
CHAPTER 3

ETHICS, FRAUD AND INTERNAL CONTROL


ETHICS
- Pertain to the principles of conduct that individuals use in making choices and guiding
their behavior in situations that involve the concepts of right and wrong.
- Four areas of business ethics:
a. Equity- the benefits of the decision should be distributed fairly to those who share
the risks.
Examples- executive salaries, product pricing
b. Rights - examples: corporate due process, equal employment opportunity and
whistle-blowing
c. Honesty- misleading advertising, security of organization data and records
d. Exercise of Corporate Power- workplace safety, product safety, environmental
issues
COMPUTER ETHICS
- The analysis of the nature and social impact of computer technology and the
corresponding formulation and justification of policies for the ethical use of technology
- Three Levels of Computer Ethics
a. Pop Computer Ethics- simply the exposure to stories and reports found in the
popular media regarding the good or bad ramifications of computer technology
b. Para Computer Ethics- involves taking a real interest in computer ethics cases
and acquiring some level of skill and knowledge in the field
c. Theoretical Computer Ethics- is of interest to multidisciplinary researchers who
apply the stories of philosophy, sociology and psychology to computer science with
the goal of bringing some new understanding in the field.
New Problems or Just a Twist on an Old Problem
1. Privacy- the creation and maintenance of huge, shared databases make it necessary to
protect people from the misuse of data.
2. Security- an attempt to avoid such undesirable events as a loss of confidentiality or
data integrity.
3. Ownership of Property
4. Environmental Issues- computers with high-speed printers allow for the production
of printed documents faster than ever before
5. Unemployment and Displacement- many jobs have been and are being changed as
a result of the availability of computer technology. People who are unable or unprepared to
change are displaced.
Misuse of Computers - can be copying proprietary software, using a company's computer for
personal benefit, and snooping through other people's files.
Sarbanes-Oxley Act and Ethical Issues (SOX)
-the most significant securities law since the Securities and Exchange Commission (SEC) Acts
of 1933 and 1934
-designed to deal with specific problems relating to capital markets, corporate governance
and the auditing profession.
Section 406- Code of ethics for senior financial officers- requires public companies to disclose
to the SEC whether they have adopted a code of ethics that applies to the organization's chief
executive officer (CEO), CFO and controller.
- It addresses the following issues:
1. Conflict of Interest- the company's code of ethics should outline procedures for dealing
with actual or apparent conflicts of interest between personal and professional
relationships
2. Full and Fair Disclosures- the organization should provide full, fair, accurate, timely
and understandable disclosures in the documents, reports and FS that it submits to the
SEC and to the public
3. Legal Compliance- code of ethics should require employees to follow applicable
governmental laws, rules, and regulations
4. Internal Reporting of Code Violations- the code of ethics must provide a
mechanism to permit prompt internal reporting of ethics violations.
5. Accountability- an effective ethics program must take appropriate action when code
violation occurs.
- Includes various disciplinary measures, including dismissal.
Fraud and Accountants
Fraud - false representation of a material fact made by one party with the intent to deceive or
induce the other party to justifiably rely on the fact to his/her detriment.
According to law, a fraudulent act must meet the following conditions:
a. False representation- there must be a false statement or a nondisclosure
b. Material fact- a fact must be a substantial factor in inducing someone to act
c. Intent- there must be the intent to deceive or the knowledge that one's statement is
false.
d. Justifiable reliance- the misrepresentation must have been a substantial factor on
which the injured party relied.
e. Injury or loss- the deception must have caused injury or loss to the victim of the fraud
In accounting, fraud is also commonly known as white-collar crime, defalcation,
embezzlement, and irregularities
Two levels
1. Employee Fraud - fraud by non-management employees; is generally designed to
directly convert cash or other assets to the employee's personal benefit.
Examples: stealing something of value, concealing the crime to avoid detection
2. Management Fraud - more insidious than employee fraud because it often escapes
detection until the organization has suffered irreparable damages or loss
- This may be done to meet investor expectations or to take advantage of stock options
that have been loaded into the manager's compensation package
The Fraud Triangle
-consists of three factors
a. Situational Pressure- which includes personal or job-related stresses that could
coerce an individual to act dishonestly
b. Opportunity - involves direct access to assets and/or access to information that
controls assets
c. Ethics- pertains to one's character and degree of moral opposition to acts of
dishonesty
Fraud Scheme
1. Fraudulent Statements
2. Corruption
3. Asset Misappropriation
Internal Control Concepts and Techniques
Internal Control
- the process designed and effected by those charged with governance, management, and
other personnel to provide reasonable assurance about the achievement of the entity's
objectives with regard to reliability of financial reporting, effectiveness and efficiency of
operations and compliance with applicable laws and regulations.
Components of Internal Control

Control Environment- includes the attitudes, awareness, and actions of management
and those charged with governance concerning the entity's internal control and its
importance in the entity.
- it sets the tone of an organization, influencing the control consciousness of people
Factors reflected in the control environment:
1. Integrity and Ethical Values- management will establish ethical standards that
discourage employees from engaging in dishonest, unethical or illegal acts that could
materially affect the financial statements.
2. Management Philosophy and Style- the management attitude towards financial
reporting and their emphasis on meeting projected profit goals.
3. Active Participation of those charged with governance- the entity must have an
audit committee which will be responsible for overseeing the financial reporting policies
and practices of the entity.
4. Commitment to Competence- the entity should consider the level of competence
required for each task and translate it to requisite knowledge and skills.
5. Personnel Policies and Procedures- the entity must implement appropriate policies for
hiring, training, evaluating, promoting, and compensating the entity's personnel.
6. Assignment of responsibility and authority or Organizational structure- provides
framework for planning, directing and controlling the entity's operations.

Risk Assessment - organization must perform a risk assessment to identify, analyze and
manage risks relevant to financial reporting.
Risks can arise or change from circumstances such as:
1. Changes in the operating environment that impose new or changed competitive
pressures on the firm.
2. New personnel who have different or inadequate understanding of internal control
3. New or reengineered information systems that affect transaction processing.
4. Significant and rapid growth that strains existing internal controls.
5. The implementation of new technology into the production process that impacts
transaction processing.

Information and Communication Systems - an effective internal control must provide
timely information and communication.
An information system encompasses methods and records that:
1. Identify and record all valid transactions.
2. Describe on a timely basis the transactions in sufficient detail to permit proper
classification of transactions for financial reporting.
3. Measure the value of transactions in a manner that permits recording their proper
monetary value in the financial statements.
4. Determine the time period in which transactions occurred to permit recording of
transactions in the proper accounting period.
5. Present properly the transactions and related disclosures in the financial statements.

Control Activities- are policies and procedures that help ensure that management
directives are carried out.
Specific procedures that are relevant to financial statement audit would
include:
1. Performance Reviews- it includes reviews and analyses of actual performance
versus budgets, forecasts and prior period performance.

2. Information Processing- to check accuracy, completeness, and authorization of
transactions. When computer processing is used in significant accounting
applications, internal control procedures can be classified into two types:
A. General Control-policies and procedures that relate to the overall computer
information system. It includes:
a.1 Organizational Controls- the plan of an organization for an entity's
computer system should include segregation between the user and CIS
Department and segregation of duties within the CIS department.
- Segregation of duties within the CIS department- functions within the CIS
department should be properly segregated for good organizational controls.
- Segregation between the CIS department and user departments- the CIS department must be
independent of all departments within the organization that provide input data or
that use output generated by the CIS.
a.2 Systems development and documentation controls- software
development as well as changes thereof must be approved by the appropriate
level of management and the user department.
a.3 Access Controls- every computer system should have adequate security
controls to protect equipment, files and programs.
a.4 Data Recovery controls- provides for the maintenance of back-up files
and off-site storage procedures.
- Grandfather, father, son practice requires an entity to keep the two most recent
generations of master files and transaction files in order to permit reconstruction of
files.
a.5 Monitoring controls- designed to ensure that CIS controls
B. Application Controls- the processing of transactions involves three stages: input,
processing and output.
- These are policies and procedures that relate to specific use of the system. These
include
b.1 Controls over input- are designed to provide reasonable assurance that
data submitted for processing are complete, properly authorized and accurately
translated into machine readable form.
Examples:
o Key Verification - this requires data to be entered twice to provide assurance
that there are no key entry errors committed.
o Field Check- ensures that data agree with the required field format
o Validity Check- information entered is compared with valid information in the
master file to determine the authenticity of the input.
o Self-checking digit- a mathematically calculated digit which is usually added
to a document number to detect common transpositional error in data submitted
for processing.
o Limit Check or reasonable check- is designed to ensure that data submitted
for processing do not exceed a pre-determined limit or reasonable amount.
o Control totals- these are totals computed based on the data submitted for
processing, used to ensure the completeness of data before and after they are
processed.
b.2 Controls over processing- designed to provide reasonable assurance that
input data are processed accurately, and that data are not lost, added, excluded,
duplicated or improperly changed.
b.3 Controls over output- designed to provide reasonable assurance that the
results of processing are complete, accurate and that these outputs are distributed
only to authorized personnel.
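An added example, not part of the original notes: the field check, validity check, self-checking digit, limit check and control totals listed under b.1, applied to a constructed batch. The account format, the Luhn mod-10 check digit scheme, the limit and every name and value below are assumptions.

```python
import re
from decimal import Decimal
# Constructed master file, limit and formats: assumptions for illustration.
MASTER_ACCOUNTS = {"79927398713", "12345678903"}
AMOUNT_LIMIT = Decimal("10000.00")
ACCOUNT_FORMAT, AMOUNT_FORMAT = re.compile(r"\d{11}"), re.compile(r"\d+\.\d{2}")

def luhn_ok(number):
    """Self-checking digit, using Luhn mod 10 as the assumed scheme."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_record(rec):
    """Return the names of the input controls a record fails (empty = accepted)."""
    acct, amt = rec["account"], rec["amount"]
    if not (ACCOUNT_FORMAT.fullmatch(acct) and AMOUNT_FORMAT.fullmatch(amt)):
        return ["field check"]              # malformed: later checks are meaningless
    errors = []
    if not luhn_ok(acct):
        errors.append("check digit")
    if acct not in MASTER_ACCOUNTS:
        errors.append("validity check")
    if Decimal(amt) > AMOUNT_LIMIT:
        errors.append("limit check")
    return errors

def control_totals(records):
    """Record count, financial total and hash total of the account numbers."""
    return {"count": len(records), "amount": sum(Decimal(r["amount"]) for r in records),
            "hash": sum(int(r["account"]) for r in records)}

def process_batch(records, declared):
    """Screen each record, then compare totals with those declared at batch prep."""
    errors = {i: e for i, r in enumerate(records) if (e := check_record(r))}
    well_formed = [r for i, r in enumerate(records) if errors.get(i) != ["field check"]]
    totals = control_totals(well_formed)
    totals["count"] = len(records)          # malformed records still count as received
    return totals == declared, errors

# Constructed batch: one clean record, one over the limit, one with transposed digits.
BATCH = [{"account": "79927398713", "amount": "150.00"},
         {"account": "12345678903", "amount": "25000.00"},
         {"account": "79927398731", "amount": "200.50"}]
DECLARED = {"count": 3, "amount": Decimal("25350.50"), "hash": 172200476347}
```

`process_batch(BATCH, DECLARED)` reports the batch as in balance while flagging the second and third records; dropping a record from the batch makes the totals disagree with those declared.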
Test of Control in a CIS Environment
- It involves evaluating the client's internal control policies and procedures to determine if
they are functioning as intended.
Testing the reliability of general controls includes:
1. Observing the client's personnel in performing their duties
2. Inspecting program documentation
3. Observing the security measures in force
In testing application controls, the auditor may either:
1. Audit around the computer; or
2. Use computer-assisted audit techniques
Auditing around the Computer- it involves examination of documents and reports to
determine the reliability of a system. When using this approach, the auditor ignores the
client's data processing procedures, focusing solely on the input documents and the CIS
input.
- Also known as the black-box approach
Computer-assisted audit techniques (CAATs)
- The auditor will have to audit directly the client's computer program
- Also known as the white-box approach
- It includes:
1. Test Data- primarily designed to test the effectiveness of the internal control
procedures which are incorporated in the client's computer program.
2. Integrated Test Facility- it integrates the processing of test data with the
actual processing of ordinary transactions without management being aware
of the testing process.
3. Parallel Simulation- requires the auditor to write a program that simulates key
features or processes of the program under review. It can be accomplished by
using generalized audit software or purpose-written programs.
- Generalized audit software- consists of generally available computer
packages which have been designed to perform common audit tasks.
- Purpose-written programs- designed to perform audit tasks in specific
circumstances.
