AIS - Chapter 3
CHAPTER 3

Ethics, Fraud, and Internal Control

Ethical Issues in Business
Ethical standards are derived from societal mores and deep-rooted personal beliefs about issues of right and wrong that are not universally agreed upon. It is quite possible for two individuals, both of whom consider themselves to be acting ethically, to be on opposite sides of an issue.

BUSINESS ETHICS
Ethics pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong.

Business ethics involves finding the answers to two questions:
(1) How do managers decide what is right in conducting their business?
(2) Once managers have recognized what is right, how do they achieve it?

Ethical issues in business can be divided into four areas:
● Equity
● Rights
● Honesty
● Exercise of corporate power

Making Ethical Decisions
Business organizations have conflicting responsibilities to their employees, shareholders, customers, and the public. Every major decision has consequences that potentially harm or benefit these constituents. Seeking a balance between these consequences is the managers’ ethical responsibility. The following ethical principles provide some guidance in the discharge of this responsibility.

Proportionality. The benefit from a decision must outweigh the risks. Furthermore, there must be no alternative decision that provides the same or greater benefit with less risk.

Justice. The benefits of the decision should be distributed fairly to those who share the risks. Those who do not benefit should not carry the burden of risk.

Minimize risk. Even if judged acceptable by the principles, the decision should be implemented so as to minimize all of the risks and avoid any unnecessary risks.

COMPUTER ETHICS
Computer ethics is ‘‘the analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology.’’

Three levels of computer ethics:
Pop computer ethics - exposure to the stories and reports found in the popular media regarding the good or bad effects of computer technology.
Para computer ethics - taking a real interest in computer ethics cases and acquiring some level of skill and knowledge in the field.
Theoretical computer ethics - of interest to multidisciplinary researchers who apply the theories of philosophy, sociology, and psychology to computer science with the goal of bringing some new understanding to the field.

A New Problem or Just a New Twist on an Old Problem?
● Although computer programs are a new type of asset, many believe that these programs should be considered no differently from other forms of property.
● We need only to understand the generic values that are at stake and the principles that should then apply.

Several issues are of concern to students of accounting information systems. Each issue is briefly defined, and several trigger questions are provided:
Privacy
People desire to be in full control of what and how much information about themselves is available to others, and to whom it is available. This is the issue of privacy. The creation and maintenance of huge, shared databases make it necessary to protect people from the potential misuse of data. This raises the issue of ownership in the personal information industry. Should the privacy of individuals be protected through policies and systems? What information about oneself does the individual own? Should firms that are unrelated to individuals buy and sell information about these individuals without their permission?

Security (Accuracy and Confidentiality)
Computer security is an attempt to avoid such undesirable events as a loss of confidentiality or data integrity. Security systems attempt to prevent fraud and other misuse of computer systems; they act to protect and further the legitimate interests of the system’s constituencies. The ethical issues involving security arise from the emergence of shared, computerized databases that have the potential to cause irreparable harm to individuals by disseminating inaccurate information to authorized users, such as through incorrect credit reporting. Which is the more important goal? Automated monitoring can be used to detect intruders or other misuse, yet it can also be used to spy on legitimate users, thus diminishing their privacy. Where is the line to be drawn? What is an appropriate use and level of security? Which is most important: security, accuracy, or confidentiality?

Ownership of Property
Copyright laws have been invoked in an attempt to protect those who develop software from having it copied. Unquestionably, the hundreds of thousands of program development hours should be protected from piracy. However, many believe the copyright laws can cause more harm than good. For example, should the look and feel of a software package be granted copyright protection? Some argue that this flies in the face of the original intent of the law. Whereas the purpose of copyrights is to promote the progress of science and the useful arts, allowing a user interface the protection of copyright may do just the opposite.

Equity in Access
The economic status of the individual or the affluence of an organization will determine the ability to obtain information technology. Culture also limits access, for example, when documentation is prepared in only one language or is poorly translated. Safety features, or the lack thereof, have limited access to pregnant women, for example. How can hardware and software be designed with consideration for differences in physical and cognitive skills? What is the cost of providing equity in access? For what groups of society should equity in access become a priority?

Environmental Issues
Computers with high-speed printers allow for the production of printed documents faster than ever before. It is probably easier just to print a document than to consider whether it should be printed and how many copies really need to be made. It may be more efficient or more comforting to have a hard copy in addition to the electronic version. However, paper comes from trees, a precious natural resource, and ends up in landfills if not properly recycled. Should organizations limit nonessential hard copies? Can nonessential be defined? Who can and should define it? Should proper recycling be required? How can it be enforced?

Artificial Intelligence
A new set of social and ethical issues has arisen out of the popularity of expert systems. Some people rely on them significantly, as decision makers or as replacements for experts. Therefore, both knowledge engineers (those who write the programs) and domain experts (those who provide the knowledge about the task being automated) must be concerned about their responsibility for faulty
decisions, incomplete or inaccurate knowledge bases, and the role given to computers in the decision-making process. Further, because expert systems attempt to clone a manager’s decision-making style, an individual’s prejudices may implicitly or explicitly be included in the knowledge base. Some of the questions that need to be explored are: Who is responsible for the completeness and appropriateness of the knowledge base? Who is responsible for a decision made by an expert system that causes harm when implemented? Who owns the expertise once it is coded into a knowledge base?

Unemployment and Displacement
Many jobs have been and are being changed as a result of the availability of computer technology. People unable or unprepared to change are displaced. Should employers be responsible for retraining workers who are displaced as a result of the computerization of their functions?

Misuse of Computers
Computers can be misused in many ways. Copying proprietary software, using a company’s computer for personal benefit, and snooping through other people’s files are just a few obvious examples. Although copying proprietary software (except to make a personal backup copy) is clearly illegal, it is commonly done. Why do people think that it is not necessary to obey this law? Are there any good arguments for trying to change this law? What harm is done to the software developer when people make unauthorized copies? A computer is not an item that deteriorates with use, so is there any harm to the employer if it is used for an employee’s personal benefit?

SARBANES-OXLEY ACT AND ETHICAL ISSUES
● Public outcry surrounding ethical misconduct and fraudulent acts by executives of Enron, Global Crossing, Tyco, Adelphia, WorldCom, and others spurred Congress into passing the American Competitiveness and Corporate Accountability Act of 2002.
● The Sarbanes-Oxley Act (SOX) is the most significant securities law since the Securities Act of 1933 and the Securities Exchange Act of 1934, which created the Securities and Exchange Commission (SEC). SOX has many provisions designed to deal with specific problems relating to capital markets, corporate governance, and the auditing profession.

Section 406—Code of Ethics for Senior Financial Officers
● Section 406 of SOX requires public companies to disclose to the SEC whether they have adopted a code of ethics that applies to the organization’s chief executive officer (CEO), chief financial officer (CFO), controller, or persons performing similar functions. If the company has not adopted such a code, it must explain why.

A public company may disclose its code of ethics in several ways:
(1) as an exhibit to its annual report;
(2) as a posting on its Web site;
(3) by agreeing to provide copies of the code upon request.

● A company’s code of ethics should apply equally to all employees. Top management’s attitude toward ethics sets the tone for business practice, but it is also the responsibility of lower-level managers and nonmanagers to uphold a firm’s ethical standards.

The SEC has ruled that compliance with Section 406 necessitates a written code of ethics that addresses the following ethical issues.

CONFLICTS OF INTEREST. The company’s code of ethics should outline procedures for dealing with actual or apparent conflicts of interest between personal and professional relationships.
Managers and employees alike should be made aware of the firm’s code of ethics, be given decision models, and participate in training programs that explore conflict of interest issues.

FULL AND FAIR DISCLOSURES. This provision states that the organization should provide full, fair, accurate, timely, and understandable disclosures in the documents, reports, and financial statements that it submits to the SEC and to the public.

LEGAL COMPLIANCE. Codes of ethics should require employees to follow applicable governmental laws, rules, and regulations.

INTERNAL REPORTING OF CODE VIOLATIONS. The code of ethics must provide a mechanism to permit prompt internal reporting of ethics violations. This provision is similar in nature to Sections 301 and 806, which were designed to encourage and protect whistle-blowers. Employee ethics hotlines are emerging as the mechanism for dealing with these related requirements. Because SOX requires this function to be confidential, many companies are outsourcing their employee hotline service to independent vendors.

ACCOUNTABILITY. An effective ethics program must take appropriate action when code violations occur. This will include various disciplinary measures, including dismissal. Employees must see an employee hotline as credible, or they will not use it. Section 301 directs the organization’s audit committee to establish procedures for receiving, retaining, and treating such complaints about accounting procedures and internal control violations. Audit committees will also play an important role in the oversight of ethics enforcement activities.

Fraud and Accountants

Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit
● The current authoritative guidelines on fraud detection are presented in SAS 99.
● The objective of SAS 99 is to seamlessly blend the auditor’s consideration of fraud into all phases of the audit process.
● SAS 99 requires the auditor to perform new steps, such as brainstorming during audit planning to assess the potential risk of material misstatement of the financial statements from fraud schemes.

DEFINITIONS OF FRAUD
● Fraud - a false representation of a material fact made by one party to another party with the intent to deceive and induce the other party to justifiably rely on the fact to his or her detriment.

According to common law, a fraudulent act must meet the following five conditions:
1. False representation. There must be a false statement or a nondisclosure.
2. Material fact. A fact must be a substantial factor in inducing someone to act.
3. Intent. There must be the intent to deceive or the knowledge that one’s statement is false.
4. Justifiable reliance. The misrepresentation must have been a substantial factor on which the injured party relied.
5. Injury or loss. The deception must have caused injury or loss to the victim of the fraud.

● Fraud in the business - an intentional deception, misappropriation of a company’s assets, or manipulation of its financial data to the advantage of the perpetrator. In accounting
literature, fraud is also commonly known as white-collar crime, defalcation, embezzlement, and irregularities.

Auditors encounter fraud at two levels: employee fraud and management fraud.

Employee Fraud
● Fraud by nonmanagement employees.
● Generally designed to directly convert cash or other assets to the employee’s personal benefit.
● The employee circumvents the company’s internal control system for personal gain.

Usually involves three steps:
(1) stealing something of value (an asset);
(2) converting the asset to a usable form (cash);
(3) concealing the crime to avoid detection.

Management Fraud
● More insidious than employee fraud because it often escapes detection until the organization has suffered irreparable damage or loss.
● Usually does not involve the direct theft of assets.

Contains three special characteristics:
1. The fraud is perpetrated at levels of management above the one to which internal control structures generally relate.
2. The fraud frequently involves using the financial statements to create an illusion that an entity is healthier and more prosperous than, in fact, it is.
3. If the fraud involves misappropriation of assets, it frequently is shrouded in a maze of complex business transactions, often involving related third parties.

THE FRAUD TRIANGLE
The fraud triangle consists of three factors that contribute to or are associated with management and employee fraud. These are:
● Situational pressure - personal or job-related stresses that could coerce an individual to act dishonestly.
● Opportunity - direct access to assets and/or access to information that controls assets.
● Ethics - one’s character and degree of moral opposition to acts of dishonesty.

Research by forensic experts and academics has shown that the auditor’s evaluation of fraud is enhanced when the fraud triangle factors are considered. To provide insight into these factors, auditors often use a red-flag checklist consisting of the following types of questions:
● Do key executives have unusually high personal debt?
● Do key executives appear to be living beyond their means?
● Do key executives engage in habitual gambling?
● Do key executives appear to abuse alcohol or drugs?
● Do any of the key executives appear to lack personal codes of ethics?
● Are economic conditions unfavorable within the company’s industry?
● Does the company use several different banks, none of which sees the company’s entire financial picture?
● Do any key executives have close associations with suppliers?
● Is the company experiencing a rapid turnover of key employees, either through resignation or termination?
● Do one or two individuals dominate the company?

FINANCIAL LOSSES FROM FRAUD
The actual cost of fraud is difficult to quantify for a number of reasons:
1. not all fraud is detected;
2. of that detected, not all is reported;
3. in many fraud cases, incomplete information is gathered;
4. information is not properly distributed to management or law enforcement authorities;
5. too often, business organizations decide to take no civil or criminal action against the perpetrator(s) of fraud.

THE PERPETRATORS OF FRAUDS
Notwithstanding the importance of personal ethics and situational pressures in inducing one to commit fraud, opportunity is the factor that actually facilitates the act. Opportunity was defined previously as access to assets and/or the information that controls assets. No matter how intensely driven by situational pressure one may become, even the most unethical individual cannot perpetrate a fraud if no opportunity to do so exists.
● Position. Individuals in the highest positions within an organization are beyond the internal control structure and have the greatest access to company funds and assets.
● Gender. Women are not fundamentally more honest than men, but men occupy high corporate positions in greater numbers than women. This affords men greater access to assets.
● Age. Older employees tend to occupy higher-ranking positions and therefore generally have greater access to company assets.
● Education. Generally, those with more education occupy higher positions in their organizations and therefore have greater access to company funds and other assets.
● Collusion. One reason for segregating occupational duties is to deny potential perpetrators the opportunity they need to commit fraud. When individuals in critical positions collude, they create opportunities to control or gain access to assets that otherwise would not exist.

FRAUD SCHEMES
Fraud schemes can be classified in a number of different ways. For purposes of discussion, this section presents the Association of Certified Fraud Examiners (ACFE) classification format. Three broad categories of fraud schemes are defined:

➢ Fraudulent statements
● Associated with management fraud.
● Although all fraud involves some form of financial misstatement, to fall into this category the statement itself must bring direct or indirect financial benefit to the perpetrator.

The following underlying problems are at the root of this concern:

● Lack of Auditor Independence. Auditing firms that are also engaged by their clients to perform non-accounting activities such as actuarial services, internal audit outsourcing services, and consulting lack independence. The firms are essentially auditing their own work. The risk is that as auditors they will not bring to management’s attention detected problems that may adversely affect their consulting fees.

● Lack of Director Independence. Many boards of directors are composed of individuals who are not independent. Although it is neither practical nor wise to establish a board of directors that is totally void of self-interest, popular wisdom suggests that a healthier board of directors is one in which the majority of directors are independent outsiders, with the integrity and the qualifications to understand the company and objectively plan its course.

● Questionable Executive Compensation Schemes. The consensus is that fewer stock options should be offered than is currently the practice. Excessive use of short-term stock options to compensate
directors and executives may result in short-term thinking and strategies aimed at driving up stock prices at the expense of the firm’s long-term health. In extreme cases, financial statement misrepresentation has been the vehicle to achieve the stock price needed to exercise the option.

● Inappropriate Accounting Practices. The use of inappropriate accounting techniques is a characteristic common to many financial statement fraud schemes.

SARBANES-OXLEY ACT AND FRAUD
● This landmark legislation was written to deal with problems related to capital markets, corporate governance, and the auditing profession, and it has fundamentally changed the way public companies do business and how the accounting profession performs its attest function.
● The act establishes a framework to modernize and reform the oversight and regulation of public company auditing.

Its principal reforms pertain to:
● The creation of an accounting oversight board
● Auditor independence
● Corporate governance and responsibility
● Disclosure requirements
● Penalties for fraud and other violations

These provisions are discussed in the following section:

1. Accounting Oversight Board. SOX created the Public Company Accounting Oversight Board (PCAOB). The PCAOB is empowered to set auditing, quality control, and ethics standards; to inspect registered accounting firms; to conduct investigations; and to take disciplinary actions.

2. Auditor Independence. The act addresses auditor independence by creating more separation between a firm’s attestation and non-auditing activities. It specifies categories of services that a public accounting firm cannot perform for its audit client. These include the following nine functions:
a. Bookkeeping or other services related to the accounting records or financial statements
b. Financial information systems design and implementation
c. Appraisal or valuation services, fairness opinions, or contribution-in-kind reports
d. Actuarial services
e. Internal audit outsourcing services
f. Management functions or human resources
g. Broker or dealer, investment adviser, or investment banking services
h. Legal services and expert services unrelated to the audit
i. Any other service that the PCAOB determines is impermissible

Whereas SOX prohibits auditors from providing these services to their audit clients, they are not prohibited from performing such services for non-audit clients or privately held companies.

3. Corporate Governance and Responsibility. The act requires all audit committee members to be independent and requires the audit committee to hire and oversee the external auditors. This provision is consistent with the view of many investors, who consider board composition to be a critical investment factor.

Two other significant provisions of the act relating to corporate governance are:
1. Public companies are prohibited from making loans to executive officers and directors.
2. The act requires attorneys to report evidence of a material violation of securities laws or a breach of fiduciary duty to the company’s chief legal counsel or CEO and, if they do not respond appropriately, to the audit committee or the board of directors.
4. Issuer and Management Disclosure. SOX imposes new corporate disclosure requirements, including:
a. Public companies must report all off-balance-sheet transactions.
b. Annual reports filed with the SEC must include a statement by management asserting that it is responsible for creating and maintaining adequate internal controls and attesting to the effectiveness of those controls.
c. Officers must certify that the company’s accounts ‘‘fairly present’’ the firm’s financial condition and results of operations.
d. Knowingly filing a false certification is a criminal offense.

5. Fraud and Criminal Penalties. SOX imposes a range of new criminal penalties for fraud and other wrongful acts. In particular, the act creates new federal crimes relating to the destruction of documents or audit work papers, securities fraud, tampering with documents to be used in an official proceeding, and actions against whistle-blowers.

➢ Corruption
● Involves an executive, manager, or employee of the organization in collusion with an outsider.

Four principal types of corruption:
1. Bribery - involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties. Officials may be employed by government (or regulatory) agencies or by private organizations. Bribery defrauds the entity (business organization or government agency) of the right to honest and loyal services from those employed by it.
2. Illegal gratuity - involves giving, receiving, offering, or soliciting something of value because of an official act that has been taken. This is similar to a bribe, but the transaction occurs after the fact.
3. Conflict of interest - occurs when an employee acts on behalf of a third party during the discharge of his or her duties or has self-interest in the activity being performed.
4. Economic extortion - the use (or threat) of force (including economic sanctions) by an individual or organization to obtain something of value. The item of value could be a financial or economic asset, information, or cooperation to obtain a favorable decision on some matter under review.

➢ Asset Misappropriation
● Assets are either directly or indirectly diverted to the perpetrator’s benefit.
● Transactions involving cash, checking accounts, inventory, supplies, equipment, and information are the most vulnerable to abuse.

The following sections provide definitions and examples of the fraud schemes:

Skimming
● Stealing cash from an organization before it is recorded on the organization’s books and records.
● Example: mail room fraud, in which an employee opening the mail steals a customer’s check and destroys the associated remittance advice. Once the remittance advice is destroyed, no evidence of the cash receipt exists.

Cash Larceny
● Involves schemes in which cash receipts are stolen from an organization after they have been recorded in the organization’s books and records.
● Example: lapping, in which the receipt from one customer is stolen and a later receipt from a second customer is posted to the first customer’s account to cover the shortage; the cycle repeats so that the theft stays concealed.

Billing Schemes
● Also known as vendor fraud; perpetrated by employees who
cause their employer to issue a payment to a false supplier or vendor by submitting invoices for fictitious goods or services, inflated invoices, or invoices for personal purchases.

Three examples of billing schemes:
1. Shell company fraud - first requires that the perpetrator establish a false supplier on the books of the victim company. The fraudster then manufactures false purchase orders, receiving reports, and invoices in the name of the vendor and submits them to the accounting system, which creates the illusion of a legitimate transaction. Based on these documents, the system will set up an account payable and ultimately issue a check to the false supplier (the fraudster).
2. Pass-through fraud - similar to the shell company fraud, with the exception that a transaction actually takes place. The false vendor charges the victim company a much higher than market price for the items, but pays only the market price to the legitimate vendor. The difference is the profit that the perpetrator pockets.
3. Pay-and-return scheme - typically involves a clerk with check-writing authority who pays a vendor twice for the same products (inventory or supplies) received. The vendor, recognizing that its customer made a double payment, issues a reimbursement to the victim company, which the clerk intercepts and cashes.

Check Tampering
● Involves forging or changing in some material way a check that the organization has written to a legitimate payee.

Payroll Fraud
● The distribution of fraudulent paychecks to existent and/or nonexistent employees.
● The fraud works best in organizations in which the supervisor is responsible for distributing paychecks to employees. The supervisor may intercept the paycheck of an employee who has left, forge the former employee’s signature, and cash it.

Expense Reimbursement Frauds
● Schemes in which an employee makes a claim for reimbursement of fictitious or inflated business expenses.

Thefts of Cash
● Schemes that involve the direct theft of cash on hand in the organization.

Non-Cash Misappropriations
● Non-cash fraud schemes involve the theft or misuse of the victim organization’s non-cash assets.

Computer Fraud
● Because computers lie at the heart of modern accounting information systems, the topic of computer fraud is of importance to auditors. Although the fundamental structure of fraud (fraudulent statements, corruption, and asset misappropriation) is unchanged by computers, computers do add complexity to the fraud picture.

Internal Control Concepts and Techniques
The internal control system comprises policies, practices, and procedures employed by the organization to achieve four broad objectives:
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies and procedures.

Modifying Assumptions
● MANAGEMENT RESPONSIBILITY. This concept holds that the establishment and maintenance of a system of internal control is a management responsibility. This point is made explicit in SOX legislation.
● REASONABLE ASSURANCE. The internal control system should provide reasonable assurance that the four broad objectives of internal control are met in a cost-effective manner. This means that no system of internal control is perfect, and the cost of achieving improved control should not outweigh its benefits.
● METHODS OF DATA PROCESSING. Internal controls should achieve the four broad objectives regardless of the data processing method used. The control techniques used to achieve these objectives will, however, vary with different types of technology.
● LIMITATIONS. Every system of internal control has limitations on its effectiveness. These include:
(1) The possibility of error - no system is perfect.
(2) Circumvention - personnel may circumvent the system through collusion or other means.
(3) Management override - management is in a position to override control procedures by personally distorting transactions or by directing a subordinate to do so.
(4) Changing conditions - conditions may change over time so that existing controls become ineffectual.

Exposures and Risk
● The absence or weakness of a control is called an exposure.
● Exposures increase the firm’s risk of financial loss or injury from undesirable events.

A weakness in internal control may expose the firm to one or more of the following types of risks:
1. Destruction of assets (both physical assets and information).
2. Theft of assets.
3. Corruption of information or the information system.
4. Disruption of the information system.

The Preventive–Detective–Corrective Internal Control Model

Preventive Controls
● Passive techniques designed to reduce the frequency of occurrence of undesirable events.
● Force compliance with prescribed or desired actions and thus screen out aberrant events.

Detective Controls
● Form the second line of defense.
● Are devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.
● Reveal specific types of errors by comparing actual occurrences to pre-established standards.

Corrective Controls
● Actions taken to reverse the effects of errors detected in the previous step.

Sarbanes-Oxley and Internal Control
● Sarbanes-Oxley legislation requires management of public companies to implement an adequate system of internal controls over their financial reporting process. This includes controls over transaction processing systems that feed data to the financial reporting systems.
● Section 302 requires that corporate management (including the CEO) certify their organization’s internal controls on a quarterly and annual basis.
● Section 404 requires the management of public companies to assess the effectiveness of their organization’s internal controls.

SAS 78/COSO INTERNAL CONTROL FRAMEWORK
The SAS 78/COSO framework consists of five components:

1. Control environment - the foundation for the other four control components. The control environment sets the tone for the organization and influences the control awareness of its management and employees. SAS 78/COSO requires that auditors obtain sufficient knowledge to assess the attitude and awareness of the organization’s management, board of directors, and owners regarding internal control.

2. Risk Assessment - organizations must perform a risk assessment to identify, analyze, and manage risks relevant to financial reporting. SAS 78/COSO requires that auditors obtain sufficient knowledge of the organization’s risk assessment procedures to understand how management identifies, prioritizes, and manages the risks related to financial reporting.

3. Information and Communication - The accounting information system consists of the records and methods
decisions in connection with the organization’s operations and to prepare reliable financial statements.

4. Monitoring - the process by which the quality of internal control design and operation can be assessed. This may be accomplished by separate procedures or by ongoing activities.

5. Control activities - the policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks. Control activities can be grouped into two distinct categories: information technology (IT) controls and physical controls.
● IT controls relate specifically to the computer environment. They fall into two broad groups: general controls and application controls. General controls pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance. Application controls ensure the integrity of specific systems such as sales order processing, accounts payable, and payroll applications.
● Physical controls do not relate to the computer logic that actually performs accounting tasks. Rather, they relate to the human activities that trigger and utilize the results of those tasks. In other
used to initiate, identify, analyze, words, physical controls focus
classify, and record the on people, but are not
organization’s transactions and to restricted to an environment
account for the related assets and in which clerks update paper
liabilities. The quality of information accounts with pen and ink.
the accounting information system Virtually all systems,
generates impacts management’s regardless of their
ability to take actions and make sophistication, employ human
activities that need to be ● These records capture the economic
controlled. essence of transactions and provide
an audit trail of economic events.
Issues pertaining to six categories of ● The audit trail enables the auditor to
physical control activities: trace any transaction through all
phases of its processing from the
1. TRANSACTION AUTHORIZATION initiation of the event to the financial
● The purpose of transaction statements.
authorization is to ensure that all ● Organizations must maintain audit
material transactions processed by trails for two reasons:
the information system are valid and 1. This information is needed for
in accordance with management’s conducting day-to-day
objectives. operations.
● Authorizations may be general or 2. The audit trail plays an
specific. essential role in the financial
● General authority is granted to audit of the firm.
operations personnel to perform day-
to-day operations. 5. ACCESS CONTROL
● Specific authorizations deal with ● The purpose of access controls is to
case-by-case decisions associated ensure that only authorized
with nonroutine transactions. personnel have access to the firm’s
assets.
2. SEGREGATION OF DUTIES ● Unauthorized access exposes assets
● One of the most important control to misappropriation, damage, and
activities is the segregation of theft. Therefore, access controls play
employee duties to minimize an important role in safeguarding
incompatible functions. assets.
● Segregation of duties can take many ● Access to assets can be direct or
forms, depending on the specific indirect. Physical security devices,
duties to be controlled. such as locks, safes, fences, and
electronic and infrared alarm
3. SUPERVISION systems, control against direct
● Implementing adequate segregation access. Indirect access to assets is
of duties requires that a firm employ achieved by gaining access to the
a sufficiently large number of records and documents that control
employees. the use, ownership, and disposition
● Achieving adequate segregation of of the asset.
duties often presents difficulties for
small organizations. 6. INDEPENDENT VERIFICATION
● Obviously, it is impossible to ● Verification procedures are
separate five incompatible tasks
among three employees. independent checks of the
● Therefore, in small organizations or accounting system to identify errors
in functional areas that lack and misrepresentations.
sufficient personnel, management ● Verification differs from supervision
must compensate for the absence of because it takes place after the fact,
segregation controls with close by an individual who is not directly
supervision.
involved with the transaction or task
● For this reason, supervision is often
called a compensating control. being verified. Supervision takes
place while the activity is being
4. ACCOUNTING RECORDS performed, by a supervisor with
● Consist of source documents, direct responsibility for the task.
journals, and ledgers.
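The segregation of duties, audit trail and independent verification points above can be made concrete with a small script. The following Python program is an added example, not part of the study guide or of any textbook code: it checks a duty-assignment table for incompatible combinations (a preventive control), reconciles a constructed accounts receivable subsidiary ledger against its general-ledger control account while refusing to let anyone who posted the entries perform the verification (a detective control done after the fact by an uninvolved person), and follows a source document through the ledger (the audit trail). All employee names, duty labels, document numbers and amounts are constructed sample data.

```python
"""Added example: independent verification of an accounts receivable (AR)
subsidiary ledger with segregation-of-duties and audit-trail checks.
Every employee, duty label, document id and amount is constructed sample
data; nothing here comes from a real system or from the study guide."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Posting:
    """One subsidiary-ledger posting. source_doc is the audit-trail link back
    to the originating document (invoice, remittance advice, credit memo)."""
    source_doc: str
    customer: str
    amount: int       # in cents; positive = charge, negative = cash receipt
    posted_by: str    # employee who recorded the posting


# Duty pairs one person must not hold together (constructed labels). Each pair
# mirrors a case from the notes: custody of inventory plus purchase
# authorization, credit approval plus write-off authority, and recording AR
# while handling the cash that pays it (the combination that allows lapping).
INCOMPATIBLE_DUTIES = [
    frozenset({"custody_inventory", "authorize_purchases"}),
    frozenset({"approve_credit", "write_off_accounts"}),
    frozenset({"record_ar", "handle_cash"}),
]


def sod_conflicts(assignments):
    """Preventive check: every (employee, duty_a, duty_b) where a single
    employee holds both halves of an incompatible pair."""
    conflicts = []
    for employee, duties in assignments.items():
        for pair in INCOMPATIBLE_DUTIES:
            if pair <= set(duties):
                duty_a, duty_b = sorted(pair)
                conflicts.append((employee, duty_a, duty_b))
    return sorted(conflicts)


def reconcile(subsidiary, control_balance, reconciler):
    """Detective check: total the subsidiary ledger per customer and compare
    the grand total with the general-ledger control account balance. The
    reconciler must not have posted any entry being verified, so the check is
    independent and after the fact, unlike supervision during the task."""
    preparers = {p.posted_by for p in subsidiary}
    if reconciler in preparers:
        raise PermissionError(
            f"{reconciler} posted entries in this ledger and cannot verify it")
    per_customer = defaultdict(int)
    for p in subsidiary:
        per_customer[p.customer] += p.amount
    subsidiary_total = sum(per_customer.values())
    return {
        "per_customer": dict(per_customer),
        "subsidiary_total": subsidiary_total,
        "control_balance": control_balance,
        # A non-zero difference is an error or misrepresentation to investigate.
        "difference": control_balance - subsidiary_total,
    }


def trace(subsidiary, source_doc):
    """Audit trail: every posting that originated from one source document,
    so a transaction can be followed from its initiation into the ledger."""
    return [p for p in subsidiary if p.source_doc == source_doc]


# --- constructed sample data -------------------------------------------------
ASSIGNMENTS = {
    "alice": {"record_ar"},
    "bob": {"handle_cash"},
    "carol": {"reconcile_ar"},
    "dave": {"record_ar", "handle_cash"},              # incompatible pair
    "erin": {"approve_credit", "write_off_accounts"},  # incompatible pair
}

SUBSIDIARY = [
    Posting("INV-1001", "Acme", 50_000, "alice"),   # $500.00 invoice
    Posting("RA-2001", "Acme", -50_000, "alice"),   # $500.00 remittance
    Posting("INV-1002", "Beta", 12_500, "alice"),
    Posting("INV-1003", "Gamma", 30_000, "dave"),
]
CONTROL_BALANCE = 45_000   # GL control account; $25.00 above the subsidiary


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(ASSIGNMENTS))
    print("Reconciliation:", reconcile(SUBSIDIARY, CONTROL_BALANCE, "carol"))
    print("Trail for INV-1001:", trace(SUBSIDIARY, "INV-1001"))
```

Run as-is, the script reports dave and erin as segregation-of-duties conflicts, lets carol (who posted nothing) reconcile and surfaces a $25.00 difference between the control account and the subsidiary ledger, and raises PermissionError if alice, who posted the entries, is named as the reconciler.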
● Through independent verification procedures, management can assess:
1. The performance of individuals
2. The integrity of the transaction processing system
3. The correctness of data contained in accounting records.
● Verifications may occur several times an hour or several times a day. In some cases, a verification may occur daily, weekly, monthly, or annually.

Multiple-Choice Questions
1. Management can expect various benefits to follow from implementing a system of strong internal control. Which of the following benefits is least likely to occur?

a. reduction of cost of an external audit
b. prevention of employee collusion to commit fraud
c. availability of reliable data for decision-making purposes
d. some assurance of compliance with the Foreign Corrupt Practices Act of 1977
e. some assurance that important documents and records are protected

2. Which of the following situations is NOT a segregation of duties violation?

a. The treasurer has the authority to sign checks but gives the signature block to the assistant treasurer to run the check-signing machine.
b. The warehouse clerk, who has custodial responsibility over inventory in the warehouse, selects the vendor and authorizes purchases when inventories are low.
c. The sales manager has the responsibility to approve credit and the authority to write off accounts.
d. The department time clerk is given the undistributed payroll checks to mail to absent employees.
e. The accounting clerk who shares the record-keeping responsibility for the accounts receivable subsidiary ledger performs the monthly reconciliation of the subsidiary ledger and the control account.

3. The underlying assumption of reasonable assurance regarding implementation of internal control means that

a. the auditor is reasonably assured that fraud has not occurred in the period.
b. auditors are reasonably assured that employee carelessness can weaken an internal control structure.
c. implementation of the control procedure should not have a significant adverse effect on efficiency or profitability.
d. management assertions about control effectiveness should provide auditors with reasonable assurance.
e. a control applies reasonably well to all forms of computer technology.

4. To conceal the theft of cash receipts from customers in payment of their accounts, which of the following journal entries should the bookkeeper make? (DR, CR)

a. Miscellaneous Expense, Cash
b. Petty Cash, Cash
c. Cash, Accounts Receivable
d. Sales Returns, Accounts Receivable
e. None of the above

5. Which of the following controls would best prevent the lapping of accounts receivable?

a. Segregate duties so that the clerk responsible for recording in the accounts receivable subsidiary ledger has no access to the general ledger.
b. Request that customers review their monthly statements and report any unrecorded cash payments.
c. Require customers to send payments directly to the company’s bank.
d. Request that customers make checks payable to the company.
6. Providing timely information about transactions in sufficient detail to permit proper classification and financial reporting is an example of

a. the control environment.
b. risk assessment.
c. information and communication.
d. monitoring.

7. Ensuring that all material transactions processed by the information system are valid and in accordance with management’s objectives is an example of

a. transaction authorization.
b. supervision.
c. accounting records.
d. independent verification.

8. Which of the following is often called a compensating control?

a. transaction authorization
b. supervision
c. accounting records
d. independent verification

9. Which of the following is NOT an element of the fraud triangle?

a. ethics
b. justifiable reliance
c. situational pressure
d. opportunity

10. The fraud scheme that is similar to the ‘‘borrowing from Peter to pay Paul’’ scheme is

a. expense account fraud.
b. bribery.
c. lapping.
d. transaction fraud.