Chapter 3 Computer ethics is ‘‘the analysis of the nature and social impact

of computer technology and the corresponding formulation and

Ethics, Fraud, and Internal Control justification of policies for the ethical use of such technology
This chapter examines three closely related areas of concern, Three levels of computer ethics:
which are specifically addressed by the Sarbanes-Oxley Act
(SOX 404) and are important to accountants and 1. Pop computer ethics is simply the exposure to stories and
management. These are ethics, fraud, and internal control. reports found in the popular media regarding the good or
Ethical standards are derived from societal mores and deep- bad ramifications of computer technology
rooted personal beliefs about issues of right and wrong that 2. Para computer ethics involves taking a real interest in
are not universally agreed upon computer ethics cases and acquiring some level of skill and
knowledge in the field.
3. Theoretical computer ethics, is of interest to
BUSINESS ETHICS
multidisciplinary researchers who apply the theories of
Ethics pertains to the principles of conduct that individuals use philosophy, sociology, and psychology to computer science
in making choices and guiding their behavior in situations that with the goal of bringing some new understanding to the
involve the concepts of right and wrong. field.
More specifically, business ethics involves finding the answers
PRIVACY People desire to be in full control of what and how
to two questions:
much information about themselves is available to others, and to
(1) How do managers decide what is right in conducting their
whom it is available. This is the issue of privacy
business? and (2) Once managers have recognized what is
right, how do they achieve it? SECURITY (ACCURACY AND CONFIDENTIALITY) Computer security is
Ethical issues in business can be divided into four areas: an attempt to avoid such undesirable events as a loss of
equity, rights, honesty, and the exercise of corporate power. confidentiality or data integrity. Security systems attempt to prevent
fraud and other misuse of computer systems; they act to protect and
Seeking a balance between these consequences is the managers’
further the legitimate interests of the system’s constituencies.
ethical responsibility
OWNERSHIP OF PROPERTY Laws designed to preserve real property
The following ethical principles provide some guidance in the
rights have been extended to cover what is referred to as intellectual
discharge of this responsibility.
property, that is, software.
PROPORTIONALITY The benefit from a decision must
EQUITY IN ACCESS Some barriers to access are intrinsic to the
outweigh the risks. Furthermore, there must be no alternative
technology of information systems, but some are avoidable through
decision that provides the same or greater benefit with less risk.
careful system design. Several factors, some of which are not unique
OMPUTER ETHICS to information systems, can limit access to computing technology.

ENVIRONMENTAL ISSUES Computers with high-speed printers

allow for the production of printed documents faster than ever
before. It may be more efficient or more comforting to have a hard (CEO), CFO, controller, or persons performing similar
copy in addition to the electronic version. However, paper comes functions. If the company has not adopted such a code, it
from trees, a precious natural resource, and ends up in landfills if not must explain why.
properly recycled A public company may disclose its code of ethics in several
ways:
ARTIFICIAL INTELLIGENCE A new set of social and ethical issues (1) included as an exhibit to its annual report
has arisen out of the popularity of expert systems. Because of the (2) as a posting to its Web site, or (3) by agreeing to
way these systems have been marketed—that is, as decision makers provide copies of the code upon request.
or replacements for experts—some people rely on them significantly
The SEC has ruled that compliance with Section 406 necessitates a
UNEMPLOYMENT AND DISPLACEMENT Many jobs have been written code of ethics that addresses the following ethical issues.
and are being changed as a result of the availability of computer
technology. People unable or unprepared to change are displaced CONFLICTS OF INTEREST. The company’s code of ethics should
outline procedures for dealing with actual or apparent conflicts of
MISUSE OF COMPUTERS COMPUTERS can be misused in many ways. interest between personal and professional relationships. Note that
Copying proprietary software, using a company’s computer for the issue here is in dealing with conflicts of interest, not prohibiting
personal benefit, and snooping through other people’s files are just a them
few obvious examples.
FULL AND FAIR DISCLOSURES. This provision states that the
SARBANES-OXLEY ACT AND ETHICAL ISSUES organization should provide full, fair, accurate, timely, and
Public outcry surrounding ethical misconduct and fraudulent understandable disclosures in the documents, reports, and financial
acts by executives of Enron, Global Crossing, Tyco, Adelphia, statements that it submits to the SEC and to the public.
WorldCom, and others spurred Congress into passing the LEGAL COMPLIANCE. Codes of ethics should require employees to
American Competitiveness and Corporate Accountability Act follow applicable governmental laws, rules, and regulations. As stated
of 2002. previously, we must not confuse ethical issues with legal issues.
This wide-sweeping legislation, more commonly known as the
Sarbanes-Oxley Act (SOX), is the most significant securities INTERNAL REPORTING OF CODE VIOLATIONS. The code of ethics
law since the Securities and Exchange Commission (SEC) Acts must provide a mechanism to permit prompt internal reporting of
of 1933 and 1934. ethics violations. This provision is similar in nature to Sections 301
SOX has many provisions designed to deal with specific and 806, which were designed to encourage and protect whistle-
problems relating to capital markets, corporate governance, blowers.
and the auditing profession.
ACCOUNTABILITY. An effective ethics program must take appropriate
Section 406—Code of Ethics for Senior Financial Officers action when code violations occur. This will include various
disciplinary measures, including dismissal.
Section 406 of SOX requires public companies to disclose
to the SEC whether they have adopted a code of ethics FRAUD AND ACCOUNTANTS
that applies to the organization’s chief executive officer
 The passage of SOX has had a tremendous impact on the 1. Employee fraud, or fraud by nonmanagement employees, is
external auditor’s responsibilities for fraud detection during a generally designed to directly convert cash or other assets to
financial audit. the employee’s personal benefit. Typically, the employee
It requires the auditor to test controls specifically intended to circumvents the company’s internal control system for
prevent or detect fraud likely to result in a material personal gain. If a company has an effective system of internal
misstatement of the financial statements. control, defalcations or embezzlements can usually be
The current authoritative guidelines on fraud detection are prevented or detected.
presented in Statement on Auditing Standards (SAS) No. 99, Employee fraud usually involves three steps:
Consideration of Fraud in a Financial Statement Audit. (1) stealing something of value (an asset),
The objective of SAS 99 is to seamlessly blend the auditor’s (2) converting the asset to a usable form (cash), and
consideration of fraud into all phases of the audit process. (3) concealing the crime to avoid detection.
In addition, SAS 99 requires the auditor to perform new steps 2. Management fraud is more insidious than employee fraud
such as a brainstorming during audit planning to assess the because it often escapes detection until the organization has
potential risk of material misstatement of the financial suffered irreparable damage or loss. Management fraud
statements from fraud schemes. usually does not involve the direct theft of assets. Top
management may engage in fraudulent activities to drive up
DEFINITIONS OF FRAUD the market price of the company’s stock. This may be done to
Fraud denotes a false representation of a material fact made by meet investor expectations or to take advantage of stock
one party to another party with the intent to deceive and induce options that have been loaded into the manager’s
the other party to justifiably rely on the fact to his or her compensation package. The Commission on Auditors’
detriment. According to common law, a fraudulent act must meet Responsibilities calls this performance fraud, which often
the following five conditions: involves deceptive practices to inflate earnings or to forestall
the recognition of either insolvency or a decline in earnings
1. False representation. There must be a false statement or a 1. The fraud is perpetrated at levels of management above the
nondisclosure. one to which internal control structures generally relate.
2. Material fact. A fact must be a substantial factor in inducing 2. The fraud frequently involves using the financial statements
someone to act. to create an illusion that an entity is healthier and more
3. Intent. There must be the intent to deceive or the knowledge prosperous than, in fact, it is.
that one’s statement is false. 3. If the fraud involves misappropriation of assets, it
4. Justifiable reliance. The misrepresentation must have been a frequently is shrouded in a maze of complex business
substantial factor on which the injured party relied. transactions, often involving related third parties
5. Injury or loss. The deception must have caused injury or loss
to the victim of the fraud. THE FRAUD TRIANGLE

In accounting literature, fraud is also commonly known as white- The fraud triangle consists of three factors that contribute to or are
collar crime, defalcation, embezzlement, and irregularities. Auditors associated with management and employee fraud. These are
encounter fraud at two levels:
 (1) situational pressure, which includes personal or job-related relied upon to prevent and detect fraud among their subordinates.
stresses that could coerce an individual to act dishonestly; When they participate in fraud with the employees over whom they
are supposed to provide oversight, the organization’s control
(2) opportunity, which involves direct access to assets and/or access structure is weakened, or completely circumvented, and the company
to information that controls assets, and; becomes more vulnerable to losses.
(3) ethics, which pertains to one’s character and degree of moral Fraud Losses by Gender the median fraud loss per case caused
opposition to acts of dishonesty. by males ($250,000) was more than twice that caused by females
FINANCIAL LOSSES FROM FRAUD ($110,000).

The actual cost of fraud is, however, difficult to quantify for a number Fraud Losses by Age perpetrators younger than 26 years of age
of reasons: caused median losses of $25,000, while those perpetrated by
individuals 60 and older were approximately 20 times larger.
(1) not all fraud is detected;
Fraud Losses by Education median loss from frauds relative to the
(2) of that detected, not all is reported; perpetrator’s education level. Frauds committed by high school
graduates averaged only $100,000, whereas those with bachelor’s
(3) in many fraud cases, incomplete information is gathered; degrees averaged $210,000. Perpetrators with advanced degrees
(4) information is not properly distributed to management or law were responsible for frauds with a median loss of $550,000.
enforcement authorities; and CONCLUSIONS TO BE DRAWN
(5) too often, business organizations decide to take no civil or criminal No matter how intensely driven by situational pressure one may
action against the perpetrator(s) of fraud. become, even the most unethical individual cannot perpetrate a
THE PERPETRATORS OF FRAUDS fraud if no opportunity to do so exists. Indeed, the opportunity factor
explains much of the financial loss differential in each of the
Fraud Losses by Position within the Organization 40 percent of the demographic categories presented in the ACFE study:
reported fraud cases were committed by nonmanagerial employees,
37 percent by managers, and 23 percent by executives or owners. Position. Individuals in the highest positions within an organization
Although the reported number of frauds perpetrated by employees is are beyond the internal control structure and have the greatest
higher than that of managers and almost twice that of executives, the access to company funds and assets.
average losses per category are inversely related. Gender. Women are not fundamentally more honest than men, but
Fraud Losses and the Collusion Effect Collusion among men occupy high corporate positions in greater numbers than
employees in the commission of a fraud is difficult to both prevent women. This affords men greater access to assets.
and detect. This is particularly true when the collusion is between Age. Older employees tend to occupy higher-ranking positions and
managers and their subordinate employees. Management plays a key therefore generally have greater access to company assets.
role in the internal control structure of an organization. They are
Education. Generally, those with more education occupy higher personal loans; or have an operational relationship as employees of
positions in their organizations and therefore have greater access to the company
company funds and other assets.
Questionable Executive Compensation Scheme Excessive use of
Collusion. One reason for segregating occupational duties is to deny short-term stock options to compensate directors and executives may
potential perpetrators the opportunity they need to commit fraud. result in short-term thinking and strategies aimed at driving up stock
When individuals in critical position collude, they create opportunities prices at the expense of the firm’s long-term health.
to control or gain access to assets that otherwise would not exist.
Inappropriate Accounting Practices. The use of inappropriate
FRAUD SCHEMES accounting techniques is a characteristic common to many financial
statement fraud schemes.
Three broad categories of fraud schemes are defined:
 Enron made elaborate use of special-purpose entities to hide
1. Fraudulent Statements are associated with management liabilities through off-balance-sheet accounting
fraud. Whereas all fraud involves some form of financial  WorldCom management decided to transfer transmission line
misstatement, to meet the definition under this class of fraud
costs from current expense accounts to capital accounts.
scheme the statement itself must bring direct or indirect
financial benefit to the perpetrator. In other words, the SARBANES-OXLEY ACT AND FRAUD. To address plummeting
statement is not simply a vehicle for obscuring or covering a institutional and individual investor confidence triggered in part by
fraudulent act. For example, misstating the cash account business failures and accounting restatements, Congress enacted SOX
balance to cover the theft of cash is not financial statement into law in July 2002.
fraud. On the other hand, understating liabilities to present a
more favorable financial picture of the organization to drive Its principal reforms pertain to
up stock prices does fall under this classification.
(1) the creation of an accounting oversight board, -
Enron, WorldCom, and Adelphia UNDERLYING PROBLEMS. Public Company Accounting Oversight Board (PCAOB).

Lack of Auditor Independence. Auditing firms that are also engaged (2) auditor independence, - more separation between a firm’s
by their clients to perform nonaccounting activities such as actuarial attestation and nonauditing activities
services, internal audit outsourcing services, and consulting, lack
(3) corporate governance and responsibility, -audit committee
independence. The firms are essentially auditing their own work.
members to be independent and requires the audit committee to hire
Lack of Director Independence. Many boards of directors are and oversee the external auditors
composed of individuals who are not independent. Examples of lack
(4) disclosure requirements, increase issuer and management
of independence are directors who have a personal relationship by
disclosure and
serving on the boards of other directors’ companies; have a business
trading relationship as key customers or suppliers of the company; (5) penalties for fraud and other violations new criminal penalties for
have a financial relationship as stockholders or have received fraud and other wrongful acts new federal crimes relating to the
destruction of documents or audit work papers, securities fraud, are either directly or indirectly diverted to the perpetrator’s
tampering with documents to be used in an official proceeding, and benefit. Ninety percent of the frauds included in the ACFE
actions against whistle-blowers. study fall in this general category. Transactions involving cash,
checking accounts, inventory, supplies, equipment, and
2. Corruption involves an executive, manager, or employee of information are the most vulnerable to abuse
the organization in collusion with an outsider. The ACFE study
identifies four principal types of corruption: bribery, illegal Skimming involves stealing cash from an organization before it
gratuities, conflicts of interest, and economic extortion. is recorded on the organization’s books and records.
Corruption accounts for about 10 percent of occupational Cash Larceny involves schemes in which cash receipts are
fraud cases stolen from an organization after they have been recorded in
Bribery involves giving, offering, soliciting, or receiving things the organization’s books and records.
of value to influence an official in the performance of his or Billing schemes, also known as vendor fraud, are perpetrated
her lawful duties by employees who causes their employer to issue a payment
Illegal Gratuities. An illegal gratuity involves giving, receiving, to a false supplier or vendor by submitting invoices for
offering, or soliciting something of value because of an official fictitious goods or services
act that has been taken. This is similar to a bribe, but the Check Tampering involves forging or changing in some
transaction occurs after the fact. For example, the plant material way a check that the organization has written to a
manager in a large corporation uses his influence to ensure legitimate payee. One example of this is an employee who
that a request for proposals is written in such a way that only steals an outgoing check to a vendor, forges the payee’s
one contractor will be able to submit a satisfactory bid. pricing signature, and cashes the check.
of the construction. Payroll fraud is the distribution of fraudulent paychecks to
Conflicts Of Interest. Every employer should expect that his or existent and/or nonexistent employees.
her employees will conduct their duties in a way that serves Expense Reimbursements frauds are schemes in which an
the interests of the employer. A conflict of interest occurs employee makes a claim for reimbursement of fictitious or
when an employee acts on behalf of a third party during the inflated business expenses.
discharge of his or her duties or has self-interest in the activity Thefts of cash are schemes that involve the direct theft of
being performed. When the employee’s conflict of interest is cash on hand in the organization.
unknown to the employer and results in financial loss, then Non-cash fraud schemes involve the theft or misuse of the
fraud has occurred. victim organization’s non-cash assets. One example of this is a
Economic extortion is the use (or threat) of force (including warehouse clerk who steals inventory from a warehouse or
economic sanctions) by an individual or organization to obtain storeroom.
something of value. The item of value could be a financial or Computer Fraud Because computers lie at the heart of
economic asset, information, or cooperation to obtain a modern accounting information systems, the topic of
favorable decision on some matter under review. computer fraud is of importance to auditors.

3. Asset Misappropriation The most common fraud schemes INTERNAL CONTROL CONCEPTS AND TECHNIQUES
involve some form of asset misappropriation in which assets
With a backdrop of ethics and fraud in place, let’s now examine (3) management override—management is in a position
internal control concepts and techniques for dealing with these to override control procedures by personally distorting
problems. transactions or by directing a subordinate to do so, and
(4) changing conditions—conditions may change over time so
The internal control system comprises policies, practices, and that existing controls may become ineffectual
procedures employed by the organization to achieve four broad
objectives: Exposures and Risk- internal control system as a shield that protects
the firm’s assets from numerous undesirable events that bombard
1. To safeguard assets of the firm. the organization. These include attempts at unauthorized access to
2. To ensure the accuracy and reliability of accounting records and the firm’s assets (including information); fraud perpetrated by
information. persons both inside and outside the firm; errors due to employee
incompetence, faulty computer programs, and corrupted input data;
3. To promote efficiency in the firm’s operations. and mischievous acts, such as unauthorized access by computer
hackers and threats from computer viruses that destroy programs
4. To measure compliance with management’s prescribed and databases.
policies and procedures.
The absence or weakness of a control is called an exposure.
Modifying Assumptions Exposures, increase the firm’s risk to financial loss or injury from
undesirable events. A weakness in internal control may expose the
Inherent in these control objectives are four modifying
firm to one or more of the following types of risks:
assumptions that guide designers and auditors of internal
controls. 1. Destruction of assets (both physical assets and information).
MANAGEMENT RESPONSIBILITY. The establishment and 2. Theft of assets.
maintenance of a system of internal control is a management
responsibility. 3. Corruption of information or the information system.
REASONABLE ASSURANCE. This means that no system of
internal control is perfect and the cost of achieving improved 4. Disruption of the information system.
control should not outweigh its benefits. The Preventive–Detective–Corrective Internal Control Model
METHODS OF DATA PROCESSING. The control techniques used Internal control shield is composed of three levels of control:
to achieve these objectives will, however, vary with different preventive controls, detective controls, and corrective controls.
types of technology.
LIMITATIONS. Every system of internal control has limitations
on its effectiveness. These include
(1) the possibility of error—no system is perfect,
(2) circumvention—personnel may circumvent the system
through collusion or other means,
PREVENTIVE CONTROLS. Prevention is the first line of defense in the Committee of Sponsoring Organizations of the Treadway
control structure. Preventive controls are passive techniques Commission (COSO)
designed to reduce the frequency of occurrence of undesirable
events. Preventive controls force compliance with prescribed or SAS 78/COSO INTERNAL CONTROL FRAMEWORK The SAS
desired actions and thus screen out aberrant events. Preventing 78/COSO framework consists of five components: the control
errors and fraud is far more cost-effective than detecting and environment, risk assessment, information and communication,
correcting problems after they occur. monitoring, and control activities.

DETECTIVE CONTROLS. Detective controls form the second line of 1. The Control Environment The control environment is the
defense. These are devices, techniques, and procedures designed to foundation for the other four control components. The control
identify and expose undesirable events that elude preventive environment sets the tone for the organization and influences
controls. Detective controls reveal specific types of errors by the control awareness of its management and employees.
comparing actual occurrences to pre-established standards. Important elements of the control environment are:
 The integrity and ethical values of management.
CORRECTIVE CONTROLS. Corrective controls are actions taken to  The structure of the organization.
reverse the effects of errors detected in the previous step. There is an  The role organization’s board of directors and the
important distinction between detective controls and corrective audit committee
controls. Detective controls identify anomalies and draw attention to  Management’s philosophy and policies
them; corrective controls actually fix the problem.  Delegating responsibility and authority.
 Management’s methods for assessing performance.
The PDC control model is conceptually pleasing but offers little
 External influences, -regulatory agencies.
practical guidance for designing specific controls. For this, we need a
 Policies and practices for managing its human resources.
more precise framework. The current authoritative document for
2. Risk Assessment Organizations must perform a risk
specifying internal control objectives and techniques is Statement on
assessment to identify, analyze, and manage risks relevant to
Auditing Standards (SAS) No. 78, which is based on the COSO
financial reporting. External Risks can arise or change from
framework. We discuss the key elements of these documents in the
circumstances such as:
following section
 Changes in external environment
Sarbanes-Oxley and Internal Control Sarbanes-Oxley  Risky foreign market
 Significant and rapid growth that strains existing internal
legislation requires management of public companies to controls.
implement an adequate system of internal controls over their  New product lines
financial reporting process. This includes controls over  Organizational restructuring
transaction processing systems that feed data to the financial  Adoption of a new accounting
reporting systems. Management’s responsibilities for this are
codified in Sections 302 and 404 of SOX. 3. Information and Communication The accounting information
Regarding the control framework to be used, both the PCAOB system consists of the records and methods used to initiate,
and the SEC have endorsed the framework put forward by the identify, analyze, classify, and record the organization’s
 transactions and to account for the related assets and General controls pertain to entity-wide concerns such as controls
liabilities over the data center, organization databases, systems development,
 Identify and record all valid financial transactions. and program maintenance.
 Provide timely information about transactions in sufficient
detail to permit proper classification and financial reporting. Application controls ensure the integrity of specific systems such as
 Accurately measure the financial value of transactions sales order processing, accounts payable, and payroll applications.
 Accurately record transactions in the time period in which  Physical Controls. relates primarily to the human activities
they occurred. employed in accounting systems
SAS 78/COSO requires that auditors obtain sufficient
knowledge of the organization’s information system to Transaction Authorization. The purpose of transaction authorization
understand: is to ensure that all material transactions processed by the
 The classes of transactions that are material to the financial information system are valid and in accordance with management’s
statements and objectives.
 how those transactions are initiated. [input]
 The accounting records and accounts that are used in Segregation Of Duties. One of the most important control activities is
the processing of material transactions.[input] the segregation of employee duties to minimize incompatible
functions. Segregation of duties can take many forms, depending on
 The transaction processing steps involved from the initiation
of a transaction to its inclusion in the financial statements. the specific duties to be controlled
[process] Supervision. Implementing adequate segregation of duties requires
 The financial reporting process used to prepare financial that a firm employ a sufficiently large number of employees. For this
statements, disclosures, and accounting estimates.[output] reason, supervision is often called a compensating control.

4. Monitoring Management is the process by which the quality Accounting Records. The accounting records of an organization
of internal control design and operation can be assessed. This consist of source documents, journals, and ledgers. These records
may be accomplished by separate procedures or by ongoing capture the economic essence of transactions and provide an audit
activities[feedback] trail of economic events. The audit trail enables the auditor to trace
5. Control activities are the policies and procedures used to any transaction through all phases of its processing from the initiation
ensure that appropriate actions are taken to deal with the of the event to the financial statement
organization’s identified risks. Control activities can be
Access Control. The purpose of access controls is to ensure that only
grouped into two distinct categories: information technology
authorized personnel have access to the firm’s assets. Unauthorized
(IT) controls and physical controls.
access exposes assets to misappropriation, damage, and theft.
 IT controls relate specifically to the computer
Therefore, access controls play an important role in safeguarding
environment.
assets.

Independent Verification. Verification procedures are independent

checks of the accounting system to identify errors and
misrepresentations. Verification differs from supervision because it
takes place after the fact, by an individual who is not directly involved
with the transaction or task being verified.