Chapter-3 Group3 Handouts

Uploaded by

aimansobair2
CHAPTER III: INTRODUCTION TO THE NEED FOR A CODE OF ETHICS AND INTERNAL CONTROL

STEWARDSHIP - is the careful and responsible oversight and use of the assets entrusted to management. This requires that management maintain systems which allow it to demonstrate that it has appropriately used these funds and assets.

ACCOUNTING-RELATED FRAUD

FRAUD - can be defined as the theft, concealment, and conversion to personal gain of another’s money, physical assets, or information.

❖ In fraud, there is a distinction between misappropriation of assets and misstatement of financial records.
➢ Misappropriation of assets involves theft of any item of value. It is sometimes referred to as a defalcation, or internal theft, and the most common examples are theft of cash or inventory.
➢ Misstatement of financial records involves the falsification of accounting reports. This is often referred to as earnings management, or fraudulent financial reporting.

FRAUD TRIANGLE

[Figure: the fraud triangle, with corners Incentive (Pressure), Opportunity, and Rationalization (Attitude)]

❖ Incentive to commit the fraud. Some kind of incentive or pressure typically leads fraudsters to their deceptive acts. Financial pressures, market pressures, job-related failures, or addictive behaviors may create the incentive to commit fraud.
❖ Opportunity to commit the fraud. Circumstances may provide access to the assets or records that are the objects of fraudulent activity. Only those persons having access can pull off the fraud. Ineffective oversight is often a contributing factor.
❖ Rationalization of the fraudulent action. Fraudsters typically justify their actions because of their lack of moral character. They may intend to repay or make up for their dishonest actions in the future, or they may believe that the company owes them as a result of unfair expectations or an inadequate pay raise.

THE NATURE OF MANAGEMENT FRAUD
❖ Management fraud, conducted by one or more top-level managers within the company, is usually in the form of fraudulent financial reporting. Oftentimes, the chief executive officer (CEO) or chief financial officer (CFO) conducts fraud by misstating the financial statements through elaborate schemes or complex transactions.
❖ Managers misstate financial statements in order to receive such indirect benefits as the following:
1. Increased stock price.
2. Improved financial statements.
3. Enhanced chances of promotion, or avoidance of firing or demotion.
4. Increased incentive-based compensation.
5. Delayed cash flow problems or bankruptcy.

THE NATURE OF EMPLOYEE FRAUD
❖ Employee fraud is conducted by non-management employees. This usually means that an employee steals cash or assets for personal gain.

KINDS OF EMPLOYEE FRAUD
1. Inventory theft. Inventory can be stolen or misdirected. This could be merchandise, raw materials, supplies, or finished goods inventory.
2. Cash receipts theft. This occurs when an employee steals cash from the company. An example would be the theft of checks collected from customers.
3. Accounts payable fraud. Here, the employee may submit a false invoice, create a fictitious vendor, or collect kickbacks from a vendor. A kickback is a cash payment that the vendor gives the employee in exchange for the sale; it is like a business bribe.
4. Payroll fraud. This occurs when an employee submits a false or inflated timecard.
5. Expense account fraud. This occurs when an employee submits false travel or entertainment expenses or charges an expense account to cover the theft of cash.

SKIMMING
➢ Where the organization’s cash is stolen before it is entered into the accounting records.

LARCENY
➢ Stealing the company’s cash after it has been recorded in the accounting records.

COLLUSION
➢ Occurs when two or more people work together to commit a fraud.

THE NATURE OF CUSTOMER FRAUD
❖ Customer fraud occurs when a customer improperly obtains cash or property from a company or avoids a liability through deception. Although customer fraud may affect any company, it is an especially common problem for retail firms and companies that sell goods through Internet-based commerce.

EXAMPLES OF CUSTOMER FRAUD
1. Credit card fraud and check fraud involve the customer’s use of stolen or fraudulent credit cards and checks.
2. Refund fraud occurs when a customer tries to return stolen goods to collect a cash refund.

THE NATURE OF VENDOR FRAUD
❖ Vendor fraud occurs when vendors obtain payments to which they are not entitled. Unethical vendors may
intentionally submit duplicate or incorrect invoices, send shipments in which the quantities are short, or send lower-quality goods than ordered. Vendor fraud may also be perpetrated through collusion.

VENDOR AUDITS involve the examination of vendor records in support of amounts charged to the company.

THE NATURE OF COMPUTER FRAUD
❖ Computer fraud is the use of computers, the Internet, Internet devices, and Internet services to defraud people or organizations of resources.

Industrial Espionage - the theft of proprietary company information, by digging through the trash of the intended target company.

Software Piracy - the unlawful copying of software programs.

INTERNAL SOURCES OF COMPUTER FRAUD
❖ When an employee of an organization attempts to conduct fraud through the misuse of a computer-based system, it is called internal computer fraud.

Internal computer fraud concerns each of the following activities:
1. Input manipulation - usually involves altering data that is input into the computer.
2. Program manipulation - occurs when a program is altered in some fashion to commit a fraud.
3. Output manipulation - if a person alters the system’s checks or reports.

EXAMPLES OF PROGRAM MANIPULATION
1. Salami Technique - to alter a program to slice a small amount from several accounts and then credit those small amounts to the perpetrator’s benefit.
2. Trojan Horse Program - is a small, unauthorized program within a larger, legitimate program, used to manipulate the computer system to conduct a fraud.
3. Trap Door Alteration - is a valid programming tool that is misused to commit fraud. As programmers write software applications, they may allow for unusual or unique ways to enter the program to test small portions, or modules, of the system.

EXTERNAL SOURCES OF COMPUTER FRAUD
❖ External computer frauds are conducted by someone outside the company who has gained unauthorized access to the computer.

TWO COMMON TYPES OF EXTERNAL FRAUD
1. Hacking is the term commonly used for computer network break-ins. Hacking may be undertaken for various reasons, including industrial espionage, credit card theft from online databases, destruction or alteration of data, or merely thrill-seeking.
➢ [DOS Attack] A denial of service attack is intended to overwhelm an intended target computer system with so much bogus network traffic that the system is unable to respond to valid network traffic.
2. Spoofing occurs when a person, through a computer system, pretends to be someone else.
➢ Internet Spoofing is the most dangerous to the accounting and control systems, because a spoofer fools a computer into thinking that the network traffic arriving is from a trusted source.
➢ Email Spoofing is to the direct financial interests of most business organizations, it is nevertheless a source of irritation and inconvenience at the workplace.

POLICIES TO ASSIST IN THE AVOIDANCE OF FRAUD AND ERRORS

Concepts in a Code of Ethics
Following are three critical actions that an organization can undertake to assist in the prevention or detection of fraud and errors:
1. Maintain and enforce a code of ethics.
2. Maintain a system of accounting internal controls.
3. Maintain a system of information technology controls.

MAINTENANCE OF A CODE OF ETHICS
Establishing and maintaining a culture where ethical conduct is recognized, valued, and exemplified by all employees. This includes:
• Obeying applicable laws and regulations that govern business.
• Conducting business in a manner that is honest, fair, and trustworthy.
• Avoiding all conflicts of interest.
• Creating and maintaining a safe work environment.
• Protecting the environment.

MAINTENANCE OF ACCOUNTING INTERNAL CONTROLS
Attempting to prevent or detect fraud is only one of the reasons that an organization maintains a system of internal controls.

The objectives of an internal control system are as follows:
• Safeguard assets (from fraud or errors).
• Maintain the accuracy and integrity of the accounting data.
• Promote operational efficiency.
• Ensure compliance with management directives.

CONTROL ENVIRONMENT sets the tone of an organization and influences the control consciousness of its employees.

RISK ASSESSMENT considers existing threats and the potential for additional risks and stands ready to respond should these events occur.

CONTROL ACTIVITIES are policies and procedures that help ensure that management directives are carried out and that management objectives are achieved.

The control activities include a range of actions that should be deployed through the company’s policies and procedures. These activities can be divided into the following categories:
1. Authorization of transactions
2. Segregation of duties
3. Adequate records and documents
4. Security of assets and documents
5. Independent checks and reconciliations

AUTHORIZATION refers to an approval, or endorsement, from a responsible person or department in the organization that has been sanctioned by top management.

When management delegates authority and develops guidelines as to the use of that authority, it must assure that the authorization is separated from other duties. This separation of related duties is called SEGREGATION OF DUTIES.

SEGREGATION OF DUTIES
• AUTHORIZATION
• RECORDING
• CUSTODY

ADEQUATE RECORDS AND DOCUMENTS When management is conscientious and thorough about preparing and retaining documentation in support of its accounting transactions, internal controls are strengthened.

SECURITY OF ASSETS AND DOCUMENTS Organizations should establish control activities to safeguard their assets, documents, and records.

INDEPENDENT CHECKS AND RECONCILIATION
Independent checks on performance are an important aspect of control activities. INDEPENDENT CHECKS serve as a method to confirm the accuracy and completeness of data in the accounting system. A RECONCILIATION is a procedure that compares records from different sources.

Monitoring involves the ongoing review and evaluation of the system.

Reasonable assurance means that the controls achieve a sensible balance of reducing risk when compared with the cost of the control.

MAINTENANCE OF AN INFORMATION TECHNOLOGY CONTROLS

➢ Information technology plays such an important role in organizations that any failure in these systems can halt such ongoing operations as sales, manufacturing, or purchasing. IT systems have become the lifeblood of operations for most companies.

In response to this need, the Information Systems Audit and Control Association (ISACA) developed an extensive framework of information technology controls, entitled COBIT, for Control Objectives for Information Technology

Trust Service Principles. This guidance addresses risks and opportunities of information technology, and the most recent version became effective in 2006. The Trust Services Principles set forth guidance for CPAs who provide assurance services for organizations.

Risk and controls in IT are divided into five categories in the Trust Services Principles, as follows:
1. security
2. availability
3. processing integrity
4. online privacy
5. confidentiality

THE SARBANES–OXLEY ACT OF 2002
The Sarbanes–Oxley Act was signed into law on July 30, 2002, for the purpose of improving financial reporting and reinforcing the importance of corporate ethics.

SECTION 404—MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS
An internal control report is required to accompany each financial statement filing. The internal control report must establish management’s responsibility for the company’s internal controls and related financial reporting systems.

SECTION 406—CODE OF ETHICS FOR SENIOR FINANCIAL OFFICERS
The Act requires all public companies to have in place a code of ethics covering its CFO and other key accounting officers. The code must include principles that advocate honesty and moral conduct, fairness in financial reporting, and compliance with applicable governmental rules and regulations.

Group 3:
Janoden, Faisa
Baunto, Shairah
Abdullah, Hafsa
Solaiman, Abdulmoin
Japar, Janifah
Junaid, Johanie
Hadji Hassan, Johanisah
Goling, Jehan
Cali, Hakima
Guba, Aina