
Fraud

The document discusses various types of fraud that can occur within an organization including management fraud, employee fraud, customer fraud, vendor fraud, and computer fraud. It also discusses techniques used to commit fraud like skimming, larceny, and collusion. The document emphasizes the importance of maintaining a code of ethics, internal controls, and information technology controls to help prevent and detect fraud.

Uploaded by

Christine Raiz

FRAUD, ETHICS, AND INTERNAL CONTROL

THE NEED FOR A CODE OF ETHICS AND INTERNAL CONTROLS
• A code of ethics is a set of documented guidelines
for moral and ethical behavior within the organization.
• The COSO report defines internal control as
follows:
Process, effected by an entity’s board of directors,
management, and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives
in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations.
Accounting‐Related Fraud
Fraud can be defined as the theft, concealment, and
conversion to personal gain of another’s money, physical
assets, or information. Notice that this definition includes
concealment. In most cases, a fraud includes altering
accounting records to conceal the fact that a theft occurred.
For example, an employee who steals cash from his employer
is likely to alter the cash records to cover up the theft.
Misappropriation of assets involves theft of any item of
value. It is sometimes referred to as a defalcation, or internal
theft, and the most common examples are theft of cash or
inventory. Restaurants and retail stores are especially
susceptible to misappropriation of assets because their assets
are readily accessible by employees.
Misstatement of financial records involves the falsification
of accounting reports. This is often referred to as earnings
management, or fraudulent financial reporting.

• Incentive to commit the fraud. Some kind of incentive or
pressure typically leads fraudsters to their deceptive acts.
Financial pressures, market pressures, job‐related failures, or
addictive behaviors may create the incentive to commit fraud.
• Opportunity to commit the fraud. Circumstances may
provide access to the assets or records that are the objects of
fraudulent activity. Only those persons having access can pull
off the fraud. Ineffective oversight is often a contributing
factor.
• Rationalization of the fraudulent action. Fraudsters
typically justify their actions because of their lack of moral
character. They may intend to repay or make up for their
dishonest actions in the future, or they may believe that the
company owes them as a result of unfair expectations or an
inadequate pay raise.

Categories of Accounting‐Related Fraud

The Nature of Management Fraud


1. MANAGEMENT FRAUD, conducted by one or more
top‐level managers within the company, is usually in the form
of fraudulent financial reporting. Oftentimes, the chief
executive officer (CEO) or chief financial officer (CFO)
conducts fraud by misstating the financial statements through
elaborate schemes or complex transactions.
Management fraud may involve overstating revenues and
assets, understating expenses and liabilities, misapplying
accounting principles, or any combination of these tactics.
Managers misstate financial statements in order to receive
such indirect benefits as the following:
1. Increased stock price. Management usually owns stock in
the company, and it benefits from increased stock price.
2. Improved financial statements, which enhance the potential
for a merger or initial public offering (IPO), or prevent
negative consequences due to noncompliance with debt
covenants or decreased bond ratings.
3. Enhanced chances of promotion, or avoidance of firing or
demotion.
4. Increased incentive‐based compensation such as salary,
bonus, or stock options.
5. Delayed cash flow problems or bankruptcy.
These two examples illustrate that management fraud
typically
1. Is intended to enhance financial statements
2. Is conducted or encouraged by the top managers
3. Involves complex transactions, manipulations, or business
structures
4. Involves top management’s circumvention of the systems
or internal controls that are in place—known as management
override.
2. EMPLOYEE FRAUD is conducted by non-management
employees. This usually means that an employee steals cash
or assets for personal gain. While there are many different
kinds of employee fraud, some of the most common are as
follows:
1. Inventory theft. Inventory can be stolen or misdirected.
This could be merchandise, raw materials, supplies, or
finished goods inventory.
2. Cash receipts theft. This occurs when an employee steals
cash from the company. An example would be the theft of
checks collected from customers.
3. Accounts payable fraud. Here, the employee may submit a
false invoice, create a fictitious vendor, or collect kickbacks
from a vendor. A kickback is a cash payment that the vendor
gives the employee in exchange for the sale; it is like a
business bribe.
4. Payroll fraud. This occurs when an employee submits a
false or inflated time card.
5. Expense account fraud. This occurs when an employee
submits false travel or entertainment expenses, or charges an
expense account to cover the theft of cash.
TECHNIQUES
• Skimming occurs when the organization’s cash is stolen
before it is entered into the accounting records.
• Larceny occurs when fraudsters steal the company’s cash
after it has been recorded in the accounting records.
• Collusion occurs when two or more people work
together to commit a fraud.
3. CUSTOMER FRAUD occurs when a customer
improperly obtains cash or property from a company, or
avoids a liability through deception. Although customer fraud
may affect any company, it is an especially common problem
for retail firms and companies that sell goods through
Internet‐based commerce. Examples of customer fraud
include credit card fraud, check fraud, and refund fraud.
Credit card fraud and check fraud involve the customer’s
use of stolen or fraudulent credit cards and checks.
Refund fraud occurs when a customer tries to return stolen
goods to collect a cash refund.
4. VENDOR FRAUD occurs when vendors obtain payments
to which they are not entitled. Unethical vendors may
intentionally submit duplicate or incorrect invoices, send
shipments in which the quantities are short, or send lower‐
quality goods than ordered.
Vendor fraud may also be perpetrated through collusion. For
example, an employee of a company could make an
agreement with a vendor to continue the vendor relationship
in the future if the employee receives a kickback.
Vendor audits involve the examination of vendor records in
support of amounts charged to the company.
5. COMPUTER FRAUD. Organizations must also attempt to
prevent or detect fraudulent activities involving the computer.
Examples of Computer Fraud:
• Industrial espionage, the theft of proprietary company
information, by digging through the trash of
the intended target company.
• Software piracy, the unlawful copying of software
programs.
Internal Sources of Computer Fraud
When an employee of an organization attempts to conduct
fraud through the misuse of a computer‐based system, it is
called internal computer fraud. Internal computer fraud
concerns each of the following activities:
1. Input manipulation usually involves altering data that is
input into the computer.
2. Program manipulation occurs when a program is
altered in some fashion to commit a fraud.
3. Output manipulation: a user can manipulate the output of
their own or others' powers.
Examples of Program Manipulation
• Trap door alteration is a valid programming tool that is
misused to commit fraud.
• Salami technique: a program is altered to slice a small amount
from several accounts and then credit those small amounts to
the perpetrator’s benefit.
• Trojan horse program is a small, unauthorized program
within a larger, legitimate program, used to manipulate the
computer system to conduct a fraud.
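Because the salami technique moves small amounts between accounts, the ledger still balances in total, and it is found by independently recomputing each posting and comparing per account. The following Python code is an added example, not part of the original document; the interest rate, account ids and posted amounts are constructed sample data.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
RATE = Decimal("0.0125")  # assumed periodic interest rate

# Constructed sample data: opening balances and the interest that a
# (tampered) posting program actually credited. All ids are made up.
BALANCES = {"A100": "1033.67", "A101": "250.40", "A102": "7777.77",
            "A103": "419.99", "A104": "100.00", "A999": "500.00"}
POSTED = {"A100": "12.91", "A101": "3.12", "A102": "97.21",
          "A103": "5.24", "A104": "1.25", "A999": "6.29"}


def expected_interest(balance):
    """Independent recomputation of what the program should have posted."""
    return (Decimal(balance) * RATE).quantize(CENT, rounding=ROUND_HALF_UP)


def reconcile(balances, posted):
    """Compare posted amounts with the recomputation; return non-zero diffs."""
    diffs = {}
    for acct in sorted(set(balances) | set(posted)):
        want = expected_interest(balances.get(acct, "0"))
        got = Decimal(posted.get(acct, "0"))
        if got != want:
            diffs[acct] = got - want
    return diffs


def salami_report(diffs, max_slice=Decimal("0.05")):
    """Flag the salami pattern: many small shortfalls, few offsetting gains."""
    shorted = {a: d for a, d in diffs.items() if -max_slice <= d < 0}
    gainers = {a: d for a, d in diffs.items() if d > 0}
    skimmed = -sum(shorted.values(), Decimal("0"))
    return {
        "shorted_accounts": sorted(shorted),
        "skimmed_total": skimmed,
        "beneficiaries": gainers,
        # True when the gains exactly absorb the slices: the ledger still
        # balances in total and only the per-account check reveals it.
        "offsets_exactly": skimmed > 0 and sum(gainers.values()) == skimmed,
    }


if __name__ == "__main__":
    print(salami_report(reconcile(BALANCES, POSTED)))
```

The check is a detective control in the sense used later in these notes: it compares the accounting records against a source the posting program does not control.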
External sources of Computer Fraud
1. Hacking is the term commonly used for computer network
break‐ins. Hacking may be undertaken for various reasons,
including industrial espionage, credit card theft from online
databases, destruction or alteration of data, or merely thrill‐
seeking.
2. A DoS attack is intended to overwhelm an intended target
computer system with so much bogus network traffic that the
system is unable to respond to valid network traffic.
3. Spoofing occurs when a person, through a computer system,
pretends to be someone else.
Policies to Assist in the Avoidance of Fraud and Errors
Following are three critical actions that an organization can
undertake to assist in the prevention or detection of fraud and
errors:
1. Maintain and enforce a code of ethics.
2. Maintain a system of accounting internal controls.
3. Maintain a system of information technology controls.
Maintenance of a Code of Ethics
Sarbanes–Oxley Act of 2002. The Act was intended to
reform accounting, financial reporting, and auditing functions
of companies that are publicly traded on stock exchanges.
One requirement is that
public companies adopt and disclose a code of ethics for
directors, officers, and employees. Documenting and adhering
to a code of ethics should reduce opportunities for managers
or employees to conduct fraud.
Maintenance of Accounting Internal Controls
Internal control systems provide a framework for fighting
fraud. However, attempting to prevent or detect fraud is only
one of the reasons that an organization maintains a system of
internal controls.
The objectives of an internal control system:
1. Safeguard assets (from fraud or errors).
2. Maintain the accuracy and integrity of the accounting data.
3. Promote operational efficiency.
4. Ensure compliance with management directives.
Three Types of Controls
• Preventive controls are designed to avoid errors,
fraud, or events not authorized by management.
Preventive controls intend to stop undesirable acts
before they occur.
• Detective controls help employees
to uncover or discover errors, fraud, or unauthorized
events.
• Corrective controls are those steps undertaken to
correct an error or problem uncovered via detective
controls.
Committee of Sponsoring Organizations (COSO)
Five interrelated components of internal control:
the Control Environment, Risk Assessment, Control
Activities, Information and Communication, and Monitoring.
Control Environment The control environment sets the tone
of an organization and influences the control consciousness of
its employees. The control environment is the foundation for
all other components of internal control, and it provides the
discipline and structure of all other components.
Control Environment factors include:
• The integrity and ethical values of the entity’s people
• Management’s oversight responsibility, including its
philosophy and operating style
• The way management establishes structure and assigns
authority and responsibility
• The way management develops its people and demonstrates
commitment to competence
• The board of directors demonstrates independence from
management and exercises oversight of internal control
• The organization holds individuals accountable for their
internal control responsibilities.
Risk assessment To help prevent or detect fraud and errors.
In order for management to maintain control over these
threats to its business.
1. Specify the relevant objectives to enable the identification
and assessment of risks relating to objectives
2. Identify the risks (both internal and external, and due to
both fraud or error), and determine how the risks should be
managed.
3. Consider the potential for fraud in assessing risks.
4. Identify and assess changes that could significantly affect
the system of internal control.
Control Activities The COSO report identifies control
activities as the policies and procedures that help ensure that
management directives are carried out and that management
objectives are achieved.
• Develop control activities that contribute to the mitigation of
risks.
• Develop general controls over technology (this concept is
discussed in Chapter 4).
• Deploy control activities through policies that establish
expectations and procedures to put those policies into action.
The control activities include:
1. Authorization of transactions
2. Segregation of duties
3. Adequate records and documents
4. Security of assets and documents
5. Independent checks and reconciliations
Authorization of Transactions In any organization, it is
important to try to ensure that only authorized transactions are
carried out. Authorization refers to an approval, or
endorsement, from a responsible person or department in the
organization that has been sanctioned by top management.
General authorization is a set of guidelines that allows
transactions to be completed as long as they fall within
established parameters. Specific authorization means that
explicit approval is needed for a transaction to be completed.
Segregation of Duties When management delegates authority
and develops guidelines as to the use of that authority, it
must assure that the authorization is separated from other
duties.
Adequate Records and Documents Accounting documents
and records are important, because they provide evidence and
establish responsibility.
Security of Assets and Documents Organizations should
establish control activities to safeguard their assets,
documents, and records.
Independent Checks and Reconciliation. Independent
checks serve as a method to confirm the accuracy and
completeness of data in the accounting system.
Reconciliation is a procedure that compares records from
different sources.
INFORMATION AND COMMUNICATION
To assess, manage, and control the efficiency and
effectiveness of operations of an organization, management
MONITORING Any system of control must be constantly
monitored to assure that it continues to be effective.
Monitoring involves the ongoing review and evaluation of the
system.
Reasonable Assurance of Internal Controls
Reasonable assurance means that the controls achieve a
sensible balance of reducing risk when compared with the
cost of the control.
There are factors that limit the effectiveness of controls:
1. Flawed judgments are applied in decision making.
2. Human error exists in every organization.
3. Controls can be circumvented or ignored.
4. Controls may not be cost beneficial.
Maintenance of Information Technology Controls
Risk and controls in IT are divided into five categories:
• Security The risk related to security is unauthorized access,
which may be both physical access and logical access.
• Availability The risk related to availability is system or
subsystem failure due to hardware or software problems.
• Processing Integrity The risk related to processing
integrity could be inaccurate, incomplete, or improperly
authorized information.
• Online Privacy The risk in this area is that personal
information about customers may be used inappropriately or
accessed by those either inside or outside the company.
• Confidentiality The risk related to confidentiality is that
confidential information about the company or its business
partners may be subject to unauthorized access during its
transmission or storage in the IT system.
The Sarbanes–Oxley Act of 2002
Section 404—Management Assessment of Internal
Controls
An internal control report is required to accompany each
financial statement filing. The internal control report must
establish management’s responsibility for the company’s
internal controls and related financial reporting systems.
Section 406—Code of Ethics for Senior Financial Officers
The top management of the companies can be held legally
responsible to maintain, evaluate, and enforce good internal
control systems and a code of ethics.