day-7 internal control system, ethics, fraud and controls for ais pdf

PEMP-ACF501

Day 7Internal Control System, Ethics,

Fraud and Controls for AISFraud and Controls for AIS

Session SpeakerpMs. Shubha P.

M.S.Ramaiah School of Advanced Studies - Bangalore 1

PEMP-ACF501

Session ObjectivesSession ObjectivesAt the end of this session students will be able to

understand:understand:• The internal control concept• The environment and structure of internal control• The environment and structure of internal control• The internal controlling activities • Th i k t• The risk assessment• The controlling activities in the revenue and

expenditureexpenditure• The activities on the internal control on general ledger


PEMP-ACF501

Session ObjectivesSession Objectives

At the end of the session students will be able toAt the end of the session students will be able to understand:

• Meaning of Business ethics and computer ethics• Process of fraud.• Factors that contribute to Fraud.• Computer fraud and its schemes• Computer Fraud in Accounting

IT C t l t f d• IT Control on computer fraud• Approaches and techniques to commit computer fraud

3M.S.Ramaiah School of Advanced Studies ‐ Bangalore3

PEMP-ACF501

Session ContentsSession Contents

• Internal ControlInternal Control• Concepts of internal control• Internal control structure and its environmentInternal control structure and its environment• Controlling activities and its risk• Control problems caused by computers• Control problems caused by computers• Controls on revenue, expenditure and general ledger


PEMP-ACF501

Session contentSession content

• Introduction to ethicsIntroduction to ethics• Meaning of Business ethics and computer ethics• Fraud and its processFraud and its process• Factors that contribute to Fraud.• Computer fraud and its schemes• Computer fraud and its schemes• Computer Fraud in Accounting• IT C t l t f d• IT Control on computer fraud• Approaches and techniques to commit computer

fraud


fraud

PEMP-ACF501

Internal ControlInternal Control

“Internal control is defined as a process effectedInternal control is defined as a process effected by an organisation's structure, work and authority flows, people and Accounting information systems, , p p g y ,designed to help the organisation accomplish specific goals or objectives”“Internal Control is a state that management strives to achieve to provide reasonable assurance that the fi ’ bj i ill b hi d”firm’s objectives will be achieved”


PEMP-ACF501

Importance of Internal ControlImportance of Internal ControlIt plays an important role in preventing and detectingIt plays an important role in preventing and detecting fraud Protecting the organisation's resources, g g ,

both physical (e.g., machinery and property)intangible (e g reputation or intellectual propertyintangible (e.g., reputation or intellectual property such as trademarks).

Internal control objectives relate to the reliability of e co o objec ves e e o e e b y ofinancial reporting


PEMP-ACF501

Importance of Internal ControlImportance of Internal ControlTimely feedback on the achievement of operational or Strategic goals and compliance with laws andStrategic goals, and compliance with laws and regulations.Internal control refers to the actions taken to achieveInternal control refers to the actions taken to achieve a specific objective (e.g., how to ensure the organisation's payments to third parties are for valid g p y pservices rendered.)Internal control procedures reduce process variation, p p ,leading to more predictable outcomes.


PEMP-ACF501

Control ConceptsControl ConceptsInternal Control systems comprises policies, practices and procedures employed by the organisation to achieve 4 broad objectives.

1. To safeguard assets of the firm2. To ensure the accuracy and reliability of accounting

d d i f irecords and information.3. To promote efficiency in the firm’s operation.4. To measure compliance with management’s

prescribed policies and procedures.


PEMP-ACF501

Control ConceptsControl ConceptsInherent to these control objectives are four

d f h d d dmodifying assumptions that guide designers and auditors of internal control:

1 M t ibilit E t bli h t d1. Management responsibility: Establishment and maintenance of a system of internal control is a management responsibilitymanagement responsibility.

2. Reasonable Assurance: Internal Control system should provide reasonable assurance that theshould provide reasonable assurance that the objectives are met in a cost effective manner.


PEMP-ACF501

Control ConceptsControl Concepts

3. Methods of Data processing: IC should achieve3. Methods of Data processing: IC should achieve objectives regardless of the data processing method used.

4. The control framework is called the Internal Control Structure.


PEMP-ACF501Components and Major

Considerations of the IC Structure


PEMP-ACF501

Control EnvironmentControl EnvironmentThe Control Environment Control Environment establishes the tone of a company influencing the control consciousness of itscompany, influencing the control consciousness of its employees.It is comprised of eight components:p f g p

1. Management philosophy and operating style2. Integrity and ethical values3 C it t t t3. Commitment to competence4. The Board of Directors and the Audit Committee5. Organisational Structureg6. Assignment of authority and responsibility7. Human resources policies and practices8. External Influences


PEMP-ACF501

Internal EnvironmentInternal Environment

Management Philosophy and Operating Style:Management Philosophy and Operating Style:Management emphasises short-term profits and operating goals over long-term goals

d i d bManagement dominated by one or a few individualsType of business risks does management take andType of business risks does management take and the risk.Management conservative or aggressive toward

l ti f il bl lt ti tiselecting from available alternative accounting principles


PEMP-ACF501


Organisation Structure:Organisation Structure:• An up-to-date organisation chart prepared,

showing the names of key personnel• The information systems function

separated from incompatible functions• The accounting department is organised• The internal audit function separate and distinct

from accountingfrom accounting• Subordinate managers report to more than one

supervisorsupe v so


PEMP-ACF501


Assignment of Authority and ResponsibilityAssignment of Authority and Responsibility• The company prepare written employee job

descriptions defining specific duties and reporting relationshipsrelationships

• Written approval required for changes made to information systemsy

• The company clearly delineate employees and managers the boundaries of authority responsibility relationshipsresponsibility relationships

• The company properly delegate authority to employees and departments


PEMP-ACF501

Internal EnvironmentInternal EnvironmentHuman Resource Policies and Practices:

N l i d t i t d ith t t I t l• New personnel indoctrinated with respect to Internal Controls, Ethics Policies, and Corporate Code of Conduct

• Grievance Procedures to manage conflict in force• The company maintains a sound employee relations

program• Employees work in a safe and healthy environment• Counseling Programs are available to employees• Proper Separation Programs in force for employees who

leave the firm• Critical employees linking


PEMP-ACF501

Control ActivityControl Activity

Control activities may also be explained by the typeControl activities may also be explained by the type or nature of activity. These include:

• Segregation of duties - separating authorisation, custody, and record keeping roles to limit risk of y, p gfraud or error by one person.

• Authorisation of transactions - review of particular transactions by an appropriate person.


PEMP-ACF501


• Top-level reviews/analysis of actual results versusTop level reviews/analysis of actual results versus organisational goals or plans, periodic and regular operational reviews, metrics, and other Key Performance Indicators (KPI’s).

• Retention of records - maintaining documentation to substantiate transactions.

• Supervision or monitoring of operations -observation or review of ongoing operational activity.


PEMP-ACF501


IT S it f d l t t• IT Security - usage of passwords, access logs, etc. to ensure access restricted to authorised personnel.

• Top level reviews Management review of reports• Top level reviews-Management review of reports comparing actual performance versus plans, goals, and established objectives.and established objectives.

• Controls over information processing- A variety of control activities are used in information processing.p g


PEMP-ACF501

RiskRisk

Business firms face risks that reduce the chances ofBusiness firms face risks that reduce the chances of achieving their control objectives.Risk exposures arise from internal sources, such as p ,employees, as well as external sources, such as computer hackers.Risk assessment consists of identifying relevant risks, analysing the extent of exposure to those risks, and managing risks by proposing effective control procedures.


PEMP-ACF501

Risk AssessmentRisk Assessment1. Top management must be directly involved in

Business Risk Assessment.2. This involves the identification and analysis of

relevant risks that may prevent the attainment of Company-wide Objectives

3 Obj i f i i l U i3. Objectives of organisational Units 4. The formation of a plan 5. To determine how to manage the risks.


PEMP-ACF501

Information & CommunicationInformation & Communication

All Transactions entered for processing are Valid and p gAuthorisedAll valid transactions are captured and entered for processing on a Timely Basis and in Sufficient Detailprocessing on a Timely Basis and in Sufficient Detail to permit the proper Classification of TransactionsThe input data of all entered transactions are Accurate

d C l t ith th t ti b i dand Complete, with the transactions being expressed in proper Monetary termsAll transactions are recorded in the proper s c o s e eco ded e p opeAccounting Period


PEMP-ACF501

I f i & C i iInformation & Communication

All d i d lAll entered transactions are processed properly to update all affected records of Master Files and/or Other Types of Data setsyAll required Outputs are prepared according to Appropriate Rules to provide Accurate and Reliable InformationInformation


PEMP-ACF501

MonitoringMonitoring

A Internal control system requires on-goingA Internal control system requires on going monitoring. The aim is to check its relevance and appropriateness pp pto the company’s objectives.Monitoring principally comprises the analysis of the g p p y p ymain incidents that have been recorded, the result of the controls performed, together with the work carried out by the internal audit team.


PEMP-ACF501

MonitoringMonitoring

Monitoring also takes into consideration theMonitoring also takes into consideration the observations made by the statutory auditors Monitoring tools can be useful to keep an active g pwatch on internal control best practices.Monitoring together with the best practices watch, g g p ,culminate, where required, in the implementation of corrective actions and adjustments of internal control system.


PEMP-ACF501

Threats in information systemThreats in information systemi. Due to flaws in the operating system that are

exploited either accidentally or intentionallyexploited either accidentally or intentionallyii. Accidental threats include hardware failures that

cause the operating system to crashcause the operating system to crash.iii. Errors in user application program which the

operating system cannot interpretoperating system cannot interpretiv. Intentional threats to the operating system are most

commonly attempts to illegally access data orcommonly attempts to illegally access data or violate user privacy for financial gain.


PEMP-ACF501

Examples of Threats

Theft of Computer Hardware & SoftwareUn authorised Use of Computer Facilities forUn-authorised Use of Computer Facilities for Personal UseFraudulent Modification or Use of Data orFraudulent Modification or Use of Data or Programs


PEMP-ACF501Reasons Why Computers Cause

Control Problems1. Processing is Concentratedg2. Audit Trails may be Undermined3. Human Judgment is bypassed4 D t t d i D i O i t d th th H4. Data are stored in Device-Oriented rather than Human-

Oriented forms• Invisible Data• Stored data are Erasable• Data are stored in a Compressed form• Stored data are relatively accessible

5. Computer Equipment is Powerful but Complex and Vulnerable


PEMP-ACF501

Control on RevenueControl on RevenueTransaction Authorisation - Only the valid transactionTransaction Authorisation Only the valid transaction needs to be processed.Proper application of the firm’s credit policies.p pp pVerify the customer’s check and remittances advices match in amount.Segregation duties ensures that no single individual or department processes a transaction in its entirety.


PEMP-ACF501

Control on RevenueControl on Revenue

Supervision provides control in systems that are p p yproperly segregated.Audit trail Audit trail on the accounting records can discover where an error occurred.Access controls prevent and detect un-authorised and illegal access to the firm’s assets.Independent verification is to verify the accuracy and completeness of tasks performed.


PEMP-ACF501

Control on ExpenditureControl on Expenditure

The inventory control function continually monitorsThe inventory control function continually monitors inventory levels.The authorisation process promotes efficient p pinventory management and ensures the legitimacy of purchases transaction.AP function authorises cash disbursements to provide effective control over the flow of cash from the firm.


PEMP-ACF501

Control on ExpenditureControl on Expenditure

An auditor should be able to reconcile inventoryAn auditor should be able to reconcile inventory records to the physical inventory.Supervision in the receiving department is very p g p yessential.Inspecting and counting the items received protects p g g pthe firm from the incomplete orders and damaged goods.


PEMP-ACF501

C l E diControl on ExpenditureAuditor’s concern in the expenditure cycle is thatAuditor’s concern in the expenditure cycle is that obligations may be materially understated on the financial statements because of unrecordedfinancial statements because of unrecorded transaction.In expenditure cycle a firm must control access to p yphysical assets such as cash and inventory.AP functions plays a vital role in the verification of p ythe work done by others in this system.


PEMP-ACF501

General ledgerGeneral ledgerIt is the main accounting record of a business which uses double entry bookkeepinguses double-entry bookkeepingIt usually includes accounts for such items as current assets fixed assets liabilities revenue and expenseassets, fixed assets, liabilities, revenue and expense items, gains and losses.The left hand side lists debit transactions and theThe left hand side lists debit transactions and the right hand side lists credit transactions.The general ledger is a collection of the group ofThe general ledger is a collection of the group of accounts that supports the value items shown in the major financial statements


PEMP-ACF501

General LedgerGeneral LedgerThe general ledger includes the date, description and b l l f hbalance or total amount for each accountIt is usually divided into at least seven main

t icategories. These categories generally include assets, liabilities, owner's equity revenue expenses gains and lossesowner's equity, revenue, expenses, gains and losses.The main categories of the general ledger may be further subdivided into sub ledgers to includefurther subdivided into sub-ledgers to include additional details of such accounts as AP/AR & cash.


PEMP-ACF501

EthicsEthicsEach society establishes rules and limits on acceptable behaviouracceptable behaviourThese rules form a moral codeS ti th l fli tSometimes the rules conflictIn general they are beliefs or conventions on good

d il d b d d t j ti d i j tiand evil, good or bad conduct, justice and injusticeThe rules sometimes do not cover new situation


PEMP-ACF501

Business EthicsBusiness Ethics

Business ethics (also known as Corporate ethics) is aBusiness ethics (also known as Corporate ethics) is a form of applied ethics or professional ethics that examines ethical principles and moral or ethical problems that arise in a business environment.It applies to all aspects of business conduct and is relevant to the conduct of individuals and business organisations as a whole.


PEMP-ACF501

Business EthicsBusiness Ethics

Business Ethics involves findings of two questions:Business Ethics involves findings of two questions:1. How do managers decide on what is right in

conducting their business?g2. Once managers have recognised what is right, how

do they achieve it?y


PEMP-ACF501

Ethical Issues in BusinessEthical Issues in Business

EquityExecutive SalariesComparable WorthProduct Pricingoduc c g

Rights

Corporate Due ProcessEmployee Health ScreeningEmployee PrivacyRights p y ySexual HarassmentDiversity

Employee and mgmt Conflicts of Interest

Honestyp y g

Security of Organization Data and recordsMisleading AdvertisingAccurate Reporting of Shareholder Interests.

Exercise of Corporate Power

Political Action CommitteesWorkplace SafetyProduct Safety


PEMP-ACF501

Computer EthicsComputer Ethics

• Computer Ethics is a branch of practical philosophyComputer Ethics is a branch of practical philosophy which deals with how computing professionals should make decisions regarding professional and social conduct.

• Computer ethics is set of moral principles that regulate the use of computers.

• Some common issues of computer ethics include intellectual property rights (such as copyrighted electronic content), privacy concerns, and how computers affect society

41

computers affect society.

M.S.Ramaiah School of Advanced Studies ‐ Bangalore41

PEMP-ACF501

C E hiComputer Ethics

• For example, while it is easy to duplicate copyrighted electronic (or digital) content, computer ethics would ( g ) psuggest that it is wrong to do so without the author's approval.

• And while it may be possible to access someone's personal information on a computer system, computer thi ld d i th t h ti i thi lethics would advise that such an action is unethical.


PEMP-ACF501

The Fraud ProcessThe Fraud Process

Most frauds involve three stepsMost frauds involve three steps

The theft ofsomething

Th iThe conversionto cash

Theconcealment


PEMP-ACF501

FraudFraud

• What is a common way to hide a theft?What is a common way to hide a theft?– to charge the stolen item to an expense account

• What is a payroll example?What is a payroll example?– to add a fictitious name to the company’s payroll


PEMP-ACF501

FraudFraud

Why Fraud Occurs?Why Fraud Occurs?Researchers have compared the psychological and demographic characteristics

of three groups of people:

White-collarcriminals

Generalpublic

Significant differences

Few Differences

Violentcriminals


PEMP-ACF501

F dFraudFive conditions of Fraud:Five conditions of Fraud:1. False representation-False Statement non-disclosure2 Material Fact -substantial fact inducing someone to2. Material Fact.-substantial fact inducing someone to

act.3. Intent-knowledge that one’s statement is false3. Intent knowledge that one s statement is false

4. Justifiable reliance- Misrepresentation

5 I j L j l5. Injury or Loss-Injury or loss


PEMP-ACF501

F h ib F dFactors that contribute to Fraud

• Situational Pressure• Opportunities• Opportunities• Personal Characteristics.


PEMP-ACF501


PEMP-ACF501

Computer FraudComputer Fraud

• Computer fraud is rampant, as the use of computers becomes part of our daily lives, with greater and

t fgreater frequency.• The definition of what constitutes computer fraud

b l ith th i it fbecomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others bysteal information, or cause harm to others by accessing information through deceptive and illegal means.


PEMP-ACF501

Computer FraudComputer Fraud

Fraud by computer manipulationFraud by computer manipulation• Input manipulation• Program or data manipulationProgram or data manipulation• Output manipulation


PEMP-ACF501

Computer Fraud SchemesComputer Fraud Schemes

Common internal computer fraud schemes:Common internal computer fraud schemes:• Billing schemes• Inventory fraud• Inventory fraud• Payroll fraud

Ski i• Skimming• Check tampering

R i h• Register schemes


PEMP-ACF501


Fraud by damage to or modification of computer dataFraud by damage to or modification of computer data or programs:

• Economic advantage over a competitorg p• Theft of data or programs• Holding data for ransomHolding data for ransom• Sabotage


PEMP-ACF501


Common external computer fraud schemesCommon external computer fraud schemes• Telecommunications fraud• HackingHacking• Internet fraud• Software piracy• Software piracy


PEMP-ACF501

Computer Fraud in AccountingComputer Fraud in AccountingFraud is known to have occurred in the areas of petty cash purchasing and accounts payable invoicing andcash, purchasing and accounts payable, invoicing and accounts receivable, personnel and payroll, lapping on cash collections, inventory manipulation andon cash collections, inventory manipulation and abuse, or simply kickbacks of various kindsA number of cases in banks deal with tampering with p gdata and files by tellers or branch supervisors who withdrew money from customer accounts. Still others achieved their goal by entering deposits manually in the customer's savings book and

54

pocketing the cash received.M.S.Ramaiah School of Advanced Studies ‐ Bangalore

54

PEMP-ACF501Approaches and Techniques to pp q

commit computer Fraud.Common techniques to commit computer fraud

– Cracking– Data diddling– Data leakage– Denial of service attack– Eavesdropping– E-mail forgery and threats


PEMP-ACF501Approaches and Techniques to commit computer Fraud.

– HackingHacking– Internet misinformation and terrorism– Logic time bombLogic time bomb– Masquerading or impersonation

Password cracking– Password cracking– Piggybacking

R d d– Round-down– Salami technique


PEMP-ACF501

Approaches and Techniques toApproaches and Techniques to commit computer Fraud.

– Software piracy– Scavenging– Social engineering– Super zappingp pp g– Trap door– Trojan horseTrojan horse– Virus – Worm

57

Worm

M.S.Ramaiah School of Advanced Studies ‐ Bangalore57

PEMP-ACF501

P i C F dPreventing Computer Fraud

What are some measures that can decrease the potential of fraud?1 Make fraud less likely to occur.2 Increase the difficulty of committing fraud.3 Improve detection methods.4 Reduce fraud losses.5 Prosecute and incarcerate fraud perpetrators.


PEMP-ACF501

P i C F dPreventing Computer Fraud

1 Make fraud less likely to occur– Use proper hiring and firing practices.– Manage disgruntled employees.– Train employees in security and fraud prevention.– Manage and track software licenses.– Require signed confidentiality agreements– Identify risky areas – Effectively supervise employees


PEMP-ACF501

Preventing Computer Fraud

2 Increase the difficulty of committing fraud– Develop a strong system of internal controls.Develop a strong system of internal controls.– Segregate duties.– Require vacations and rotate duties.q– Restrict access to computer equipment and data

files.– Encrypt data and programs.


PEMP-ACF501

Preventing and Detecting ComputerPreventing and Detecting Computer Fraud

3 Improve detection methods– Protect telephone lines and the system from viruses– Protect telephone lines and the system from viruses.– Control sensitive data.

Control laptop computers– Control laptop computers.– Monitor hacker information.


PEMP-ACF501


4 Reduce fraud losses– Maintain adequate insurance.q– Store backup copies of programs and data files in

a secure, off-site location. ,– Develop a contingency plan for fraud occurrences.– Use software to monitor system activity and Use so w e o o o sys e c v y d

recover from fraud.


PEMP-ACF501


5 Prosecute and incarcerate fraud perpetrators– Most fraud cases go unreported and unprotected.

Why?• Many cases of computer fraud are as yet

undetected.• Companies are reluctant to report computer

crimes.


PEMP-ACF501

Session conclusionSession conclusion

• The concept of internal control was discussedThe concept of internal control was discussed• The world of internal control environment and its

structure were explainedp• The internal controlling activities were discussed• The activities of communication monitoring andThe activities of communication, monitoring and

threats were explained• Controlling activities in General Ledger were Co o g c v es Ge e edge we e

discussed


PEMP-ACF501

Session conclusionSession conclusion

• Business ethics/corporate ethics was explained• Fraud/computer fraud/schemes were discussed• Computer fraud in accounting was explained• Approaches and techniques were explained• Preventing fraud was discussed


day-7 internal control system, ethics, fraud and controls for ais pdf

Documents