AIS CHAP 3 notes

The document discusses ethical issues in business, emphasizing the importance of ethical standards derived from societal beliefs and the responsibilities of managers in making ethical decisions. It outlines key ethical principles such as proportionality, justice, and minimizing risk, as well as the implications of computer ethics, privacy, and security. Additionally, it addresses the Sarbanes-Oxley Act's role in promoting ethical practices and preventing fraud within organizations.
ETHICAL ISSUES IN BUSINESS

Ethical standards are derived from societal mores and deep-rooted personal beliefs about issues of right and wrong that are not universally agreed upon.

BUSINESS ETHICS

Ethics - principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong.

Business ethics answers two questions:
(1) How do managers decide what is right in conducting
(2) Once managers have recognized what is right, how do they achieve it?

4 AREAS OF ETHICAL ISSUES IN BUSINESS
1. Equity
2. Rights
3. Honesty
4. Exercise of corporate power

MAKING ETHICAL DECISIONS

Business organizations have conflicting responsibilities to their employees, shareholders, customers, and the public. Every major decision has consequences that potentially harm or benefit these constituents.

For example, implementing a new computer information system within an organization may cause some employees to lose their jobs, while those who remain enjoy the benefit of improved working conditions. Seeking a balance between these consequences is the managers' ethical responsibility.

ETHICAL PRINCIPLES

- PROPORTIONALITY
  The benefit from a decision must outweigh the risks. There must be no alternative decision that provides the same or greater benefit with less risk.
- JUSTICE
  The benefits of the decision should be distributed fairly to those who share the risks. Those who do not benefit should not carry the burden of risk.
- MINIMIZE RISK
  Even if judged acceptable by the principles, the decision should be implemented so as to minimize all of the risks and avoid any unnecessary risks.

COMPUTER ETHICS

The analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology.

Concerns about software as well as hardware, and concerns about networks connecting computers as well as computers themselves.

3 Levels of Computer Ethics
1. Pop Computer Ethics
2. Para Computer Ethics
3. Theoretical Computer Ethics

POP COMPUTER ETHICS
Exposure to stories and reports found in the popular media regarding the good or bad ramifications of computer technology.

PARA COMPUTER ETHICS
Taking a real interest in computer ethics cases and acquiring some level of skill and knowledge in the field.

THEORETICAL COMPUTER ETHICS
Of interest to multidisciplinary researchers who apply the theories of philosophy, sociology, and psychology to computer science with the goal of bringing some new understanding to the field.

PRIVACY
Issue of privacy - People desire to be in full control of what and how much information about themselves is available to others, and to whom it is available.
The creation and maintenance of huge, shared databases make it necessary to protect people from the potential misuse of data.
This leads to the issue of ownership in the personal industry.

SECURITY (Accuracy and Confidentiality)
Computer security - the attempt to avoid such risks as a loss of confidentiality or data integrity.
Security systems attempt to prevent fraud and other misuse of computer systems; they act to protect and further the legitimate interests of the system's constituencies.
Such issues arise from the emergence of shared, computerized databases that have the potential to cause irreparable harm to individuals by disseminating inaccurate information to authorized users, such as through incorrect credit reporting.

OWNERSHIP OF PROPERTY
Laws designed to preserve real property rights have been extended to cover what is referred to as intellectual property, that is, software.
Copyright laws have been invoked in an attempt to protect those who develop software from having it copied.

EQUITY IN ACCESS
Some barriers to access are intrinsic to the technology of information systems, but some are avoidable through careful system design.
Some factors, not all of which are unique to information systems, can limit access to computing technology.
Others: culture, safety features.

ENVIRONMENTAL ISSUES
High-speed printers allow faster production of printed documents with the use of paper. Paper, however, comes from trees, which are a precious natural resource that ends up in landfills if not properly recycled.
ARTIFICIAL INTELLIGENCE
A new set of social and ethical issues has arisen out of the popularity of expert systems. Because of the way these systems have been marketed—that is, as decision makers or replacements for experts—some people rely on them significantly.

UNEMPLOYMENT AND DISPLACEMENT
Many jobs have been and are being changed as a result of the availability of computer technology. People unable or unprepared to change are displaced.

MISUSE OF COMPUTERS
Computers can be misused in many ways:
- Copying proprietary software, using a company's computer for personal benefit.
- Snooping through other people's files.

SARBANES-OXLEY ACT AND ETHICAL ISSUES
This wide-sweeping legislation, more commonly known as the Sarbanes-Oxley Act (SOX), is the most significant securities law since the Securities and Exchange Commission (SEC) Acts of 1933 and 1934.
SOX has many provisions designed to deal with specific problems relating to capital markets, corporate governance, and the auditing profession.

Section 406—Code of Ethics for Senior Financial Officers
Section 406 of SOX requires public companies to disclose to the SEC whether they have adopted a code of ethics that applies to the organization's chief executive officer (CEO), CFO, controller, or persons performing similar functions. If the company has not adopted such a code, it must explain why.

A public company may disclose its code of ethics in several ways:
- by including the code as an exhibit to its annual report
- by posting the code to the company website
- by agreeing to provide copies of the code upon request.

CONFLICTS OF INTEREST
The company's code of ethics should outline procedures for dealing with actual or apparent conflicts of interest between personal and professional relationships.

FULL AND FAIR DISCLOSURES
The organization should provide full, fair, accurate, timely, and understandable disclosures in the documents, reports, and financial statements that it submits to the SEC and to the public.
The objective of this rule is to ensure that future disclosures are candid, open, truthful, and void of such deceptions.

LEGAL COMPLIANCE
Codes of ethics should require employees to follow applicable governmental laws, rules, and regulations. To accomplish this, organizations must provide employees with training and guidance.

INTERNAL REPORTING OF CODE VIOLATIONS
The code of ethics must provide a mechanism to permit prompt internal reporting of ethics violations.
Similar in nature to Sections 301 and 806, which were designed to encourage and protect whistle-blowers.
Such as: employee ethics hotlines.

ACCOUNTABILITY
An effective ethics program must take appropriate action when code violations occur. This will include various disciplinary measures, including dismissal.
Employees must see an employee hotline as credible, or they will not use it.
Section 301 directs the organization's audit committee to establish procedures for receiving, retaining, and treating such complaints about accounting procedures and internal control violations.

FRAUD AND ACCOUNTANTS

FRAUD
Often the result of poor management decisions or adverse business conditions.
Denotes a false representation of a material fact made by one party to another party with the intent to deceive and induce the other party to justifiably rely on the fact to his or her detriment.

According to common law, a fraudulent act must meet the following five conditions:
1. False representation. There must be a false statement or a nondisclosure.
2. Material fact. A fact must be a substantial factor in inducing someone to act.
3. Intent. There must be the intent to deceive or the knowledge that one's statement is false.
4. Justifiable reliance. The misrepresentation must have been a substantial factor on which the injured party relied.
5. Injury or loss. The deception must have caused injury or loss to the victim of the fraud.

It is an intentional deception, misappropriation of a company's assets, or manipulation of a company's financial data to the advantage of the perpetrator.
In accounting literature, fraud is also commonly known as white-collar crime, defalcation, embezzlement, and irregularities.

2 levels of fraud that auditors encounter:

1. Employee fraud.
Also known as fraud by management employees, it is generally designed to directly convert cash or other assets to the employee's personal benefit.
The employee circumvents the company's internal control system for personal gain.
3 Steps of Employee Fraud:
1. Stealing something of value (an asset)
2. Converting the asset to a usable form (cash)
3. Concealing the crime to avoid detection

2. Management Fraud
More insidious than employee fraud because it often escapes detection until the organization has suffered irreparable damage or loss.
Management fraud usually does not involve the direct theft of assets. Top management may engage in fraudulent activities to drive up the market price of the company's stock.
This may be done to meet investor expectations or to take advantage of stock options that have been loaded into the manager's compensation package. The Commission on Auditors' Responsibilities calls this performance fraud, which often involves deceptive practices to inflate earnings or to forestall the recognition of either insolvency or a decline in earnings.
Lower-level management fraud typically involves materially misstating financial data and internal reports to gain additional compensation, to garner a promotion, or to escape the penalty for poor performance.

3 defining characteristics:
1. The fraud is perpetrated at levels of management above the one to which internal control structures generally relate.
2. The fraud frequently involves using the financial statements to create an illusion that an entity is healthier and more prosperous than, in fact, it is.
3. If the fraud involves misappropriation of assets, it frequently is shrouded in a maze of complex business transactions, often involving related third parties.

THE FRAUD TRIANGLE
3 Factors of the fraud triangle:
1. Situational pressure
Includes personal or job-related stresses that coerce an individual to act dishonestly.
2. Opportunity
Direct access to assets and/or access to information that controls assets.
3. Ethics
Pertains to one's character and degree of moral disposition to acts of dishonesty.

Fraud Losses and the Collusion Effect
Collusion among employees in the commission of a fraud is difficult to both prevent and detect. This is particularly true when the collusion is between managers and their subordinate employees.
Management plays a key role in the internal control structure of an organization. Managers are relied upon to prevent and detect fraud among their subordinates. When they participate in fraud with the employees over whom they are supposed to provide oversight, the organization's control structure is weakened or completely circumvented, and the company becomes more vulnerable to losses.

FINANCIAL LOSSES FROM FRAUD
The actual cost of fraud is, however, difficult to quantify for a number of reasons:
1. not all fraud is detected;
2. of that detected, not all is reported;
3. in many fraud cases, incomplete information is gathered;
4. information is not properly distributed to management or law enforcement authorities; and
5. too often, business organizations decide to take no civil or criminal action against the perpetrator(s) of fraud.

THE PERPETRATORS OF FRAUDS

CONCLUSION TO BE DRAWN
- Position. Individuals in the highest positions within an organization are beyond the internal control structure and have the greatest access to company funds and assets.
- Gender. Women are not fundamentally more honest than men, but men occupy high corporate positions in greater numbers than women. This affords men greater access to assets.
- Age. Older employees tend to occupy higher-ranking positions and therefore generally have greater access to company assets.
- Education. Generally, those with more education occupy higher positions in their organizations and therefore have greater access to company funds and other assets.
- Collusion. One reason for segregating occupational duties is to deny potential perpetrators the opportunity they need to commit fraud. When individuals in critical positions collude, they create opportunities to control or gain access to assets that otherwise would not exist.

FRAUD SCHEMES
3 broad categories of fraud schemes:
1. Fraudulent statements
2. Corruption
3. Asset misappropriation

I. FRAUDULENT STATEMENTS
Associated with management fraud. While all fraud involves some form of financial misstatement, to meet the definition under this class of fraud scheme, the financial statement misrepresentation must itself bring direct or indirect financial benefit to the perpetrator.
Misstating the cash account balance to cover the theft of cash is not financial statement fraud. Understating liabilities to present a more favorable financial picture of the organization, to drive up stock prices, is.
THE UNDERLYING PROBLEMS
The series of events symbolized by the Enron, WorldCom, and Adelphia debacles caused many to question whether our existing federal securities laws were adequate to ensure full and fair financial disclosures by public companies.

1. Lack of Auditor Independence.
Auditing firms that are also engaged by their clients to perform nonaccounting activities, such as actuarial services, internal audit outsourcing services, and consulting, lack independence.
The firms audit their own work, and the risk is that as auditors they will not bring to management's attention the detected problems that may affect their consulting fees.
Ex. Internal auditors are also the management consultants.

2. Lack of Director Independence.
Directors who have personal relationships by serving on the boards of other directors' companies:
- Business trading relationship – key customers/suppliers.
- Financial relationship – primary stockholders/received personal loans from the company.
- Operational relationship – employee of the company.

3. Questionable Executive Compensation Schemes.
Excessive use of short-term stock options to compensate directors and executives may result in short-term thinking and strategies aimed at driving up stock prices at the expense of the firm's long-term health.

4. Inappropriate Accounting Practices
Use of special-purpose entities to hide liabilities through off-balance-sheet accounting.
Ex. When a company sold a contract (providing gas for a period of 2 years), the company would recognize all the future revenue in the period when the contract was sold.

SARBANES-OXLEY ACT AND FRAUD
- This landmark legislation was written to deal with problems related to capital markets, corporate governance, and the auditing profession.
- Framework to modernize and reform the oversight and regulation of public company auditing. Its principal reforms pertain to:
  1. the creation of an accounting oversight board;
  2. auditor independence;
  3. corporate governance and responsibility;
  4. disclosure requirements; and
  5. penalties for fraud and other violations.

Provisions

1. Accounting Oversight Board.
- SOX created a Public Company Accounting Oversight Board. The PCAOB is empowered to set auditing, quality control, and ethics standards; to inspect registered accounting firms; conduct investigations; and take disciplinary actions.

2. Auditor Independence
- Addresses auditor independence by creating more separation between a firm's attestation and non-auditing activities.
- Intended to specify categories of services that a public accounting firm cannot perform for its client.
- 9 functions:
  a. Bookkeeping or other services related to the accounting records or financial statements
  b. Financial information systems design and implementation
  c. Appraisal or valuation services, fairness opinions, or contribution-in-kind reports
  d. Actuarial services
  e. Internal audit outsourcing services
  f. Management functions or human resources
  g. Broker or dealer, investment adviser, or investment banking services
  h. Legal services and expert services unrelated to the audit
  i. Any other service that the PCAOB determines is impermissible

3. Corporate Governance and Responsibility
- Requires all audit committee members to be independent and requires the audit committee to hire and oversee the external auditors.
- Two other significant provisions of the act relating to corporate governance are:
  - public companies are prohibited from making loans to executive officers and directors,
  - the act requires attorneys to report evidence of a material violation of securities laws or breaches of fiduciary duty to the CEO, CFO, or the PCAOB.

4. Issuer and Management Disclosure.
- New corporate disclosure requirements:
  a. Public companies must report all off-balance-sheet transactions.
  b. Annual reports filed with the SEC must include a statement by management asserting that it is responsible for creating and maintaining adequate internal controls and asserting to the effectiveness of those controls.
  c. Officers must certify that the company's accounts "fairly present" the firm's financial condition and results of operations.
  d. Knowingly filing a false certification is a criminal offense.

5. Fraud and Criminal Penalties
Creates new federal crimes relating to the destruction of documents or audit work papers, securities fraud, tampering with documents to be used in an official proceeding, and actions against whistle-blowers.

II. CORRUPTION
Involves an executive, manager, or employee of the organization in collusion with an outsider.
Four principal types of corruption: bribery, illegal gratuities, conflicts of interest, and economic extortion.

BRIBERY
Giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties.

ILLEGAL GRATUITIES
Giving, receiving, offering, or soliciting something of value because of an official act that has been taken. This is similar to a bribe, but the transaction occurs after the fact.

CONFLICTS OF INTEREST
Occurs when an employee acts on behalf of a third party during the discharge of his or her duties or has self-interest in the activity being performed.
When the employee's conflict of interest is unknown to the employer and results in financial loss, then fraud has occurred.

III. ASSET MISAPPROPRIATION
Most common fraud schemes involve some form of asset misappropriation in which assets are either directly or indirectly diverted to the perpetrator's benefit.

SKIMMING
Stealing cash from an organization before it is recorded on the organization's books and records.
Ex. (1) an employee who accepts payment from a customer but does not record the sale.
(2) mail room fraud – an employee opening the mail steals a customer's check and destroys the associated remittance advice.

CASH LARCENY
Cash receipts are stolen from an organization after they have been recorded in the organization's books and records.
Ex. Lapping - a cash receipts clerk first steals and cashes a check from Customer A. To conceal the accounting imbalance caused by the loss of the asset, Customer A's account is not credited. Later (the next billing period), the employee uses a check received from Customer B and applies it to Customer A's account. Funds received in the next period from Customer C are then applied to the account of Customer B, and so on.

BILLING SCHEMES
Also known as vendor fraud, these are perpetrated by employees who cause their employer to issue a payment to a false supplier (vendor) by submitting invoices for fictitious goods or services, inflated invoices, or invoices for personal purchases.
Examples:
(1) shell company fraud - first requires that the perpetrator establish a false supplier on the books of the victim company. The fraudster then manufactures false purchase orders, receiving reports, and invoices in the name of the vendor and submits them to the accounting system, which creates the illusion of a legitimate transaction.
(2) pass-through fraud - similar to the shell company fraud with the exception that a transaction actually takes place. The difference is the profit that the perpetrator pockets.
(3) pay-and-return - a clerk with check-writing authority intentionally pays a vendor twice for the same invoice for the purchase of inventory or supplies. The vendor, recognizing that its customer made a double payment, issues a reimbursement check to the victim company, which the clerk intercepts and cashes.

CHECK TAMPERING
Forging or changing in some material way a check that the organization has written to a legitimate payee.
Ex. an employee who steals an outgoing check to a vendor, forges the payee's signature, and cashes the check.
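Added example, not from the notes: a segregation-of-duties check, the preventive control the Collusion point under THE PERPETRATORS OF FRAUDS refers to, written against the duties the shell company, pay-and-return and lapping schemes above each require. The duty names, rule names and user assignments are constructed, and the collusion-pair check goes beyond the notes by also reporting pairs of users who jointly cover a conflict.

```python
"""Segregation-of-duties (SoD) check: a preventive control over role assignments.

Added example, not from the notes. The duty names, rule names and user
assignments below are constructed for illustration; in practice the
assignments would be read from the accounting system's user/role tables.
"""
from itertools import combinations

# Each rule names a scheme from the notes and the set of duties that, held by
# one person, would give that person the opportunity to carry it out.
SOD_RULES = {
    # establish a false vendor, enter invoices for it, and release the payment
    "shell company / pass-through": {"create_vendor", "enter_invoice", "release_payment"},
    # write checks and also reconcile the bank statement that would expose them
    "pay-and-return / check tampering": {"write_checks", "reconcile_bank"},
    # take in customer checks and also post the credits to customer accounts
    "lapping": {"handle_cash_receipts", "post_receivables"},
}


def sod_violations(assignments):
    """Return (user, rule) pairs where one user alone holds a full conflict set.

    assignments maps user -> set of duty names.
    """
    found = []
    for user, duties in sorted(assignments.items()):
        for rule, conflicting in SOD_RULES.items():
            if conflicting <= duties:
                found.append((user, rule))
    return found


def collusion_pairs(assignments, rule):
    """Return user pairs who together cover a rule's duties but neither alone does.

    SoD removes the opportunity for one person; the Collusion point in the
    notes is that two people in the right positions can recreate it, so the
    control owner should know which pairs those are.
    """
    needed = SOD_RULES[rule]
    pairs = []
    for u1, u2 in combinations(sorted(assignments), 2):
        d1, d2 = assignments[u1], assignments[u2]
        if needed <= (d1 | d2) and not needed <= d1 and not needed <= d2:
            pairs.append((u1, u2))
    return pairs


# Constructed sample assignments (not real users).
SAMPLE_ASSIGNMENTS = {
    "alice": {"create_vendor", "enter_invoice", "release_payment"},  # one-person AP
    "bob": {"write_checks"},
    "carol": {"reconcile_bank", "post_receivables"},
    "dave": {"handle_cash_receipts"},
}


def sod_report(assignments=SAMPLE_ASSIGNMENTS):
    """Summarise solo violations and collusion-risk pairs for every rule."""
    return {
        "violations": sod_violations(assignments),
        "collusion_risk": {rule: collusion_pairs(assignments, rule) for rule in SOD_RULES},
    }


if __name__ == "__main__":
    report = sod_report()
    for user, rule in report["violations"]:
        print(f"VIOLATION: {user} alone can carry out {rule}")
    for rule, pairs in report["collusion_risk"].items():
        for u1, u2 in pairs:
            print(f"COLLUSION RISK: {u1} + {u2} together cover {rule}")
```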
PAYROLL FRAUD
Distribution of fraudulent paychecks to existent and/or nonexistent employees.

EXPENSE REIMBURSEMENTS
An employee makes a claim for reimbursement of fictitious or inflated business expenses.
For example, a company salesperson files false expense reports, claiming meals, lodging, and travel that never occurred.

THEFTS OF CASH
Direct theft of cash on hand in the organization.
Ex. an employee who makes false entries on a cash register, such as voiding a sale, to conceal the fraudulent removal of cash.

NONCASH MISAPPROPRIATIONS
Noncash fraud involves the theft or misuse of the victim organization's noncash assets.
Ex. a warehouse clerk who steals inventory from a warehouse or storeroom; a customer services clerk who sells confidential customer information to a third party.

COMPUTER FRAUD
Because computers lie at the heart of modern accounting information systems, the topic of computer fraud is of importance to auditors.
Although the fundamental structure of fraud is unchanged by computers—fraudulent statements, corruption, and asset misappropriation—computers do add complexity to the fraud picture.

INTERNAL CONTROL CONCEPTS AND TECHNIQUES
The internal control system comprises policies, practices, and procedures employed by the organization to achieve four broad objectives:
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm's operations.
4. To measure compliance with management's prescribed policies and procedures.

MODIFYING ASSUMPTIONS
Four modifying assumptions guide designers and auditors of internal controls.

1. MANAGEMENT RESPONSIBILITY
The establishment and maintenance of a system of internal control is a management responsibility.

2. REASONABLE ASSURANCE
The internal control system should provide reasonable assurance that the four broad objectives of internal control are met in a cost-effective manner.
No system of internal control is perfect, and the cost of achieving improved control should not outweigh its benefits.

3. METHODS OF DATA PROCESSING
Internal controls should achieve the four broad objectives regardless of the data processing method used.

4. LIMITATIONS
Every system of internal control has limitations on its effectiveness:
(1) the possibility of error—no system is perfect,
(2) circumvention—personnel may circumvent the system through collusion or other means,
(3) management override—management is in a position to override control procedures by personally distorting transactions or by directing a subordinate to do so, and
(4) changing conditions—conditions may change over time and render existing controls ineffective.

CONTROL WEAKNESS AND RISKS
The purpose of internal control is to mitigate risk.
Risks include attempts at unauthorized access to the firm's assets; attempts at fraud perpetrated by persons both inside and outside the firm; errors due to employee incompetence, faulty computer programs and corrupted input data; and malicious acts, such as unauthorized access by computer hackers, malware, and computer viruses that destroy programs and databases.

Control Weaknesses
These increase the firm's risk of financial loss or injury from the threats discussed earlier. Weaknesses in internal control may expose the firm to one or more of the following types of risks:
1. Destruction of assets (both physical assets and information).
2. Theft of assets.
3. Corruption of information or the information system.
4. Disruption of the information system.

THE PREVENTIVE-DETECTIVE-CORRECTIVE INTERNAL CONTROL MODEL
The internal control shield is composed of three layers of control: preventive controls, detective controls, and corrective controls. This is known as the preventive-detective-corrective (PDC) control model.

PREVENTIVE CONTROLS
Prevention is the first line of defense in the control structure.
Passive techniques designed to reduce the frequency of occurrence of risks. Preventive controls force compliance with prescribed or desired actions and thus screen out aberrant events.
When designing internal control systems, an ounce of prevention is most certainly worth a pound of cure. Preventing errors and fraud is far more cost-effective than detecting and correcting problems after they occur.

DETECTIVE CONTROLS
Form a second line of defense: they identify anomalies and draw attention to them.
Devices, techniques, and procedures designed to identify and expose risks that have eluded preventive controls. Detective controls reveal specific types of errors by comparing actual occurrences to preestablished standards.
When the detective control identifies a departure from standard, it sounds an alarm to focus attention on the problem.

CORRECTIVE CONTROLS
Actions taken to reverse the effects of errors detected in the previous step.
Corrective controls actually fix the problem. For any detected error, however, there may be more than one feasible corrective action, and the best course of action may not always be obvious.

The PDC control model is conceptually complete but offers little practical guidance for designing specific controls. For this, we need a more precise framework. The current authoritative document for specifying internal control objectives and techniques is Statement on Auditing Standards (SAS) No. 109, which is based on the COSO framework.

SARBANES-OXLEY AND INTERNAL CONTROL
Requires management of public companies to implement an adequate system of internal controls over their financial reporting process. This includes controls over transaction processing systems that feed data to the financial reporting systems.
Section 302 requires that corporate management (including the CEO) certify the organization's internal controls on a quarterly and annual basis.
Section 404 requires the management of public companies to assess the effectiveness of the organization's internal controls. This entails providing an annual report addressing the following points:
(1) a statement of management's responsibility for establishing and maintaining adequate internal control,
(2) an assessment of the effectiveness of the company's internal controls over financial reporting,
(3) a statement that the organization's external auditors have issued an attestation report on management's assessment of the company's internal controls,
(4) an explicit written conclusion as to the effectiveness of internal control over financial reporting, and
(5) a statement identifying the framework used in the assessment of internal controls.

COSO INTERNAL CONTROL FRAMEWORK
The COSO framework consists of five components: the control environment, risk assessment, information and communication, monitoring, and control activities.
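Added example, not from the notes: a detective control in the sense described above (comparing actual occurrences to a preestablished standard and raising an alarm on departures), run over constructed accounts-receivable and accounts-payable records to surface the lapping pattern from CASH LARCENY and the double payment behind the pay-and-return billing scheme. The record layout, customer names, vendor names and amounts are all constructed.

```python
"""Detective control over constructed AR receipt and AP payment records.

Added example, not from the notes. It flags two departures from standard
that the notes describe: lapping (a customer's remittance credited to a
different customer's account) and the double payment behind a
pay-and-return scheme. Field names and every record are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Receipt:
    receipt_id: str
    remitter: str      # customer named on the check / remittance advice
    applied_to: str    # customer account the clerk credited
    amount: float


@dataclass(frozen=True)
class Payment:
    check_no: str
    vendor: str
    invoice_no: str
    amount: float


def misapplied_receipts(receipts):
    """Standard: a receipt is credited to the remitting customer's own account.

    Any receipt that departs from that standard is returned for follow-up.
    """
    return [r for r in receipts if r.remitter != r.applied_to]


def lapping_chains(receipts):
    """Link misapplied receipts into the chains lapping produces.

    If B's check was credited to A and C's check to B, the chain is
    [A, B, C]: A's own check is missing and each later customer's money
    fills the previous hole. Returns one list per independent chain; a
    closed cycle of misapplications has no start and is not reported here.
    """
    credited_from = {r.applied_to: r.remitter for r in misapplied_receipts(receipts)}
    starts = [acct for acct in credited_from if acct not in credited_from.values()]
    chains = []
    for start in starts:
        chain = [start]
        while chain[-1] in credited_from and credited_from[chain[-1]] not in chain:
            chain.append(credited_from[chain[-1]])
        chains.append(chain)
    return chains


def duplicate_payments(payments):
    """Return {(vendor, invoice_no): [check numbers]} for invoices paid more than once."""
    checks_by_invoice = defaultdict(list)
    for p in payments:
        checks_by_invoice[(p.vendor, p.invoice_no)].append(p.check_no)
    return {k: v for k, v in checks_by_invoice.items() if len(v) > 1}


# Constructed sample data. Customer A's own check was stolen and never
# recorded, so there is no receipt from "Customer A" at all.
SAMPLE_RECEIPTS = [
    Receipt("R-101", "Customer D", "Customer D", 800.00),   # normal
    Receipt("R-102", "Customer B", "Customer A", 500.00),   # B's check covers A
    Receipt("R-103", "Customer C", "Customer B", 500.00),   # C's check covers B
    Receipt("R-104", "Customer E", "Customer E", 120.00),   # normal
]

SAMPLE_PAYMENTS = [
    Payment("1001", "Acme Supply", "INV-77", 1200.00),
    Payment("1002", "Beta Parts", "INV-5", 300.00),
    Payment("1015", "Acme Supply", "INV-77", 1200.00),      # same invoice paid again
]


def exception_report(receipts=SAMPLE_RECEIPTS, payments=SAMPLE_PAYMENTS):
    """The alarm: everything a reviewer should look at, in one structure."""
    return {
        "misapplied_receipts": [r.receipt_id for r in misapplied_receipts(receipts)],
        "lapping_chains": lapping_chains(receipts),
        "duplicate_payments": duplicate_payments(payments),
    }


if __name__ == "__main__":
    for key, value in exception_report().items():
        print(f"{key}: {value}")
```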
THE CONTROL ENVIRONMENT
The foundation for the other four control Risks can arise or change from the
components. The control environment following circumstances:
sets the tone for the organization and  Changes in the operating
influences the control awareness of its environment that impose new or
management and employees. changed competitive pressures on
Elements: the firm.
 The integrity and ethical values of  New personnel who have a different
management. or inadequate understanding of
 The structure of the organization. internal control.
 The participation of the  New or reengineered information
organization’s board of directors and systems that affect transaction
the audit committee, if one exists. processing.
 Management’s philosophy and  Significant and rapid growth that
operating style. strains existing internal controls.
 The procedures for delegating  The implementation of new
responsibility and authority. technology into the production
 Management’s methods for process or information system that
assessing performance. impacts transaction processing.
 External influences, such as  The introduction of new product lines
examinations by regulatory agencies. or activities with which the
 The organization’s policies and organization has little experience.
practices for managing its human  Organizational restructuring resulting
resources. in the reduction and/or reallocation
of personnel such that business
SAS 109 requires that auditors obtain operations and transaction
sufficient knowledge to assess the processing are affected.
attitude and awareness  Entering into foreign markets that
of the organization’s management, board may impact operations (i.e., the risks
of directors, and owners regarding associated with foreign currency
internal control. transactions).
 Adoption of a new accounting
Guidelines that represent best practices principle that impacts the
 Sepearate CEO and chairman preparation of financial statements.
 Set ethical standards
 Establish and independent audit
committee INFORMATION AND COMMUNICATION
 Compensation committees
The accounting information system
 Nominating committees
consists of the records and methods used
 Access to outside professionals
to initiate, identify, analyze, classify, and
record the organization’s transactions
RISK ASSESSMENT
and to account for the related assets and
liabilities.
Organizations must perform a risk
assessment to identify, analyze, and The quality of information the accounting
manage risks relevant to financial information system generates impacts
reporting. management’s ability to take actions and
make decisions in connection with the organization’s operations and to prepare reliable financial statements.

An effective accounting information system will:
 Identify and record all valid financial transactions.
 Provide timely information about transactions in sufficient detail to permit proper classification and financial reporting.
 Accurately measure the financial value of transactions so their effects can be recorded in financial statements.
 Accurately record transactions in the time period in which they occurred.

SAS 109 requires that auditors obtain sufficient knowledge of the organization’s information system to understand:
 The classes of transactions that are material to the financial statements and how those transactions are initiated.
 The accounting records and accounts that are used in the processing of material transactions.
 The transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements.
 The financial reporting process used to prepare financial statements, disclosures, and accounting estimates.

MONITORING

Process by which the quality of internal control design and operation can be assessed. This may be accomplished by separate procedures or by ongoing activities.

CONTROL ACTIVITIES

Policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks. 2 categories of control activities:
 Information Technology (IT) controls
 Physical controls

IT CONTROLS

2 broad groups:

General Controls - entity-wide IT concerns such as controls over the data center, organization databases, network security, systems development, and program maintenance.

Application controls - ensure the integrity of specific computer systems such as sales order processing, accounts payable, and payroll applications.

PHYSICAL CONTROLS

Physical controls relate to the human activities employed in accounting systems. These activities may be purely manual, such as the physical custody of assets, or they may involve the physical use of computers to record transactions or update accounts.

Physical controls do not relate to the computer logic that actually performs accounting tasks. They relate to the human activities that trigger those tasks or utilize the results of those tasks. In other words, physical controls focus on people but are not restricted to an environment in which clerks update paper accounts with pen and ink.

Six categories of physical control activities:
1. transaction authorization
2. segregation of duties
3. supervision
4. accounting records
5. access control
6. independent verification.

TRANSACTION AUTHORIZATION

The purpose of transaction authorization is to ensure that all material transactions processed by the information system are valid and in accordance with management’s objectives. Authorizations may be general or specific.

General authority - is granted to operations personnel to perform day-to-day operations.

Specific authorizations - deal with case-by-case decisions associated with nonroutine transactions.

SEGREGATION OF DUTIES

One of the most important control activities is the segregation of employee duties to minimize incompatible functions. Segregation of duties can take many forms, depending on the specific duties to be controlled.

Objectives
1. The segregation of duties should be such that the authorization for a transaction is separate from the processing of the transaction.
2. Responsibility for the custody of assets should be separate from the record-keeping responsibility.
3. The organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibilities.

SUPERVISION

Implementing adequate segregation of duties requires that a firm employ a sufficiently large number of employees. Achieving adequate segregation of duties often presents difficulties for small organizations. It is impossible to separate five incompatible tasks among three employees. Therefore, in small organizations or in functional areas that lack sufficient personnel, management must compensate for the absence of segregation controls with close supervision.

ACCOUNTING RECORDS

The accounting records of an organization consist of source documents, journals, and ledgers. These records capture the economic essence of transactions and provide an audit trail of economic events.

ACCESS CONTROL

Ensure that only authorized personnel have access to the firm’s assets. Unauthorized access exposes assets to misappropriation, damage, and theft. Therefore, access controls play an important role in safeguarding assets.
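The three segregation-of-duties objectives above can be checked mechanically against a staffing table. The following Python is an added example written for these notes, not code from the textbook; the duty names, the two incompatible pairs (taken from objectives 1 and 2) and the staffing tables are constructed. It also reports when a single employee could cover a whole transaction cycle alone, which is objective 3 and the situation the SUPERVISION section says small organizations must compensate for with close supervision.

```python
from itertools import combinations

# Duties that make up one transaction cycle (constructed for this example).
CYCLE = ("authorize", "process", "custody", "recordkeeping")

# Pairs that objectives 1 and 2 say must not rest with a single employee.
INCOMPATIBLE = (
    ("authorize", "process"),        # objective 1: authorization vs. processing
    ("custody", "recordkeeping"),    # objective 2: custody vs. record keeping
)


def pair_conflicts(assignments):
    """Objectives 1 and 2: list (user, duty_a, duty_b) for every employee who
    holds both halves of an incompatible pair."""
    found = []
    for user, duties in sorted(assignments.items()):
        for a, b in INCOMPATIBLE:
            if a in duties and b in duties:
                found.append((user, a, b))
    return found


def min_people_to_complete(assignments, cycle=CYCLE):
    """Objective 3: the smallest group of employees whose combined duties cover
    the whole cycle. 1 means one person could commit and conceal a fraud alone;
    2 or more means collusion is required. None if the cycle is not staffed."""
    users = list(assignments)
    needed = set(cycle)
    for size in range(1, len(users) + 1):
        for group in combinations(users, size):
            covered = set().union(*(assignments[u] for u in group))
            if needed <= covered:
                return size
    return None


def review(assignments):
    """Both checks as a finding list; an empty list means no segregation issue."""
    findings = [f"{u} holds incompatible duties {a}/{b}"
                for u, a, b in pair_conflicts(assignments)]
    if min_people_to_complete(assignments) == 1:
        findings.append("one employee can complete the whole cycle alone; "
                        "compensate with close supervision")
    return findings


# Constructed staffing tables.
LARGE_FIRM = {"alice": {"authorize"}, "bob": {"process"},
              "carol": {"custody"}, "dave": {"recordkeeping"}}
SMALL_OFFICE = {"erin": {"authorize", "custody"},
                "frank": {"process", "recordkeeping"},
                "gina": {"authorize", "process", "recordkeeping"}}
ONE_CLERK = {"hank": set(CYCLE), "ivy": {"authorize"}}

if __name__ == "__main__":
    for name, staff in (("large firm", LARGE_FIRM), ("small office", SMALL_OFFICE),
                        ("one clerk", ONE_CLERK)):
        print(name, review(staff) or ["no segregation findings"])
```

In the small-office table only gina is flagged: erin's authorize/custody and frank's process/recordkeeping are not pairs the objectives forbid, and the cycle still needs two people, so collusion is required. The brute-force search in min_people_to_complete is fine for a handful of duties; it is the statement of objective 3, not an efficient set-cover algorithm.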
Access to assets can be direct or indirect. Physical security devices, such as locks, safes, fences, and electronic and infrared alarm systems, control against direct access.

Indirect access to assets is achieved by gaining access to the records and documents that control the use, ownership, and disposition of the asset.

INDEPENDENT VERIFICATION

Independent checks of the accounting system to identify errors and misrepresentations.

Verification takes place after the fact, by an individual who is not directly involved with the transaction or task being verified. Supervision takes place while the activity is being performed, by a supervisor with direct responsibility for the task.

Through independent verification procedures, management can assess (1) the performance of individuals, (2) the integrity of the transaction processing system, and (3) the correctness of data contained in accounting records.

Examples of independent verifications:
 Reconciling batch totals at points during transaction processing.
 Comparing physical assets with accounting records.
 Reconciling subsidiary accounts with control accounts.
 Reviewing management reports (both computer and manually generated) that summarize business activity.
 The timing of verification depends on the technology employed in the accounting system and the task under review. Verifications may occur several times an hour or several times a day. In some cases, verification may occur daily, weekly, monthly, or annually.

IT APPLICATION CONTROLS

Management and auditors are required under SOX to consider IT application controls relevant to financial reporting. Application controls are associated with specific applications, such as payroll, purchases, and cash disbursements systems, and fall into three broad categories:
1. input controls
2. processing controls
3. output controls.

INPUT CONTROLS

Programmed procedures, often called edits, that perform tests on transaction data to ensure that they are free from errors. Edit routines are designed into systems at different points, depending on whether processing is real time or batch.

Examples of input edit controls:

 CHECK DIGIT

If the data code of a particular transaction is entered incorrectly and goes undetected, then a transaction processing error will occur, such as posting to the wrong account. Two common types of data input errors:
1. TRANSCRIPTION ERRORS fall into 3 categories:
- Addition errors occur when an extra digit or character is added to the code.
- Truncation errors occur when a digit or character is removed from the end of a code.
- Substitution errors are the replacement of one digit in a code with another.

2. TRANSPOSITION ERRORS
Two types:
- Single transposition errors occur when two adjacent digits are reversed.
- Multiple transposition errors occur when nonadjacent digits are transposed.

A check digit is a control digit (or digits) that is added to the data code when it is originally assigned. This allows the integrity of the code to be established during subsequent processing.

The check digit can be located anywhere in the code, as a prefix, a suffix, or embedded someplace in the middle. The simplest form of check digit is to sum the digits in the code and use this sum as the check digit.

MISSING DATA CHECK

This edit identifies blank or incomplete input fields that should contain data that are required to process the transaction.

NUMERIC-ALPHABETIC CHECK

This edit identifies when data in a particular field are in the wrong form.

LIMIT CHECK

Limit checks are used to identify field values that exceed an authorized limit.

RANGE CHECK

Many times, data have upper and lower limits to their acceptable values. The purpose of this control is to detect keystroke errors by data entry clerks.

REASONABLENESS CHECK

An error that the limit and range checks do not catch may be detected by a test that determines whether a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with data in other fields of the record.

VALIDITY CHECK

A validity check compares actual field values against known acceptable values. This control is used to verify such things as transaction codes, state abbreviations, or employee job skill codes. If the value in the field does not match one of the acceptable values, the record is flagged as an error.

This is a frequently used control in cash disbursements systems.

PROCESSING CONTROLS

After input data have been edited, the transactions enter the processing stage of the application. Processing controls are programmed procedures to ensure that an application’s logic is functioning properly.

Batch controls are used to manage the flow of high volumes of transactions through batch processing systems. The objective of batch control is to reconcile system output with the input originally entered into the system. This control ensures that:
 All records in the batch are processed.
 No records are processed more than once.
 An audit trail of transactions is created from input through
processing to the output stage of the system.

Batch control begins at the data input stage and continues through all data processing phases of the application. To achieve this, a batch control record is created when the batch of transactions is entered into the system. The control record contains relevant information about the batch, such as:
 A unique batch number.
 A batch date.
 A transaction code (indicating the types of transactions, such as a sales order or cash receipt).
 The number of records in the batch (record count).
 The total dollar value of a financial field (batch control total).
 The total of a unique nonfinancial field (hash total).

Run-to-run controls use the values in the batch control record to monitor the batch as it moves from one programmed procedure (run) to another. Thus, at various points throughout processing and at the end of processing, the batch totals are recalculated and compared to the batch control record. This ensures that each run in the system processes the batch correctly and completely.

This application comprises four runs:
1. data input
2. AR update
3. inventory update
4. output.

AUDIT TRAIL CONTROLS

Audit trail controls in an IT environment ensure that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements. Examples of audit trail controls:

TRANSACTIONAL LOGS

Every transaction the system successfully processes should be recorded on a transaction log, which serves as a journal. Three reasons underscore the importance of this log.
First, the transaction log is a permanent record of transactions, although the input transaction file is typically a temporary file. Second, not all of the records in the input file may be successfully processed. Some of them will fail tests during subsequent processing and will be passed to an error file. A transaction log contains only successful transactions—those that have changed master file account balances. Third, the transaction logs facilitate master file backup procedures.

LOG OF AUTOMATIC TRANSACTIONS

The system triggers some transactions internally.

MASTER FILE BACKUP CONTROLS

Depending on the type of system in place, master file backup procedures may be viewed as either a general control or an application control. In a database environment, the database supports all corporate users, and database backup procedures apply to all applications. Therefore, backup in a database environment is a general control.

GFS BACKUP TECHNIQUE

Systems that use sequential master files (whether tape or disk) employ a backup technique called grandfather-father-son (GFS), which is an integral part of the master file update process. It begins when the current master file (the father) is processed against the transaction file to produce a new updated master file (the son). Note that the son is a physically different file from the father. With the next batch of transactions, the son becomes the current master file (the new father), and the original father becomes the backup file (grandfather).

The systems designer determines the number of backup master files needed for each application. Two factors influence this decision: (1) the financial significance of the system and (2) the degree of file activity.

BACKUP PROCESS IN BATCH SYSTEM USING DIRECT ACCESS FILES

Each record in a direct access file is assigned a unique disk location or address (see Chapter 2 appendix for examples of direct access file structures) that is determined by its primary key value. Because only a single valid location exists for each record, updating the record must occur in place. The destructive update approach leaves no backup copy of the original master file. Only the current value is available to the user.

BACKUP OF MASTER FILES IN A REAL-TIME SYSTEM

Real-time systems pose a more difficult problem because transactions are being
processed continuously. Backup procedures are therefore scheduled at prespecified intervals throughout the day (e.g., every 15 minutes). If the current version of the master file is destroyed through a disk failure or corrupted by a program error, it can be reconstructed from the most current backup file.

OUTPUT CONTROLS

Output controls are a combination of programmed routines and other procedures to ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Exposures of this sort can cause serious disruptions to operations and may result in financial losses to a firm. If the privacy of certain types of output is violated, a firm could have its business objectives compromised or could become exposed to litigation.

CONTROLLING HARD-COPY OUTPUT

Batch systems usually produce hard copy, which typically requires the involvement of intermediaries in its production and distribution.

OUTPUT SPOOLING

In large-scale data processing operations, output devices such as line printers can become backlogged with many programs simultaneously demanding limited resources. This can cause a bottleneck and adversely affect system throughput. To ease this burden, applications are often designed to direct their output to a magnetic disk file rather than print it directly. This is called spooling. Later, when printer resources become available, the output files are printed.

The creation of an output file as an intermediate step in the printing process presents an added exposure. A computer criminal may use this opportunity to:
1. Access the output file and change critical data values (e.g., dollar amounts on checks). The printer program will then print the fallacious output as if the system produced it.
2. Access the file and change the number of copies of output to be printed. The extra copies may then be removed without notice during the printing stage.
3. Make a copy of the output file to produce illegal output reports.
4. Destroy the output file before output printing takes place.

PRINT PROGRAMS

When a printer becomes available, the print run program produces hardcopy output from the output file. Print programs are often complex systems that require operator intervention. Four common types of operator actions are:
1. Pausing the print program to load the correct type of output documents (check stocks, invoices, or other special forms).
2. Entering parameters that the print run needs, such as the number of copies to be printed.
3. Restarting the print run at a prescribed checkpoint after a printer malfunction.
4. Removing printed output from the printer for review and distribution.

Print program controls should be designed to deal with two types of exposures present in this environment: (1) the production of unauthorized copies of output and (2) employee browsing of sensitive data.

WASTE

Computer output waste is a potential source of exposure. Aborted reports and the carbon copies from multipart paper need to be disposed of properly. Computer criminals disguised as janitorial staff have been known to sift through trash cans searching for carelessly discarded output that is presumed to be of no value.

From such trash, computer criminals may obtain information about a firm’s market research, credit ratings of its customers, or even trade secrets, which they can sell to a competitor. Computer waste is also a source of passwords that a perpetrator may use to access the firm’s computer system.

To control against this threat, all sensitive computer output should be passed through a paper shredder.

REPORT DISTRIBUTION

The primary risks associated with the distribution of sensitive reports include their being lost, stolen, or misdirected in transit to the user. The following control techniques can be used:
1. The reports may be placed in a secure mailbox to which only the user has the key.
2. The user may be required to appear in person at the distribution center and sign for the report.
3. A security officer or special courier may deliver the report to the user.

END-USER CONTROLS

Once in the hands of the user, output reports should be examined for correctness. Errors the user detects should be reported to the appropriate IT management.

Such errors may be symptoms of an improper systems design, incorrect procedures, errors accidentally inserted during systems maintenance, or unauthorized access to data files or programs.

Once a report has served its purpose, it should be stored in a secure location until its retention period has expired and then it should be shredded.
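The input edit controls described under INPUT CONTROLS (check digit, missing data, numeric-alphabetic, limit, range, reasonableness and validity checks), as an added Python example that is not code from the notes or the textbook. It implements the notes' simplest check digit (the digit sum, reduced mod 10 here so that it stays a single digit, which is this example's assumption) and shows that it catches a substitution but not a transposition of the constructed code 4312; the weighted modulus-11 digit is a stronger scheme that goes beyond the notes and is included only for contrast. The payroll time card, the job-code table, the 60-hour limit and the rate range are constructed sample data.

```python
import re

# ---- Check digits ----------------------------------------------------------

def simple_check_digit(body: str) -> str:
    """The notes' simplest scheme: the sum of the digits. Reduced mod 10 here
    (this example's assumption) so that it stays a single appended digit."""
    return str(sum(int(c) for c in body) % 10)


def mod11_check_digit(body: str) -> str:
    """Weighted modulus-11 digit, a stronger scheme not covered by the notes:
    weights 2, 3, 4, ... applied from the rightmost digit; remainder 10 is 'X'."""
    total = sum(int(c) * w for c, w in zip(reversed(body), range(2, 2 + len(body))))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def code_is_valid(coded: str, scheme) -> bool:
    """Suffix form: the last character is the check digit for the rest of the code."""
    body, digit = coded[:-1], coded[-1]
    return body.isdigit() and scheme(body) == digit


def check_digit_demo(body="4312"):
    """Substitution vs. single transposition of the constructed code 4312."""
    substituted = body[:-1] + "9"               # 4319: one digit replaced
    transposed = body[1] + body[0] + body[2:]   # 3412: adjacent digits swapped
    return {
        "simple_detects_substitution":
            not code_is_valid(substituted + simple_check_digit(body), simple_check_digit),
        "simple_detects_transposition":
            not code_is_valid(transposed + simple_check_digit(body), simple_check_digit),
        "mod11_detects_transposition":
            not code_is_valid(transposed + mod11_check_digit(body), mod11_check_digit),
    }

# ---- Field edits on a payroll time card -------------------------------------

NUMBER = re.compile(r"\d+(\.\d+)?")
MAX_HOURS = 60.0                 # limit check ceiling (constructed policy)
RATE_RANGE = (7.25, 200.0)       # range check bounds (constructed)
# Validity table: acceptable job codes and the highest hourly rate that is
# reasonable for each of them (constructed).
JOB_CODES = {"C10": 30.0, "E20": 120.0, "M30": 200.0}


def edit_timecard(rec: dict) -> list:
    """Run the notes' input edits in order and return the error tags found."""
    errors = []
    for field in ("employee", "hours", "rate", "job_code"):     # missing data check
        if not str(rec.get(field, "")).strip():
            errors.append(f"missing:{field}")
    if errors:
        return errors
    for field in ("hours", "rate"):                             # numeric-alphabetic check
        if not NUMBER.fullmatch(rec[field]):
            errors.append(f"nonnumeric:{field}")
    if errors:
        return errors
    hours, rate = float(rec["hours"]), float(rec["rate"])
    if not code_is_valid(rec["employee"], simple_check_digit):  # check digit
        errors.append("checkdigit:employee")
    if hours > MAX_HOURS:                                       # limit check
        errors.append("limit:hours")
    rate_in_range = RATE_RANGE[0] <= rate <= RATE_RANGE[1]      # range check
    if not rate_in_range:
        errors.append("range:rate")
    if rec["job_code"] not in JOB_CODES:                        # validity check
        errors.append("validity:job_code")
    elif rate_in_range and rate > JOB_CODES[rec["job_code"]]:   # reasonableness check
        errors.append("reasonableness:rate_for_job")
    return errors


# Constructed time cards: employee number 4312 carries its simple check digit 0.
CARDS = {
    "clean": {"employee": "43120", "hours": "40", "rate": "25.00", "job_code": "C10"},
    "transposed_overtime": {"employee": "34120", "hours": "75", "rate": "150.00", "job_code": "C10"},
    "blank_hours": {"employee": "43120", "hours": "", "rate": "25.00", "job_code": "C10"},
    "letter_in_hours": {"employee": "43120", "hours": "4O", "rate": "25.00", "job_code": "C10"},
    "bad_code": {"employee": "43127", "hours": "40", "rate": "25.00", "job_code": "Z99"},
}

if __name__ == "__main__":
    print(check_digit_demo())
    for name, card in CARDS.items():
        print(name, edit_timecard(card) or "accepted")
```

The transposed_overtime card is the instructive one: the employee number 34120 passes the digit-sum check digit even though its digits were swapped, so only the limit and reasonableness edits stop it. The reasonableness check runs only after the rate has passed its own range check and the job code its validity check, which is the ordering the notes describe.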
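The batch control record, run-to-run reconciliation, transaction log, error file and GFS rotation described under PROCESSING CONTROLS and AUDIT TRAIL CONTROLS, as one added Python example that is not code from the notes or the textbook. The master file, the five-record batch and the two runs (input edit and AR update) are constructed; the textbook application also has inventory update and output runs, which are left out here. The recovery function shows the third reason the notes give for the transaction log: a destroyed son can be rebuilt by reprocessing the log against the father.

```python
# Constructed master file (the father): customer account -> AR balance.
FATHER = {"1001": 1000.00, "1002": 500.00}

# Constructed input batch of sales orders. Two will fail: one in the input
# edit run (zero amount) and one in the AR update run (unknown account).
BATCH = [
    {"account": "1001", "amount": 250.00},
    {"account": "1002", "amount": 80.00},
    {"account": "9999", "amount": 40.00},
    {"account": "1001", "amount": 30.00},
    {"account": "1002", "amount": 0.00},
]


def control_record(records, batch_no, date, tcode):
    """The batch control record with the fields listed in the notes."""
    return {"batch_no": batch_no, "date": date, "tcode": tcode,
            "record_count": len(records),
            "control_total": round(sum(r["amount"] for r in records), 2),  # financial field
            "hash_total": sum(int(r["account"]) for r in records)}         # non-financial field


def run_to_run_ok(control, still_in_batch, error_file):
    """Recompute the three totals over the records a run passed on plus those it
    rejected to the error file; together they must still equal the control record."""
    seen = still_in_batch + error_file
    return (len(seen) == control["record_count"]
            and round(sum(r["amount"] for r in seen), 2) == control["control_total"]
            and sum(int(r["account"]) for r in seen) == control["hash_total"])


def input_edit_run(batch):
    """Run 1: a simple edit; non-positive amounts go to the error file."""
    accepted = [t for t in batch if t["amount"] > 0]
    rejected = [dict(t, reason="amount not positive") for t in batch if t["amount"] <= 0]
    return accepted, rejected


def ar_update_run(father, transactions):
    """Run 2: produce the son as a separate file; log only the transactions that
    changed a balance and send the rest to the error file."""
    son = dict(father)
    log, rejected = [], []
    for t in transactions:
        if t["account"] not in son:
            rejected.append(dict(t, reason="unknown account"))
            continue
        son[t["account"]] = round(son[t["account"]] + t["amount"], 2)
        log.append(t)
    return son, log, rejected


def process_batch(batch, control, father):
    """Both runs with a run-to-run check after each. Returns (son, log, error file)."""
    accepted, error_file = input_edit_run(batch)
    if not run_to_run_ok(control, accepted, error_file):
        raise RuntimeError("batch does not reconcile after input edit run")
    son, log, rejected = ar_update_run(father, accepted)
    error_file = error_file + rejected
    if not run_to_run_ok(control, log, error_file):
        raise RuntimeError("batch does not reconcile after AR update run")
    return son, log, error_file


def rotate_generations(generations, son, keep=3):
    """GFS rotation: the new file is the son, the previous son becomes the father,
    the previous father the grandfather; generations beyond `keep` are released."""
    generations = generations + [son]
    return generations[-keep:]


def recover_son(father, log):
    """Rebuild a destroyed son by reprocessing the transaction log against the father."""
    son, _, rejected = ar_update_run(father, log)
    assert not rejected, "the log holds only transactions that once succeeded"
    return son


if __name__ == "__main__":
    ctl = control_record(BATCH, batch_no="B0001", date="2024-01-15", tcode="SO")
    son, log, errors = process_batch(BATCH, ctl, FATHER)
    print(ctl)
    print("son:", son, "logged:", len(log), "errors:", errors)
    print("recovered son equals son:", recover_son(FATHER, log) == son)
    # A record dropped between runs is caught by the run-to-run check.
    print("tampered batch reconciles:", run_to_run_ok(ctl, BATCH[:-1], []))
```

The hash total over the account numbers has no accounting meaning; its only job is to notice a record that was dropped, duplicated or swapped for another account when the dollar total happens to still agree. Note that the father dictionary is never modified, which is the point of GFS: the son is a physically different file, so the previous generation is still there to recover from.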

CONTROLLING DIGITAL OUTPUT

Digital output can be directed to the user’s computer screen or printer. The primary output threat is the interception, disruption, destruction, or corruption of the output message as it passes across the communications network. This threat comes from two types of exposures:
1. exposures from equipment failure and
2. exposures from subversive acts.
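The output-file exposures listed under OUTPUT SPOOLING, with one way a print program can refuse an altered, over-copied or missing spool file, as an added Python example that is not code from the notes or the textbook. The control record kept apart from the spool, the SHA-256 digest and the check register lines are this example's assumptions. Exposure 3 (copying the file to produce illegal reports) leaves the spool intact and is not caught by this check; it needs access control over the spool file itself.

```python
import hashlib


def write_spool(report_lines, copies, report_id):
    """Write the output file and, separately, a control record for it: a digest of
    the content and the copy count authorized when the report was produced."""
    content = ("\n".join(report_lines) + "\n").encode("utf-8")
    control = {"report_id": report_id, "copies": copies, "lines": len(report_lines),
               "sha256": hashlib.sha256(content).hexdigest()}
    return content, control


def print_run(spool_content, requested_copies, control):
    """The print program re-verifies the spool against the control record before
    printing. Returns (ok, reason) so that a refusal can be logged for review."""
    if spool_content is None:
        return False, "output file missing before printing"
    if hashlib.sha256(spool_content).hexdigest() != control["sha256"]:
        return False, "output file changed after it was spooled"
    if requested_copies != control["copies"]:
        return False, f"{requested_copies} copies requested, {control['copies']} authorized"
    return True, f"printed {control['copies']} copies of {control['report_id']}"


# Constructed check register lines.
REGISTER = ["CHK 1001  ACME SUPPLY     1,250.00",
            "CHK 1002  J. DOE             480.00"]


def scenarios():
    """Exposures 1, 2 and 4 from the spooling list, each against the same spool."""
    content, control = write_spool(REGISTER, copies=1, report_id="CHKREG-0415")
    altered = content.replace(b"480.00", b"4,800.00")     # exposure 1: value changed
    return {
        "untouched": print_run(content, 1, control),
        "amount_changed": print_run(altered, 1, control),
        "extra_copies": print_run(content, 3, control),   # exposure 2: extra copies
        "file_destroyed": print_run(None, 1, control),    # exposure 4: file gone
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:15} {'OK     ' if ok else 'REFUSED'} {reason}")
```

The check only helps if the control record is written somewhere the operator or the spool's writer cannot alter along with the spool; otherwise both can be changed together and the comparison proves nothing.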
