whistleblowers

Employee Fraud
 Committed by non-management personnel
 Usually consists of: an employee taking cash or other assets
for personal gain by circumventing a company’s system of internal
controls

Management Fraud

 Perpetrated at levels of management above the one to which

internal control structure relates

Page | 7
  Frequently involves using financial statements to create an
illusion that an entity is healthier and prosperous than it actually is

 Involves misappropriation of assets, it frequently is shrouded

in a maze of complex business transactions
Fraud Schemes
Three categories of fraud schemes according to the Association of
Certified Fraud Examiners:
A. fraudulent statements - are associated with management
fraud.
B. corruption - involves an executive, manager, or employee of
the organization in collusion with an outsider.
C. asset misappropriation - The most common fraud schemes
involve some form of asset misappropriation in which assets are
either directly or indirectly diverted to the perpetrator’s benefit.
A. Fraudulent Statements

 Misstating the financial statements to make the copy appear

better than it is
 Usually occurs as management fraud

 May be tied to focus on short-term financial measures for

success

 May also be related to management bonus packages being

tied to financial statements
B. Corruption

• BRIBERY. Bribery involves giving, offering, soliciting, or

receiving things of value to influence an official in the performance
of his or her lawful duties

Page | 8
 • ILLEGAL GRATUITIES. An illegal gratuity involves giving,
receiving, offering, or soliciting something of value because of an
official act that has been taken. This is similar to a bribe, but the
transaction occurs after the fact

• CONFLICTS OF INTEREST. Every employer should expect that

his or her employees will conduct their duties in a way that serves
the interests of the employer. A conflict of interest occurs when an
employee acts on behalf of a third party during the discharge of his
or her duties or has selfinterest in the activity being performed

• ECONOMIC EXTORTION. Economic extortion is the use (or

threat) of force (including economic sanctions) by an individual or
organization to obtain something of value. The item of value could
be a financial or economic asset, information, or cooperation to
obtain a favorable decision on some matter under review.

 Foreign Corrupt Practice Act of 1977:

 indicative of corruption in business world

 impacted accounting by requiring accurate

records and internal controls
C. Asset Misappropriation
 Skimming involves stealing cash from an organization before
it is recorded on the organization’s books and records.

 Cash larceny involves schemes in which cash receipts are

stolen from an organization after they have been recorded in the
organization’s books and records. An example of this is lapping, in

Page | 9
 which the cash receipts clerk first steals and cashes a check from
Customer A.
 Check tampering involves forging or changing in some
material way a check that the organization has written to a
legitimate payee.

 Payroll fraud is the distribution of fraudulent paychecks to

existent and/or nonexistent employees. Most common type of
fraud and often occurs as employee fraud  Examples:
 making charges to expense accounts to cover theft of asset
(especially cash)
 lapping: using customer’s check from one account to cover
theft from a different account
 transaction fraud: deleting, altering, or adding false
transactions to steal assets
Internal Control Objectives According to AICPA SAS
1. Safeguard assets of the firm

2. Ensure accuracy and reliability of accounting records and

information
3. Promote efficiency of the firm’s operations

4. Measure compliance with management’s prescribed policies

and procedures
Modifying Assumptions to the Internal Control Objectives

 Management Responsibility
The establishment and maintenance of a system of internal control is
the responsibility of management.

 Reasonable Assurance

Page | 10
 The cost of achieving the objectives of internal control should not
outweigh its benefits.

 Methods of Data Processing

The techniques of achieving the objectives will vary with different types
of technology.
Limitations of Internal Controls
 Possibility of honest errors
 Circumvention via collusion
 Management override
 Changing conditions--especially in companies with high
growth Exposures of Weak Internal Controls (Risk)
 Destruction of an asset
 Theft of an asset
 Corruption of information

 Disruption of the information system

Preventive, Detective, and Corrective Controls

Page | 11
SAS 78 / COSO
Describes the relationship between the firm’s…
• internal control structure,
• auditor’s assessment of risk, and
• the planning of audit procedures How do these three interrelate?
The weaker the internal control structure, the higher the assessed level
of risk; the higher the risk, the more auditor procedures applied in the
audit. Five Internal Control Components: SAS 78 / COSO
1. Control environment
2. Risk assessment
3. Information and communication
4. Monitoring
5. Control activities
1: The Control Environment
 Integrity and ethics of management
 Organizational structure
 Role of the board of directors and the audit committee
 Management’s policies and philosophy
 Delegation of responsibility and authority
 Performance evaluation measures
 External influences—regulatory agencies
 Policies and practices managing human resources
2: Risk Assessment

 Identify, analyze and manage risks relevant to financial

reporting:

Page | 12
  changes in external environment
 risky foreign markets
 significant and rapid growth that strain internal
controls
 new product lines
 restructuring, downsizing

 changes in accounting policies

3: Information and Communication

 The AIS should produce high quality information

which:
 identifies and records all valid transactions
 provides timely information in appropriate detail to
permit proper classification and financial reporting

 accurately measures the financial value of

transactions

 accurately records transactions in the time period in

which they occurred
Information and Communication

• Auditors must obtain sufficient knowledge of the IS to

understand:
• the classes of transactions that are material
• how these transactions are initiated [input]

• the associated accounting records and accounts used in

processing [input]

• the transaction processing steps involved from the initiation

of a transaction to its inclusion in the financial statements [process]

Page | 13
 • the financial reporting process used to compile financial
statements, disclosures, and estimates [output]
[red shows relationship to the general AIS model]
4: Monitoring
The process for assessing the quality of internal control design and
operation [This is feedback in the general AIS model.]
 Separate procedures—test of controls by internal auditors
 Ongoing monitoring:
 computer modules integrated into routine operations

 management reports which highlight trends and exceptions

from normal performance
[red shows relationship to the general AIS model]

5: Control Activities

 Policies and procedures to ensure that the appropriate

actions are taken in response to identified risks
 Fall into two distinct categories:
 IT controls—relate specifically to the computer environment

 Physical controls—primarily pertain to human activities Two

Types of IT Controls
 General controls—pertain to the entity wide computer
environment
 Examples: controls over the data center, organization
databases, systems development, and program maintenance
 Application controls—ensure the integrity of specific
systems

Page | 14
  Examples: controls over sales order processing, accounts
payable, and payroll applications
Six Types of Physical Controls
 Transaction Authorization
 Segregation of Duties
 Supervision
 Accounting Records
 Access Control

 Independent Verification
Physical Controls
Transaction Authorization
 used to ensure that employees are carrying out only
authorized transactions

 general (everyday procedures) or specific (non-routine

transactions) authorizations
Segregation of Duties
 In manual systems, separation between:
 authorizing and processing a transaction
 custody and recordkeeping of the asset
 subtasks
 In computerized systems, separation between:
 program coding
 program processing
 program maintenance Supervision

 a compensation for lack of segregation; some may be

built into computer systems
Page | 15
Accounting Records
 provide an audit trail Access Controls
 help to safeguard assets by restricting physical access to them
Independent Verification

 reviewing batch totals or reconciling subsidiary accounts with

control accounts

Physical Controls in IT Contexts

Transaction Authorization
 The rules are often embedded within computer programs.

 EDI/JIT: automated re-ordering of inventory without human

intervention Segregation of Duties
 A computer program may perform many tasks that are deemed
incompatible.
Page | 16
 Thus the crucial need to separate program development, program
operations, and program maintenance. Supervision
 The ability to assess competent employees becomes more
challenging due to the greater technical knowledge required.
Accounting Records

 ledger accounts and sometimes source documents are kept

magnetically
 no audit trail is readily apparent
Access Control
 Data consolidation exposes the organization to computer
fraud and excessive losses from disaster. Independent
Verification
 When tasks are performed by the computer rather than
manually, the need for an independent check is not necessary.
 However, the programs themselves are checked.

Page | 17