PowerPoint Presentation

Chapter 10Chapter 10

Fraud & Internal ControlFraud & Internal Control

ACCOUNTING INFORMATION SYSTEMSACCOUNTING INFORMATION SYSTEMS

The Crossroads of Accounting & ITThe Crossroads of Accounting & IT

Why Does Fraud Occur?

Top two reasons given for why executive fraud occurs:

1. Pressure to meet goals: 81%

2. Personal gain: 72%

Fraud: What Will I Tell my MOM?

Sarbanes-Oxley Act of 2002

Section 404. Management Assessment of Internal Controls. The publicaccounting firm that audits the financial statements of the company must issuean attestation report regarding the effectiveness of the company’s internalcontrol.

Section 302. Corporate Responsibility for Financial Reports. Section 302requires the chief executive officer and chief financial officer to certify in eachannual or quarterly report that the signing officer reviewed the report and thatthe report does not contain any untrue or omission of material fact that makethe statements misleading.

Sarbanes-Oxley Act of 2002

Section 806. Protection for Employees of Publicly Traded CompaniesWho Provide Evidence of Fraud. Known as Whistleblower Protection forEmployees of Publicly Traded Companies. Section 806 provides for protectionagainst retaliation for employees, such as company accountants, who provideinformation in fraud cases of publicly traded companies.

Section 906. Corporate Responsibility for Financial Reports. Section 906requires corporate management to certify reports filed with the SEC, such asthe annual 10-K and quarterly 10-Q. Provides for criminal penalties of up to $5million or 20 years imprisonment.

Audit & Internal Control

Types of Audits:

Audit of internal control: tests of controls to obtain evidence that internalcontrol over financial reporting has operated effectively.

Audit of financial statements: tests of controls to assess control risk.Substantive procedures collect evidence regarding accuracy, completeness,and validity of data produced by the accounting system.

IT audit: tests of IT to understand how IT affects internal control overfinancial reporting. PCAOB expects auditors to understand how IT affects theaudit and integrate IT into the audit.

Integrated audit: required by Auditing Standard No. 5, integrates the auditof internal control with the audit of financial statements.

Controls Over Financial Reporting

Preventive controls: The objective of preventive controls is to preventerrors or fraud that could result in a misstatement of the financial statements.

Detective controls: The objective of detective controls is to detect errors orfraud that has occurred and that could result in a misstatement of thefinancial statements.

Corrective controls: The objective of corrective controls is to remedyproblems that have occurred by identifying the cause, correcting theresulting errors and modifying the system to prevent future problems of thissort.

Effective System of Internal Controls

An effective system of internal controls should exist in allorganizations to:

•Help them achieve their missions and goals.

•Minimize surprises.

COBIT

Control Objectives for Information & Related Technology

Enterprise Goals Drive IT Goals

COBIT IT Related Goals

Alignment of IT and business strategy

Compliance with external laws and regulations

Managed IT related business risk

Realized benefits from IT investments, while being transparent about thoseinvestments and related risks

IT services are in-line with business requirements, and enable and support thebusiness processes through the use of IT

IT investments deliver benefits on-time and on-budget

IT assets, processing and information are secure

Reliable and useful information for decision-making is available where andwhen needed

IT Controls

Purchasing Cycle: Application Control Objectives

Sales Cycle: Application Control Objectives

Payroll Cycle: Application Control Objectives

Banking/Cash: Application Control Objectives

Financial Cycle: Application Control Objectives

Reporting Control Objectives

Managing the Risk of Fraud

Five principles for establishing an environment to effectively manage fraud risk:

Principle 1: Fraud Risk Governance. There should be a written policy toconvey the expectation of the board of directors and top managementregarding managing fraud risk.

Principle 2: Fraud Risk Assessment. Fraud risk exposure should beassessed periodically to identify potential events the organization shouldmitigate.

Principle 3: Fraud Prevention. Prevention techniques should beestablished to avoid fraud risk events and mitigate impact on the organization.

Principle 4: Fraud Detection. Detection techniques should be establishedto uncover fraud events when preventive measures fail or unmitigated risks arerealized.

Principle 5: Fraud Investigation and Corrective Action. A reportingprocess should be in place to solicit input on potential fraud. Take correctiveaction including identify the cause, correct the resulting errors and modify thesystem to prevent future similar problems.