Internal Control Functions and Fraud

This document defines various types of internal controls and fraud. It discusses access controls, application controls, audit trail controls, and preventive and detective controls. It also defines different types of fraud like check tampering, bribery, cash larceny, expense reimbursement fraud, and payroll fraud. Management fraud and non-cash fraud are also summarized. The document provides definitions for key terms related to internal controls, auditing, and fraud prevention.

CHAPTER 3

Access controls: Controls that ensure that only authorized personnel have access to the firm’s assets.

Accounting records: Document, journal, or ledger used in transaction cycles.

Application controls: Application controls ensure the integrity of specific systems such as sales order processing, accounts payable, and payroll applications.

Audit trail controls: Ensures that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements.

Batch controls: Effective method of managing high volumes of transaction data through a system.

Billing schemes: Schemes under which an employee causes the employer to issue a payment to a false supplier or vendor by submitting invoices for fictitious goods/services, inflated invoices, or invoices for personal purchases.

Bribery: Giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties.

Business ethics: Pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong.

Cash larceny: Theft of cash receipts from an organization after those receipts have been recorded in the organization’s books and records.

Check digit: Method for detecting data coding errors in which a control digit is added to the code when it is originally designed to allow the integrity of the code to be established during subsequent processing.

Check tampering: Forging, or changing in some material way, a check that was written to a legitimate payee.

Committee of Sponsoring Organizations of the Treadway Commission: The Committee of Sponsoring Organizations of the Treadway Commission is a joint initiative to combat corporate fraud. COSO has established a common internal control model against which companies and organizations may assess their control

Computer ethics - Analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology. Includes details about software as well as hardware and concerns about networks connecting computers as well as computers themselves.

Computer fraud - Theft, misuse, or misappropriation of assets by altering computer-readable records and files, or by altering the logic of computer software; the illegal use of computer readable information; or the intentional destruction of computer software or hardware

Conflict of interest - Outline of procedures for dealing with actual or apparent conflicts of interest between personal and professional relationships.

Control activities - Policies and procedures to ensure that appropriate actions are taken to deal with the organization’s risks.

Control environment - The foundation of internal control

Control weaknesses - is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

Corrective controls - Actions taken to reverse the effects of errors detected

Corruption - involves an executive, manager, or employee of the organization in collusion with an outsider. The ACFE study identifies four principal types of corruption: bribery, illegal gratuities, conflicts of interest, and economic extortion. Corruption accounts for about 10 percent of occupational fraud cases.

Detective controls - Devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.

Economic extortion - Use (or threat) of force (including economic sanctions) by an individual or organization to obtain something of value. The item of value could be a financial or economic asset, information, or cooperation to obtain a favorable decision on some matter under review.

Employee fraud - Performance fraud by non-management employee generally designed to directly convert cash or other assets to the employee’s personal benefit

Ethical Responsibility - Responsibility of organization managers to seek a balance between the risks and benefits to their constituents that result from their decision.

Ethics - Principles of conduct that individuals use in making choices that guide their behavior in situations involving the concepts of right and wrong.

Expense Reimbursement Frauds - Claiming reimbursement of fictitious or inflated business expenses.
Exposure - Absence or weakness of a control.

Fraud - False representation of a material fact made by one party to another party, with the intent to deceive and induce the other party to justifiably rely on the material fact to his or her detriment.

Fraud Triangle - Triad of factors associated with management and employee fraud: situational pressure (includes personal or job-related stresses that could coerce an individual to act dishonestly); opportunity (involves direct access to assets and/or access to information that controls assets); and ethics (pertains to one's character and degree of moral opposition to acts of dishonesty).

Fraudulent Statements - Statements related to a material fact and known to be untrue or made with reckless indifference as to its truth or falsity.

General Controls - Controls that pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance.

Grandfather-Father-Son - A backup technique employed by systems that use sequential master files (whether tape or disk). It is an integral part of the master file update process.

Hash Total - Control technique that uses nonfinancial data to keep track of the records in a batch.

Illegal Gratuity - Giving, receiving, offering, or soliciting something of value because of an official act that has been taken.

Input Controls - Programmed procedures, often called edits, that perform tests on transaction data to ensure that they are free from errors.

Internal Control System - Policies a firm employs to safeguard the firm’s assets, ensure accurate and reliable accounting records and information, promote efficiency, and measure compliance with established policies.

Lapping – Use of customer checks, received in payment of their accounts, to conceal cash previously stolen by an employee.

Mail Room Fraud – Fraud committed when an employee opening the mail steals a customer’s check and destroys the associated remittance advice.

Management Fraud – Performance fraud that often uses deceptive practices to inflate earnings or to forestall the recognition of either insolvency or a decline in earnings.

Monitoring – Process by which the quality of internal control design and operation can be assessed.

Non-cash Fraud – Schemes involve the theft or misuse of the victim organization’s non-cash assets (e.g., inventory, confidential information).

Output Controls – are a combination of programmed routines and other procedures to ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated.

Ownership – State or fact of exclusive rights and control over property, which may be an object, land/real estate, intellectual property, or some other kind of property.

Pass-through Fraud – Similar to shell company except that a transaction actually takes place. The perpetrator creates a false vendor and issues purchase orders to it for inventory or supplies. The false vendor purchases the needed inventory from a legitimate vendor, charges the victim company a much higher than market price for the items, and pockets the difference.

Pay-and-Return – Scheme under which a clerk with check writing authority pays a vendor twice for the same products (inventory or supplies) received, then intercepts and cashes the overpayment returned by the vendor.

Payroll Fraud – Distribution of fraudulent paychecks to existent and/or nonexistent employees.

Preventive controls - Passive techniques designed to reduce the frequency of occurrence of undesirable events.

Privacy - Full control of what and how much information about an individual is available to others and to whom it is available.

Processing controls - is an engineering mechanism that uses continuous monitoring of an industrial process' operational variables (e.g., temperature, pressure, chemical content) and algorithms and then uses that information to adjust variables to reach product output specifications and objectives.

Public Company Accounting Oversight Board (PCAOB) - Federal organization empowered to set auditing, quality control, and ethics standards; to inspect registered accounting firms; to conduct investigations; and to take disciplinary actions.

Reasonable assurance - Assurance provided by the internal control system that the four broad objectives of internal control are met in a cost-effective manner.

Risk assessment - Identification, analysis, and management of risks relevant to financial reporting.

Run-to-run controls - Controls that use batch figures to monitor the batch as it moves from one programmed procedure to another.

Sarbanes-Oxley Act (SOX) - Most significant federal securities law, with provisions designed
to deal with specific problems relating to capital markets, corporate governance, and the auditing profession.

Security - Attempt to avoid such undesirable events as a loss of confidentiality or data integrity.

Segregation of duties - Separation of employee duties to minimize incompatible functions.

Shell company - Establishment of a false vendor on the company’s books, then manufacturing false purchase orders, receiving reports, and invoices in the name of the vendor and submitting them to the accounting system, creating the illusion of a legitimate transaction. The system ultimately issues a check to the false vendor.

Skimming - stealing cash from an organization before it is recorded on the organization’s books and records.

Spooling - direction of an application’s output to a magnetic disk file rather than to the printer directly

Statement on Auditing Standards (SAS) No. 109 - the current authoritative document for specifying internal control objectives and techniques.

Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit - authoritative document that defines fraud as an intentional act that results in a material misstatement in financial statements.

Supervision - control activity involving the critical oversight of employees.

Thefts of cash - direct theft of cash on hand in the organization.

Transaction authorization - a procedure to ensure that employees process only valid transactions within the scope of their authority.

Transcription errors - type of errors that can corrupt a data code and cause processing errors.

Transposition errors - an error that occurs when digits are transposed.

Vendor fraud - schemes under which an employee causes the employer to issue a payment to a false supplier or vendor by submitting invoices for fictitious goods/services, inflated invoices, or invoices for personal purchases

Verification procedures - independent checks of the accounting system to identify errors and misrepresentations.

REVIEW QUESTIONS

1. What is ethics?
Ethics pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong.

2. What is business ethics?
Business ethics involves finding the answers to two questions: (1) How do managers decide what is right in conducting their business? and (2) once managers have recognized what is right, how do they achieve it?

3. What are the four areas of ethical business issues?
Ethical issues in business can be divided into four areas: equity, rights, honesty and the exercise of corporate power.

4. What are the main issues to be addressed in a business code of ethics required by the Securities and Exchange Commission?
The main issues to be addressed in business code ethics are conflict of interest, accountability, full and fair disclosure, legal compliance, and reporting of code violation. Proportionality, justice, minimize risk.

5. What are the three ethical principles that may provide some guidance for ethical responsibility?
Proportionality, justice and minimize risk

6. What is computer ethics?
Computer ethics is ‘‘the analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology. This concerns about software as well as hardware and concerns about networks connecting computers as well as the computers themselves.’’

7. How do the three levels of computer ethics - pop, para, and theoretical - differ?
Pop computer ethics is simply the exposure to stories and reports found in the popular media regarding the good or bad ramifications of computer technology. Para computer ethics involves taking a real interest in computer ethics cases and acquiring some level of skill and knowledge in the field. Theoretical computer ethics is of interest to multidisciplinary researchers who apply the theories of philosophy, sociology and psychology to computer science with the goal of bringing some new understanding to the field.

8. Are computer ethical issues new problems or just a new twist on an old problem?
Some argue that all pertinent ethical issues have already been examined in some other domain. For example, the issue of property rights has been explored and has resulted in copyright, trade
secret, and patent laws. Although computer programs are a new type of asset, many believe that these programs should be considered no differently from other forms of property.

9. What are the computer ethical issues regarding privacy?
People desire to be in full control of what and how much information about themselves is available to others, and to whom it is available. This is the issue of privacy. The creation and maintenance of huge, shared databases make it necessary to protect people from the potential misuse of data. This raises the issue of ownership in the personal information industry.

10. What are the computer ethical issues regarding security?
The ethical issues involving security arise from the emergence of shared, computerized databases that have the potential to cause irreparable harm to individuals by disseminating inaccurate information to authorized users, such as through incorrect credit reporting.
The ethical issues regarding computer security center on unauthorized access to systems and databases. Individuals can be harmed by the dissemination of inaccurate information to authorized users, and/or accurate information to unauthorized users. Security can be used to protect systems and personal information, but it can also restrict legitimate access.

11. What are the computer ethical issues regarding ownership of property?
Copyright laws have been invoked in an attempt to protect those who develop software from having it copied. However, many believe the copyright laws can cause more harm than good. Part of the problem lies in the uniqueness of software, its ease of dissemination, and possibility of exact replication.

12. What are the computer ethical issues regarding equity in access?
Several factors, some of which are not unique to information systems, can limit access to computing technology. Economic status of the individual or the affluence of an organization. Culture also limits access, for example, when documentation is prepared in only one language or is poorly translated. Safety features, or the lack thereof.

13. What are the computer ethical issues regarding the environment?
Production of printed documents using papers. However, paper comes from trees, which is considered as a precious natural resource, and ends up in landfills if not properly recycled.

14. What are the computer ethical issues regarding artificial intelligence?
As decision makers or replacement for experts, some people rely on expert systems significantly. Both knowledge and domain experts must be concerned about their responsibility for faulty decisions, incomplete or inaccurate knowledge bases, and the role given to computers in the decision-making process. And because expert systems attempt to clone a manager's decision style, an individual's prejudices may implicitly or explicitly be included in the knowledge base.

15. What are the computer ethical issues regarding unemployment and displacement?
In a new age of technology world, people are thoroughly dependent upon the computers for work done. In any field computer importance has increased day by day. Today, society adapts computers wholeheartedly. Computers made a great change in today’s ways of living. In an organization, management may favor the use of technology for improving their product output, which may be the cause of elimination of jobs and employees.

16. What are the computer ethical issues regarding misuse of computers?
Engaging in illegal activities through computers, doing crime, copying genuine software, using company’s computer for personal benefit by the employee, spying on others to check their personal data are a few examples of misusing computers.

17. What is the objective of Statement on Auditing Standards No. 99?
Objective of SAS 99 is to seamlessly blend the auditor's consideration of fraud into all phases of the audit process. It also requires the auditor to perform new steps such as a brainstorming during audit planning to assess the potential risk of material misstatement of the financial statements from fraud schemes.

18. What are the five conditions that constitute fraud under common law?
A. False representation. There must be a false statement or a nondisclosure.
B. Material Fact. A fact must be a substantial factor in inducing someone to act.
C. Intent. Intent to deceive or the knowledge that one's statement is false.
D. Justifiable reliance. Misrepresentation must have been a substantial factor on which the injured party relied.
E. Injury or loss. Deception must have caused injury or loss to the victim of fraud.

19. Name the three fraud-motivating forces.
The three fraud-motivating forces are: (1) Situational Pressure, (2) Opportunity, and (3) Ethics.

20. What is employee fraud?
Employee fraud, or fraud by non management employees, is generally designed to directly convert cash or other assets to the employee’s personal benefit. Typically, the employee circumvents the company’s internal control system for personal gain. If a company has an effective system of internal control, defalcations or embezzlements can usually be prevented or detected.

21. What is management fraud?
Management fraud is more insidious than employee fraud because it often escapes detection until the organization has suffered irreparable damage or loss. Management fraud usually does not involve the direct theft of assets. Top management may engage in fraudulent activities to drive up the market price of the company’s stock. This may be done to meet investor expectations or to take advantage of stock options that have been loaded into the manager’s compensation package. The Commission on Auditors’ Responsibilities calls this performance fraud, which often involves deceptive practices to inflate earnings or to forestall the recognition of either insolvency or a decline in earnings. Lower-level management fraud typically involves materially misstating financial data and internal reports to gain additional compensation, to garner a promotion, or to escape the penalty for poor performance.

22. What three forces constitute the triangle of fraud?
The fraud triangle consists of three factors that contribute to or are associated with management and employee fraud. These are (1) situational pressure, which includes personal or job-related stresses that could coerce an individual to act dishonestly; (2) opportunity, which involves direct access to assets and/or access to information that controls assets, and; (3) ethics, which pertains to one’s character and degree of moral opposition to acts of dishonesty

23. How can external auditors attempt to uncover motivations for committing fraud?
External auditors can use a checklist of red-flag items that may help to uncover motivations for committing fraud. It consists of the following types of questions:
1. Do key executives have unusually high personal debt?
2. Do key executives appear to be living beyond their means?
3. Do key executives engage in habitual gambling?
4. Do key executives appear to abuse alcohol or drugs?
5. Do any of the key executives appear to lack personal codes of ethics?
6. Are economic conditions unfavourable within the company’s industry?
7. Does the company use several different banks, none of which sees the company’s entire financial picture?
8. Do any key executives have close associations with suppliers?
9. Is the company experiencing a rapid turnover of key employees, either through resignation or termination?
10. Do one or two individuals dominate the company?

24. What is lapping?
Use of customer checks, received in payment of their accounts, to conceal cash previously stolen by an employee. Lapping is usually detected when the employee leaves the organization or becomes sick and must take time off from work. Unless the fraud is perpetuated, the last customer to have funds diverted from his or her account will be billed again, and the lapping technique will be detected. Employers can deter lapping by periodically rotating employees into different jobs and forcing them to take scheduled vacations.

25. What is collusion?
Collusion is when two or more parties unrightfully cooperate and involve themselves in a secret agreement for a purpose which is deceitful, illegal or fraudulent. It is also a form of plagiarism. They do this for the settlement that they made among themselves for deceiving, misleading, or defrauding others of their legal rights or to obtain an objective that is forbidden by law or to gain an unfair advantage. It is quite difficult to prevent and detect but one way in doing so is to structure the organization in such a way that collusion can only happen between two or more individuals with incompatible responsibilities and tasks for these responsibilities are done physically as well.

26. What is bribery?
Bribery is the giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties. It defrauds the entity (business organization or government agency) of the right to honest and loyal services from those employed by it.

27. What is economic extortion?
It is a kind of fraud where perpetrator (employee) is demanding the payment from a vendor to influence or make the decision of a company in favor of the vendor.

28. What is a conflict of interest?
A conflict of interest occurs when an employee acts on behalf of a third party during the discharge of his or her duties or has self-interest in the activity being performed. Examples are bribery and illegal gratuities.

29. Define check tampering.
A scheme in which an employer steals company funds by intercepting, forging or altering a check drawn on one of the organization's bank accounts.

30. What is billing (or vendor) fraud?
It occurs when an employee submits personal, fake or inflated invoices for goods or services to the employer.

31. Define cash larceny.
The intentional taking of an employer's cash without the consent and against the will of the employer.
32. What is skimming?
Skimming involves stealing cash from an organization before it is recorded on the organization’s books and records. An example is mail room fraud in which an employee opening the mail steals a customer’s check and destroys the associated remittance advice.

33. What are the four broad objectives of internal control?
The four broad objectives of internal control are:
1. To safeguard assets of the firm
2. To ensure the accuracy and reliability of accounting records and information
3. To promote efficiency in the firm’s operations
4. To measure compliance with management’s prescribed policies and procedures

34. What are the four modifying assumptions that guide designers and auditors of internal control systems?
The four modifying assumptions are the following:
1. Management Responsibility
2. Reasonable Assurance
3. Methods of Data Processing
4. Limitations

35. Give an example of a preventive control
Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss. An example of preventive control is Segregation of Duties where duties are segregated among different people to reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions, recording transactions (accounting), and handling the related asset (custody) are divided.

36. Give an example of a detective control
Detective controls attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent a loss from occurring. An example of detective control is Reviews of Performance where management compares information about current performance to budgets, forecasts, prior periods, or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions that require follow-up.

37. Give an example of a corrective control
An example of corrective control would be: Manual procedures to correct a batch that is not accepted because of an incorrect social security number. A clerical worker would need to investigate and determine either the correct hash total or the correct social security number that should be entered. A responsible party is then needed to read exception reports and follow up on anomalies.

38. What are management’s responsibilities under sections 302 and 404?
Sec 302 Corporate Responsibility for Financial Reports:
The act requires a company's CEO and CFO to personally certify that all records are complete and accurate. Specifically, they must confirm that they accept personal responsibility for all internal controls and have reviewed these controls in the past 90 days
Sec 404 the Management Assessment of Internal Control
final audit report shall have a report of management's assessment of internal control over financial reporting. Stress is on management's certification that appropriate internal controls are in place that can effectively detect or prevent errors or fraud that could result in material misstatements in the financial statements.

39. What are five internal control components described in the COSO framework?
five objectives of an acceptable system of internal controls, which are
1. control environment
2. risk assessment
3. control activities
4. information and communication
5. monitoring activities

40. What are the six broad classes of physical control activities defined by COSO?
1. Transaction authorization
2. Segregation of duties
3. Supervision
4. Accounting records
5. Access controls
6. Independent verification

41. What is the purpose of a valid vendor file?
Prevents unauthorized purchases from unapproved vendors.

42. Give one example of an error that a check digit control detects.
A check digit is a form of redundancy check used for error detection on identification numbers, such as bank account numbers, which are used in an application where they will at least sometimes be input manually. It is analogous to a binary parity bit used to check for errors in computer-generated data.

43. What are the primary objectives of a batch control?
- The objective of batch control is to reconcile output produced by the system with the input originally entered into the system. This provides assurance that:
a. All records in the batch are processed
b. No records are processed more than once
c. An audit trail of transactions is created from input through processing to the output stage of the system.

44. If all of the inputs have been validated before processing, then what purpose do run-to-run controls serve?
- The run-to-run control is a control device to ensure that no records are lost, unprocessed, or processed more than once for each of the
computer runs (processes) that the record must flow through.

45. What is the objective of a transaction log?
- The system triggers some transactions internally. For example, when inventory drops below the reorder point, the system automatically generates a purchase requisition. The objective is to maintain an audit trail of these activities where all internally generated transactions must be placed in a transaction log.

46. How can spooling present an added exposure?
- Spooling presents an added exposure by the creation of an output file as an intermediate step in the printing process.

47. What is the purpose of a limit check?
- Limit checks are used to identify field values that exceed an authorized limit.

48. What is the purpose of a range check?
- It is to detect keystroke errors by data entry clerks.

49. What is a validity check?
- A validity check compares actual field values against known acceptable values. This control is used to verify such things as transaction codes, state abbreviations, or employee job skill codes. If the value of the field does not match one of the acceptable values, the record is flagged as an error.

50. What information would a batch control record contain?
- The control record contains relevant

● The total dollar value of a financial field
● The total of a unique nonfinancial field

DISCUSSION QUESTIONS

1. Distinguish between ethical issues and legal issues.
Ethical issues are typically derived from personal feelings and judgements of what is right and what is wrong. These feelings and beliefs are not typically universally agreed upon. Business ethics include principles of conduct that person will use in order to make choices of right and wrong and will answer two questions: how do managers decide what is right in conducting business? And once managers have recognized right, how is this achieved?
Legal Issues, on the other hand, can derive from unethical judgement, but is seen as something that goes against legal standards.

2. Some argue against corporate involvement in socially responsible behavior because the costs incurred by such behavior place the organization at a disadvantage in a competitive market. Discuss the merits and flaws of this argument.
Managers are hired to maximize the profits for their organization and shareholders. Hence, if they tend to indulge in activities which are more socially responsible like for example, paying higher wages to their workers and charging less for their products, this would lead to diminished profit for the company. Managers can devote their time and resources in achieving organization goals instead of being diverted by socially responsible activities. Companies may misuse the concept of CSR by engaging in what is known as greenwashing,

protection, improving worker safety, and affirmative action. In the short run, when one firm incurs these costs and its competitor does not, the latter has a competitive advantage over the former. However, the socially responsive firm can maximize its profitability in the long run by accruing goodwill in society and avoiding the negative effects of government regulations.

3. Although top management’s attitude toward ethics sets the tone for business practice, sometimes it is the role of lower-level managers to uphold a firm’s ethical standards. John, an operations-level manager, discovers that the company is illegally dumping toxic materials and is in violation of environmental regulations. John’s immediate supervisor is involved in the dumping. What action should John take?
Normally, the resolution of an ethical problem on the job would involve consultation between the subordinate and the immediate supervisor. When the supervisor is part of the problem, the matter should be taken to the next higher-level person in the organization structure.

4. When a company has a strong internal control structure, stockholders can expect the elimination of fraud. Comment on the soundness of this statement.
A strong internal control structure provides a very good shield against fraud. However, these shields are not 100 percent bulletproof, especially when employees collude and/or top management is involved. A strong internal control structure coupled with good employee morals and ethics is the best deterrence against fraud.
information about the batch, such as: where the firm talks and advertises about being
● A unique batch number socially responsible to the environment and people [Link] between employee fraud and
● A batch date but in reality it is not actually executed. management fraud.
● A transaction code The costs of socially responsible behavior Employee fraud is committed by non-management
● The number of records in the batch include those associated with environmental employees, and it is generally designed to directly
convert cash and other assets for the employee's personal benefit. In cases of employee fraud, weak internal controls are usually present. Management frauds, however, are usually committed at a level above the one to which internal controls generally relate. These frauds are typically shrouded in a nexus of transactions and are difficult to disentangle.

[Link] estimates of losses annually resulting from computer fraud vary widely. Why do you think obtaining a good estimate of this figure is difficult?
The top management team of publicly traded organizations is often reluctant to publicly admit that they have been the victim of computer crime because of fear of public opinion regarding their internal control structure. Also, many organizations may not be fully aware of the extent of their damages due to computer fraud.

[Link] has Sarbanes-Oxley Act had a significant impact on corporate governance?
The Sarbanes-Oxley Act of 2002 (SOX) has had a significant impact on strategic management practices and strategies.
The Sarbanes-Oxley Act (SOX), passed in 2002, was intended to prevent scandals such as the Enron accounting fraud. It tried to prevent fraud in accounting, increase people's confidence in the financial reports of public companies, and safeguard shareholders. It created new laws about internal financial reporting and new requirements for financial audits of public companies. One of the most important effects the law had was that it made boards more powerful than management.

8. Discuss the concept of exposure and explain why firms may tolerate some exposure.
Exposure is the absence or the weakness of the internal control. Some firms may tolerate some exposure to determine control procedures that need to be developed so that they decrease risk to a level where management can accept the exposure to that risk.

9. If detective controls signal error flags, why shouldn’t these types of controls automatically make a correction in the identified error? Why are corrective controls necessary?
Linking a corrective action to a detected error, as an automatic response, may result in an incorrect action that causes a worse problem than the original error. For this reason, error correction should be viewed as a separate control step that should be taken cautiously.
Necessity of corrective control
There are three types of internal controls: preventive, detective and corrective controls. Corrective controls are used to restore the process back to its state prior to the harmful event.
To understand the necessity of the corrective control, consider the following example: “Quantity = 5; Price = $10; Total = $500”. Corrective controls take actions to reverse the effects of the errors detected.

10. Discuss the non-accounting services that external auditors are no longer permitted to render audit clients.
Auditing firms that are also engaged by their clients to perform non-accounting services such as actuarial services, internal audit outsourcing services, and consulting, lack independence. They are essentially auditing their own work. They are no longer permitted since auditors may not bring to management's attention detected problems that may adversely affect their consulting fees.

11. Discuss whether a firm with fewer employees than there are incompatible tasks should rely more heavily on general authority than specific authority.
Small firms with fewer employees than there are incompatible tasks should rely more heavily on specific authority. More approvals of decisions by management and increased supervision should be imposed in order to compensate some for the lack of separation of duties.

12. An organization’s internal audit department is usually considered an effective control mechanism for evaluating the organization’s internal control structure. The Birch Company’s internal auditing function reports directly to the controller. Comment on the effectiveness of this organization structure.
The Controller of an organization is the Chief Financial Officer who is responsible for all the financial aspects like accounting, statements, payroll, etc. When an internal auditor directly reports to the CFO of the company, the situation creates a potential conflict as it undermines the internal auditor’s position. An internal auditor is expected to have an objective view which may not be possible when the boss is the controller of the company.

13. According to COSO, the proper segregation of functions is an effective internal control procedure. Comment on the exposure (if any) caused by combining the tasks of paycheck preparation and distribution to employees.
If a payroll employee were to prepare a paycheck for a nonexistent employee, which is known as “ghost employee” fraud, and this employee also has the task of distributing the checks, then no one would be the wiser. On the other hand, if the checks go directly to another person, who then distributes the paychecks, the extra check should be discovered.

14. Explain the five conditions necessary for an act to be considered fraudulent.
1. False representation- there must be a false statement or a nondisclosure
2. Material fact- a fact must be a substantial factor in inducing someone to act
3. Intent- there must be an intent to deceive or the knowledge that one’s statement is false
4. Justifiable reliance- the misrepresentation must have been a substantial factor on which the injured party relied
5. Injury or loss- the deception must have caused injury or loss to the victim of the fraud

15. Distinguish between exposure and risk.
The absence or weakness of a control is called an exposure. Exposures, which are illustrated as holes in the control shield, increase the firm’s risk to financial loss or injury from undesirable events. A weakness in internal control may expose the firm to one or more of the following types of risks:
1. Destruction of assets (both physical assets and information).
2. Theft of assets.
3. Corruption of information or the information system.
4. Disruption of the information system.

16. Explain characteristics of management fraud
It often escapes detection until the organization has suffered irreparable damage or loss. Management fraud usually does not involve the direct theft of assets. There are three special characteristics of management fraud.
1. The fraud is perpetrated at levels of management above the one to which internal control structures generally relate.
2. The fraud frequently involves using the financial statements to create an illusion that an entity is healthier and more prosperous than, in fact, it is.
3. If the fraud involves misappropriation of assets, it frequently is shrouded in a maze of complex business transactions, often involving related third parties.

17. The text identifies a number of personal traits of managers and other employees that might help uncover fraudulent activity. Discuss three traits.
The fraud triangle consists of three factors that contribute to or are associated with management and employee fraud. These are:
1. Situational pressure, which includes personal or job-related stresses that could coerce an individual to act dishonestly.
2. Opportunity, which involves direct access to assets and/or access to information that controls assets
3. Ethics, which pertains to one’s character and degree of moral opposition to acts of dishonesty.

An individual with a high level of personal ethics, who is confronted with low pressure and limited opportunity to commit fraud, is more likely to behave honestly than one with weaker personal ethics, who is under high pressure and exposed to greater fraud opportunities.

18. Give two examples of employee fraud and explain how the thefts might occur.
An example is stealing the cash received from a customer while entering the transaction as paid. Another example could be taking company products and selling them elsewhere in exchange for cash. Employee fraud usually involves three steps:
1. Stealing something of value
2. Converting the asset to a usable form such as cash
3. Concealing the crime to avoid detection

19. Discuss the fraud schemes of bribery, illegal gratuities and economic extortion.
Bribery involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties. It defrauds the entity of the right to honest and loyal services from those employed by it. Illegal gratuities involve giving, receiving, offering, or soliciting something of value because of an official act that has been taken. This is similar to a bribe, but the transaction occurs after the fact. On the other hand, economic extortion is the use of force by an individual or organization to obtain something of value. The item of value could be a financial or economic asset, information, or cooperation to obtain a favorable decision on some matter under review.

20. Distinguish between skimming and cash larceny.
Skimming involves stealing cash from an organization before it is recorded on the organization’s books and records, while cash larceny involves schemes in which cash receipts are stolen from an organization after they have been recorded in the organization’s books and records.
Additional information: Skimming may also be done to evade tax when the business owner does not record the sale and uses the cash from the customer directly for personal use. It is more difficult to detect as the act is performed before the cash receipt or sale is entered into the books.

21. Distinguish between shell company fraud and pass-through fraud
Shell company fraud first requires that the perpetrator establish a false supplier on the victim company's books and then manufacture false purchase orders, receiving reports, and invoices in the name of the vendor and submit them to the accounting system, creating the illusion of a legitimate transaction. Pass-through fraud is similar to shell company fraud with the exception that a transaction actually takes place. Again, the perpetrator creates a false vendor and issues purchase orders to it for inventory or supplies. The false vendor then purchases the needed inventory from a legitimate vendor. The false vendor charges the victim company a much higher than market price for the items, but pays only the market price to the legitimate vendor. The difference is the profit that the perpetrator pockets.

22. Why are the computer ethics issues of privacy, security and property ownership of interest to accountants?
Privacy is a concern because the nature of computer data files makes it possible for unauthorized individuals to obtain information without it being recognized as "missing" from its original location. Security is
a concern because its absence makes control from a privacy viewpoint questionable. In addition, lack of security may permit unauthorized changes to data, therefore distorting information that is reported. Property ownership raises issues of legitimacy of organizational software, valuation of assets, and questions of lost revenues.

23. A profile of fraud perpetrators prepared by the Association of Certified Fraud Examiners revealed that adult males with advanced degrees commit a disproportionate amount of fraud. Explain these findings.
According to the findings from the study provided by ACFE, adult males with advanced degrees commit a disproportionate amount of fraud, which is explained as follows:
Gender. Women are not fundamentally more honest than men, but men occupy high corporate positions in greater numbers than women. This affords men greater access to assets.
Age. Older employees tend to occupy higher-ranking positions and therefore generally have greater access to company assets.
Education. Generally, those with more education occupy higher positions in their organizations and therefore have greater access to company funds and other assets.

24. Explain why collusion between employees and management in the commission of a fraud is difficult to both prevent and detect.
It's harder to detect collusion between the employee and management because it is the duty of the management to detect and prevent fraud among their subordinates. It is also hard to prevent because of the opportunity to commit fraud by the management.

25. Because all fraud involves some form of financial misstatement, how is fraudulent statement fraud different?
Fraudulent statement fraud is different because it involves financial misstatements in order to present favorable financial statements, and it benefits the organization rather than the company.

26. Explain the problems associated with lack of auditor independence.
Auditing firms that are also engaged by their clients to perform non-accounting activities such as actuarial services, internal audit outsourcing services, and consulting, lack independence. The firms are essentially auditing their own work. The risk is that as auditors they will not bring to management’s attention detected problems that may adversely affect their consulting fees. For example, Enron’s auditors—Arthur Andersen—were also their internal auditors and their management consultants.

27. Explain the problems associated with lack of director independence.
Many boards of directors are composed of individuals who are not independent. Examples of lack of independence are directors who have a personal relationship by serving on the boards of other directors’ companies; have a business trading relationship as key customers or suppliers of the company; have a financial relationship as primary stockholders or have received personal loans from the company; or have an operational relationship as employees of the company. A notorious example of corporate inbreeding is Adelphia Communications, a telecommunications company. Founded in 1952, it went public in 1986 and grew rapidly through a series of acquisitions. The founding family (John Rigas, CEO and chairman of the board; Timothy Rigas, CFO, Chief Administrative Officer, and chairman of the audit committee; Michael Rigas, Vice President for operation; and J.P. Rigas, Vice President for strategic planning) perpetrated the fraud. Between 1998 and May 2002, the Rigas family successfully disguised transactions, distorted the company’s financial picture, and engaged in embezzlement that resulted in a loss of more than $60 billion to [Link] is neither practical nor wise to establish a board of directors that is totally void of self-interest, popular wisdom suggests that a healthier board of directors is one in which the majority of directors are independent outsiders, with the integrity and the qualifications to understand the company and objectively plan its course.

28. Explain the problems associated with questionable executive compensation schemes.
A Thomson Financial survey revealed the strong belief that executives have abused stock-based compensation. The consensus is that fewer stock options should be offered than currently is the practice. Excessive use of short-term stock options to compensate directors and executives may result in short-term thinking and strategies aimed at driving up stock prices at the expense of the firm’s long-term health. In extreme cases, financial statement misrepresentation has been the vehicle to achieve the stock price needed to exercise the option.
As a case in point, Enron’s management was a firm believer in the use of stock options. Nearly every employee had some type of arrangement by which he or she could purchase shares at a discount or were granted options based on future share prices. At Enron’s headquarters in Houston, televisions were installed in the elevators so employees could track Enron’s (and their own portfolio’s) success. Before the firm’s collapse, Enron executives added millions of dollars to their personal fortunes by exercising stock options.

29. Explain the problems associated with inappropriate accounting practices.
The use of inappropriate accounting techniques is a characteristic common to many financial statement fraud schemes. Enron made elaborate use of special-purpose entities to hide liabilities through off-balance-sheet accounting. Special-purpose entities are legal, but their application in this case was clearly intended to
deceive the market. Enron also employed income-inflating techniques. For example, when the company sold a contract to provide natural gas for a period of two years, they would recognize all future revenue in the period when the contract was sold.

30. Explain the purpose of the Public Company Accounting Oversight Board.
SOX created a Public Company Accounting Oversight Board (PCAOB). The PCAOB is empowered to set auditing, quality control, and ethics standards; to inspect registered accounting firms; to conduct investigations; and to take disciplinary actions.

31. Why is an independent audit committee important to a company?
The audit committee is responsible for selecting and engaging an independent auditor, for ensuring that an annual audit is conducted, for reviewing the audit report, and for ensuring that deficiencies are addressed. Large organizations with complex accounting practices may need to create audit subcommittees that specialize in specific activities.

32. What are the key points of the “Issuer and Management Disclosure” of the Sarbanes-Oxley Act?
● Public companies must report all off-balance-sheet transactions
● Annual reports filed with the SEC must include a statement by management asserting that it is responsible for creating and maintaining adequate internal controls and asserting to the effectiveness of those controls.
● Officers must certify that the company’s accounts “fairly present” the firm’s financial condition and results of operations
● Knowingly filing a false certification is a criminal offense

33. In this age of high technology and computer-based information systems, why are accountants concerned about physical (human) records?
- They relate the physical controls to the human activities that trigger those tasks or utilize the results of those tasks. All systems need actual human control every once in a while.

34. What are the classes of transcription error?
1. Addition errors – occur when an extra digit or character is added to the code.
2. Truncation errors – occur when a digit or character is removed from the end of a code
3. Substitution errors – replacement of one digit in a code with another

35. What is the purpose of a check digit?
- A check digit is a control digit (or digits) that is added to the data code when it is originally assigned. This allows the integrity of the code to be established during subsequent processing.

36. Does a hash total need to be based on a financial data field? Explain.
- No, it does not need to be based on financial data, because a hash total is the summation of a nonfinancial field to keep track of the records in a batch. Any numeric field, such as a customer’s account number, a purchase order number, or an inventory item number, may be used to calculate a hash total.

37. Explain the GFS background technique. Is it used for sequential files or direct access techniques?
- Grandfather-father-son (GFS) is used for sequential master files. The GFS background technique begins when the current master file (the father) is processed against the transaction file to produce a new updated master file (the son). Note that the son is a physically different file from the father. With the next batch of transactions, the son becomes the current master file (the new father), and the original father becomes the backup file (grandfather).

MULTIPLE QUESTIONS

1. An example of a control designed to validate a transaction at the point of data entry is
a. recalculation of a batch total
b. a record count
c. a check digit
d. checkpoints
e. recalculation of hash total

Justification: In Check digit, data codes are used extensively in transaction processing systems for representing such things as customer accounts, items of inventory, and general ledger accounts in the chart of accounts. If the data code of a particular transaction is entered incorrectly and goes undetected, then a transaction processing error will occur, such as posting to the wrong account.

[Link] controls are classified as
a. Input, processing, and output
b. Input, processing, output, and storage
c. Input, processing, output, and control
d. Input, processing, output, storage, and storage
e. Collecting, sorting, summarizing, and reporting

Justification: Input controls are programmed procedures (routines) that perform tests on transaction data to ensure that they are free from errors. After passing through the data input stage, transactions enter the processing stage of the system. Processing controls are programmed procedures and may be divided into three categories: batch controls, run-to-run controls, and audit trail controls. Output controls are a combination of programmed routines and other procedures to ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated.
[Link] of the following is NOT an element of the fraud triangle?
a. Ethics
b. Justifiable reliance
c. Situational pressure
d. Opportunity
e. All of the above are elements

Justification: The fraud triangle consists of three factors that contribute to or are associated with management and employee fraud. These are (1) situational pressure, which includes personal or job-related stresses that could coerce an individual to act dishonestly; (2) opportunity, which involves direct access to assets and/or access to information that controls assets; and (3) ethics, which pertains to one’s character and degree of moral opposition to acts of dishonesty. Justifiable reliance is part of the five conditions of a fraudulent act, in which the misrepresentation must have been a substantial factor on which the injured party relied.

4. How are transactions in real-time processing systems edited?
a. In a separate computer run
b. In online mode as transactions are entered
c. During a backup procedure
d. Not edited due to time constraints
e. Editing transactions in real-time is not necessary

C. Back-up of the master file in a real-time processing system is considered difficult because transactions are processed in a continuous way where the backup process is scheduled at particular intervals. While processing, the current version of the master file gets destroyed from disk failure or it will get corrupted due to some programming error, from which the master file can be reconstructed to the current backup file stored in the disk.

5. In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. The best control technique to detect this action using employee identification numbers would be to use a -
a. Batch total
b. Record count
c. Hash total
d. Subsequent check
e. Final total

C. Hash total is the addition of a non-financial field. It is used to maintain a track of the record. For example, a customer's account number of each transaction within a record can be added to obtain a hash total. Such a hash total would not match if a perpetrator replaces a transaction with one of similar value, so the substitution could be detected.

6. Which of the following is often called compensating control?
a. Transaction authorization
b. Supervision
c. Accounting records
d. Segregation of duties

B. Usually a good internal control means that the incompatible tasks are all allotted to different employees. But in the case of a small organization with fewer personnel, it may not be possible. In such a scenario, the management may choose to compensate for the lack of segregation of duties with close supervision. A manager may be asked to oversee the roles of various subordinates across different functions. Hence it is called a compensating control.

7. The underlying assumption of reasonable assurance regarding implementation of internal control means that
a. Auditors are reasonably assured that fraud has not occurred in the period.
b. Auditors are reasonably assured that employee carelessness can weaken an internal control structure.
c. Implementation of the control procedure should not have a significant adverse effect on efficiency or profitability
d. Management's assertions about control effectiveness should provide auditors with reasonable assurance.
e. A control applies reasonably well to all forms of computer technology.

Justification: When a company chooses to incorporate a good internal control system, then the underlying assumption is that the cost of implementing such a procedure must not outweigh the benefits. In other words, the company should be able to meet the four objectives of having an internal control (safeguarding the assets, accurate and reliable data, increase in efficiency and adherence to company policies) in a cost-effective manner.

8. Which of the following journal entries would a bookkeeper make to conceal the theft of cash receipts from customers in payment of their accounts?
a. DR: Miscellaneous expense / CR: Cash
b. DR: Petty cash / CR: Cash
c. DR: Cash / CR: Accounts Receivable
d. DR: Sales returns / CR: Accounts Receivable
e. None of the above

Justification: For making the journal entries, the shopkeeper should have an idea related to the goods sold. If the sales returns are debited and accounts receivable are credited, then bookkeeper will face no difficulty
related to the receipts. It is because the bookkeeper will get the cost of goods after knowing the sales returns.

9. Which of the following is not an example of preventive control?
a. Separation of responsibilities for the recording, custodial, and authorization functions
b. Sound personnel practices
c. Documentation of policies and procedures
d. Password Authentication
Hardware
e. Sources documents for capturing sales data

Justification: documentation of policies and procedures is a directive control.

10. Which of the following is NOT a segregation of duties violations? A
a. The treasurer has the authority to sign checks but gives the signature block to the assistant treasurer to run the check-signing machine.
b. The warehouse clerk, who has custodial responsibility over inventory in the warehouse, selects the vendor and authorizes purchases when inventories are low.
c. The sales manager has the responsibility to approve credit and the authority to write off accounts.
d. The department time clerk is given the undistributed payroll checks to mail to absent employees.

No risk due to combination of tasks. The treasurer is responsible for having custody of the assets. The treasurer is not responsible for either authorizing or recording the transaction. By delegating the task of signing the checks to the assistant treasurer, no violation of the principle of the separation of functions occurs because the assistant treasurer does not authorize or record transactions either.

11. What name is given to computer programs that are used for checking the validity and accuracy of transaction data? B
a. Operating System Program
b. Edit Programs
c. Compiler Programs
d. Integrated Test Programs
e. Interrogation Program

Applications use routines for checking the validity and accuracy of the transaction data. Edit programs are the programs which are designed for performing the editing and modification functions or the deletion of the software and data.

12. An employee in the receiving department keyed in shipment from a remote terminal and inadvertently omitted the purchase order number. The best application control to detect this error would be a C
a. Batch Total
b. Missing Data Check
c. Completeness Check
d. Reasonableness Check
e. Compatibility Test

A completeness test checks that all data elements are entered before processing. An interactive system can be programmed to notify the user to enter the number before accepting the receiving report.

13. Which of the following controls would best prevent the lapping of accounts receivable A
a. Segregate duties so that the clerk responsible for recording in the accounts receivable subsidiary ledger has no access to the general ledger.
b. Request that customers review their monthly statements and report any unrecorded cash payments.
c. Require customers to send payments directly to the company’s bank.
d. Request that customers make checks payable to the company.

In order to prevent lapping, the duties of the clerk responsible for recording the accounts receivable subsidiary ledger should be segregated from that of recording in the general ledger. Fraud is a malicious act committed by people to fulfill their personal benefits. Fraud can be committed by people inside or outside the organization.

14.) Ensuring that all material transactions processed by the information system are valid in accordance with management’s objectives is an example of
Answer: A. Transaction Authorization
Justification: An employee may be given the authority to initiate or approve any transaction. This is done in order to ensure that the transaction is valid and is in accordance with the policies and procedures of the organization. This is called transaction authorization. Hence, the correct option is a.

15.) Which of the following is an example of an input control?
Answer: D. Performing a check digit test on a customer account number.
Justification: Controls are termed as a programmed procedure which performs the test related to the transaction, ensuring the data is free from any error.
⮚ They are also called edits, which are designed into the system at various points which depend on whether the processing is real time or batch
⮚ Input controls are placed in the real time system at the data collection stage for monitoring the data which are entered from the terminals.
⮚ Historical transaction data must be error free for its efficient processing.

16.) Providing timely information about transactions in sufficient detail to permit proper classification and financial reporting is an example of
Answer: C. Information and communication.
Justification: An efficient accounting information system is used to initiate, classify and record the transactions related to the assets and liabilities. This timely, accurate and reliable information is very important to the management to make decisions. The details about how a transaction is initiated, how it is processed and how it is classified are required also from the audit perspective.

17. The fraud scheme that is similar to the concept of "borrowing from Peter to pay Paul" is
Answer: C - Lapping is the practice of allocating one customer's payment to another customer's account. Hence, borrowing Peter's payment to pay Paul.

18. What is the process for posting to accounting records in a computer system?
Answer: D - Accounting records in a computer-based accounting system consist of a general ledger for each account, which holds the beginning balance and the month-to-date total for all transactions. The computer system allows direct access for reviewing any account balance on the monitor, which shows current year-to-date data, and the master files are updated according to the year-to-date files.

19. Which of the following benefits is least likely to result from a system of internal controls?
Answer: B - No system can prevent two or more employees who have authority and control over the system from getting together to commit fraud.
