1 Chapter 3 Ethics, Fraud, and Internal Control COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star logo, and.


1 Chapter 3 Ethics, Fraud, and Internal Control COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license

2 Objectives for Chapter 3
- Broad issues pertaining to business ethics
- Ethical issues related to the use of information technology
- Distinguish between management fraud and employee fraud
- Common types of fraud schemes
- Key features of SAS 78 / COSO internal control framework
- Objects and application of physical controls

3 Business Ethics
Why should we be concerned about ethics in the business world?
- Ethics are needed when conflicts arise
- In business, conflicts may arise between:
  - employees
  - management
  - stakeholders
- Litigation

4 Business Ethics
Business ethics involves finding the answers to two questions:
- How do managers decide on what is right in conducting their business?
- Once managers have recognized what is right, how do they achieve it?

5 Four Main Areas of Business Ethics

6 Computer Ethics
Concerns social impact of computer technology (hardware, software, and telecommunications). The main computer ethics issues are:
- Privacy
- Security and accuracy
- Ownership of property
- Computer misuse
- Internal control integrity

7 Legal Definition of Fraud
- false representation - false statement or disclosure
- material fact - fact must be important enough so someone will act
- intent to deceive must exist
- misrepresentation must have resulted in justifiable reliance upon information, which caused someone to act
- misrepresentation must have caused injury or loss

Factors that Contribute to Fraud

9 Employee Fraud
Usually an employee taking cash or other assets for personal gain by circumventing company’s system of internal controls

10 Management Fraud
- Perpetrated at management levels
  - But the internal control structure usually relates to activities performed at lower levels
- Frequently involves using financial statements
  - Creating the illusion that entity is healthier and more prosperous than it actually is.
- If management is stealing assets, theft probably is hidden in very complicated business transactions.

Underlying Problems of Enron, WorldCom, Adelphia
- Lack of Auditor Independence: auditing firms also engaged to perform non-accounting activities (consulting)
- Lack of Director Independence:
  - Directors also served on the boards of other companies (good ol’ boy network)
  - Or had a business trading relationship
  - Or had a financial relationship as stockholders
  - Or received personal loans,
  - Or was employed by the company

12 Underlying Problems of Enron, WorldCom, Adelphia (contd)
- Executive Compensation Schemes: short-term stock options as compensation result in short-term strategies
  - Drives up stock prices at expense of firm’s long-term health.
- Inappropriate Accounting Practices: Common to many financial statement fraud schemes.
  - Enron created many special purpose entities
  - WorldCom transferred transmission line costs from current expense accounts to capital accounts (boosts balance sheet)

Sarbanes-Oxley Act of 2002
- Created the Public Company Accounting Oversight Board (PCAOB)
- Requires Auditor independence: more separation between firm’s attestation (auditing) and non-auditing activities
- Corporate governance: audit committee members must be independent and must oversee external auditors
- Disclosure requirements: increase auditor and management disclosures
- New federal crimes for destruction of/tampering with documents, securities fraud, and actions against whistleblowers

14 Association of Certified Fraud Examiners’ 2006 Occupational Fraud & Abuse Survey

Scheme Type | 2006* % Cases | 2006* Median loss | 1996 % Cases | 1996 Median loss
Asset Misappropriations | 91.5% | $ 150, | % | $ 65,000
Corruption Schemes | 30.8% | 538, | % | 440,000
Fraudulent Statements | 10.6% | 2,000, | % | 4,000,000

*More than 100% because some reported in more than one category

15 Fraud Schemes
- Three categories of fraud schemes according to the Association of Certified Fraud Examiners:
  A. Fraudulent statements
  B. Corruption
  C. Asset misappropriation

16 A. Fraudulent Statements
- Usually management fraud
  - Misstating financial statements to make company appear better than it is
- Often tied to short-term financial measures for success
- Or management bonus packages are tied to financial statements

17 B. Corruption
- Examples:
  - Bribery
  - Illegal gratuities
  - Conflicts of interest
  - Economic extortion
- Foreign Corrupt Practices Act of 1977: requires accurate records and internal controls (but management was not required to put it in writing)
- Sarbanes-Oxley Act of 2002:
  - management must acknowledge it is responsible for internal controls
  - must assert to effectiveness of those controls - in annual report to SEC (in other words, now it must be in writing)

18 C. Asset Misappropriation
- Most common type of fraud
  - Usually employee fraud.
- Examples:
  - Making charges to expense accounts to cover theft of asset (such as cash)
  - “Lapping”: using customer’s check from one account to cover theft from a different customer’s account
  - Transaction fraud: deleting, altering, or adding false transactions to steal assets

19 Computer Fraud
- Theft or misuse of assets by
  - altering computer data
  - altering software programming
- Theft or misuse of computer hardware
- Theft, corruption, or destruction of software or hardware
  - Includes illegal copying or sharing of software
- Theft or illegal use of computer data/information

20 Data Collection Fraud
- Fraud occurs as data are being entered
  - Most vulnerable because it is relatively easy to change data as it is entered into system.
- Also, the GIGO (garbage in, garbage out) principle reminds us
  - If input data are inaccurate, output will be inaccurate.

21 Data Processing Fraud
Program Frauds
- altering programs to allow illegal access to and/or manipulation of data
- destroying programs with a virus
Operations Frauds
- misuse of company resources, such as using the computer for personal business without permission

22 Database Management Fraud
- Altering, deleting, corrupting, destroying, or stealing an organization’s data
- Oftentimes conducted by disgruntled or ex-employee
  - This is why you don’t give terminated employees 2 weeks notice! Escort them to their desk, then the door.

23 Information Generation Fraud
- Stealing, misdirecting, or misusing computer output
- Scavenging
  - searching through trash cans for discarded output (output should be shredded, but frequently is not)

24 Internal Control Objectives According to AICPA SAS
1. Safeguard assets of the firm
2. Ensure accuracy and reliability of accounting records and information
3. Promote efficiency of the firm’s operations
4. Measure compliance with management’s prescribed policies and procedures

25 Assumptions about Internal Control Objectives
- Management Responsibility
  - establishment and maintenance of internal control system is responsibility of management (NOT Auditor).
- Reasonable Assurance
  - cost of achieving objectives of internal control should not outweigh its benefits.
  - Would you hire an armed guard 24x7 to make sure $100 of petty cash is not stolen?
- Methods of Data Processing
  - techniques of achieving internal control objectives vary, depending on technology.
  - Objectives of internal controls are same between manual and computerized systems; methods (techniques) are different.

26 Limitations of Internal Controls
- Honest errors
  - Employees get tired, distracted, sick
- Collusion
  - When 2 or more employees get together to defraud the company.
- Management override
  - Manager tells accountant to enter bogus transaction
- Changing conditions in the company
  - especially true when companies grow rapidly

27 Exposures (Risks) of Weak Internal Controls
- Assets may be destroyed
- Assets may be stolen
- Information may be corrupted
- Information system may be disrupted

28 The Internal Controls Shield

29 Preventive, Detective, and Corrective Controls Least costly

30 Auditing Standards
- Auditors are guided by GAAS (Generally Accepted Auditing Standards)
- 3 classes of standards:
  - General qualification standards
  - Field work standards
  - Reporting standards
- For specific guidance, auditors use AICPA SAS (Statements on Auditing Standards)

31 SAS 78 / COSO
Describes relationship between firm’s…
- internal control structure,
- auditor’s assessment of risk, and
- planning of audit procedures
How do these three interrelate?
The weaker the internal control structure, the higher the assessed level of risk; the higher the risk, the more auditor testing procedures applied in the audit.

32 Five Internal Control Components of SAS
1. control environment
2. risk assessment
3. information & communication
4. monitoring
5. control activities

33 1: Control Environment
- integrity and ethics of management
- management’s policies and philosophy
- organizational structure
- delegation of responsibility and authority
- role of board of directors and the audit committee
- performance evaluation measures
- external influences (ex: regulatory agencies)

34 2: Risk Assessment
- identify, analyze, and manage risks relevant to financial reporting
- Examples:
  - changes in external environment
  - foreign markets – carry more risk than domestic markets
  - rapid growth that strains internal controls
  - new product lines
  - restructuring/downsizing
  - changes in accounting policies

35 3: Information and Communication
- System (CBIS) should produce quality information that
  - identifies and records all valid transactions
  - provides timely information in appropriate detail for proper classification and financial reporting
  - accurately measures financial value of transactions, and
  - records transactions in time period in which they occurred
    - Inventory arrives on 12/31/07. Is it recorded in 2007 or 2008?

36 4: Monitoring
The process for assessing quality of internal control design and operation
- separate procedures: test of controls by internal auditors
- ongoing monitoring:
  - computer modules integrated into routine operations
  - management reports that show trends
  - Reports with exceptions from normal performance
    - Sometimes called ‘exception reports’

37 5: Control Activities
- Policies and procedures to ensure that appropriate actions are taken in response to identified risks
- Fall into two distinct categories:
  - IT controls: relate specifically to the computer environment
  - Physical controls: primarily pertain to human activities

38 Two Types of IT Controls
- General controls: pertain to the entity-wide computer environment
  - Examples: controls over the data center, organization databases, systems development, and program maintenance
- Application controls: ensure the integrity of specific systems
  - Examples: controls over sales order processing, accounts payable, and payroll applications

39 Six Types of Physical Controls
- Access Control
- Accounting Records
- Authorization of Transactions
- Independent Verification
- Segregation of Duties
- Supervision
Memorize these!

40 Physical Controls (continued)
Access Controls
- help to safeguard assets by restricting physical access to them
Accounting Records
- provide audit trail

41 Physical Controls (continued)
Authorization
- used to ensure that employees are carrying out only authorized transactions
- Authorizations may be general (everyday procedures) or specific (non-routine transactions).
- Example: A clerk may have general authorization to accept low-value returns from customers; if the return is over a certain dollar amount, clerk asks supervisor to approve (specific).

42 Physical Controls
Independent Verification
- reviewing batch totals
- reconciling subsidiary ledgers with control accounts
Example: Compare A/P sub. ledger total with A/P Control account in General Ledger.

43 Physical Controls
Segregation of Duties
- In manual system, separation is between:
  - authorizing and processing a transaction
  - custody and recordkeeping of the asset
- In computerized system, segregation should exist between:
  - program coding
  - program processing
  - program maintenance

44 Supervision
- compensation for lack of segregation of duties
  - Such as in a small company that cannot hire many employees
- Sometimes called a “compensating control”

45 Internal Controls in Computer-based Information Systems (CBIS):
- Access
- Accounting Records
- Authorization of Transactions
- Independent Verification
- Segregation of Duties
- Supervision

46 Internal Controls in CBISs
Access
- data consolidation exposes the organization to computer fraud and excessive losses from disaster
- If someone does access data, s/he might get to all of it.
All data in here

47 Internal Controls in CBISs
Accounting Records
- transaction & master files (and some source documents) are kept magnetically
  - audit trail still exists, but must be read by computer, rather than humans.

48 Internal Controls in CBISs
Authorization
- rules for transaction authorization frequently embedded in computer programs
  - Electronic Data Interchange (EDI) with Just-in-Time Inventory (JIT): automated re-ordering of inventory without human intervention

49 Internal Controls in CBISs
Independent Verification
- many of these tasks are performed by computer rather than manually, and need for an independent check on tasks performed by computer is not necessary (however, computer programs should be checked).

50 Internal Controls in CBISs
Segregation of Duties
- Computer program performs many tasks considered incompatible in manual systems
- Therefore, must separate program development, program operations, and program maintenance – in internally developed systems
  - Not as important in commercial software – why?

51 Internal Controls in CBISs
Supervision
- ability to assess competent employees becomes more challenging due to greater technical knowledge required
- “compensating control”
