CHAPTER 3
Ethics, Fraud, and Internal Control
Ethical Issues in Business
• Ethical standards are derived from societal mores
and deep-rooted personal beliefs about issues of
right and wrong that are not universally agreed
upon.
• Ethics are the principles of conduct that
individuals use in making choices that guide their
behaviour in situations involving the concepts of
right and wrong.
• Often, we confuse ethical issues with legal issues.
BUSINESS ETHICS
• Business ethics involves answering two
questions:
o How do managers decide what is right in
conducting business?
o Once recognized, how do managers
achieve what is right?
• Making Ethical Decisions
o Businesses having conflicting
responsibilities to employees,
shareholders, customers and the public.
o Ethical responsibility is the
responsibility of organization managers
to seek a balance between the risks and
benefits to their constituents that result
from their decisions.
• PROPORTIONALITY - The benefit from a
decision must outweigh the risks and no
alternative should provide greater or same
benefit with less risk.
COMPUTER ETHICS
• Computer ethics is the analysis of the nature
and social impact of computer technology and the
corresponding formulation and justification of
policies for the ethical use of such technology.
This includes details about software as well as
hardware and concerns about networks
connecting computers as well as computers
themselves.
3 Levels of Computer Ethics
1. Pop – exposure to stories about computer
technology on popular media;
2. Para – having real interest in computer ethics;
acquiring skill and level in the field (e.g. for
systems professional and AIS students);
3. Theoretical – for multidisciplinary researchers;
applying theories of other fields (e.g. philo, socio,
psych) to computer science
• A new problem or just a new twist on an old
problem?
• Privacy
o Privacy is full control of what and how
much information about an individual is
available to others and to whom it is
available.
• Ownership
o The creation and maintenance of shared
databases make it necessary to protect
people from the potential misuse of data.
o It is the state or fact of exclusive rights
and control over property, which may be
an object, land/real estate, intellectual
property, or some other kind of property.
• Security (Accuracy and Confidentiality)
o Computer security is an attempt to
avoid such undesirable events as a loss
of confidentiality or data integrity.
• Ownership of Property
o What can an individual or organization
own?
• Equity in Access
o related to economic status, culture and
safety.
• Environmental Issues
o e.g. papers from trees
• Artificial Intelligence
o e.g. responsibility of decision making by
expert systems
• Unemployment and Displacement
o e.g. employers responsible in retraining
displaced employees due to
computerization?
• Misuse of Computers
o e.g. copying software, used personally
SARBANES-OXLEY ACT AND ETHICAL ISSUES
• Sarbanes-Oxley Act (SOX) is the most
significant federal securities law, with provisions
designed to deal with specific problems relating
to capital markets, corporate governance, and
the auditing profession.
• It requires public companies to disclose to the
SEC if they have a code of ethics that applies to
 the CEO, CFO and controller. If a company does
not have a code, it must explain why.
Section 406—Code of Ethics for Senior Financial
Officers
• CONFLICTS OF INTEREST - Procedures for
dealing with conflicts of interest (not necessarily
preventing, provide trainings)
• FULL AND FAIR DISCLOSURES - To ensure
candid, open, truthful disclosures (not complex
and misleading accounting techniques)
• LEGAL COMPLIANCE - Requiring employees to
follow applicable laws, rules and regulations.
• INTERNAL REPORTING OF CODE
VIOLATIONS - A mechanism to permit prompt
internal reporting of ethical violations (whistle
blowers)
• ACCOUNTABILITY - Taking appropriate actions
when code violations occur (audit committee in-
charge).
Fraud and Accountants
• The passage of SOX has had a tremendous
impact on the external auditor’s responsibilities
for fraud detection during a financial audit.
• The Statement on Auditing Standards (SAS)
No. 99 is the current authoritative document that
defines fraud as an intentional act that results in
a material misstatement in financial statements.
• The objective of SAS 99 is to seamlessly blend the
auditor’s consideration of fraud into all phases of
the audit process.
DEFINITIONS OF FRAUD
• Fraud is the false representation of a material
fact made by one party to another party, with the
intent to deceive and induce the other party to
justifiably rely on the material fact to his or her
detriment.
• Act must meet five conditions:
o False representation: false statement
or disclosure.
o Material fact: fact must be substantial
factor in inducing someone to act.
o Intent to deceive: must exist or
knowledge that statement is false.
o Justifiable reliance:
misrepresentation must have been a
substantial factor relied on.
o Injury or loss: must have been
sustained by the victim.
• Fraud in business has a more specialized
meaning:
o Intentional deception, asset
misappropriation or financial data
manipulation to the advantage of the
perpetrator.
o White collar crime, defalcation,
embezzlement and irregularities.
• Employee fraud is the performance fraud by
non-management employee generally designed
to directly convert cash or other assets to the
employee’s personal benefit.
• Management fraud is the performance fraud
that often uses deceptive practices to inflate
earnings or to forestall the recognition of either
insolvency or a decline in earnings. It does not
involve direct theft and is more harmful as it
usually involves material misstatements of
financial data.
o Perpetrated at levels of management
above internal control structures.
o Frequently involves exaggerated financial
statement results.
o Misappropriation of assets often
shrouded in complex transactions
involving related third parties.
THE FRAUD TRIANGLE
• The fraud triangle is a triad of factors
associated with management and employee
fraud:
o situational pressure (includes personal or
job-related stresses that could coerce an
individual to act dishonestly);
o opportunity (involves direct access to
assets and/ or access to information that
controls assets); and
o ethics (pertains to one’s character and
degree of moral opposition to acts of
dishonesty).
FINANCIAL LOSSES FROM FRAUD
• A recent study suggests fraud losses equal 5% of
revenue.
• The actual cost of fraud is, however, difficult to
quantify for a number of reasons:
o Not all fraud is detected.
o Of that detected, not all is reported.
o In many fraud cases, incomplete
information is gathered.
 o Information is not properly distributed to
management or law enforcement
authorities.
o Too often, business organizations decide
to take no civil or criminal action against
the perpetrator(s) of fraud.
• In addition to the direct economic loss to the
organization, indirect costs—including reduced
productivity, the cost of legal action, increased
unemployment, and business disruption due to
investigation of the fraud—need to be
considered.
• Collusion in the commission of a fraud is difficult
to prevent and detect.
Distribution of Losses
THE PERPETRATORS OF FRAUDS
• Fraud Losses by Position within the Organization
o Individuals in the highest positions within
an organization are beyond the internal
control structure and have the greatest
access to company funds and assets.
• Fraud Losses and the Collusion Effect
o One reason for segregating occupational
duties is to deny potential perpetrators
the opportunity they need to commit
fraud.
o When individuals in critical positions
collude, they create opportunities to
control or gain access to assets that
otherwise would not exist.
• Fraud Losses by Gender
o Women are not fundamentally more
honest than men, but men occupy high
corporate positions in greater numbers
than women.
o This affords men greater access to
assets.
• Fraud Losses by Age
o Older employees tend to occupy higher-
ranking positions and therefore generally
have greater access to company assets.
• Fraud Losses by Education
o Generally, those with more education
occupy higher positions in their
organizations and therefore have greater
access to company funds and other
assets.
Conclusions to Be Drawn
• Opportunity factor, other than situational
pressure and ethics, explains much of the
financial loss differential
• Those in higher position – with greatest access to
the assets
• Position – those with highest position are above
the internal control
• Gender – more men occupy the higher corporate
positions
• Age – older employees occupy higher positions
• Education – those with higher education occupy
higher positions
• Collusion – it creates opportunities for greater
access to assets that otherwise would not exist
FRAUD SCHEMES
Fraudulent Statements
• Fraudulent statements are statements
associated with management fraud.
• In this class of fraud scheme, the financial
statement misrepresentation must itself bring
direct or indirect financial benefit to the
perpetrator.
THE UNDERLYING PROBLEMS
• Lack of Auditor Independence: Audit firms also
engaged by their clients to perform non-
accounting activities.
 • Lack of Director Independence: Many board of
directors are comprised of directors who are not
independent.
• Questionable Executive Compensation Schemes:
Stock options as compensation result in strategies
aimed at driving up stock prices at the expense
of the firm’s long-term health.
o In extreme cases financial statement
misrepresentation has been used to
achieve stock prices needed to exercise
options
• Inappropriate Accounting Practices: Common
characteristic to many financial statement fraud
schemes.
• SOX establishes a framework for oversight and
regulation of public companies. Principal reforms
pertain to:
o Creation of the Public Company
Accounting Oversight Board
(PCAOB) to set standards, inspect firms,
conduct investigations and take regulator
actions.
o Auditor independence: More separation
between a firm’s attestation and non-
auditing activities.
o Corporate governance and responsibility:
Audit committee members must be
independent and committee must hire
and oversee the external auditors.
o Issuer and management disclosure:
Increased requirements.
o Fraud and criminal penalties: New
penalties for destroying or tampering
with documents, securities fraud, and
taking actions against whistleblowers.
Corruption
• Corruption involves an executive, a manager, or
an employee of the organization in collusion with
an outsider.
• Bribery involves giving, offering, soliciting, or
receiving things of value to influence an official in
the performance of his or her lawful duties.
• An illegal gratuity involves giving, receiving,
offering, or soliciting something of value because
of an official act that has been taken. Similar to a
bribe, but after the fact.
• A conflict of interest is an outline of procedures
for dealing with actual or apparent conflicts of
interest between personal and professional
relationships.
• Economic extortion is the use (or threat) of
force (including economic sanctions) by an
individual or organization to obtain something of
value.
o The item of value could be a financial or
economic asset, information, or
cooperation to obtain a favorable
decision on some matter under review.
• Asset Misappropriation
o most common fraud schemes involve
some type of asset misappropriation
(almost 90% according to ACFE study).
• Skimming involves skimming cash from an
organization before it is recorded on the
organization’s books and records.
o Another example is mail room fraud,
in which an employee opening the mail
steals a customer’s check and destroys
the associated remittance advice.
• Cash larceny is theft of cash receipts from an
organization after those receipts have been
recorded in the organization’s books and records.
o Lapping is the use of customer checks,
received in payment of their accounts, to
conceal cash previously stolen by an
employee.
• Billing schemes, also known as vendor fraud,
are schemes under which an employee causes
the employer to issue a payment to a false
supplier or vendor by submitting invoices for
fictitious goods/services, inflated invoices, or
invoices for personal purchases.
o A shell company is establishing a false
vendor on the company’s books, and
then making false purchase orders,
receiving reports, and invoices in the
name of the vendor and submitting them
to the accounting system, creating the
illusion of a legitimate transaction. The
system ultimately issues a check to the
false vendor.
o A pass-through fraud is similar to shell
company fraud except that a transaction
actually takes place. The perpetrator
creates a false vendor and issues
purchase orders to it for inventory or
supplies. The false vendor purchases the
needed inventory from a legitimate
vendor, charges the victim company a
much higher than market price for the
items, and pockets the difference.
o A pay-and-return is a scheme under
which a clerk with check writing authority
pays a vendor twice for the same
products (inventory or supplies) received
and then intercepts and cashes the
overpayment returned by the vendor.
• Check tampering involves forging, or changing
in some material way, a check that was written to
a legitimate payee.
• Payroll fraud is the distribution of fraudulent
paychecks to existent and/or nonexistent
employees.
• Expense reimbursement fraud involves
claiming reimbursement of fictitious or inflated
business expenses.
• Thefts of cash is the direct theft of cash on hand
in the organization.
 • Noncash fraud is the theft or misuse of non-
cash assets (e.g., inventory, confidential
information).
• Computer fraud involves theft, misuse, or
misappropriation of assets by altering computer-
readable records and files, or by altering the logic
of computer software; the illegal use of
computer-readable information; or the intentional
destruction of computer software or hardware.
Losses from Asset Misappropriation Schemes
The Preventive-Detective-Corrective Internal
Control Model
• Preventive controls are passive techniques
designed to reduce the frequency of occurrence
of undesirable events by forcing compliance with
prescribed or desired actions. Preventing errors
and fraud is more cost-effective than detecting
and correcting them.
• Detective controls are devices, techniques, and
procedures designed to identify and expose
undesirable events that elude preventive
controls.
• Corrective controls are actions taken to
reverse the effects of errors detected.

Internal Control Shield

Losses from Fraud by Scheme Type

INTERNAL CONTROL CONCEPTS AND

TECHNIQUES
• The internal control system is a set of policies
a firm employs to safeguard the firm’s assets,
ensure accurate and reliable accounting records
and information, promote efficiency, and
measure compliance with established policies.
• Modifying Assumptions (inherent to the control
objectives; guide designers and auditors of
internal controls)
o Management responsibility is the
concept under which the responsibility
for the establishment and maintenance
of a system of internal control falls to Preventive, Detective, and Corrective Controls
management.
o Reasonable assurance is an assurance
provided by the internal control system
that the four broad objectives of internal
control are met in a cost-effective
manner. Cost of achieving objectives
should not outweigh the benefits.
• METHODS OF DATA PROCESSING. Control
techniques vary with different types of
technology.
• LIMITATIONS. These include (1) possibility of
error, (2) circumvention, (3) management
override and (4) changing conditions.

Control Weaknesses and Risks

• Control weaknesses increase the firm’s risk to
financial loss or injury from the threats.
 • Statement on Auditing Standards (SAS) No.
109 is the current authoritative document for
specifying internal control objectives and
techniques. It is based on the COSO framework.
• SOX and Internal Control:
o Public company management
responsibilities are codified in Sections
302 and 404 of SOX:
o Section 302 requires management to
certify organization’s internal controls on
a quarterly and annual basis.
o Section 404 requires management to
assess internal control effectiveness.
o Committee of Sponsoring
Organizations of the Treadway
Commission (COSO) is a joint initiative
of five private sector organizations and is
dedicated to providing thought
leadership through the development of
frameworks and guidance on enterprise
risk management, internal control, and
fraud deterrence.
COSO internal control framework five
components:
• The Control Environment
o The control environment is the
foundation of internal control.
o It sets the tone for the organization and
influences control awareness.
o SAS 109 requires auditors obtain
sufficient knowledge to assess attitudes
and awareness of the management,
board and owners regarding internal
controls.
o As a minimum, board should adopt the
provisions of SOX.
• Risk Assessment
o Risk assessment is the identification,
analysis, and management of risks
relevant to financial reporting.
• Information and Communication
o The quality of information the AIS
generates impacts management’s ability
to take actions and make decisions.
o An effective accounting information
system records all valid transactions and
provides timely and accurate information.
• Monitoring
o Monitoring is the process by which the
quality of internal control design and
operation can be assessed.
o This can be done thru separate
procedures (e.g. internal audits) or
ongoing activities (e.g. computer
modules, management reports)
• Control Activities
o Control activities are the policies and
procedures to ensure that appropriate
actions are taken to deal with the
organization’s risks.
o IT CONTROLS: General controls are
controls that pertain to entity-wide
concerns such as controls over the data
center, organization databases, systems
development, and program maintenance.
Application controls are controls that
ensure the integrity of specific systems.
o PHYSICAL CONTROLS relate to human
activities.
o Transaction authorization is a
procedure to ensure that employees
process only valid transactions within the
scope of their authority.
o Segregation of duties is the separation
of employee duties to minimize
incompatible functions. These include
separating: (1) transaction authorization
and processing, (2) asset custody and
record-keeping, (3) tasks so that
successful fraud must require collusion.
o Supervision is a control activity
involving the critical oversight of
employees. It is a compensating control
in organizations too small for sufficient
segregation of duties.
o The accounting records of an
organization consist of documents,
journals, or ledgers used in transaction
cycles. These capture economic essence
and provide an audit trail.
o Access controls are controls that
ensure that only authorized personnel
have access to the firm’s assets.
Segregation of Duties Objectives
o Verification procedures are
independent checks of the accounting
system to identify errors and
misrepresentations.
o These differ from supervision – these
happen after the fact by an individual not
directly involved in the transaction or task
being verified. Supervision happens
 during the activity by a superior directly • Hash total is a control technique that uses
responsible for the task. nonfinancial data to keep track of the records in
o Management can assess (1) individual a batch.
performance, (2) system integrity and (3)
data correctness. Batch Control Record
o Includes:
• Reconciling batch totals during
transaction processing.
• Comparing physical assets with
accounting records.
• Reconciling subsidiary accounts
with control accounts.
• Reviewing management reports
that summarize business Run-to-Run Controls
activities.

IT APPLICATION CONTROLS
• are associated with applications.

Input controls are programmed procedures, often

called edits, that perform tests on transaction data to
ensure that they are free from errors.
• CHECK DIGIT: A check digit is a method for
detecting data coding errors in which a control
digit is added to the code when it is originally
designed to allow the integrity of the code to be
established during subsequent processing.
o It allows integrity to be established
during processing and helps prevent two
common errors:
o Transcription errors are the type of
errors that can corrupt a data code and
cause processing errors.
o Transposition errors are errors that
occur when digits are transposed.
• MISSING DATA CHECK identifies blank or • Audit trail controls ensures that every
incomplete input fields. transaction can be traced through each stage of
• NUMERIC-ALPHABETIC CHECK identifies data in processing from its economic source to its
the wrong form. presentation in financial statements.
• LIMIT CHECK identify fields that exceed • Every transaction the system processes, including
authorized limits. automatic ones, should be recorded on a
• RANGE CHECK verify that all amounts fall within transaction log.
an acceptable range. o TRANSACTION LOGS – serve as journals;
• REASONABLENESS CHECK verify that amounts contain only successful transactions
that have based limit and range checks are o LOG OF AUTOMATIC TRANSACTIONS –
reasonable.* log or audit trail of internally generated
• VALIDITY CHECK compare actual fields against transactions (system triggered).
acceptable values.
Transaction Log to Preserve the Audit Trail
Processing Controls are programmed procedures to
ensure an application’s logic is functioning properly.
• Batch controls is an effective method of
managing high volumes of transaction data
through a system.
o The objective is to reconcile system
output with original input.
• Run-to-run controls are controls that use
batch figures to monitor the batch as it moves
from one programmed procedure to another.

MASTERFILE BACK-UP CONTROLS AND GFS
BACKUP TECHNIQUE
• Master File Backup Controls may be viewed as
either a general control or an application control.
o The grandfather-father-son (GFS) is
a back-up technique employed by
systems that use sequential master files
(whether tape or disk). It is an integral
part of the master file update process.
o The systems designer determines the
number of backup master files needed
for each application. Two factors
influence this decision: (1) the financial
significance of the system and (2) the
degree of file activity.
Grandfather-Father-Son Approach
BACKUP PROCESS IN BATCH SYSTEM USING
DIRECT ACCESS FILES
• Each record in a direct access file is assigned a
unique disk location or address that is determined
by its primary key value.
• The destructive update approach leaves no
backup copy of the original master file. It requires
a special recovery program if data is destroyed or
corrupted.
Destructive Update Approach
Backup Procedures for Batch Systems Using Direct Access
Files
BACKUP OF MASTER FILES IN A REAL-TIME
SYSTEM
• Real-time systems pose a more difficult problem
because transactions are being processed
continuously.
• Backup procedures are therefore scheduled at
pre-specified intervals throughout the day (e.g.,
every 15 minutes).
Backup Procedures for Real-Time Processing System
Output controls are procedures to ensure output is not
lost, misdirected or corrupted and that privacy is not
violated.
• Can cause disruption, financial loss and litigation.
Controlling Hard-Copy Output
• OUTPUT SPOOLING: Spooling is directing an
application’s output to a magnetic disk file rather
than to the printer directly because output data
in output devices can become backlogged
(bottleneck). Proper access and backup
procedures must be in place to protect these
output (spool) files.
• PRINT PROGRAM CONTROLS should be designed
to prevent unauthorized copies and employee
browsing of sensitive data.
• SENSITIVE COMPUTER WASTE should be
shredded for protection.
• REPORT DISTRIBUTION must be controlled.*
• END-USER should examine reports for
correctness, report errors and maintain report
security.
Controlling Digital Output
• Can be directed to the user’s computer screen or
printer
• Threat: interception, disruption, destruction,
corruption of output message
• Two types: a) exposures from equipment failure,
b) exposures from subversive threats

Stages in the Output Process