1. Computer ethics involves analyzing the social impact of technology and justifying policies for its ethical use, including concerns about privacy, ownership, and equity in access.
2. Ethical issues in business and computing can be divided into areas like equity, rights, honesty, and power, with responsibilities of proportionality, justice and minimizing risk.
3. Fraud detection guidelines provided in SAS 99 aim to seamlessly consider fraud risks at all audit stages, recognizing pressures, opportunities, and ethics that can contribute to management or employee fraud.
Ethical standards are derived from societal mores and deep-rooted personal beliefs about issues of right and wrong that are not universally agreed upon.

Ethics pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong.

Business ethics involves finding the answers to two questions: (1) How do managers decide what is right in conducting their business? and (2) Once managers have recognized what is right, how do they achieve it?

Ethical issues in business can be divided into
o Four areas: equity, rights, honesty, and the exercise of corporate power.

Ethical responsibility
PROPORTIONALITY. The benefit from a decision must outweigh the risks. Furthermore, there must be no alternative decision that provides the same or greater benefit with less risk.
1. Justice. The benefits of the decision should be distributed fairly to those who share the risks. Those who do not benefit should not carry the burden of risk.
2. Minimize risk. Even if judged acceptable by the principles, the decision should be implemented so as to minimize all of the risks and avoid any unnecessary risks.

Computer ethics is “the analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology.… [This includes] concerns about software as well as hardware and concerns about networks connecting computers as well as computers themselves.”

Three levels of computer ethics: pop, para, and theoretical.
Pop computer ethics is simply the exposure to stories and reports found in the popular media regarding the good or bad ramifications of computer technology.
Para computer ethics involves taking a real interest in computer ethics cases and acquiring some level of skill and knowledge in the field.
Theoretical computer ethics is of interest to multidisciplinary researchers who apply the theories of philosophy, sociology, and psychology to computer science with the goal of bringing some new understanding to the field.

COMPUTER ETHICS (PSOEEAUM)
Privacy. People desire to be in full control of what and how much information about themselves is available to others, and to whom it is available.
1. Ownership. The creation and maintenance of huge, shared databases make it necessary to protect people from the potential misuse of data.
Computer security is an attempt to avoid such undesirable events as a loss of confidentiality or data integrity.
Ownership of Property. Laws designed to preserve real property rights have been extended to cover what is referred to as intellectual property, that is, software.
Equity in Access. Some barriers to access are intrinsic to the technology of information systems, but some are avoidable through careful system design.
Environmental Issues. Computers with high-speed printers allow for the production of printed documents faster than ever before.
Artificial Intelligence. A new set of social and ethical issues has arisen out of the popularity of expert systems. Because of the way these systems have been marketed—that is, as decision makers or replacements for experts—some people rely on them significantly.
o Knowledge engineers (those who write the programs)
o Domain experts (those who provide the knowledge about the task being automated)
Unemployment and Displacement. Many jobs have been and are being changed as a result of the availability of computer technology. People unable or unprepared to change are displaced.
Misuse of Computers. Computers can be misused in many ways. Copying proprietary software, using a company’s computer for personal benefit, and snooping through other people’s files are just a few obvious examples.

The Sarbanes-Oxley Act (SOX) is the most significant securities law since the Securities and Exchange Commission (SEC) Acts of 1933 and 1934. SOX has many provisions designed to deal with specific problems relating to capital markets, corporate governance, and the auditing profession.

SARBANES-OXLEY ACT AND ETHICAL ISSUES (CFLIA)
Section 406 of SOX requires public companies to disclose to the SEC whether they have adopted a code of ethics that applies to the organization’s chief executive officer (CEO), CFO, controller, or persons performing similar functions.
CONFLICTS OF INTEREST. The company’s code of ethics should outline procedures for dealing with actual or apparent conflicts of interest between personal and professional relationships.
FULL AND FAIR DISCLOSURES. This provision states that the organization should provide full, fair, accurate, timely, and understandable disclosures in the documents, reports, and financial statements that it submits to the SEC and to the public.
LEGAL COMPLIANCE. Codes of ethics should require employees to follow applicable governmental laws, rules, and regulations.
INTERNAL REPORTING OF CODE VIOLATIONS. The code of ethics must provide a mechanism to permit prompt internal reporting of ethics violations.
ACCOUNTABILITY. An effective ethics program must take appropriate action when code violations occur. This will include various disciplinary measures, including dismissal.

Fraud and Accountants
Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit. The current authoritative guidelines on fraud detection are presented. The objective of SAS 99 is to seamlessly blend the auditor’s consideration of fraud into all phases of the audit process.

Fraud denotes a false representation of a material fact made by one party to another party with the intent to deceive and induce the other party to justifiably rely on the fact to his or her detriment. According to common law, a fraudulent act must meet the following five conditions: (FMIJI)
1. False representation. There must be a false statement or a nondisclosure.
2. Material fact. A fact must be a substantial factor in inducing someone to act.
3. Intent. There must be the intent to deceive or the knowledge that one’s statement is false.
4. Justifiable reliance. The misrepresentation must have been a substantial factor on which the injured party relied.
5. Injury or loss. The deception must have caused injury or loss to the victim of the fraud.

Fraud is also commonly known as white-collar crime, defalcation, embezzlement, and irregularities.

Employee fraud, or fraud by non-management employees, is generally designed to directly convert cash or other assets to the employee’s personal benefit.
Employee fraud usually involves three steps:
(1) stealing something of value (an asset),
(2) converting the asset to a usable form (cash),
(3) concealing the crime to avoid detection.

Management fraud is more insidious than employee fraud because it often escapes detection until the organization has suffered irreparable damage or loss.
Management fraud typically contains three special characteristics:
1. The fraud is perpetrated at levels of management above the one to which internal control structures generally relate.
2. The fraud frequently involves using the financial statements to create an illusion that an entity is healthier and more prosperous than, in fact, it is.
3. If the fraud involves misappropriation of assets, it frequently is shrouded in a maze of complex business transactions, often involving related third parties.

Fraud triangle consists of three factors that contribute to or are associated with management and employee fraud. These are (SOE)
(1) situational pressure, which includes personal or job-related stresses that could coerce an individual to act dishonestly;
(2) opportunity, which involves direct access to assets and/or access to information that controls assets; and
(3) ethics, which pertains to one’s character and degree of moral opposition to acts of dishonesty.

Demographic categories presented in the ACFE study:
Position. Individuals in the highest positions within an organization are beyond the internal control structure and have the greatest access to company funds and assets.
Gender. Women are not fundamentally more honest than men, but men occupy high corporate positions in greater numbers than women. This affords men greater access to assets.
Age. Older employees tend to occupy higher-ranking positions and therefore generally have greater access to company assets.
Education. Generally, those with more education occupy higher positions in their organizations and therefore have greater access to company funds and other assets.
Collusion. One reason for segregating occupational duties is to deny potential perpetrators the opportunity they need to commit fraud. When individuals in critical positions collude, they create opportunities to control or gain access to assets that otherwise would not exist.

FRAUD SCHEMES
Three broad categories of fraud schemes are defined:
o fraudulent statements,
o corruption, and
o asset misappropriation.

Fraudulent statements are associated with management fraud. Whereas all fraud involves some form of financial misstatement, to meet the definition under this class of fraud scheme the statement itself must bring direct or indirect financial benefit to the perpetrator.
1. Lack of Auditor Independence
2. Lack of Director Independence
3. Questionable Executive Compensation Schemes
4. Inappropriate Accounting Practices

The act establishes a framework to modernize and reform the oversight and regulation of public company auditing. Its principal reforms pertain to
(1) the creation of an accounting oversight board,
(2) auditor independence,
(3) corporate governance and responsibility,
(4) disclosure requirements, and
(5) penalties for fraud and other violations.

Corruption involves an executive, manager, or employee of the organization in collusion with an outsider.
1. Bribery involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties.
2. Illegal gratuity involves giving, receiving, offering, or soliciting something of value because of an official act that has been taken.
3. Conflict of interest occurs when an employee acts on behalf of a third party during the discharge of his or her duties or has self-interest in the activity being performed.
4. Economic extortion is the use (or threat) of force (including economic sanctions) by an individual or organization to obtain something of value. The item of value could be a financial or economic asset, information, or cooperation to obtain a favorable decision on some matter under review.

Asset Misappropriation. The most common fraud schemes involve some form of asset misappropriation in which assets are either directly or indirectly diverted to the perpetrator’s benefit.
1. Skimming involves stealing cash from an organization before it is recorded on the organization’s books and records. (Mail room F)
2. Cash larceny involves schemes in which cash receipts are stolen from an organization after they have been recorded in the organization’s books and records. (Lapping)
3. Billing schemes, also known as vendor fraud, are perpetrated by employees who cause their employer to issue a payment to a false supplier or vendor by submitting invoices for fictitious goods or services, inflated invoices, or invoices for personal purchases.
o Shell company fraud first requires that the perpetrator establish a false supplier on the books of the victim company.
o Pass-through fraud is similar to the shell company fraud with the exception that a transaction actually takes place.
o Pay-and-return scheme is a third form of vendor fraud. This typically involves a clerk with check-writing authority who pays a vendor twice for the same products (inventory or supplies) received.
4. Check tampering involves forging or changing in some material way a check that the organization has written to a legitimate payee.
5. Payroll fraud is the distribution of fraudulent paychecks to existent and/or nonexistent employees.
6. Expense reimbursement frauds are schemes in which an employee makes a claim for reimbursement of fictitious or inflated business expenses.
7. Thefts of cash are schemes that involve the direct theft of cash on hand in the organization.
8. Non-cash fraud schemes involve the theft or misuse of the victim organization’s non-cash assets.
9. Computer fraud

Internal Control System comprises policies, practices, and procedures employed by the organization to achieve objectives.
o Four broad objectives:
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies and procedures.

Modifying Assumptions
o MANAGEMENT RESPONSIBILITY. This concept holds that the establishment and maintenance of a system of internal control.
o REASONABLE ASSURANCE. The internal control system should provide reasonable assurance that the four broad objectives of internal control are met in a cost-effective manner.
o METHODS OF DATA PROCESSING. Internal controls should achieve the four broad objectives regardless of the data processing method used.
o LIMITATIONS. Every system of internal control has limitations on its effectiveness.
1. Possibility of error
2. Circumvention
3. Management override
4. Changing Condition

The absence or weakness of a control is called an exposure. Weakness in internal control may expose the firm to one or more of the following types of risks:
1. Destruction of assets (both physical assets and information).
2. Theft of assets.
3. Corruption of information or the information system.
4. Disruption of the information system.

Internal control shield is composed of three levels of control:
o preventive controls,
o detective controls, and
o corrective controls.
This is the preventive–detective–corrective (PDC) control model.

PREVENTIVE CONTROLS. Prevention is the first line of defense in the control structure. Preventive controls are passive techniques designed to reduce the frequency of occurrence of undesirable events.

DETECTIVE CONTROLS. Detective controls form the second line of defense. These are devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.

CORRECTIVE CONTROLS. Corrective controls are actions taken to reverse the effects of errors detected in the previous step. There is an important distinction between detective controls and corrective controls.

SAS 78/COSO INTERNAL CONTROL FRAMEWORK
o Five components: Control Environment, Risk Assessment, Information and Communication, Monitoring, and Control Activities

1. The control environment is the foundation for the other four control components. The control environment sets the tone for the organization and influences the control awareness of its management and employees.
2. Risk Assessment. Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to financial reporting.
3. Information and Communication. The accounting information system consists of the records and methods used to initiate, identify, analyze, classify, and record the organization’s transactions and to account for the related assets and liabilities.
4. Monitoring. Management must determine that internal controls are functioning as intended. Monitoring is the process by which the quality of internal control design and operation can be assessed. This may be accomplished by separate procedures or by ongoing activities.
5. Control Activities. Control activities are the policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks. Control activities can be grouped into two distinct categories: information technology (IT) controls and physical controls.

IT CONTROLS. IT controls relate specifically to the computer environment. They fall into
o Two broad groups: general controls and application controls.
General controls pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance.
Application controls ensure the integrity of specific systems such as sales order processing, accounts payable, and payroll applications.

PHYSICAL CONTROLS. This class of controls relates primarily to the human activities employed in accounting systems. These activities may be purely manual, such as the physical custody of assets, or they may involve the physical use of computers to record transactions or update accounts.

TRANSACTION AUTHORIZATION. The purpose of transaction authorization is to ensure that all material transactions processed by the information system are valid and in accordance with management’s objectives.

SEGREGATION OF DUTIES. One of the most important control activities is the segregation of employee duties to minimize incompatible functions. Segregation of duties can take many forms, depending on the specific duties to be controlled.

SUPERVISION. Implementing adequate segregation of duties requires that a firm employ a sufficiently large number of employees. Achieving adequate segregation of duties often presents difficulties for small organizations.

ACCOUNTING RECORDS. The accounting records of an organization consist of source documents, journals, and ledgers. These records capture the economic essence of transactions and provide an audit trail of economic events.

ACCESS CONTROL. The purpose of access controls is to ensure that only authorized personnel have access to the firm’s assets.

INDEPENDENT VERIFICATION. Verification procedures are independent checks of the accounting system to identify errors and misrepresentations.