Chapter 2: Ethics, Fraud, and Internal Control


Chapter 2 – Part 11: Ethics, Fraud, and Internal Control

James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Learning Objectives
• Understand the broad issues pertaining to business ethics.
• Have a basic understanding of ethical issues related to the use of information technology.
• Be able to distinguish between management fraud and employee fraud.
• Be familiar with common types of fraud schemes.
• Be familiar with the key features of the COSO internal control framework.
• Understand the objectives and application of both physical and IT control activities.

FRAUD SCHEMES
• Three categories of fraud schemes according to the Association of Certified Fraud Examiners (ACFE):
  (1) Fraudulent Statements
  (2) Corruption
  (3) Asset Misappropriation
• Fraudulent Statements
  • Misstating the financial statements to make the company appear better than it is
  • Usually occurs as management fraud
  • For example: understating liabilities to present a more favorable financial picture of the organization.

FRAUD SCHEMES (continued)
• Corruption
  • Corruption involves an executive, a manager, or an employee of the organization in collusion with an outsider.
  • Bribery involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties.
  • An illegal gratuity involves giving, receiving, offering, or soliciting something of value because of an official act that has been taken.
  • A conflict of interest is an outline of procedures for dealing with actual or apparent conflicts of interest between personal and professional relationships.

FRAUD SCHEMES (continued)
  • Economic extortion is the use (or threat) of force (including economic sanctions) by an individual or organization to obtain something of value. The item of value could be a financial or economic asset, information, or cooperation to obtain a favorable decision on some matter under review.
• Asset Misappropriation
  • Most common type of fraud and often occurs as employee fraud.
  • Skimming
    • Skimming involves stealing cash from an organization before it is recorded on the organization’s books and records. Another example is mail room fraud, in which an employee opening the mail steals a customer’s check and destroys the associated remittance advice.
Losses from Fraud by Scheme Type

Losses from Asset Misappropriation Schemes

FRAUD SCHEMES (continued)
• Cash Larceny
  • Cash larceny is theft of cash receipts from an organization after those receipts have been recorded in the organization’s books and records.
  • Lapping is the use of customer checks, received in payment of their accounts, to conceal cash previously stolen by an employee.
• Billing Schemes
  • Billing schemes, also known as vendor fraud, are schemes under which an employee causes the employer to issue a payment to a false supplier or vendor by submitting invoices for fictitious goods/services, inflated invoices, or invoices for personal purchases.
FRAUD SCHEMES (continued)
• Billing Schemes (continued)
  • A shell company fraud is establishing a false vendor on the company’s books, and then making false purchase orders, receiving reports, and invoices in the name of the vendor and submitting them to the accounting system, creating the illusion of a legitimate transaction. The system ultimately issues a check to the false vendor.
  • A pass-through fraud is similar to shell company fraud except that a transaction actually takes place. The perpetrator creates a false vendor and issues purchase orders to it for inventory or supplies. The false vendor purchases the needed inventory from a legitimate vendor, charges the victim company a much higher than market price for the items, and pockets the difference.
  • A pay-and-return is a scheme under which a clerk with check writing authority pays a vendor twice for the same products (inventory or supplies) received and then intercepts and cashes the overpayment returned by the vendor.
FRAUD SCHEMES (continued)
• Check Tampering
  • Check tampering involves forging, or changing in some material way, a check that was written to a legitimate payee.
• Payroll Fraud
  • Payroll fraud is the distribution of fraudulent paychecks to existent and/or nonexistent employees.
• Expense Reimbursements
  • Expense reimbursement fraud involves claiming reimbursement of fictitious or inflated business expenses.
• Thefts of Cash
  • Theft of cash is the direct theft of cash on hand in the organization.
FRAUD SCHEMES (continued)
• Noncash Misappropriations
  • Noncash fraud is the theft or misuse of non-cash assets (e.g., inventory, confidential information).
• Computer Fraud
  • Computer fraud involves theft, misuse, or misappropriation of assets by altering computer-readable records and files, or by altering the logic of computer software; the illegal use of computer-readable information; or the intentional destruction of computer software or hardware.

Computer Fraud: Classifications
(Figure: the five classifications of computer fraud)
• Input Fraud
• Processor Fraud
• Computer Instructions Fraud
• Data Fraud
• Output Fraud
(a) Input Fraud
• The simplest and most common way: to alter/falsify computer input.
• This phase of the system is most vulnerable because it is very easy to change data as it is being entered into the system.
• Perpetrators need only to understand how the system operates.
• GIGO (Garbage In, Garbage Out): if the input data is inaccurate, processing will result in inaccurate output.

(b) Processor Fraud
• Includes unauthorized system use, including the theft of computer time and services.
• Example: using company computers for personal or outside business records.

(b) Processor Fraud (continued)
Program Frauds
• Creating illegal programs that can access data files to alter, delete, or insert values into accounting records.
• Destroying programs using a virus.
• Altering a program to cause the application to process data incorrectly.
Operations Frauds
• Misuse or theft of company computer resources, such as using the computer for personal business.

(c) Computer Instructions Fraud
• Tampering with the software that processes company data.
• Includes modifying the software, making illegal software copies, using software in an unauthorized manner, and developing a software program or module to carry out an unauthorized activity.
• Least common – requires specialized programming knowledge.

(d) Data Fraud
• Illegally using, copying, browsing, searching, or harming company data.
• Example: an employee removed the external labels from hundreds of tape files.

(e) Output Fraud
• Stealing or misusing system output.
• System output is usually displayed on monitors or printed on paper.
• Monitor and printer output is subject to prying eyes and unauthorized copying.

Computer Fraud Techniques
• What are some of the more common techniques to commit computer fraud?
   Data diddling
   Data leakage
   Denial of service attack
   Eavesdropping
   E-mail forgery and threats
   Hacking
   Internet misinformation
   Internet terrorism
   Logic time bomb
   Masquerading or impersonation
   Password cracking
   Piggybacking
   Software piracy
   Scavenging / Dumpster diving
   Social engineering
   Super zapping
   Trap door / Back door
   Trojan horse
   Virus
   Worm
• Data diddling: changing data before it is entered into the computer or after it has been entered into the computer. Example: employees are able to falsify time cards before the data contained on the cards is entered into the computer for payroll computation.
Risk Exposure in AIS

Risk in AIS
• Business firms face risks that reduce the chances of achieving their control objectives.
• Risk: the likelihood that a threat or hazard will actually come to pass.
• Risk exposures: the threats to a firm’s assets and information quality due to lapses or inadequacies in controls.

Types of Risks
• Natural and Political Disasters
  • Include:
    – Fire or excessive heat
    – Floods
    – Earthquakes
    – High winds
    – War and terrorist attack
• Software Errors and Equipment Malfunction
  • Include:
    – Hardware or software failures
    – Software errors or bugs
    – Operating system crashes
    – Power outages and fluctuations
    – Undetected data transmission errors

Types of Risks
• Unintentional Acts
  • Include:
    – Accidents caused by:
      • Human carelessness
      • Failure to follow established procedures
      • Poorly trained or supervised personnel
    – Innocent errors or omissions
    – Lost, destroyed, or misplaced data
    – Logic errors
    – Systems that do not meet needs or are incapable of performing intended tasks

Types of Risks
• Intentional Acts
  • Include:
    – Sabotage
    – Computer fraud
    – Misrepresentation, false use, or unauthorized disclosure of data
    – Misappropriation of assets
    – Financial statement fraud

Degrees of Risk Exposure
• Frequency: the more frequent an occurrence of a transaction, the greater the exposure to risk.
• Vulnerability: liquid and/or portable assets contribute to risk exposure.
• Size of the potential loss: the higher the monetary value of a loss, the greater the risk exposure.

Internal Control Concepts and Techniques

Internal Control Concepts and Techniques
• The internal control system is a set of policies a firm employs to safeguard the firm’s assets, ensure accurate and reliable accounting records and information, promote efficiency, and measure compliance with established policies.
• Modifying Assumptions
  • Management responsibility is the concept under which the responsibility for the establishment and maintenance of a system of internal control falls to management.
  • Reasonable assurance is an assurance provided by the internal control system that the four broad objectives of internal control are met in a cost-effective manner.
  • Methods of data processing
  • Limitations

Internal Control Concepts and Techniques (continued)
• Control Weaknesses and Risks
  • Control weaknesses increase the firm’s risk of financial loss or injury from the threats.
• The Preventive-Detective-Corrective Internal Control Model
  • Preventive controls are passive techniques designed to reduce the frequency of occurrence of undesirable events.
  • Detective controls are devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.

Internal Control Shield

Preventive, Detective, and Corrective Controls

Internal Control Concepts and Techniques (continued)
• The Preventive-Detective-Corrective Internal Control Model (continued)
  • Corrective controls are actions taken to reverse the effects of errors detected.
  • Statement on Auditing Standards (SAS) No. 109 is the current authoritative document for specifying internal control objectives and techniques. It is based on the COSO framework.
• Sarbanes-Oxley and Internal Control
  • The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

The Internal Control Structure
• The control framework is called the Internal Control Structure – COSO (Committee of Sponsoring Organisations).
• The COSO internal control framework has five components (listed on the following slide).

COSO INTERNAL CONTROL FRAMEWORK
• The Control Environment
  • The control environment is the foundation of internal control.
• Risk Assessment
  • Risk assessment is the identification, analysis, and management of risks relevant to financial reporting.
• Information and Communication
• Monitoring
  • Monitoring is the process by which the quality of internal control design and operation can be assessed.
• Control Activities
  • Control activities are the policies and procedures to ensure that appropriate actions are taken to deal with the organization’s risks.

Control environment
• Actions, policies, and procedures that reflect the overall attitude of the top management, directors, and owners of a business about internal control and its importance.
• Role of the board of directors and senior management – IC importance & expectation (tone at the top)
• Integrity and ethical values of management
• Management’s policies and philosophy
• Organizational structure – responsibility and authority
• Policies and practices managing human resources – competent individuals – hiring, compensating, training, evaluating, promoting, etc.
• Performance evaluation measures – rigor, incentives and rewards
• External influences – regulatory agencies – MASB, SC
Risk assessment
• The organization must be aware of and deal with the risks it faces.
• It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.
• Identify, analyze and manage risks relevant to financial reporting:
   changes in external environment
   risky foreign markets
   significant and rapid growth that strains internal controls
   new product lines
   restructuring, downsizing
   changes in accounting policies

Information and communication
• Identification, capture, and exchange of information in a form and time frame that enables people to carry out their responsibilities.
• The AIS should produce high quality information which:
   identifies and records all valid transactions
   provides timely information in appropriate detail to permit proper classification and financial reporting
   accurately measures the financial value of transactions
   accurately records transactions in the time period in which they occurred

Monitoring
• A process that assesses the quality of internal control performance over time.
• Conducts ongoing and/or separate evaluations:
   Separate procedures – tests of controls by internal auditors
   Ongoing monitoring:
    – computer modules integrated into routine operations
    – management reports which highlight trends and exceptions from normal performance

COSO INTERNAL CONTROL FRAMEWORK (continued)
• Control Activities
  • Control activities are the policies and procedures to ensure that appropriate actions are taken to deal with the organization’s risks.
  1. IT CONTROLS – relate specifically to the computer environment
      General controls are controls that pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance.
      Application controls are controls that ensure the integrity of specific systems.

COSO INTERNAL CONTROL FRAMEWORK (continued)
• Control Activities (continued)
  2. PHYSICAL CONTROLS – primarily pertain to human activities
    • Transaction authorization is a procedure to ensure that employees process only valid transactions within the scope of their authority. Typically there are at least two levels of authorization:
      • General authorization – day-to-day operations’ decisions
      • Specific authorization – case-by-case decisions
    • Segregation of duties is the separation of employee duties to minimize incompatible functions, including separating: (1) transaction authorization and processing and (2) asset custody and record-keeping.
    • Effective segregation of accounting duties is achieved when the following functions are separated:
      • Authorization
      • Recording
      • Custody
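The separation of authorization, recording and custody described above can be checked mechanically, both as a review of who holds which duties and as a check on each transaction after the fact. The following Python script is an added example and is not from Hall's text or the course materials. It assumes a simple model in which each employee is granted one or more of the three functions and each processed transaction records which user performed each function; all user names, role assignments and transaction ids are constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict check.

Added example (not from Hall's text). Assumes that every employee is granted
one or more of the three accounting functions named on the slide and that a
processed transaction carries the user id that performed each function.
All names and data below are constructed for illustration.
"""
from itertools import combinations

# The three functions the slide says must be kept apart.
FUNCTIONS = ("authorization", "recording", "custody")

# Any two of the three functions held by one person is an incompatible pairing.
INCOMPATIBLE = {frozenset(p) for p in combinations(FUNCTIONS, 2)}


def sod_violations(assignments):
    """Static review of role assignments.

    `assignments` maps user id -> set of function names.  Returns a dict
    {user: sorted list of incompatible (function, function) pairs} for every
    user whose assignments combine functions that should be separated.
    """
    out = {}
    for user, funcs in assignments.items():
        held = set(funcs)
        clashes = sorted(tuple(sorted(pair)) for pair in INCOMPATIBLE if pair <= held)
        if clashes:
            out[user] = clashes
    return out


def transaction_conflicts(txn):
    """Runtime check on one processed transaction (complements the review above).

    `txn` has keys 'authorized_by', 'recorded_by' and 'custody_by'.  Returns a
    list of (function_a, function_b, user) for every pair of functions that the
    same user performed on this transaction; an empty list means no conflict.
    """
    performers = {
        "authorization": txn["authorized_by"],
        "recording": txn["recorded_by"],
        "custody": txn["custody_by"],
    }
    return [
        (a, b, performers[a])
        for a, b in combinations(FUNCTIONS, 2)
        if performers[a] == performers[b]
    ]


# Constructed sample role assignments.
SAMPLE_ASSIGNMENTS = {
    "alice": {"authorization"},
    "bob": {"recording"},
    "carol": {"custody"},
    "dave": {"authorization", "custody"},               # can approve and hold the asset
    "erin": {"authorization", "recording", "custody"},  # holds all three
}

# Constructed sample transactions: the second was approved and received by one person.
SAMPLE_TXNS = [
    {"id": "PO-1001", "authorized_by": "alice", "recorded_by": "bob", "custody_by": "carol"},
    {"id": "PO-1002", "authorized_by": "dave", "recorded_by": "bob", "custody_by": "dave"},
]

if __name__ == "__main__":
    for user, clashes in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: incompatible functions {clashes}")
    for txn in SAMPLE_TXNS:
        conflicts = transaction_conflicts(txn)
        print(f"{txn['id']}: {'OK' if not conflicts else conflicts}")
```

The static review catches the control weakness before any transaction is processed; the per-transaction check is the detective counterpart, useful where roles are granted ad hoc or where a supervisor temporarily steps into a second function.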

Segregation of Duties Objectives

COSO INTERNAL CONTROL FRAMEWORK (continued)
• Control Activities (continued)
  2. PHYSICAL CONTROLS – primarily pertain to human activities
    • Supervision is a compensating control in small organizations for insufficient segregation of duties.
      • Supervisors
      • CCTV
    • The accounting records of an organization consist of documents, journals, or ledgers which capture economic essence and provide an audit trail.
    • Access controls are controls that ensure that only authorized personnel have access to the firm’s assets.
    • Verification procedures are independent checks of the accounting system to identify errors and misrepresentations.

COSO INTERNAL CONTROL FRAMEWORK (continued)
• Control Activities (continued)
  2. PHYSICAL CONTROLS – primarily pertain to human activities
    • Verification procedures include:
      – Reconciling batch totals during transaction processing.
      – Comparing physical assets with accounting records.
      – Reconciling subsidiary accounts with control accounts.
      – Reviewing management reports that summarize business activities.
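Two of the verification procedures listed above, reconciling batch totals during processing and reconciling subsidiary accounts with their control account, as an added Python example that is not part of Hall's text or the course materials. It assumes batch control totals are taken at data entry (record count, financial total of the amounts, and a hash total over the account numbers) and recomputed from what the system actually posted; the account numbers, amounts and ledger balances are constructed for illustration.

```python
"""Verification procedures as code: batch-total reconciliation and a
subsidiary-ledger-versus-control-account check.

Added example (not from Hall's text).  Account numbers, amounts and balances
are constructed.  Decimal is used so that money is not subject to binary
floating-point rounding.
"""
from decimal import Decimal


def batch_totals(records):
    """Compute control totals for a batch of transaction records.

    count        - number of records in the batch
    amount_total - financial total of the 'amount' field
    hash_total   - sum of the (non-financial) account numbers; it has no
                   accounting meaning but catches a record posted to the
                   wrong account even when the amount is unchanged
    """
    return {
        "count": len(records),
        "amount_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def reconcile_batch(expected, processed):
    """Compare the totals taken at data entry (`expected`) with totals
    recomputed from the records the system posted (`processed`).
    Returns a list of (field, expected, actual) for every total that
    disagrees; an empty list means the batch reconciles."""
    actual = batch_totals(processed)
    return [
        (field, expected[field], actual[field])
        for field in ("count", "amount_total", "hash_total")
        if expected[field] != actual[field]
    ]


def reconcile_control_account(subsidiary, control_balance):
    """Sum the subsidiary ledger balances and compare them with the general
    ledger control account.  Returns subsidiary total minus control balance,
    so zero means the two agree."""
    return sum(subsidiary.values(), Decimal("0")) - control_balance


# Constructed: what the clerk totalled on the batch transmittal sheet.
ENTERED = [
    {"account": "1001", "amount": Decimal("250.00")},
    {"account": "1002", "amount": Decimal("75.50")},
    {"account": "1003", "amount": Decimal("120.00")},
]
EXPECTED_TOTALS = batch_totals(ENTERED)

# Constructed: what was actually posted.  The third record went to the wrong
# account with the correct amount, so count and amount total still agree and
# only the hash total reveals the error.
POSTED = [
    {"account": "1001", "amount": Decimal("250.00")},
    {"account": "1002", "amount": Decimal("75.50")},
    {"account": "1030", "amount": Decimal("120.00")},
]

# Constructed accounts-receivable subsidiary ledger and two control balances.
AR_SUBSIDIARY = {"1001": Decimal("250.00"), "1002": Decimal("75.50"), "1003": Decimal("120.00")}
AR_CONTROL = Decimal("445.50")            # agrees with the subsidiary ledger
AR_CONTROL_MISSTATED = Decimal("425.50")  # 20.00 short: a posting is missing or wrong

if __name__ == "__main__":
    print("batch exceptions:", reconcile_batch(EXPECTED_TOTALS, POSTED))
    print("AR difference:", reconcile_control_account(AR_SUBSIDIARY, AR_CONTROL))
    print("AR difference (misstated):",
          reconcile_control_account(AR_SUBSIDIARY, AR_CONTROL_MISSTATED))
```

The batch check is a detective control in the processing stage: a misposting that a financial total alone would miss still shows up as a hash-total exception, and the exception report (not the posting itself) is what an independent reviewer acts on. The control-account check is run at period end; a non-zero difference is the signal to investigate, not to force the balances to agree.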
