Pindi Yulinar Rosita

008201905023

Session 6

Chapter 7 : Control and Accounting Information Systems

Threat/event: any potential adverse occurrence or unwanted event that could injure the AIS or the
organization.
Exposure/impact: the potential dollar loss should a particular threat becomes a reality.
Likelihood: The probability that a threat will come to pass.
Internal controls: the processes and procedures implemented to provide reasonable assurance that control
objectives are met. Internal controls perform three important functions:
 Preventive controls: controls that deter problems before they arise.
 Detective controls: controls designed to discover control problems that were not prevented.
 Corrective controls: controls that identify and correct problems as well as correct and recover from the resulting
errors.

Internal controls are often segregated into two categories:

 General controls: controls designed to make sure an organization’s information system and control
environment is stable and well managed.
 Application controls: controls that prevent, detect, and correct transaction errors and fraud in application
programs.

Four levers of control to help management reconcile the conflict between creativity and controls:
 Belief system: system that described how a company creates value, helps employees understand management’s
vision, communicates company core values and inspires employees to live by those values.
 Boundary system: system that helps employees act ethically by setting boundaries on employee behavior.
 Diagnostic control system: system that measures, monitors and compares actual company progress to budgets
and performance goals
 Interactive control systems: systems that helps managers to focus subordinates’ attention on key strategic
issues and to be more involved in their decisions.

The Foreign Corrupt Practices Act (FCPA): legalization passed to prevent companies from bribing foreign
officials to obtain business; also requires all publicly owned corporations maintain a system of internal
accounting controls.
Sarbanes-Oxley Act (SOX): legalization intended to prevent financial statement fraud, make financial reports
more transparent, provide protection to investors, strengthen internal controls at public companies, and punish
executives who perpetrate fraud. SOX is the most important business-orientated legalization in the last 80
years. The following are some of the most important aspects of SOX:
 Public company accounting oversight board (PCAOB): a board created by SOX that regulates the auditing
profession, created as past of SOX.
 New rules for auditor’s  auditors must report specific information to the company’s audit committee.
 New rules for audit committees  audit committee members must be on the company’s board of directors and
be independent of the company.
  New rules for management.
 New internal control requirements

Control frameworks

Control Objective for Information and Related Technology (COBIT):

a security and control framework that allows (1) management to benchmark the security and control practices
of IT environments, (2) users of IT services to be assured that adequate security and control exist, and (3)
auditors to substantiate their internal control options and advise on IT security and control matters.
Committee of Sponsoring Organizations (COSO): a private-sector group consisting of the American
Accounting Association, the AICPA, the institute of internal auditors, he institute of management accountants
and the financial executives institute.
Internal Control – Integrated Framework (IC): a COSO framework that defines internal controls and
provides guidance for evaluating and enhancing internal control systems.
Enterprise Risk Management – Integrated Framework (ERM): a COSO framework that improves the risk
management process by expanding COSO’s internal control – integrated.

DISCUSSION QUESTION 7.1-7.3

1. Answer the following questions about the audit of Springer’s Lumber & Supply
a. What deficiencies existed in the internal environment at Springer’s?
The "internal environment" refers to the tone or culture of a company and helps
determine how risk consciousness employees are. It is the foundation for all other
ERM components, providing discipline and structure. It is essentially the same
thing as the control environment in the internal control framework.
The internal environment also refers to management's attitude toward internal
control, and to how that attitude is reflected in the organization's control policies
and procedures. At Springer's, several deficiencies in the control environment are
apparent:

1. Management authority is concentrated in three family members, so there are

few, if any, checks and balances on their behavior. In addition, several other
relatives and friends of the family are on the payroll.
2. Since the company has a "near monopoly" on the business in the Bozeman
area, few competitive constraints restrain prices, wages, and other business
practices.
3. Lines of authority and responsibility are loosely defined, which make it
difficult to identify who is responsible for problems or decisions.
4. Management may have engaged in "creative accounting" to make its financial
performance look better, which suggests a management philosophy that could
encourage unethical behavior among employees.

b. Do you agree with the decision to settle with the Springers rather than to
prosecute them for fraud and embezzlement? Why or why not?

Whether or not to settle with the Springers is a matter of opinion, with reasonable
arguments on both sides of the issue.
 The reasons for reaching a settlement are clearly stated: the difficulty of obtaining
convictions in court, and the possible adverse effects on the company's market position.
  On the other hand, the evidence of fraud here seems strong. If this kind of behavior is not
penalized, then the perpetrators may be encouraged to do it again, with future adverse
consequences to society.
c. Should the company have told Jason and Maria the results of the high-level audit?
Why or why not?
Whether or not Jason and Maria should have been told the results of the high-level audit is
also a matter of opinion. The investigative team is apparently trying to keep its agreement
to maintain silence by telling as few people as possible what really happened. On the other
hand, Jason and Maria were the ones who first recognized the problems; it seems only right
that they be told about the outcome.

2. Explain why the Foreign Corrupt Practices Act was important to accountants.

Small companies can do the following things to compensate for their inability to
implement an adequate segregation of duties:
 Effective supervision and independent checks performed by the owner/manager may be the most
important element of control in situations where separation of functions cannot be fully achieved.
In very small businesses, the owner-manager may find it necessary to supervise quite extensively.
For example, the manager could reconcile the bank account, examine invoices, etc.
 Fidelity bonding is a second form of internal control that is critical for persons holding positions of
trust that are not entirely controlled by separation of functions.
 Document design and related procedures are also important to internal control in this
situation. Documents should be required with customer returns to encourage customer
audit
 Document design should include sequential prenumbering to facilitate subsequent review.
3. One function of the AIS is to provide adequate controls to ensure the safety \
of organizational assets, including data. However, many people view control procedures as
“red tape.” They also believe that, instead of producing tangible benefits, business controls
create resentment and loss of company morale. Discuss this position.
Well-designed controls should not be viewed as “red tape” because they can actually improve
both efficiency and effectiveness. The benefits of business controls are evident if one considers
the losses that frequently occur due to the absence of controls. Consider a control procedure
mandating weekly backup of critical files.

It is probably impossible to eliminate resentment or loss of morale among all employees,

but these factors may be minimized if controls are administered fairly and courteously.

Of course, there is a cost-benefit tradeoff in implementing internal controls. If an organization has

too many controls, this may justifiably generate resentment and loss of morale among employees.
Controls having only marginal economic benefit may be rejected for this reason.

Another factor is the obtrusiveness of the controls. When the user sees no clear need or purpose to
a control it can appear to be there only to control them and little more than that. When the user
does not understand their purpose, controls can often provoke resentment
SUGGESTED SOLUTIONS TO THE CASE

1. How did Guisti commit the fraud, conceal it, and convert the fraudulent actions to personal gain?
Answer :
Commit: James Guisti, a trusted 14-year employee and manager of a Greater Providence Deposit &
Trust’ branch office, was authorized to make consumer loans up to a certain dollar limit without loan
committee approvals. He used this authority to create 67 fraudulent 90-day notes requiring no
collateral. As the scheme progressed, he was able to bypass the loan committee approval as some of
his loans exceed his loan limit. Guisti was charged with embezzling $1.83 million from the bank.
Conceal: He made the loans out to five people: his wife using her maiden name, his father, two
friends, and a non-existent person. To avoid detection, he made sure the loans were performing and
that they were never examined for non-payment. That is, when the loans matured, he would take out a
new loan, or rewrite the old one, to pay the principal and interest due. He also kept the loans small to
avoid the attention of auditors, who examined loans much larger than those he was fraudulently
originating.
Convert: He had a subordinate, customer service representative Lucy Fraioli, cosign the checks. He
then had another subordinate, head teller Marcia Perfetto, cash the checks, and give him the money.

2. Good internal controls require that the custody, recording, and authorization functions be separated.
Explain which of those functions Guisti had and how the failure to segregate them facilitated the fraud.

Answer :

Authorization: Guisti was authorized to make consumer loans up to $10,000 (later

$15,000 and then $25,000) without loan committee approval. This authorization is standard industry
practice. He used this authority to create fraudulent loans.
Custody: Guisti was able to commit the fraud because he was able to obtain custody of the checks
used to extend the loans. He used his position as branch manager to get his subordinates to cosign the
checks and cash them
Recording: Nothing in the case write-up indicates that Guisti had any recording responsibilities. It
appears that he used the bank’s normal recording processes: the bank recorded the loans when created
and the payments were appropriately recorded when Guisti repaid them

3. Identify the preventive, detective, and corrective controls at GPD&T and discuss whether they were
effective.

Answer :

Preventive: All bank loans exceeding Guist’s limit ($10,000, then $15,000 and then
$25,000) were supposed to be approved by a loan committee. This control was not enforced or was not
effective as Guisti was able to bypass it.

Detective: State regulators and the bank’s internal auditors failed to detect the fraud. Bank auditors do not
examine all loans and focus on much larger loans than Guisti’s.

Corrective: The bank bonded (an insurance policy on an employee’s honesty) its employees. When the bank
was defrauded, the bank’s bonding company covered the loss. This control was effective in restoring the
financial losses the bank experienced

4. Explain the pressures, opportunities, and rationalizations that were present in the
Guisti fraud.
Answer :

Pressures: Guisti was a frequent gambler and needed the money to pay gambling debts.

Opportunities: As the Branch Manager, Guisti could override some internal controls and unduly influence his
subordinates not to comply with others.

Rationalization: No information is given on how or why Guisti rationalized his fraud

5. Discuss how Greater Providence Deposit & Trust might improve its control procedures over
the disbursement of loan funds to minimize the risk of this type of fraud. In what way does this
case indicate a lack of proper segregation of duties?

Answer :

Loan funds should generally not be disbursed in cash. Better control would be established by depositing the
funds in a checking account in the borrower's name or by issuing a bank check to the borrower.
When cashing such a check, bank personnel should require identification containing the borrower's
photograph, and the borrower's signature on the check, and should scan both the photograph and the signature
to verify the borrower's identity.
In no case should one bank employee disburse cash to another for a loan to a third party borrower without first
verifying the existence and identity of the borrower.
Customer service representatives generally should not co-sign checks to borrowers without first verifying their
existence.

6. Discuss how Greater Providence might improve its loan review procedures at bank
headquarters to minimize its fraud risk. Was it a good idea to rotate the assignments of loan
review clerks? Why or why not?

Answer :

A system should be in place at the bank's headquarters to maintain data on all outstanding bank loans. This
system should flag all loans that have been made in excess of the loan officer's lending limit. The authenticity
of these loans should be scrutinized by internal auditors or other bank officials independent of the loan officer.
Disciplinary action should be taken when a loan officer extends a loan that is greater than his loan limit.
Approved loans for which there is no credit report should be flagged and scrutinized.
Bank headquarters could send a letter to each new borrower thanking them for their business. Individuals
whose names had been used on loan documents without their permission would be likely to question why they
had received such a letter, while letters mailed to fictitious borrowers would be returned as undeliverable.
Either event should trigger an investigation.

7. Discuss whether Greater Providence’s auditors should have been able to detect this fraud.

Answer :

Audits are not guaranteed to detect fraud. It is too costly for auditors to examine every loan, so they generally
examine a systematically selected sample. It makes sense for auditors to focus on larger loans, since that is
where the greatest exposure is.

The case notes that Guisti was a former auditor. Therefore, he would have been very familiar with the bank's
control system and its audit procedures. He undoubtedly made use of this knowledge in planning and carrying
out his embezzlement scheme. On the other hand, since the bank's central records were computerized, it should
have been a simple matter for auditors to find and examine every outstanding loan record with questionable
characteristics, such as:

 Loan amounts in excess of the loan officer's lending limit

 Short-term loans that had been rewritten several times.

8. Are there any indications that the internal environment at Greater Providence may
have been deficient? If so, how could it have contributed to this embezzlement?
Answer :

There are three indications of potential deficiencies in the bank's control environment.

 Controls may have been deficient during the computer services changeover. However,
the fraud took place over a three-year period, and any problems relating to the computer
changeover should have taken much less than three years to resolve.
 The bank pled guilty to a felony three years prior to discovery of the fraud, which was
about the time the fraud began.
 The state's charges of an inflated balance sheet suggest the possibility that the integrity
of the bank's management may be flawed, though there is certainly no proof of this.

While one indicator of a deficient internal environment may be tolerable, three begins to look like a pattern.
Deficiencies in the bank's internal environment certainly could have contributed to the embezzlement by
enhancing the opportunity for fraud and by fostering an attitude that dishonest behavio