
Chapter 3 : Fraud, Ethics, and Internal Control

Need for a Code of Ethics and Internal Controls


When management is unethical, fraud is likely to occur, and there is a risk of: unauthorized
transactions (transactions that do not follow the company's procedures) | Errors | Fraud

Management obligations:

► Stewardship

► Provide accurate reports.

► Maintain internal controls.

► Enforce a code of ethics.

Stewardship: you take care of the assets that you are entrusted with (you try to use the funds you are
entrusted with in a diligent way).

I - Accounting Related Fraud


Fraud - theft, concealment, and conversion to personal gain of another’s money, physical assets, or
information.

► Misappropriation of Assets - defalcation or internal theft.


► Misstatement of Financial Records - earnings management or fraudulent financial reporting.

The fraud triangle is based on psychology: all three elements must be present, and if one element is absent the fraud cannot occur.

- Incentive (pressure): financial pressure, the thrill of computer hacking, etc.

- Opportunity: fraud opportunities arise from internal control weaknesses (it is a perceived opportunity;
it may not be an actual opportunity)
- Rationalization: poor moral attitude (finding excuses to justify fraudulent behavior)
► Reducing opportunities is the most effective way to combat fraud.
Categories of Accounting-Related Fraud:

The Nature of Management Fraud


Management Fraud is usually in the form of fraudulent financial reporting.

Managers misstate financial statements in order to obtain:

1. An increased stock price.

2. Improved-looking financial statements.

3. Enhanced chances of promotion, or avoidance of firing or demotion.

4. Increased incentive-based compensation.

5. A delay of cash flow problems or bankruptcy.

► Management fraud is the most dangerous category of fraud.

► Management override: top managers circumvent (ignore) controls.

Management fraud may involve: overstating revenues and assets / understating expenses and
liabilities / misapplying accounting principles.

Cookie jar reserves: in a good year, management records excess liabilities and expenses for events that
will occur next year, creating a "jar" of reserves; in a later, weaker year it changes its mind and reverses
those allowances as a recovery, boosting reported profit. Cookie jar reserves therefore refer to a company's
practice of storing away excess reserves from good financial periods by overestimating future liabilities
and expenses, which can later be reversed to boost profits as needed.
The Nature of Employee Fraud
Employee Fraud usually means that an employee steals cash or assets for personal gain.

Kinds of Employee Fraud:

1. Inventory theft : An employee in a clothing store might ring up a purchase for a friend or
family member, but pocket the cash instead of putting it in the register.

2. Cash receipts theft : A waiter or waitress at a restaurant might void out bills for
customers they know, and keep the cash payment for themselves.

3. Accounts payable fraud : An employee in the purchasing department might create a
fake invoice from a vendor they made up, and then pay the invoice to themselves.

4. Payroll fraud : An employee in the human resources department might submit fake
timecards for themselves or for employees who are no longer with the company, and
collect the unearned wages.

5. Expense account fraud : An employee might submit false or inflated expense reports for
personal expenses, such as meals or travel, and get reimbursed by their employer.

Kickback: A kickback is a bribe or illegal payment made in exchange for a favor or special treatment. For
example, a company executive might give a kickback to a government official in order to win a contract.

Collusion: Collusion is an agreement between two or more people to act in a way that harms others. For
example, two companies might collude to fix prices, which means that they agree to charge the same
high price for their products, even though they could charge less if they competed with each other.

For cash theft there are two cases: skimming and larceny.

Skimming : cash is stolen before it is recorded (e.g. in a movie theater the ticket seller can take your
money and let you in without issuing a ticket, keeping the money for himself).

Larceny : cash is stolen after it is recorded.

► Skimming is more difficult to detect than larceny, because the stolen cash never enters the records that
controls compare against.

The Nature of Customer Fraud


Customer Fraud occurs when a customer improperly obtains cash or property from a company, or avoids
a liability through deception.

Kinds of Customer Fraud:

1. Credit card fraud : someone uses a stolen credit card number to make unauthorized purchases
online.
2. Check fraud : someone writes a check on a closed account or forges a signature on a check.
3. Refund fraud : someone buys an item, uses it, and then returns it for a refund even though they
are not eligible for one.
The Nature of Vendor Fraud
Vendor Fraud occurs when vendors obtain payments to which they are not entitled.

Vendors may:
1. Submit duplicate or incorrect invoices.
2. Send shipments in which the quantities are short.
3. Send lower-quality goods than ordered.

The Nature of Computer Fraud


Computer Fraud may include:

1. Industrial espionage : This refers to the illegal stealing of trade secrets or other
confidential business information. An example of this would be a hacker stealing a
company's product designs or manufacturing processes.
2. Software piracy : This refers to the illegal copying or distribution of copyrighted
software.

Internal Sources of Computer Fraud:

1. Input manipulation : you alter the information when you input it.

2. Program manipulation :
a) Salami technique: companies that work with interest rates are exposed to the
salami technique. The fractions of a cent that result from rounding down interest
computations (very small amounts per account) are diverted and accumulate in the
account of the fraudster.
b) Trojan horse programs : a program that looks legitimate but contains hidden code that
executes fraudulent activities.
c) Trap door alterations : a hidden entry point (backdoor) that lets the programmer get into
the software he creates while bypassing its normal controls. (Trap doors are normal during
the development of the software, but when the software is sold to a company, for
example, there must be no trap doors left that the programmer can exploit.)

3. Output manipulation : insiders alter or falsify computer-generated data or reports to benefit
illicitly or to conceal unauthorized activities.
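As an added example (not from these notes), the Python below models the salami technique beside the legitimate interest routine, then runs the independent recalculation that catches it. The account ids, balances, the rate and the fraud account X9999 are constructed for the example. It also shows why the fraud is hard to spot: the total interest posted still reconciles to the cent, so the check must recompute per account and verify every credited account against the customer master file.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")

# Constructed customer master file: (account_id, balance). Not from the notes.
ACCOUNTS = [
    ("A1001", Decimal("1234.56")),
    ("A1002", Decimal("987.65")),
    ("A1003", Decimal("2500.00")),
    ("A1004", Decimal("333.33")),
    ("A1005", Decimal("10000.99")),
]
RATE = Decimal("0.005")      # assumed 0.5 % periodic interest rate
FRAUD_ACCOUNT = "X9999"      # hypothetical account controlled by the fraudster


def post_interest_honest(accounts, rate):
    """Legitimate routine: each credit is rounded once, to the nearest cent."""
    return {acct: (bal * rate).quantize(CENT, rounding=ROUND_HALF_EVEN)
            for acct, bal in accounts}


def post_interest_salami(accounts, rate, fraud_account=FRAUD_ACCOUNT):
    """Manipulated routine: every credit is truncated (rounded down) and the
    shaved fractions of a cent are accumulated into the fraudster's account."""
    credits = {}
    shaved = Decimal("0")
    for acct, bal in accounts:
        exact = bal * rate
        paid = exact.quantize(CENT, rounding=ROUND_DOWN)
        credits[acct] = paid
        shaved += exact - paid          # a fraction of a cent per account
    credits[fraud_account] = shaved.quantize(CENT, rounding=ROUND_DOWN)
    return credits


def audit_interest_run(accounts, rate, credits):
    """Independent check (detective control): recompute the run from the master
    file and compare at three levels: run total, account existence, and
    per-account amount. Only the last two expose the salami."""
    master = {acct: bal for acct, bal in accounts}
    expected = post_interest_honest(accounts, rate)
    total_expected = sum((bal * rate for bal in master.values()),
                         Decimal("0")).quantize(CENT, rounding=ROUND_HALF_EVEN)
    total_posted = sum(credits.values(), Decimal("0"))
    unknown = sorted(a for a in credits if a not in master)
    mismatched = sorted(a for a in master if credits.get(a) != expected[a])
    return {
        "total_posted": total_posted,
        "total_expected": total_expected,
        "unknown_accounts": unknown,       # credits to accounts not in the master file
        "mismatched_accounts": mismatched, # credits that differ from the recomputation
    }


if __name__ == "__main__":
    for name, run in (("honest", post_interest_honest(ACCOUNTS, RATE)),
                      ("salami", post_interest_salami(ACCOUNTS, RATE))):
        print(name, audit_interest_run(ACCOUNTS, RATE, run))
```

A control that only compares the run total with an independent total passes both runs: the diverted fractions add up to exactly the amount the honest run would have paid. The per-account recomputation and the master-file check are what expose the manipulated program.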

External Sources of Computer Fraud:

In most cases computer fraud from external sources is conducted by someone outside the company who has
gained unauthorized access to the computer.

Two Common Types:

1. Hacking : gaining unauthorized access to a computer system. A Denial of Service (DoS) attack disrupts a
system's normal operations, typically by overwhelming it with requests; it does not require access to the system.
2. Spoofing : e.g. receiving an email that pretends to be sent by a trusted source (junk mail, phishing).
Internet spoofing (impersonating a website or network address) is more serious than email spoofing.

Policies to Assist in the Avoidance of Fraud and Errors

Actions to assist in prevention or detection of fraud and errors:

1. Maintain and enforce a code of ethics.

2. Maintain a system of accounting internal controls.

3. Maintain a system of information technology controls.

II - Maintenance of Accounting Internal Controls


Objectives of an internal control system are:

1. Safeguard assets (from fraud or errors).

2. Maintain accuracy and integrity of accounting data.

3. Promote operational efficiency.

4. Ensure compliance with management directives.

Three types of controls:

• Preventive controls: controls designed to avoid errors, fraud or events not authorized by
management; preventive controls intend to stop undesirable events before they occur.

• Detective controls: controls intended to uncover or discover errors, fraud or unauthorized
events that could not be avoided by preventive controls.

• Corrective controls: steps undertaken to correct an error or recover from a problem uncovered
via detective controls.

COSO Framework (committee of sponsoring organizations) : The COSO framework is widely recognized
and used as a leading framework for designing, implementing, and assessing the effectiveness of internal
control and for managing and mitigating risks in organizations. It provides a structured approach to help
organizations ensure that they achieve their objectives related to operations, reporting, and compliance.

COSO's five sponsoring organizations:

AICPA : American Institute of Certified Public Accountants

IMA : Institute of Management Accountants

AAA : American Accounting Association

IIA : Institute of Internal Auditors

FEI : Financial Executives International

► These 5 institutions play a crucial role in shaping, promoting, and supporting the COSO
framework. They act as bridges connecting the framework with professionals and organizations
worldwide, ensuring its continued relevance and impact on improving internal control practices.
COSO Report - 5 components of internal control: control environment, risk assessment, control activities,
information and communication, monitoring.

Internal control weakness = fraud opportunities

Internal control (COSO) is seen as a system that depends on all 5 components. These components are not
equally important: the control environment is the foundation on which the other four rest.

The control environment :

"The control environment sets the tone for the control." A riskier environment → a control environment
with a higher likelihood of fraud, errors and unauthorized transactions. Top management is responsible for
all the factors.

"Tone at the top" = the tone conveyed by top managers (defined as the most important element of internal
controls).

The control environment is the foundation of internal controls, on which the other four components rest →
risk assessment, control activities, information and communication, monitoring.
Risk Assessment :
Management must develop a way to:

1. Specify the relevant objectives of the risk assessment process.

2. Identify the sources of risks and determine the impact of such risks in terms of finances and
reputation.

3. Identify and analyze significant changes in the business.

4. Develop and execute an action plan to reduce the impact and probability of these risks.

Internal controls are one risk response among others.

Risk = expected loss at a certain probability → Risk = Impact x Probability (assessed against a materiality threshold)

Risk responses:

- Ignore the risk if its probability is low

- Accept the risk

- Transfer or share the risk (e.g. an insurance contract)

- Implement control activities

► Control activities are a risk response.

Control Activities :
1. Authorization of transactions

2. Segregation of duties

3. Adequate records and documents : adequate documentation means capturing the relevant information

4. Security of assets and documents : security of documents is about their physical safety and access

5. Independent checks and reconciliation

1) Authorization of transactions

a. General authorization : most transactions occur within the general authorization (normal
processes) (e.g. completing a sale / purchasing supplies).

b. Specific authorization : occurs when, within a normal process, there is an additional risk.

(e.g. a cashier scans the products and you pay for them; this is general authorization. But if, after
paying, you decide to cancel the sale, another agent with more authority needs to intervene; this is
specific authorization.)

► Most operations don't need specific authorization from another level of management.
2) Segregation of Duties : the basic key control against fraud

A transaction involves three functions: it must be authorized, it must be recorded, and the related
assets must be held in custody. These three functions should be in different hands.
Custody : handling assets like cash, inventory, fixed assets…
Fraud : 1) Theft (or misstatement) / 2) Concealment of the theft / 3) Conversion to personal gain

(Continuing the cashier example above: if you remove the authorization function from the employee, so
that he cannot authorize the transaction in that particular case, he is less likely to find an
opportunity to commit fraud.)

► Segregation of duties depends on the size of the company and the extent of IT enablement.

If a key control is lacking there must be a compensating control.


Invoiceless system (evaluated receipt settlement, ERS): you evaluate the goods received and pay
immediately without waiting for an invoice. It is less costly and easier, but it removes a key control item,
the invoice. This system is used with well-trusted suppliers and for transactions with predetermined
prices (long-term contracts / pre-established prices / trained receiving personnel → these are the
compensating controls).
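As an added example, not from the notes, the following Python checks segregation of duties at two levels: a preventive check on the role design (anyone whose roles together grant two or more of authorize / record / custody can both commit and conceal) and a detective check on a transaction log (voids and refunds need specific authorization, so the approver must be neither the recorder nor the cash handler; ordinary sales fall under general authorization and are not checked). The roles, users and transactions are constructed for the example.

```python
# The three functions that should be in different hands (from the notes).
AUTHORIZE, RECORD, CUSTODY = "authorize", "record", "custody"

# Constructed role design for a small retail store; assumed, not from the notes.
ROLE_FUNCTIONS = {
    "cashier":       {CUSTODY},                     # handles cash in the register
    "shift_manager": {AUTHORIZE},                   # approves voids and refunds
    "bookkeeper":    {RECORD},                      # posts the day's sales to the ledger
    "store_owner":   {AUTHORIZE, RECORD, CUSTODY},  # small company: one person does it all
}
USERS = {
    "alice": {"cashier"},
    "bob":   {"shift_manager"},
    "carol": {"bookkeeper", "cashier"},   # two roles that together break segregation
    "dave":  {"store_owner"},
}

# Transaction kinds that need specific (not general) authorization.
SPECIFIC_AUTH = {"void", "refund", "write_off"}

# Constructed transaction log: who performed each function.
TRANSACTIONS = [
    {"id": "T1", "kind": "sale",   "amount": 40.00,
     "authorized_by": "alice", "recorded_by": "alice", "custody_by": "alice"},
    {"id": "T2", "kind": "void",   "amount": 40.00,
     "authorized_by": "bob",   "recorded_by": "alice", "custody_by": "alice"},
    {"id": "T3", "kind": "void",   "amount": 75.00,
     "authorized_by": "alice", "recorded_by": "alice", "custody_by": "alice"},
    {"id": "T4", "kind": "refund", "amount": 120.00,
     "authorized_by": "dave",  "recorded_by": "dave",  "custody_by": "dave"},
]


def effective_functions(user, users=USERS, roles=ROLE_FUNCTIONS):
    """Union of the functions granted through all of a user's roles."""
    funcs = set()
    for role in users.get(user, ()):
        funcs |= roles[role]
    return funcs


def static_sod_conflicts(users=USERS, roles=ROLE_FUNCTIONS):
    """Preventive check on the role design: a user holding two or more of the
    three functions is a segregation conflict (needs a compensating control)."""
    conflicts = {}
    for user in users:
        funcs = effective_functions(user, users, roles)
        if len(funcs) >= 2:
            conflicts[user] = sorted(funcs)
    return conflicts


def transaction_sod_violations(transactions=TRANSACTIONS, specific_auth=SPECIFIC_AUTH):
    """Detective check on what actually happened: for transactions that need
    specific authorization, the approver must be neither the recorder nor the
    person holding the asset."""
    violations = []
    for tx in transactions:
        if tx["kind"] not in specific_auth:
            continue                      # general authorization: not checked here
        approver = tx["authorized_by"]
        if approver in (tx["recorded_by"], tx["custody_by"]):
            violations.append(tx["id"])
    return violations


if __name__ == "__main__":
    print("role design conflicts:", static_sod_conflicts())
    print("transactions violating SoD:", transaction_sod_violations())
```

T1 is an ordinary sale under general authorization and passes. T2 is a void approved by the shift manager and passes. T3 is a void the cashier approved herself, and T4 is a refund the owner approved, recorded and paid out alone; both are the pattern the notes warn about, and the static check already flags dave (and carol) before any transaction is processed.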

3) Adequate Records and Documents :


a. Supporting documentation for all significant transactions : Proof that important financial
activities occurred, and how much they cost. Examples of supporting documentation include
invoices, receipts, contracts, and bank statements.

b. Schedules and analyses of financial information : Extra details about financial
information, beyond what main reports show. For example, a schedule of accounts receivable
might list each customer's outstanding balance, while an analysis of inventory turnover might
show how many times inventory is sold and replaced over a period of time.

c. Accounting cycle reports : These are reports that are generated at various stages of the
accounting cycle. For example, a trial balance is a report that lists all of the accounts in the
general ledger and their balances at a particular point in time.

d. Audit Trail : This is a record of the steps that were taken to process a transaction. The audit trail
allows auditors to trace a transaction from its origin to its final destination in the accounting
records.
4) Security of Assets and documents :

a. Protecting physical assets : Measures taken to safeguard property and equipment from loss,
damage, or theft.

b. Protecting information : Safeguards put in place to prevent unauthorized
access, use, disclosure, disruption, modification, or destruction of sensitive data.

c. Cost-benefit comparison : Evaluating the potential costs of implementing a control activity
against the potential benefits it provides in terms of risk mitigation.

5) Independent Checks and Reconciliation :

Procedures:

I. Reconciliation : comparing information from two different sources that must agree (give the
same result).
II. Comparison of physical assets with records
III. Recalculation of amounts
IV. Analysis of reports
V. Review of batch totals

(These procedures are just an example)
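Added example, not from the notes: a review of batch totals and a journal-to-bank reconciliation in Python over constructed records. The batch header holds the totals the receipts clerk computed before data entry; a mis-keyed amount on R103 shows up in the control total while the record count and hash total still agree. The reconciliation flags a receipt that was recorded but never deposited (the larceny pattern) and an amount difference between the two sources. Cash skimmed before it is recorded appears in neither source, which is why this check catches larceny but not skimming.

```python
from decimal import Decimal

# Constructed cash receipts journal (internal record). Not from the notes.
JOURNAL = [
    {"ref": "R101", "customer": 1001, "amount": Decimal("1200.00")},
    {"ref": "R102", "customer": 1002, "amount": Decimal("350.75")},
    {"ref": "R103", "customer": 1003, "amount": Decimal("980.00")},
    {"ref": "R104", "customer": 1004, "amount": Decimal("125.50")},
    {"ref": "R105", "customer": 1005, "amount": Decimal("2000.00")},
]

# Constructed batch header: totals computed by the clerk before data entry.
BATCH_HEADER = {"count": 5, "control_total": Decimal("4656.25"), "hash_total": 5015}

# Constructed bank statement deposits (independent external source).
BANK_DEPOSITS = [
    {"ref": "R101", "amount": Decimal("1200.00")},
    {"ref": "R102", "amount": Decimal("305.75")},   # transposed digits on the deposit slip
    {"ref": "R104", "amount": Decimal("125.50")},
    {"ref": "R105", "amount": Decimal("2000.00")},  # R103 was recorded but never deposited
]


def batch_totals(records):
    """Record count, control total (money) and hash total of a non-financial
    field (customer number) whose sum is meaningless except as a check."""
    return {
        "count": len(records),
        "control_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(r["customer"] for r in records),
    }


def check_batch(records, header):
    """Review of batch totals: return every total that disagrees with the
    header as (expected, actual). Empty dict means the batch balances."""
    actual = batch_totals(records)
    return {k: (header[k], actual[k]) for k in header if header[k] != actual[k]}


def with_input_error(journal, ref, amount):
    """Simulate input manipulation / a keying error on one record."""
    return [dict(r, amount=amount) if r["ref"] == ref else r for r in journal]


def reconcile(journal, bank):
    """Reconciliation of two sources that must agree, matched on reference."""
    j = {r["ref"]: r["amount"] for r in journal}
    b = {r["ref"]: r["amount"] for r in bank}
    return {
        "recorded_not_deposited": sorted(j.keys() - b.keys()),
        "deposited_not_recorded": sorted(b.keys() - j.keys()),
        "amount_differences": sorted((ref, j[ref], b[ref])
                                     for ref in j.keys() & b.keys() if j[ref] != b[ref]),
    }


if __name__ == "__main__":
    print("clean batch:", check_batch(JOURNAL, BATCH_HEADER))
    bad = with_input_error(JOURNAL, "R103", Decimal("890.00"))
    print("mis-keyed batch:", check_batch(bad, BATCH_HEADER))
    print("reconciliation:", reconcile(JOURNAL, BANK_DEPOSITS))
```

The hash total adds no information about money; it exists so that a record whose amount is right but whose customer number was changed, or a record dropped and replaced by another, still breaks the batch. The reconciliation reports the missing deposit and the 45.00 difference on R102 for follow-up; it cannot say which source is right, only that they disagree.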

Information and Communication :


An effective accounting system must:

1. Identify all relevant financial events and transactions.

2. Capture the important data of these transactions.

3. Record and process the data through appropriate classification, summarization, and
aggregation.

4. Communicate this summarized and aggregated information as needed for internal and
external purposes.

Monitoring :
1. Any system of control must be constantly monitored to assure that it continues to be
effective: continuous monitoring
2. Monitoring such as internal and external audits occurs on a regular periodic basis: periodic
monitoring
Reasonable Assurance of Internal Controls:
Controls achieve a sensible balance of reducing risk when compared with the cost of the control.

Not possible to provide absolute assurance, because:

► Flawed judgments are applied in decision making.

► Human error exists in every organization.

► Controls can be circumvented or ignored.

► Controls may not be cost beneficial.

Internal controls provide reasonable assurance, not absolute assurance, against risk.
