Chapter 3: Ethics, Fraud, and Internal Control
and avoid any unnecessary risks
Objectives for Chapter 3
 Broad issues pertaining to business ethics
 Ethical issues related to the use of information
technology
 Distinguish between management fraud and employee
fraud
 Common types of fraud schemes
 Key features of SAS 78 / COSO internal control
framework
 Objects and application of physical controls
Ethics
 pertains to the principles of conduct that individuals
use in making choices and guiding their behavior in
situations that involve the concepts of right and wrong
Business Ethics
Why should we be concerned about ethics in the business
world?
 Ethics are needed when conflicts arise—the need to
choose
 In business, conflicts may arise between:
 employees
 management
 stakeholders
 Litigation
Business ethics involves finding the answers to two
questions:
 How do managers decide on what is right in conducting
their business?
 Once managers have recognized what is right, how do
they achieve it?
Four Main Areas of Business Ethics
Ethical Responsibility
 Seeking a balance between these consequences
 PROPORTIONALITY
 Justice. The benefits of the decision should be
distributed fairly to those who share the risks.
Those who do not benefit should not carry the
burden of risk.
 Minimize risk. Even if judged acceptable by
the principles, the decision should be
implemented so as to minimize all of the risks
Computer Ethics
 analysis of the nature and social impact of computer
technology and the corresponding formulation and
justification of policies for the ethical use of such
technology.… [This includes] concerns about software
as well as hardware and concerns about networks
connecting computers as well as computers
themselves.
Three Levels of Computer Ethics
 Pop computer ethics is simply the exposure to stories
and reports found in the popular media regarding the
good or bad ramifications of computer technology
 Para computer ethics involves taking a real interest in
computer ethics cases and acquiring some level of skill
and knowledge in the field
 Theoretical Computer Ethics, is of interest to
multidisciplinary researchers who apply the theories of
philosophy, sociology, and psychology to computer
science with the goal of bringing some new
understanding to the field
Computer Ethics…
concerns the social impact of computer technology
(hardware, software, and telecommunications).
What are the main computer ethics issues?
 Privacy
 Security—accuracy and confidentiality
 Ownership of property
 Equity in access
 Environmental issues
 Artificial intelligence
 Unemployment and displacement
 Misuse of computer
Security (Accuracy and Confidentiality)
 Computer security is an attempt to avoid such
undesirable events as a loss of confidentiality or data
integrity.
Sarbanes-Oxley Act of 2002
Its principal reforms pertain to:
 Creation of the Public Company Accounting
Oversight Board (PCAOB)
 Auditor independence—more separation
between a firm’s attestation and non-auditing
activities
 Corporate governance and responsibility—
audit committee members must be
independent and the audit committee must
oversee the external auditors
 Disclosure requirements—increase issuer and
management disclosure
 New federal crimes for the destruction of or
tampering with documents, securities fraud,
and actions against whistleblowers
Section 406—Code of Ethics for Senior Financial
Officers SOX
 Conflicts Of Interest
 Full And Fair Disclosures
 Legal Compliance
 Internal Reporting Of Code Violations
 Accountability
Legal Definition of Fraud
 False representation - false statement or
disclosure
 Material fact - a fact must be substantial in
inducing someone to act
 Intent to deceive must exist
 The misrepresentation must have resulted in
justifiable reliance upon information, which
caused someone to act
 The misrepresentation must have caused
injury or loss
Fraud in Accounting Literature
 fraud is also commonly known as white-collar
crime, defalcation, embezzlement, and
irregularities. Auditors encounter fraud at two
levels: employee fraud and management fraud.
Factors that Contribute to Fraud
Employee Fraud
 Committed by non-management personnel
 Usually consists of: an employee taking cash or
other assets for personal gain by circumventing a
company’s system of internal controls
 Three Steps:
 stealing something of value (an asset)
 converting the asset to a usable form (cash)
 concealing the crime to avoid detection
Management Fraud Special Characteristics
 Perpetrated at levels of management above the one to
which internal control structure relates
 Frequently involves using financial statements to
create an illusion that an entity is more healthy and
prosperous than it actually is
 Involves misappropriation of assets, it frequently is
shrouded in a maze of complex business transactions
Fraud Triangle
 Situational Pressure, which includes personal or
job-related stresses that could coerce an
individual to act dishonestly
 Opportunity, which involves direct access to
assets and/or access to information that controls
assets
 Ethics, which pertains to one’s character and
degree of moral opposition to acts of dishonesty
Fraud Losses
 Position. Individuals in the highest positions within an
organization are beyond the internal control structure
and have the greatest access to company funds and
assets.
 Gender. Women are not fundamentally more honest
than men, but men occupy high corporate positions in
greater numbers than women. This affords men
greater access to assets.
 Age. Older employees tend to occupy higher-ranking
positions and therefore generally have greater access
to company assets.
 Education. Generally, those with more education
occupy higher positions in their organizations and
therefore have greater access to company funds and
other assets.
 Collusion. One reason for segregating occupational
duties is to deny potential perpetrators the
opportunity they need to commit fraud. When
individuals in critical positions collude, they create
opportunities to control or gain access to assets that
otherwise would not exist. FRA
Fraud Schemes
Three categories of fraud schemes according to the
Association of Certified Fraud Examiners:
A. fraudulent statements
B. corruption
C. asset misappropriation
A. Fraudulent Statements
 Misstating the financial statements to make the
copy appear better than it is
 Usually occurs as management fraud
 May be tied to focus on short-term financial
measures for success
 May also be related to management bonus
packages being tied to financial statements
Enron, WorldCom, Adelphia Underlying Problems
 Lack of Auditor Independence: auditing firms also
engaged by their clients to perform nonaccounting
activities
 Lack of Director Independence: directors who also
serve on the boards of other companies, have a
business trading relationship, have a financial
relationship as stockholders or have received personal
loans, or have an operational relationship as
employees
 Questionable Executive Compensation Schemes: short-
term stock options as compensation result in short-
term strategies aimed at driving up stock prices at the
expense of the firm’s long-term health.
 Inappropriate Accounting Practices: a characteristic
common to many financial statement fraud schemes.
 Enron made elaborate use of special purpose
entities
 WorldCom transferred transmission line costs
from current expense accounts to capital
accounts
B. Corruption
 Examples:
 bribery
 illegal gratuities
 conflicts of interest
 economic extortion
 Foreign Corrupt Practice Act of 1977:
 indicative of corruption in business world
 impacted accounting by requiring accurate
records and internal controls
 involves an executive, manager, or employee of the
organization in collusion with an outsider.
 Four Principal Types:
 Bribery involves giving, offering, soliciting, or
receiving things of value to influence an
official in the performance of his or her lawful
duties
 Illegal Gratuity involves giving, receiving,
offering, or soliciting something of value
because of an official act that has been taken
 Conflict Of Interest occurs when an employee
acts on behalf of a third party during the
discharge of his or her duties or has self-
interest in the activity being performed
 Economic Extortion is the use (or threat) of
force (including economic sanctions) by an
individual or organization to obtain something
of value
C. Asset Misappropriation
 Most common type of fraud and often occurs as
employee fraud
 Examples:
 making charges to expense accounts to cover
theft of asset (especially cash)
 lapping: using customer’s check from one
account to cover theft from a different
account
 transaction fraud: deleting, altering, or adding
false transactions to steal assets
Skimming
 involves stealing cash from an organization before
it is recorded on the organization’s books and
records.
 Mail Room Fraud in which an employee opening
the mail steals a customer’s check and destroys
the associated remittance advice
Cash Larceny
 involves schemes in which cash receipts are stolen
from an organization after they have been recorded in
the organization’s books and records.
 Lapping, in which the cash receipts clerk first steals and
cashes a check from Customer A. To conceal the
accounting imbalance caused by the loss of the asset,
Customer A’s account is not credited. Later (the next
billing period), the employee uses a check received
from Customer B and applies it to Customer A’s
account. Funds received in the next period from
Customer C are then applied to the account of
Customer B, and so on.
Billing Schemes/ Vendor Fraud
 perpetrated by employees who causes their
employer to issue a payment to a false supplier or
vendor by submitting invoices for fictitious goods
or services, inflated invoices, or invoices for
personal purchases. Three examples of billing
scheme are presented here.
 Shell Company Fraud first requires that the
perpetrator establish a false supplier on the books
of the victim company. The fraudster then
manufactures false purchase orders, receiving
reports, and invoices in the name of the vendor
and submits them to the accounting system,
which creates the allusion of a legitimate
transaction. Based on these documents, the
system will set up an account payable and
ultimately issue a check to the false supplier (the
fraudster). This sort of fraud may continue for
years before it is detected.
 A Pass Through Fraud is similar to the shell
company fraud with the exception that a
transaction actually takes place. Again, the
perpetrator creates a false vendor and issues
purchase orders to it for inventory or supplies.
The false vendor then purchases the needed
inventory from a legitimate vendor. The false
vendor charges the victim company a much higher
than market price for the items, but pays only the
market price to the legitimate vendor. The
difference is the profit that the perpetrator
pockets.
 A Pay-and-return Scheme is a third form of
vendor fraud. This typically involves a clerk with
checkwriting authority who pays a vendor twice
for the same products (inventory or supplies)
received. The vendor, recognizing that its
customer made a double payment, issues a
reimbursement to the victim company, which the
clerk intercepts and cashes.
Check Tampering
 involves forging or changing in some material way
a check that the organization has written to a
legitimate payee. One example of this is an
employee who steals an outgoing check to a
vendor, forges the payee’s signature, and cashes
the check. A variation on this is an employee who
 steals blank checks from the victim company
makes them out to himself or an accomplice.
Payroll Fraud
 the distribution of fraudulent paychecks to existent
and/or nonexistent employees. For example, a
supervisor keeps an employee on the payroll who has
left the organization. Each week, the supervisor
continues to submit time cards to the payroll
department as if the employee were still working for
the victim organization. The fraud works best in
organizations in which the supervisor is responsible for
distributing paychecks to employees. The supervisor
may intercept the paycheck, forge the former
employee’s signature, and cash it. Another example of
payroll fraud is to inflate the hours worked on an
employee time card so that he or she will receive a
larger than deserved paycheck. This type of fraud often
involves collusion with the supervisor or timekeeper.
Expense Reimbursements
 schemes in which an employee makes a claim for
reimbursement of fictitious or inflated business
expenses. For example, a company salesperson
files false expense reports, claiming meals,
lodging, and travel that never occurred.
Thefts of Cash
 schemes that involve the direct theft of cash on
hand in the organization. An example of this is an
employee who makes false entries on a cash
register, such as voiding a sale, to conceal the
fraudulent removal of cash. Another example is a
bank employee who steals cash from the vault.
Non-Cash Misappropriations
 involve the theft or misuse of the victim
organization’s non-cash assets. One example of
this is a warehouse clerk who steals inventory
from a warehouse or storeroom. Another
example is a customer services clerk who sells
confidential customer information to a third
party.
Computer Fraud Schemes
 Theft, misuse, or misappropriation of assets by altering
computer-readable records and files
 Theft, misuse, or misappropriation of assets by altering
logic of computer software
 Theft or illegal use of computer-readable information
 Theft, corruption, illegal copying or intentional
destruction of software
 Theft, misuse, or misappropriation of computer
hardware
Data Collection Fraud
 This aspect of the system is the most vulnerable
because it is relatively easy to change data as it is being
entered into the system.
 Also, the GIGO (garbage in, garbage out) principle
reminds us that if the input data is inaccurate,
processing will result in inaccurate output.
Data Processing Fraud
Program Frauds
 altering programs to allow illegal access to and/or
manipulation of data files
 destroying programs with a virus
Operations Frauds
 misuse of company computer resources, such as using
the computer for personal business
Database Management Fraud
 Altering, deleting, corrupting, destroying, or stealing an
organization’s data
 Oftentimes conducted by disgruntled or ex-employee
Information Generation Fraud
Stealing, misdirecting, or misusing computer output
Scavenging
 searching through the trash cans on the computer
center for discarded output (the output should be
shredded, but frequently is not)
Internal Control Objectives According to AICPA SAS
1. Safeguard assets of the firm
2. Ensure accuracy and reliability of accounting
records and information
3. Promote efficiency of the firm’s operations
4. Measure compliance with management’s
prescribed policies and procedures
Modifying Assumptions to the Internal Control
Objectives
 Management Responsibility
The establishment and maintenance of a system of internal
control is the responsibility of management.
 Reasonable Assurance
The cost of achieving the objectives of internal control should
not outweigh its benefits.
 Methods of Data Processing
The techniques of achieving the objectives will vary with
different types of technology.
Limitations of Internal Controls
 Possibility of honest errors
 Circumvention via collusion
 Management override
  Changing conditions--especially in companies with high
growth
Exposure and Risk
 The absence or weakness of a control is called an
exposure
Exposures of Weak Internal Controls (Risk)
 Destruction of an asset
 Theft of an asset
 Corruption of information
 Disruption of the information system
The Preventive–Detective–Corrective Internal
Control Model
 Preventive controls are passive techniques
designed to reduce the frequency of occurrence
of undesirable events. Preventive controls force
compliance with prescribed or desired actions and
thus screen out aberrant events.
 Detective controls form the second line of
defense. These are devices, techniques, and
procedures designed to identify and expose
undesirable events that elude preventive controls.
Detective controls reveal specific types of errors
by comparing actual occurrences to pre-
established standards.
 Corrective controls are actions taken to reverse
the effects of errors detected in the previous step.
There is an important distinction between
detective controls and corrective controls.
Detective controls identify anomalies and draw
attention to them; corrective controls actually fix
the problem.
SAS 78 / COSO
Describes the relationship between the firm’s…
 internal control structure,
 auditor’s assessment of risk, and
 the planning of audit procedures
How do these three interrelate?
The weaker the internal control structure, the higher the assessed
level of risk; the higher the risk, the more auditor
procedures applied in the audit.
Five Internal Control Components: SAS 78 / COSO
1. Control environment
2. Risk assessment
3. Information and communication
4. Monitoring
5. Control activities
1: The Control Environment
 Integrity and ethics of management
 Organizational structure
 Role of the board of directors and the audit committee
 Management’s policies and philosophy
 Delegation of responsibility and authority
 Performance evaluation measures
 External influences—regulatory agencies
 Policies and practices managing human resources
2: Risk Assessment
 Identify, analyze and manage risks relevant to financial
reporting:
 changes in external environment
 risky foreign markets
 significant and rapid growth that strain
internal controls
 new product lines
 restructuring, downsizing
 changes in accounting policies
3: Information and Communication
 The AIS should produce high quality information which:
 identifies and records all valid transactions
 provides timely information in appropriate
detail to permit proper classification and
financial reporting
 accurately measures the financial value of
transactions
 accurately records transactions in the time
period in which they occurred
 Auditors must obtain sufficient knowledge of the IS to
understand:
 the classes of transactions that are material
 how these transactions are initiated
[input]
 the associated accounting records
and accounts used in processing
[input]
 the transaction processing steps involved from
the initiation of a transaction to its inclusion in
the financial statements [process]
 the financial reporting process used to
compile financial statements, disclosures, and
estimates [output]
4: Monitoring
The process for assessing the quality of internal control design
and operation
[This is feedback in the general AIS model.]
 Separate procedures—test of controls by internal
auditors
 Ongoing monitoring:
 computer modules integrated into routine
operations
 management reports which highlight trends
and exceptions from normal performance
5: Control Activities
 Policies and procedures to ensure that the appropriate
actions are taken in response to identified risks
 Fall into two distinct categories:
 IT controls—relate specifically to the
computer environment
 Physical controls—primarily pertain to human
activities
Two Types of IT Controls  Thus the crucial need to separate program
development, program operations, and program
 General controls—pertain to the entitywide maintenance.
computer environment  Physical Controls in IT Contexts
 Examples: controls over the data center,
organization databases, systems Supervision
development, and program maintenance  The ability to assess competent employees becomes
 Application controls—ensure the integrity of more challenging due to the greater technical
specific systems knowledge required.
 Examples: controls over sales order  Physical Controls in IT Contexts
processing, accounts payable, and payroll
applications Accounting Records
 ledger accounts and sometimes source documents are
kept magnetically
Six Types of Physical Controls  no audit trail is readily apparent
 Physical Controls in IT Contexts
 Transaction Authorization
 Segregation of Duties Access Control
 Data consolidation exposes the organization to
 Supervision
computer fraud and excessive losses from disaster.
 Accounting Records  Physical Controls in IT Contexts
 Access Control
 Independent Verification Independent Verification
 When tasks are performed by the computer rather
than manually, the need for an independent check is
Physical Controls not necessary.
 However, the programs themselves are checked.
Transaction Authorization
 used to ensure that employees are carrying out only
authorized transactions
 general (everyday procedures) or specific (non-routine
transactions) authorizations

Segregation of Duties
 In manual systems, separation between:
 authorizing and processing a transaction
 custody and recordkeeping of the asset
 subtasks
 In computerized systems, separation between:
 program coding
 program processing
 program maintenance

Supervision
 a compensation for lack of segregation; some may be
built into computer systems

Accounting Records
 provide an audit trail

Access Controls
 help to safeguard assets by restricting physical access
to them

Independent Verification
 reviewing batch totals or reconciling subsidiary
accounts with control accounts
Physical Controls in IT Contexts

Transaction Authorization

 The rules are often embedded within computer

programs.
 EDI/JIT: automated re-ordering of inventory
without human intervention

Segregation of Duties
 A computer program may perform many tasks that are
deemed incompatible.