1. For a local city council, letters of complaint received from rate payers are entered into a complaints master file by the City Manager’s office. The date, department code, and a complaint description are stored for each letter. Weekly reports are produced from the complaints master file and given to the City Manager. Two weekly reports are produced: a department summary and a detail list.
context level DFD (level 0) can be produced…

3. Is there something missing from this scenario?
Yes,  the council should really  acknowledge the letter of complaint.

4. Key Learning Points
What are the main ethical issues pertaining to business and to the use of information technology?
What is the difference between management fraud and employee fraud?
Discuss common types of fraud schemes.
What are the key features of SAS 78 / COSO internal control framework 3

5. Ethics, Fraud, and Internal Control
Business Ethics
How do managers decide on what is right in conducting their business?
Once managers have recognized what is right, how do they achieve it?
Business ethics involves finding the answers to two questions: see slide
Why should we be concerned about ethics in the business world?
Ethics are needed when conflicts of interest arise need prodcedures for dealing with conflicts of interest between personal and professional interests.
In business, conflicts may arise between:
employees
management
stakeholders
Full and fair disclosure – procedures to ensure all disclosures are open candid and without deception
Legal compliance – employees are required to comply with the law
Internal reproting of code violations – mechanism to promote reporting of ethics violations
Accountability – appropriate actions will be taken if violations are reported.
Three ethical frameworks – proportionality – benefits outweigh risks
Justice – benefirs are shared among risk holders
Minimize risks – regardless of framework risks must be minimized.

6. Computer Ethics…
concerns the social impact of computer technology (hardware, software, and telecommunications).
What are the main computer ethics issues?
Privacy
Security—accuracy and confidentiality
Ownership of property
Equity in access
Environmental issues
Artificial intelligence
Unemployment and displacement
Misuse of computer
Three levels of computer ethics considerations
Pop – media reports of positive and negative effects of technology
Para – interest along with acquired skill and knowledge of computer ethics
Theoretical – application of social, philosophical and psychological theory to computer ethics questions
Are computer ethics different in nature from traditional issues such as property rights, trade secrets, copyright, and paten laws.
Class discussion over the following issues
Privacy- control over what and to whom information is available
Security – an attempt to avoid loss of confidentiality or data integrity
Ownership of property – intellectual prop and what and indiv or caompany might own
Equity access – which barrers to access exist and why
Evironm issues – which print jobs might be non – essential and paper wasting
Artif intell – reliance and personnel replacement issues - stems from embedding expertise in sw
Unemplo and displace – impact of tech develpments of jobs
Misuse of computers – issues of copying and access to data
Managers- must establish and maintain a sys of internal controls to ensure the integrity and reliabili of their data
Sarbanes Oxley Act (2002) and Ethical Issues - most sweeoping securitues legislation since 1933 – 1934 SEC acts – SOX as it applies to ethical issues that most affects AIS.
Section 406 – Code of ethics for Senior Financial offiers – publicly held cos must disclose whether or not they have code of ethics for officers – if not – then disclose why not.
Disclosure may be : Part of annual report
Reported on a web site, Copied and provided on request
Mgmt sets ethical tone of or – methods should be devised to address the following ethical issues.
Conflicts of Interest – procedures for dealing with conflicts of interest personal and professional intersts
Full and fai disclossure – procedures to ensure disclosres are open, candid and without deception
Legal compliances - employees are required to comply with law
Internal reporting of code violations – mechanisms to promote reprting of thics violation
Accountability – appropriate actions will taken if violations are reported 8

7. Legal Definition of Fraud
False representation
Material fact
Intent to deceive
Justifiable reliance
Injury or loss
SAS no 99 – considerations of fraud in a financial statement audit
False repres- false statement or disclosure
Material fact - a fact must be substantial in inducing someone to act
Intent to deceive must exist
The misrepresentation must have resulted in justifiable reliance upon information, which caused someone to act
The misrepresentation must have caused injury or loss 9

8. Sarbanes-Oxley Act of 2002 Reforms pertain to:
Creation of the Public Company Accounting Oversight Board (PCAOB)
Auditor independence
Corporate governance and responsibility
Disclosure requirements
New federal crimes for the destruction of or tampering with documents, securities fraud, and actions against whistleblowers
Attestation activities are what? The process of authorizing established internal controls, processes, policies, programs, and data, is commonly referred to as attestation. An attestation process includes the reviewers, the data to be attested, and the schedule for attestation activities. —more separation between a firm’s attestation and non-auditing activities
—audit committee members must be independent and the audit committee must oversee the external auditors
—increase issuer and management disclosure

9. Fraudulent Statements
Misstating the financial statements to make the copy appear better than it is
Usually occurs as management fraud
May be tied to focus on short-term financial measures for success
May also be related to management bonus packages being tied to financial statements
Associated with management fraud
Comprise 8% of fraud cases
Present a significantly higher amount of loss
Underlying problems – lack of auditor independence (audit firm also supplies nonaudit services)
Lack of director independence (board of directors have a financila relationship with the co.)
Questionable executive compensation schemes (use of stock options)
Inappropriate acctg practices (Enron for ex. Used special purpose entities to hide liabilities) 16

10. Corruption Foreign Corrupt Practice Act of 1977 bribery
illegal gratuities
conflicts of interest
economic extortion
Foreign Corrupt Practice Act of 1977
Accounts for 10% fraud cases
Briber – giving offering solicing or recieveing things of value to influence an offical in performace of his/her lawful duty
Illegal gratuities – giving receivein offering or soliciting something of value - because an offical act that has been take
Conflicts inteerst – when an employee acts on behalf of third party during the discharge of his /her duties
Economic extortion – use or threat of force by an individual or organization to obtain something of value
Foreign Corrupt Practice Act of 1977:
indicative of corruption in business world
impacted accounting by requiring accurate records and internal controls 16

11. Asset Misappropriation
Charges to expense accounts.
Lapping.
Transaction fraud.
92% - most common type-often occurs as employee fraud
Charges - to cover theft of asset (especially cash).
Lapping - using customer’s check from one account to cover theft from a different account
Transaction - deleting, altering, or adding false transactions to steal assets 16

12. Computer Fraud Schemes
Theft, misuse, or misappropriation of assets by
altering computer-readable records and files
altering logic of computer software
Theft or illegal use of computer-readable information
Theft, corruption, illegal copying or intentional destruction of software
Theft, misuse, or misappropriation of computer hardware 22

13. The General IS Model
Using, explain how fraud can occur at the different stages of information processing?data collection, processing, management and generation. 13

14. Data Collection Fraud
Relatively easy to change data as it is being entered into the system.
Also, the GIGO (garbage in, garbage out) principle reminds us that if the input data is inaccurate, processing will result in inaccurate output.
This aspect of the system is the most vulnerable
1st stage in an IS – objective to ensure data are valid, complete and free from material errors.
Simplest way to perpetrate a computer fraud is at collection state – this is the computer equiv of transaction fraud 23

15. Data Processing Fraud Program Frauds Operations Frauds
altering programs to allow illegal access to and/or manipulation of data files
destroying programs with a virus
Operations Frauds
misuse of company computer resources, such as using the computer for personal business
Altering program logic so data is processed incorrectly. 24

16. Database Management Fraud
Altering, deleting, corrupting, destroying, or stealing an organization’s data
Oftentimes conducted by disgruntled or ex-employee 25

17. Information Generation Fraud
Scavenging
searching through the trash cans on the computer center for discarded output (the output should be shredded, but frequently is not)
Stealing, misdirecting, or misusing computer output
HARMFULL _ Information characteristics – relevance, timeliness, accuracy, completeness and summarization
Involves scavenging
eavesdropping – listening to output generation over telecommunications lines, 26

18. Internal Control Objectives According to AICPA SAS
Safeguard assets of the firm
Ensure accuracy and reliability of accounting records and information
Promote efficiency of the firm’s operations
Measure compliance with management’s prescribed policies and procedures 28

19. Modifying Assumptions to the Internal Control Objectives
Management Responsibility
The establishment and maintenance of a system of internal control is the responsibility of management.
Reasonable Assurance
The cost of achieving the objectives of internal control should not outweigh its benefits.
Methods of Data Processing
The techniques of achieving the objectives will vary with different types of technology.
Limitations of Internal Controls
No system is perfect
Possibility of honest errors
Personnel - Circumvention via collusion -
Management override
Changing conditions--especially in companies with high growth 29

20. The Internal Controls Shield
Exposures of Weak Internal Controls (Risk)
ABSENCE OR WEAKNESS OF A CONTROL IS AN EXPOSURE:
Destruction of an asset
Theft of an asset
Corruption of information
Disruption of the information system

21. Preventive, Detective, and Corrective Controls
Preventive controls – passive techniques designed to reduce occurrence of undesirable events
Detective - devices techniques and procedures designed to identify and expose undesirable events that elude preventive controls
Corrective – actions taken to reverse the effects of errors detected in previous step

22. Five Internal Control Components: SAS 78 / COSO
1. Control environment
2. Risk assessment
3. Information and communication
4. Monitoring
5. Control activities
Describes the relationship between the firm’s…
internal control structure,
auditor’s assessment of risk, and
the planning of audit procedures
How do these three interrelate?
The weaker the internal control structure, the higher the assessed level of risk; the higher the risk, the more auditor procedures applied in the audit. 36

23. 3: Information and Communication
The AIS should produce high quality information which:
identifies and records all valid transactions
provides timely information in appropriate detail to permit proper classification and financial reporting
accurately measures the financial value of transactions
accurately records transactions in the time period in which they occurred 40

24. Information and Communication
Auditors must obtain sufficient knowledge of the IS to understand:
the classes of transactions that are material
how these transactions are initiated [input]
the associated accounting records and accounts used in processing [input]
the transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements [process]
the financial reporting process used to compile financial statements, disclosures, and estimates [output]
[red shows relationship to the AIS model] 41

25. [This is feedback in the general AIS model.]
4: Monitoring
The process for assessing the quality of internal control design and operation
[This is feedback in the general AIS model.]
Separate procedures—test of controls by internal auditors
Ongoing monitoring:
computer modules integrated into routine operations
management reports which highlight trends and exceptions from normal performance
[red shows relationship to the AIS model] 42

26. 5: Control Activities
Policies and procedures to ensure that the appropriate actions are taken in response to identified risks
Fall into two distinct categories:
IT controls—relate specifically to the computer environment
Physical controls—primarily pertain to human activities 43

27. Two Types of IT Controls
General controls—pertain to the entity-wide computer environment
Examples: controls over the data center, organization databases, systems development, and program maintenance
Application controls—ensure the integrity of specific systems
Examples: controls over sales order processing, accounts payable, and payroll applications

28. Six Types of Physical Controls
Transaction Authorization
Segregation of Duties
Supervision
Accounting Records
Access Control
Independent Verification

29. Physical Controls Transaction Authorization In IT Context
used to ensure that employees are carrying out only authorized transactions
general (everyday procedures) or specific (non-routine transactions) authorizations
In IT Context
The rules are often embedded within computer programs.
EDI/JIT: automated re-ordering of inventory without human intervention 46

30. Physical Controls Segregation of Duties In IT Context
In manual systems, separation between:
authorizing and processing a transaction
custody and recordkeeping of the asset
subtasks
In computerized systems, separation between:
program coding
program processing
program maintenance
In IT Context
A computer program may perform many tasks that are deemed incompatible.
Thus the crucial need to separate program development, program operations, and program maintenance. 44

31. Physical Controls Supervision IT Context Accounting Records
a compensation for lack of segregation; some may be built into computer systems
IT Context
The ability to assess competent employees becomes more challenging due to the greater technical knowledge required.
Accounting Records
provide an audit trail
ledger accounts and sometimes source documents are kept magnetically
no audit trail is readily apparent 46

32. Physical Controls Access Controls IT Context Independent Verification
help to safeguard assets by restricting physical access to them
IT Context
Data consolidation exposes the organization to computer fraud and excessive losses from disaster.
Independent Verification
reviewing batch totals or reconciling subsidiary accounts with control accounts
When tasks are performed by the computer rather than manually, the need for an independent check is not necessary.
However, the programs themselves are checked. 47