CHAPTER 3 - Ethics, Fraud and Internal Control

Additional slides and texts provided by J.J. Dorega, CPA, LPT, MBA

James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Learning Objectives
• Understand the broad issues pertaining to business
ethics.
• Have a basic understanding of ethical issues related to
the use of information technology.
• Be able to distinguish between management fraud and
employee fraud.
• Be familiar with common types of fraud schemes.
• Be familiar with the key features of the COSO internal
control framework.
• Understand the objectives and application of both physical
and IT control activities.

Ethical Issues in Business
• Ethical standards are derived from societal mores and
deep-rooted personal beliefs about issues of right and
wrong that are not universally agreed upon.
• Often, we confuse ethical issues with legal issues.

• Mores are often dictated by a society's values, ethics, and sometimes
religious influences. Some mores examples include: It is not
considered acceptable or mainstream to abuse drugs, particularly
those such as heroin and cocaine. It is not considered acceptable to
drive at 90 mph in a residential area.
Mores Examples: Common Cultural Expectations (yourdictionary.com)

BUSINESS ETHICS
• Ethics are the principles of conduct that individuals use in
making choices that guide their behavior in situations
involving the concepts of right and wrong.
• Business ethics pertains to the principles of conduct that
individuals use in making choices and guiding their
behavior in situations that involve the concepts of right
and wrong.
• Making Ethical Decisions
• Ethical responsibility is the responsibility of organization
managers to seek a balance between the risks and benefits to
their constituents that result from their decisions.
• PROPORTIONALITY

BUSINESS ETHICS
• Making Ethical Decisions
• PROPORTIONALITY
• The benefit from a decision must outweigh the risks.
• There must be no alternative decision that provides the same or greater
benefit with less risk.

– JUSTICE.
• The benefit of the decision should be distributed fairly to those
who share the risks.
• Those who do not benefit should not carry the burden of risk.

– MINIMIZE RISK.
• Even if judged acceptable by principles, the decision should be
implemented so as to minimize all of the risks and avoid any
unnecessary risks.

Ethical Issues in Business
Excessive CEO retirement perks
• Delta
• PepsiCo
• AOL
• Time Warner
• Ford
• GE
• IBM
These were highly criticized for endowing huge, costly perks and benefits, such as planes, executive apartments, and maids to retiring executives.

Exorbitant compensation (both cash and stock) for executives. Many executives, including Bernie Ebbers of WorldCom and Richard Grasso of the NYSE, received huge cash and equity-based compensation that has since been determined to have been excessive.

Source: Forensic Accounting 4th Edition by Zimbelman and Albrecht

Ethical Issues in Business

1) ENRON CASE
• Whistleblower is Sherron Watkins

2) WORLDCOM CASE
• Whistleblower is Cynthia Cooper

The Fall of WorldCom and Rise of Corporate Whistleblowing | Business Government & Society III (wordpress.com)

COMPUTER ETHICS
• Computer ethics is the analysis of the nature and social
impact of computer technology and the corresponding
formulation and justification of policies for the ethical use
of such technology. This includes details about software
as well as hardware and concerns about networks
connecting computers as well as computers themselves.
• A new problem or just a new twist on an old problem?
• Privacy
• Privacy is full control of what and how much information about
an individual is available to others and to whom it is available.
• Ownership is the state or fact of exclusive rights and control
over property, which may be an object, land/real estate,
intellectual property, or some other kind of property.

COMPUTER ETHICS (continued)
• Security (Accuracy and Confidentiality)
• Ownership of Property
• Equity in Access
• Environmental Issues
• Artificial Intelligence
• Unemployment and Displacement
• Misuse of Computers

COMPUTER ETHICS (continued)
• Security (Accuracy and Confidentiality)
• Computer security is an attempt to avoid such undesirable
events as a loss of confidentiality or data integrity.

• An attempt to prevent fraud and other misuse of computer systems.
• They act to protect and further the legitimate interests of the
system’s constituencies.
• It arises from the emergence of shared, computerized
databases that have the potential to authorized users.
• Which is more important: security, accuracy, or confidentiality?

COMPUTER ETHICS (continued)
• Security (Accuracy and Confidentiality)

10 Common IT Security Risks in the Workplace (ccsinet.com)

COMPUTER ETHICS (continued)

• Ownership of Property
• Related to intellectual property rights – the software
• Copyright laws have been invoked in an attempt to protect
those who develop software from having it copied.
• The intention is to promote the progress of science and the useful arts.
• The best interest of computer users is served when industry standards
emerge; copyright laws work against this.

• Part of the problem lies in:
– The uniqueness of software
– Its ease of dissemination
– The possibility of exact replication

COMPUTER ETHICS (continued)

• Equity in Access
• Some barriers to access are intrinsic to the technology of
information systems, but some are avoidable through careful
system design.
• The economic status of the individual or the affluence of an
organization will determine the ability to obtain IT.
• Culture limits the access – prepared in one language and poor
translation
• Safety features, or the lack thereof, have limited access to
pregnant women
• Differences in physical and cognitive skills
should be considered in its design.
• Cost of providing equity in access
• Groups of society – access of priority
COMPUTER ETHICS (continued)

• Environmental Issues
• Printers require paper
• Paper comes from trees (a
precious natural resource that
ends up in landfills if not properly
recycled)

COMPUTER ETHICS (continued)
• Artificial Intelligence
• Expert system as decision makers or replacement for experts
• Both knowledge engineers (program writers) and domain
experts (providers of knowledge about the task being
automated) must be concerned about their RESPONSIBILITY
for:
• Faulty decisions
• Incomplete or inaccurate knowledge bases
• The role given to computers in the decision-making process
• Because expert systems attempt to clone a manager’s decision-making
style, an individual’s prejudices may implicitly or explicitly be
included in the knowledge base.

COMPUTER ETHICS (continued)

• Unemployment and Displacement


• Many jobs have been and are being changed as a result of the
availability of computer technology.
• People unable or unprepared to change are displaced.

As of March 25, 2019, as reported by BBC News:
Automation could replace 1.5 million jobs, says ONS - BBC News

COMPUTER ETHICS (continued)
• Misuse of Computers
• Copying proprietary software (except for personal backup) -
ILLEGAL
• Using a company’s computer for personal benefit
• Snooping through other people’s files

COMPUTER ETHICS (continued)
• Misuse of Computers

Software piracy in PHL worsens to 70%, $338M in unlicensed programs — global study (gmanetwork.com)

SARBANES-OXLEY ACT AND ETHICAL ISSUES

• Sarbanes-Oxley Act (SOX) is the most significant federal
securities law, with provisions designed to deal with
specific problems relating to capital markets, corporate
governance, and the auditing profession.
• Section 406—Code of Ethics for Senior Financial Officers
• CONFLICTS OF INTEREST
• FULL AND FAIR DISCLOSURES
• LEGAL COMPLIANCE
• INTERNAL REPORTING OF CODE VIOLATIONS
• ACCOUNTABILITY

SARBANES-OXLEY ACT AND ETHICAL ISSUES

• Section 406—Code of Ethics for Senior Financial Officers


• CONFLICTS OF INTEREST
• Company Code of Ethics should outline procedures for dealing with
actual or apparent conflicts of interest between personal and
professional relationships.
– It deals with conflicts of interest rather than prohibiting them
– Avoidance is the best policy, although conflicts are unavoidable
– Managers and employees should be made aware of the firm’s code of
ethics, be given decision models, and participate in training programs
that explore conflict of interest issues.

SARBANES-OXLEY ACT AND ETHICAL ISSUES
• Section 406—Code of Ethics for Senior Financial Officers
• FULL AND FAIR DISCLOSURES
• The organization should provide full, fair, accurate, timely, and
understandable disclosures in the documents, reports, and financial
statements that it submits to the SEC and to the public.
• To ensure that future disclosures are candid, open, truthful, and void of
such deceptions.

SARBANES-OXLEY ACT AND ETHICAL ISSUES
• Section 406—Code of Ethics for Senior Financial Officers
• LEGAL COMPLIANCE
• Code of ethics should require employees to follow applicable
government laws, rules, and regulations.
• Do not confuse ethical issues with legal issues.
• Doing the right thing requires sensitivity to laws, rules,
regulations, and societal expectations.
• Provide employees with training and guidance.

SARBANES-OXLEY ACT AND ETHICAL ISSUES

• Section 406—Code of Ethics for Senior Financial Officers


• INTERNAL REPORTING OF CODE VIOLATIONS
• The Code of Ethics must provide a mechanism to permit prompt internal
reporting of ethics violations.
• Similar to Sections 301 and 806, which were designed to encourage
and protect whistleblowers.
• Employee hotlines as an emerging mechanism.
• SOX requires this function to be confidential
– May be outsourced

SARBANES-OXLEY ACT AND ETHICAL ISSUES

• Section 406—Code of Ethics for Senior Financial Officers


• ACCOUNTABILITY
• To be effective, take appropriate action when code violations occur.
– Disciplinary measures including dismissal
• Employees must see an employee hotline as credible.
• Section 301 directs the organization’s audit committee to
establish procedures for
• Receiving complaints
• Retaining complaints
• Treating complaints
• Related sample complaints:
• Accounting procedures
• Internal control violations
• Audit committee will also play an important role in the oversight
of ethics enforcement activities.
Fraud and Accountants

• The passage of SOX has had a tremendous impact on the external auditor’s responsibilities for fraud detection during a financial audit.
• The Statement on Auditing Standards (SAS) No. 99 is the current authoritative document that defines fraud as an intentional act that results in a material misstatement in financial statements.
• The objective of SAS 99 is to seamlessly blend the auditor’s consideration of fraud into all phases of the audit process.

PSA 240 – The Auditor’s Responsibility to Consider Fraud in the Audit of FS (Revised 2005)
DEFINITIONS OF FRAUD
• Fraud is the false representation of a material fact made
by one party to another party, with the intent to deceive
and induce the other party to justifiably rely on the
material fact to his or her detriment.

• Fraud must meet the following five conditions:
1) False representation
2) Material fact
3) Intent
4) Justifiable reliance
5) Injury or loss

DEFINITIONS OF FRAUD

• FRAUD
• Involves all deceptive ways in which one individual obtains an
advantage over another by false representation.
• Always involves confidence and trickery.
• It is different from robbery, where force is used.
Source: Forensic Accounting 4th Edition by Zimbelman and Albrecht

DEFINITIONS OF FRAUD

• In accounting, fraud is commonly known as:
• White-collar crime
• Defalcation
• Embezzlement
• Irregularities

Two levels of fraud encountered by auditors
1) Employee fraud
2) Management fraud

DEFINITIONS OF FRAUD
• Employee fraud is performance fraud by
nonmanagement employees generally designed to directly
convert cash or other assets to the employee’s personal
benefit.

• Three steps involved
1) Stealing something of value (an asset)
2) Converting the asset to a usable form (cash)
3) Concealing the crime to avoid detection

DEFINITIONS OF FRAUD
• Management fraud is performance fraud that often
uses deceptive practices to inflate earnings or to forestall
the recognition of either insolvency or a decline in
earnings.
• Management fraud
• Often escapes detection until the organization has suffered
irreparable damage or loss.
• Usually does not involve direct theft of assets.
• Involves management in fraudulent activities to drive up the
market price of the company’s stock to meet investors’
expectations or to take advantage of stock options that are
part of the manager’s compensation package.

DEFINITIONS OF FRAUD

• Lower-level management fraud typically involves
materially misstating financial data and internal reports
1) To gain additional compensation
2) To garner a promotion
3) To escape the penalty for poor performance.

DEFINITIONS OF FRAUD
• Three defining characteristics of management fraud
1) Perpetrated at levels of management above the one to
which internal control structures generally relate.
2) Involves using the financial statements to create an
illusion that an entity is healthier and more prosperous
than, in fact, it is. (See next slide – WorldCom Case)
3) Frequently involves misappropriation of assets

DEFINITIONS OF FRAUD

WorldCom Scandal (slideshare.net)

THE FRAUD TRIANGLE
• The fraud triangle is a triad of factors associated with
management and employee fraud: situational pressure
(includes personal or job-related stresses that could
coerce an individual to act dishonestly); opportunity
(involves direct access to assets and/or access to
information that controls assets); and ethics (pertains to
one’s character and degree of moral opposition to acts of
dishonesty).

Fraud Triangle

THE FRAUD TRIANGLE

The Fraud Triangle and Your Business (kmco.com)


FINANCIAL LOSSES FROM FRAUD
• The actual cost of fraud is, however, difficult to quantify for
a number of reasons:
• Not all fraud is detected.
• Of that detected, not all is reported.
• In many fraud cases, incomplete information is gathered.
• Information is not properly distributed to management or law
enforcement authorities.
• Too often, business organizations decide to take no civil or
criminal action against the perpetrator(s) of fraud.
• In addition to the direct economic loss to the organization,
indirect costs—including reduced productivity, the cost of
legal action, increased unemployment, and business
disruption due to investigation of the fraud—need to be
considered.
Distribution of Losses

THE PERPETRATORS OF FRAUDS
• Fraud Losses by Position within the Organization
• Individuals in the highest positions within an organization are
beyond the internal control structure and have the greatest
access to company funds and assets.

THE PERPETRATORS OF FRAUDS
• Fraud Losses and the Collusion Effect
• One reason for segregating occupational duties is to deny
potential perpetrators the opportunity they need to commit
fraud. When individuals in critical positions collude, they create
opportunities to control or gain access to assets that otherwise
would not exist.

THE PERPETRATORS OF FRAUDS
• Fraud Losses by Gender
• Women are not fundamentally more honest than men, but men
occupy high corporate positions in greater numbers than
women. This affords men greater access to assets.

THE PERPETRATORS OF FRAUDS
(continued)

• Fraud Losses by Age


• Older employees tend to occupy higher-ranking positions and
therefore generally have greater access to company assets.

THE PERPETRATORS OF FRAUDS
(continued)

• Fraud Losses by Education


• Generally, those with more education occupy higher positions
in their organizations and therefore have greater access to
company funds and other assets.

THE PERPETRATORS OF FRAUDS
(continued)


• Conclusions to Be Drawn
• Opportunity is the factor that actually facilitates the act.
• Fraud perpetrators:
1) Individuals in the highest positions have the greatest access to company
funds and assets.
2) Men who occupy high corporate positions have greater access to
assets.
3) Older employees, since they have greater access to company assets.
4) Those with more education generally occupy higher positions, which
leads to greater access to company funds and other assets.
5) When individuals in critical positions collude, they create opportunities
to control or gain access to assets that otherwise would not exist.

FRAUD SCHEMES

• Fraudulent Statements
• Corruption
1) Corruption
2) Bribery
3) Illegal gratuity
4) Conflict of interest
5) Economic
6) Economic distortion
• Asset misappropriation

Losses from Fraud by Scheme Type

FRAUD SCHEMES
• Fraudulent Statements
• Fraudulent statements are statements associated with
management fraud. In this class of fraud scheme, the financial
statement misrepresentation must itself bring direct or indirect
financial benefit to the perpetrator.
• THE UNDERLYING PROBLEMS
• SARBANES-OXLEY ACT AND FRAUD

FRAUD SCHEMES
• Fraudulent Statements
• THE UNDERLYING PROBLEMS
1) Lack of auditor independence
– Auditing firms are also engaged by their clients to perform nonaccounting activities such as actuarial services, internal audit outsourcing services, and consulting.
– The firms are essentially auditing their own work.
– The firm will not bring to management’s attention the detected problems that may adversely affect their consulting fees.
2) Lack of director independence
3) Questionable executive compensation scheme
4) Inappropriate accounting practices

Arthur Andersen - Ms. Cuttle's Classes (google.com)
FRAUD SCHEMES
• Fraudulent Statements
• THE UNDERLYING PROBLEMS
1) Lack of auditor independence
2) Lack of director independence
• BOD composed of individuals who are not independent.
• Directors who have a personal relationship by serving on the
boards of other directors’ companies
• Having a business trading relationship as key customers or
suppliers of the company
• Having a financial relationship as primary stockholders or having
received personal loans from the company
• Having an operational relationship as employees of the company
3) Questionable executive compensation scheme
4) Inappropriate accounting practices

FRAUD SCHEMES
• Fraudulent Statements
• THE UNDERLYING PROBLEMS
1) Lack of auditor independence
2) Lack of director independence

Background - Adelphia Family Scandal - 'Massive' Fraud (google.com)

FRAUD SCHEMES
• Fraudulent Statements
• THE UNDERLYING PROBLEMS
1) Lack of auditor independence
2) Lack of director independence
3) Questionable executive compensation scheme
– Abuse of stock-based compensation scheme
– Excessive
– May result in short-term thinking and strategies aimed at driving
up stock prices at the expense of the firm’s long-term health.
4) Inappropriate accounting practices

FRAUD SCHEMES
• Fraudulent Statements
• THE UNDERLYING PROBLEMS
1) Lack of auditor independence
2) Lack of director independence
3) Questionable executive compensation scheme
4) Inappropriate accounting practices
– The characteristic common to many financial statement fraud
schemes.
– ENRON made elaborate use of special purpose vehicles to hide
liabilities through off-balance-sheet accounting and employed
income-inflating techniques.
– WORLDCOM decided to transfer transmission line costs from current
expense accounts to capital accounts.

FRAUD SCHEMES
• Fraudulent Statements
1) Inappropriate accounting practices

Balance Sheet Example - India Dictionary (1investing.in)

FRAUD SCHEMES
• Fraudulent Statements
• SARBANES-OXLEY ACT AND FRAUD:
• SOX ACT establishes a framework to modernize and reform the
oversight and regulation of public company auditing.
– Its principal reforms pertain to:
1) Accounting Oversight Board
2) Auditor Independence
3) Corporate Governance and Responsibility
4) Issuer and Management Disclosure
5) Fraud and Criminal Penalties

FRAUD SCHEMES
• Fraudulent Statements
• SARBANES-OXLEY ACT AND FRAUD:
• SOX ACT establishes a framework to modernize and reform the
oversight and regulation of public company auditing.
– Its principal reforms pertain to:
1) Accounting Oversight Board
– Public Company Accounting Oversight Board (PCAOB)
– It is the federal organization empowered to set auditing, quality
control, and ethics standards; to inspect registered accounting
firms; to conduct investigations; and to take disciplinary actions.

2) Auditor Independence
3) Corporate Governance and Responsibility
4) Issuer and Management Disclosure
5) Fraud and Criminal Penalties

FRAUD SCHEMES
• Fraudulent Statements
• SARBANES-OXLEY ACT AND FRAUD:
1) Accounting Oversight Board
2) Auditor Independence
– Creating more separation between a firm’s attestation and non-
auditing activities
• Bookkeeping or other services related to the accounting records or
financial statements
• Financial information systems design and implementation
• Appraisal or valuation services, fairness opinions, or contribution-in-kind
reports
• Actuarial services
• Internal audit outsourcing services
• Management functions or human resources
• Broker or dealer, investment adviser, or investment banking services
• Legal services and expert services unrelated to the audit
• Any other service that the PCAOB determines is impermissible

FRAUD SCHEMES
• Fraudulent Statements
• SARBANES-OXLEY ACT AND FRAUD:
• SOX ACT establishes a framework to modernize and reform the
oversight and regulation of public company auditing.
– Its principal reforms pertain to:
1) Accounting Oversight Board
2) Auditor Independence
3) Corporate Governance and Responsibility
– The act requires all audit committee members to be
independent and requires the audit committee to hire and
oversee the external auditors.
– This provision is consistent with many investors who consider
the board composition to be a critical investment factor
4) Issuer and Management Disclosure
5) Fraud and Criminal Penalties

FRAUD SCHEMES
• Fraudulent Statements
• SARBANES-OXLEY ACT AND FRAUD:
1) Accounting Oversight Board
2) Auditor Independence
3) Corporate Governance and Responsibility
4) Issuer and Management Disclosure
– Imposition of new corporate disclosure requirements:
a) Public companies must report all off-balance-sheet transactions.
b) Annual reports filed with the SEC must include a statement by
management asserting that it is responsible for creating and
maintaining adequate internal controls and asserting to the
effectiveness of those controls.
c) Officers must certify that the company’s accounts ‘‘fairly present’’
the firm’s financial condition and results of operations.
d) Knowingly filing a false certification is a criminal offense
5) Fraud and Criminal Penalties

FRAUD SCHEMES
• Fraudulent Statements
• SARBANES-OXLEY ACT AND FRAUD:
1) Accounting Oversight Board
2) Auditor Independence
3) Corporate Governance and Responsibility
4) Issuer and Management Disclosure
5) Fraud and Criminal Penalties
1) SOX imposes a range of new criminal penalties for fraud and
other wrongful acts.
2) In particular, the act creates new federal crimes relating to the
destruction of documents or audit work papers, securities
fraud, tampering with documents to be used in an official
proceeding, and actions against whistle-blowers.

FRAUD SCHEMES (continued)
• Corruption
• Corruption involves an executive, a manager, or an employee
of the organization in collusion with an outsider.
• Bribery involves giving, offering, soliciting, or receiving things
of value to influence an official in the performance of his or her
lawful duties.
• An illegal gratuity involves giving, receiving, offering, or
soliciting something of value because of an official act that has
been taken.
• A conflict of interest is an outline of procedures for dealing
with actual or apparent conflicts of interest between personal
and professional relationships.
FRAUD SCHEMES (continued)
• Corruption (continued)
• Economic extortion is the use (or threat) of force (including
economic sanctions) by an individual or organization to obtain
something of value. The item of value could be a financial or
economic asset, information, or cooperation to obtain a
favorable decision on some matter under review.

FRAUD SCHEMES (continued)
• Asset Misappropriation
• The most common fraud scheme in various forms
• Assets are either directly or indirectly diverted to the
perpetrator’s benefit.
• 90% of the frauds fall in this general category (ACFE)
1) Skimming
2) Cash larceny
3) Billing schemes
4) Check tampering
5) Payroll fraud
6) Expense reimbursements
7) Thefts of cash
8) Noncash misappropriation
9) Computer fraud

Losses from Asset Misappropriation Schemes

FRAUD SCHEMES (continued)
• Skimming
• Skimming involves stealing cash from an organization before
it is recorded on the organization’s books and records.
• Another example is mail room fraud, in which an employee
opening the mail steals a customer’s check and destroys the
associated remittance advice.

FRAUD SCHEMES (continued)
• Skimming

Skimming: Review of Credit & Debit Card Fraud (slideshare.net)


FRAUD SCHEMES (continued)
• Cash Larceny
• Cash larceny is theft of cash receipts from an organization
after those receipts have been recorded in the organization’s
books and records.
• Lapping is the use of customer checks, received in payment
of their accounts, to conceal cash previously stolen by an
employee.
• Billing Schemes
• Billing schemes, also known as vendor fraud, are schemes
under which an employee causes the employer to issue a
payment to a false supplier or vendor by submitting invoices
for fictitious goods/services, inflated invoices, or invoices for
personal purchases.

FRAUD SCHEMES (continued)
• Billing Schemes (continued)
• A shell company is establishing a false vendor on the company’s
books, and then making false purchase orders, receiving reports,
and invoices in the name of the vendor and submitting them to the
accounting system, creating the illusion of a legitimate
transaction. The system ultimately issues a check to the false
vendor.
• A pass-through fraud is similar to shell company fraud except
that a transaction actually takes place. The perpetrator creates a
false vendor and issues purchase orders to it for inventory or
supplies. The false vendor purchases the needed inventory from
a legitimate vendor, charges the victim company a much higher
than market price for the items, and pockets the difference.
• A pay-and-return is a scheme under which a clerk with check
writing authority pays a vendor twice for the same products
(inventory or supplies) received and then intercepts and cashes
the overpayment returned by the vendor.
FRAUD SCHEMES (continued)
• Check Tampering
• Check tampering involves forging, or changing in some
material way, a check that was written to a legitimate payee.
• Payroll Fraud
• Payroll fraud is the distribution of fraudulent paychecks to
existent and/or nonexistent employees.
• Expense Reimbursements
• Expense reimbursement fraud involves claiming
reimbursement of fictitious or inflated business expenses.
• Thefts of Cash
• Thefts of cash is the direct theft of cash on hand in the
organization.

FRAUD SCHEMES (continued)
• Noncash Misappropriations
• Noncash fraud is the theft or misuse of non-cash assets (e.g.,
inventory, confidential information).
• Computer Fraud
• Computer fraud involves theft, misuse, or misappropriation of
assets by altering computer-readable records and files, or by
altering the logic of computer software; the illegal use of
computer-readable information; or the intentional destruction of
computer software or hardware.

Internal Control Concepts and Techniques

• The internal control system is a set of policies a firm employs
1) to safeguard the firm’s assets,
2) to ensure accurate and reliable accounting records and
information,
3) to promote efficiency, and
4) to measure compliance with established policies.

Internal Control Concepts and Techniques

• Modifying Assumptions
• Management responsibility is the concept under which the
responsibility for the establishment and maintenance of a
system of internal control falls to management.
• Reasonable assurance is an assurance provided by the
internal control system that the four broad objectives of internal
control are met in a cost-effective manner.

• METHODS OF DATA PROCESSING
• LIMITATIONS

Internal Control Concepts and Techniques

• Modifying Assumptions
• METHODS OF DATA PROCESSING
• Internal controls should achieve the four broad objectives regardless of
the data processing method used.
• The control techniques used to achieve these objectives vary with
different types of technology.

• LIMITATIONS ON EFFECTIVENESS
1) The possibility of error – no system is perfect
2) Circumvention – through collusion or other means
3) Management override – by distorting transactions or by directing a
subordinate to do so
4) Changing conditions – conditions may change over time and render
existing controls ineffective

Internal Control Concepts and Techniques
(continued)

• Control Weaknesses and Risks
• Control weaknesses increase the firm’s risk of financial loss
or injury from threats.
• The weaker the internal control, the higher the risk.
• The higher the risk, the higher the possibility that the financial
statements are materially misstated (fraudulent financial
statements).

Internal Control Concepts and Techniques
(continued)

• The Preventive-Detective-Corrective Internal Control Model
• Preventive controls are passive techniques designed to
reduce the frequency of occurrence of undesirable events.
• The first line of defense in the control structure
• Example: a well-designed source document
• Not all problems can be anticipated and prevented

• Detective controls are devices, techniques, and procedures
designed to identify and expose undesirable events that elude
preventive controls.
• They form the second line of defense.
• They reveal specific types of errors by comparing actual occurrences to
pre-established standards.
• Example: Recalculating the total value from the price and quantity
exposes the error.
Internal Control Concepts and Techniques
(continued)

• The Preventive-Detective-Corrective Internal Control Model (continued)
• Corrective controls are actions taken to reverse the effects of
errors detected. Statement on Auditing Standards (SAS)
No. 109 is the current authoritative document for specifying
internal control objectives and techniques. It is based on the
COSO framework.
• Attention is drawn to the anomalies identified by the detective controls.
• Corrective controls actually fix the problems.
• For any detected error, there may be more than one feasible corrective
action, and the best course of action may not always be obvious.

Internal Control Shield

Preventive, Detective, and Corrective Controls

Internal Control Concepts and Techniques
(continued)

• Sarbanes-Oxley and Internal Control
• Committee of Sponsoring Organizations of the Treadway Commission
(COSO) is a joint initiative of five private sector organizations
and is dedicated to providing thought leadership through the
development of frameworks and guidance on enterprise risk
management, internal control, and fraud deterrence.

COSO INTERNAL CONTROL FRAMEWORK

• The Control Environment
• The control environment is the foundation of internal control.
• It sets the tone of the organization and influences the control
awareness of its management and employees.
• Important elements:
• The integrity and ethical values of management.
• The structure of the organization.
• The participation of the organization’s board of directors and the audit
committee, if one exists.
• Management’s philosophy and operating style.
• The procedures for delegating responsibility and authority.
• Management’s methods for assessing performance.
• External influences, such as examinations by regulatory agencies.
• The organization’s policies and practices for managing its human
resources.

COSO INTERNAL CONTROL FRAMEWORK
• Risk Assessment
• Risk assessment is the identification, analysis, and
management of risks relevant to financial reporting.
• Risk can arise or change from the following circumstances:
• Changes in the operating environment that impose new or changed competitive
pressures on the firm.
• New personnel who have a different or inadequate understanding of internal control.
• New or reengineered information systems that affect transaction processing.
• Significant and rapid growth that strains existing internal controls.
• The implementation of new technology into the production process or information
system that impacts transaction processing.
• The introduction of new product lines or activities with which the organization has little
experience.
• Organizational restructuring resulting in the reduction and/or reallocation of personnel
such that business operations and transaction processing are affected.
• Entering into foreign markets that may impact operations (that is, the risks associated
with foreign currency transactions).
• Adoption of a new accounting principle that impacts the preparation of financial
statements.

COSO INTERNAL CONTROL FRAMEWORK

• Information and Communication
• The quality of information the accounting information system
generates impacts management’s ability to take actions and
make decisions in connection with the organization’s
operations and to prepare reliable financial statements.
• An effective accounting information system will:
• Identify and record all valid financial transactions.
• Provide timely information about transactions in sufficient detail to
permit proper classification and financial reporting.
• Accurately measure the financial value of transactions so their effects
can be recorded in financial statements.
• Accurately record transactions in the time period in which they occurred

COSO INTERNAL CONTROL FRAMEWORK

• Monitoring
• Monitoring is the process by which the quality of internal
control design and operation can be assessed.
• An organization’s internal auditors may monitor the entity’s
activities in separate procedures.
• Gather evidence of control adequacy by testing controls and then
communicate control strengths and weaknesses to management.
• Make specific recommendations for improvements to controls
• Ongoing monitoring techniques:
1) Integrate special computer modules into the information system that
capture key data and/or permit tests of controls to be conducted as
part of routine operations.
2) Judicious use of management reports
1) Highlight the trends
2) Identify exceptions from normal performance

COSO INTERNAL CONTROL FRAMEWORK
(continued)

• Control Activities
• Control activities are the policies and procedures to ensure
that appropriate actions are taken to deal with the
organization’s risks.

• Two distinct categories:
1. IT CONTROLS
2. PHYSICAL CONTROLS

COSO INTERNAL CONTROL FRAMEWORK
(continued)

• Control Activities
• IT CONTROLS:
1. General controls are controls that pertain to entity-wide concerns
such as
a) controls over the data center,
b) organization databases,
c) systems development, and
d) program maintenance.

2. Application controls are controls that ensure the integrity of
specific systems. Discussion: from Slide 89 (IT Application Controls).

COSO INTERNAL CONTROL FRAMEWORK
(continued)

• Control Activities
• PHYSICAL CONTROLS
1. Transaction authorization is a procedure to ensure that employees
process only valid transactions within the scope of their authority.
2. Segregation of duties is the separation of employee duties to
minimize incompatible functions. (Authorization, Recording,
Custodianship)
3. Supervision is a control activity involving the critical oversight of
employees.
4. The accounting records of an organization consist of documents,
journals, or ledgers used in transaction cycles.
5. Access controls are controls that ensure that only authorized
personnel have access to the firm’s assets.
6. Independent verification. Verification procedures are independent
checks of the accounting system to identify errors and
misrepresentations; timing depends on technology employed and the
task under review. (Reconcile, Compare, Review)

Segregation of Duties Objectives

COSO INTERNAL CONTROL FRAMEWORK
(continued)

The 2013 COSO Framework and the Audit Committee - Risk & Compliance Journal - WSJ

IT APPLICATION CONTROLS
• Input Controls
• Input controls are programmed procedures, often called edits,
that perform tests on transaction data to ensure that they are
free from errors.
1) CHECK DIGIT
2) MISSING DATA CHECK
3) NUMERIC-ALPHABETIC CHECK
4) LIMIT CHECK
5) RANGE CHECK

IT APPLICATION CONTROLS
• Input Controls
1) CHECK DIGIT:
1) Transcription errors are the type of errors that can corrupt a data
code and cause processing errors.
2) Transposition errors are errors that occur when digits are
transposed.
3) A check digit is a method for detecting data coding errors in which a
control digit is added to the code when it is originally designed to allow
the integrity of the code to be established during subsequent
processing.

Customer code: 5372
Calculated check digit: 5 + 3 + 7 + 2 = 17; the units digit, 7, is the check digit
Customer new code: 53727

IT APPLICATION CONTROLS
• Input Controls
2) MISSING DATA CHECK
• The edit identifies blank or incomplete input fields that should
contain data required to process the transactions.
3) NUMERIC-ALPHABETIC CHECK
• The edit identifies when data in a particular field are in the wrong
form.
• Example: Customer’s account balance should not contain
alphabetic data.
4) LIMIT CHECK
• Used to identify field values that exceed an authorized limit.
• Example: Maximum employee work per week is 44 hours
5) RANGE CHECK
• Having an upper and lower limit to their acceptable values
• Example: For a monthly salary between P 10,000 and P 11,000, a certain
deduction will be P 500.

IT APPLICATION CONTROLS (continued)
• Input Controls (continued)
6. REASONABLENESS CHECK
• Error is detected by a test that determines if a value in one field,
which has already passed a limit check and a range check, is
reasonable when considered with other fields of the record.
• Example: An employee’s pay rate of P 100 per hour falls within an
acceptable range, but it is excessive when compared to the employee’s
job skill code of 143. Employees in this skill class should not earn
more than P 80 per hour.

7. VALIDITY CHECK
• Compares actual field values against known acceptable values.
• The control is used to verify such things as transactions codes,
state abbreviations, or employee job skill codes. If the value does
not match one of the acceptable values, the record is flagged as an
error.
• Frequently used in cash disbursements systems, e.g., to flag a
vendor that is not on the list of valid vendors.
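
The seven input edits above, applied to constructed payroll records. This is an added example, not code from the slides or the textbook. It generalizes the check digit: the slide's sum-of-digits method is shown next to a weighted modulus-11 variant (an assumption, not on the slides), because a plain digit sum cannot catch a transposition. The pay range, second skill code and field names are hypothetical.

```python
import re

# Reference data. Only the 44-hour limit and skill code 143 (max P 80) come from the slides.
MAX_HOURS_PER_WEEK = 44
RATE_RANGE = (40, 120)                      # hypothetical acceptable hourly pay range (P)
SKILL_MAX_RATE = {"143": 80, "201": 120}    # valid skill codes -> max hourly rate (P)
REQUIRED = ("employee_code", "skill_code", "hours", "rate")


def sum_check_digit(code: str) -> str:
    """Slide method: add the digits and keep the units digit of the sum."""
    return str(sum(int(d) for d in code) % 10)


def mod11_check_digit(code: str) -> str:
    """Weighted modulus-11 variant: position weights make swapped digits change the result."""
    weights = range(len(code) + 1, 1, -1)   # 5, 4, 3, 2 for a four-digit code
    total = sum(int(d) * w for d, w in zip(code, weights))
    digit = (11 - total % 11) % 11
    return "X" if digit == 10 else str(digit)


def edit_record(rec: dict) -> list:
    """Run the input edits on one record of string fields; an empty list means accepted."""
    # 2) Missing data check: every required field must be present and non-blank.
    errors = [f"missing_data:{f}" for f in REQUIRED if not str(rec.get(f, "")).strip()]
    if errors:
        return errors
    # 3) Numeric-alphabetic check: these fields may contain digits only.
    for field in ("skill_code", "hours", "rate"):
        if not re.fullmatch(r"[0-9]+", rec[field]):
            errors.append(f"numeric_alphabetic:{field}")
    if not re.fullmatch(r"[0-9]+[0-9X]", rec["employee_code"]):
        errors.append("numeric_alphabetic:employee_code")
    if errors:
        return errors                        # later edits need well-formed numbers
    # 1) Check digit: the last character must match the digit recomputed from the rest.
    base, given = rec["employee_code"][:-1], rec["employee_code"][-1]
    if mod11_check_digit(base) != given:
        errors.append("check_digit:employee_code")
    hours, rate = int(rec["hours"]), int(rec["rate"])
    # 4) Limit check: one authorized maximum.
    if hours > MAX_HOURS_PER_WEEK:
        errors.append("limit:hours")
    # 5) Range check: upper and lower bound.
    if not RATE_RANGE[0] <= rate <= RATE_RANGE[1]:
        errors.append("range:rate")
    # 7) Validity check: the value must be on the list of known acceptable values.
    if rec["skill_code"] not in SKILL_MAX_RATE:
        errors.append("validity:skill_code")
    # 6) Reasonableness check: the rate judged against another field of the same record.
    elif rate > SKILL_MAX_RATE[rec["skill_code"]]:
        errors.append("reasonableness:rate")
    return errors


# Constructed sample input; employee code 53724 is base 5372 plus its modulus-11 digit.
SAMPLE_RECORDS = {
    "clean":       {"employee_code": "53724", "skill_code": "143", "hours": "40", "rate": "75"},
    "transposed":  {"employee_code": "57324", "skill_code": "143", "hours": "40", "rate": "75"},
    "overpaid":    {"employee_code": "53724", "skill_code": "143", "hours": "40", "rate": "100"},
    "overtime":    {"employee_code": "53724", "skill_code": "143", "hours": "50", "rate": "75"},
    "blank_hours": {"employee_code": "53724", "skill_code": "143", "hours": "",   "rate": "75"},
    "letter_o":    {"employee_code": "53724", "skill_code": "143", "hours": "40", "rate": "1O0"},
    "bad_skill":   {"employee_code": "53724", "skill_code": "999", "hours": "40", "rate": "75"},
}


def run_edits(records: dict) -> dict:
    """Return {record name: list of errors} for a batch of named records."""
    return {name: edit_record(rec) for name, rec in records.items()}


if __name__ == "__main__":
    for name, errs in run_edits(SAMPLE_RECORDS).items():
        print(f"{name:12s} {'ACCEPT' if not errs else 'REJECT ' + ', '.join(errs)}")
```

The "overpaid" record passes the range check and is rejected only by the reasonableness check, which is the P 100 versus P 80 case described on the slide.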
IT APPLICATION CONTROLS (continued)
• Processing Controls
• Batch controls
• Run-to-run controls
• Hash total

IT APPLICATION CONTROLS (continued)
• Processing Controls
• Batch controls are an effective method of managing high
volumes of transaction data through a system.
• They ensure:
1) All records in the batch are processed.
2) No records are processed more than once.
3) An audit trail of transactions is created from input through
processing to the output stage of the system.

IT APPLICATION CONTROLS (continued)
• Processing Controls
• Run-to-run controls are controls that use batch figures to monitor
the batch as it moves from one programmed procedure to another.

IT APPLICATION CONTROLS (continued)
• Processing Controls
• Hash total is a control technique that uses nonfinancial data to keep
track of the records in a batch.
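
The batch control, run-to-run and hash total slides, combined in one added example that is not code from the slides or the textbook. A batch control record holds the record count, the financial control total and a hash total over account numbers, and the figures are re-checked after every programmed procedure. The record layout, stage names and sample transactions are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Txn:
    account: int        # nonfinancial field summed into the hash total
    amount_cents: int   # financial field summed into the control total


@dataclass(frozen=True)
class BatchControl:
    batch_id: str
    record_count: int
    control_total: int
    hash_total: int


def build_control(batch_id, txns):
    """Compute the batch figures when the batch is first assembled."""
    return BatchControl(
        batch_id,
        len(txns),
        sum(t.amount_cents for t in txns),
        sum(t.account for t in txns),
    )


def run_to_run_check(control, txns):
    """Recompute the figures after a run and name every figure that no longer reconciles."""
    actual = build_control(control.batch_id, txns)
    return [
        field
        for field in ("record_count", "control_total", "hash_total")
        if getattr(actual, field) != getattr(control, field)
    ]


def process(control, txns, stages):
    """Pass the batch through each stage; stop at the first stage that fails to reconcile.

    Returns a trail of (stage name, discrepancies) pairs, one per stage actually run.
    """
    trail = []
    for name, stage in stages:
        txns = stage(txns)
        diffs = run_to_run_check(control, txns)
        trail.append((name, diffs))
        if diffs:
            break       # do not let an unreconciled batch reach the next procedure
    return trail


# Constructed stages: one correct, three that each break a batch control guarantee.
def sort_stage(txns):
    return sorted(txns, key=lambda t: t.account)

def drop_stage(txns):            # a record is lost: not all records processed
    return txns[:-1]

def duplicate_stage(txns):       # a record is processed more than once
    return txns + [txns[0]]

def substitute_stage(txns):      # same count and amount, but posted to another account
    return [replace(txns[0], account=1099)] + txns[1:]


# Constructed sample batch.
BATCH = [Txn(1003, 2500), Txn(1001, 5000), Txn(1002, 7500)]
CONTROL = build_control("B-001", BATCH)

if __name__ == "__main__":
    for faulty in (drop_stage, duplicate_stage, substitute_stage):
        stages = [("sort", sort_stage), (faulty.__name__, faulty), ("update", sort_stage)]
        print(process(CONTROL, BATCH, stages))
```

The substitution case is the one only the hash total catches: the record count and the financial total still agree with the control record.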

IT APPLICATION CONTROLS (continued)
• Audit Trail Controls
• Audit trail controls ensure that every transaction can be
traced through each stage of processing from its economic
source to its presentation in financial statements.

• Examples:
1) TRANSACTION LOGS
– Every transaction the system successfully processes should be recorded on a
transaction log, which serves as a journal.
• The log is a permanent record of transactions, although the input transaction
file is typically a temporary file.
• Not all of the records in the input file may be successfully
processed.
2) LOG OF AUTOMATIC TRANSACTIONS
– The system triggers some transactions internally.
– To maintain an audit trail of these activities, all internally generated
transactions must be placed in a transaction log

Transaction Log to Preserve the Audit Trail

IT APPLICATION CONTROLS (continued)
• Master File Backup Controls
• The procedures may depend on the type of system in place.
• This can be viewed either as (a) a general control, or (b) an
application control.

• In database environment:
• It is a general control because the database supports all corporate users
and database backup procedures apply to all.

• In a flat-file environment:
• It is an application control because corporate users do not share data
files, therefore, individual backup procedures need to be designed
specifically for each user’s application.

GFS BACKUP TECHNIQUE
• For batch processing using sequential files
• Grandfather-father-son (GFS) is a backup technique employed
by systems that use sequential master files (whether tape or disk).
– It is an integral part of the master file update process.
– The systems designer determines the number of backup master files
needed for each application.
– Two factors influence this decision:
(1) the financial significance of the system and
(2) the degree of file activity.

Grandfather-Father-Son Approach

BACKUP PROCESS IN BATCH SYSTEM USING
DIRECT ACCESS FILES
• Each record in a direct access file is assigned a unique
disk location or address that is determined by its primary
key value.
• The destructive update approach leaves no backup copy
of the original master file.
• Only the current value is available to the user.
• To back up the master file prior to each scheduled update run:
1) Copy the master file being updated to create a backup version.
2) Should the original master file be destroyed or corrupted, reconstruct
the master file in either of the following ways:
a) A special recovery program uses the backup master file to
reconstruct a new master file.
b) The file update process is repeated using the previous batch of
transactions to restore the master to current status.

Destructive Update Approach

Backup Procedures for Batch Systems Using Direct
Access Files

BACKUP OF MASTER FILES IN A REAL-TIME
SYSTEM
• Real-time systems pose a more difficult problem because
transactions are being processed continuously.
• Backup procedures are therefore scheduled at
prespecified intervals throughout the day (e.g., every 15
minutes).
• If the current version of the master file is destroyed through a
disk failure or corrupted by a program error, it can be
reconstructed from the most current backup file.
• The transactions processed since the last backup, however,
need to be reprocessed to bring the master file to current
status.
• These records are retrieved from the transaction log, which is created
continuously in real-time.
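The recovery sequence described above (restore the most current backup, then reprocess the transactions logged since it was taken) as an added example that is not from the textbook or the slides. The class name, account identifiers, and amounts are constructed for illustration.

```python
import copy


class RealTimeMaster:
    """Toy master file (account -> balance) with a continuous transaction log."""

    def __init__(self, balances):
        self.master = dict(balances)
        self.log = []         # append-only transaction log (the journal)
        self.backup = None    # most recent backup copy of the master file
        self.backup_seq = 0   # sequence number of the last transaction in the backup

    def post(self, account, amount):
        """Process one transaction: record it in the log, then update in place."""
        seq = len(self.log) + 1
        self.log.append({"seq": seq, "account": account, "amount": amount})
        self.master[account] = self.master.get(account, 0) + amount
        return seq

    def take_backup(self):
        """Scheduled backup: copy the master and note its position in the log."""
        self.backup = copy.deepcopy(self.master)
        self.backup_seq = len(self.log)

    def recover(self):
        """Rebuild the master from the latest backup plus later log entries."""
        if self.backup is None:
            raise RuntimeError("no backup available")
        restored = copy.deepcopy(self.backup)
        replayed = [t for t in self.log if t["seq"] > self.backup_seq]
        for t in replayed:
            restored[t["account"]] = restored.get(t["account"], 0) + t["amount"]
        self.master = restored
        return len(replayed)


def demo():
    """Constructed scenario: backup, two more postings, corruption, recovery."""
    ar = RealTimeMaster({"C100": 500, "C200": 0})
    ar.post("C100", -200)
    ar.take_backup()              # interval backup captures C100 = 300
    ar.post("C200", 750)          # processed after the backup
    ar.post("C100", 50)           # processed after the backup
    expected = dict(ar.master)
    ar.master = {"C100": -1}      # simulate a program error corrupting the file
    replayed = ar.recover()
    return expected, ar.master, replayed
```

Only the two transactions logged after the backup are reprocessed; without the log, recovery would stop at the backup's balances and those postings would be lost.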

Backup Procedures for Real-Time Processing
System

OUTPUT CONTROLS
• OUTPUT CONTROLS
• A combination of programmed routines and other procedures
to ensure that system output is not lost, misdirected, or
corrupted and that privacy is not violated.
• Example: If the checks that a firm’s cash disbursements
system produces are lost, misdirected, or destroyed, trade
accounts payable and other bills may go unpaid (which could
damage the firm’s credit rating).
• Controlling Hard-Copy Output (Common to batch system)
• OUTPUT SPOOLING
• PRINT PROGRAMS
• WASTE
• REPORT DISTRIBUTION
• END-USER CONTROLS
• Controlling Digital Output
OUTPUT CONTROLS
• Controlling Hard-Copy Output
• OUTPUT SPOOLING:
• Spooling is directing an application’s output to a magnetic disk file
rather than to the printer directly.
– Later, when printer resources become available, the output files are
printed.
– The creation of an output file as an intermediate step in the printing
process presents an added exposure (risks):
• Accessing the output file and changing critical data values.
• Accessing the file and changing the number of copies to be printed.
• Making a copy of the output file to produce illegal output reports.
• Destroying the output file before output printing takes place.
– Management and auditors need to be aware of these potential
exposures and ensure that proper backup procedures are in place to
protect output files.

OUTPUT CONTROLS
• Controlling Hard-Copy Output
• PRINT PROGRAMS
• The print run program produces hard-copy output from the output file.
• Print program controls deal with two types of exposures present in this
environment:
1) the production of unauthorized copies of output and
2) employee browsing of sensitive data

• Print programs are often complex systems that require operator
intervention. The four common types of operator actions are the following:
1) Pausing the print program to load the correct type of output
documents (check stocks, invoices, or other special forms).
2) Entering parameters that the print run needs, such as the number of
copies to be printed.
3) Restarting the print run at a prescribed checkpoint after a printer
malfunction.
4) Removing printed output from the printer for review and distribution.
OUTPUT CONTROLS
• Controlling Hard-Copy Output
• WASTE
• Computer output waste is a potential source of
– Exposure
– Passwords
• These must be disposed of properly.
• To control these threats, all sensitive computer output should
be passed through a shredder.

How to Clean a Paper Shredder That Is Gummed Up (chron.com)

OUTPUT CONTROLS
• Controlling Hard-Copy Output
• REPORT DISTRIBUTION
• Risks: reports being stolen, lost, or misdirected in transit to the user.

• Control techniques:
1) The reports may be placed in a secure mailbox to which only the user has the key.
2) The user may be required to appear in person at the distribution center and sign for
the report.
3) A security officer or special courier may deliver the report to the user.

Secure Mail Vault - Keyless Locking Mailbox (thegreenhead.com)

OUTPUT CONTROLS
• Controlling Hard-Copy Output
• END-USER CONTROLS
• The recipient user of a report should examine the output for errors.
• Errors the user detects should be reported to the appropriate IT
management.

• Such errors may be symptoms of:
1) An improper system design
2) Incorrect procedures
3) Errors accidentally inserted during systems maintenance
4) Unauthorized access to data files or programs

• Once a report has served its purpose, it should be:
1) Stored in a secure location until its retention period has expired
2) Then shredded.

OUTPUT CONTROLS
• Controlling Digital Output
• Digital output can be directed to the user’s computer screen or
printer.

• The primary output threat is the interception, disruption,
destruction, or corruption of the output message as it passes
across the communications network.

• This threat comes from two types of exposures:
1) exposures from equipment failure, and
2) exposures from subversive acts.

Stages in the Output Process
