Ch02 - Ethics Fraud IC

The document discusses ethics, fraud, and internal control. It defines business ethics and issues related to computer ethics. It also discusses the Sarbanes-Oxley Act and how it relates to ethics. Additionally, it defines fraud and the fraud triangle, and discusses common fraud schemes and the perpetrators of fraud.

Uploaded by

Xiao Xuan

Chapter 2 – Part 1
Ethics, Fraud, and Internal Control

James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Learning Objectives
• Understand the broad issues pertaining to business
ethics.
• Have a basic understanding of ethical issues related to
the use of information technology.
• Be able to distinguish between management fraud and
employee fraud.
• Be familiar with common types of fraud schemes.
• Be familiar with the key features of the COSO internal
control framework.
• Understand the objectives and application of both physical
and IT control activities.

Ethical Issues in Business
• Ethical standards are derived from societal mores and
deep-rooted personal beliefs about issues of right and
wrong that are not universally agreed upon.
• Often, we confuse ethical issues with legal issues.

BUSINESS ETHICS
• Ethics are the principles of conduct that individuals use in
making choices that guide their behavior in situations
involving the concepts of right and wrong.
• Business ethics pertains to the principles of conduct that
individuals use in making choices and guiding their
behavior in situations that involve the concepts of right
and wrong.
• Making Ethical Decisions
• Ethical responsibility is the responsibility of organization
managers to seek a balance between the risks and benefits to
their constituents that result from their decisions.
• PROPORTIONALITY

Ethical Issues in Business

COMPUTER ETHICS
• Computer ethics is the analysis of the nature and social
impact of computer technology and the corresponding
formulation and justification of policies for the ethical use
of such technology. This includes details about software
as well as hardware and concerns about networks
connecting computers as well as computers themselves.
• A new problem or just a new twist on an old problem?
• Privacy
• Privacy is full control of what and how much information about
an individual is available to others and to whom it is available.
• Ownership is the state or fact of exclusive rights and control
over property, which may be an object, land/real estate,
intellectual property, or some other kind of property.

COMPUTER ETHICS (continued)
• Security (Accuracy and Confidentiality)
• Computer security is an attempt to avoid such undesirable
events as a loss of confidentiality or data integrity.
• Ownership of Property
• Equity in Access
• Environmental Issues
• Artificial Intelligence
• Unemployment and Displacement
• Misuse of Computers

SARBANES-OXLEY ACT AND ETHICAL ISSUES

• Sarbanes-Oxley Act (SOX) is the most significant federal
securities law, with provisions designed to deal with
specific problems relating to capital markets, corporate
governance, and the auditing profession.
• Section 406—Code of Ethics for Senior Financial Officers
• CONFLICTS OF INTEREST
• FULL AND FAIR DISCLOSURES
• LEGAL COMPLIANCE
• INTERNAL REPORTING OF CODE VIOLATIONS
• ACCOUNTABILITY

Fraud and Accountants
• The passage of SOX has had a tremendous impact on the
external auditor’s responsibilities for fraud detection
during a financial audit.
• The Statement on Auditing Standards (SAS) No. 99 is
the current authoritative document that defines fraud as
an intentional act that results in a material misstatement in
financial statements.
• The objective of SAS 99 is to seamlessly blend the
auditor’s consideration of fraud into all phases of the audit
process.

DEFINITIONS OF FRAUD
• Fraud is the false representation of a material fact made
by one party to another party, with the intent to deceive
and induce the other party to justifiably rely on the
material fact to his or her detriment.
• Employee fraud is performance fraud by nonmanagement
employees, generally designed to directly
convert cash or other assets to the employee’s personal
benefit.
• Management fraud is performance fraud that often
uses deceptive practices to inflate earnings or to forestall
the recognition of either insolvency or a decline in
earnings.

THE FRAUD TRIANGLE
• The fraud triangle is a triad of factors associated with
management and employee fraud: situational pressure
(includes personal or job-related stresses that could
coerce an individual to act dishonestly); opportunity
(involves direct access to assets and/or access to
information that controls assets); and ethics (pertains to
one’s character and degree of moral opposition to acts of
dishonesty).

Fraud Triangle

FINANCIAL LOSSES FROM FRAUD
• The actual cost of fraud is, however, difficult to quantify for
a number of reasons:
• Not all fraud is detected.
• Of that detected, not all is reported.
• In many fraud cases, incomplete information is gathered.
• Information is not properly distributed to management or law
enforcement authorities.
• Too often, business organizations decide to take no civil or
criminal action against the perpetrator(s) of fraud.
• In addition to the direct economic loss to the organization,
indirect costs—including reduced productivity, the cost of
legal action, increased unemployment, and business
disruption due to investigation of the fraud—need to be
considered.

Distribution of Losses

THE PERPETRATORS OF FRAUDS
• Fraud Losses by Position within the Organization
• Individuals in the highest positions within an organization are
beyond the internal control structure and have the greatest
access to company funds and assets.
• Fraud Losses and the Collusion Effect
• One reason for segregating occupational duties is to deny
potential perpetrators the opportunity they need to commit
fraud. When individuals in critical positions collude, they create
opportunities to control or gain access to assets that otherwise
would not exist.
• Fraud Losses by Gender
• Women are not fundamentally more honest than men, but men
occupy high corporate positions in greater numbers than
women. This affords men greater access to assets.

Losses from Fraud by Position

Losses from Fraud by Collusion

Losses from Fraud by Gender

THE PERPETRATORS OF FRAUDS (continued)
• Fraud Losses by Age
• Older employees tend to occupy higher-ranking positions and
therefore generally have greater access to company assets.
• Fraud Losses by Education
• Generally, those with more education occupy higher positions
in their organizations and therefore have greater access to
company funds and other assets.
• Conclusions to Be Drawn

Losses from Fraud by Age

Losses from Fraud by Education Level

FRAUD SCHEMES
• Fraudulent Statements
• Fraudulent statements are statements associated with
management fraud. In this class of fraud scheme, the financial
statement misrepresentation must itself bring direct or indirect
financial benefit to the perpetrator.
• THE UNDERLYING PROBLEMS
• SARBANES-OXLEY ACT AND FRAUD: Public Company
Accounting Oversight Board (PCAOB), which is the federal
organization empowered to set auditing, quality control, and
ethics standards; to inspect registered accounting firms; to
conduct investigations; and to take disciplinary actions.

FRAUD SCHEMES (continued)
• Corruption
• Corruption involves an executive, a manager, or an employee
of the organization in collusion with an outsider.
• Bribery involves giving, offering, soliciting, or receiving things
of value to influence an official in the performance of his or her
lawful duties.
• An illegal gratuity involves giving, receiving, offering, or
soliciting something of value because of an official act that has
been taken.
• A conflict of interest is an outline of procedures for dealing
with actual or apparent conflicts of interest between personal
and professional relationships.

FRAUD SCHEMES (continued)
• Corruption (continued)
• Economic extortion is the use (or threat) of force (including
economic sanctions) by an individual or organization to obtain
something of value. The item of value could be a financial or
economic asset, information, or cooperation to obtain a
favorable decision on some matter under review.
• Asset Misappropriation
• Skimming
• Skimming involves stealing cash from an organization before
it is recorded on the organization’s books and records. Another
example is mail room fraud, in which an employee opening
the mail steals a customer’s check and destroys the
associated remittance advice.

Losses from Fraud by Scheme Type

Losses from Asset Misappropriation Schemes

FRAUD SCHEMES (continued)
• Cash Larceny
• Cash larceny is theft of cash receipts from an organization
after those receipts have been recorded in the organization’s
books and records.
• Lapping is the use of customer checks, received in payment
of their accounts, to conceal cash previously stolen by an
employee.
• Billing Schemes
• Billing schemes, also known as vendor fraud, are schemes
under which an employee causes the employer to issue a
payment to a false supplier or vendor by submitting invoices
for fictitious goods/services, inflated invoices, or invoices for
personal purchases.

FRAUD SCHEMES (continued)
• Billing Schemes (continued)
• A shell company scheme involves establishing a false vendor on the company’s
books, and then making false purchase orders, receiving reports,
and invoices in the name of the vendor and submitting them to the
accounting system, creating the illusion of a legitimate
transaction. The system ultimately issues a check to the false
vendor.
• A pass-through fraud is similar to shell company fraud except
that a transaction actually takes place. The perpetrator creates a
false vendor and issues purchase orders to it for inventory or
supplies. The false vendor purchases the needed inventory from
a legitimate vendor, charges the victim company a much higher
than market price for the items, and pockets the difference.
• A pay-and-return is a scheme under which a clerk with check
writing authority pays a vendor twice for the same products
(inventory or supplies) received and then intercepts and cashes
the overpayment returned by the vendor.

FRAUD SCHEMES (continued)
• Check Tampering
• Check tampering involves forging, or changing in some
material way, a check that was written to a legitimate payee.
• Payroll Fraud
• Payroll fraud is the distribution of fraudulent paychecks to
existent and/or nonexistent employees.
• Expense Reimbursements
• Expense reimbursement fraud involves claiming
reimbursement of fictitious or inflated business expenses.
• Thefts of Cash
• Theft of cash is the direct theft of cash on hand in the
organization.

FRAUD SCHEMES (continued)
• Noncash Misappropriations
• Noncash fraud is the theft or misuse of non-cash assets (e.g.,
inventory, confidential information).
• Computer Fraud
• Computer fraud involves theft, misuse, or misappropriation of
assets by altering computer-readable records and files, or by
altering the logic of computer software; the illegal use of
computer-readable information; or the intentional destruction of
computer software or hardware.

Computer Fraud: Classifications

[Figure: classifications of computer fraud: Data Fraud, Input Fraud, Processor Fraud, Output Fraud, Computer Instructions Fraud]

(a) Input Fraud

• The simplest and most common way - to alter/falsify
computer input
• This phase of the system is most vulnerable because it
is very easy to change data as it is being entered into
the system.
• Perpetrators need only to understand how the system
operates.
• GIGO (Garbage In, Garbage Out) - if the input data is
inaccurate, processing will result in inaccurate output.

(b) Processor Fraud

• Include unauthorized system use, including the theft of
computer time and services.
• Ex: use company computers for personal or outside business
records.

(b) Processor Fraud (Cont…)

Program Frauds
• Creating illegal programs that can access data files to alter, delete, or
insert values into accounting records.
• Destroying programs using a virus
• Altering program to cause the application to process data incorrectly.

Operations Frauds
• Misuse or theft of company computer resources, such as using the
computer for personal business

(c) Computer Instructions Fraud

• Tampering with the software that processes company data.
• Include modifying the software, making illegal software
copies, using software in an unauthorized manner,
developing a software program or module to carry out an
unauthorized activity.
• Least common – requires specialized programming
knowledge.

(d) Data Fraud

• Illegally using, copying, browsing, searching, or harming.
• Ex: employee removed the external labels from hundreds of
tape files.

(e) Output Fraud

• Stealing or misusing system output.
• System output is usually displayed on monitors or printed on
paper.
• Monitor and printer output is subject to prying eyes and
unauthorized copying.

Computer Fraud Techniques

• What are some of the more common techniques to commit computer fraud?
– Data diddling
– Data leakage
– Denial of service attack
– Eavesdropping
– E-mail forgery and threats
– Hacking
– Internet misinformation
– Internet terrorism
– Logic time bomb
– Masquerading or impersonation
– Password cracking
– Piggybacking
– Software piracy
– Scavenging / Dumpster diving
– Social engineering
– Super zapping
– Trap door / Back door
– Trojan horse
– Virus
– Worm
• Data diddling: Changing data before it is entered into the computer or after it has
entered into the computer.
• Example: Employees are able to falsify time cards before the data contained on the
cards is entered into the computer for payroll computation.

Risk in AIS

• Business firms face risks that reduce the chances of
achieving their control objectives.
• Risk: the likelihood that a threat or hazard will actually
come to pass.
• Risk exposures: the threats to a firm’s assets and
information quality due to lapses or inadequacies in controls.

Types of Risks

• Natural and Political Disasters
• Include:
– Fire or excessive heat
– Floods
– Earthquakes
– High winds
– War and terrorist attack
• Software errors and equipment malfunction
• Include:
– Hardware or software failures
– Software errors or bugs
– Operating system crashes
– Power outages and fluctuations
– Undetected data transmission errors

Types of Risks

• Unintentional Acts

• Include
– Accidents caused by:
• Human carelessness
• Failure to follow established procedures
• Poorly trained or supervised personnel
– Innocent errors or omissions
– Lost, destroyed, or misplaced data
– Logic errors
– Systems that do not meet needs or are incapable of
performing intended tasks

Types of Risks

• Intentional Acts
• Include:
– Sabotage
– Computer fraud
– Misrepresentation, false use, or unauthorized disclosure of
data
– Misappropriation of assets
– Financial statement fraud

Degrees of Risk Exposure

• Frequency - the more frequent an occurrence of a
transaction, the greater the exposure to risk
• Vulnerability - liquid and/or portable assets contribute to
risk exposure
• Size of the potential loss - the higher the monetary value of
a loss, the greater the risk exposure

Internal Control Concepts and Techniques

• The internal control system is a set of policies a firm employs
to safeguard the firm’s assets, ensure accurate and reliable
accounting records and information, promote efficiency, and
measure compliance with established policies.
• Modifying Assumptions
• Management responsibility is the concept under which the
responsibility for the establishment and maintenance of a
system of internal control falls to management.
• Reasonable assurance is an assurance provided by the
internal control system that the four broad objectives of internal
control are met in a cost-effective manner.
• METHODS OF DATA PROCESSING
• LIMITATIONS

Internal Control Concepts and Techniques (continued)

• Control Weaknesses and Risks
• Control weaknesses increase the firm’s risk to financial loss
or injury from the threats.
• The Preventive-Detective-Corrective Internal Control
Model
• Preventive controls are passive techniques designed to
reduce the frequency of occurrence of undesirable events.
• Detective controls are devices, techniques, and procedures
designed to identify and expose undesirable events that elude
preventive controls.

Internal Control Shield

Preventive, Detective, and Corrective Controls

Internal Control Concepts and Techniques (continued)

• The Preventive-Detective-Corrective Internal Control
Model (continued)
• Corrective controls are actions taken to reverse the effects of
errors detected. Statement on Auditing Standards (SAS)
No. 109 is the current authoritative document for specifying
internal control objectives and techniques. It is based on the
COSO framework.
• Sarbanes-Oxley and Internal Control
• Committee of Sponsoring Organizations of the Treadway
Commission (COSO) is a joint initiative of five private sector
organizations and is dedicated to providing thought leadership
through the development of frameworks and guidance on
enterprise risk management, internal control, and fraud
deterrence.

The Internal Control Structure

• The control framework is called the Internal Control
Structure – COSO (Committee of Sponsoring
Organisations)
• COSO internal control framework five
components:

COSO INTERNAL CONTROL FRAMEWORK

• The Control Environment
• The control environment is the foundation of internal control.
• Risk Assessment
• Risk assessment is the identification, analysis, and
management of risks relevant to financial reporting.
• Information and Communication
• Monitoring
• Monitoring is the process by which the quality of internal
control design and operation can be assessed.

Control environment
• Actions, policies, and procedures that reflect the overall
attitude of the top management, directors, and owners of a
business about internal control and its importance

• Role of the board of directors and senior
management – IC importance & expectation (tone at
the top)
• Integrity and ethical values of management
• Management’s policies and philosophy
• Organizational structure - responsibility and authority
• Policies and practices managing human resources –
competent individuals – hiring, compensating,
training, evaluating, promoting, etc.
• Performance evaluation measures – rigor incentives
and rewards
• External influences—regulatory agencies – MASB,
SC

Risk assessment
• The organization must be aware of and deal with the risks
it faces.
• It must set objectives for its diverse activities and
establish mechanisms to identify, analyze, and manage
the related risks.

• Identify, analyze and manage risks relevant to
financial reporting:
– changes in external environment
– risky foreign markets
– significant and rapid growth that strain
internal controls
– new product lines
– restructuring, downsizing
– changes in accounting policies

Information and communication
• Identification, capture, and exchange of information in a form
and time frame that enables people to carry out their
responsibilities.

• The AIS should produce high quality information
which:
– identifies and records all valid transactions
– provides timely information in appropriate detail to permit proper
classification and financial reporting
– accurately measures the financial value of transactions
– accurately records transactions in the time period in which
they occurred

Monitoring
• A process that assesses the quality of internal
control performance over time
• Conducts ongoing and/or separate evaluations:
– Separate procedures: test of controls by
internal auditors
– Ongoing monitoring:
  – computer modules integrated into routine
  operations
  – management reports which highlight
  trends and exceptions from normal
  performance

COSO INTERNAL CONTROL FRAMEWORK (continued)

• Control Activities
• Control activities are the policies and procedures to ensure
that appropriate actions are taken to deal with the
organization’s risks.

1. IT CONTROLS - relate specifically to the computer environment
– General controls are controls that pertain to entity-wide
concerns such as controls over the data center, organization
databases, systems development, and program maintenance.
– Application controls are controls that ensure the integrity of
specific systems.

COSO INTERNAL CONTROL FRAMEWORK (continued)

• Control Activities (continued)

2. PHYSICAL CONTROLS - primarily pertain to human activities
• Transaction authorization is a procedure to ensure that
employees process only valid transactions within the scope of
their authority.
• Segregation of duties is the separation of employee duties to
minimize incompatible functions.
• Supervision is a control activity involving the critical oversight
of employees.
• The accounting records of an organization consist of
documents, journals, or ledgers used in transaction cycles.
• Access controls are controls that ensure that only authorized
personnel have access to the firm’s assets.
• Verification procedures are independent checks of the
accounting system to identify errors and misrepresentations.
