m3 Ethics, Fraud & Internal Control

Chapter 3
z
Ethics, Fraud,
and Internal
Control
James A. Hall, Accounting Information Systems, 10th Edition. © 2019
Cengage. All Rights Reserved. May not be scanned, copied or duplicated,
or posted to a publicly accessible website, in whole or in part.
2
z
Learning Objectives
▪ Understand the broad issues pertaining to business

ethics.
▪ Have a basic understanding of ethical issues related to
the use of information technology.
▪ Be able to distinguish between management fraud and
employee fraud.
▪ Be familiar with common types of fraud schemes.
▪ Be familiar with the key features of the COSO internal

control framework.
▪ Understand the objectives and application of both
physical and IT control activities.
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
3
z
Ethical Issues in Business
▪ Ethical standards are derived from societal mores

and deep-rooted personal beliefs about issues of
right and wrong that are not universally agreed
upon.
▪ Often, we confuse ethical issues with legal issues.
4
z
BUSINESS ETHICS
▪ Ethics are the principles of conduct that individuals

use in making choices that guide their behavior in
situations involving the concepts of right and wrong.
▪ Business ethics pertains to the principles of conduct
that individuals use in making choices and guiding
their behavior in situations that involve the concepts of
right and wrong.
▪ Making Ethical Decisions
• Ethical responsibility is the responsibility of organization
managers to seek a balance between the risks and
benefits to their constituents that result from their
decisions.
• PROPORTIONALITY
5
z
Ethical Issues in Business
6
z
COMPUTER ETHICS
▪ Computer ethics is the analysis of the nature and social
impact of computer technology and the corresponding
formulation and justification of policies for the ethical use of
such technology. This includes details about software as well
as hardware and concerns about networks connecting
computers as well as computers themselves.
▪ A new problem or just a new twist on an old problem?
▪ Privacy
• Privacy is full control of what and how much information about an
individual is available to others and to whom it is available.
• Ownership is the state or fact of exclusive rights and control over

property, which may be an object, land/real estate, intellectual
property, or some other kind of property.
7
z
COMPUTER ETHICS (continued)
▪ Security (Accuracy and Confidentiality)
▪ Computer security is an attempt to avoid such undesirable

events as a loss of confidentiality or data integrity.
▪ Ownership of Property
▪ Equity in Access
▪ Environmental Issues
▪ Artificial Intelligence
▪ Unemployment and Displacement
▪ Misuse of Computers
8
z
SARBANES-OXLEY ACT AND
ETHICAL ISSUES
▪ Sarbanes-Oxley Act (SOX) is the most significant federal
securities law, with provisions designed to deal with specific
problems relating to capital markets, corporate governance, and
the auditing profession.
▪ Section 406—Code of Ethics for Senior Financial Officers
• CONFLICTS OF INTEREST
• FULL AND FAIR DISCLOSURES
• LEGAL COMPLIANCE
• INTERNAL REPORTING OF CODE VIOLATIONS
• ACCOUNTABILITY
9
z
Fraud and Accountants
▪ The passage of SOX has had a tremendous impact on the

external auditor’s responsibilities for fraud detection during
a financial audit.
▪ The Statement on Auditing Standards (SAS) No. 99 is

the current authoritative document that defines fraud as an
intentional act that results in a material misstatement in
financial statements.
▪ The objective of SAS 99 is to seamlessly blend the auditor’s

consideration of fraud into all phases of the audit process.
10
z
DEFINITIONS OF FRAUD
▪ Fraud is the false representation of a material fact made by

one party to another party, with the intent to deceive and
induce the other party to justifiably rely on the material fact
to his or her detriment.
▪ Employee fraud is the performance fraud by

nonmanagement employee generally designed to directly
convert cash or other assets to the employee’s personal
benefit.
▪ Management fraud is the performance fraud that often

uses deceptive practices to inflate earnings or to forestall
the recognition of either insolvency or a decline in earnings.
11
z
THE FRAUD TRIANGLE (J. Hall)
▪ The fraud triangle is a triad of factors associated with

management and employee fraud: situational pressure (includes
personal or job-related stresses that could coerce an individual
to act dishonestly); opportunity (involves direct access to assets
and/ or access to information that controls assets); and ethics
(pertains to one’s character and degree of moral opposition to
acts of dishonesty).
12
z
Fraud Triangle
13
z
The Fraud Triangle (ACFE)
▪ The fraud triangle is a model for
explaining the factors that
cause someone to commit
occupational fraud. It consists
of three components which,
together, lead to fraudulent
behavior:
▪ 1. Perceived unshareable
financial need
▪ 2. Perceived opportunity
▪ 3. Rationalization
https://www.acfe.com/fraud-triangle.aspx
14
z
The Fraud Diamond (Wolfe & Hermanson)
15
z
FINANCIAL LOSSES FROM
FRAUD
▪ The actual cost of fraud is, however, difficult to quantify for a
number of reasons:
▪ Not all fraud is detected.
▪ Of that detected, not all is reported.
▪ In many fraud cases, incomplete information is gathered.
▪ Information is not properly distributed to management or law
enforcement authorities.
▪ Too often, business organizations decide to take no civil or criminal
action against the perpetrator(s) of fraud.
▪ In addition to the direct economic loss to the organization,

indirect costs—including reduced productivity, the cost of legal
action, increased unemployment, and business disruption due
to investigation of the fraud—need to be considered.
16
z
Distribution of Losses
17
z
THE PERPETRATORS OF
FRAUDS
▪ Fraud Losses by Position within the Organization
▪ Individuals in the highest positions within an organization are

beyond the internal control structure and have the greatest access
to company funds and assets.
▪ Fraud Losses and the Collusion Effect

▪ One reason for segregating occupational duties is to deny potential
perpetrators the opportunity they need to commit fraud. When
individuals in critical positions collude, they create opportunities to
control or gain access to assets that otherwise would not exist.
▪ Fraud Losses by Gender

▪ Women are not fundamentally more honest than men, but men
occupy high corporate positions in greater numbers than women.
This affords men greater access to assets.
18
z
Losses from Fraud by Position
19
z
Losses from Fraud by Collusion
20
z
Losses from Fraud by Gender
21
z
THE PERPETRATORS OF
FRAUDS (continued)
▪ Fraud Losses by Age

▪ Older employees tend to occupy higher-ranking positions and
therefore generally have greater access to company assets.
▪ Fraud Losses by Education
▪ Generally, those with more education occupy higher positions in

their organizations and therefore have greater access to
company funds and other assets.
▪ Conclusions to Be Drawn
22
z
Losses from Fraud by Age
23
z
Losses from Fraud by Education
Level
24
z
FRAUD SCHEMES
▪ Fraudulent Statements
▪ Fraudulent statements are statements associated with
management fraud. In this class of fraud scheme, the financial
statement misrepresentation must itself bring direct or indirect
financial benefit to the perpetrator.
• THE UNDERLYING PROBLEMS
• SARBANES-OXLEY ACT AND FRAUD: Public Company

Accounting Oversight Board (PCAOB), which is the federal
organization empowered to set auditing, quality control, and
ethics standards; to inspect registered accounting firms; to
conduct investigations; and to take disciplinary actions.
25
z
FRAUD SCHEMES (continued)
▪ Corruption
▪ Corruption involves an executive, a manager, or an employee
of the organization in collusion with an outsider.
▪ Bribery involves giving, offering, soliciting, or receiving things of

value to influence an official in the performance of his or her
lawful duties.
• An illegal gratuity involves giving, receiving, offering, or

soliciting something of value because of an official act that has
been taken.
▪ A conflict of interest is an outline of procedures for dealing with

actual or apparent conflicts of interest between personal and
professional relationships.
26
z
▪ Corruption (continued)
▪ Economic extortion is the use (or threat) of force (including

economic sanctions) by an individual or organization to obtain
something of value. The item of value could be a financial or
economic asset, information, or cooperation to obtain a favorable
decision on some matter under review.
▪ Asset Misappropriation
▪ Skimming
• Skimming involves stealing cash from an organization before it is

recorded on the organization’s books and records. Another example
is mail room fraud, in which an employee opening the mail steals a
customer’s check and destroys the associated remittance advice.
27
z
Losses from Fraud by Scheme
Type
28
z
Losses from Asset Misappropriation
Schemes
29
z
▪ Cash Larceny
▪ Cash larceny is theft of cash receipts from an organization after
those receipts have been recorded in the organization’s books
and records.
▪ Lapping is the use of customer checks, received in payment of

their accounts, to conceal cash previously stolen by an employee.
▪ Billing Schemes
▪ Billing schemes, also known as vendor fraud, are schemes
under which an employee causes the employer to issue a
payment to a false supplier or vendor by submitting invoices for
fictitious goods/services, inflated invoices, or invoices for
personal purchases.
30
z
▪ Billing Schemes (continued)

▪ A shell company is establishing a false vendor on the company’s
books, and then making false purchase orders, receiving reports,
and invoices in the name of the vendor and submitting them to the
accounting system, creating the illusion of a legitimate transaction.
The system ultimately issues a check to the false vendor.
▪ A pass-through fraud is similar to shell company fraud except that
a transaction actually takes place. The perpetrator creates a false
vendor and issues purchase orders to it for inventory or supplies.
The false vendor purchases the needed inventory from a legitimate
vendor, charges the victim company a much higher than market
price for the items, and pockets the difference.
▪ A pay-and-return is a scheme under which a clerk with check
writing authority pays a vendor twice for the same products
(inventory or supplies) received and then intercepts and cashes the
overpayment returned by the vendor.
31
z
▪ Check Tampering
▪ Check tampering involves forging, or changing in some material

way, a check that was written to a legitimate payee.
▪ Payroll Fraud
• Payroll fraud is the distribution of fraudulent paychecks to

existent and/or nonexistent employees.
▪ Expense Reimbursements
▪ Expense reimbursement fraud involves claiming
reimbursement of fictitious or inflated business expenses.
▪ Thefts of Cash
▪ Thefts of cash is the direct theft of cash on hand in the

organization.
32
z
▪ Noncash Misappropriations
▪ Noncash fraud is the theft or misuse of non-cash assets (e.g.,
inventory, confidential information).
▪ Computer Fraud
▪ Computer fraud involves theft, misuse, or misappropriation of
assets by altering computer-readable records and files, or by
altering the logic of computer software; the illegal use of
computer-readable information; or the intentional destruction of
computer software or hardware.
33
(ACFE).
THE FRAUD TREE.
34
z
Internal Control Concepts and
Techniques
▪ The internal control system is a set of policies a firm

employs to safeguard the firm’s assets, ensure accurate
and reliable accounting records and information, promote
efficiency, and measure compliance with established
policies.
▪ Modifying Assumptions
▪ Management responsibility is the concept under which the responsibility
for the establishment and maintenance of a system of internal control falls to
management.
▪ Reasonable assurance is an assurance provided by the internal control
system that the four broad objectives of internal control are met in a cost-
effective manner.
▪ METHODS OF DATA PROCESSING
▪ LIMITATIONS
35
z
Techniques (continued)
▪ Control Weaknesses and Risks
▪ Control weaknesses increase the firm’s risk to financial loss or

injury from the threats.
▪ The Preventive-Detective-Corrective Internal Control Model

▪ Preventive controls are passive techniques designed to
reduce the frequency of occurrence of undesirable events.
▪ Detective controls are devices, techniques, and procedures

designed to identify and expose undesirable events that elude
preventive controls.
36
z
Internal Control Shield
37
z
Preventive, Detective, and
Corrective Controls
38
z
Techniques (continued)
▪ The Preventive-Detective-Corrective Internal Control Model
(continued)
▪ Corrective controls are actions taken to reverse the effects of errors
detected. Statement on Auditing Standards (SAS) No. 109 is the
current authoritative document for specifying internal control objectives
and techniques. It is based on the COSO framework.
▪ Sarbanes-Oxley and Internal Control

▪ Committee of Sponsoring Organizations of the Treadway
Commission (COSO) is a joint initiative of five private sector
organizations and is dedicated to providing thought leadership through
the development of frameworks and guidance on enterprise risk
management, internal control, and fraud deterrence.
39
z
COSO INTERNAL CONTROL
FRAMEWORK
▪ The Control Environment
• The control environment is the foundation of internal control.
▪ Risk Assessment
▪ Risk assessment is the identification, analysis, and
management of risks relevant to financial reporting.
▪ Information and Communication
▪ Monitoring
• Monitoring is the process by which the quality of internal control
design and operation can be assessed.
40
z
FRAMEWORK (continued)
▪ Control Activities
▪ Control activities are the policies and procedures to ensure that
appropriate actions are taken to deal with the organization’s risks.
▪ IT CONTROLS: General controls are controls that pertain to

entity-wide concerns such as controls over the data center,
organization databases, systems development, and program
maintenance. Application controls are controls that ensure the
integrity of specific systems.
▪ PHYSICAL CONTROLS
▪ Transaction authorization is a procedure to ensure that

employees process only valid transactions within the scope of their
authority.
41
z
FRAMEWORK (continued)
▪ Control Activities (continued)
▪ Segregation of duties is the separation of employee duties to
minimize incompatible functions.
▪ Supervision is a control activity involving the critical oversight

of employees.
▪ The accounting records of an organization consist of

documents, journals, or ledgers used in transaction cycles.
▪ Access controls are controls that ensure that only authorized

personnel have access to the firm’s assets.
• Verification procedures are independent checks of the

accounting system to identify errors and misrepresentations.
42
z
Segregation of Duties Objectives
43
z
IT APPLICATION CONTROLS
▪ Input Controls
▪ Input controls are programmed procedures, often called edits, that
perform tests on transaction data to ensure that they are free from
errors.
▪ CHECK DIGIT: Transcription errors are the type of errors that can
corrupt a data code and cause processing errors. Transposition errors
are errors that occur when digits are transposed. A check digit is a
method for detecting data coding errors in which a control digit is added
to the code when it is originally designed to allow the integrity of the
code to be established during subsequent processing.
• MISSING DATA CHECK
• NUMERIC-ALPHABETIC CHECK
• LIMIT CHECK
▪ RANGE CHECK
44
z
(continued)
▪ Input Controls (continued)
▪ REASONABLENESS CHECK
▪ VALIDITY CHECK
▪ Processing Controls
▪ Batch controls is an effective method of managing high volumes of
transaction data through a system.
▪ Run-to-run controls are controls that use batch figures to monitor

the batch as it moves from one programmed procedure to another.
▪ Hash total is a control technique that uses nonfinancial data to keep

track of the records in a batch.
45
z
Batch Control Record
46
z Run-to-Run Controls
47
z
(continued)
▪ Audit Trail Controls
▪ Audit trail controls ensures that every transaction

can be traced through each stage of processing from
its economic source to its presentation in financial
statements.
• TRANSACTION LOGS
• LOG OF AUTOMATIC TRANSACTIONS
▪ Master File Backup Controls
48
z
Transaction Log to Preserve the
Audit Trail
49
z
GFS BACKUP TECHNIQUE
▪ The grandfather-father-son (GFS) is a back-up

technique employed by systems that use sequential
master files (whether tape or disk). It is an integral
part of the master file update process.
▪ The systems designer determines the number of

backup master files needed for each application.
Two factors influence this decision: (1) the financial
significance of the system and (2) the degree of file
activity.
50
z
Grandfather-Father-Son Approach
51
z
BACKUP PROCESS IN BATCH
SYSTEM USING DIRECT ACCESS
FILES
▪ Each record in a direct access file is assigned a

unique disk location or address that is determined
by its primary key value.
▪ The destructive update approach leaves no backup

copy of the original master file.
52
z
Destructive Update Approach
53
z
Backup Procedures for Batch
Systems Using Direct Access Files
54
z
BACKUP OF MASTER FILES IN A
REAL-TIME SYSTEM
▪ Real-time systems pose a more difficult problem

because transactions are being processed
continuously.
▪ Backup procedures are therefore scheduled at

prespecified intervals throughout the day (e.g.,
every 15 minutes).
55
z
Backup Procedures for Real-Time
Processing System
56
z
OUTPUT CONTROLS
▪ Controlling Hard-Copy Output
▪ OUTPUT SPOOLING: Spooling is directing an

application’s output to a magnetic disk file rather than
to the printer directly.
• PRINT PROGRAMS
• WASTE
• REPORT DISTRIBUTION
• END-USER CONTROLS
▪ Controlling Digital Output
57
z
Stages in the Output Process

m3 Ethics, Fraud &amp; Internal Control

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

m3 Ethics, Fraud &amp; Internal Control

Uploaded by

Copyright:

Available Formats

Chapter 3

▪ Understand the broad issues pertaining to business

▪ Be familiar with the key features of the COSO internal

▪ Ethical standards are derived from societal mores

▪ Often, we confuse ethical issues with legal issues.

▪ Ethics are the principles of conduct that individuals

▪ A new problem or just a new twist on an old problem?

• Ownership is the state or fact of exclusive rights and control over

▪ Security (Accuracy and Confidentiality)

▪ Computer security is an attempt to avoid such undesirable

▪ Unemployment and Displacement

▪ Section 406—Code of Ethics for Senior Financial Officers

• FULL AND FAIR DISCLOSURES

• INTERNAL REPORTING OF CODE VIOLATIONS

▪ The passage of SOX has had a tremendous impact on the

▪ The Statement on Auditing Standards (SAS) No. 99 is

▪ The objective of SAS 99 is to seamlessly blend the auditor’s

▪ Fraud is the false representation of a material fact made by

▪ Employee fraud is the performance fraud by

▪ Management fraud is the performance fraud that often

▪ The fraud triangle is a triad of factors associated with

▪ In addition to the direct economic loss to the organization,

▪ Individuals in the highest positions within an organization are

▪ Fraud Losses and the Collusion Effect

▪ Fraud Losses by Gender

▪ Fraud Losses by Age

▪ Fraud Losses by Education

▪ Generally, those with more education occupy higher positions in

• THE UNDERLYING PROBLEMS

• SARBANES-OXLEY ACT AND FRAUD: Public Company

▪ Bribery involves giving, offering, soliciting, or receiving things of

• An illegal gratuity involves giving, receiving, offering, or

▪ A conflict of interest is an outline of procedures for dealing with

▪ Economic extortion is the use (or threat) of force (including

• Skimming involves stealing cash from an organization before it is

▪ Lapping is the use of customer checks, received in payment of

▪ Billing Schemes (continued)

▪ Check tampering involves forging, or changing in some material

• Payroll fraud is the distribution of fraudulent paychecks to

▪ Thefts of cash is the direct theft of cash on hand in the

▪ The internal control system is a set of policies a firm

▪ Control Weaknesses and Risks

▪ Control weaknesses increase the firm’s risk to financial loss or

▪ The Preventive-Detective-Corrective Internal Control Model

▪ Detective controls are devices, techniques, and procedures

▪ Sarbanes-Oxley and Internal Control

▪ The Control Environment

• The control environment is the foundation of internal control.

▪ Information and Communication

▪ IT CONTROLS: General controls are controls that pertain to

▪ Transaction authorization is a procedure to ensure that

▪ Supervision is a control activity involving the critical oversight

▪ The accounting records of an organization consist of

▪ Access controls are controls that ensure that only authorized

• Verification procedures are independent checks of the

▪ Input Controls (continued)

▪ Run-to-run controls are controls that use batch figures to monitor

▪ Hash total is a control technique that uses nonfinancial data to keep

▪ Audit Trail Controls

▪ Audit trail controls ensures that every transaction

• LOG OF AUTOMATIC TRANSACTIONS

▪ Master File Backup Controls

▪ The grandfather-father-son (GFS) is a back-up

▪ The systems designer determines the number of

m3 Ethics, Fraud & Internal Control

m3 Ethics, Fraud & Internal Control