AIS Module 3

This document provides an overview of topics covered in Module 3 of an ethics, fraud, and internal control course, including: understanding business ethics and ethical issues related to information technology; distinguishing between management fraud and employee fraud; learning about common fraud schemes; and understanding the COSO internal control framework and how it relates to physical and IT controls. The document then goes on to discuss specific ethical issues in business and computing, definitions of fraud, common fraud schemes such as fraudulent statements, corruption, and asset misappropriation, and factors that influence fraud losses.

Uploaded by

Nishanthini 2998

Ethics, Fraud & Internal Control
Module 3
Learning Objectives
• Understand the broad issues pertaining to business ethics.
• Have a basic understanding of ethical issues related to the use of information
technology.
• Be able to distinguish between management fraud and employee fraud.
• Be familiar with common types of fraud schemes.
• Be familiar with the key features of the COSO internal control framework.
• Understand the objectives and application of both physical and IT control
activities.

Ethical Issues in Business

• Ethical standards are derived from societal mores and deep-rooted
personal beliefs about issues of right and wrong that are not
universally agreed upon.
• Often, we confuse ethical issues with legal issues.

BUSINESS ETHICS
• Ethics are the principles of conduct that individuals use in making
choices that guide their behavior in situations involving the concepts
of right and wrong.
• Business ethics pertains to the principles of conduct that individuals
use in making choices and guiding their behavior in situations that
involve the concepts of right and wrong.
• Making Ethical Decisions
• Ethical responsibility is the responsibility of organization managers to seek a
balance between the risks and benefits to their constituents that result from
their decisions.
• PROPORTIONALITY

Ethical Issues in Business

COMPUTER ETHICS
• Computer ethics is the analysis of the nature and social impact of
computer technology and the corresponding formulation and justification
of policies for the ethical use of such technology. This includes details
about software as well as hardware and concerns about networks
connecting computers as well as computers themselves.
• A new problem or just a new twist on an old problem?
• Privacy
• Privacy is full control of what and how much information about an individual is
available to others and to whom it is available.
• Ownership is the state or fact of exclusive rights and control over property, which
may be an object, land/real estate, intellectual property, or some other kind of
property.

COMPUTER ETHICS (continued)
• Security (Accuracy and Confidentiality)
• Computer security is an attempt to avoid such undesirable events as a loss of
confidentiality or data integrity.
• Ownership of Property
• Equity in Access
• Environmental Issues
• Artificial Intelligence
• Unemployment and Displacement
• Misuse of Computers
SARBANES-OXLEY ACT AND ETHICAL ISSUES
• Sarbanes-Oxley Act (SOX) is the most significant
federal securities law, with provisions designed to
deal with specific problems relating to capital
markets, corporate governance, and the auditing
profession.
• Section 406—Code of Ethics for Senior Financial
Officers
• CONFLICTS OF INTEREST
• FULL AND FAIR DISCLOSURES
• LEGAL COMPLIANCE
• INTERNAL REPORTING OF CODE VIOLATIONS
• ACCOUNTABILITY

Fraud and Accountants

• The passage of SOX has had a tremendous impact on the external
auditor’s responsibilities for fraud detection during a financial audit.
• The Statement on Auditing Standards (SAS) No. 99 is the current
authoritative document that defines fraud as an intentional act that
results in a material misstatement in financial statements.
• The objective of SAS 99 is to seamlessly blend the auditor’s
consideration of fraud into all phases of the audit process.

DEFINITIONS OF FRAUD
• Fraud is the false representation of a material fact made by one party
to another party, with the intent to deceive and induce the other
party to justifiably rely on the material fact to his or her detriment.
• Employee fraud is performance fraud by nonmanagement
employees, generally designed to directly convert cash or other assets
to the employee’s personal benefit.
• Management fraud is performance fraud that often uses
deceptive practices to inflate earnings or to forestall the recognition
of either insolvency or a decline in earnings.

THE FRAUD TRIANGLE
• The fraud triangle is a triad of factors associated with management
and employee fraud: situational pressure (includes personal or job-
related stresses that could coerce an individual to act dishonestly);
opportunity (involves direct access to assets and/or access to
information that controls assets); and ethics (pertains to one’s
character and degree of moral opposition to acts of dishonesty).

Fraud Triangle

FINANCIAL LOSSES FROM FRAUD
• The actual cost of fraud is, however, difficult to quantify for a number of
reasons:
• Not all fraud is detected.
• Of that detected, not all is reported.
• In many fraud cases, incomplete information is gathered.
• Information is not properly distributed to management or law enforcement
authorities.
• Too often, business organizations decide to take no civil or criminal action against the
perpetrator(s) of fraud.
• In addition to the direct economic loss to the organization, indirect costs—
including reduced productivity, the cost of legal action, increased
unemployment, and business disruption due to investigation of the fraud—
need to be considered.
THE PERPETRATORS OF FRAUDS
• Fraud Losses by Position within the Organization
• Individuals in the highest positions within an organization are beyond the internal
control structure and have the greatest access to company funds and assets.
• Fraud Losses and the Collusion Effect
• One reason for segregating occupational duties is to deny potential perpetrators the
opportunity they need to commit fraud. When individuals in critical positions
collude, they create opportunities to control or gain access to assets that otherwise
would not exist.
• Fraud Losses by Gender
• Women are not fundamentally more honest than men, but men occupy high
corporate positions in greater numbers than women. This affords men greater access
to assets.

THE PERPETRATORS OF FRAUDS (continued)
• Fraud Losses by Age
• Older employees tend to occupy higher-ranking positions and therefore
generally have greater access to company assets.
• Fraud Losses by Education
• Generally, those with more education occupy higher positions in their
organizations and therefore have greater access to company funds and other
assets.
• Conclusions to Be Drawn

FRAUD SCHEMES
• Fraudulent Statements
• Fraudulent statements are statements associated with management fraud. In
this class of fraud scheme, the financial statement misrepresentation must
itself bring direct or indirect financial benefit to the perpetrator.
• THE UNDERLYING PROBLEMS
• SARBANES-OXLEY ACT AND FRAUD: Public Company Accounting Oversight
Board (PCAOB), which is the federal organization empowered to set auditing,
quality control, and ethics standards; to inspect registered accounting firms;
to conduct investigations; and to take disciplinary actions.

FRAUD SCHEMES (continued)
• Corruption
• Corruption involves an executive, a manager, or an employee of the
organization in collusion with an outsider.
• Bribery involves giving, offering, soliciting, or receiving things of value to
influence an official in the performance of his or her lawful duties.
• An illegal gratuity involves giving, receiving, offering, or soliciting something
of value because of an official act that has been taken.
• A conflict of interest is an outline of procedures for dealing with actual or
apparent conflicts of interest between personal and professional
relationships.

FRAUD SCHEMES (continued)
• Corruption (continued)
• Economic extortion is the use (or threat) of force (including economic
sanctions) by an individual or organization to obtain something of value. The
item of value could be a financial or economic asset, information, or
cooperation to obtain a favorable decision on some matter under review.
• Asset Misappropriation
• Skimming
• Skimming involves stealing cash from an organization before it is recorded on
the organization’s books and records. Another example is mail room fraud, in
which an employee opening the mail steals a customer’s check and destroys
the associated remittance advice.

FRAUD SCHEMES (continued)
• Cash Larceny
• Cash larceny is theft of cash receipts from an organization after those receipts
have been recorded in the organization’s books and records.
• Lapping is the use of customer checks, received in payment of their accounts,
to conceal cash previously stolen by an employee.
• Billing Schemes
• Billing schemes, also known as vendor fraud, are schemes under which an
employee causes the employer to issue a payment to a false supplier or
vendor by submitting invoices for fictitious goods/services, inflated invoices,
or invoices for personal purchases.

FRAUD SCHEMES (continued)
• Billing Schemes (continued)
• A shell company fraud involves establishing a false vendor on the company’s books, and then making
false purchase orders, receiving reports, and invoices in the name of the vendor and
submitting them to the accounting system, creating the illusion of a legitimate transaction.
The system ultimately issues a check to the false vendor.
• A pass-through fraud is similar to shell company fraud except that a transaction actually
takes place. The perpetrator creates a false vendor and issues purchase orders to it for
inventory or supplies. The false vendor purchases the needed inventory from a legitimate
vendor, charges the victim company a much higher than market price for the items, and
pockets the difference.
• A pay-and-return is a scheme under which a clerk with check writing authority pays a vendor
twice for the same products (inventory or supplies) received and then intercepts and cashes
the overpayment returned by the vendor.

FRAUD SCHEMES (continued)
• Check Tampering
• Check tampering involves forging, or changing in some material way, a check
that was written to a legitimate payee.
• Payroll Fraud
• Payroll fraud is the distribution of fraudulent paychecks to existent and/or
nonexistent employees.
• Expense Reimbursements
• Expense reimbursement fraud involves claiming reimbursement of fictitious
or inflated business expenses.
• Thefts of Cash
• Theft of cash is the direct theft of cash on hand in the organization.

FRAUD SCHEMES (continued)
• Noncash Misappropriations
• Noncash fraud is the theft or misuse of non-cash assets (e.g., inventory,
confidential information).
• Computer Fraud
• Computer fraud involves theft, misuse, or misappropriation of assets by
altering computer-readable records and files, or by altering the logic of
computer software; the illegal use of computer-readable information; or the
intentional destruction of computer software or hardware.

Internal Control Concepts and Techniques
• The internal control system is a set of policies a firm employs to safeguard the firm’s
assets, ensure accurate and reliable accounting records and information, promote
efficiency, and measure compliance with established policies.
• Modifying Assumptions
• Management responsibility is the concept under which the responsibility for
the establishment and maintenance of a system of internal control falls to
management.
• Reasonable assurance is an assurance provided by the internal control system
that the four broad objectives of internal control are met in a cost-effective
manner.
• METHODS OF DATA PROCESSING
• LIMITATIONS

Internal Control Concepts and Techniques (continued)
• Control Weaknesses and Risks
• Control weaknesses increase the firm’s risk of financial loss or injury from
threats.
• The Preventive-Detective-Corrective Internal Control Model
• Preventive controls are passive techniques designed to reduce the frequency
of occurrence of undesirable events.
• Detective controls are devices, techniques, and procedures designed to
identify and expose undesirable events that elude preventive controls.

Internal Control Shield

Preventive, Detective, and Corrective Controls

Internal Control Concepts and Techniques (continued)
• The Preventive-Detective-Corrective Internal Control Model (continued)
• Corrective controls are actions taken to reverse the effects of errors detected.
Statement on Auditing Standards (SAS) No. 109 is the current authoritative
document for specifying internal control objectives and techniques. It is based
on the COSO framework.
• Sarbanes-Oxley and Internal Control
• Committee of Sponsoring Organizations of the Treadway Commission
(COSO) is a joint initiative of five private sector organizations and is dedicated
to providing thought leadership through the development of frameworks and
guidance on enterprise risk management, internal control, and fraud
deterrence.

COSO INTERNAL CONTROL FRAMEWORK
• The Control Environment
• The control environment is the foundation of internal control.
• Risk Assessment
• Risk assessment is the identification, analysis, and management of risks
relevant to financial reporting.
• Information and Communication
• Monitoring
• Monitoring is the process by which the quality of internal control design and
operation can be assessed.

COSO INTERNAL CONTROL FRAMEWORK (continued)
• Control Activities
• Control activities are the policies and procedures to ensure that appropriate
actions are taken to deal with the organization’s risks.
• IT CONTROLS: General controls are controls that pertain to entity-wide
concerns such as controls over the data center, organization databases,
systems development, and program maintenance. Application controls are
controls that ensure the integrity of specific systems.
• PHYSICAL CONTROLS
• Transaction authorization is a procedure to ensure that employees process
only valid transactions within the scope of their authority.

COSO INTERNAL CONTROL FRAMEWORK (continued)
• Control Activities (continued)
• Segregation of duties is the separation of employee duties to minimize
incompatible functions.
• Supervision is a control activity involving the critical oversight of employees.
• The accounting records of an organization consist of documents, journals, or
ledgers used in transaction cycles.
• Access controls are controls that ensure that only authorized personnel have
access to the firm’s assets.
• Verification procedures are independent checks of the accounting system to
identify errors and misrepresentations.

Segregation of Duties Objectives

IT APPLICATION CONTROLS
• Input Controls
• Input controls are programmed procedures, often called edits, that perform
tests on transaction data to ensure that they are free from errors.
• CHECK DIGIT: Transcription errors are the type of errors that can corrupt a
data code and cause processing errors. Transposition errors are errors that
occur when digits are transposed. A check digit is a method for detecting data
coding errors in which a control digit is added to the code when it is originally
designed to allow the integrity of the code to be established during
subsequent processing.
• MISSING DATA CHECK
• NUMERIC-ALPHABETIC CHECK
• LIMIT CHECK
• RANGE CHECK
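
The check digit control described above, as an added example that is not part of the original slides. The slides name no algorithm, so a weighted modulus-11 scheme is assumed, and all account codes are constructed sample values.

```python
# Added example (not from the slides): weighted modulus-11 check digit.
# The slides name no algorithm; modulus-11 with weights 2, 3, 4, ... is assumed.
# All account codes below are constructed sample values.


def sum_check_digit(base: str) -> str:
    """Naive scheme: digit sum mod 10. It ignores digit positions."""
    return str(sum(int(d) for d in base) % 10)


def mod11_check_digit(base: str) -> str:
    """Weight digits 2, 3, 4, ... from the right, then take 11 - (sum mod 11)."""
    if not (base.isascii() and base.isdigit()):
        raise ValueError("base code must be numeric")
    if len(base) > 9:
        raise ValueError("base code too long: every weight must stay below 11")
    weighted = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    check = (11 - weighted % 11) % 11
    return "X" if check == 10 else str(check)  # 10 is written as X, as in ISBN-10


def issue_code(base: str) -> str:
    """Append the control digit when the code is first designed."""
    return base + mod11_check_digit(base)


def is_valid(code: str) -> bool:
    """Input edit: recompute the check digit during later processing."""
    base = code[:-1]
    if not (base.isascii() and base.isdigit() and len(base) <= 9):
        return False
    return mod11_check_digit(base) == code[-1]


def screen(codes):
    """Return the keyed codes an input edit program would reject."""
    return [c for c in codes if not is_valid(c)]


if __name__ == "__main__":
    good = issue_code("5372")  # constructed 4-digit account code
    # Keyed entries: correct, transcription error, transposition error, stray letter
    keyed = [good, "53734", "35724", "5372A"]
    print("issued:  ", good)
    print("rejected:", screen(keyed))
    # A position-blind digit sum cannot tell 5372 from 3572:
    print("sum scheme misses transposition:",
          sum_check_digit("5372") == sum_check_digit("3572"))
```

Because adjacent weights differ by one and 11 is prime, any swap of two neighbouring digits changes the weighted sum, which is why the transposed code is rejected while the plain digit sum accepts it.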
IT APPLICATION CONTROLS (continued)
• Input Controls (continued)
• REASONABLENESS CHECK
• VALIDITY CHECK
• Processing Controls
• Batch controls are an effective method of managing high volumes of
transaction data through a system.
• Run-to-run controls are controls that use batch figures to monitor the batch
as it moves from one programmed procedure to another.
• Hash total is a control technique that uses nonfinancial data to keep track of
the records in a batch.
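
Run-to-run verification with a hash total, as an added example that is not part of the original slides. The record layout, field names and figures are constructed assumptions; the hash total here is the sum of account numbers.

```python
# Added example (not from the slides): batch control record with a hash total,
# re-verified after each processing run. All records are constructed sample data.
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    account: int      # nonfinancial field used for the hash total
    amount: Decimal   # financial field used for the control total


@dataclass(frozen=True)
class BatchControl:
    record_count: int
    control_total: Decimal
    hash_total: int


def batch_control(batch) -> BatchControl:
    """Compute the control figures when the batch is first assembled."""
    return BatchControl(
        record_count=len(batch),
        control_total=sum((t.amount for t in batch), Decimal("0")),
        hash_total=sum(t.account for t in batch),
    )


def run_to_run_check(expected: BatchControl, batch) -> list:
    """Recompute the figures after a run; return the names of fields that differ."""
    actual = batch_control(batch)
    return [name for name in ("record_count", "control_total", "hash_total")
            if getattr(expected, name) != getattr(actual, name)]


SAMPLE_BATCH = [
    Txn(10452, Decimal("150.00")),
    Txn(20731, Decimal("75.25")),
    Txn(30984, Decimal("310.10")),
]
CONTROL = batch_control(SAMPLE_BATCH)

# A record lost between runs changes every control figure.
DROPPED = SAMPLE_BATCH[:2]
# An altered account number leaves the count and the amounts intact;
# only the hash total over account numbers exposes it.
ALTERED = [SAMPLE_BATCH[0], Txn(20713, Decimal("75.25")), SAMPLE_BATCH[2]]

if __name__ == "__main__":
    for label, batch in [("clean", SAMPLE_BATCH), ("dropped", DROPPED),
                         ("altered", ALTERED)]:
        print(label, run_to_run_check(CONTROL, batch))
```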

IT APPLICATION CONTROLS (continued)
• Audit Trail Controls
• Audit trail controls ensure that every transaction can be traced through each
stage of processing from its economic source to its presentation in financial
statements.
• TRANSACTION LOGS
• LOG OF AUTOMATIC TRANSACTIONS
• Master File Backup Controls

Transaction Log to Preserve the Audit Trail

GFS BACKUP TECHNIQUE
• Grandfather-father-son (GFS) is a backup technique employed by
systems that use sequential master files (whether tape or disk). It is
an integral part of the master file update process.
• The systems designer determines the number of backup master files
needed for each application. Two factors influence this decision: (1)
the financial significance of the system and (2) the degree of file
activity.

Grandfather-Father-Son Approach

BACKUP PROCESS IN BATCH SYSTEM USING DIRECT ACCESS FILES
• Each record in a direct access file is assigned a unique disk location or
address that is determined by its primary key value.
• The destructive update approach leaves no backup copy of the
original master file.

Destructive Update Approach

Backup Procedures for Batch Systems Using Direct Access Files

BACKUP OF MASTER FILES IN A REAL-TIME SYSTEM
• Real-time systems pose a more difficult problem because transactions
are being processed continuously.
• Backup procedures are therefore scheduled at prespecified intervals
throughout the day (e.g., every 15 minutes).

Backup Procedures for Real-Time Processing System

OUTPUT CONTROLS
• Controlling Hard-Copy Output
• OUTPUT SPOOLING: Spooling is directing an application’s output to a
magnetic disk file rather than to the printer directly.
• PRINT PROGRAMS
• WASTE
• REPORT DISTRIBUTION
• END-USER CONTROLS
• Controlling Digital Output

Stages in the Output Process
