
Ethics, Fraud,

and Internal
Control
• Understand the broad
issues pertaining to
business ethics
• Have a basic
understanding of ethical
issues related to the use
of information technology
• Be able to distinguish
between management
fraud and employee fraud

Intended Learning Outcomes


• Be familiar with
common types of
fraud schemes
• Be familiar with the
key features of SAS
78/ COSO internal
control
• Understand the
objectives and
application of
physical Controls

Intended Learning Outcomes 3


• The analysis of the nature and social impact of computer
technology and the corresponding formulation and
justification of policies for the ethical use of such
technology.

COMPUTER ETHICS 4
• Pop computer ethics
• Para computer ethics
• Theoretical computer ethics

Three levels of Computer Ethics 5
• Control of what and
how much information
is available to others
• Ownership of personal
information
• Corporate use of
personal data (e.g.
buying/selling of
personal information)

PRIVACY 6
• Accuracy of relevant data given to authorized
users
• Distribution of confidential data to unauthorized
users
• Extent of protection to be given to personal data
(e.g. extraction of personal data for legal purposes)

SECURITY (ACCURACY AND CONFIDENTIALITY) 7
• Intellectual Property
and its many forms
• Different ways people
use and access
property
• Copyright laws

8
• Availability of computer technology
to individuals or organizations
• Cultural differences e.g. language
• Differences in physical and cognitive
ability
• Cost-benefit analysis

EQUITY IN ACCESS 9
• Environment concerns are one
aspect of Corporate Social
Responsibility
• Policies regarding excessive
printing
• Proper disposal and recycling

ENVIRONMENTAL ISSUES 10
• Expert systems
• Knowledge base
integrity
• Decision-making
responsibility

ARTIFICIAL INTELLIGENCE 11
• Technology as replacement for human
labor
• Retention of employees replaced by
computer technology

UNEMPLOYMENT AND
DISPLACEMENT 12
• Copying proprietary software
• Use of company computer for
personal benefit
• Looking through someone else’s
files without permission

MISUSE OF COMPUTERS 13
• Law passed by the American Congress to deal with specific
problems relating to capital markets, corporate governance,
and the auditing profession.
• Largely due to ethical misconduct and fraudulent acts by
executives of Enron, WorldCom, and others.

SARBANES-OXLEY ACT 14
Section 406 – Code of
Ethics for Senior
Financial Officers 15
• Required public companies to
disclose to the SEC whether they
have adopted a code of ethics
• Applies to the organization’s chief
executive officer (CEO), CFO,
controllers or persons
performing similar functions

16
•CONFLICT OF
INTEREST

17
•FULL AND FAIR
DISCLOSURE

18
•LEGAL
COMPLIANCE

19
•INTERNAL
REPORTING
CODE
VIOLATIONS
20
•ACCOUNTABILITY

21
• Fraud denotes a false
representation of a material fact
made by one party to another
party with the intent to deceive and
to induce the other party to justifiably
rely on the fact to his/her detriment

Fraud and accountants 22


• False representation
• Material fact
• Intent
• Justifiable reliance
• Injury or loss

FIVE CONDITIONS 23
IT IS AN INTENTIONAL DECEPTION,
MISAPPROPRIATION OF A COMPANY’S
ASSETS OR MANIPULATION OF A
COMPANY’S FINANCIAL DATA TO THE
ADVANTAGE OF THE PERPETRATOR.

24
• White collar crime
• Defalcation
• Embezzlement
• Irregularities

ACCOUNTING LITERATURE 25
LEVELS OF FRAUD
(Encountered by
auditors)
26
THREE STEPS INVOLVE:

• Stealing something of value (an asset)
• Converting the asset to a usable form (cash)
• Concealing the crime to avoid detection

EMPLOYEE FRAUD 27
THREE DEFINING CHARACTERISTICS:

• The fraud is perpetrated at levels of management
above the one to which internal control structures
generally relate.
• The fraud frequently involves using the financial
statements to create an illusion that an entity is
healthier and more prosperous than, in fact, it is.
• If fraud involves misappropriation of assets, it
frequently is shrouded in a maze of complex business
transactions, often involving related third parties.

MANAGEMENT FRAUD 28
• SITUATIONAL PRESSURE
• OPPORTUNITY
• ETHICS

FRAUD TRIANGLE 29
[Figure: the fraud triangle, with Pressure, Opportunity and Ethics at its corners]
REASONS WHY ACTUAL COST OF FRAUD
IS DIFFICULT TO QUANTIFY
• Not all fraud is detected
• Not all are reported (IF DETECTED)
• Incomplete information is gathered
• Information is not properly distributed to
management or law enforcement authorities
• Business organizations decide to take no civil or
criminal actions against the perpetrator/s of fraud

Financial losses from fraud 32


THE
PERPETRATORS OF
FRAUD 33
AMOUNT OF LOSS ($)       PERCENT OF FRAUD
1 – 200,000              53.6%
200,000 – 400,000        11.5%
400,000 – 600,000        5.1%
600,000 – 800,000        3.5%
800,000 – 1,000,000      2.1%
1,000,000 AND ABOVE      23.2%

Distribution of losses 34
POSITION            PERCENT OF FRAUD    LOSS ($)
OWNER/EXECUTIVE     18.9                703,000
MANAGER             36.8                173,000
EMPLOYEE            40.9                65,000
OTHER               3.4                 104,000

Losses from fraud by position 35
EDUCATIONAL LEVEL    LOSS ($)
HIGH SCHOOL          90,000
COLLEGE              200,000
POSTGRADUATE         300,000

Losses from fraud by education level 36
Position
• Individuals in the highest position within an organization are
beyond internal control and have the greatest access to
company funds and assets

Gender
• Women are not fundamentally more honest than men, but
men occupy high corporate positions in greater numbers than
women

Conclusions to be drawn 37
Age
• Older employees tend to occupy higher ranking
positions

Education
• Those with more educational background occupy
higher-ranking positions

Collusion

38
It is an illegal
enterprise (such as
extortion or fraud or
drug peddling or
prostitution) carried on
for profit.

FRAUD SCHEME 39
THREE CATEGORIES
40
• Associated with management fraud
• Fraud involves some form of financial
misstatement
• Financial misrepresentation must itself bring
direct or indirect financial benefit to the
perpetrator

FRAUDULENT STATEMENTS 41
Lack of Auditor Independence
• Engaged by their clients to perform
nonaccounting activities

Lack of Director Independence

Underlying problems 42
Questionable Executive Compensation Schemes
• Executives have abused stock-based compensation

Inappropriate Accounting practices


• Use of special-purpose entities to hide liabilities
through off-balance-sheet accounting

43
• The act establishes a framework to
modernize and reform the oversight and
regulation of public company auditing

Sarbanes-Oxley Act and Fraud 44
Creation of an accounting oversight board
• SOX created a public company accounting oversight
board. It is empowered to set auditing, quality control,
and ethics standards, to inspect registered accounting
firms, conduct investigations, and take disciplinary
actions

Principal reforms to pertain: 45


Auditor Independence
• Creating separation between a firm’s attestation and
nonauditing activities
• Specify categories of services that a public accounting
firm cannot perform for its clients

Corporate Governance and responsibility


• Requires all audit committee members to be independent
and requires the audit committee to hire and oversee
external auditors

46
Two related provisions of Corporate Governance and
responsibility:
1. Public companies are prohibited from making loans to
executive officers and directors
2. Requires attorneys to report evidence of a material
violation of securities laws or breaches of fiduciary duty

Issuer and management disclosure


• Public companies must report all off-balance-sheet
transactions
• Annual reports are filed
47
• it involves an
executive,
manager, or
employee of the
organization in
collusion with an
outsider.

CORRUPTION 48
• It involves giving, offering, soliciting, or
receiving things of value to influence an
official in the performance of his or her
lawful duties.
• Officials may be employed by government
(or regulatory) agencies or by private
organizations.

Bribery 49
• it involves giving,
receiving, offering, or
soliciting something
of value because of an
official act that has
been taken. This is
similar to a bribe, but
the transaction occurs
after the fact.

Illegal Gratuities 50
• it occurs when an
employee acts on
behalf of a third party
during the discharge
of his or her duties or
has self-interest in the
activity being
performed.

Conflict of Interest 51
• It is the use (or
threat) of force
(including economic
sanctions) by an
individual or
organization to
obtain something of
value.

Economic Extortion 52
• Skimming - involves stealing cash from an organization before
it is recorded on the organization’s books and records.
• Cash larceny - involves schemes in which cash receipts are
stolen from an organization after they have been recorded in the
organization’s books and records. For example, lapping.
• Billing schemes - also known as vendor fraud, are perpetrated
by employees who cause their employer to issue a payment to
a false supplier or vendor by submitting invoices for fictitious
goods or services.
• Check tampering - involves forging or changing in some
material way a check that the organization has written to a
legitimate payee.

Different types of fraud schemes 53
• Payroll fraud - is the distribution of fraudulent paychecks to existent
and/or nonexistent employees. For example, a supervisor keeps an
employee on the payroll who has left the organization.
• Expense reimbursement frauds- are schemes in which an employee
makes a claim for reimbursement of fictitious or inflated business
expenses.
• Thefts of cash - are schemes that involve the direct theft of cash on
hand in the organization.
• Non-cash fraud schemes - involve the theft or misuse of the victim
organization’s non-cash assets.
• Computer fraud – refers to the act of using a computer to take or
alter electronic data, or to gain unlawful use of a computer or system.

54
• The internal control system comprises policies, practices,
and procedures employed by the organization to achieve
four broad objectives:

1. To safeguard assets of the firm.


2. To ensure the accuracy and reliability of accounting
records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed
policies and procedures

Internal Control and Concepts and Techniques 55
• Management Responsibility - holds that the
establishment and maintenance of a system of internal
control is the responsibility of management.
• Reasonable Assurance - means that no system of internal
control is perfect and the cost of achieving improved
control should not outweigh its benefits.
• Methods of data processing - Internal controls should
achieve the four broad objectives regardless of the data
processing method used.
• Limitations - every system of internal control has
limitations on its effectiveness.

Four Modifying Assumptions 56


• Exposure – is the absence or weakness of a control.
• The weakness in internal control may expose the firm to
one or more of the following types of risks:

1. Destruction of assets (both physical assets and
information).
2. Theft of assets.
3. Corruption of information or the information
system.
4. Disruption of the information system.

Exposures and Risks 57


58
4 Broad Objectives

1. To safeguard assets of the firm.


2. To ensure the accuracy and reliability of accounting
records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed
policies and procedures.

Internal Control Concepts and Techniques 59
Modifying Assumptions
• Four modifying assumptions

Management Responsibility
• Holds the maintenance and establishment of a system
of control

Reasonable Assurance
• Cost-effective

Methods of Data Processing


• Different types of technology

60
Limitations
• The possibility of error,
• Circumvention,
• Management override

Exposures and Risk


• Shield that protects a firm's assets

Exposure
• The absence or weakness of a control is called an
exposure

61
Risks
1. Destruction of assets (both physical assets and
information).
2. Theft of assets.
3. Corruption of information or the information
system.
4. Disruption of the information system

62
The Preventive–
Detective–Corrective
Internal Control Model 63
64
PREVENTIVE CONTROLS
• Prevention is the first line of defense in the control
structure. Preventive controls are passive techniques
designed to reduce the frequency of occurrence of
undesirable events. Preventive controls force compliance
with prescribed or desired actions and thus screen out
aberrant events

DETECTIVE CONTROLS
• Detective controls form the second line of defense. These
are devices, techniques, and procedures designed to
identify and expose undesirable events that elude
preventive controls.

65
• Sarbanes-Oxley legislation requires
management of public companies to
implement an adequate system of internal
controls over their financial reporting
process.

Sarbanes-Oxley and Internal Control 66
The Control Environment

• The control environment is the foundation for the
other four control components. The control
environment sets the tone for the organization
and influences the control awareness of its
management and employees.

SAS 78/COSO INTERNAL CONTROL FRAMEWORK 67
• The integrity and ethical values of management.
• The structure of the organization.
• The participation of the organization’s board of directors
and the audit committee, if one exists.
• Management’s philosophy and operating style.
• The procedures for delegating responsibility and authority.
• Management’s methods for assessing performance.
• External influences, such as examinations by regulatory
agencies.
• The organization’s policies and practices for managing its
human resources.

Important Elements 68
• SAS 78/COSO requires that auditors obtain sufficient
knowledge to assess the attitude and awareness of the
organization’s management, board of directors, and owners
regarding internal control. The following paragraphs provide
examples of techniques that may be used to obtain an
understanding of the control environment

1. Auditors should assess the integrity of the organization’s
management and may use investigative agencies to report on
the backgrounds of key managers.

2. Auditors should be aware of conditions that would
predispose the management of an organization to commit
fraud.

69
3. Auditors should understand a client’s business and industry
and should be aware of conditions peculiar to the industry that
may affect the audit.

4. The board of directors should adopt, as a minimum, the
provisions of SOX. In addition, the following guidelines
represent established best practices:
• Separate CEO and chairman
• Set ethical standards
• Establish an independent audit committee
• Compensation committees
• Nominating committees
• Access to outside professionals
70
Organizations must perform a risk assessment to identify,
analyze, and manage risks relevant to financial reporting.

Risks can arise or change from circumstances such as:


• Changes in the operating environment that impose new or
changed competitive pressures on the firm.
• New personnel who have a different or inadequate
understanding of internal control.
• New or reengineered information systems that affect
transaction processing.
• Significant and rapid growth that strains existing internal
controls.

Risk Assessment 71
The accounting information system consists of the records and
methods used to initiate, identify, analyze, classify, and record the
organization’s transactions and to account for the related assets
and liabilities.

An effective accounting information system will:


• Identify and record all valid financial transactions.
• Provide timely information about transactions in sufficient
detail to permit proper classification and financial reporting.
• Accurately measure the financial value of transactions so their
effects can be recorded in financial statements.
• Accurately record transactions in the time period in which they
occurred.

Information and Communication 72


• Monitoring is the process by which the quality of internal
control design and operation can be assessed.
• An organization’s internal auditors may monitor the
entity’s activities in separate procedures. They gather
evidence of control adequacy by testing controls and then
communicate control strengths and weaknesses to
management. As part of this process, internal auditors
make specific recommendations for improvements to
controls.
• Achieved by: Integrating special computer modules into
the information system & Judicious use of management
reports

Monitoring 73
• Control activities are the policies and procedures
used to ensure that appropriate actions are taken
to deal with the organization’s identified risks.

Control Activities 74
IT CONTROLS
• IT controls relate specifically to the computer environment.
They fall into two broad groups: general controls and
application controls.
• General controls pertain to entity-wide concerns such as
controls over the data center, organization databases, systems
development, and program maintenance
• Application controls ensure the integrity of specific systems
such as sales order processing, accounts payable, and payroll
applications.

PHYSICAL CONTROLS
• This class of controls relates primarily to the human activities
employed in accounting systems.

75
Six categories of physical
control activities
76
TRANSACTION AUTHORIZATION.
• The purpose of transaction authorization is to ensure that
all material transactions processed by the information
system are valid and in accordance with management’s
objectives. Authorizations may be general or specific

SEGREGATION OF DUTIES
• One of the most important control activities is the
segregation of employee duties to minimize incompatible
functions. Segregation of duties can take many forms,
depending on the specific duties to be controlled.

77
78
SUPERVISION
• In small organizations or in functional areas that lack
sufficient personnel, management must compensate for the
absence of segregation controls with close supervision.

ACCOUNTING RECORDS
• The accounting records of an organization consist of source
documents, journals, and ledgers.

ACCESS CONTROL
• The purpose of access controls is to ensure that only
authorized personnel have access to the firm’s assets.
Unauthorized access exposes assets to misappropriation,
damage, and theft.

79
• Verification procedures are independent checks of the
accounting system to identify errors and misrepresentations.
Verification differs from supervision because it takes place
after the fact, by an individual who is not directly involved
with the transaction or task being verified. Supervision takes
place while the activity is being performed, by a supervisor
with direct responsibility for the task

• Through independent verification procedures, management can
assess (1) the performance of individuals, (2) the integrity of
the transaction processing system, and (3) the correctness of
data contained in accounting records

INDEPENDENT VERIFICATION 80
