Accounting Information Systems, 6th edition, James A. Hall
COPYRIGHT © 2009 South-Western, a division of Cengage Learning. Cengage Learning and South-Western are trademarks used herein under license.
Objectives for Chapter 3
- Broad issues pertaining to business ethics
- Ethical issues related to the use of information technology
- Distinguish between management fraud and employee fraud
- Common types of fraud schemes
- Key features of the SAS 78 / COSO internal control framework
- Objectives and application of physical controls
Business Ethics
Why should we be concerned about ethics in the business world?
- Ethics are needed when conflicts arise: the need to choose
- In business, conflicts may arise between:
  - employees
  - management
  - stakeholders
- Litigation
Business Ethics
Business ethics involves finding the answers to two questions:
- How do managers decide on what is right in conducting their business?
- Once managers have recognized what is right, how do they achieve it?
Four Main Areas of Business Ethics
Computer Ethics
Computer ethics concerns the social impact of computer technology (hardware, software, and telecommunications).
What are the main computer ethics issues?
- Privacy
- Security: accuracy and confidentiality
- Ownership of property
- Equity in access
- Environmental issues
- Artificial intelligence
- Unemployment and displacement
- Misuse of computer
Legal Definition of Fraud
- False representation: false statement or disclosure
- Material fact: a fact must be substantial in inducing someone to act
- Intent to deceive must exist
- The misrepresentation must have resulted in justifiable reliance upon information, which caused someone to act
- The misrepresentation must have caused injury or loss
Factors that Contribute to Fraud

2004 ACFE Study of Fraud
- Loss due to fraud equal to 6% of revenues, approximately $660 billion
- Loss by position within the company:
- Other results: higher losses due to men, employees acting in collusion, and employees with advanced degrees
Enron, WorldCom, Adelphia: Underlying Problems
- Lack of Auditor Independence: auditing firms also engaged by their clients to perform nonaccounting activities
- Lack of Director Independence: directors who also serve on the boards of other companies, have a business trading relationship, have a financial relationship as stockholders or have received personal loans, or have an operational relationship as employees
- Questionable Executive Compensation Schemes: short-term stock options as compensation result in short-term strategies aimed at driving up stock prices at the expense of the firm's long-term health.
- Inappropriate Accounting Practices: a characteristic common to many financial statement fraud schemes.
  - Enron made elaborate use of special purpose entities
  - WorldCom transferred transmission line costs from current expense accounts to capital accounts
Sarbanes-Oxley Act of 2002
Its principal reforms pertain to:
- Creation of the Public Company Accounting Oversight Board (PCAOB)
- Auditor independence: more separation between a firm's attestation and non-auditing activities
- Corporate governance and responsibility: audit committee members must be independent and the audit committee must oversee the external auditors
- Disclosure requirements: increase issuer and management disclosure
- New federal crimes for the destruction of or tampering with documents, securities fraud, and actions against whistleblowers
Employee Fraud
- Committed by non-management personnel
- Usually consists of an employee taking cash or other assets for personal gain by circumventing a company's system of internal controls
Management Fraud
- Perpetrated at levels of management above the one to which the internal control structure relates
- Frequently involves using financial statements to create an illusion that an entity is more healthy and prosperous than it actually is
- If it involves misappropriation of assets, it frequently is shrouded in a maze of complex business transactions
Fraud Schemes
Three categories of fraud schemes according to the Association of Certified Fraud Examiners:
A. fraudulent statements
B. corruption
C. asset misappropriation
A. Fraudulent Statements
- Misstating the financial statements to make the copy appear better than it is
- Usually occurs as management fraud
- May be tied to focus on short-term financial measures for success
- May also be related to management bonus packages being tied to financial statements
B. Corruption
Examples:
- bribery
- illegal gratuities
- conflicts of interest
- economic extortion
Foreign Corrupt Practices Act of 1977:
- indicative of corruption in the business world
- impacted accounting by requiring accurate records and internal controls
C. Asset Misappropriation
- Most common type of fraud and often occurs as employee fraud
- Examples:
  - making charges to expense accounts to cover theft of an asset (especially cash)
  - lapping: using a customer's check from one account to cover theft from a different account
  - transaction fraud: deleting, altering, or adding false transactions to steal assets
Computer Fraud Schemes
- Theft, misuse, or misappropriation of assets by altering computer-readable records and files
- Theft, misuse, or misappropriation of assets by altering the logic of computer software
- Theft or illegal use of computer-readable information
- Theft, corruption, illegal copying, or intentional destruction of software
- Theft, misuse, or misappropriation of computer hardware
Using the general IS model, explain how fraud can occur at the different stages of information processing.
Data Collection Fraud
- This aspect of the system is the most vulnerable because it is relatively easy to change data as it is being entered into the system.
- Also, the GIGO (garbage in, garbage out) principle reminds us that if the input data is inaccurate, processing will result in inaccurate output.
Data Processing Fraud
Program Frauds:
- altering programs to allow illegal access to and/or manipulation of data files
- destroying programs with a virus
Operations Frauds:
- misuse of company computer resources, such as using the computer for personal business
Database Management Fraud
- Altering, deleting, corrupting, destroying, or stealing an organization's data
- Oftentimes conducted by disgruntled or ex-employees
Information Generation Fraud
- Stealing, misdirecting, or misusing computer output
- Scavenging: searching through the trash cans of the computer center for discarded output (the output should be shredded, but frequently is not)
Internal Control Objectives According to AICPA SAS
1. Safeguard assets of the firm
2. Ensure accuracy and reliability of accounting records and information
3. Promote efficiency of the firm's operations
4. Measure compliance with management's prescribed policies and procedures
Modifying Assumptions to the Internal Control Objectives
- Management Responsibility: The establishment and maintenance of a system of internal control is the responsibility of management.
- Reasonable Assurance: The cost of achieving the objectives of internal control should not outweigh its benefits.
- Methods of Data Processing: The techniques of achieving the objectives will vary with different types of technology.
Limitations of Internal Controls
- Possibility of honest errors
- Circumvention via collusion
- Management override
- Changing conditions, especially in companies with high growth
Exposures of Weak Internal Controls (Risk)
- Destruction of an asset
- Theft of an asset
- Corruption of information
- Disruption of the information system
The Internal Controls Shield
[Figure: Preventive, Detective, and Corrective Controls. Undesirable events pass through successive levels of control: preventive, then detective, then corrective.]
SAS 78 / COSO
Describes the relationship between the firm's internal control structure, the auditor's assessment of risk, and the planning of audit procedures.
How do these three interrelate?
- The weaker the internal control structure, the higher the assessed level of risk; the higher the risk, the more auditor procedures applied in the audit.
Five Internal Control Components: SAS 78 / COSO
1. Control environment
2. Risk assessment
3. Information and communication
4. Monitoring
5. Control activities
1: The Control Environment
- Integrity and ethics of management
- Organizational structure
- Role of the board of directors and the audit committee
- Management's policies and philosophy
- Delegation of responsibility and authority
- Performance evaluation measures
- External influences: regulatory agencies
- Policies and practices managing human resources
2: Risk Assessment
Identify, analyze, and manage risks relevant to financial reporting:
- changes in the external environment
- risky foreign markets
- significant and rapid growth that strains internal controls
- new product lines
- restructuring, downsizing
- changes in accounting policies
3: Information and Communication
The AIS should produce high quality information which:
- identifies and records all valid transactions
- provides timely information in appropriate detail to permit proper classification and financial reporting
- accurately measures the financial value of transactions
- accurately records transactions in the time period in which they occurred
Information and Communication
Auditors must obtain sufficient knowledge of the IS to understand:
- the classes of transactions that are material
- how these transactions are initiated [input]
- the associated accounting records and accounts used in processing [input]
- the transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements [process]
- the financial reporting process used to compile financial statements, disclosures, and estimates [output]
[The bracketed tags, shown in red on the original slide, mark the relationship to the general AIS model.]
4: Monitoring
The process for assessing the quality of internal control design and operation
[This is feedback in the general AIS model.]
- Separate procedures: test of controls by internal auditors
- Ongoing monitoring:
  - computer modules integrated into routine operations
  - management reports which highlight trends and exceptions from normal performance
[The bracketed tag, shown in red on the original slide, marks the relationship to the general AIS model.]
5: Control Activities
- Policies and procedures to ensure that the appropriate actions are taken in response to identified risks
- Fall into two distinct categories:
  - IT controls: relate specifically to the computer environment
  - Physical controls: primarily pertain to human activities
Two Types of IT Controls
- General controls: pertain to the entity-wide computer environment
  - Examples: controls over the data center, organization databases, systems development, and program maintenance
- Application controls: ensure the integrity of specific systems
  - Examples: controls over sales order processing, accounts payable, and payroll applications
Six Types of Physical Controls
- Transaction Authorization
- Segregation of Duties
- Supervision
- Accounting Records
- Access Control
- Independent Verification
Physical Controls: Transaction Authorization
- used to ensure that employees are carrying out only authorized transactions
- general (everyday procedures) or specific (nonroutine transactions) authorizations
Physical Controls: Segregation of Duties
- In manual systems, separation between:
  - authorizing and processing a transaction
  - custody and recordkeeping of the asset
  - subtasks
- In computerized systems, separation between:
  - program coding
  - program processing
  - program maintenance
Physical Controls: Supervision
- a compensation for lack of segregation; some may be built into computer systems
Physical Controls: Accounting Records
- provide an audit trail
Physical Controls: Access Controls
- help to safeguard assets by restricting physical access to them
Physical Controls: Independent Verification
- reviewing batch totals or reconciling subsidiary accounts with control accounts
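As an added example (not from Hall's slides) of what independent verification looks like in code: batch control totals are recomputed from the records actually received and compared with the transmittal, and the accounts receivable subsidiary ledger is reconciled to its control account. All account numbers, amounts and transmittal values are constructed.

```python
"""Added example (not from Hall's slides): independent verification checks."""
from decimal import Decimal

# Constructed batch of cash receipts: (customer account number, amount).
BATCH = [
    ("1001", Decimal("250.00")),
    ("1002", Decimal("125.50")),
    ("1003", Decimal("600.00")),
]
# Control totals written on the batch transmittal by whoever prepared the
# batch; the check only has value if that person is not the one posting it.
BATCH_HEADER = {
    "record_count": 3,
    "financial_total": Decimal("975.50"),
    "hash_total": 3006,   # sum of the account numbers, meaningless by itself
}

def compute_batch_totals(batch):
    """Recompute the three control totals from the records actually received."""
    return {
        "record_count": len(batch),
        "financial_total": sum((amt for _, amt in batch), Decimal("0")),
        # A hash total catches a changed, dropped or substituted account
        # number that leaves the count and the dollar total unchanged.
        "hash_total": sum(int(acct) for acct, _ in batch),
    }

def verify_batch(batch, header):
    """Return the names of control totals that disagree; [] means clean."""
    actual = compute_batch_totals(batch)
    return [name for name, expected in header.items() if expected != actual[name]]

# Constructed accounts receivable subsidiary ledger and its control account.
SUBSIDIARY_AR = {"1001": Decimal("1000.00"), "1002": Decimal("350.25"),
                 "1003": Decimal("0.00")}
AR_CONTROL_BALANCE = Decimal("1350.25")

def reconcile_control_account(subsidiary, control_balance):
    """Subsidiary total minus control balance; zero means the ledgers agree."""
    return sum(subsidiary.values(), Decimal("0")) - control_balance

if __name__ == "__main__":
    print(verify_batch(BATCH, BATCH_HEADER))               # []
    # Same count and dollars, one receipt posted to another account (lapping):
    moved = [("1004", Decimal("250.00"))] + BATCH[1:]
    print(verify_batch(moved, BATCH_HEADER))               # ['hash_total']
    print(reconcile_control_account(SUBSIDIARY_AR, AR_CONTROL_BALANCE))  # 0.00
```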
Nested Control Objectives for Transactions
[Figure: Control Objective 1 separates authorization from processing; Control Objective 2 separates custody from recording; Control Objective 3 separates subtasks (Task 1, Task 2) within custody and within recording.]
Physical Controls in IT Contexts: Transaction Authorization
- The rules are often embedded within computer programs.
- EDI/JIT: automated re-ordering of inventory without human intervention
Physical Controls in IT Contexts: Segregation of Duties
- A computer program may perform many tasks that are deemed incompatible. Thus the crucial need to separate program development, program operations, and program maintenance.
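As an added illustration (not from Hall's slides) covering both the manual and the IT-context segregation-of-duties slides above: the incompatible duty pairs become a conflict table that is applied two ways, as a detective review of existing assignments and as a preventive check when a new duty is about to be granted. The user names, duty labels and assignments are constructed.

```python
"""Added example (not from Hall's slides): a segregation-of-duties check."""
from itertools import combinations

# Duty pairs the slides call incompatible. Manual cycle: authorizing vs.
# processing a transaction, custody vs. recordkeeping of the asset.
# Computerized: program coding, processing and maintenance kept apart.
CONFLICTS = {
    frozenset({"authorize", "process"}),
    frozenset({"custody", "record"}),
    frozenset({"program_coding", "program_processing"}),
    frozenset({"program_coding", "program_maintenance"}),
    frozenset({"program_processing", "program_maintenance"}),
}

# Constructed (hypothetical) user-to-duty assignments.
ASSIGNMENTS = {
    "alice": {"authorize", "record"},
    "bob":   {"process", "custody", "record"},           # custody + record
    "carol": {"program_coding", "program_maintenance"},  # coding + maintenance
    "dave":  {"program_processing"},
}

def find_sod_violations(assignments, conflicts=CONFLICTS):
    """Detective check: {user: sorted conflicting duty pairs} for users
    whose current duties already include an incompatible pair."""
    violations = {}
    for user, duties in assignments.items():
        hits = [tuple(sorted(pair)) for pair in combinations(sorted(duties), 2)
                if frozenset(pair) in conflicts]
        if hits:
            violations[user] = sorted(hits)
    return violations

def can_grant(assignments, user, duty, conflicts=CONFLICTS):
    """Preventive check at provisioning time: the conflicts that granting
    `duty` to `user` would create (empty list means the grant is clean)."""
    held = assignments.get(user, set())
    return sorted(tuple(sorted((duty, h))) for h in held
                  if frozenset({duty, h}) in conflicts)

if __name__ == "__main__":
    print(find_sod_violations(ASSIGNMENTS))
    print(can_grant(ASSIGNMENTS, "alice", "process"))   # alice already authorizes
    print(can_grant(ASSIGNMENTS, "dave", "record"))     # no conflict
```

Supervision, as the slides note, is the compensating control where a small staff cannot keep every conflicting pair apart; the detective check tells the supervisor exactly which pairs need that attention.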
Physical Controls in IT Contexts: Supervision
- The ability to assess competent employees becomes more challenging due to the greater technical knowledge required.
Physical Controls in IT Contexts: Accounting Records
- ledger accounts and sometimes source documents are kept magnetically
- no audit trail is readily apparent
Physical Controls in IT Contexts: Access Control
- Data consolidation exposes the organization to computer fraud and excessive losses from disaster.
Physical Controls in IT Contexts: Independent Verification
- When tasks are performed by the computer rather than manually, an independent check of each task is not necessary. However, the programs themselves are checked.