
BURAO UNIVERSITY

COURSE: ACCOUNTING INFORMATION SYSTEM

CHAPTER FOUR: Fraud, Ethics, and Internal Control

SEMESTER SEVEN: ACCOUNTING

INSTRUCTOR: ABDIHAKIM TIYARI (BA, MBA).

Contact: abdi.177@hotmail.com
Phone number: 063-4075785
Fraud, Ethics, and Internal Control
This chapter will help you gain an understanding of the following concepts:

• An introduction to the need for a code of ethics and internal controls
• The accounting‐related fraud that can occur when ethics codes and internal controls are weak or not correctly applied
• The nature of management fraud
• The nature of employee fraud
• The nature of customer fraud
• The nature of vendor fraud
• The nature of computer fraud
• The policies that assist in the avoidance of fraud and errors
• The maintenance of a code of ethics
• The maintenance of accounting internal controls
• The maintenance of information technology controls
Fraud and Internal Control

Fraud can be defined as the theft, concealment, and conversion to personal gain of another’s money, physical assets, or information.

[Illustration 8-1: Three factors that contribute to fraudulent activity.]

SO 1 Define fraud and internal control.
Fraud and Internal Control

In fraud, there is a distinction between misappropriation of assets and misstatement of financial records.
• Misappropriation of assets: involves theft of any item of value. It is sometimes referred to as a defalcation, or internal theft, and the most common examples are theft of cash or inventory.
  • Restaurants and retail stores are especially susceptible to misappropriation of assets because their assets are readily accessible by employees.
• Misstatement of financial records: involves the falsification of accounting reports. This is often referred to as earnings management, or fraudulent financial reporting.
Categories of Accounting‐Related Fraud

• In an organization, fraud can be perpetrated by four categories of people:
I. Management Fraud
II. Employee Fraud
III. Customer Fraud
IV. Vendor Fraud
Management fraud

• Management fraud, conducted by one or more top‐level managers within the company, is usually in the form of fraudulent financial reporting. Oftentimes, the chief executive officer (CEO) or chief financial officer (CFO) conducts fraud by misstating the financial statements through elaborate schemes or complex transactions.
• The most effective measure to prevent or detect management fraud is to establish a professional internal audit staff that periodically checks up on management activities and reports to the audit committee of the board of directors.
Employee fraud
• Employee fraud is conducted by non‐management employees. This usually means that an employee steals cash or assets for personal gain. While there are many different kinds of employee fraud, some of the most common are as follows:

1. Inventory theft: Inventory can be stolen or misdirected. This could be merchandise, raw materials, supplies, or finished goods inventory.
2. Cash receipts theft: This occurs when an employee steals cash from the company. An example would be the theft of checks collected from customers.
3. Accounts payable fraud: Here, the employee may submit a false invoice, create a fictitious vendor, or collect kickbacks from a vendor. A kickback is a cash payment that the vendor gives the employee in exchange for the sale; it is like a business bribe.
4. Payroll fraud: This occurs when an employee submits a false or inflated time card.
5. Expense account fraud: This occurs when an employee submits false travel or entertainment expenses, or charges an expense account to cover the theft of cash.
Employee fraud

• Cash receipts theft is the most common type of employee fraud. It is often pulled off through a technique known as skimming, where the organization’s cash is stolen before it is entered into the accounting records. This type of theft is the most difficult to discover, since there is no internal record of the cash.
• For example, consider the case of a ticket agent in a movie theater who accepts cash from customers and permits those customers to enter the theater without a ticket. The cash collected could be pocketed by the agent, and there would be no record of the transaction.
Employee fraud

• Fraudsters may also steal the company’s cash after it has been recorded in the accounting records. This practice is known as larceny.
• Consider an example of an employee responsible for making the bank deposit who steals the cash after it has been recorded in the accounts receivable records. This type of fraud is uncommon because the fraudster is likely to be caught, since the accounting records provide evidence of collecting cash.
Employee fraud

• Collusion occurs when two or more people work together to commit a fraud.
• For example, collusion can occur between employees, employees and customers, or employees and vendors. Collusion between employees within a company is the most difficult to prevent or detect because it compromises the effectiveness of internal controls.
Customer fraud

• Customer fraud occurs when a customer improperly obtains cash or property from a company, or avoids a liability through deception.
• Although customer fraud may affect any company, it is an especially common problem for retail firms and companies that sell goods through Internet‐based commerce.
Vendor fraud

• Vendor fraud occurs when vendors obtain payments to which they are not entitled. Unethical vendors may intentionally submit duplicate or incorrect invoices, send shipments in which the quantities are short, or send lower‐quality goods than ordered.
PART TWO: COMPUTER FRAUD

COMPUTER FRAUD
• The sources of computer fraud are divided into internal computer fraud and external computer fraud.

1. Internal Sources of Computer Fraud

When an employee of an organization attempts to conduct fraud through the misuse of a computer‐based system, it is called internal computer fraud. Internal computer fraud concerns each of the following activities:
1. Input manipulation
2. Program manipulation
3. Output manipulation
1. Internal Sources of Computer Fraud

• Input manipulation: usually involves altering data that is input into the computer.
• For example, altering payroll time cards to be entered into a computerized payroll system is a type of input manipulation. Other examples of input manipulation would be creating false or fictitious data inputs, entering data without source documents, or altering payee addresses of vendors or employees.
• Program manipulation: occurs when a program is altered in some fashion to commit a fraud. Examples of program manipulation include the salami technique, Trojan horse programs, and trap door alterations.
• Output manipulation: Computer systems generate many different kinds of output, including checks and reports. If a person alters the system’s checks or reports to commit fraud, this is known as output manipulation.
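
A review script for the input manipulation examples on this slide (altered time cards, entries without source documents, altered payee addresses), plus a same-user approval check that follows from segregation of duties. This is an added example, not part of the original slides; the record layouts, field names and sample data are assumptions constructed for illustration.

```python
import re

# Constructed sample data; all ids, names and addresses are made up.
EMPLOYEE_ADDRESSES = {"E100": "12 Market Road, Unit 3", "E101": "4 Hill Street"}
ENTRIES = [  # transaction inputs keyed into the accounting system
    {"id": "INV-001", "entered_by": "clerk1", "approved_by": "mgr1", "source_doc": "PO-7781"},
    {"id": "INV-002", "entered_by": "clerk2", "approved_by": "mgr1", "source_doc": None},
    {"id": "INV-003", "entered_by": "clerk2", "approved_by": "clerk2", "source_doc": "PO-7790"},
]
CHANGES = [  # master-file and time card edits taken from an audit log
    {"record": "V-210", "field": "payee_address", "new": "12 market road,  unit 3", "after_approval": False},
    {"record": "V-305", "field": "payee_address", "new": "90 Harbor Lane", "after_approval": False},
    {"record": "TC-55", "field": "hours", "new": "52", "after_approval": True},
    {"record": "TC-56", "field": "hours", "new": "40", "after_approval": False},
]

def norm(addr):
    """Normalize an address so case and punctuation differences still match."""
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()

def review_inputs(entries, changes, employee_addresses):
    """Return sorted (record_id, reason) findings for an independent reviewer."""
    findings = set()
    staff = {norm(addr): emp for emp, addr in employee_addresses.items()}
    for e in entries:
        # Data entered without a source document cannot be traced to a real event.
        if not e.get("source_doc"):
            findings.add((e["id"], "entered without source document"))
        # Segregation of duties: the person keying an entry must not approve it.
        if e.get("approved_by") == e["entered_by"]:
            findings.add((e["id"], "entered and approved by same user"))
    for c in changes:
        # A vendor payee address that equals an employee address needs follow-up.
        if c["field"] == "payee_address" and norm(c["new"]) in staff:
            owner = staff[norm(c["new"])]
            findings.add((c["record"], f"payee address matches employee {owner}"))
        # Time card hours should not change once the supervisor has approved them.
        if c["field"] == "hours" and c["after_approval"]:
            findings.add((c["record"], "time card hours altered after approval"))
    return sorted(findings)

if __name__ == "__main__":
    for record_id, reason in review_inputs(ENTRIES, CHANGES, EMPLOYEE_ADDRESSES):
        print(f"{record_id}: {reason}")
```

Each finding is a prompt for follow-up by someone independent of the person who made the entry, not proof of fraud.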
2. External Sources of Computer Fraud

• Two common types of external computer fraud are hacking and spoofing.

Hacking: is the term commonly used for computer network break‐ins. Hacking may be undertaken for various reasons, including industrial espionage, credit card theft from online databases, destruction or alteration of data, or merely thrill‐seeking.
2. External Sources of Computer Fraud

Spoofing: occurs when a person, through a computer system, pretends to be someone else. There are two kinds of spoofing that are currently prevalent:
1. Internet spoofing and
2. e‐mail spoofing.
Policies to Assist in the Avoidance of Fraud and Errors
• Following are three critical actions that an organization can undertake to assist in the prevention or detection of fraud and errors:

1. Maintain and enforce a code of ethics.
2. Maintain a system of accounting internal controls.
3. Maintain a system of information technology controls.

These ongoing actions will not entirely prevent or detect all fraud or errors, but they can greatly reduce the chance of fraud and errors.
1. Maintain and enforce a code of ethics.

2. Maintain a system of accounting internal controls.

[Illustration 8-2: Principles of Internal Control Activities (Physical Controls)]

SO 2 Identify the principles of internal control activities.
3. Maintain a system of information technology controls.
• Risk and controls in IT are divided into five categories in the Trust Services Principles, as follows:
1. Security. The risk related to security is unauthorized access, which may be both physical access and logical access. An example of unauthorized physical access would be a person breaking into the computer room and damaging computer equipment. An example of logical access would be an unauthorized hacker stealing data such as credit card numbers. Internal controls must be designed and implemented to limit both types of unauthorized access.
3. Maintain a system of information technology controls

2. Availability. The risk related to availability is system or subsystem failure due to hardware or software problems. An example of a risk that can cause interruptions to the system would be a virus that causes the system to slow down or fail. Internal controls can be implemented to limit the chances of failure and thereby help improve availability of the system to process information and support ongoing business.
3. Maintain a system of information technology controls

3. Processing integrity. The risk related to processing integrity could be inaccurate, incomplete, or improperly authorized information. An example of this type of risk would be an error in entering hours worked for a worker’s pay.
• The person keying hours worked into the payroll software might accidentally type an incorrect number of hours. Controls should be implemented to reduce erroneous, incomplete, or unauthorized transactions or data.
3. Maintain a system of information technology controls

4. Online privacy. The risk in this area is that personal information about customers may be used inappropriately or accessed by those either inside or outside the company. An example is the theft of credit card numbers when orders are placed through the company website. Internal controls should be implemented to limit the chance of personal information being misused.
5. Confidentiality. The risk related to confidentiality is that confidential information about the company or its business partners may be subject to unauthorized access during its transmission or storage in the IT system. Examples of confidential information are banking information and price lists.
Summary of Study Objectives
• The accounting‐related fraud that can occur when ethics codes and internal controls are weak or not correctly applied. In organizations where codes of ethics are not enforced or when proper controls are not correctly applied, fraud and errors are much more likely to occur. There are many kinds of fraud that can occur, including management fraud, employee fraud, customer fraud, and vendor fraud.
• The nature of management fraud. Management fraud is conducted by upper‐level managers and usually involves fraudulent financial statements. Managers are above the level of most internal controls; therefore, internal controls are usually not effective in preventing or detecting management fraud.
• The nature of employee fraud. Employee fraud is conducted by non‐management employees and usually involves theft or misuse of assets.
Summary of Study Objectives
• The nature of customer fraud. Customer fraud occurs when customers engage in credit card fraud, check fraud, or refund fraud. Internal controls can assist in the prevention or detection of some customer fraud.
• The nature of vendor fraud. Vendor fraud is usually conducted by vendors requesting fictitious or duplicate payments. Internal controls can assist in the prevention or detection of some vendor fraud.
• The nature of computer fraud. Computers can be used internally or by those outside the organization as a tool to conduct such fraud as manipulating transactions or data, and hacking or other network break‐ins. Internal controls and IT controls can assist in the prevention or detection of computer fraud.
Summary of Study Objectives
• The policies that assist in the avoidance of fraud and errors. There are three sets of policies that an organization can institute to help prevent or detect fraud, errors, and ethical violations: implementation and maintenance of a code of ethics, accounting internal controls, and IT controls.
• The maintenance of a code of ethics. When management is unethical, fraud is likely to occur. On the other hand, if the top management of a company emphasizes ethical behavior, models ethical behavior, and hires ethical employees, the chance of fraud or ethical lapses can be reduced.
• The maintenance of accounting internal controls. The components of accounting internal controls are defined by the COSO report as the control environment, risk assessment, control activities, information and communication, and monitoring. Control activities include authorization, segregation of duties, adequate record keeping, security over assets and records, and independent verifications.
Thank you all