IT Audit Ch 12
Computer Information Systems...
ANS: F PTS: 1
Ethical issues and legal issues are essentially the same.
ANS: F PTS: 1

Internal control systems are recommended but not required to prevent fraud.
ANS: F PTS: 1

14. Collusion among employees in the commission of a fraud is difficult to prevent but easy to detect.
ANS: F PTS: 1

15. Database management fraud includes altering, updating, and deleting an organization’s data.
ANS: F PTS: 1

16. The fraud triangle represents a geographic area in Southeast Asia where international fraud is prevalent.
ANS: F PTS: 1

17. Situational pressure includes personal or job related stresses that could coerce an individual to act dishonestly.
ANS: T PTS: 1

18. Opportunity involves direct access to assets and/or access to information that controls assets.
ANS: T PTS: 1

19. Cash larceny involves stealing cash from an organization before it is recorded on the organization’s books and records.
ANS: F PTS: 1

20. Skimming involves stealing cash from an organization after it is recorded on the organization’s books and records.
ANS: F PTS: 1

The most common access point for perpetrating computer fraud is at the data collection stage.
ANS: T PTS: 1

22. Changing the Hours Worked field in an otherwise legitimate payroll transaction to increase the amount of the paycheck is an example of data collection fraud.
ANS: T PTS: 1

23. Scavenging is a form of fraud in which the perpetrator uses a computer program to search for key terms in a database and then steal the data.
ANS: F PTS: 1

The objective of SAS 99 is to seamlessly blend the auditor’s consideration of fraud into all phases of the audit process.
ANS: T PTS: 1

MULTIPLE CHOICE
1. Which ethical principle states that the benefit from a decision must outweigh the risks, and that there is no alternative decision that provides the same or greater benefit with less risk?
a. minimize risk
b. justice
c. informed consent
d. proportionality
ANS: D PTS: 1

2. Individuals who acquire some level of skill and knowledge in the field of computer ethics are involved in which level of computer ethics?
a. para computer ethics
b. pop computer ethics
c. theoretical computer ethics
d. practical computer ethics
ANS: A PTS: 1

3. All of the following are factors in the fraud triangle except
a. Ethical behavior of an individual
b. Pressure exerted on an individual at home and job related
c. Materiality of the assets
d. Opportunity to gain access to assets
ANS: C PTS: 1

4. Which characteristic is not associated with software as intellectual property?
a. uniqueness of the product
b. possibility of exact replication
c. automated monitoring to detect intruders

b. accounting records
c. accounting system
d. access controls
ANS: A PTS: 1

17. Business ethics involves
a. how managers decide on what is right in conducting business
b. how managers achieve what they decide is right for the business
c. both a and b
d. none of the above
ANS: C PTS: 1

18. All of the following are conditions for fraud except
a. false representation
b. injury or loss
c. intent
d. material reliance
ANS: D PTS: 1

19. The four principal types of fraud include all of the following except
a. bribery
b. gratuities
c. conflict of interest
d. economic extortion
ANS: B PTS: 1

20. Which of the following is not an issue to be addressed in a business code of ethics required by the SEC?
a. Conflicts of interest
b. Full and Fair Disclosures
c. Legal Compliance
d. Internal Reporting of Code Violations
e. All of the above are issues to be addressed
ANS: E PTS: 1

21. Operations fraud includes
a. altering program logic to cause the application to process data incorrectly
b. misusing the firm’s computer resources
c. destroying or corrupting a program’s logic using a computer virus
d. creating illegal programs that can access data files to alter, delete, or insert values
ANS: B PTS: 1

22. Computer fraud can take on many forms, including each of the following except
a. theft or illegal use of computer-readable information
b. theft, misuse, or misappropriation of computer equipment
c. theft, misuse, or misappropriation of assets by altering computer-readable records and files
d. theft, misuse, or misappropriation of printer supplies
ANS: D PTS: 1

23. What does the underlying assumption of reasonable assurance regarding implementation of internal control mean?
a. Auditors are reasonably assured that fraud has not occurred in the period.
b. Auditors are reasonably assured that employee carelessness can weaken an internal control structure.
c. Implementation of the control procedure should not have a significant adverse effect on efficiency or profitability.
d. Management assertions about control effectiveness should provide auditors with reasonable assurance.
ANS: C PTS: 1

24. The importance to the accounting profession of the Sarbanes-Oxley Act of 2002 is that
a. bribery will be eliminated.
b. management will not be able to override the company’s internal controls.
c. firms are required to have an effective internal control system.
d. firms will not be exposed to lawsuits.

SHORT ANSWER

1. What are the main issues to be addressed in a business code of ethics required by the SEC?
ANS: Conflicts of interest, Full and Fair Disclosures, Legal Compliance, Internal Reporting of Code Violations, Accountability
PTS: 1

2. What are the five conditions necessary for an act to be considered fraudulent?
ANS: false representation, material fact, intent, justifiable reliance, and injury or loss
PTS: 1

3. What is the objective of SAS 99?
ANS: The objective of SAS 99 is to seamlessly blend the auditor’s consideration of fraud into all phases of the audit process.
PTS: 1

4. Distinguish between exposure and risk.
ANS: Exposure is the absence or weakness of a control which increases the firm’s risk of financial loss or injury. Risk is the probability of incurring such a loss or injury.
PTS: 1

5. Explain the characteristics of management fraud.
ANS: Management fraud typically occurs at levels above where the internal control system is effective. Financial statements are frequently modified to make the firm appear more healthy than it actually is. If any misappropriation of assets occurs, it is usually well hidden.
PTS: 1

6. __________________________ are intentional mistakes while __________________________ are unintentional mistakes.
ANS: Irregularities, Errors
PTS: 1

7. The text discusses many questions about personal traits of executives which might help uncover fraudulent activity. What are three?
ANS: executives: with high personal debt, living beyond their means, engaged in habitual gambling, appear to abuse alcohol or drugs, appear to lack personal codes of ethics, appear to be unstable, close associations with suppliers
PTS: 1

8. Give two examples of employee fraud and explain how the theft might occur.
ANS: Charges to expense accounts: Cash could be stolen and charged to a miscellaneous expense account. Once the account is closed, detection would be more difficult.
Lapping: This involves converting cash receipts to personal use. If a customer’s check is taken, his/her balance will not reflect a payment and will be detected when a statement is sent. In order to conceal this fraud, a later payment is used to cover the stolen check. This is in effect a small scale Ponzi scheme.
PTS: 1

9. What are the six broad classes of physical control activities defined by SAS 78?
ANS: Transaction authorization, segregation of duties, supervision, access controls, accounting records, independent verification
PTS: 1

10. Explain the pass through fraud.
ANS: The perpetrator creates a false vendor and issues purchase orders to it for inventory or supplies. The false vendor then purchases the needed inventory from a legitimate vendor. The false vendor charges the victim company a much higher than market price for the items, but pays only the market price to the legitimate vendor. The difference is the profit that the perpetrator pockets.

11. Explain the Pay and Return scheme.
ANS: A pay-and-return scheme involves a clerk with check-writing authority who pays a vendor twice for the same products (inventory or supplies) received. The vendor, recognizing that its customer made a double payment, issues a reimbursement to the victim company. The clerk intercepts and cashes the reimbursement check.

12. What is check tampering?
ANS: Check tampering involves forging or changing in some material way a check that the organization has written to a legitimate payee. One example of this is an employee who steals an outgoing check to a vendor, forges the payee’s signature, and cashes the check. A variation on this is an employee who steals blank checks from the victim company and makes them out to himself or an accomplice.

13. What is program fraud?
ANS: Program fraud involves making unauthorized changes to parts of a program for the purpose of committing an illegal act.
PTS: 1

14. Explain the shell company fraud.
ANS: A shell company fraud first requires that the perpetrator establish a false supplier on the books of the victim company. The fraudster then manufactures false purchase orders, receiving reports, and invoices in the name of the vendor and submits them to the accounting system, which creates the illusion of a legitimate transaction. Based on these documents, the system will set up an account payable and ultimately issue a check to the false supplier (the fraudster).

15. Name three forms of computer fraud.
ANS: Computer fraud includes:
The theft, misuse, or misappropriation of assets by altering computer-readable records and files.
The theft, misuse, or misappropriation of assets by altering the logic of computer software.
The theft or illegal use of computer-readable information.
The theft, corruption, illegal copying, or intentional destruction of computer software.
The theft, misuse, or misappropriation of computer hardware.
PTS: 1

16. Name three types of program fraud.
ANS: Program fraud includes:
(1) creating illegal programs that can access data files to alter, delete, or insert values into accounting records;
(2) destroying or corrupting a program’s logic using a computer virus; or
(3) altering program logic to cause the application to process data incorrectly.
PTS: 1

17. Define operational fraud.
ANS: Operations fraud is the misuse or theft of the firm’s computer resources. This often involves using the computer to conduct personal business.
PTS: 1

18. Define database management fraud.
ANS: Database management fraud includes altering, deleting, corrupting, destroying, or stealing an organization’s data.
PTS: 1

19. What is scavenging?
ANS: Scavenging involves searching through the trash of the computer center for discarded output.
PTS: 1

As a form of computer fraud, what is eavesdropping?
ANS: Eavesdropping involves listening to output transmissions over telecommunications lines.
PTS: 1

ESSAY

1. What fraud detection responsibilities (if any) are imposed on auditors by the Sarbanes-Oxley Act?
ANS: Standard No. 2 places responsibility on auditors to detect fraudulent activity. The standard emphasizes the importance of controls designed to prevent or detect fraud that could lead to material misstatement of the financial statements. Management is responsible for implementing such controls and auditors are expressly required to test them.
PTS: 1

2. Contrast management fraud with employee fraud.
ANS: Employee fraud is usually designed to directly convert cash or other assets to the employee’s personal benefit. Management fraud involves less of a direct benefit to the perpetrator. Management fraud may involve an attempt to misstate financial performance in order to gain additional compensation or to earn a promotion. Management fraud may also involve an attempt to misstate financial performance in order to increase the price of the company’s stock or to reduce the cost of debt. Management fraud is more insidious than employee fraud because it often escapes detection until the organization has suffered irreparable damage or loss. Management fraud usually does not involve the direct theft of assets.
PTS: 1

3. Why are the computer ethics issues of privacy, security, and property ownership of interest to accountants?
ANS: Privacy is a concern because the nature of computer data files makes it possible for unauthorized individuals to obtain information without it being recognized as “missing” from its original location. Security is a concern because its absence makes control from a privacy viewpoint questionable. In addition, lack of security may permit unauthorized changes to data, therefore distorting information that is reported. Property ownership raises issues of legitimacy of organizational software, valuation of assets, and questions of lost revenues.
PTS: 1

4. According to common law, there are five conditions that must be present for an act to be deemed fraudulent. Name and explain each.
ANS: In order for an act to be deemed fraudulent under common law, it must possess the following characteristics: false representation, meaning some misrepresentation or omission must have occurred, material facts, meaning that the facts must influence someone’s actions, intent, meaning there must have been the intention to deceive others, justifiable reliance, meaning it did affect someone’s decision, and injury or loss must have occurred.
PTS: 1

5. Management fraud is regarded as more serious than employee fraud. Three special characteristics have been discussed for management fraud. What are they? Explain.
ANS: Management fraud is more insidious than employee fraud because it often escapes detection until the organization has suffered irreparable damage or loss. It usually occurs at levels above the normal internal control system. There is typically an intent to present a better picture of the business than is valid, often to deceive creditors and/or shareholders. If assets are misappropriated, the route is quite devious involving a maze of business transactions.
PTS: 1

6. Four principal types of corruption are discussed. Name all four and explain at least two.
ANS: Corruption involves an executive, manager, or employee of a business working in collusion with an outsider. The four principal types of corruption are: bribery, illegal gratuities, conflicts of interest, and economic extortion. Bribery involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties. An illegal gratuity involves giving, receiving, offering, or soliciting something of value because of an official act that has been taken. A conflict of interest occurs when an employee acts on behalf of a third party during the discharge of his or her duties or has self-interest in the activity being performed. Economic extortion is the use (or threat) of force (including economic sanctions) by an individual or organization to obtain something of value.
PTS: 1

7. Misappropriation of assets can involve various schemes: expense reimbursement fraud, lapping, and payroll fraud. Explain each and give an example.
ANS: Expense reimbursement fraud involves fictitious charges to such accounts as miscellaneous expense to offset theft of an asset. Because the expense account is closed to revenue at the end of the period, the period in which it could be detected is short. Lapping is a technique whereby an early theft is covered up by a later one, i.e., with the moves “lapping” over each other. The simplest example involves taking a customer’s payment. A later payment is then credited to the first customer’s account, not the second. And on it goes. This requires some control over billing to avoid tipping off the last customer. Payroll fraud is the distribution of fraudulent paychecks to existent and/or nonexistent employees.
PTS: 1

8. Distinguish between skimming and cash larceny. Give an example of each.
ANS: Skimming involves stealing cash from an organization before it is recorded on the organization’s books and records. One example of skimming is an employee who accepts payment from a customer but does not record the sale. Another example is mail room fraud in which an employee opening the mail steals a customer’s check and destroys the associated remittance advice. Cash larceny involves schemes in which cash receipts are stolen from an organization after they have been recorded in the organization’s books and records. An example of this is lapping, in which the cash receipts clerk first steals and cashes a check from Customer A. To conceal the accounting imbalance caused by the loss of the asset, Customer A’s account is not credited. Later (the next billing period), the employee uses a check received from Customer B and applies it to Customer A’s account. Funds received in the next period from Customer C are then applied to the account of Customer B, and so on.
PTS: 1

9. Explain why collusion between employees and management in the commission of a fraud is difficult to both prevent and detect.
ANS: Collusion among employees in the commission of a fraud is difficult to both prevent and detect. This is particularly true when the collusion is between managers and their subordinate employees. Management plays a key role in the internal control structure of an organization. They are relied upon to prevent and detect fraud among their subordinates. When they participate in fraud with the employees over whom they are supposed to provide oversight, the organization’s control structure is weakened, or completely circumvented, and the company becomes more vulnerable to losses.
PTS: 1

10. Since all fraud involves some form of financial misstatement, how is Fraudulent Statement fraud different?
ANS: Fraudulent statements are associated with management fraud. While all fraud involves some form of financial misstatement, to meet the definition under this class of fraud scheme, the statement itself must bring direct or indirect financial benefit to the perpetrator. In other words, the statement is not simply a vehicle for obscuring or covering a fraudulent act. For example, misstating the cash account balance to cover the theft of cash does not fall under this class of fraud scheme. On the other hand, understating liabilities to present a more favorable financial picture of the organization to drive up stock prices does qualify.
PTS: 1

11. Explain the problems associated with lack of auditor independence.
ANS: Auditing firms who are also engaged by their clients to perform nonaccounting activities such as actuarial services, internal audit outsourcing services, and consulting lack independence. They are essentially auditing their own work. The risk is that as auditors they will not bring to management’s attention detected problems that may adversely affect their consulting fees. For example, Enron’s auditors – Arthur Andersen – were also their internal auditors and their management consultants.
PTS: 1

12. Explain the problems associated with lack of director independence.
ANS: Many boards of directors are comprised of individuals who are not independent. Examples of lack of independence are directors who: have a personal relationship by serving on the boards of other directors’ companies; have a business trading relationship as key customers or suppliers of the company; have a financial relationship as primary stockholders or have received personal loans from the company; have an operational relationship as employees of the company.
PTS: 1

13. Explain the problems associated with Questionable Executive Compensation Schemes.
ANS: A survey by Thompson Financial revealed the strong belief that executives have abused stock-based compensation. The consensus is that fewer stock options should be offered than currently is the practice. Excessive use of short-term stock options to compensate directors and executives may result in short term thinking and strategies aimed at driving up stock prices at the expense of the firm’s long-term health. In extreme cases, financial statement misrepresentation has been the vehicle to achieve the stock price needed to exercise the option.
PTS: 1

14. Explain the problems associated with inappropriate accounting practices.
ANS: The use of inappropriate accounting techniques is a characteristic common to many financial statement fraud schemes. Enron made elaborate use of Special Purpose Entities (SPE) to hide liabilities through off balance sheet accounting. WorldCom management transferred transmission line costs from current expense accounts to capital accounts. This allowed them to defer some operating expenses and report higher earnings. Also, they reduced the book value of hard assets of MCI by $3.4 billion and increased goodwill by the same amount. Had the assets been left at book value, they would have been charged against earnings over four years. Goodwill, on the other hand, was amortized over a much longer period.
PTS: 1

15. Computer fraud is easiest at the data collection stage. Why?
ANS: Computer fraud is easiest at the data collection stage because much of what occurs after the data collection or input stage is not visible to human eyes. Once entered, the system will presume that the input is legitimate and will process it as all others.
PTS: 1

16. Describe the factors that constitute the fraud triangle. Why is it important to auditors?
ANS: The fraud triangle consists of three factors that contribute to or are associated with management and employee fraud. These are:
(1) situational pressure, which includes personal or job related stresses that could coerce an individual to act dishonestly;
(2) opportunity, which involves direct access to assets and/or access to information that controls assets; and
(3) ethics, which pertains to one’s character and degree of moral opposition to acts of dishonesty.
An individual with a high level of personal ethics, who is confronted by low pressure and limited opportunity to commit fraud, is more likely to behave honestly than one with weaker personal ethics, who is under high pressure and exposed to greater fraud opportunities. Research by forensic experts and academics has shown that the auditor’s evaluation of fraud is enhanced when the fraud triangle factors are considered.
PTS: 1

17. Distinguish between errors and irregularities. Which are of greatest concern to auditors?
ANS: Errors are unintentional mistakes, while irregularities are intentional misrepresentations to perpetrate a fraud or mislead users of financial statements. Errors are a concern if they are numerous or sizable enough to cause the financial statements to be materially misstated. All processes that involve human actions are highly susceptible to human error. Computer processes are subject to program errors, faulty systems operating procedures and system malfunction. Errors are typically easier to uncover than misrepresentations, thus auditors typically are more concerned about detecting all irregularities. Also, under SAS No. 99 and Sarbanes-Oxley, auditors are specifically charged with fraud detection.
PTS: 1