This document discusses ethics, fraud, and internal controls. It defines fraud and describes four categories of accounting fraud: management fraud, employee fraud, customer fraud, and vendor fraud. It also discusses the nature and examples of each category. The document emphasizes that while internal controls and codes of ethics can help reduce fraud, they cannot eliminate it entirely due to human factors. It describes key elements of an effective internal control system based on the COSO framework, including control environment, risk assessment, control activities, information/communication, and monitoring. The overall goal of internal controls is to provide reasonable but not absolute assurance that an organization's objectives will be achieved.


Chapter 3 - Ethics, Fraud, And Internal Control

Instructor's Manual
Introduction To The Need For A Code Of Ethics And Internal Controls. If the top
management of a company emphasizes ethical behavior, models ethical behavior,
and hires ethical employees, the chance of fraud or ethical lapses can be reduced.
In addition to acting ethically, the management of any organization has an obligation
to maintain a set of processes and procedures that assure accurate and complete
records and protection of assets. Management has a stewardship responsibility,
which is the careful and responsible oversight and use of the assets entrusted to
management. The stewardship and reporting obligations point to the need to maintain
accurate and complete accounting systems and to protect assets. To fulfill these
obligations, management must maintain internal controls and enforce a code of
ethics.
Accounting Related Fraud. Fraud is the theft, concealment and conversion to
personal gain of another's money, physical assets, or information. There is a
distinction between misappropriation of assets and misstatement of financial
records. Misappropriation of assets involves theft of any item of value.
Misstatement of financial records involves the falsification of accounting reports. For
fraud to occur, three conditions must exist: incentive to commit the fraud, opportunity
to commit the fraud, and rationalization of the fraudulent action. This is called the
fraud triangle. Understanding the nature of fraud helps accountants create effective
systems to prevent or detect fraud.
o Categories Of Accounting Fraud. The four categories of fraud are
management fraud, employee fraud, customer fraud, and vendor fraud.
o The Nature Of Management Fraud. It is conducted by one or more top-level
managers within the company, and it usually involves misstating financial
statements through elaborate schemes or complex transactions. Managers'
incentives can include increasing incentive pay or the stock price, improving
opportunities for promotion, or delaying cash-flow or bankruptcy problems.
Some management fraud involves circumventing internal controls, which is
known as management override.
o The Nature Of Employee Fraud. It is usually the theft of assets, or the theft
of cash through false or fraudulent documentation. An example would be a
false or inflated time card. Cash receipts theft is the most common type of
employee fraud. It is often pulled off through a technique known as
skimming, where the organization's cash is stolen before it is entered into
the accounting records. Larceny is stealing the company's cash after it has
been recorded in the accounting records. Collusion means that two or more
people work together to commit a fraud. Collusion is the most difficult to
prevent or detect because it compromises the effectiveness of internal
controls such as segregation of duties.
o The Nature Of Customer Fraud. Customer fraud occurs when a customer
improperly obtains cash or property from a company, or avoids a liability,
through deception. Although customer fraud may affect any company, it is an
especially common problem for retail firms and companies that sell goods
through internet-based commerce. Examples of customer fraud include credit
card fraud, check fraud, and refund fraud.
o The Nature Of Vendor Fraud. Vendor fraud occurs when vendors obtain
payments to which they are not entitled. Unethical vendors may accomplish
this by submitting duplicate or incorrect invoices, intentionally sending
shipments in which the quantities are short, or sending lower quality goods
than ordered. Vendor fraud may also be perpetrated through collusion. For
example, an employee of a company could make an agreement with a vendor
to continue the vendor relationship in the future if the employee receives a
kickback. Vendor audits involve reviewing the supporting documentation for
labor or other expenses that a vendor has billed. This can reveal whether or
not the vendor is honest in reporting its expenses.
o The Nature Of Computer Fraud. The computer system can be used as a
tool to commit fraud. A computer fraud can be conducted by someone
internal, or external to the company. Internal fraud can be conducted by input
manipulation, program manipulation, or output manipulation. Input
manipulation is altering or falsifying data that is input into the system.
Program manipulation is the alteration of a program to commit a fraud. Some
methods of program manipulation are the salami technique, Trojan Horse,
and trap door alteration. Altering reports or outputs such as checks would be
output manipulation. An outsider who gains unauthorized access is an
external source of fraud. Three common kinds are hacking, denial of service
(DoS) attacks, and spoofing. A hacker breaks in to steal, alter, or browse data
or programs. A DoS attack is intended to shut down the computer system.
Spoofing occurs when an unauthorized user pretends to be an authorized
user.
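As an added example (not part of the manual or the textbook it summarizes), the Python below models the salami technique named above as a form of program manipulation: a modified interest-posting routine truncates each account's interest and diverts the sub-cent remainders into one account. It also shows why the independent check has to work line by line. A batch control total stays within rounding tolerance, because the scheme only moves money between lines, so the reconciliation recomputes every account from the master file and flags postings to any account the master file does not know. The balances, the rate and all account identifiers (including the skim account X-9999) are constructed for the example.

```python
"""Salami-slicing demonstration with the reconciliation that detects it.
All data here is constructed for the example."""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

# Constructed master file: account -> balance, and the monthly interest rate.
ACCOUNTS = {
    "A-1001": Decimal("1234.56"),
    "A-1002": Decimal("987.65"),
    "A-1003": Decimal("15000.00"),
    "A-1004": Decimal("42.42"),
}
RATE = Decimal("0.004")
CENT = Decimal("0.01")
SKIM_ACCOUNT = "X-9999"  # hypothetical account controlled by the fraudster


def post_interest_honest(balances):
    """Legitimate program: round each account's interest to the nearest cent."""
    return {acct: (bal * RATE).quantize(CENT, rounding=ROUND_HALF_UP)
            for acct, bal in balances.items()}


def post_interest_salami(balances):
    """Manipulated program: truncate each account's interest downward and
    post the accumulated sub-cent remainders to one account."""
    postings = {}
    skimmed = Decimal("0")
    for acct, bal in balances.items():
        exact = bal * RATE
        paid = exact.quantize(CENT, rounding=ROUND_DOWN)
        postings[acct] = paid
        skimmed += exact - paid
    postings[SKIM_ACCOUNT] = skimmed.quantize(CENT, rounding=ROUND_DOWN)
    return postings


def control_total_ok(postings, balances):
    """Batch-level control: compare the total posted with an independently
    computed total, allowing one cent of rounding noise per account.
    The salami scheme leaves the batch total almost unchanged, so this
    check passes for both the honest and the manipulated run."""
    expected = sum((bal * RATE for bal in balances.values()), Decimal("0"))
    expected = expected.quantize(CENT, rounding=ROUND_HALF_UP)
    posted = sum(postings.values(), Decimal("0"))
    return abs(posted - expected) <= CENT * len(balances)


def reconcile(postings, balances):
    """Independent check: recompute each account's interest from the master
    file and compare line by line. Returns (accounts posted to that are not
    in the master file, {account: (posted, expected)} for every mismatch)."""
    unknown = sorted(acct for acct in postings if acct not in balances)
    expected = post_interest_honest(balances)
    mismatches = {acct: (postings.get(acct), expected[acct])
                  for acct in balances if postings.get(acct) != expected[acct]}
    return unknown, mismatches


if __name__ == "__main__":
    fraud = post_interest_salami(ACCOUNTS)
    print("batch control total within tolerance:", control_total_ok(fraud, ACCOUNTS))
    unknown, mismatches = reconcile(fraud, ACCOUNTS)
    print("postings to accounts not in master file:", unknown)
    for acct, (posted, expected) in mismatches.items():
        print(f"{acct}: posted {posted}, expected {expected}")
```

Run stand-alone, the manipulated batch passes the total check but the line-by-line reconciliation reports the unknown account and two accounts that were each short by one cent. The control-activity the manual calls "independent checks and reconciliation" only catches this class of fraud when it is done at the level of detail the program manipulates.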
Policies To Assist In The Avoidance Of Fraud And Errors. There are three main
policies an organization can undertake to help prevent or detect fraud. The three
are: maintain and enforce a code of ethics, maintain a system of accounting internal
controls, and maintain a system of IT controls.
Maintain A Code Of Ethics. While it has always been a good idea to have and
enforce a corporate code of ethics, the Sarbanes-Oxley Act of 2002 requires publicly
traded companies to maintain one. To be effective, the code must be adhered to
by top management and enforced throughout the company.
Maintain A System Of Internal Controls. Internal controls have four objectives: (1)
safeguard assets, (2) maintain accuracy and integrity of data, (3) promote
operational efficiency, and (4) ensure compliance with management directives. The
internal control system to meet these objectives should have preventive controls,
detective controls, and corrective controls. However, no internal control system can
prevent or detect all errors or fraud. Human error, human nature, and cost
considerations limit the ability of internal controls to detect or prevent all fraud and
errors.
o The Details Of The COSO Report. The COSO report has become the
standard definition and description of internal control. It identifies five
interrelated components: the control environment; risk assessment; control
activities; information and communication; and monitoring.
The control environment sets the tone of an organization and influences the
control consciousness of its employees. The factors that are part of the
control environment are: the integrity, ethical values, and competence of the
people; management's philosophy and operating style; the way management
assigns authority and responsibility; the way management organizes and
develops its people; and the attention and direction provided by the board of
directors. Each of these factors influences whether an organization has a
more risky environment or a less risky environment.
Risk assessment is the continual monitoring of the risks from external and
internal sources. In order for management to maintain control over threats to
its business, it must constantly be engaged in risk assessment. It is important
that management develop a systematic and ongoing way to: Identify the
sources of risks, both internal and external; Determine the impact of such
risks in terms of finances and reputation; Estimate the chance of such risks
occurring; Develop an action plan to reduce the impact or probability of these
risks; Execute the action plan and continue the cycle beginning again with the
first step above.
Control activities are the policies and procedures that help ensure that
management directives are carried out and that management objectives are
achieved. A good internal control system must include control activities that
occur at all levels and in all functions within the company. The control
activities include a range of activities that can be divided into the following
categories: Authorization of transactions; Segregation of duties; Adequate
records and documents; Security of assets and documents; Independent
checks and reconciliation. Authorization can be general authorization, or
specific authorization. Segregation of duties means that for any given
business process, no single person or department should authorize, record,
and have custody of the assets. Supervision is a compensating control when
segregation cannot be fully achieved. Adequate records and documents
means that there must be an audit trail as verifiable information about the
accuracy of the accounting records. Security of assets and documents
includes physical controls to limit access to assets, and policies and practices
to limit who has access to assets. Independent checks and reconciliations
are procedures to verify the accuracy and completeness of accounting
information.
Information and communication is a set of systems and processes that
ensure information flows down, across, and up the organization. It includes
the accounting system and the reports that result from it. It also includes the
procedures to disseminate reports and information throughout the enterprise.

Monitoring is the ongoing review and evaluation of the system. This includes
both continuous and periodic monitoring of the accounting system and
controls. Continuous review of reports and information by managers and
periodic audits are part of monitoring.
o Reasonable Assurance Of Internal Controls. The whole set of internal
control must be established and monitored with the idea of reasonable
assurance in mind. Reasonable assurance means that the controls achieve a
sensible balance of reducing risk when compared to the cost of the control.
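The segregation-of-duties rule stated under control activities above (no single person should authorize, record, and have custody of the assets in a business process) is one of the few COSO control activities that can be checked mechanically against an identity system's role assignments. The Python below is an added example, not material from the manual or the textbook. It maps roles to the duty they perform in a named process, then flags every user who holds two or more of the three incompatible duties in the same process, whether through one over-broad role or a combination of roles, and notes whether a documented compensating control (supervisory review, as the manual describes) exists for that user. Treating any two of the three duties as a conflict is the usual reading of the rule. Roles, users, processes and the compensating-control register are all constructed for the example.

```python
"""Segregation-of-duties check over role assignments.
All roles, users and processes here are constructed for the example."""
from collections import defaultdict

# The three functions the text says must not be combined in one person.
INCOMPATIBLE = {"authorize", "record", "custody"}

# Constructed: which (process, duty) each role performs.
ROLE_DUTIES = {
    "ap_supervisor": {("disbursements", "authorize")},
    "ap_clerk": {("disbursements", "record")},
    "treasury_signer": {("disbursements", "custody")},
    # One role that conflicts by itself: it both approves and records.
    "accounting_manager": {("disbursements", "authorize"),
                           ("disbursements", "record")},
    "cashier": {("receipts", "custody")},
    "ar_clerk": {("receipts", "record")},
}

# Constructed: (user, role) pairs as exported from the identity system.
ASSIGNMENTS = [
    ("alice", "ap_supervisor"),
    ("bob", "ap_clerk"),
    ("carol", "treasury_signer"),
    ("dave", "ap_clerk"),
    ("dave", "treasury_signer"),     # records disbursements and signs checks
    ("erin", "accounting_manager"),  # single over-broad role
    ("frank", "ap_supervisor"),
    ("frank", "cashier"),            # duties in different processes: no conflict
]

# Constructed: compensating controls on file, keyed by user.
SUPERVISED = {"erin": "monthly review of journal entries by the controller"}


def sod_violations(assignments, role_duties, supervised=None):
    """Return {(user, process): finding} for every user who holds two or more
    incompatible duties within one process. Each finding lists the duties and
    roles involved and whether a compensating control is documented."""
    supervised = supervised or {}
    roles_per_user = defaultdict(set)
    duties = defaultdict(lambda: defaultdict(set))  # user -> process -> duties
    for user, role in assignments:
        roles_per_user[user].add(role)
        for process, duty in role_duties.get(role, ()):
            duties[user][process].add(duty)

    findings = {}
    for user, by_process in duties.items():
        for process, held in by_process.items():
            conflict = held & INCOMPATIBLE
            if len(conflict) >= 2:
                findings[(user, process)] = {
                    "duties": sorted(conflict),
                    "roles": sorted(roles_per_user[user]),
                    "compensated": user in supervised,
                    "control": supervised.get(user),
                }
    return findings


def uncompensated(findings):
    """The subset of findings with no compensating control on file; these are
    the ones that need a role change rather than a documented review."""
    return {key: f for key, f in findings.items() if not f["compensated"]}


if __name__ == "__main__":
    findings = sod_violations(ASSIGNMENTS, ROLE_DUTIES, SUPERVISED)
    for (user, process), f in sorted(findings.items()):
        status = "compensated" if f["compensated"] else "UNCOMPENSATED"
        print(f"{user} in {process}: {f['duties']} via {f['roles']} [{status}]")
```

Run stand-alone, the check reports dave (record plus custody through two roles, no compensating control) and erin (authorize plus record through one role, compensated by supervision); frank is not reported because his two duties sit in different processes. Running a check like this periodically is the kind of continuous monitoring the COSO monitoring component describes.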
Maintain A System Of Information Technology Controls. Information
technology increases the efficiency and effectiveness of organizations that use it,
but at the same time, it increases vulnerability. The risks include unauthorized
access, hackers, business interruption, and data inaccuracies. These extra risks of
computer systems call attention to the need for internal controls over and above
those described in the COSO report. One way to organize these risks and controls
is the Trust Services Principles. These principles divide IT risks and controls into
five categories: security; availability; processing integrity; online privacy; and
confidentiality.
Security risk is the risk of unauthorized physical or logical access to the IT system.
Availability risk is the risk of hardware or software failure. Processing integrity risk is
the risk of inaccurate, incomplete, or improperly authorized information entering the
IT system. Online privacy risk is that personal information about customers will be
accessed in an unauthorized manner. Confidentiality risk is the risk that sensitive
information about the company or its business partners may be subject to
unauthorized access. IT controls can be designed and implemented to limit risks in
each of these five categories.
Appendix A: Recent History Of Internal Control Standards. The 1977 Foreign
Corrupt Practices Act (FCPA) included a requirement that corporations that sell stock
in an SEC regulated stock exchange maintain a system of internal controls. In 1988
the AICPA issued SAS 55, which further emphasized management's obligation to
maintain internal controls. In 1992, the COSO report was issued by the Committee
of Sponsoring Organizations (COSO). This report details the findings of a
comprehensive study of internal control and is recognized within the accounting
industry as the definition and description of internal control. Since that time, the
AICPA has rewritten SAS guidelines to incorporate COSO concepts. SAS 55 was
replaced by SAS 78 in 1994, and in 2002 SAS 78 was amended by SAS 94. This
current internal control guide in SAS 94 maintains the COSO internal control
concepts. In addition, SAS 99 expands the auditors duties with regard to internal
control and fraud. The Sarbanes-Oxley Act of 2002 attempted to curb the fraud and
stock market abuses of the previous two years. Section 302 of this bill designates
management (specifically, the chief executive officer, chief financial officer and
others performing similar functions) of the company as having responsibility for the
establishment and maintenance of an effective system of internal controls. Section
404 of the Sarbanes-Oxley Act requires companies to include an internal control
report within their annual report to stockholders. Thus, not only is the establishment
and operation of an internal control system a good practice, it has become
mandatory for publicly traded companies.
Appendix B: Control Objectives For Information Technology (COBIT). The
COBIT framework is a comprehensive description of the risks and controls in IT
environments. The framework establishes what COBIT terms four domains of High
Level Control Objectives. The domains are: Planning and organization; Acquisition
and implementation; Delivery and support; Monitoring. For each domain, controls
over processes can be categorized as to the information criteria that apply to the
process and the IT resources managed by the process. COBIT defines information
criteria as effectiveness, efficiency, confidentiality, integrity, availability, compliance,
and reliability. COBIT defines IT resources as people, application systems,
technology, facilities, and data.
