Ais Chapter 3


AIS CHAPTER 3: ETHICS, FRAUD, INTERNAL CONTROL

• Ethical standards are derived from societal mores and deep-rooted personal beliefs about issues of right and wrong that are not universally agreed upon.
• Ethics - pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong.

Business ethics involves finding the answers to two questions:
(1) How do managers decide what is right in conducting their business?
(2) Once managers have recognized what is right, how do they achieve it?

• Ethical issues in business can be divided into four areas:

Equity: Executive Salaries; Comparable Worth; Product Pricing
Rights: Corporate Due Process; Employee Health Screening; Employee Privacy; Sexual Harassment; Diversity; Equal Employment Opportunity; Whistle-Blowing
Honesty: Employee and Management Conflicts of Interest; Security of Organization Data and Records; Misleading Advertising; Questionable Business Practices in Foreign Countries; Accurate Reporting of Shareholder Interests
Exercise of corporate power: Political Action Committees; Workplace Safety; Product Safety; Environmental Issues; Divestment of Interests; Corporate Political Contributions; Downsizing and Plant Closures

• Business organizations have conflicting responsibilities to their employees, shareholders, customers, and the public. Seeking a balance between these consequences is the managers’ ethical responsibility.

Ethical principles
PROPORTIONALITY. The benefit from a decision must outweigh the risks.
   Justice. The benefits of the decision should be distributed fairly to those who share the risks. Those who do not benefit should not carry the burden of risk.
   Minimize risk. Even if judged acceptable by the principles, the decision should be implemented so as to minimize all of the risks and avoid any unnecessary risks.

• COMPUTER ETHICS - analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology.
• Three levels of computer ethics
1) Pop computer ethics is simply the exposure to stories and reports found in the popular media regarding the good or bad ramifications of computer technology.
2) Para computer ethics involves taking a real interest in computer ethics cases and acquiring some level of skill and knowledge in the field.
3) Theoretical computer ethics is of interest to multidisciplinary researchers who apply the theories of philosophy, sociology, and psychology to computer science with the goal of bringing some new understanding to the field.

• Several issues of concern for students of accounting information systems
1) Privacy - People desire to be in full control of what and how much information about themselves is available to others, and to whom it is available. This raises the issue of ownership in the personal information industry.
2) Security (Accuracy and Confidentiality) - Computer security is an attempt to avoid such undesirable events as a loss of confidentiality or data integrity.
3) Ownership of Property
4) Equity in Access
5) Environmental Issues
6) Artificial Intelligence
7) Unemployment and Displacement
8) Misuse of Computers

• Sarbanes-Oxley Act (SOX) is the most significant securities law since the Securities and Exchange Commission (SEC) Acts of 1933 and 1934.

Section 406—Code of Ethics for Senior Financial Officers

• Section 406 of SOX requires public companies to disclose to the SEC whether they have adopted a code of ethics that applies to the organization’s chief executive officer (CEO), CFO, controller, or persons performing similar functions.

A public company may disclose its code of ethics in several ways:
(1) included as an exhibit to its annual report,
(2) as a posting to its Web site, or
(3) by agreeing to provide copies of the code upon request.

Whereas Section 406 applies specifically to executive and financial officers of a company, a company’s code of ethics should apply equally to all employees.

Top management’s attitude toward ethics sets the tone for business practice, but it is also the responsibility of lower-level managers and nonmanagers to uphold a firm’s ethical standards.

• The SEC has ruled that compliance with Section 406 necessitates a written code of ethics that addresses the following ethical issues:
1) CONFLICTS OF INTEREST. The company’s code of ethics should outline procedures for dealing with actual or apparent conflicts of interest between personal and professional relationships.
2) FULL AND FAIR DISCLOSURES.
   o The organization should provide full, fair, accurate, timely, and understandable disclosures in the documents, reports, and financial statements that it submits to the SEC and to the public.
   o Future disclosures are candid, open, truthful, and void of such deceptions.
3) LEGAL COMPLIANCE. Codes of ethics should require employees to follow applicable governmental laws, rules, and regulations.
4) INTERNAL REPORTING OF CODE VIOLATIONS.
   o The code of ethics must provide a mechanism to permit prompt internal reporting of ethics violations.
   o This provision is similar in nature to Sections 301 and 806, which were designed to encourage and protect whistle-blowers.
5) ACCOUNTABILITY. Employees must see an employee hotline as credible, or they will not use it.

Fraud and Accountants

Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit.

• The objective of SAS 99 is to seamlessly blend the auditor’s consideration of fraud into all phases of the audit process.
• SAS 99 requires the auditor to perform new steps such as brainstorming during audit planning to assess the potential risk of material misstatement of the financial statements from fraud schemes.

Fraud
• Denotes a false representation of a material fact made by one party to another party with the intent to deceive and induce the other party to justifiably rely on the fact to his or her detriment.
• It is an intentional deception, misappropriation of a company’s assets, or manipulation of its financial data to the advantage of the perpetrator.
• In accounting literature, commonly known as white-collar crime, defalcation, embezzlement, and irregularities.

A fraudulent act must meet the following five conditions:
1. False representation. There must be a false statement or a nondisclosure.
2. Material fact. A fact must be a substantial factor in inducing someone to act.
3. Intent. There must be the intent to deceive or the knowledge that one’s statement is false.
4. Justifiable reliance. The misrepresentation must have been a substantial factor on which the injured party relied.
5. Injury or loss. The deception must have caused injury or loss to the victim of the fraud.

Auditors encounter fraud at two levels:
1. Employee fraud
2. Management fraud

• Employee fraud, or fraud by nonmanagement employees
Generally designed to directly convert cash or other assets to the employee’s personal benefit. Typically, the employee circumvents the company’s internal control system for personal gain.

Employee fraud usually involves three steps:
(1) Stealing something of value (an asset)
(2) Converting the asset to a usable form (cash)
(3) Concealing the crime to avoid detection. This is the most difficult.

• Management fraud
   o More insidious than employee fraud because it often escapes detection until the organization has suffered irreparable damage or loss.
   o Management fraud usually does not involve the direct theft of assets.
   o Involves deceptive practices to inflate earnings or to forestall the recognition of either insolvency or a decline in earnings.

Three special characteristics:
1. The fraud is perpetrated at levels of management above the one to which internal control structures generally relate.
2. The fraud frequently involves using the financial statements to create an illusion that an entity is healthier and more prosperous than, in fact, it is.
3. If the fraud involves misappropriation of assets, it frequently is shrouded in a maze of complex business transactions, often involving related third parties.

THE FRAUD TRIANGLE
Three factors that contribute to or are associated with management and employee fraud:
(1) Situational Pressure, which includes personal or job-related stresses that could coerce an individual to act dishonestly;
(2) Opportunity, which involves direct access to assets and/or access to information that controls assets;
(3) Ethics, which pertains to one’s character and degree of moral opposition to acts of dishonesty.
The actual cost of fraud is, however, difficult to quantify for a number of reasons:
(1) not all fraud is detected
(2) of that detected, not all is reported
(3) in many fraud cases, incomplete information is gathered
(4) information is not properly distributed to management or law enforcement authorities
(5) too often, business organizations decide to take no civil or criminal action against the perpetrator(s) of fraud.

THE PERPETRATORS OF FRAUDS
   o Fraud Losses by Position within the Organization
   o Fraud Losses and the Collusion Effect
   o Collusion among employees in the commission of a fraud is difficult to both prevent and detect.
   o Fraud Losses by Gender
   o Fraud Losses by Age
   o Fraud Losses by Education

• Opportunity is the factor that actually facilitates the act (fraud).

Opportunity - access to assets and/or the information that controls assets.

The opportunity factor explains much of the financial loss differential in each of the demographic categories:

Position. Individuals in the highest positions within an organization are beyond the internal control structure and have the greatest access to company funds and assets.
Gender. Women are not fundamentally more honest than men, but men occupy high corporate positions in greater numbers than women. This affords men greater access to assets.
Age. Older employees tend to occupy higher-ranking positions and therefore generally have greater access to company assets.
Education. Generally, those with more education occupy higher positions in their organizations and therefore have greater access to company funds and other assets.
Collusion. When individuals in critical positions collude, they create opportunities to control or gain access to assets that otherwise would not exist.

FRAUD SCHEMES
Three broad categories of fraud schemes are defined:
• Fraudulent statements
• Corruption
• Asset misappropriation

• Fraudulent statements are associated with management fraud.

The Underlying Problems:
1. Lack of Auditor Independence
2. Lack of Director Independence
3. Questionable Executive Compensation Schemes
4. Inappropriate Accounting Practices

• Corruption

Corruption involves an executive, manager, or employee of the organization in collusion with an outsider.
Four principal types of corruption:
1. Bribery
2. Illegal gratuities
3. Conflicts of interest
4. Economic extortion

1. BRIBERY. Bribery involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties.
2. ILLEGAL GRATUITIES.
   • An illegal gratuity involves giving, receiving, offering, or soliciting something of value because of an official act that has been taken.
   • This is similar to a bribe, but the transaction occurs after the fact.
3. CONFLICTS OF INTEREST. A conflict of interest occurs when an employee acts on behalf of a third party during the discharge of his or her duties or has self-interest in the activity being performed.
4. ECONOMIC EXTORTION is the use (or threat) of force (including economic sanctions) by an individual or organization to obtain something of value.

• Asset Misappropriation
The most common fraud schemes involve some form of asset misappropriation in which assets are either directly or indirectly diverted to the perpetrator’s benefit.

• Skimming involves stealing cash from an organization before it is recorded on the organization’s books and records.
  Example:
   • an employee who accepts payment from a customer but does not record the sale
   • mail room fraud in which an employee opening the mail steals a customer’s check and destroys the associated remittance advice
• Cash larceny involves schemes in which cash receipts are stolen from an organization after they have been recorded in the organization’s books and records.
  Example: Lapping
• Billing schemes, also known as vendor fraud, are perpetrated by employees who cause their employer to issue a payment to a false supplier or vendor by submitting invoices for fictitious goods or services, inflated invoices, or invoices for personal purchases.
  Three examples of billing schemes:
   • Shell company fraud first requires that the perpetrator establish a false supplier on the books of the victim company.
   • Pass-through fraud is similar to the shell company fraud with the exception that a transaction actually takes place.
   • Pay-and-return fraud involves a clerk with check-writing authority who pays a vendor twice for the same products (inventory or supplies) received.
• Check tampering involves forging or changing in some material way a check that the organization has written to a legitimate payee.
• Payroll fraud is the distribution of fraudulent paychecks to existent and/or nonexistent employees.
• Expense reimbursement frauds are schemes in which an employee makes a claim for reimbursement of fictitious or inflated business expenses.
• Thefts of cash are schemes that involve the direct theft of cash on hand in the organization.
• Non-cash fraud schemes involve the theft or misuse of the victim organization’s non-cash assets.
• Computer Fraud

Internal Control Concepts and Techniques

The internal control system comprises policies, practices, and procedures employed by the organization to achieve four broad objectives:
1) To safeguard assets of the firm.
2) To ensure the accuracy and reliability of accounting records and information.
3) To promote efficiency in the firm’s operations.
4) To measure compliance with management’s prescribed policies and procedures.

Inherent in these control objectives are four modifying assumptions that guide designers and auditors of internal controls:
• MANAGEMENT RESPONSIBILITY. This concept holds that the establishment and maintenance of a system of internal control is a management responsibility.
• REASONABLE ASSURANCE. The four broad objectives of internal control are met in a cost-effective manner.
• METHODS OF DATA PROCESSING. Internal controls should achieve the four broad objectives regardless of the data processing method used.
• LIMITATIONS.
   • possibility of error
   • circumvention
   • management override
   • changing conditions

• The absence or weakness of a control is called an exposure.
A weakness in internal control may expose the firm to one or more of the following types of risks:
1. Destruction of assets (both physical assets and information).
2. Theft of assets.
3. Corruption of information or the information system.
4. Disruption of the information system.

The Preventive–Detective–Corrective Internal Control Model (PDC Control Model)
• Preventive controls are passive techniques designed to reduce the frequency of occurrence of undesirable events.
• Detective controls form the second line of defense. These are devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.
• Corrective controls are actions taken to reverse the effects of errors detected in the previous step.

Sarbanes-Oxley and Internal Control

Section 404 requires the management of public companies to assess the effectiveness of their organization’s internal controls.

SAS 78/COSO INTERNAL CONTROL FRAMEWORK
Five components:
1. Control environment
   • the foundation for the other four control components
   • sets the tone for the organization
2. Risk assessment
   • to identify, analyze, and manage risks relevant to financial reporting
3. Information and communication
   • consists of the records and methods used to initiate, identify, analyze, classify, and record the organization’s transactions and to account for the related assets and liabilities
4. Monitoring
   • the process by which the quality of internal control design and operation can be assessed
5. Control activities
   • policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks
   • two distinct categories:
     1. Information technology (IT) controls
     2. Physical controls

IT CONTROLS relate specifically to the computer environment.
Two broad groups:
1. General controls - pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance.
2. Application controls - ensure the integrity of specific systems such as sales order processing, accounts payable, and payroll applications.

PHYSICAL CONTROLS. This class of controls relates primarily to the human activities employed in accounting systems.
Six categories of physical control activities:
1) Transaction Authorization is to ensure that all material transactions processed by the information system are valid and in accordance with management’s objectives.
2) Segregation of duties. One of the most important control activities is the segregation of employee duties to minimize incompatible functions.
3) Supervision. Management must compensate for the absence of segregation controls with close supervision.
4) Accounting records consist of source documents, journals, and ledgers. These records capture the economic essence of transactions and provide an audit trail of economic events.
5) Independent Verification. Verification procedures are independent checks of the accounting system to identify errors and misrepresentations.

Through independent verification procedures, management can assess
(1) the performance of individuals,
(2) the integrity of the transaction processing system, and
(3) the correctness of data contained in accounting records.
