AIS Chapter 3 Ethics 2

April 29, 2018 | Author: boa1315 | Category: Sarbanes–Oxley Act, Financial Statement, Fraud, Audit, Business
Ethics, Fraud and Internal Control

Ethics
Pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong.

Business Ethics
1. How do managers decide what is right in conducting their business?
2. Once managers have recognized what is right, how do they achieve it?

Ethical responsibility – seeking the balance between the consequences that may potentially harm or benefit your constituents.
Proportionality – The benefit from a decision must outweigh the risks. Furthermore, there must be no alternative decision that provides the same or better benefit with less risk.
Justice – The benefits of the decision should be distributed fairly to those who share the risk. Those who do not benefit should not carry the burden of risk.
Minimize risks – Even if judged acceptable by the principles, the decision should be implemented to minimize all of the risk and avoid any unnecessary risk.

Computer Ethics
“the analysis of nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology … This includes concerns about networks connecting computers as well as computers themselves.” (J. H. Moor)

Issues:
Privacy – the desire to control what and how information is to be made available to others (raises the question of the ownership of this information).
Security (Accuracy and Confidentiality) – shared computerized databases have the potential to give inaccurate information to the right people and accurate information to those who may exploit it to their ends.
Ownership of Property – what can an individual or organization own?
Equity in Access – unavoidable barriers due to socio-economic and cultural factors that limit access to information technology.
Environmental Issues – print vs. electronic.
Artificial Intelligence – reliance on technology for decision making leads to various questions.

Unemployment and Displacement – the change in jobs as a result of the advance of computer technology and the consequences.
Misuse of Computers – examples: copying proprietary software, use of computers for personal tasks.

Fraud
A false representation of material fact made by one party to another party with the intent to deceive and induce the other party to justifiably rely on the fact to his or her detriment.

Five conditions that must be present
1. False representation
2. Material fact
3. Intent
4. Justifiable reliance
5. Injury or loss

Employee fraud – generally designed to directly convert cash or other assets to the employee’s benefit.
Management fraud – can be perpetrated by overriding an otherwise effective internal control structure.

Factors that contribute to fraud
1. Situational pressures
2. Opportunities
3. Personal characteristics

Fraud Schemes

Fraudulent Statements
1. Lack of Auditor Independence
2. Lack of Director Independence
3. Questionable Executive Compensation Scheme
4. Inappropriate Accounting Practices

Corruption
• Bribery – giving, offering, soliciting or receiving things of value to influence an official in the performance of his or her duties.
• Illegal gratuities – giving, offering, soliciting or receiving things of value because of an official act that has been taken.
• Conflicts of Interest – occurs when an employee acts on behalf of a third party during the discharge of his or her duties or has self-interest in the activity being performed.
• Economic Extortion – use or threat of force, including economic sanctions, to obtain something of value.

Asset Misappropriation
• Charges to expense accounts – causes an imbalance in the accounting equation which must be adjusted if it is to go undetected.
• Lapping – use of customer checks, received as payment, to conceal cash previously stolen by the employee.
• Transaction Fraud – involves deleting, altering, or adding false transactions to divert assets to the perpetrator.

Upcoming: Fraud (Computer Fraud), Internal Control, SOX

Computer Fraud Schemes

Data Collection
The 1st operational stage and the simplest way to perpetrate computer fraud. The computer equivalent of transaction fraud: it involves falsifying data as it enters the system.
Transaction fraud from remote locations is possible due to the exposure of networked systems:
• Masquerading
• Piggybacking
• Hacking

Data Processing
Program fraud involves:
1. creating illegal programs that can access data files to alter, delete, or insert values into accounting records,
2. destroying or corrupting a program’s logic using a computer virus, or
3. altering program logic to cause the application to process data incorrectly.
Operations fraud – the misuse of the firm’s computer resources. Often involves using the computer to conduct personal business.

Database Management
Fraud can be perpetrated by altering, deleting, corrupting, destroying, or stealing an organization’s data.

Information Generation
Common fraud acts at this stage involve stealing, misdirecting, or misusing computer output.
• Scavenging
• Eavesdropping

Internal Control
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies and procedures.

Preventive controls – the first line of defense. These are passive techniques designed to reduce the occurrence of undesirable events.
Detective controls – the second line. These are designed to identify and expose undesirable events that elude preventive controls.
Corrective controls – actions taken to reverse the effects of errors detected in the previous step.

Internal Control Framework

The Control Environment – at minimum adopt the provisions of SOX. Best practices:
• Separate CEO and Chairman
• Set Ethical Standards
• Establish an Independent Audit Committee
• Compensation committee
• Nominating committees
• Access to outside professionals

Risk Assessment – identify, analyze and manage risks relevant in financial reporting. It is likely that internal control risks could be more pervasive in the IT organization than in other areas of the company.

Information and Communication
Effective AIS will:
• Identify and record all valid financial transactions.
• Provide timely information about transactions in sufficient detail to permit proper classification and financial reporting.
• Accurately measure the financial value of transactions so their effects can be recorded in financial statements.
• Accurately record transactions in the time period they occur.

Auditors should obtain sufficient knowledge of the AIS to understand:
• The classes of transactions that are material to the financial statements and how those transactions are initiated.
• The accounting records and accounts that are used in the processing of material transactions.
• The transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements.
• The financial reporting process used to prepare financial statements, disclosures, and accounting estimates.

Monitoring – assess quality of internal control design and operation. Important to IT management.

Control Activities
• IT controls
• Physical controls

Transaction Authorization – ensures that all material transactions processed by the information system are valid and in accordance with management’s objectives.
Segregation of Duties – minimize incompatible functions.
Supervision – compensates for the absence of segregation controls. Operates under the assumption that the firm employs competent and trustworthy personnel.
Accounting Records – provide an audit trail.
Access Control – ensures that only authorized personnel have access to assets.
Independent Verification – independent checks of the accounting system to identify errors and misrepresentations.

American Competitiveness and Corporate Accountability Act of 2002
Sarbanes-Oxley Act
Sponsored by U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley

Ethics
Section 406 – Code of Ethics for Senior Financial Officers
This requires public companies to disclose to the SEC whether they have adopted a code of ethics that applies to the organization’s CEO, CFO, controller, or persons performing similar functions. If not, it is required to explain why.
The code of ethics may be disclosed by:
1. Including it as an exhibit to its annual report.
2. Posting it to its website.
3. Agreeing to provide copies of the code upon request.
This must apply to all employees. This should address the following issues:
• Conflicts of Interest
• Full and Fair Disclosures
• Legal Compliance
• Internal Reporting of Code Violations
• Accountability

Fraud
SOX established a framework to modernize and reform the oversight and regulation of public company auditing.
1. Public Company Accounting Oversight Board
2. Auditor Independence
3. Corporate Governance and Responsibility
4. Issues and Management Disclosure
5. Fraud and Criminal Penalties

Internal Control
SOX requires management of public companies to implement an adequate system of internal controls over their financial reporting process. This includes controls over transaction processing systems that feed data to the financial reporting systems.

Section 302: The signing officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.”

Requires a company’s management, with the participation of the principal executive and financial officers (the certifying officers), to make the following quarterly and annual certifications with respect to the company’s internal control over financial reporting:
• A statement that the certifying officers are responsible for establishing and maintaining internal control over financial reporting.
• A statement that the certifying officers have designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under their supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.
• A statement that the report discloses any changes in the company’s internal control over financial reporting that occurred during the most recent fiscal quarter (the company’s fourth fiscal quarter in the case of an annual report) that have materially affected, or are reasonably likely to materially affect, the company’s internal control over financial reporting.

When the reason for a change in internal control over financial reporting is the correction of a material weakness, management has a responsibility to determine, and the auditor should evaluate, whether the reason for the change and the circumstances surrounding that change are material information necessary to make the disclosure about the change not misleading.

Section 404: The directives of Sarbanes-Oxley section 404 require that management provide an annual report on its assessment of internal control over financial reporting in its annual filing. Section 404 states: Management’s report on internal control over financial reporting is required to include the following:
• A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company.
• A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control over financial reporting.
• An assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including an explicit statement as to whether that internal control over financial reporting is effective.
• A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting.

Management should provide, both in its report on internal control over financial reporting and in its representation letter to the auditor, a written conclusion about the effectiveness of the company’s internal control over financial reporting. The conclusion about the effectiveness of a company’s internal control over financial reporting can take many forms; however, management is required to state a direct conclusion about whether the company’s internal control over financial reporting is effective.

Management is precluded from concluding that the company’s internal control over financial reporting is effective if there are one or more material weaknesses. In addition, management is required to disclose all material weaknesses that exist as of the end of the most recent fiscal year.

Management might be able to accurately represent that internal control over financial reporting, as of the end of the company’s most recent fiscal year, is effective even if one or more material weaknesses existed during the period. To make this representation, management must have changed the internal control over financial reporting to eliminate the material weaknesses sufficiently in advance of the “as of” date and have satisfactorily tested the effectiveness over a period of time that is adequate for it to determine whether, as of the end of the fiscal year, the design and operation of internal control over financial reporting are effective.
