Ethics, Fraud and Internal Control

Ethics
Pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong. Business Ethics 1. How do managers decide what is right in conducting their business? 2. Once managers have recognized what is right, how do they achieve it? Ethical responsibility seeking the balance between the consequences that may potentially harm or benefit your constituents. Proportionality The benefit from a decision must outweigh the risks. Furthermore, there must be no alternative decision that same or better benefit with less risk. Justice The benefits of the decision should distributed fairly to those who share the risk. Those who do not benefit should not carry the burden of risk. Minimize risks Even if judged acceptable by the principles, the decision should be implemented to minimize all of the risk and avoid any unnecessary risk. Issues Computer Ethics the analysis of nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology This includes concerns about networks connecting computers as well as computers themselves. (J. H. Moor) Issues: Privacy the desire to control what and how information is to made available to others. (raises the question of the ownership of this information) Security (Accuracy and Confidentiality) shared computerized databases have the potential to give the inaccurate information to the right people and accurate information to those who may exploit to their ends. Ownership of Property what can an individual or organization own? Equity in Access unavoidable barriers due to socio-economic and cultural factors that limit to information technology Environmental Issues print vs. electronic Artificial Intelligence reliance on technology for decision making leads to various questions.

Unemployment and Displacement the change in jobs as a result of the advance of computer technology and the consequences Misuse of Computers examples: copying proprietary software, use of computers for personal tasks.

Fraud
A false representation of material fact made by one party to another party with the intent with the intent to deceive and induce the other party to justifiably rely on the fact to his or her detriment Five conditions that must be present 1. False representation 2. Material fact 3. Intent 4. Justifiable reliance 5. Injury or loss Employee fraud generally designed to directly convert cash or other assets to the employees benefit Management fraud can be perpetrated by overriding an otherwise effective internal control structure, Factors that contribute to fraud 1. Situational pressures 2. Opportunities 3. Personal characteristics Fraud Schemes Fraudulent Statements 1. Lack of Auditor Independence 2. Lack of Director Independence 3. Questionable Executive Compensation Scheme 4. Inappropriate Accounting Practices Corruption Bribery giving, offering, soliciting or receiving things of value to influence an official in the performance of his or her duties Illegal gratuities - giving, offering, soliciting or receiving things of value because of an official that has been taken Conflicts of Interest occurs when an employee acts on behalf of a third party during the discharge of his or her duties or has self-interest in the activity being performed Economic Extortion use or threat of force, including economic sanctions to obtain something of value Asset Misappropriation

Charges to expense accounts causes an imbalance in the accounting equation which must be adjusted if it is to undetected Lapping use of customer checks, received as payment to conceal cash previously stolen by the employee Transaction Fraud involves deleting, altering, or adding false transactions to divert assets to the perpetrator

Upcoming: Fraud (Computer Fraud Internal Control SOX and Ethics, Fraud and Internal Control Computer Fraud Schemes Data Collection 1st operational stage. The simplest way to perpetrate computer fraud Computer equivalent of transaction fraud. Involves falsifying data as it enters the system. Transaction fraud from remote locations due to the exposure of networked systems. Masquerading Piggybacking Hacking Data Processing Program fraud involves 1.) creating illegal programs that can access data files to alter, delete, or insert values into accounting records 2.) destroying or corrupting a programs logic using a computer virus, or 3.) altering program logic to cause the application to process data incorrectly. Operations fraud the misuse of the firms computer resources. Often involves using the computer to conduct personal business. Database Management Fraud can be perpetrated by altering, deleting, corrupting, destroying, or stealing an organizations data. Information Generation Common fraud acts at this stage involve stealing, misdirecting, or misusing computer output. Scavenging Eavesdropping Internal Control 1. To safeguard assets of the firm. 2. To ensure the accuracy and reliability of accounting records and information. 3. To promote efficiency in the firms operations. 4. To measure compliance with managements prescribed policies and procedures.

Preventive controls the first line of defense. These are passive techniques designed to reduce the occurrence of undesirable events. Detective controls the second line. These are designed to identify and expose undesirable events that elude preventive controls. Corrective controls are actions taken to reverse the effects of errors detected in the previous step. Internal Control Framework The Control Environment at minimum adopt the provisions of SOX.
Best practices: Separate CEO and Chairman Set Ethical Standards Establish an Independent Audit Committee Compensation committee Nominating committees Access to outside professionals

Risk Assessment identify, analyze and manage risks relevant in financial reporting. It is likely that internal control risks could be more pervasive in the IT organization than in other areas of the company Information and Communication
Effective AIS will: Identify and record all valid financial transactions. Provide timely information about transactions in sufficient detail to permit proper classification and financial reporting Accurately measure the financial value of transactions so their effects can be recorded in financial statements. Accurately record transaction in the time period they occur. Auditors should obtain sufficient knowledge of the AIS to understand: The classes of transactions that are material to the financial statements and how those transactions are initiated. The accounting records and accounts that are used in the processing of material transactions. The transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements. The financial reporting process used to prepare financial statements, disclosures, and accounting estimates.

Monitoring assess quality of internal control design and operation. Important to IT management. Control Activities IT controls Physical controls

Transaction Authorization ensures that all material transactions processed by the information system are valid and in accordance with managements objective Segregation of Duties - minimize incompatible functions. Supervision compensate for the absence of segregation controls. Operates under the assumption that the firm employs competent and trustworthy personnel. Accounting Records provide audit trail Access Control ensures that only authorized personnel have access to assets. Independent Verification independent checks of the accounting system to identify errors and misrepresentations. American Competitiveness and Corporate Accountability Act of 2002 Sarbanes-Oxley Act
Sonored by U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley

Ethics Section 406 Code of Ethics for Senior Financial Officers This requires public companies to disclose to the SEC whether they have adopted a code of ethics that applies to the organizations CEO, CFO, controller, or persons performing similar functions. If not, it is required to explain why. Their code of ethics may be disclosed by: 1.) Included as an exhibit to its annual report. 2.) As a posting to its website, 3.) By agreeing to provide copies of the code upon request. This must apply to all employees. This should address the following issues: Conflicts of Interest Full and Fair Disclosures Legal Compliance Internal Reporting of Code Violations Accountability Fraud SOX established a framework to modernize and reform the oversight and regulation of public company auditing. 1. Public Company Accounting Oversight Board 2. Auditor Independence. 3. Corporate Governance and Responsibility 4. Issues and Management Disclosure 5. Fraud and Criminal Penalties Internal Control SOX requires management of public companies to implement an adequate system of internal controls over their financial reporting process. This includes controls over transaction processing systems that feed data to the financial reporting systems.

Section 302: The signing officers must certify that they are responsible for establishing and maintaining internal controls and have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared. Requires a companys management, with the participation of the principal executive and financial officers (the certifying officers), to make the following quarterly and annual certifications with respect to the companys internal control over financial reporting: A statement that the certifying officers are responsible for establishing and maintaining internal control over financial reporting A statement that the certifying officers have designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under their supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles A statement that the report discloses any changes in the companys internal control over financial reporting that occurred during the most recent fiscal quarter (the companys fourth fiscal quarter in the case of an annual report) that have materially affected, or are reasonably likely to materially affect, the companys internal control over financial reporting When the reason for a change in internal control over financial reporting is the correction of a material weakness, management has a responsibility to determine and the auditor should evaluate whether the reason for the change and the circumstances surrounding that change are material information necessary to make the disclosure about the change not misleading Section 404: The directives of Sarbanes-Oxley section 404 require that management provide an annual report on its assessment of internal control over financial reporting in its annual filing. Section 404 states: Managements report on internal control over financial reporting is required to include the following: A statement of managements responsibility for establishing and maintaining adequate internal control over financial reporting for the company A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the companys internal control over financial reporting An assessment of the effectiveness of the companys internal control over financial reporting as of the end of the companys most recent fiscal year, including an explicit statement as to whether that internal control over financial reporting is effective A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on managements assessment of the companys internal control over financial reporting Management should provide, both in its report on internal control over financial

reporting and in its representation letter to the auditor, a written conclusion about the effectiveness of the companys internal control over financial reporting. The conclusion about the effectiveness of a companys internal control over financial reporting can take many forms; however, management is required to state a direct conclusion about whether the companys internal control over financial reporting is effective. Management is precluded from concluding that the companys internal control over financial reporting is effective if there are one or more material weaknesses. In addition, management is required to disclose all material weaknesses that exist as of the end of the most recent fiscal year. Management might be able to accurately represent that internal control over financial reporting, as of the end of the companys most recent fiscal year, is effective even if one or more material weaknesses existed during the period. To make this representation, management must have changed the internal control over financial reporting to eliminate the material weaknesses sufficiently in advance of the as of date and have satisfactorily tested the effectiveness over a period of time that is adequate for it to determine whether, as of the end of the fiscal year, the design and operation of internal control over financial reporting are effective.