Chapter 3 AIS
Management obligations:
► Stewardship
Stewardship: you take care of the assets that you are entrusted with (you try to use the funds you are
entrusted with in a diligent way).
The fraud triangle is based on psychology: if one of its elements is absent, the fraud cannot occur.
Cookie jar reserves: you create a "jar" of profits by booking a lot of liabilities and expenses that will occur
next year; then, next year, you change your mind and recover those allowances. Cookie jar reserves refer
to a company's practice of storing away excess reserves from good financial periods by overestimating
future liabilities and expenses, which can later be reversed to boost profits as needed.
The Nature of Employee Fraud
Employee Fraud usually means that an employee steals cash or assets for personal gain.
1. Inventory theft: an employee in a clothing store might ring up a purchase for a friend or
family member, but pocket the cash instead of putting it in the register.
2. Cash receipts theft: a waiter or waitress at a restaurant might void out bills for
customers they know, and keep the cash payment for themselves.
4. Payroll fraud: an employee in the human resources department might submit fake
timecards for themselves or for employees who are no longer with the company, and
collect the unearned wages.
5. Expense account fraud: an employee might submit false or inflated expense reports for
personal expenses, such as meals or travel, and get reimbursed by their employer.
Kickback: A kickback is a bribe or illegal payment made in exchange for a favor or special treatment. For
example, a company executive might give a kickback to a government official in order to win a contract.
Collusion: Collusion is an agreement between two or more people to act in a way that harms others. For
example, two companies might collude to fix prices, which means that they agree to charge the same
high price for their products, even though they could charge less if they competed with each other.
For cash theft there are two cases: larceny and skimming.
Skimming: cash is stolen before it is recorded (example: in a movie theater the ticket seller can
take your money and let you in without issuing a ticket, keeping the money for himself).
1. Credit card fraud: someone uses a stolen credit card number to make unauthorized purchases
online.
2. Check fraud: someone writes a check on a closed account or forges a signature on a check.
3. Refund fraud: someone buys an item, uses it, and then returns it for a refund even though they
are not eligible for one.
The Nature of Vendor Fraud
Vendor Fraud occurs when vendors obtain payments to which they are not entitled.
Vendors may:
1. Submit duplicate or incorrect invoices.
2. Send shipments in which the quantities are short.
3. Send lower-quality goods than ordered.
1. Industrial espionage: the illegal stealing of trade secrets or other confidential business
information. An example would be a hacker stealing a company's product designs or
manufacturing processes.
2. Software piracy: the illegal copying or distribution of copyrighted software.
1. Input manipulation: you alter the information when you input it.
2. Program manipulation:
a) Salami technique: companies that compute with interest rates are exposed to the
salami technique. The fractions of a cent that result from rounding down when
computing interest (very small amounts per account) are accumulated in the account
of the fraudster.
b) Trojan horse programs: a seemingly legitimate program that contains hidden code that
executes fraudulent activities.
c) Trap door alterations: a hidden entry point that lets the programmer get back into the
software he creates. (Trap doors are normal during the development of the software,
but when the software is sold to a company, for example, there must be no trap doors
left that the programmer can exploit.)
3. Output manipulation: in internal computer fraud, insiders alter or falsify computer-generated
data or reports to benefit illicitly or to conceal unauthorized activities.
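The salami technique above is caught by the "recalculation of amounts" and "review of batch totals" procedures listed later in these notes. The following is an added example (not from the course or its slides) of such a detective control on a constructed set of accounts: honest posting rounds each credit down to the cent and books the leftover fractions to a designated suspense account (a hypothetical name), and the audit recomputes every credit independently. A helper simulates the manipulation only so the control can be exercised.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
# Constructed sample: account id -> balance; monthly interest rate 0.5 %
ACCOUNTS = {"A-1001": Decimal("1234.56"), "A-1002": Decimal("987.65"),
            "A-1003": Decimal("10500.00"), "A-1004": Decimal("333.33")}
RATE = Decimal("0.005")
ROUNDING_ACCOUNT = "SUSPENSE-ROUNDING"  # hypothetical suspense account name


def exact_interest(accounts, rate):
    """Interest per account before rounding to whole cents."""
    return {acct: bal * rate for acct, bal in accounts.items()}


def post_interest(accounts, rate):
    """Honest posting: each account is credited with its interest rounded
    DOWN to the cent; the leftover fractions go to the rounding account."""
    exact = exact_interest(accounts, rate)
    postings = {a: v.quantize(CENT, rounding=ROUND_DOWN) for a, v in exact.items()}
    residue = sum(exact.values()) - sum(postings.values())
    postings[ROUNDING_ACCOUNT] = residue.quantize(CENT, rounding=ROUND_HALF_UP)
    return postings


def divert_residue(postings, target):
    """Simulates the salami manipulation so the control can be tested:
    the rounding residue is silently moved into one chosen account."""
    tampered = dict(postings)
    tampered[target] += tampered.pop(ROUNDING_ACCOUNT)
    return tampered


def audit_postings(accounts, rate, postings):
    """Detective control: recalculate every credit independently, check the
    batch total, and allow residue only in the rounding account.
    Returns a list of findings; an empty list means the batch reconciles."""
    exact = exact_interest(accounts, rate)
    findings = []
    for acct, value in exact.items():
        expected = value.quantize(CENT, rounding=ROUND_DOWN)
        if postings.get(acct) != expected:
            findings.append(f"{acct}: posted {postings.get(acct)}, expected {expected}")
    total_exact = sum(exact.values()).quantize(CENT, rounding=ROUND_HALF_UP)
    if sum(postings.values()) != total_exact:
        findings.append(f"batch total {sum(postings.values())} != {total_exact}")
    for acct in postings:
        if acct not in accounts and acct != ROUNDING_ACCOUNT:
            findings.append(f"unexpected account in batch: {acct}")
    return findings
```

Note that the batch total alone does not reveal the diversion, because the total interest paid out is unchanged; only the per-account recalculation flags the account that received the residue.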
In most cases external computer fraud is conducted by someone outside the company who has gained
unauthorized access to the computer.
1. Hacking: gaining unauthorized access to a computer system. A Denial of Service (DoS) attack
disrupts a system's normal operations, typically by overwhelming it with requests.
2. Spoofing: when you receive an email that pretends to have been sent by a trusted source (junk mail).
Internet spoofing is more serious than email spoofing.
• Preventive controls: controls designed to avoid errors, fraud or events not authorized by
management; preventive controls intend to stop undesirable events before they occur.
• Corrective controls: steps undertaken to correct an error or recover from a problem uncovered
via detective controls.
COSO Framework (Committee of Sponsoring Organizations): the COSO framework is widely recognized
and used as a leading framework for designing, implementing, and assessing the effectiveness of internal
control and for managing and mitigating risks in organizations. It provides a structured approach to help
organizations ensure that they achieve their objectives related to operations, reporting, and compliance.
These 5 institutions play a crucial role in shaping, promoting, and supporting the COSO
framework. They act as bridges connecting the framework with professionals and organizations
worldwide, ensuring its continued relevance and impact on improving internal control practices.
COSO Report - 5 components of internal control:
Internal control under COSO is seen as a system that depends on five components (control
environment, risk management, ...). These components are not equally important.
2. Identify the sources of risks and determine the impact of such risks in terms of finances and
reputation.
4. Develop and execute an action plan to reduce the impact and probability of these risks.
Risk is the expected loss at a given probability: Risk = Impact x Probability, compared against the materiality threshold.
Control Activities :
1. Authorization of transactions
2. Segregation of duties
3. Adequate records and documents: adequate documentation means capturing the relevant information about each transaction.
1) Authorization of transactions
a. General authorization: most transactions occur within the general authorization (normal
processes), e.g. completing a sale or purchasing supplies.
b. Specific authorization: occurs when, within a normal process, there is an additional risk.
(e.g. a cashier scans the products and you pay for them: this is general authorization; but if,
after paying, you decide to cancel the sale, another agent with more authority needs to
intervene: this is specific authorization.)
Most operations don't need specific authorization from another level of management.
2) Segregation of Duties : basic key control against fraud
c. Accounting cycle reports : These are reports that are generated at various stages of the
accounting cycle. For example, a trial balance is a report that lists all of the accounts in the
general ledger and their balances at a particular point in time.
d. Audit Trail : This is a record of the steps that were taken to process a transaction. The audit trail
allows auditors to trace a transaction from its origin to its final destination in the accounting
records.
4) Security of Assets and documents :
a. Protecting physical assets : Measures taken to safeguard property and equipment from loss,
damage, or theft.
Procedures:
I. Reconciliation: comparing information from two different sources that must give the
same result.
II. Comparison of physical assets with records
III. Recalculation of amounts
IV. Analysis of reports
V. Review of batch totals
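The reconciliation and batch-total procedures above, as an added example that is not part of the course notes: two independent sources for one day's cash receipts (a constructed POS register log and a constructed bank deposit detail) are compared on record count, hash total of receipt numbers and amount total, and every receipt that appears in only one source or with a different amount is listed as an exception.

```python
from decimal import Decimal

# Constructed sample data, one "receipt_no,amount" per line.
REGISTER_LOG = """\
1001,25.00
1002,13.50
1003,40.00
1004,8.25
1005,19.99"""

DEPOSIT_DETAIL = """\
1001,25.00
1002,13.50
1004,8.25
1005,19.00"""


def parse_batch(text):
    """Returns {receipt_no: amount} from the csv-like lines above."""
    batch = {}
    for line in text.splitlines():
        no, amount = line.split(",")
        batch[int(no)] = Decimal(amount)
    return batch


def batch_totals(batch):
    """Control totals: record count, hash total of receipt numbers, amount total."""
    return {"count": len(batch), "hash": sum(batch), "amount": sum(batch.values())}


def reconcile(source_a, source_b):
    """Compares the two sources item by item.
    Returns (totals_match, exceptions); an empty exception list and
    matching totals mean the batch reconciles."""
    exceptions = []
    for no in sorted(set(source_a) | set(source_b)):
        a, b = source_a.get(no), source_b.get(no)
        if a is None:
            exceptions.append(f"receipt {no}: only in second source ({b})")
        elif b is None:
            exceptions.append(f"receipt {no}: only in first source ({a})")
        elif a != b:
            exceptions.append(f"receipt {no}: amounts differ, {a} vs {b}")
    return batch_totals(source_a) == batch_totals(source_b), exceptions
```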
3. Record and process the data through appropriate classification, summarization, and
aggregation.
4. Communicate this summarized and aggregated information as needed for internal and
external purposes.
Monitoring :
1. Any system of control must be constantly monitored to ensure that it continues to be
effective: continuous monitoring.
2. Monitoring such as internal and external audits occurs on a regular periodic basis: periodic
monitoring
Reasonable Assurance of Internal Controls:
Controls achieve a sensible balance of reducing risk when compared with the cost of the control.