19

CHAPTER 2

FRAUD PREVENTION AND DETECTIONCredit hours – 4 Hours Prerequisites – NoneLevel – BasicCategory subjects – Accounting and Auditing

Course instructions – Review all material, and complete practice tests at the end of each section. A subject index and bibliography are included on page 50.

You then must complete the fi nal examination questions located at the end of the course. Choose the correct answer for the questions, and then proceed to www.elitecme.com to complete your fi nal examination online.

Upon passing with a 70 percent or better, you will then be asked to fi ll in your information and can print your certifi cate of completion for your records.

Course expiration date: You must complete your fi nal examination before the course expiration date of May 1, 2012.

The purpose of this course is to help CPAs comply with continuing professional education credit hours in accounting and auditing.

Learning objectivesAfter completing this course, you will be able to:

Appraise internal control environments and determine fraud

exposures.Detect behaviors indicative of some fraud schemes.

Associate process-independent internal controls and process-specifi c

internal controls with applicable fraud risks (and error).Apply the elements of the Committee of Sponsoring Organizations

(COSO) internal controls framework in practical settings.

Table of ContentsSection One - Introduction.............................................................. 19Section Two - Fraud Overview........................................................ 19Fraud defi ned...................................................................................... 19Other fraud schemes........................................................................... 21Fraud red fl ags.................................................................................... 24Section Two, Practice Test, Part 1................................................... 27Fraud Cases........................................................................................ 28Section Two, Practice Test, Part 2.................................................. 32Section Three - Internal Controls Overview.................................. 33Internal controls defi ned.................................................................... 33Fraud prevention and detection......................................................... 34COSO Framework: Elements of Internal Controls............................ 34Control environment.......................................................................... 35Section Three, Practice Test............................................................ 36Section Four - COSO Framework: Elements of Internal Controls............................................................................................. 37Risk assessment.................................................................................. 37Information systems and communication........................................... 38Control activities................................................................................ 40Monitoring of internal controls.......................................................... 40The Sarbanes-Oxley Act..................................................................... 41Section Four, Practice Test ............................................................. 42Section Five – Course Conclusion.................................................. 43Answer Key Practice Test, Section Two Part 1.................................. 43Answer Key Practice Test, Section Two Part 2.................................. 44Answer Key Practice Test, Section Three.......................................... 45Answer Key Practice Test, Section Four............................................ 46Final Examination Questions.......................................................... 48Index.................................................................................................. 50Bibliography..................................................................................... 50

Section One – Course introductionThis course is designed for professionals who are in a position to prevent or detect fraud, including accountants, business owners, executives and IT professionals. The purpose of this course is to provide a summary of fraud and facilitate an understanding of internal controls that may prevent or detect fraud.

The subsequent sections before your fi nal exam constitute your preparation for the fi nal exam. The second section presents background information about fraud, including types, schemes and red fl ags. The third section provides background and fundamental information about internal control systems. The fourth section discusses the importance of well-designed internal controls. The fi fth section presents information about process-specifi c internal controls. The sixth section presents information about process-independent internal controls. The seventh section describes policies that may promote fraud detection, as well as ethical responsibilities that follow fraud detection (your organization may include some of the same responsibilities in its code of conduct).

A practice exam and a fi nal exam follow these materials. The practice exam will allow you to test your knowledge before the fi nal exam; the answer keys for the practice exams will allow you to understand why each answer is either right or wrong because it provides an explanation as to why each option is correct or incorrect.

In addition to the aforementioned materials, this course also includes an index and a bibliography section. The index provides an alphabetical listing of important topics discussed in this course, and allows readers to quickly locate topics of interest. The bibliography provides reference information about sources used to generate this course. Also, it should be noted that the references used include professional auditing standards; these standards are used because they provide guidance about fraud that can be applied to many business settings, not just auditing and fi nancial accounting.

Section Two – Fraud overview

Major subjects:Fraud defi ned.

Precursors to becoming a fraudster.

Types of fraud.

Fraud schemes.

Fraud red fl ags.

Consequences of fraud.

Fraud cases.

Fraud defi nedFraud is a very general term that can mean different things not only to different people, but also in different circumstances. Therefore, it becomes necessary to defi ne fraud as it will be used in this course. Fraud is an intentional action undertaken with the explicit purpose of achieving fi nancial gain and/or harming another party. Fraud in business settings also typically results in, either directly or indirectly, material misstatements in the company’s fi nancial statements.

The goal of the fraudster is to commit fraud and get away with it. The goal of this course is to prepare you to prevent and detect fraud. In this light, it is important to understand that it is impossible to eliminate the risk of fraud, but it is possible to improve your chances of preventing and detecting fraud.

To improve your chances of preventing and detecting fraud, this course opens with background information about fraud, including a description of fraud schemes, red fl ags (warning signs) of fraud, and consequences of fraud. This section also examines real fraud cases, such as Enron , Crazy Eddie, Adelphi and WorldCom . In addition to describing the fraudulent activities that were perpetrated in these cases, this course will use these fraud cases as valuable sources of information and lessons that can promote fraud prevention and detection through internal controls, other policies and general awareness of fraud schemes and how they have been carried out in the past.

20

Precursors to becoming a fraudsterMost people do not wake up one morning and simply decide that they will commit fraud that day. In fact, the decision to commit fraud is not that simple for many fraudsters. An important factor in the ability to prevent and detect fraud is the ability to recognize conditions that may lead to fraud. This subsection will describe four precursors that can lead to fraud, including incentive, opportunity, rationalization and capability. Often, at least one of these conditions is present before fraud occurs.

Incentive refers to anything that creates a reason to commit fraud. Incentives can come in many forms. Corporate incentives can arise from pressure to meet a benchmark, such as the consensus analyst EPS forecast, making a profi t, or requirements of debt covenants.

Incentives can arise from the promise of compensation beyond an individual’s normal salary and wages. Such personal incentives include bonuses and stock grants that are provided only if the company meets a certain benchmark. Other incentives can arise due to pressures to succeed, fulfi ll specifi c ambitions such as achieving a certain position, and to please family members and friends. Ultimately, all of these incentives can create pressure to commit fraud because the individual becomes more driven to meet a certain goal, perhaps by any means necessary.

This is not to say that incentives are inherently bad, as they can motivate people to work more effectively and effi ciently. However, the presence of incentives creates pressures to commit fraud because incentives create pressure.

Opportunity refers to the presence of favorable circumstances for committing fraud. Opportunity to commit fraud is created when internal controls are weak, do not exist or can be overridden. Typically, the higher a person is ranked in an organization, the easier it is to commit fraud because higher-ranked individuals have more power. For instance, it is much easier for an executive to override an internal control than for a clerk to override an internal control. Consider the cash disbursement process. Assume that company policy requires all checks for more than $20,000 to be signed by two managers. The CEO signs it and tells the payment clerk that no more signatures are needed. Can the clerk really stand up to the CEO and demand that someone else sign the check?

Now consider the reconciliation of the cash account to the bank account. Assume that the reconciliation cannot be performed by the payment clerk (because the clerk has access to the checks) and the controller is responsible for performing the reconciliation. It is highly unlikely that the clerk will be able to persuade the controller to allow the clerk, or anyone else for that matter, to perform the reconciliation.

This example illustrates that it is easier for higher-ranking executives to commit fraud than lower-level employees. Executives also tend to have access to more corporate resources than most employees. Therefore, as an individual attains a higher rank in the organization, the individual not only has greater opportunity to commit fraud, but also greater opportunity to commit a larger fraud.

Rationalization refers to the ability to justify fraud. For some, rationalization is easier than for others. Consider an example. Someone committing tax evasion can justify his/her actions perhaps through a belief that the government does not deserve to profi t from business ventures because the government does not assist (directly) in generating the revenues. Once this rationalization is completely accepted, it is not so large a step to begin skimming cash off the top of sales.

For many people, however, rationalization to commit fraud is diffi cult and requires time to evolve. Clearly, the stronger an individual’s ethical code, the more diffi cult it is to rationalize fraud. However, an otherwise law-abiding and decent person can commit fraud under the right circumstances. For example, assume that a certain CFO, who has a decent enough moral compass, has lived with chronic anxiety for months because of concerns about the company’s ability to meet the EPS forecast, which ultimately will allow the company’s stock price to

increase. Finally, this CFO yields to the pressure. The CFO decides to falsify the accounting disclosures in such a way that the company is able to record suffi cient profi t to exceed the EPS forecast.

Our CFO has just committed fraudulent fi nancial reporting , which of course is one type of fraud. How did the CFO rationalize this action? Maybe the CFO believed the means justifi ed the ends; the company will exceed the forecast, which will lead to a higher stock price, stronger market capitalization and a stronger company. In other words, the CFO’s actions can be rationalized by the goal of maximizing shareholder wealth, a goal that is shared by most companies. Or maybe the CFO simply thought about colleagues and other employees who might face a layoff if the company’s fortunes diminished. On the other hand, the CFO could have been thinking about how the other executives had praised the company’s ability to meet earnings forecasts in prior periods, which had fi lled the CFO with ambition to continue this impressive track record that had occurred on the CFO’s watch.

This example illustrates a couple of key concepts about the relationships between incentive , opportunity and rationalization. First, the greater an individual’s power (which tends to come with higher rank) within an organization, the greater the opportunity to commit fraud. Do you think a shipping clerk could have committed the same level of fraud so easily? Second, as incentives increase, so does the ability to rationalize fraud.

Capability refers to the psychological characteristics that are necessary in order to commit fraud, which include intelligence, confi dence, persuasiveness/coerciveness, the ability to lie and the ability to handle stress. The next few paragraphs discuss these characteristics as described by Wolfe and Hermanson (2004).

The fi rst psychological characteristic relating to fraud is intelligence. The fraudster must possess suffi cient intelligence to plan, execute and conceal the fraud for as long as possible. A person who does not understand business processes and practices will have great diffi culty perpetrating fraud. A person who does not understand the internal controls over a given business process will be unable to circumvent those internal controls. Think about the fraudsters and Enron or any other high-profi le fraud case. These frauds have at least one thing in common: the people behind the frauds were very intelligent.

The second psychological characteristic relating to fraud is confi dence. The fraudster must possess a certain level of confi dence that she/he can outwit others. Fraudsters have to believe that they can pull one over on internal auditors, external auditors, fellow employees, friends, family members, regulators, stock analysts, media members (an investigative reporter helped unravel the fraud at Enron [McLean and Elkind 2003]), and others who follow a given company and its performance.

The fraudster must also have confi dence that her/his schemes will return a large enough payoff that the actions will be worth whatever stress and potential scorn the fraud generates. Why commit a fraud if you believe it will not create a certain level of excitement and/or fi nancial return?

The third psychological characteristic relating to fraud is persuasiveness/coerciveness. An effective fraudster must be able to persuade others that he/she is not committing a fraud, and may also need to persuade others not to perform certain actions (such as internal controls) that may uncover fraud. Sometimes mere persuasion is not enough, and the fraudster must coerce others through pressure, threats and other intimidation tactics. Interestingly, fraudsters are sometimes nice to people who may uncover frauds. Kindness is a powerful persuasion tool if it convinces the target that the fraudster is a good person. How can someone we like, a good person, commit a heinous fraud? Stop for a moment to think about that. Just because someone is nice does not mean he or she cannot commit a fraud.

The fourth psychological characteristic relating to fraud is the ability to lie and to sustain the lie indefi nitely. Fraud involves either explicit or implicit lies. Fudging account balances, falsifying the mileage a person turns in on an expense report or hacking into a system involve lies. The

21

CFO lies about the proper fi nancial balance. The employee lies about the number of miles from point A to point B. The hacker is an unauthorized systems user who is posing as an authorized user.

Not only must fraudsters have the ability to lie, but they also must be able to sustain the lie indefi nitely. It can take months or years for a fraud to be uncovered. During that time, the fraudster must sustain the lie or it will fall apart and the fraudster probably will be caught. The longer the fraud and the accompanying lies must be sustained, the greater the stress the fraudster will be under.

The fi fth psychological characteristic relating to fraud is the ability to handle stress. It would be unrealistic to believe that fraudsters do not experience stress because they can rationalize their actions to some degree. Committing fraud induces stress because of the consequences of fraud. Every day fraudsters know that someone may catch them that day, and if that happens, they will face embarrassment and punishment, often in the forms of fi nes and prison sentences. This constant threat of detection creates a stressful environment. In order for the fraudster to maintain the fraud for any length of time, he/she must be able to not crack under the stress of maintaining a fraud, because many frauds get bigger and bigger every day, and more actions are needed to conceal fraud as time passes.

In summary, there are four precursors that lead to fraud. All four are not necessary for fraud to occur, but usually at least one of these precursors is present in fraud cases. The fraudster must have incentive to commit fraud, the opportunity to commit fraud, the ability to rationalize the fraud, and the capability to commit the fraud.

Types of fraudAs previously discussed, fraud is a very general term that describes a multitude of intentional actions that are undertaken for the purpose of the fraudster’s own gain and/or infl icting harm on another. We can classify fraud into two primary types: fraudulent fi nancial reporting and misappropriation of assets. Other frauds are classifi ed here as miscellaneous fraud.

Fraudulent fi nancial reporting refers to intentional falsifi cation or omission of fi nancial data. From an accounting standpoint, the consequences of fraudulent fi nancial reporting are refl ected in many places, including account balances and fi nancial statements. An important distinction is made between falsifi cation and omission of fi nancial data. The previous example of the CFO fudging account balances to meet a benchmark such as the EPS forecast is an example of the falsifi cation of fi nancial data. To put it simply, falsifi cation involves fraudulently changing fi nancial balances and misleading investors, creditors and other users of fi nancial information.

Omission of fi nancial data is equally as serious as falsifi cation. Imagine that a company did not report its net income. How could an investor analyze the stock and make informed investing decisions? How could a banker decide whether to extend credit to the company? Obviously, this example is too simple – even fraudulent companies report net income. But other accounts, or more likely, certain transactions, can be omitted. What if a company omitted a journal entry that should have resulted in an expense and the reduction of an asset? The consequences are overstated net income and overstated total assets, which will paint an overly optimistic picture to investors and creditors, who may purchase stock or lend funds that they otherwise would not have.

Fraudulent fi nancial reporting is often diffi cult to prevent or detect because it typically does not occur where fi nancial accounting principles provide specifi c guidance. In other words, most fraud does not involve traceable revenues or expenses. The majority of fraudulent fi nancial reporting occurs in the gray areas of accounting principles where specifi c instructions are lacking. For instance, public companies are required to reserve an allowance to write off a reasonable amount of credit accounts receivable because not all customers who purchase on credit will ultimately pay what they owe the company. The problem is that there is no foolproof solution to the question, “what is reasonable?” Fraudsters

can manipulate such subjective areas of fi nancial reporting principles to commit fraudulent fi nancial reporting. Such cases are diffi cult to prevent and detect because it is not clear when the line is crossed between normal uncertainty regarding estimates and fraud.

Fraudulent fi nancial reporting is usually perpetrated by employees, but also can be perpetrated by external parties. For example, a hacker can gain access to a company’s accounting system and change transactions and account balances.

Misappropriation of assets refers to the theft of assets. Professional auditing standards note that from an accounting point of view, misappropriation of assets becomes fraudulent when the fi nancial statements are misstated (AICPA 2002), but we take a broader view of misappropriation of assets. We consider misappropriation of assets fraud even if no material misstatements ensue. It is fraud because, while possibly on a small scale, the organization is harmed. Even if someone commits a relatively minor offense, such as stealing offi ce supplies for personal use, the organization is still harmed because it will have to purchase more supplies than it should for business uses.

Misappropriation of assets sometimes involves fraudulent fi nancial reporting . A person who steals company assets likely will record false journal entries to conceal the theft. Assume a company sells computers and related hardware. An employee who steals some of the items likely will make false journal entries to conceal the theft. The fraudster may record journal entries that indicate the items were returned to the supplier because they were damaged, or perhaps that the items were sold, to conceal the theft. Consequently, the fi nancial statements would be intentionally falsifi ed. Even when the fi nancial statements are not affected by theft, the fraudster may need to falsify other records such as insurance contracts, purchase orders and shipping documents.

Like fraudulent fi nancial reporting , misappropriation of assets also may be perpetrated by both employees and people who are not affi liated with the organization. However, it is probably more likely that outsiders may be involved in misappropriation of assets than fraudulent fi nancial reporting. While a hacker could gain access to an accounting system and falsify fi nancial balances and accounts, committing this fraud requires a certain level of technical expertise that most thieves do not possess. It is easier to steal physical assets such as equipment, vehicles and supplies than to hack into a protected system. Therefore, it is reasonable to assume that misappropriation of assets will be more likely to involve parties who are external to the organization than fraudulent fi nancial reporting.

In summary, fraudulent fi nancial reporting involves the intentional falsifi cation or omission of account balances and fi nancial statements. Misappropriation of assets involves the theft of assets, and is sometimes accompanied by fraudulent fi nancial reporting .

Other fraud schemesSome fraud schemes, such as the use of fi ctitious employees to obtain unearned paychecks, are clearly fraudulent. Other fraud schemes, such as the so-called big bath , are not so cut and dried. These subjective schemes could be viewed as fraud, or they could be the result of the fact that accounting principles cannot provide defi nitive guidance for every business event. This gray area in accounting principles allows room for doubt that some schemes are necessarily fraudulent, but this course will describe schemes that take advantage of subjectivity in the accounting rules because they could be used to commit fraud.

A big bath refers to a large expense that a company incurs in one fi scal period to avoid recognizing expenses in subsequent fi scal periods. To illustrate the benefi ts of a big bath , consider depreciation. Capitalized expenses, or fi xed assets, are required to be depreciated, amortized or depleted (with the exception of land) over their useful life. If a company purchases a truck, it must depreciate, or expense the cost of acquiring the truck, over the life of the truck because accounting principles require matching costs to the period in which they are incurred. If the company could just expense the truck up front, it would avoid having

22

this recurring expense in subsequent accounting periods. While the big bath does not apply to the costs to purchase a truck (because accounting principles are very clear in such a case), you probably get the idea of how the big bath works.

The advantage of the big bath is that a one-time charge does not appear as troubling to investors and creditors as a series of regular expenses. So when do companies take big baths? A big bath is often taken when the company restructures its operations. The expected costs of restructuring are of such magnitude that companies estimate these costs and report them as expenses in the current period. Essentially, these are the costs of eliminating ineffi ciencies in operations, which should require a healthy investment. The company can spin the loss as one-time and necessary to ensure future profi tability. So investors and creditors can rest assured that while the current performance is not great, things are defi nitely looking up.

Now fast forward to the end of the corporate restructuring. The company has made itself more profi table and more effi cient, and it managed to do so at a lower cost than what it had expected. Therefore, part of the expenses recognized in the big bath can be reversed, which means increasing current earnings. Somehow, this reversal usually occurs in a down period when the company is having trouble meeting its earnings goals (Levitt 1998).

A variant of the big bath involves accounting for business acquisitions. When a company acquires another entity, it must account for this purchase. While accounting principles provide some guidance for mergers and acquisitions, there is still some subjectivity to the process, which allows fraudsters to make their move.

Fraudulent accounting for acquisitions involves classifying some percent of the acquisition price as research and development expenses, which can be written off in a one-time charge. The advantage to the fraudster is that no additional expenses are incurred in future accounting periods and the fraudster can point to the acquisition as evidence of the company’s growth and note that one-time costs to the acquisitions should not refl ect poorly on the company.

The creation of cookie jar reserves involves infl ating estimates for: (1) liabilities such as sales returns, warranty costs and loan losses; and (2) contra assets such as inventory obsolescence and the allowance for uncollectible accounts receivable (Levitt 1998). Financial accounting principles require companies to estimate these liabilities, contra assets and the accompanying expenses using reasonable methods. While that sounds good, the problem is that there is no defi nitive explanation of reasonable. A fraudster can justify the estimate used as reasonable, and use it to overstate earnings in future periods when the company is in danger of missing the EPS forecast or other benchmarks.

Let’s assume that a fraudster estimates the allowance for uncollectible accounts receivable at $100,000 for three consecutive accounting periods. During these periods, the company is having no trouble meeting any of its performance benchmarks and things are generally going smoothly. Then in the fourth period, the company struggles somewhat, and it becomes clear that it will not meet its benchmarks through the results of its operations. The fraudster steps in and notices this nice reserve of uncollectible accounts. The fraudster decides that $100,000 per year is too much, and reduces the balance in the contra asset, which means that the associated expense account (bad debts in this case) is also reduced. As you know, a reduction of expenses means that earnings are increased. Just like magic, without a single change in operations, the company is able to meet its benchmarks.

Another fraud scheme is taking advantage of materiality by using immaterial journal entries to overstate earnings (Levitt 1998). In fi nancial accounting and auditing, materiality refers to the signifi cance of a given amount to users such as investors and creditors. An amount is material if, by itself, it is large enough to matter – in the sense that it might change the investment, lending and other decisions of a reasonable user. Auditors are trained to focus on material amounts, and fraudsters are aware of this practice.

Levitt (1998) explains that a fraudster can take advantage of materiality by deliberately booking errors that are immaterial (small enough to be less than the materiality threshold). The perpetrator is aware that auditors are less likely to catch and propose adjustments for immaterial amounts because these immaterial misstatements are not large enough, by themselves, to affect users’ decisions. But if you take them together, they inevitably result in a material misstatement, and one that usually overstates current earnings.

Revenue recognition is a fraud scheme that involves overstating earnings by manipulating the rules concerning recognizing revenues from operations. Accounting rules provide fairly specifi c guidance about when a company can record revenues. Usually, revenues should not be recognized until all activities required to fi nalize the sale (i.e., delivering goods; rendering a service) are complete. While this principle is fairly clear, fraudsters have managed to take advantage of revenue recognition.

Consider a company that sells widgets. Accounting principles require that this company recognize revenues when it delivers the widgets to its customers. This company has had something of a down year, and now it is late in December and the company’s earnings have slipped just under its earnings forecast. The company makes a large shipment of widgets during the last week of the month, but they will not be delivered until the following week, which happens to fall in the next accounting period. The company’s executives then succumb to the incentive to commit fraud and go ahead and recognize the revenues in the current period. They decide to record the revenues, allowing them to meet the earnings forecast.

What is wrong with these actions? No one appears to be harmed. So they recognized the revenues a few days too soon. The customer still received the goods on time. There are at least two problems with the executives’ actions. First, they violated the fi nancial reporting rules that apply to all public companies and committed fraudulent fi nancial reporting . Second, they deceived investors, creditors and other users by creating the false impression that their operating performance was better than what it was.

Another fraud scheme involves hiding expenses and liabilities in special purpose entities and subsidiaries (SEC v. Lay et al. 2004). Under the rules of consolidation accounting, the transactions of the special purpose entities and subsidiaries should be combined with those of the parent company when preparing the consolidated fi nancial statements. Therefore, intracompany profi ts (or losses) are eliminated and investors and creditors can evaluate the company’s operations as they pertain to transactions with external entities. Fraudsters such as the Enron executives, however, have violated accounting principles concerning consolidation by treating special purpose entities as independent entities and not eliminating the effects of intracompany transactions.

An effective fraudster can create a web of special purpose entities and subsidiaries and use this network to funnel losses and liabilities off the parent company’s fi nancial statements. As a result, the parent appears more profi table and in better fi nancial standing than it actually is. This scheme has attracted much attention as one of the fraud schemes used by the Enron executives. Interestingly, Enron executives were audacious enough to give its special purpose entities and subsidiaries preposterous nicknames such as Jedi, providing evidence that many fraudsters are confi dent they can fool anyone (SEC v. Lay et al. 2004).

The omission of liabilities and expenses is another scheme that has been used in fraudulent fi nancial reporting . Under double-entry accounting rules, every transaction involves at least two fi nancial statement accounts. When a liability is increased, the complementary entry often is to increase expenses. For example, when a company records salaries and wages payable, it simultaneously records salaries and wages expenses. If a company omits a given liability from its books, it can also omit the accompanying expenses. Therefore, both earnings and net assets are overstated.

Fraud also can be committed through the failure to record sales returns. When a customer returns an item that was previously purchased, fi nancial accounting principles require that the company reduce net sales revenue, which reduces earnings. However, fraudsters can overstate

23

earnings by not recording the returned merchandise. The fraudster can also place the returned items, which may be defective, back into merchandise inventory and possibly sell the same items twice. In this manner, fraudsters can use sales returns to overstate earnings in multiple ways during the same fi scal period.

Lapping is a fraud scheme that occurs before cash payments from customers are recorded. In a lapping scheme, the perpetrator steals a customer’s payment then applies payments from other customers to conceal the embezzlement. The lapping fraudster must continually move customer payments from account to account to conceal the embezzlement, causing the scheme to become more involved over time.

Kiting is a fraud scheme that occurs after cash payments from customers are recorded. In a kiting scheme, the fraudster embezzles funds from the company’s bank account. The perpetrator then moves money from different bank accounts into the account from which the cash was stolen to cover the fraud. The kiting fraudster must continually move funds from account to account to conceal the embezzlement. Like lapping, kiting is a good example of an instance in which the fraud must get bigger and bigger as time passes.

In addition to providing evidence that fraud typically gets harder and harder to perpetrate and conceal as time passes, lapping and kiting provide another lesson about internal controls and how they can be used to prevent and detect fraud. No employee, regardless of position, should have both custody and record-keeping authorities for physical assets such as cash. Management should monitor employees by randomly working in each position periodically; this helps the manager be aware of all changes within the company and stay on top of the responsibilities assigned to each employee. If the manager is not able to fulfi ll the position, cross-train employees to cover positions for each other so that no one employee is responsible for one area. This also helps to avoid problems such as lapping in accounts receivable.

Romney identifi es fi ve computer fraud schemes : altering data and fi les, copying data and fi les, theft of computer time, stealing software and misuse of output devices. Altering data and fi les is a serious offense because the organization may lose data that is vital to various business processes, and employees are forced to spend additional time and other resources restoring the lost or modifi ed data and fi les. Furthermore, altered data may result in fraudulent cash disbursements.

An example of a scheme that involves fraudulent data altering is the creation of fi ctitious vendors. Faking vendors is a scheme in which the fraudster adds fi ctitious vendors to the organization’s authorized vendors list and collects any payments sent to those fi ctitious vendors. In this scheme, the perpetrator must have access, either authorized or unauthorized, to vendor data and must be able to manipulate that data. This scheme involves both misappropriation of assets and fraudulent fi nancial reporting , because the accounting records will refl ect the payments sent to the fi ctitious vendors.

When the fraudster is an authorized user, this scheme is usually perpetrated by an individual in the purchasing department. A purchasing agent needs to access the vendor data because it would be diffi cult to acquire items without contact information, such as phone numbers and e-mail addresses. Normally, such data is stored in a vendor table in the company’s database system. The fraudulent purchasing agent can simply add a fi ctitious vendor, add it to the authorized vendor list (if such a list exists), and act as though a purchase was made from the vendor. The perpetrator will likely list the payment address for this fi ctitious vendor as a post offi ce box, which in reality is owned by the fraudster or a cohort. When the organization submits payments, the fraudster collects the money from the post offi ce box.

When the fraudster is an unauthorized user, the fake vendors scheme does not have to be carried out by an employee (but an employee who is an unauthorized user can perpetrate this scheme), and often the perpetrator is not an employee. An unauthorized user must hack into the

organization’s vendor data to carry out this scheme, and the steps would be similar to those involving employees.

A similar fraud tactic involving altering data for cash disbursement is the creation of fi ctitious employees. Fake employees is a scheme in which the fraudster adds fi ctitious employees to the organization’s payroll list and collects any payments sent to those fi ctitious employees. This scheme is similar to fake vendors in that it involves the creation of a fi ctitious entity and collection of payments, processed by the organization, to the fi ctitious entity. In this scheme, the fraudster must have access, either authorized or unauthorized, to employee data and must be able to manipulate that data. The fake employee scheme involves both fraudulent fi nancial reporting and misappropriation of assets .

This scheme requires access to and the ability to create and modify records within employee data. Normally, such data is stored in the employee table of the organization’s database system. The perpetrator must add a fi ctitious employee to the employee listing and include either an address where paychecks can be mailed or a bank account for direct deposit of paychecks. In either case, the paycheck ultimately ends up in the hands of the fraudster or a cohort. In this scheme, the perpetrator is paid twice if he/she is an employee. If the fraudster is not an employee, he/she receives wages without any service to the organization. Either way, misappropriation of assets and fraudulent fi nancial reporting occur because the fi nancial accounting records will refl ect the fraudulent wages.

Another payroll scheme involves claiming false overtime hours. In this case, the perpetrator claims to have worked overtime, which usually results in a higher hourly pay rate than regular hours.

Other fraud schemes involve the use of computers and systems. Davis and Braun (2004) explain that while the introduction of automated processes and electronic tools into the business world has improved operational effectiveness and effi ciency, these changes have given fraudsters new opportunities to commit fraud. They also note that both unauthorized users, such as hackers, and authorized users, such as employees, of an organization’s systems have perpetrated computer fraud. While internal controls are designed to protect the organizations systems, fi les and data, internal controls cannot eliminate computer fraud.

Copying data and fi les without modifying them is also serious. Consider the anxiety that a restaurant chain’s executives would experience if a hacker was able to copy the fi les that contained the company’s secret recipes for its specialty items. The executives would be under constant fear that the hacker would sell these trade secrets to their competitors in the restaurant industry.

Theft of computer time refers to not using corporate computer resources for business purposes. Using the offi ce computer to check personal e-mail, track personal investments, follow a sports team or surf the web for birthday presents are examples of activities that constitute theft of computer time when they are done while individuals should be fulfi lling their duties to their employing organization. Theft of computer time results in the organization funding the personal interests of its employees.

Stealing software is another computer fraud scheme. Individuals may steal software for various reasons, such as getting help with personal taxes or using bookkeeping software packages to set up budgets and balance checkbooks. Stealing software is an unauthorized use of the organization’s purchased rights to utilize a given software package. This fraud scheme also harms the software vendor because the fraudster is using the vendor’s product without paying for the right to access that software for personal uses.

Misuse of output devices refers to using output devices, such as printers, copiers and fax machines, for personal use. In this case, the fraudster uses organizational resources (the output device and accessories such as toner and paper) for personal benefi t. Perhaps the fraudster needs to make copies of an important personal document and would prefer to use the employer’s copier rather than pay for the use of public copiers in a store.

24

Fraud red fl ags Red fl ags are warning signals that fraud may be occurring because they create incentive s, opportunities or provide rationalization for fraud. The discussion of red fl ags does not include capability because the capability to commit fraud for a given individual is either present or not, and you can measure capability by looking at the characteristics described earlier in this section (such as intelligence; confi dence; the ability to consistently lie). The presence of red fl ags does not guarantee that a fraudster is currently at work, but provides evidence that fraud may be transpiring. In other words, the more red fl ags present in a given situation, the stronger the likelihood that a fraud is being perpetrated. Therefore, red fl ags are indicative of the fraud risk, not fraud.

Recall that the majority of fraud either results in fraudulent fi nancial reporting or misappropriation of assets, and sometimes both. To better describe red fl ags (i.e., fraud risk factors), this course uses the taxonomy provided by Statement on Auditing Standard (SAS) 99. Specifi cally, fraud risk factors are classifi ed as increasing the risk of fraudulent fi nancial reporting or misappropriation of assets.

While these red fl ags were initially listed with auditors in mind, they are relevant for anyone with a responsibility for detecting and preventing fraud. Auditors, executives, IT professionals and others should be aware of the potential for fraud in their organizations and ready to follow up on red fl ags because all corporate offi cers have responsibilities to investors, creditors and other stakeholders.

SAS 99 identifi es the following red fl ags that may be indicative of fraudulent fi nancial reporting because they create incentives and pressures to falsify accounting records:

Increasing competition.

Declining market share.

Technological changes that can result in inventory obsolescence.

Diminishing customer demand.

Recessions.

Poor operating performance.

The threat of hostile takeovers.

Abnormal profi ts relative to similar companies in the industry.

New regulations.

New accounting principles.

Analysts’ forecasts.

The necessity of debt and equity fi nancing.

Requirements of debt covenants.

Incentive-based compensation.

Pressure to meet fi nancial targets.

This course will describe how these red fl ags create incentives for fraudsters.

Increasing competition, diminishing customer demand and declining market share create incentives to falsify accounting for normal operations. If competitors are able to carve out a market niche and draw customers away from a company, the company’s operating performance will decline. The company’s executives likely will feel pressure to maintain the growth and profi ts the company had experienced before it lost market share. Such changes in the business create incentives to overstate earnings so that the company will appear positively to investors and creditors.

Technological changes create incentive s concerning accounting for inventory obsolescence. If a company’s competitors have introduced technologically superior products, then the company’s now old items probably will not produce the same sales volume as before the competitor’s products hit the market. This situation creates incentives to not write down as much inventory as the company should, which means the company would not record as large as an expense as it should. The company would be under pressure to design and produce new products as well as to delay writing off its older inventory.

Recessions create incentive s to overstate earnings. Recessions are an interesting source of pressure because they do not come about directly through the actions of a given company or its competitors. This incentive

can lead to highly effective rationalization because the company’s executives can reasonably conclude that their decline in sales is not their fault or the consequence of competitors’ actions.

Poor operating performance creates incentive s to overstate earnings. Unlike a recession, poor operating performance can be directly linked to the company’s actions. For some reason, such as a failure to respond to innovations by competitors, the company is no longer performing very well. Rationalization occurs when the executives convince themselves that it is not their fault, that they have simply experienced a run of bad luck, and that they must overstate earnings to maximize shareholder wealth.

The threat of hostile takeovers is a red fl ag because executives will be desperate to increase the company’s stock price, making it more diffi cult for others to take a controlling interest. Executives under threat of hostile takeover have incentive to use any means necessary to overstate earnings in the name of “saving the company.”

Abnormal profi ts relative to similar companies in the industry is a red fl ag because it is indicative of an exception. Anytime an exception occurs, it should be investigated. Consider a company that consistently returns a profi t margin around 20 percent when the industry average for profi t margin is 6 percent. The company’s executives are not necessarily committing fraudulent fi nancial reporting , but as you have probably heard, where there is smoke, there is often fi re.

New regulations and new accounting principles create incentives for fraudulent fi nancial reporting for two primary reasons. First, new regulations and rules usually come about to address a problem that has occurred in the past, to close some loophole. Fraudsters may be able to fi nd other loopholes that the regulators and standards-setters did not consider. They may be able to follow the new rules but commit similar types of fraud that skirt the new rules. Second, fraudsters can claim that they did not understand the new rules or did not realize that the new rules applied to their company. While it seems this defense would not stand in legal settings, recall that fraudsters must be effective liars and have strong abilities to persuade others of their innocence.

Analysts’ forecasts create incentives to overstate earnings to equal or exceed the forecasts. The consensus analyst earnings per share forecast is a benchmark that investors and creditors frequently use to evaluate public companies. Almost always, when a company fails to at least equal its EPS forecast, investors sell shares of the company’s stock, which leads to a decline in stock price and market capitalization. The decline in stock price leads to capital losses for investors who hold the stock and personal losses for executives who hold stock options and stock shares. The presence of analyst forecasts is one of the largest sources of incentives to commit fraudulent fi nancial reporting .

The necessity of debt and equity fi nancing is a major concern for corporations because fi nancing is critical for staying competitive. Companies need resources to develop new products and continue returning profi ts. When operating performance is strong, obtaining debt and equity fi nancing is often relatively easy. However, when operating performance is weak, executives have incentive to paint an overly optimistic picture of operations to ensure that the company can sell stock and obtain loans.

Requirements of debt covenants create incentives because ordinarily, the ability of the borrower to obtain additional funds is based on its ability to meet certain benchmarks. Given the necessity of fi nancing, executives have incentive to ensure that the company can obtain loans. Therefore, executives have incentives to overstate operating performance and earnings so that lenders will not believe the company is too great a credit risk.

Incentive-based compensation creates a personal incentive for executives to commit fraudulent fi nancial reporting . Executives have a corporate incentive to maintain the company’s stock price because the company can continue to obtain fi nancing, gain market capitalization and attract qualifi ed employees. Executives also have a personal incentive to maintain operating performance and stock price if some portion of their

25

compensation is based on the performance of the company. For instance, managers may receive a bonus if the EPS forecast is exceeded. Or managers may be granted stock options, which increase in value as the company’s stock price increases.

Pressure to meet fi nancial targets can come from external sources, such as analysts, or internal sources, such as the board of directors. As previously discussed, the consensus analyst EPS forecast creates a signifi cant incentive to commit fraud. Insiders can also create incentives for fraudulent fi nancial reporting by emphasizing benchmarks. If the board of directors pressures the company’s executives to meet certain benchmarks (i.e., 7 percent earnings growth), the executives will feel pressure to meet these benchmarks, creating incentives to falsify accounting records.

SAS 99 identifi es the following red fl ags that may be indicative of fraudulent fi nancial reporting because they create opportunities to falsify accounting records (AICPA 2002):

Transactions with related parties.

Complex transactions.

A complex organizational structure, such as subsidiaries.

Industry domination.

Subjectivity in accounting.

Off-shore operations that do not have a clearly defi ned business purpose. Management is dominated by one individual or a small group.

The board of directors and audit committee have little control over

management.High turnover of executives and accounting personnel.

Inadequate internal controls.

This course will describe how these opportunities allow fraudsters to deceive others.

Transactions with related parties such as subsidiaries create opportunities for fraudulent fi nancial reporting because the liabilities and expenses of the parent company can be removed from its books and transferred to related parties. While the rule of consolidation accounting requires companies to eliminate the effects of intracompany transactions when preparing the parent company’s consolidated fi nancial statements, fraudsters such as those at Enron have used this technique.

A related issue is complex transactions and the presence of complex organizational structure. Complex transactions can involve economic events that are diffi cult to account for, and can include the use of derivatives, hedge instruments or fi nancing arrangements that blur the line between liabilities and equity. The organizational structure becomes more complex as the company adds more subsidiaries and special purpose entities. As the organization becomes more complex and/or the company is involved in more complicated transactions, it becomes more diffi cult to detect and prevent fraud because a more specialized understanding of fi nancial accounting rules is needed to catch fraudsters.

Industry domination creates opportunities for fraud because the company begins to gain signifi cant clout with auditors, regulators, employees, customers and others who have an interest in preventing and detecting fraud. Assume that a company controls over 80 percent of the market in its industry. The executives of this company know that they have a lot of power and that consumers depend almost entirely on them to provide a product. If the executives commit fraudulent fi nancial reporting , they can use their considerable power to persuade others that they have not committed fraud or use coercion to reduce the negative consequences of any fraud they may have committed.

Subjectivity in accounting also creates the opportunity for fraud. There are several accounts for which the valuation is subjective because of the nature of these accounts, which also means that fi nancial accounting principles cannot provide defi nitive valuation guidance for these accounts. Such accounts include allowances for uncollectible accounts and inventory obsolescence; contingent liabilities, such as those that may arise from legal actions; and warranty liabilities. These accounts cannot

be valued with certainty, and there may be reasonable disagreement concerning the appropriate estimate for these accounts. This subjectivity provides fraudsters an opportunity to manipulate the account balances in a way that allows them to achieve their objectives.

Off-shore operations that do not have a clearly defi ned business purpose provide an opportunity to commit fraud. These off-shore operations are typically located in a place that is not under the authority of domestic tax agencies and are used as tax havens. There is no legitimate reason for a U.S. company to establish accounts in off-shore locales when all of its business operations are domestic.

When a company’s management is dominated by a one individual or a small group, that person or group has considerable infl uence over the company’s accounting practices. For public companies, corporate governance structures are set up in such a way that management is accountable to the board of directors and audit committee. However, if a single person or small group dominates management and can dominate the directors and audit committee, that person or group essentially has no limits to power and authority. The powerful can overstate earnings, and no person inside the organization is likely to call them out for committing fraud.

Similarly, if the board of directors and the audit committee has little control over management, executives probably will have multiple opportunities to commit fraud. One situation in which the board and audit committee can lack control is when management is dominated by an individual or a small group. The board and audit committee also can lack control over management if the directors and audit committee members do not possess suffi cient understanding of the company’s operations and industry, or they do not understand fi nancial accounting principles. In such conditions, fraudsters can take advantage of the directors and audit committee members’ ignorance of business and accounting practices.

High turnover of executives and accounting personnel creates the opportunity to commit fraud because such turnover is accompanied by the employment of persons who lack experience – and the understanding that accompanies experience – with the company’s business practices and accounting. In such a setting, a fraudster is more likely to be able to pass fraudulent fi nancial reporting off as legitimate actions than if the executives and accounting personnel possessed more experience with the company and its accounting practices. Note that when there is high turnover among executives and accounting personnel, misstatements due to errors are also more likely to occur.

Finally, inadequate internal controls create opportunities to commit fraudulent fi nancial reporting because the purpose of internal controls is to prevent and detect misstatements, including those initiated by fraudsters. You will read more about internal controls in the following sections, but for now, consider this example: Assume there is an internal control over payroll processing that produces a list of all employees who were paid overtime and includes the number of overtime hours each employee worked. This overtime list is sorted by department. Each department manager receives a list of employees in his/her department who received overtime pay and how many overtime hours they worked. If an employee deceitfully claimed overtime that he/she did not work, the department manager would be able to detect this fraud by comparing the overtime list to the information that the manager submitted to payroll. Now assume that no such internal control is in place. How much easier is it to falsely claim overtime without this or similar internal controls?

SAS 99 identifi es the following red fl ags that may be indicative of fraudulent fi nancial reporting because they foster the ability to rationalize the falsifi cation of accounting records (AICPA 2002):

The lack of a clearly stated corporate ethical code.

Non-accountant executives’ interference in the accounting process.

Setting aggressive earnings goals.

Attitudes toward paying taxes.

History of breaking accounting rules.

History of failures to correct known misstatements.

26

History of abusing materiality.

This course will describe how fraudsters can rationalize using these components of the business environment to perpetrate fraud.

The lack of a clearly stated corporate ethical code enhances the fraudster’s rationalization because the fraudulent actions can be viewed as not violating any corporate ethical standards. The fraud certainly involves violations of fi nancial accounting principles and probably federal law, but the fraudster can still use the lack of explicit corporate ethics to rationalize fraudulent fi nancial reporting .

Non-accountant executives’ interference in the accounting process gives fraudsters the ability to rationalize their actions. If these executives discount the seriousness of following accounting principles or attempt to make accounting principles seen as guidelines rather than rules, it becomes easier for a potential fraudster to rationalize fraudulent fi nancial reporting . The fraudster can view it as following the advice of the non-accountant executives and believe he/she is pleasing the bosses.

Setting aggressive earnings goals creates the rationale for fraud. You have already seen how the desire to achieve objectives and meet benchmarks creates incentives for fraudulent fi nancial reporting . The rationalization process is closely linked to these incentives. Fraudsters can convince themselves that committing fraud is acceptable because it will allow the company to meet goals and benefi t stakeholders such as investors and employees. Just the presence of these incentives provides rationale, and if management is aggressive in setting goals for the company, the additional rationale of pleasing the executives is added.

Attitudes toward paying taxes can also be used to rationalize fraudulent fi nancial reporting . You have just read that companies sometimes commit tax evasion by establishing off-shore subsidiaries that have no legitimate business purpose. Such actions are a red fl ag for fraudulent fi nancial reporting and are rooted in the executives’ attitude toward paying taxes. Fraudsters can rationalize their actions by believing that they have worked hard for their company, and the government does not deserve to tax its earnings and merchandise inventory. Such rationale usually leads to understatements of earnings and/or inventory. This often leads to IRS audits and government reviews of accounting records.

Finally, history can contribute to rationalizing fraudulent fi nancial reporting . The executives’ history of breaking accounting rules, history of failures to correct known misstatements, and history of abusing materiality can all play a role in rationalization. If management has a history of breaking fi nancial accounting principles and not correcting known misstatements, it becomes easier to rationalize the same actions in the current period. The attitude is “We’ve done it before, why not do it again?” If management has a history of stretching accounting principles by abusing materiality, it becomes easier and easier to rationalize committing fraud by taking advantage of materiality thresholds in the current period. At some point, fraudsters often start believing that their actions are not inappropriate because they have committed the same violations in the past. Therefore, a history of fraudulent fi nancial reporting can be used to rationalize fraud in the current accounting period.

Lets examine red fl ags for misappropriation of assets. This course uses the term misappropriation to refer to theft, although the word embezzlement is often used when cash is the stolen asset. SAS 99 identifi es two red fl ags that create incentive to misappropriate assets (AICPA 2002):

An individual’s troubles with personal fi nances.

Adverse relationships between individuals and their

employing organization.

An individual who is in trouble with his/her personal fi nances is more likely to steal cash and other resources than an individual who is in good fi nancial standing. The desire to fi nd solutions for one’s fi nancial diffi culties provides a strong incentive to embezzle corporate funds or steal other assets that could be sold to generate cash.

Adverse relationships between employees and their organization also create incentives to misappropriate assets. Adverse relationships often arise when employees feel slighted in some way, perhaps because they anticipate layoffs, feel they deserved a better raise or bonus, or expect some reduction in benefi ts such as health insurance coverage. When employees feel slighted, they have incentive to gain a sense of recourse by stealing cash or other assets with the intention of claiming what they believe they should have earned or attempting to repay the organization for the harm they believe the organization has rendered them.

SAS 99 identifi es the following red fl ags that create opportunities for the misappropriation of assets:

The organization keeps a signifi cant amount of cash on hand.

Merchandise inventory consists of small and highly valued items.

Internal controls over them do not provide adequate protection of

assets.

This course will describe how these opportunities give fraudsters the chance to steal.

If an organization keeps a lot of cash on hand, it is easier for fraudsters to steal the cash. If a lot cash is moving in and out of the organization on a regular basis, it becomes diffi cult to control and account for all of the cash. Therefore, it is easier for a fraudster to not only gain access to the cash, but also remove it from the premises without detection.

Another setting in which fraudsters have opportunities to misappropriate assets is when a company’s merchandise inventory consists of small items that have signifi cant value. A good example is jewelry. Most jewelry items are very small and very high in value. Such items could be easy to steal because they usually can be easily concealed. Compare the thought of stealing a necklace to stealing a computer monitor. Furthermore, there is a large, ready demand for jewelry, which makes it even more tempting to steal because the fraudster could quickly convert the stolen merchandise into cash.

The lack of adequate internal controls over the security of assets also increases fraudsters’ opportunities to misappropriate assets. This course will discuss what it means to have adequate controls in later sections. For now, it will suffi ce for you to understand that internal controls have two primary purposes: (1) to prevent and detect material misstatements; and (2) to safeguard assets. If internal controls cannot effectively safeguard assets, fraudsters have greater opportunity to steal assets without detection.

Finally, SAS 99 identifi es the following red fl ags concerning the rationalization for the misappropriation of assets:

Disregard for internal controls designed to safeguard assets.

Employees who are dissatisfi ed with the way in which the company

has treated them.Signifi cant changes in an employee’s lifestyle without signifi cant

changes in the person’s income.This course will describe how these attitudes and actions either foster, or provide evidence about, fraudsters’ abilities to rationalize stealing from others.

As you have read, one purpose of internal controls is to safeguard a company’s assets. An employee who displays a disregard for internal controls that are designed to safeguard assets is not far from rationalizing fraud. In this case, the fraudster may believe that because the internal controls have little value, the company does not place much value in the assets associated with the internal controls. The fraudster then comes to the conclusion that theft is acceptable because the company does not value the assets.

Recall that employees who are dismayed with their employing organization have incentive to commit fraud. Such employees may be disillusioned because they believe the organization owes them a bigger raise, a better promotion or perhaps a more extensive benefi ts package. In these cases, fraudsters can rationalize their actions by focusing on these perceived slights from the organization. The fraudster tends to think that the company is evil,

27

and his/her actions somehow justly punish the company for the harms it has rendered on the fraudster and on fellow employees.

Finally, when an employee displays signifi cant changes in lifestyle without accompanying increases in income, a red fl ag for the misappropriation of assets is present. This case is different in the sense that the rationalization has already occurred. However, it is still something that you should look for when evaluating whether a fraud has occurred. When an entry-level clerk who has driven an old car for years drives into the parking lot in a high-priced sports car, there is reason to suspect that the clerk has been embezzling funds from the company or stealing assets and converting them into cash to support his/her new lifestyle.

Section Two, Practice Test, Part 1

Please take the time to complete the following practice exam. The test consists of fi ve questions that will address the information you have read thus far. Be sure to compare your answers to the answer key and explanations provided on the pages just prior to the fi nal examination. Remember, your score on the practice exam does not count towards your fi nal grade. Only your score on the fi nal exam will count for credit.

Which employee has the greatest opportunity to commit fraud in the 1. accounts payable department?

The accounts payable clerk.a. The accounts payable manager.b. The controller.c. The chief fi nancial offi cer. d.

Fraudulent fi nancial reporting would be most likely in which of the 2. following transactions?

Fixed asset acquisitions.a. Salary expense.b. Warranty expense.c. Accounts receivable factoring.d.

An accounts receivable clerk is in the midst of a lapping scheme that 3. has been ongoing for several months. Which of the following would most likely catch the fraud?

Monthly account balances sent to the customers.a. Requiring a manager to confi rm the receipt of all material checks.b. Requiring periodic employee position changes and random c. management review. Examining the accounts receivable aging report each month.d.

Which of the following creates an opportunity for fraudulent 4. fi nancial reporting ?

A company’s board of directors and the audit committee have a. signifi cant infl uence on management.A company is operating in a declining market.b. A company operates in an industry that has several material c. subjective accounts.A company requires continuous fi nancing to stay competitive.d.

Which of the following red fl ags creates an opportunity for 5. misappropriation of assets?

Attitudes toward paying taxes.a. Merchandise inventory consists of small and highly valued b. items.Technological changes. c. Recessions.d.

Consequences of fraud Fraud usually has much more extensive consequences than what most fraudsters ever anticipate when they carry out their schemes. One impact of fraud, specifi cally fraudulent fi nancial reporting , is that the company’s fi nancial statements are materially misstated. Even if the fraud scheme involves relatively small amounts, fraud will always result in material misstatements because all fraud is material. There is no reason to commit fraud if it does not have an impact on users. Even misappropriation of

assets is material because the user (theft) must believe he/she will derive a benefi t from stealing the assets and risking the loss of employment, salary and benefi ts. Moreover, detected fraud is typically an indication that the internal control system has been operating ineffectively in at least one area. That is, absent collusion, fraud signals to the auditor and to management that it is possible for an employee to circumvent the intended purpose and design of an internal control.

Another reason fraud is always material is that at least one user group always makes fl awed decisions because of fraud. Whether the fraud results in paying an employee for services that were not rendered or in investors purchasing a stock they otherwise would not have purchased, fraud is always material because users’ decisions and actions would have been different if the fraud had not occurred.

The economic consequences of fraud can be massive and diffi cult to grasp because of their scope. WorldCom overstated its earnings by a staggering amount, somewhere between $5 billion to $9 billion (SEC v. WorldCom 2003). Enron executives attained hundreds of millions of dollars in personal profi ts by infl ating the company’s stock price through fraudulent fi nancial reporting (SEC v. Lay et al. 2004). The Enron executives manipulated the accounting disclosures to encourage investors to purchase the stock, and later sold their own stock shares and options at enormous profi ts. Adelphia settled out of court with the U.S. Department of Justice and agreed to pay more than $700 million in cash and stock shares to compensate parties that were harmed by its fraudulent fi nancial reporting . It is obvious that the monetary consequences of fraud can be staggering (SEC 2008).

The consequences of fraud can affect all stakeholders of an organization. Investors are harmed because they may invest additional funds based on the belief that the company’s fi nancial statements accurately refl ect the results of its operations. Investors normally have no reason to suspect fraud from a given company, so investors usually proceed with their investment decisions under the assumption that no fraudulent fi nancial reporting has occurred.

Similarly, the economic decisions of creditors are also adversely impacted by fraud. While creditors have a better opportunity to detect fraud because they are given more access to corporate offi cers and records, creditors are external to the company and have little chance of uncovering schemes that the fraudster is attempting to conceal. Similar to investors, creditors make their lending decisions based on the assumption that the organization seeking credit has not manipulated its accounting disclosures.

An individual’s fraudulent actions also harm fellow employees. It is not unexpected that colleagues will feel shock about the fraud and anger toward the fraudster for harming their organization. Employees who worked closely with the fraudster may experience doubts concerning the extent that they can trust others within the company. The company’s executives may experience guilt for hiring the fraudster and for not implementing internal controls that could have prevented or detected the fraud. The executives may also experience anger and implement stricter policies that apply to all employees, which could have an adverse impact on the morale of the workforce.

Fraud also touches the lives of family members and individuals in the local community. Suppose a fraudster is caught and must now explain the situation to his/her family members. Consider the strain that would be placed on familial relationships and the emotional consequences of perpetrating a fraud. While it may be diffi cult to place fraudsters in the context of a family unit because they are generally viewed as devious scoundrels, the fraudsters often have spouses, children and are involved in local charitable organizations.

In addition to the emotional toil experienced by the fraudster’s family members, individuals in the local community also suffer from the effects of fraud. Friendships are often ruined. The owners of local businesses that relied heavily on legitimate dealings with the fraudster’s company now face the anxiety of not knowing what fate will fall on that company

28

and whether their businesses can survive if one of their best customers suffers from the effects of fraud.

Fraud can also have far-reaching consequences on taxpayers who live across the country from the location in which the fraud occurred. The government can spend signifi cant amounts of taxpayer money preparing a case and pursuing legal actions against the fraudster. If the fraudster is convicted and sentenced to prison, taxpayer funding is again used, this time to provide food, housing and necessities for the convicted fraudster.

Fraud casesIn the last component of this section, you will read about several fraud cases. These cases effectively illustrate some of the ways in which fraudulent fi nancial reporting and misappropriation of assets have been carried out in actual settings. These cases also highlight red fl ags that can help you detect fraud and provide evidence concerning the extensive consequences of fraudulent activities. Finally, these cases provide lessons that can improve your ability to prevent and detect fraud.

Therefore, this course will summarize the fraudulent fi nancial reporting that occurred in these fraud cases with two objectives. First, you will gain an understanding of some internal controls that might have helped prevent or detect these fraud schemes. Second, you will see examples of red fl ags of fraud that were present at these companies but were either not noticed or ignored. The ability to identify both internal controls that could prevent or detect fraud and red fl ags in “real world” settings will assist your endeavors to prevent and detect fraudulent fi nancial reporting and the misappropriation of assets.

Enron The Rose Bowl football game is often referred to as the granddaddy of all bowl games because of its prestige. Similarly, Enron could be considered the granddaddy of all frauds because of the magnitude of the fraud and the arrogance through which it was carried out over several years around the turn of the century (SEC v. Lay et al. 2004). The key players in the Enron fraud were Kenneth Lay (chairman of the board and later CEO during the fraud era), Jeffrey Skilling (CEO), and Andrew Fastow (CFO). Enron got its start in the natural gas industry and rapidly expanded its operations into the electricity-providing industry as well as securities trading. This growth was executed by aggressively acquiring other companies. The company needed more and more investment dollars to fuel the growth because it was not returning profi ts from its operations. Therefore, the fraudsters used deceptive means to attract investors.

Not only did the Enron executives deceive investors and creditors into believing that the company was performing well and that it was an attractive investment, but they also increased their personal wealth at investors’ expense (SEC v. Lay et al. 2004). While the company’s operating performance was actually getting worse and worse, Kenneth Lay assured investors that the company was doing fi ne. However, he and other executives were secretly selling their own shares of Enron stock and making hundreds of millions of dollars in personal profi ts. As you have seen, fraudsters tend to have strong interpersonal skills. Like many fraudsters, Lay had the ability to consistently lie and persuade others that his actions were legitimate. Consequently, Lay and the other executives attained millions of dollars, while employees and investors were left with worthless stock and creditors were faced with a bankrupt borrower.

Recall that one of the red fl ags for fraudulent fi nancial reporting was setting aggressive targets for earnings growth, which fosters the ability to rationalize fraud. Enron ‘s goals included meeting or exceeding the consensus analysts’ earnings forecasts (which is common) and reporting earnings that grew about 15 to 20 percent annually. Achieving 15 percent earnings growth indefi nitely is incredibly aggressive.

The Enron executives employed a variety of tactics to perpetrate their fraud and achieve their objectives of attaining personal wealth, aggressive corporate earnings growth, and increasing the company’s stock price through any means necessary. These fraudulent tactics were necessary because Enron’s operating activities were not suffi ciently

successful to attain its goals, and the company often experienced negative cash fl ows from operating activities. Therefore, the executives manipulated the accounting disclosures to create the façade of a fi nancially healthy company that was a great investment opportunity.

One scheme the Enron fraudsters employed was the use of special purpose entities and partnerships to manipulate its accounting data. You have already seen that organizational complexity is a red fl ag for fraud because the more complex an organization and its transactions are, the easier it is to deceive auditors, users and employees.

The Enron executives created numerous special purpose entities to remove liabilities and expenses from the company’s fi nancial statements. The executives transferred Enron’s undesirable accounts to these special purpose entities so that they could record positive cash fl ows and profi ts, and understate liabilities. The rules of consolidation accounting require that public companies eliminate the effects of intracompany transactions when preparing the consolidated fi nancial statements of the parent company. However, the Enron executives did violate accounting principles by treating the special purpose entities as independent of Enron and not including them in the consolidated fi nancial statements.

As CFO, Andrew Fastow had fi duciary duties to Enron , its board of directors, investors and other stakeholders. He had a responsibility to disclose his duties in the best interest of the company. However, the Enron board of directors approved Fastow’s request to create and operate partnerships that would fund Enron’s special purpose entities. Fastow, the board of directors, and the executives did not care that Fastow had a confl ict of interest because he was the managing partner of the partnerships that funded Enron’s special purpose entities, and he was the CFO of Enron. The fraudulent transactions between Enron and Fastow’s partnerships allowed the company to conceal its weak operating performance and move liabilities and underperforming assets off Enron’s fi nancial statements.

An example of how Fastow’s partnerships were used to commit fraud can be found in a group of special purpose entities referred to as the Raptors. The Raptors were capitalized with Enron stock, and served as intermediaries in transactions between Enron and Fastow’s partnerships. Although the stated purpose of the Raptors was to hedge Enron’s investments, they actually had no legitimate purpose. The Raptors did not represent a hedge because they were backed by Enron’s stock, meaning that if the “hedged” assets continued to perform poorly, Enron’s stock price would suffer (assuming investors found out). The Raptors did serve the Enron executives’ true purpose by allowing them to fi ctitiously claim over $1 billion in fi ctitious earnings.

Fastow also used the special purpose entities and his partnerships to personally profi t from the Enron fraud. 2004). The Enron executives used the Raptors to funnel investments, which were decreasing in value, off Enron’s books. The transactions represented violations of accounting principles because the Raptors were not independent from Enron. Fastow’s partnerships received over $10 million in illicit profi ts from their dealings with the Raptors.

The Enron case provides more evidence that fraudsters can effectively lie and persuade others. Enron had an investment in Nigerian power barges that were used to generate electricity. Enron sold these Nigerian power barges to one of its investment bankers, Merrill Lynch, so that it could meet earnings targets. Since no other electricity-provider would purchase the barges, Enron convinced Merrill Lynch to buy them. Enron persuaded Merrill Lynch with a promise that it would profi t from the investment in the barges and receive an agreed-upon cash settlement from Enron in the near future. This “sale” represented a violation of accounting principles. It was not a sale because Merrill Lynch incurred no risk. Therefore, Enron should not have recorded earnings. Again, it is clear that having aggressive earnings targets creates rationalization for fraudulent fi nancial reporting .

You have already read that accounts that are valued through subjective estimates leave the door open for fraud because accounting principles cannot provide defi nitive guidance for these accounts. Enron provides

29

an excellent example of this abuse of accounting principles. While the majority of Enron’s operations failed, there was one unit within Enron that continued to make profi ts: trading on energy prices. Enron’s traders were able to prey upon the rising costs of energy in California to return billions of dollars in profi ts from speculating on energy prices. These activities should have been disclosed to market participants, who would have realized that Enron was now a highly risky company because its only real source of income was derived from speculative trading on electricity prices. The Enron executives fraudulently used reserves to hide millions of dollars earned from its trading activities rather than report the profi ts to investors and creditors. The executives then used this reserve to counter the losses from the majority of its operations and report operating profi ts.

Another deceptive tactic used by Enron was lying to stock analysts. Jeffrey Skilling and other executives consistently lied to analysts about the performance of various projects Enron had undertaken. For example, Enron entered the broadband service venture and touted this project as the leading provider of broadband. Skilling made false claims in conference calls with analysts. He said that Enron’s broadband service was the market leader and already had its network in place. In actuality, Enron did not have the network in place and did not have the technological resources to run such a network. Skilling continued to deceive analysts in this fashion over several quarters, even while the company laid off employees because of the failure of its broadband venture.

Not only did Enron lie to stock analysts, but also to the entire fi nancial market. Many of Enron’s SEC fi lings were fraudulent during 1999-2001 (SEC v. Lay et al. 2004). These fi lings are used by investors, creditors and regulators when evaluating companies.

In summary, the Enron fraud highlights three characteristics of fraudsters. First, fraudsters are effective liars and can continue their lies over time. Second, fraudsters can use corporate objectives, especially aggressive goals, to rationalize their actions. Third, fraudsters are usually of above average intelligence. Enron weaved a web of special purpose entities and partnerships owned by its CFO to transfer liabilities, expenses and underperforming assets off the company’s books and record profi ts. Such an intricate system of entities and transactions could not have been developed by people who lack understanding of accounting and economics.

The Enron fraud offers lessons for individuals with responsibilities to prevent and detect fraud. First, the board of directors and audit committee essentially functions as an internal control. These individuals should not allow management free reign to do whatever management pleases, but should step in and prevent management from engaging in questionable and fraudulent activities.

Second, organizations should have specifi c accounting policies in place that reinforce the company’s attitude of following accounting principles. These policies should note that while accounting principles do not always provide specifi c guidance, executives and accountants are responsible for adhering to the spirit of accounting principles.

Third, if an organization establishes aggressive goals concerning earnings, sales growth, acquisitions and so on, members of the organization should be wary of the incentives and rationalizations that these goals create for fraudulent fi nancial reporting . Certain individuals are responsible for evaluating the means through which such goals are attained.

Fourth, the integrity of management is an important predictor of fraud. The Enron executives clearly lacked suffi cient integrity to fulfi ll their duties to Enron’s stakeholders. If the executives are lacking in their moral compasses, it becomes easy for them to commit fraud. The integrity of management is something that should be evaluated when considering the possibility of fraud. In general, the greater management’s integrity, the less likely it is that they will perpetrate, or allow, fraudulent fi nancial reporting .

WorldCom The key players in the WorldCom fraud were David Myers (controller), Buford Yates (director of general accounting), Betty Vinson (accountant)

and Troy Normand (accountant) (SEC v. WorldCom 2003). The WorldCom fraud is notable because of the magnitude of the settlement the SEC pursued against WorldCom – the company was eventually ordered to pay a settlement of more than $2.2 billion.

The SEC had two goals in pursuing such a large settlement. First, it wanted to recover investment and credit resources that WorldCom had fraudulently acquired from users (SEC v. WorldCom 2003). WorldCom’s investors and creditors lost large amounts of investment and loan dollars in the aftermath of the fraud and subsequent restatements of fi nancial statements, and the SEC hoped to remunerate these stakeholders.

Second, the SEC desired to use WorldCom as an example that would deter future fraudsters. WorldCom’s crime was fraudulently overstating its revenues by nearly $4 billion while violating securities laws and accounting principles. However, the effectiveness of using one case to make an example can be debated, because fraudsters tend to be very confi dent people and probably do not think anyone will be able to catch them.

During the course of its fraud, WorldCom deceived its investors and creditors by using improper accounting practices to overstate earnings by billions of dollars during the 2001 and 2002 fi scal years. At this point in the course, you have read several large fi gures involving frauds. Take a moment to consider this overstatement and the amount that Enron overstated its earnings: These frauds alone produced billions and billions of dollars of earnings overstatements, which had an avalanche effect on economic resources in terms of the investors and creditors who extended their resources to these companies in the hopes of earning positive returns. While these accounting frauds were massive in scope, the same practices could be used to perpetrate fraudulent fi nancial reporting on smaller levels. Do not fall into the trap of thinking that some companies are immune to fraud because of their size.

Recall that the Enron executives’ rationale to commit fraud was to attain its corporate goals for growth and earnings. Enron was failing as a business entity but managed to post consistently growing profi ts through deceitful accounting. The situation was somewhat different at WorldCom . One of the red fl ags for fraud is an economic downturn, which creates an inventive for fraudulent fi nancial reporting . WorldCom experienced diminishing profi ts in 2001 because of a recession in the domestic economy, making it diffi cult for the company to meet its earnings goals during this period.

The fraudsters at WorldCom took advantage of the accounting line that divides expenses from assets to fraudulently overstate its earnings. This scheme was to capitalize operating costs that should have been expensed and recorded on the income statement (SEC v. Myers 2002). All costs that a company incurs should either be recorded on the income statement as expenses or losses, or be capitalized (recorded as an asset) and expensed over time. The advantage of capitalized costs is that they have a smaller impact on current earnings than expensed costs because only a portion of capitalized costs are expensed in the current period. On the other hand, 100 percent of an expensed cost reduces earnings in the current period.

As an operator in the telecommunications industry, one of WorldCom ’s largest costs was line costs, or the cost of purchasing rights to communications networks (SEC v. Myers 2002). Accounting principles view these line costs as part of the normal course of doing business, and do not consider line costs assets. Therefore, WorldCom was required to expense these costs, which the company refused to do during the 2001 economic recession. WorldCom signifi cantly reduced its reported expenses by capitalizing the line costs as assets. Consequently, WorldCom’s annual fi nancial statements for 2001 and its fi rst quarter 2001 fi nancial statements were materially misstated.

It is no surprise that these material understatements of current operating expenses allowed WorldCom to meet the consensus analysts’ forecast (SEC v. Myers 2002). In this manner, the company was able to deceive investors and creditors by creating a myth that the company was continuing to experience strong operating performance and earnings

30

growth. In actuality, if WorldCom had employed proper accounting practices and expensed the line costs during 2001, not only would it have missed the analysts’ earnings forecasts, but it would have recorded a net loss instead of a net profi t.

Like the Enron fraud, the WorldCom fraud offers lessons on how internal controls can be used to prevent and detect fraud. First, fraudsters do not have to employ a variety of fraud schemes; Enron’s executives used several fraud schemes, while WorldCom’s executives focused on a single tactic.

Second, a basic internal control is to have an individual or group of employees who have a prescribed responsibility to review the company’s accounting practices. These individuals should be independent of the accounting process. Usually, this internal control is carried out by the internal audit function. For this internal control to be effective, the internal audit function should be both competent and objective. You can check the degrees and certifi cations held by internal auditors to assess their competency, and you can evaluate the authority that internal auditors have over the accounting process and to whom they report to assess their objectivity. Ideally, the internal auditors should report to the audit committee, not the controller, CFO or anyone else who can record accounting journal entries.

Adelphia In 2000, Adelphia was one of the largest cable television and telecommunications providers in the country (SEC 2008). Adelphia’s growth was fueled by aggressive acquisition of competitors, which is a fraud risk factor because it is diffi cult for executives to retain operational and accounting control when a company experiences rapid growth.

An informed observer of this fraud will be able to identify other red fl ags of fraud that were present at Adelphia (SEC 2008). First, Adelphia operated in a volatile industry, which creates incentive for fraud because the industry is subject to dramatic upward and downward swings in operating performance and earnings. Second, Adelphia become a very complex organization, which makes it diffi cult to properly account for all the transactions conducted by the parent company and its subsidiaries and special purpose entities. Third, Adelphia had incentive to commit fraud because it relied heavily on debt fi nancing and had diffi culty complying with the requirements of its debt covenants. The company had extensively relied on borrowing to fi nance its aggressive acquisitions of other organizations. Fourth, a small group of individuals dominated the company’s management, giving these people too much control of accounting and other practices. Finally, these domineering individuals did not have suffi cient accounting expertise to make judgments regarding accounting principles and treatment.

The key players in the Adelphia fraud were the small group of people who dominated the company’s management (SEC 2008). These individuals primarily consisted of members of the Rigas family, who had originally founded the company. While Adelphia was a public company, the Rigas family maintained dominance within the company through its exclusive ownership of a certain class of the company’s stock.

Similar to Enron , Adelphia had a complex organizational structure through which transactions were conducted with related parties (SEC 2008). The Rigas family owned private enterprises that profi ted through the use of Adelphia’s technical and human resources, although Adelphia did receive fees for the use of these resources.

Adelphia employed several schemes to perpetrate its fraud. One scheme involved the netting of accounts receivable and accounts payable to related parties owned by the Rigas family (SEC 2008). Rather than separately listing the accounts payable as liabilities and the accounts receivable as assets, the company used the larger accounts receivable to offset the accounts payable, and reported net accounts receivable from the related parties.

This scheme allowed Adelphia to conceal amounts that it owed to related parties, which benefi ted the company by reducing its reported total liabilities. This scheme also allowed the company to appear less risky by reducing its reported related-party receivables. Such receivables are inherently risky because the ability of the company to collect on related-

party receivables, unlike receivables owed by independent customers, is directly linked to the fi nancial well-being of the company.

The amounts involved in the related-party receivables and payables were massive. By the end of the fi scal year 2000, Adelphia actually owed more than $1 billion in related-party payables and could claim over $1 billion in related-party receivables (SEC 2008). On its 2000 balance sheet, however, Adelphia reported only about $3 million in net-related party receivables. This fraud scheme allowed the company to remove billions of dollars in liabilities and risky assets and disclose a relatively small amount.

The practice of netting related-party receivables and payables is not allowed under accounting principles (SEC 2008). Accounting principles require such related-party transactions to be independently recorded and presented in the fi nancial statements. In other words, Adelphia should have prepared its fi nancial statements in such a way as to disclose the entire amounts of both related-party receivables and related-party payables.

Another scheme used in the Adelphia fraud case was inappropriate debt reclassifi cation (SEC 2008). During 2000, accountants at Adelphia transferred nearly $300 million of liabilities to the fi nancial records of some Rigas enterprises, which were subsidiaries of Adelphia, to satisfy some receivables it claimed on the Rigas enterprises. In this case, the fraudsters did record the debts in the fi nancial statements of the subsidiaries. However, these actions were inconsistent with relevant accounting principles.

In order for a company to remove liabilities from its fi nancial statements, the company must properly extinguish the debts involved. Financial accounting principles state that a liability can only be removed (i.e., extinguished) if the debtor pays the balance on the debt and is removed from obligation to the creditor, or if the creditor releases the debtor from obligations under the terms of the liability (FASB 1996). Because neither Adelphia nor the subsidiaries paid off the debt nor were released from obligations by the creditor, Adelphia violated accounting principles and disclosed materially misstated fi nancial statements when it discontinued reporting these liabilities (SEC 2008). Essentially, the company had transferred liabilities to subsidiaries and removed the debt from its balance sheet even though the creditor did not receive payments and did not remove the company from its obligations.

The Adelphia fraud can teach valuable lessons about fraud detection and prevention. First, it stands with Enron as a reminder that a complex organizational structure can serve as a playground for fraudsters by providing opportunities for sham transactions.

Second, internal controls could have been employed to prevent the fraudulent fi nancial reporting that occurred at Adelphia . A standard accounting control is to review the application of accounting principles to individual accounting treatment, especially when complex issues are involved. If an accountant had reviewed Adelphia’s transactions concerning the debt reclassifi cation and compared Adelphia’s accounting treatment with the relevant accounting principles, he/she likely would have concluded that the company was in violation of accounting principles. Even if individuals feel they do not have suffi cient expertise to evaluate such situations, they can seek the advice of colleagues who can assist them.

Third, when one individual or a small group dominates management and the board of directors, employees should be wary of the possibility of fraudulent fi nancial reporting . Boards of directors and audit committees serve as internal controls that limit management’s authority over both operations and accounting treatments. In the Adelphia case, the Rigas family could do whatever they wanted because they controlled the management of the company and the board would not stand up to them.

As an exercise, assume that you acquired the minutes to a board of directors meeting at a company who is dominated by a single person, Terry. Terry and the directors are discussing whether the valuation of the company’s allowance for uncollectible accounts is appropriate. This account requires subjective valuation and consequently, is susceptible to fraudulent fi nancial reporting . By reading the minutes of the board meeting, you are able

31

to follow the conversation as Terry persuades the board to accept the accounting treatment concerning the valuation of the allowance account:

Terry: “Let’s discuss the allowance for uncollectible accounts receivable. I hope that you have approved the accounting treatment I’ve proposed.”

Board member A: “To be honest, we’re not sure whether the accounting treatment is appropriate.”

Terry: “Of course it’s appropriate. All we’re doing is writing off a lower amount than normal. I think it’s reasonable. These allowance accounts are estimates, so we have some room for our own judgment. I know my business well enough to make these judgments.”

Board member B: “Maybe, but perhaps we should call in an expert. I’m sure that we can fi nd someone who has experience with accounting in our industry.”

Terry: “We don’t need an expert. If I did not understand how this company works, I wouldn’t be running our operations. Trust me, it’s reasonable. I’m sure that any expert would see it my way. Don’t forget that none of you would be here, receiving directors’ fees, if I hadn’t selected you and kept you around.”

Board member C: “Go ahead with your adjustment.”

Terry: “Thank you.”

While this example is probably too simplistic, it effectively makes the point. If one person, or a small group, dominates management and the board of directors, it is diffi cult for others to prevent illicit accounting practices. A person who dominates a company has power over everyone else in the company, which increases his/her ability to persuade others. Recall that the ability to persuade is a characteristic of many fraudsters.

Note that just because an individual or group dominates an organization’s management and accounting practices does not mean that fraudulent fi nancial reporting is occurring. However, such individuals should be monitored so that fraud does not occur, and if it does occur, can be detected. Furthermore, dominant individuals also pose a threat for fraud because they can override internal controls. Internal controls should be designed and executed in such a way that they cannot be overridden, even by high-ranking corporate offi cers. You will read more about this principle later in the course.

Crazy Eddie At this point, you have read about fraudsters who have taken advantage of organizational complexity, subsidiaries, special purpose entities, capitalization of expenses, and dominance of management and operations to commit their crimes. Now you will read about group of fraudsters who used different techniques.

The Crazy Eddie fraud primarily involved the company’s merchandise inventory, sales process and operating cash fl ows. Crazy Eddie was at one time a rapidly growing electronics retailer in the New York City area, and the executives perpetrated massive fraudulent fi nancial reporting to attract investors and increase their personal wealth. The key players in the Crazy Eddie fraud were Eddie Antar (CEO) and Sam E. Antar (CFO) (Antar 2008). You will notice that the references in this subsection carry the same name as the fraudsters. Sam E. Antar has provided an in-depth description of the fraud; he claims his objective is to educate others about the risks and warning signs of fraud.

One of the fraud schemes used at Crazy Eddie was skimming (Antar 2008). When the company would sell merchandise for cash, the executives often pocketed some of the proceeds for themselves, and did not record the full amount of the sales. These stolen funds were usually placed in foreign bank accounts.

Antar (2008) explains that the fraudsters gained two advantages from skimming. First, their personal wealth increased. Second, skimming results in understated revenues, and understated earnings. Skimming

millions of dollars (in 1970s and early 1980s monetary values) allowed Crazy Eddie to pay lower income taxes than what the company should have paid based on its operations. Therefore, the executives’ practice of skimming off the top of cash sales allowed them to commit tax fraud.

Retail stores are always vulnerable to skimming because many customers use cash to purchase their items. Some internal controls that can help prevent or detect skimming include using security cameras, limiting the amount of cash that is kept at cash registers, having managers frequently pull the cash out of clerks’ registers for deposit at fi nancial institutions, and running background checks on individuals who will be handling cash before they are employed or placed into such positions.

After the company became publicly traded, skimming was no longer advantageous because Crazy Eddie needed to report revenues and earnings that would be suffi ciently large to attract investors. To overstate earnings, the company’s executives created fi ctitious sales. The executives used over a million dollars in cash that they had stolen through skimming and deposited in foreign fi nancial institutions to create the fi ctitious sales. The executives moved the money out of the foreign bank accounts, divided the cash into smaller amounts, and deposited the money back into some of the stores. To provide the accounting illusion that these cash increases at various retail outlets were legitimate, the company recorded sales revenues.

An internal control that could have detected this scheme is the bank reconciliation. An accountant who does not have access to cash should perform regular bank reconciliations. The reconciliations would have revealed abnormal and sizeable movements of funds within the bank accounts (Antar 2008).

The Crazy Eddie fraud also involved intentional overstatements of the value of the company’s merchandise inventory (Antar 2008). The fraudsters gained access to the external auditors’ plans concerning which warehouses would be targeted for inventory counts. They would then fi ll these warehouses with inventory taken from other stores. The auditors believed that these warehouses were representative of all of the company’s storage locations. The fraudsters also modifi ed the auditors’ test counts by increasing the quantities of items that the auditors had observed when they were at the warehouses.

Such an inventory scheme would have been diffi cult to detect by a member of the organization since it was carried out as a collusive scheme by high-ranking company offi cials. But employees should have noticed a large-scale transfer of inventory during the audit period, which should have appeared as suspicious behavior. You will read later in the course about encouraging employees to blow the whistle – an underappreciated tool for preventing and detecting fraud – to both auditors and company executives.

The Crazy Eddie fraud can teach and reinforce lessons concerning fraud. First, fraudsters are confi dent, and probably arrogant, when it comes to their ability to commit and conceal their deceitful activities. These fraudsters carried out their fraud under the noses of both external auditors and their employees, and did not appear to think that anyone would be intelligent enough to catch and stop them. Therefore, it is reasonable to conclude that one of the risk factors for fraudulent fi nancial reporting is disregard for external auditors.

Second, part of the rationalization for committing fraud can be to test the system. Antar (2008) explaind that the Crazy Eddie fraudsters certainly had incentive and opportunity to commit fraud. Furthermore, it is clear from their actions that they had the psychological capabilities to commit fraud. This case also demonstrates that the desire to cheat the system is a form of rationalization. This form of rationalization is similar to the notion that some people have a “chip on their shoulder” and need to prove something to the world.

Third, internal controls can never be completely effective in preventing and detecting fraud, especially when collusion is involved. Collusion refers to situations in which multiple people are working together to commit and fraud. Although there may be a certain point at which having

32

too many people involved will lead to discovery, usually collusion decreases the probability that fraud will be detected or prevented.

Some internal controls, like bank reconciliations, require one individual to check the work of another employee. These internal controls will not be effective when the person responsible for the reconciliation is in cahoots with the person that the internal controls are designed to monitor.

For instance, if the employee responsible for conducting monthly bank reconciliation is working with the employee who is fraudulently withdrawing funds from the company’s bank accounts, this internal control will not be effective, and it will become more diffi cult for others in the organization to become aware of the fraud.

Finally, the Crazy Eddie fraud provides a valuable lesson concerning incentives of fraudsters. It is easy to assume that when fraudulent fi nancial reporting is perpetrated by the executives of a company whose personal wealth is usually directly linked to the performance of the company, that these executives have an incentive to falsify accounting disclosures by materially overstating revenues and earnings.

However, the Crazy Eddie fraud documents show that fraudulent executives do not always have incentive to overstate earnings. Before Crazy Eddie became a public company, the executives’ fraudulent objectives were to skim cash from legitimate sales, which resulted in lower earnings and lower organizational income taxes. Therefore, if you are ever suspicious of potentially fraudulent activity, do not make the mistake of assuming that fraud is not being perpetrated if the result of the fraud is to decrease revenues and earnings.

ZZZZ Best ZZZZ Best was originally a small-time carpet cleaning company founded in the early 1980s (Naff 1995; Shutiak 2002). This small operation expanded into a multimillion dollar publicly traded company through the fraudulent fi nancial reporting carried out by two principle fraudsters, Barry Minkow (founder and CEO) and Mark Morze (CFO). Their fraudulent activities deceived investors to the extent that at its height, ZZZZ Best had a market capitalization of $240 million. Of course, that amount would be a lot greater in today’s dollars.

From the start, ZZZZ Best was not profi table; Minkow was constantly seeking fi nancing and many fi nancial institutions turned him down. As you could imagine, Minkow probably grew increasingly frustrated at his inability to both make a profi t and obtain fi nancing.

Minkow caught a break when he met Morze, who had connections and experience in the fi nancial services industry (Naff 1995). Through Morze, Minkow obtained the necessary debt funding to keep his struggling operation alive.

However, ZZZZ Best ‘s fortunes did not improve following the debt arrangements he made through Morze. At some point during this time, Minkow violated accounting principles by overstating accounts receivables. ZZZZ Best reported several accounts receivable for cleaning contracts that in reality did not exist (Naff 1995). This deception allowed the company to record fi ctitious revenues and appear as if it was in a position to receive cash infl ows from routine operations, which would appeal to both creditors and potential investors.

During this time, Morze helped Minkow take the company public, even though he was aware of Minkow’s fraudulent fi nancial reporting . The ZZZZ Best fraud was now being perpetrated on a massive scale because the company was attracting investors as a public company. ZZZZ Best, now publicly traded, continued to overstate revenues and accounts receivable by claiming it had made contractual agreements for various fi ctitious cleaning projects.

The scheme used to perpetrate the ZZZZ Best fraud was very simple compared to the tactics used in later frauds such Enron . Therefore, there is reason to wonder how the ZZZZ Best executives were able to fool the

external auditors. The answer to this question represents an important lesson that can be drawn from the ZZZZ Best fraud.

ZZZZ Best fooled the auditors, convincing them that their fi ctitious cleaning contracts were real, through kindness and fl attery. Minkow spent lavishly to entertain the auditors and present them with gifts. He also fl attered the auditors. He indirectly complimented the auditors by asking their advice on important business matters. These questions represented compliments because if someone is asked a question, it gives the impression that the person asking the question values the other person’s opinions and expertise concerning the matter.

These actions fostered an environment in which the auditors liked the ZZZZ Best executives, and they did not maintain their professional skepticism regarding this client. Therefore, one lesson that can be taken from this fraud is that people who are nice and welcoming can be fraudsters who use their interpersonal skills to make others believe they could not be deceptive fraudsters. Remember that fraudsters are effective liars, and persuading others that they are upstanding, decent people is simply another tool of con artists.

As with the Crazy Eddie fraud, the ZZZZ Best fraud also teaches an observant reader that fraud can be diffi cult to detect. This case involved collusion at the highest level within the company. As you have read in the context of the Crazy Eddie fraud, collusion makes fraud diffi cult to detect. Furthermore, these two fraud cases also indicate that fraudsters with signifi cant power and authority (and usually with a higher rank) within a company can more easily perpetrate and conceal fraud than individuals who do not have signifi cant authority within an organization.

Finally, the ZZZZ Best case serves as another reminder of the importance of whistle-blowing. For now, simply understand that our culture frowns on whistle-blowing. All too frequently, whistle-blowers are derogatorily referred to as tattles and snitches. However, there should be no repercussions to whistle-blowers. It would be diffi cult to conclude that no one at ZZZZ Best, other than Minkow and Morze, was aware of the fraudulent fi nancial reporting . Your organization should encourage whistle-blowing and provide anonymous channels for the protection of whistle-blowers. This course will discuss whistle-blowing as a means of fraud detection in greater detail in Section Seven.

As a fi nal note on ZZZZ Best , and one that is similar to the Enron fraud, you may be interested to know that it was the work of a reporter that brought the ZZZZ Best fraud to light. Reporters must obtain information from sources. Therefore, because investigative reporting relies on a form of whistle-blowing, it is reasonable to expand the view of whistle-blowing and acknowledge that whistle-blowers can contact third parties.

Section Two, Practice Test, Part 2

Please take the time to complete the following practice exam. The test consists of fi ve questions that will address the information you have read in the last section. Be sure to compare your answers to the answer key and explanations provided on the pages just before the fi nal examination. Remember, your score on the practice exam does not count towards your fi nal grade. Only your score on the fi nal exam will count for credit.

Tom Downs, the manager of a production line for General Tire, has 1. the authority to order and receive replacement parts for all machinery on his production line. The auditor received an anonymous tip alleging that Tom purchases materials from a cousin who distributes parts, and orders substantially more parts than are necessary. The whistle-blower also explained that the extra parts were never received. Instead, the whistle-blower contends that Tom falsifi ed receiving documents and charged the parts to maintenance accounts. The payments for the undelivered parts were sent to the supplier (Tom’s cousin), and the money was divided between Tom and the cousin.

Which of the following internal controls would have most likely prevented this fraud from occurring?

33

Establishing predefi ned spending levels for all vendors during a. the bidding process.Segregating the receiving function from the authorization of b. parts purchases.Comparing the bill of lading for replacement parts to the c. approved purchase order.Using the company’s inventory system to match quantities d. requested with quantities received.

Which one of the following accounts is most susceptible to fraud?2. Utilities expense.a. Notes payable.b. Bad-debt write-off.c. Unearned rent revenue.d.

At a recent meeting, General Tire’s internal audit function committee 3. met to evaluate its objectivity. In which of the following situations would the auditor appear to have impaired objectivity?

An auditor reviews the procedures for a soon-to-be-installed a. computer system that will allow General Tire to connect to a major customer.A former inventory manager performs a review of internal b. controls over the warehouse three months after being transferred to the intern audit department.An auditor recommends internal controls concerning a contract c. with an outside agency that will process General Tire’s payroll and employee benefi ts.The internal audit function committee consists of a member from d. each of the company’s departments who is not involved with the accounting practices, three members of the company’s board and an outside certifi ed public accountant.

Executives with stock options in a company that is on track to post a 4. net loss on the year are examples of what fraud component?

Capabilitya. .Incentive. b. Rationalization.c. Opportunity.d.

A basic internal control is to have an individual or group of 5. employees who have a prescribed responsibility to review the company’s accounting practices and are knowledgeable and involved with the company’s accounting process.

TrueA. FalseB.

Section Three – Internal controls overview

Major subjectsInternal controls defi ned. Design and operation.

Fraud prevention and detection.

Historical development of internal controls.

Committee of Sponsoring Organizations (COSO) Framework: Elements of Internal Controls.The Sarbanes-Oxley Act .

Internal controls defi ned Internal controls are a collection of processes intended to provide reasonable assurance concerning an organization’s ability to meet three types of objectives: (1) Operational effi ciency and effectiveness; (2) reliability of fi nancial reporting; and (3) compliance with any regulations and laws to which the organization is subject.

Although effective internal controls facilitate the achievement of goals concerning operations, fi nancial reporting and compliance, this course focuses on internal controls in the context of fraud detection and prevention, which encompasses each of the three objectives mentioned above. Fraud impedes organizational effi ciency and effectiveness,

the reliability of fi nancial reporting, and compliance with legal and regulatory requirements.

Internal controls infl uence the daily work of most employees within an organization. According to the Sarbanes Oxley Act, a company’s management is primarily responsible for the effective design and operation of internal controls. However, the importance of the role of IT professionals in the design and implementation of internal controls cannot be understated given the role of modern automated information systems in processing corporate data.

Internal controls are a collection of processes. Although internal controls involve manuals, narratives, fl owcharts, diagrams and other forms of documents that describe the design and operation the processes involved, the Committee of Sponsoring Organizations (COSO) stresses that there are always people involved with internal controls.

Different individuals are responsible for different elements of internal controls, including design and implementation. In order for internal controls to effectively prevent and detect fraud, these individuals must value internal controls and possess suffi cient technical expertise to carry out their responsibilities. Furthermore, employees who are responsible for designing and executing various internal controls must be aware of their responsibilities concerning those controls (COSO 1994). A component of designing effective internal controls is ensuring that employees know which tasks they are supposed to perform, when they are supposed to carry out their tasks, and what procedures to follow if the internal control results in exceptions (i.e., problems).

Internal controls are not intended to completely eliminate the risk of defi ciencies concerning these objectives because no internal control, no matter how well it is designed or executed, can be completely effective in preventing and detecting fraud, errors, and other problems.

The COSO’s (2005) statement concerning reasonable assurance is indicative of the inherent limitations of internal controls. It is impossible to monitor all activities at all times given constraints on human, fi nancial and technological resources. Some specifi c limitations inherent to most internal controls include management override, collusion and the fact that humans are involved and mistakes will inevitably occur.

Accordingly, most internal controls are implemented using a cost-benefi t approach (Bagranoff et al. 2008). The quantitative costs (such as hours spent developing an IT control) and qualitative costs (such as potential morale decrease from changes in work habits) of implementing controls must be weighed against the benefi ts of the controls (a 10 percent increase in operational effi ciency; 50 percent decrease in the probability of misstatements).

Finally, the work of external auditors is heavily involved in assessing the effectiveness of their clients’ internal controls. The reason for requiring auditors to evaluate internal controls is that if internal controls are working properly, there is a smaller likelihood that material misstatements will occur. Accordingly, a signifi cant portion of the professional auditing literature is devoted to internal controls. Therefore, this course includes citations from auditing standards because these standards can provide lessons for auditors, fi nancial accountants, executives and IT professionals concerning internal controls.

Design and operationThe Public Company Accounting Oversight Board (PCAOB) is a private-sector, nonprofi t corporation created by the Sarbanes-Oxley Act, a 2002 United States federal law, to oversee the auditors of public companies. Its stated purpose is to “protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports.” Although a private entity, the PCAOB has many government-like regulatory functions, making it in some ways similar to the private self-regulatory organizations (SROs) that regulate stock markets and other aspects of the fi nancial markets in the United States.

34

An effective internal control is both well-designed and properly executed (PCAOB). Therefore, during the course of implementing internal controls or evaluating existing internal controls, you must consider both design and operational effectiveness. If an internal control is poorly designed, it is unlikely to be effective when it operates. Alternatively, an internal control that is well-designed may be unable to prevent or detect fraud if it is not properly executed.

To determine whether an existing internal control is well-designed, you should evaluate whether the individuals involved in executing the control have suffi cient capabilities (i.e., technical knowledge; authority to correct problems detected by the control) to properly perform the control (PCAOB 2007). You should also evaluate whether the individual(s) who designed the internal control possessed suffi cient technical expertise to consider all aspects of the business process for which the internal control was designed. You can also perform the internal control and attempt to determine whether design changes would improve the effi ciency and effectiveness of the internal control. Section Four of this course will discuss the importance of well-designed internal controls in greater detail.

To determine whether an existing internal control is operating effectively, you can observe the performance of the internal control, review documentation concerning the procedures that constitute the internal control (i.e., checklists that describe the actions performed at each step), and talk to the individuals who are responsible for executing the control (PCAOB 2007). You can also perform the internal control to determine whether your results are similar to those of prior executions carried out during the normal course of operations.

Fraud prevention and detectionInternal controls should be designed and operated in such a manner that they can prevent and detect operational ineffi ciencies, fi nancial reporting irregularities and obstacles to complying with applicable laws and regulations. In terms of fi nancial reporting, internal controls should be designed and executed to prevent and detect material misstatements due to error and fraud. Your goal is to design and evaluate internal controls’ ability to prevent and detect fraudulent fi nancial reporting and the misappropriation of assets.

Certain internal controls should be designed and executed to prevent fraud. Preventive internal controls typically are executed before data is processed. Understanding fraud schemes and fraud cases is an important precursor to implementing internal controls that can effectively prevent fraud. If an individual does not understand how fraud may be carried out in a given organizational process, it will be diffi cult for that individual to implement internal controls that can prevent fraud in that process (Bagranoff et al. 2008). The descriptions of fraud schemes and cases provided in Section Two of this course and the descriptions of internal controls in subsequent sections should assist you in considering ways in which fraudsters may manipulate processes to commit fraud.

To properly design preventive internal controls , the planner should gain an understanding of the business process at hand. This understanding can be acquired through several means, including documentation such as fl owcharts and descriptions, (Bagranoff et al. 2008), prior personal experience, and discussions with employees who perform the process. It is important to not underestimate the input provided by trustworthy individuals who perform processes because they have an intimate understanding of how the process is performed.

Examples of preventive internal controls include providing continuous training programs, rotation of duties, segregation of duties, requiring user names and passwords to access data, using sequentially pre-numbered documents, and data input controls such as edit tests (Bagranoff et al. 2008). Sections Five and Six of this course provide more complete descriptions of various internal controls.

Other internal controls should be designed and executed to detect fraud. Detective internal controls typically are executed during or following data processing. The purpose of detective controls is to alert

the appropriate individuals that fraud has occurred (Bagranoff et al. 2008). Following detection, these individuals can take action to ensure that the implications of the fraud have been corrected. The responsible individuals also can begin to pursue corrective actions concerning the fraudster, including the termination of employment and benefi ts, and the consideration of legal actions against the perpetrator.

Examples of detective internal controls include performing account reconciliations, comparing current fi nancial statement balances to balances recorded in prior periods (including the day before), and using security cameras (Bagranoff et al. 2008). Sections Five and Six of this course provide more complete descriptions of specifi c internal controls.

Historical development of internal controlsInternal controls are typically established and evaluated using a standard framework. A very common framework used in developing and evaluating internal controls is provided by the COSO . The remainder of this section mostly describes the COSO framework, but fi rst you will read about the development of this framework.

The public accounting profession began to consider the role of internal controls in fi nancial reporting in the 1940s (COSO 1994). However, the evolution of internal controls to the forefront of fi nancial reporting concerns did not begin until the 1970s. While recent shifts toward focusing on internal controls have been prompted by accounting scandals, it was the Watergate scandal that originally pushed internal controls into the forefront of corporate governance. The Watergate hearings called to attention the fact that internal controls could help prevent and detect fraudulent activities.

In the aftermath of the Watergate scandal, the U.S. Congress passed the Foreign Corrupt Practices Act (COSO 1994). The act required corporations to accurately and fairly capture the effects of transactions in their fi nancial statements. Furthermore, the act required corporations to develop and continually evaluate internal controls.

Also during the 1970s, the American Institute of Public Accountants (AICPA) created the Cohen Commission , which was instructed to evaluate auditors’ responsibilities (COSO 1994). The Cohen Commission examined the role of internal controls in fi nancial reporting, and recommended that corporations disclose a critical assessment of its internal controls. The Cohen Commission also recommended that auditors attest to this internal control assessment provided by management.

During the 1980s, a series of business failures and accounting scandals shifted attention back on internal controls (COSO 1994). This renewed focus on internal controls led to the creation of the Treadway Commission, which was sponsored by several organizations, including the AICPA and the Institute of Management Accountants. These organizations were collectively referred to as the Committee of Sponsoring Organizations, or COSO.

The Treadway Commission examined the causes of fraud and offered recommendations for reducing organizations’ exposure to fraud risk (COSO 1994). These recommendations (i.e., the importance of the control environment) were directed at auditors, corporations and regulatory bodies such as the SEC. The recommendations offered by the Treadway Commission led to the COSO Framework.

The COSO framework serves as a useful tool in the development and continual evaluation of internal controls. The next subsection provides a detailed description of the fi ve elements of the COSO framework.

COSO Framework: Elements of Internal ControlsThe COSO Framework is a commonly used tool for establishing and ongoing evaluation of internal control systems. Although this framework was developed several years ago, it is widely applied today. Textbooks for modern accounting information systems (i.e., Bagranoff et al. 2008) and auditing courses (i.e., Messier et al. 2008) continue to develop their discussion of internal controls around the COSO Framework.

35

The COSO Framework for internal controls consists of fi ve elements: control environment, risk assessment procedures, information system and communications, control activities, and monitoring of internal controls (COSO 1994). Implementing these elements of internal controls is the responsibility of the organization’s management; the responsibility for internal controls does not lie with auditors, regulators or other parties.

These fi ve elements of internal controls are intricately linked. For instance, the control environment fosters a culture in which the other elements are carried out, while information and communication links the different elements of internal controls (COSO 1994). Figure 1 presents the pyramid provided in the 1994 COSO report that is intended to depict the interrelationships among the fi ve elements of internal controls. Each of these elements plays a role in attaining the objectives of internal controls, and defi ciencies in one of the fi ve elements can inhibit the effectiveness of the organization’s entire internal control structure.

Figure OneRelationships Between Internal Control Elements (COSO 1994)

Control environment The control environment establishes the foundation for all other elements of internal controls and sets the tone at which the other elements are carried out. Internal control weaknesses can be often be traced to problems with the control environment. If an organization is not committed to internal controls or is operated by executives who are lacking in integrity, the organization likely will not have strong internal controls.

In addition to infl uencing internal control planning, the control environment will infl uence the daily life of employees who are responsible for executing control activities, monitoring internal controls and communicating information about internal controls to the appropriate individuals (COSO 1994). A stronger internal control structure typically requires more thorough execution than weaker internal controls structures. Accordingly, individuals with prescribed responsibilities to design, execute and evaluate internal controls will have to devote more time to internal controls when the control environment is stronger.

The control environment consists of several components, including integrity and ethical values, management philosophy, board of directors, organizational structure, prescribed responsibility and human resource policies. Underlying all of these components of the control environment is the tone at the top. The attitude that an organization’s executives have toward internal controls is directly related to the effectiveness of internal controls. As with most aspects of corporate performance, the effectiveness of internal controls starts at the top. The importance of the tone at the top in designing effective internal controls is discussed in Section Three of this course.

Integrity and ethical values are a complex set of philosophies and beliefs that guide standards of behavior within organizations, and ultimately affect the extent that organizational objectives are achieved. Integrity and ethical values also affect whether the internal control structure can accomplish its objectives, including preventing and detecting fraud.

It is easy to simply say that executives should be ethical, and if they are, effective internal controls will follow. However, the situation is very complex. To critically evaluate the integrity and ethics of an organization’s executives, you must fi rst consider the parties to whom those executives are accountable. There are many stakeholders of corporate bodies, including investors, creditors, employees, customers, suppliers and the local community. Each of these stakeholder groups has a unique interest in the well-being and profi tability of the corporation. Therefore, ethics cannot simply be defi ned in terms of doing what is best for any one stakeholder group. In actuality, ethical executives should consider the interests of each of these stakeholders when making decisions, for example, when designing and evaluating internal controls.

A sound corporate ethical code can also be diffi cult to establish. Many corporations have branches far from headquarters, and variations in the corporate ethical code can manifest depending on the personality and experiences of individuals in those branches.

Given that there are inherent diffi culties in establishing and evaluating sound corporate integrity and ethics, individuals within organizations can promote practices that can lead to the establishment of standards of integrity and ethics that are generally viewed positively. For instance, managing with integrity means making decisions that are in the long-term best interest of the organization. Another practice that enhances integrity is to encourage sales personnel to avoid both pressuring customers and using hard-line negotiation tactics. Such activities can alienate customers because they may appear unprofessional. Finally, treating employees, including low-level workers, in a courteous manner promotes integrity and can lead to more productive employees.

Not only should an organization’s managers strive to set practices that promote integrity and ethical values, but managers should communicate the organization’s ethical code to employees. Internal controls would not benefi t from having the most ethical managers in the industry if these managers do not promote integrity and ethics in all aspects of the company’s operations, which are executed by the employees.

In the current business environment, there are more ways to communicate information, including information about integrity and ethics, than in any other era in history. Modern organizations can use electronic media such as e-mails and videos to promote ethics. They also can use traditional means such as presentations and forums. The goal of all communications concerning ethics and integrity should be to educate employees about the importance of behaving in a way that refl ects well on the organization and promotes the long-term well-being of the organization and its stakeholders.

Another way through which an organization can communicate its ethical values is by providing employees written codes of conduct (COSO 1994). While written codes of conduct will not stop a dedicated fraudster, they can serve as useful tools for educating employees and providing the basis for penalties for departures from ethical conduct.

While communication tools such e-mails and codes of conduct should be considered when promoting organizational ethics and integrity, the most effective means of conveying ethical principles is by example (COSO 1994). If employees are aware that their executives attempt to behave ethically and with integrity when making diffi cult decisions as well as dealing with customers, board members, employees and other stakeholders, they are more likely to apply similar ethical principles to their own actions.

Consider the Enron case. The Enron employees observed the CFO, Fastow, taking advantage of his position to enjoy enormous personal

36

profi ts through Enron’s dealings with his private ventures (McLean and Elkin 2003). The employees also observed Skilling and other executives aggressively push the company to meet EPS forecasts. Therefore, employees at Enron probably got the message that it was acceptable in that environment to perpetrate fraud as long as it promoted the short-term interests of the company.

Management philosophy is the foundation for the manner in which the organization is managed and operated on a daily basis . Management philosophy will have an impact on the way in which internal controls are designed and executed. For example, the more that management desires structure and formality and in operations, the more emphasis it will place on codifi cation of internal controls through the use of checklists, reports and other recorded means. Typically, larger organizations rely on more formal management practices, and consequently, have more formal internal control procedures.

Another component of management philosophy is its attitude toward accounting practices. There is a fair amount of room for interpretation within fi nancial accounting principles because defi nitive guidance cannot be given for all situations that all organizations will encounter. Therefore, variation exists in management’s attitude toward accounting practices that ranges from very conservative to very aggressive (COSO 1994). To encourage a strong control environment, management should err on the side of conservatism in fi nancial reporting unless it can ethically support its treatment using accounting principles. A loose attitude toward fi nancial reporting will hinder the development of strong internal controls.

The board of directors and the audit committee (which is a subset of the board of directors) should help establish a strong tone at the top that will infl uence the control environment (COSO 1994). The board of directors is charged with oversight of executives to promote the interests of the organization’s stakeholders. The audit committee is a subcommittee within the board that is charged with retaining external auditors and ensuring that auditor recommendations are carried out by management. In this capacity, the audit committee has a vested interest in promoting internal controls so that the fi nancial statement audit will run more effi ciently.

Senior management and the board of directors work together to establish a risk tolerance (e.g., the amount of risk that the company is willing to accept). Senior management then applies that risk tolerance to specifi c situations. For example, when faced with how to handle an identifi ed risk, senior management will choose one of four options. Specifi cally, they can (1) control for the risk (implement an internal control to mitigate the risk), (2) accept the risk (do nothing about the risk – often done when the impact is small), (3) transfer the risk (i.e., through purchasing insurance), or (4) avoid the risk (i.e., discontinue a product line that is susceptible to litigation).

An active board of directors encourages a strong control environment because of the infl uence it has over management (COSO 1994). The board can fi re executives, and typically requires management to provide regular reports on the organization’s activities, including those concerning internal controls. Similar to the idea that management can communicate integrity to employees by example, the board can convey ethical values that will enhance the control environment by example in its dealings with executives.

Organizational structure is the framework in which the entity is organized. Organization plays a role in the control environment largely through its infl uence on daily activities and formality. Typically, larger organizations have a more complex structure, which is often accompanied by a more codifi ed system of internal controls that requires more documentation than that required by less complex organizations (COSO 1994). As an example, consider the business processes and structure of a Fortune 500 company relative to that of a locally owned small business. Also, global companies tend to require more documentation as a way of standardizing procedures executed by individuals with different cultural backgrounds and different ways of conducting business operations.

Organizational structure should be considered when designing, executing and evaluating internal controls. An internal control environment that is ideal for a global corporation may not be effective in smaller organizations, and vice versa.

An important component of the control environment is ensuring that employees are aware of their responsibilities and authority concerning fraud detection and prevention (COSO 1994). A basic internal control is that purchasing agents should only acquire items from suppliers on a pre-approved authorized vendors list. This internal control will be ineffective if the purchasing employees are collectively instructed to be sure that someone verifi es that all purchases are made from authorized vendors before the purchase order is submitted. In this case, there is a strong possibility that each individual purchasing agent will assume someone else will execute this internal control. This internal control is much more likely to be effective if a specifi c individual, preferably the purchasing manager, is instructed to approve each purchase, and match the vendor to the authorized vendor list.

Therefore, the design of internal controls should include identifi cation of the employee(s) responsible for executing the control. The design process also should specify the authority that these employees have for correcting and reporting fraud and errors. Therefore, the control environment should include provisions for prescribed responsibility and authority concerning the execution of internal controls. Similarly, it is important for organizational managers to ensure that employees are suffi ciently competent to perform their duties; the COSO (1994) refers to this practice as a commitment to competence.

Human resource policies constitute the fi nal component of the control environment. Human resource policies should ensure that competent, ethical individuals are hired, and that these employees receive ongoing training to maintain the ability to execute their responsibilities, including internal control procedures.

Human resource policies are another way in which organizational managers can convey their ethical principles and integrity to employees by example. An effective control environment includes rigorous background checks before individuals are hired, substantive interviewing of applicants, and competitive salary and benefi ts packages. These human resource policies promote the retention of qualifi ed individuals whose ethical values are consistent with those of the organization.

Human resource policies also serve the control environment if they are utilized to maintain employee morale. As discussed in the previous section, content employees are less likely to perpetrate fraud than unsatisfi ed employees. Human resources can serve employee morale by providing objective means for performance evaluations and promotions and offering employees the opportunity to rotate to new functions to increase their expertise (COSO 1994). Finally, human resource policies can contribute to an effective control environment by providing a fair process for disciplinary proceedings.

Section Three, Practice Test

Please take the time to complete the following practice exam. The test consists of fi ve questions that will address the information you have read in the last section. Be sure to compare your answers to the answer key and explanations provided on the pages just prior to the fi nal examination. Remember, your score on the practice exam does not count towards your fi nal grade. Only your score on the fi nal exam will count for credit.

If a company’s internal audit found that the company’s internal 1. controls over accounts receivables are NOT designed properly, who is ultimately responsible for the control designing failure?

The accounts receivable clerk whose job it was to perform the control.a. The accounts receivable manager. b. Company management.c. The board of directors.d.

37

Which of the following internal controls would prevent the ordering 2. of too much inventory?

Review of all purchase requisitions by a supervisor in the user a. department when submitting them to the purchasing department.Automatic reorder by the purchasing department when low b. inventory level is indicated by the system.A policy requiring review of the purchase order before receiving c. a new shipment.A policy requiring agreement of the receiving report and packing d. slip before storage of new receipts.

Management that focuses heavily on hitting earnings benchmarks 3. at any cost most likely negatively impacts which of the following COSO framework components?

Control environment.a. Risk assessment.b. Pressure.c. Control activities.d.

Which of the following would most likely contribute to promoting 4. an effective control environment?

Confi rming accounts receivables balances with high-balance a. customers.Assigning upper level managers to perform risk assessments of b. their respective departments.Establishing a review schedule to test the operating effectiveness c. of controls.Instructing an accounts payables clerk concerning her d. responsibilities to detect fi ctitious invoices.

Providing objective means of how employees will be evaluated 5. facilitates an effective control environment.

True a. Falseb.

Section Four: COSO Framework: Elements of Internal Controls

Risk assessment Risk assessment is the process through which risks are identifi ed and studied so that the organization can manage risks and achieve its objectives (COSO 1994). Essentially, risk assessment involves identifying factors that could hinder the organization’s ability to achieve its objectives, then taking steps to eliminate or reduce the effects of those risks. Risks cannot be eliminated, but an effective internal control system must include an effective risk assessment process.

Risks arise from various circumstances, including legal, regulatory, industry and general economic changes. Identifying and reacting to these risks is an integral component of an effective internal control system because these risks hinder the ability of the internal control system to achieve its objectives (e.g., fraud detection and prevention). Therefore, an organization’s ability to achieve its objectives is directly related to its ability to identify relevant risks.

When designing and improving an internal control system, it is important to consider relevant objectives because of this relationship between risk assessment and objectives. The COSO (1994) explains that objectives must be established before risks can be assessed so that the organization can understand specifi c risks that threaten the accomplishment of its objectives. Therefore, this course will fi rst describe effective objective-setting practices before discussing ways to improve the risk assessment process.

You have already read that the control environment can vary in its formality based on management philosophy, organizational complexity and other factors. Similarly, the objective-setting and risk-assessment processes can range from very structured to very informal. Objectives may be formally stated, such as in vision statements, mission statements or operational directives. Objectives also may be implied. For example, it is implied that an objective of every for-profi t organization is to make a

profi t. It is important that employees understand organizational objectives because they are a component of the organization’s overall mission.

Objectives should be established using a top-down approach COSO (1994). Executives should fi rst defi ne the organization’s vision and strategic plan. At this level, objectives are very general and have little impact on many employees’ daily responsibilities.

Assume that the leaders of Company A have decided that the company’s highest priority is to become the industry leader in earnings growth. This objective probably would not be effective without lower-level, more specifi c objectives for individual employees. To attain this objective, the company offers additional incentives for sales personnel to attract new customers and increase sales volume with existing customers. At this more specifi c level, the objectives have an impact on employee’s daily life.

In addition to starting with overall objectives, another point about setting objectives is that objectives at middle and lower levels of the organization should be set to follow the overall objective. These operational objectives should encourage employees to adjust their daily routine and performance in a manner that support the overall, corporate-level objectives such as becoming the market leader in the industry.

Objectives should be challenging but attainable, and clear performance rewards should be established for attaining objectives. Objectives should not be so diffi cult to attain so that employees are discouraged from even attempting to make changes to allow the organization to achieve its objective. But they should be challenging so the employees will feel personally rewarded from achieving goals that require hard work. Clear rewards should be established to encourage employees to achieve operational-level objectives that allow the organization to achieve corporate-level objectives. If an organization’s objective is to have the highest level of earnings in the industry, employees should be encouraged to attain this diffi cult goal. Sales personnel should be offered commissions, bonuses, extra time off or some incentive that will encourage them to increase sales volume. Other employees can also be provided incentives. For example, purchasing agents could be rewarded in some manner for reducing costs while still acquiring quality products from suppliers.

In general, there are three types of objectives. All organizations should have operational objectives, fi nancial reporting objectives and compliance objectives (COSO 1994). The nature of these objectives will vary depending on the type of organization and the industry in which it operates, but they should be present in some form.

Operational objectives refer to the effi ciency and effectiveness of operations (COSO 1994). Operational objectives include attaining profi ts, equaling or exceeding analysts’ EPS forecasts, occupational safety goals and the protection of assets. These objectives should clearly provide a blueprint for successfully attaining such goals.

Financial reporting objectives refer to the reliability of fi nancial reporting (COSO 1994). All fi nancial reporting should be prepared in such a manner that it is accurate, unbiased and informative to all of the organization’s stakeholders. Financial reporting is a body of work that includes annual and quarterly fi nancial statements, earnings press releases and fi lings with regulatory agencies such as the SEC and IRS.

“Reliability ” is a very general term that can have different meanings in different contexts. In terms of fi nancial reporting, reliable fi nancial statements have several characteristics (COSO 1994). Reliable fi nancial disclosures are prepared in adherence to applicable and appropriate accounting principles, are informative to users of the fi nancial information, are reasonably categorized (i.e., assets are presented separately from liabilities), and accurately represent the economic events that underlie the account balances.

Compliance objectives refer to activities that are undertaken to ensure that the organization acts in conformity with all relevant laws and regulations (COSO 1994). Compliance objectives include complying

38

with rules pertaining to taxes, consumer safety, employee safety, interstate commerce and international commerce.

The nature of the organization infl uences which laws and regulations with which it must comply. For example, public companies must comply with the regulations of the SEC and PCAOB. On the other hand, some private organizations such as charities operate under very specifi c guidelines established by the IRS.

These three objectives are not independent of one another (COSO 1994). Consider the objective that this course promotes, preventing and detecting fraud. Fraud can affect operational, fi nancial reporting and regulatory objectives. The theft of assets results in: (1) operational ineffi ciencies because the stolen resources must be replaced and legal costs may be incurred; (2) fi nancial reporting problems because the perpetrator is unlikely to make correct journal entries to record the theft; and (3) potential compliance problems if the stolen assets enabled the organization to comply with regulatory requirements, perhaps those concerning consumer safety.

Similarly, fraudulent fi nancial reporting adversely impacts: (1) operational effectiveness because restated fi nancial statements must eventually be prepared and disclosed; (2) fi nancial reporting effectiveness because intentionally misstated fi nancial disclosures are disclosed; and (3) compliance effectiveness because producing fraudulent fi nancial reporting violates SEC rules, accounting principles and probably other regulatory requirements (i.e., debt covenants).

As previously mentioned, a strong direct link exists between organizational objectives and risks, and all objectives should be linked together through a top-down objective-setting process. Similarly, a top-down approach should be applied to the risk assessment process.

The fi rst step toward improving the internal control system through the risk assessment process is to identify organizational-level risks (COSO 1994). Organizational-level risks are pervasive to most operations, can threaten the viability of the organization and arise from both internal and external factors.

There are many external organizational-level risks that you should be prepared to identify (COSO 1994). New advances in technology can make existing resources, merchandise inventories and methods of operating obsolete. Also, changes in customer demand can arise as customer preferences and tastes change over time for both products and customer service. A common external threat is increases in competition as more organizations enter an industry, or existing organizations improve their operations. New legislation can result in changes in operations and compliance requirements that cause organizations to devote additional resources to various objectives. Finally, disasters such as terrorist attacks and natural catastrophes can disrupt operations and result in the loss of critical data.

Internal control systems also should be responsive to internal organizational-level risks including disruptions in information systems, changes in employees’ competency and motivation, changes in objectives, susceptibility of assets to theft, and the declines in the effectiveness of the board of directors and the audit committee (COSO 1994).

An effective internal control system includes means to identify both internal and external risk factors (COSO 1994). General and industry-specifi c economic changes can be identifi ed by comparing the organization’s operating performance (i.e., sales; earnings) with similar companies both inside and outside the industry, and with the industry averages. Large variances in account balances from month-to-month should be identifi ed and investigated. The defi nition of large variances will differ by organization, but it should be established by a reasonable means such as a percentage of total assets or net income. The organization can engage consulting experts to improve operational effi ciency, product design and other objectives.

The risks identifi ed at the entity-level often produce operational-level risks, but operational-level risks can exist and not be evident at the

entity-level. Therefore, risks also should be identifi ed at the operational-level (COSO 1994). Operational-level risks include poor performance by individual employees, failures to perform internal controls such as account reconciliations and safety inspections, and purchasing items from costly sources.

Risk analysis follows risk identifi cation (COSO 1994). The organization does not benefi t if risks are ignored following identifi cation. Risk analysis can be formal or informal, but usually consists of three steps in some form. First, the signifi cance of the risk is evaluated. Risk is always present, but varies in its level of signifi cance.

Consider an operational manager who must select one of two investment alternatives for his/her division. Both projects have the same expected profi t and the same likelihood of failure. However, the risk for Project A involves a 10 percent chance that the company will lose a contract with a major customer because of changes in customer service that accompany the project, while the risk for Project B involves a 10 percent chance that the company will lose a minor customer because of changes in customer service that accompany the project. The manager should select Project B because the projects have the same expected profi tability and the same likelihood of a negative outcome (e.g., risk), but the negative outcome for Project B is less signifi cant than that of Project A.

Now consider another operational manager who must select one of two investment alternatives for his/her division. Both investments have the same expected profi t and will result in the same amount of negative impact if the projects fail. Now assume that Project 1 carries a 3 percent chance that it will not succeed due to potential technological change, and Project 2 carries a 5 percent chance that it will not succeed due to potential regulatory change.

The decision should be to select Project 1 because it carries a lower risk than a project that offers the same expected profi tability and would have the same overall impact on the organization (e.g., the same signifi cance) as Project 2. This example illustrates that risk analysis should account for the likelihood that the risk will result in negative consequences for the organization.

Finally, risk analysis should account for the way in which risks will be managed; the organization should be prepared to take action to address risks as they are identifi ed (COSO 1994). If a risk has a low likelihood of occurrence and will have a minimal impact on the organization, serious action is not always required to address the risk, although the organization may consider taking action. If a risk has a high likelihood of occurrence and will have a large impact on the organization, action is required to address the risk.

Therefore, the risk assessment process includes a cost-benefi t element. The costs of reducing the organization’s exposure to various risks should be considered in light of the benefi ts that would accrue from reducing those risks. Key questions to consider include: (1) What is the cost in terms of time, money and other resources to

reduce exposure to a given risk? (2) How signifi cant is the risk in terms of operating, fi nancial reporting

and compliance effectiveness and effi ciency?(3) What is the likelihood that the risk will affect the organization (i.e., the

likelihood that the risk factor will result in negative consequences)?

A fi nal aspect of the risk assessment process should be understood. Risk assessment is part of the internal control process. However, the actions that management and employees take to address risks are not part of the internal control process, although they may result in new internal controls or changes to existing internal controls.

Information systems and communication Data and information can be obtained from both external and internal sources (COSO 1994). An example of data that are generated internally is the hourly rate of manufacturing employees. The organization establishes the hourly pay rates, and uses this data to provide information to potential employees and the human resources department.

39

All employees and executives within an organization must have information to carry out their daily tasks and responsibilities (COSO 1994). Information is vital to the accomplishment of goals, including fraud prevention and detection. An employee’s instruction to perform an internal control that might detect fraud (i.e., account reconciliation) is a type of information. This employee also must be provided information concerning what to do following fraud detection. The employee must be told which individuals should be notifi ed in case of fraud, the extent of documentation required to provide suffi cient evidence that fraud has actually occurred, and that fraud cases should be handled with special care and confi dentiality because of potential negative repercussions to the organization.

The information system refers to the process through which data is collected, stored, processed and converted into information (Bagranoff et al. 2008). Data are raw facts that when taken individually have little meaning. Information is processed data that is useful in the decision-making process. An example of an information system is the accounting information system, which collects data regarding transactions, processes the data by recording journal entries and posting the effects of transactions to account balances, and generates information about those account balances in the form of fi nancial statements and other disclosures.

An information system does not have to be automated, although most modern information systems are at least in part automated. Many information systems require both manual and automated processes.

In the internal controls framework, information system takes on a broader context than simply the means through which the organization captures, processes and stores data to generate output. In this context, information systems refer to any means through which the organization obtains information that is relevant to achieving operational, fi nancial and compliance objectives. In this sense, the information system helps identify risks by capturing information about economic trends, changes in the industry, technological developments, supplier-driven changes and changes in customer demands. This information can be obtained through a variety of means, including mail surveys, telephone interviews, and online surveys.

Like other elements of the internal control framework, information systems can vary in the extent that they are formalized. Consider the objective of obtaining feedback from suppliers that can be used to improve the acquisition process. This information can be obtained through formal means such as sending written surveys via e-mail or mail to suppliers. This information also can be obtained through less formal means such as during routine telephone calls made by purchasing managers to suppliers. Regardless of the formality of the information system, it must be used to obtain relevant information.

Useful information is relevant to the decision that is under consideration. A purchasing manager who is attempting to improve the effi ciency of the acquisition process is not benefi ted by having information about the fi xed-asset management process. The information about the fi xed-asset management process may be entirely accurate and interesting, but it is not useful to the purchasing manager. Therefore, useful information is relevant to the current task.

Useful information must be provided in a timely fashion. An organization that implements an alarm system in its data storage facility is taking a step toward improving internal controls relating to fraud prevention and detection. However, if the alarm is programmed to alert the appropriate executives and employees two hours after a breach occurs, it is not providing information that can be used to prevent and detect fraud. The organization is not very well-served by this internal control activity because potential fraudsters would have suffi cient time to leave the premises before anyone would be aware of their presence.

Useful information must be current. One means through which fraud is carried out involves the abuse of information technology. Recall that one of the fraud schemes described in the previous section involves manipulating data to create a fi ctitious vendor and arranging for the

organization to make payments to this fi ctitious vendor, which are in reality collected by the fraudster.

There are internal controls over the processing and manipulation of data that can be used to prevent and detect this scheme. For example, all changes and additions to data should be made by authorized personnel. In addition, the system should match any additions to the authorized vendor list to the authorized vendor fi le. However, if the organization’s executives are not aware of these internal controls over information technology, they will be unable to implement these internal controls. Therefore, useful information is not out-of-date.

Useful information must be accurate. Assume that an organization has been victimized by an embezzlement scheme perpetrated by an employee. If the executives believe, based on the information obtained about the fraud, that the amount of cash stolen was relatively small, they might quietly dismiss the fraudster and not pursue legal action against the fraudster to avoid negative publicity.

However, if the information concerning the fraud was inaccurate, and the fraudster had actually embezzled a signifi cant amount of cash, the executives may have allowed the fraudster to escape with a large amount of stolen cash. In this case, the executives likely would have desired to prosecute the fraudster under the assumption that any negative publicity would be justifi ed by obtaining legal penalties, which likely would include a remuneration plan in favor of the organization.

Finally, useful information must be accessible. The account reconciliation is a basic internal control in which the organization’s cash balances obtained in its records are reconciled to its cash accounts held at fi nancial institutions. This internal control can help detect misstatements due to fraud and error, as well as embezzlement of organizational resources. If the employee responsible for performing account reconciliations cannot fi nd the fi nancial balances in the cash accounts, this employee cannot use this information to perform the reconciliations, and fraud may go undetected.

Communication is the second component of information systems and communication, and is implicit in the operation of an information system. For instance, information must be communicated on a timely basis in order for it to be effective. Useful information should be communicated to both internal and external destinations.

Internal communications is the dissemination of information to internal users. Internal communications involve at least four components. First, employees must be provided with clear instructions concerning their responsibilities for internal controls and other activities. Employees who have a prescribed responsibility for executing internal controls are much more likely to perform the tasks involved than employees who are unsure who has responsibilities for different activities. The communications concerning internal control responsibilities also should be clear. The employee performing an internal control should understand his or her own responsibility, and how the internal control is relevant to both the entire internal control system and to achieving organizational objectives.

Second, employees should have clear instructions concerning what actions to take when the internal controls discover exceptions (problems). In these cases, employees should be aware that their responsibilities do not end with the discovery of problems, but that they should investigate the problem to discover its source.

An internal control that can prevent fraud is the matching of purchase orders, vendor invoices and receiving reports before cash disbursements can be processed. If the accounts payable clerk responsible for executing this internal control discovers that an invoice is not accompanied by the other documents, the clerk should ascertain the reason for this control exception to determine whether the problem is due to error or fraud.

Third, employees should be given information that conveys how their responsibilities relate to the tasks performed by other employees). If employees do not understand the nature of tasks performed by

40

colleagues, it is diffi cult to identify questionable activities performed by fraudsters. In other words, if an employee does not understand what results constitute a departure from another employee’s responsibilities, he/she will have diffi culty identifying fraudulent activities.

Finally, internal communications also should fl ow up the organizational chart. The fi rst three components of internal communication involve downward communication that instructs employees concerning methods of detecting and responding to fraud. However, organizational managers should provide effective means for employees to communicate with superiors. Front-line employees possess a good understanding of the daily operations in their unit, and consequently have advantages in identifying fraudulent activities that may not be possessed by executives.

Encouraging upward communication, especially in fraud settings, can be diffi cult. Whistle-blowers are often looked down upon and given derogatory titles such as snitch and rat. Accordingly, the last section in this course provides suggestions for improving upward communications that can be vital in fraud detection and prevention.

External communications is the dissemination of information to external parties, who are more diverse than internal users. An example of externally provided information is the audited fi nancial statements. External users of information include customers, regulators, suppliers, investors, stock analysts and creditors. Therefore, care should be taken to ensure that information conveyed to an external party is appropriate given the nature of its relationship with the organization.

Communications with external parties are relevant to the internal control system because external parties can provide information concerning the effectiveness of internal controls. External auditors assess the effectiveness of internal controls during the fi nancial statement audit, and their fi ndings can be applied to improve the internal control system. Also, regulators (i.e., bank inspectors) examine organizational compliance with laws and regulations, and their fi ndings can also be utilized to improve the internal control system.

Information can be communicated through various channels. Internal communications can be accomplished through e-mail, memos, bulletin board messages, presentations, suggestions boxes and video media. External communication can be accomplished through fi nancial statements and other accounting disclosures, press releases, annual reports, advertisements and publications. Finally, the actions of executives can send strong messages to both internal and external parties.

Control activities Control activities are the policies and procedures undertaken to provide assurance that organizational objectives for fi nancial reporting, compliance and operations are achieved. The same control activity can relate to one of these three objectives or can be used to achieve multiple objectives.

Control activities is a broad term that encompasses many activities executed on a regular basis by employees, managers and executives, and include reconciliations, variance reports, authorizations and approvals, and the segregation of duties. Often, when individuals refer to internal controls, they are referring to these and other control activities. However, control activities are one of fi ve components of an internal control system.

As you have read, internal controls should be either preventive or detective . Preventive internal controls are designed to prevent fraud (and other problems), while detective internal controls are designed to detect fraud (and other problems).

The following sections of this course describe internal control activities in extensive detail. These sections will discuss the importance of well-designed internal controls, process-independent internal controls, and process-specifi c internal controls. You will also read about internal controls that pertain to information systems, which are designed to promote effective data input, processing and output as information. Therefore, the discussion of internal control activities in this section

will be brief, and limited to the connection between the risk assessment process and internal control activities.

Internal control activities should be linked to the risk assessment process (COSO 1994). For example, assume that an organization is located in an area that is regularly subject to hurricanes. Hurricanes are a risk for this organization because they can cause damage to buildings and result in the loss of data. Some important internal controls for this organization are to store backup data in a location that is safe from hurricanes and have a contingency plan in case the headquarters building is compromised by hurricanes. The risk assessment process identifi es potential obstacles to achieving objectives; internal control activities should be implemented to counter the threats inherent in the risks that have been identifi ed.

As another example concerning fraud prevention, consider an organization that has recently had several instances of stolen assets from its warehouse that are believed to have been perpetrated by employees. This organization identifi es an increase in the risk of operational effectiveness and effi ciency to due to misappropriation of assets, and should enhance its internal control activities to better safeguard assets in the warehouse. Some internal controls that would address this risk include the installation of security cameras, hiring guards, installing a fence around the warehouse, clearly defi ning penalties that employees will incur if they steal assets, and using access controls such as issuing authorized personnel cards with magnetic strips that must be swiped before entering the warehouse.

Monitoring of internal controls As previously discussed, it is impossible to design and execute an internal control system that eliminates all risks related to achieving operational, fi nancial reporting and compliance objectives. Inherent limitations in all internal control systems include collusion, management override of internal controls and human error (COSO 1994). Furthermore, even if a perfect internal control system could be designed and executed, such a system would soon become imperfect because technology, competition, economic forces and other business conditions are not static.

As the organization’s operating environment changes with employee turnover, technological development, new competition and other developments, the internal control system must also evolve to remain effective. The purpose of monitoring internal controls is to provide assurance that the internal control system will properly evolve as the business environment changes.

Monitoring should be applied to all internal control activities, regardless of the extent that employees and external entities (i.e., suppliers) are involved. In addition, if an organization outsources business functions (i.e., payroll processing), it should monitor the internal controls that the outsourcing agent has in place.

Monitoring is typically accomplished through continual monitoring procedures and non-routine evaluations. Even an organization that has an effective continual monitoring process should consider the use of non-routine evaluations because such evaluations often are more extensive than routine evaluations.

Continual monitoring procedures are performed on a consistent basis during the normal course of business. An example of continual monitoring procedures is that operational-level managers can submit regular reports that identify areas for improvement in existing internal controls and recommendations for new internal controls. Operational-level managers are more familiar with daily operations than most executives, and can provide valuable feedback concerning the effectiveness of the internal control system.

Another type of continual monitoring is provided by external parties. If a breakdown in the internal controls over the sales and billing functions results in overstatements in customer billing, the customer will complain to the appropriate billing personnel, who should bring the matter to the attention of the billing manager. The billing manager should initiate an investigation of the internal controls over the sales and billing functions

41

to ascertain the cause of the internal control breakdown and begin the process of solving the issue.

In addition, while all organizations that use automated systems should have internal controls over their systems, these IT controls can fail. A sound continual monitoring process is to compare systems output with the physical resource. For instance, the amount of cash or inventory that the system indicates is currently on hand should be regularly verifi ed through physical counts.

Non-routine evaluations of internal controls are specially designated monitoring practices that are not a component of normal operations. Non-routine monitoring can be conducted either by hiring external consultants, using internal auditors, or obtaining feedback from the employees responsible for executing internal controls.

Non-routine evaluations can differ in terms of scope. Sometimes, the entire internal control system is evaluated; sometimes the internal controls that pertain to a specifi c process are evaluated. Generally, large-scale, non-routine evaluations are conducted less frequently than evaluations that are more specifi c.

Typically, one of three groups or a combination of them performs a non-routine internal controls evaluation. Internal auditors are one group who can perform a non-routine evaluation. Internal auditors perform similar tasks as external auditors, except they do not issue publicly available audit opinions. Internal auditors should report to the audit committee to maintain independence of the fi nancial reporting process. Internal auditors should possess the expertise necessary to thoroughly evaluate internal controls based on their accounting education and experience with internal controls provided by their routine responsibilities. Internal auditors should focus mainly on asset misappropriation and report their fi ndings to the audit committee.

Employees also can perform non-routine internal controls monitoring. Employees can provide written or verbal feedback to managers about how they perform internal controls and what steps they take following the detection of internal control problems. They also can provide information concerning the results of operations that are intended to facilitate the attainment of operational, fi nancial reporting and compliance objectives. The information provided by employees should be compiled, summarized and analyzed to ascertain how the internal control system can be improved.

Finally, external consultants can be engaged to monitor internal controls. Consultants should possess experience in the organization’s industry and an understanding of applicable laws and regulations. The consultants can utilize many techniques to identify ways in which to improve internal controls, including the observation of employees performing internal controls, talking to employees about internal controls and reperforming internal control activities and comparing results to those obtained by employees during normal operations.

Regardless of who performs the non-routine monitoring of internal controls, the individual(s) evaluating internal controls must understand the organization’s activities and how the internal control activities relate to one another, and how the internal control activities fi t into the overall internal control system. This understanding can be gained by examining documentation for internal controls and discussing internal controls with executives and employees.

Documentation is a useful tool that can provide an understanding of the internal control system (COSO 1994). Documentation can vary in formality and quantity across different organizations, but often consists of fl owcharts, organizational charts, chart of accounts, job descriptions and data fl ow diagrams. Individuals who evaluate internal controls can develop their own documentation, which can be used to both evaluate and improve the documentation of the internal control system.

The individual(s) evaluating internal controls must understand the manner in which both the organization operates and internal controls are executed. Simply understanding the design of internal controls is

not suffi cient for the task of critically evaluating internal controls. Some controls are modifi ed once they are implemented so that they will be more effective if operational-level employees, who intimately understand the tasks involved, believe the adjustment will improve the internal control. Evaluators must understand that such changes likely improve the quality of the internal control, even when the changes are not formally documented.

Finally, the individual(s) evaluating internal controls must have a preplanned, objective means of evaluating internal controls. Monitoring internal controls requires an assessment of whether internal controls are functioning effectively. This assessment should be based on criteria that were established before the monitoring activities commenced. In other words, monitoring internal controls is not a task to be done “on the fl y,” with the evaluator making up rules as he/she proceeds.

The evaluation of internal controls likely will lead to the second aspect of monitoring, reporting defi ciencies. In the last section of this course, you will read about reporting procedures following the discovery of fraud. That section describes reporting general guidelines following the discovery of internal controls defi ciencies (e.g., departures from the manner in which the control is intended to operate). Defi ciencies in the internal control system should be reported to the appropriate individuals so that corrective action can be taken to improve the effectiveness of the internal control system.

Normally, information about internal control defi ciencies should be reported to the manger of the business process in which the defi ciencies occurred. If an employee discovers the defi ciency, he/she should report it to his/her immediate supervisor. If the problem is discovered by internal auditors or outside consultants, they should report the matter to the operational manager.

Internal control defi ciencies also should be reported to a manager or executive who is one level higher than the manager who is responsible for the operating unit in which the defi ciency occurred (COSO 1994). This guideline allows for oversight for the corrective process, and provides a safeguard against a potentially fraudulent operational manager who may not wish to take action to correct an internal control defi ciency.

In some cases, there may be no one individual who clearly has the authority and responsibility to correct internal control defi ciencies. In these cases, multiple managers and executives of suffi cient rank should be communicated to in order to ensure corrective action will take place should be informed of the control defi ciencies.

A second aspect of reporting that should be considered is the content of the information provided about the internal control defi ciency. All reports should include some basic elements, including the processes and employees involved, the cause of the defi ciency, and recommendations to correct the defi ciency and improve the effectiveness of the internal control.

The content of the report should refl ect the implications of the defi ciency in terms of organizational objectives. In other words, more severe control defi ciencies merit more extensive discussions describing the impact of the defi ciency on operational, fi nancial reporting, and compliance objectives.

The Sarbanes-Oxley Act Recall that the Cohen Commission offered two recommendations concerning disclosures of internal control effectiveness. First, the Cohen Commission recommended that public companies disclose a critical evaluation of the effectiveness of their internal controls. Second, the Cohen Commission recommended that external auditors provide an opinion concerning the quality of this assessment made by management.

These disclosure recommendations of the Cohen Commission were not adopted into law or practice (COSO 1994). However, following the series of high-profi le accounting scandals such as Enron and WorldCom in the early years of the 21st century, the recommendations were adopted. The Sarbanes-Oxley Act (SOX) requires public companies to disclose management’s assessment of its internal controls and their external auditors’ opinion of the accuracy of management’s assessment (Sarbanes and Oxley 2002). The remainder of this section describes the impact of SOX on internal controls.

42

The provisions of SOX represent legal requirements with which public companies must comply or face the consequences of violating federal law. Many private companies, however, choose to comply with the provisions of SOX that apply to their operations and governance structures. One reason that privately owned companies comply with SOX is to obtain debt fi nancing. It is much easier to be granted a loan if a company can document that it has a strong internal control system and corporate governance structure, and complying with SOX strengthens these areas. Another reason that private companies choose to comply with SOX is that they may have a desire to go public at some point. Such private companies can prepare for smoother initial public offering if they are in compliance with SOX. Finally, some private companies decide to comply with SOX to be more attractive to potential buyers. Therefore, the impact of SOX on internal controls is relevant to managers of both public and private organizations.

In an attempt to strengthen the control environment, SOX includes provisions to enhance the effectiveness of audit committees as an overseer of the fi nancial reporting process. The fi rst set of audit committee provisions concern the relationship between the audit committee and the external auditor (Sarbanes and Oxley 2002). First, SOX requires that the audit committee make decisions concerning the retention and compensation of external auditors. In addition, SOX requires auditors to report to the audit committee concerning fi nancial reporting and call to the audit committee’s attention any unresolved accounting adjustments for which the auditor and the executives could not reach agreement; the audit committee can then decide whether to accept or reject the auditors’ proposed adjustment.

The second set of SOX provisions involving the audit committee promotes the objectivity and independence of the audit committee (Sarbanes and Oxley 2002). SOX mandates that audit committee members cannot be affi liated with the organization in any way other than their capacity as audit committee and board members (i.e., the CEO cannot also be on the audit committee). SOX also states that the audit committee must have the authority to engage separate legal counsel from management; if legal problems arise, the audit committee does not have to rely on the lawyer(s) retained by the executives.

SOX also mandates responsibilities for executives that are intended to improve the effectiveness of the control environment (Sarbanes and Oxley 2002). SOX requires that the chief executive offi cer and chief fi nancial offi cer (or equivalent offi cers) certify all quarterly and annual fi nancial reports fi led with the Securities Exchange Commission. These certifi cations indicate that the signing executives have read the fi nancial disclosures and are not aware of material misstatements in the fi nancial disclosures. Furthermore, by signing off on the fi nancial disclosures, the CEO and CFO take responsibility for the design, operation and monitoring of internal controls, and must disclose signifi cant changes in the internal control system. Concerning fraud, the certifying offi cers take responsibility for reporting all instances of fraud to the audit committee.

The requirements mandated by SOX concerning audit committees and executives improve the control environment, specifi cally the tone at the top. The requirements for the audit committee improve the independence of both the audit committee and the external auditor from the organization’s management. The requirements for the CEO and CFO strongly encourage these executives to take a strong interest in internal controls, which should lead to a better tone at the top concerning internal controls.

Assuming that these requirements produce changes that lead to a more effective control environment, the other components of the internal control system should improve. Internal control activities and monitoring procedures become more effective because management must regularly evaluate internal controls and make improvements when defi ciencies are identifi ed. Communication becomes more effective because management and the audit committee convey through their actions that the organization is committed to improving internal controls.

SOX also requires that both organizational managers and the external auditor opine on the effectiveness of internal controls (Sarbanes and Oxley 2002). Management must provide an internal control report in each annual report. This internal control report must include at least two statements. First, the internal control report must state that management is responsible for developing and maintaining internal controls. Second, the internal control report must include management’s assessment of the effectiveness of internal controls.

As a safeguard against the possibility that an organization’s managers may falsely state that internal controls are operating effectively, SOX also requires the external auditor to provide an opinion concerning whether the internal controls can effectively prevent and detect material misstatements (Sarbanes and Oxley 2002). Furthermore, the external auditor must provide an opinion about management’s assessment of internal controls (i.e., state whether management’s assessment is accurate).

The provisions of SOX concerning internal controls have been costly to implement. In the fi rst year alone, which was probably the most expensive year, approximately $35 billion was spent to both improve internal controls and cover external audit fees (AEA 2005), which increased because of the additional workload SOX creates for auditors. The staggering costs of implementing SOX suggests that many organizations may not have had effective internal controls, had effective internal controls but lacked suffi cient documentation of the internal controls, or some combination of these two possibilities. SOX mandates that internal controls be both well-designed and operate effectively.

Section Four, Practice Test

Please take the time to complete the following practice exam. The test consists of fi ve questions that will address the information you have read thus far. Be sure to compare your answers to the answer key and explanations provided on the pages following the practice exam. Remember, your score on the practice exam does not count towards your fi nal grade. Only your score on the fi nal exam will count for credit.

Use the following chart to answer the question below.

Tango Sierra Corp., a publicly traded company, has the following key employees:

Employee Name Title

Todd Martin Chairman of the board

Alexander Cowen Chief executive offi cer

Keitha Kay Chief operating offi cer

Andrea Leroux Chief fi nancial offi cer

Joseph Bowen Chief audit executive

William Harper Controller

Under SOX, which employees must certify the fairness of a 1. company’s fi nancial statements by signing their name?

Todd Martin and Alexander Cowen.a. Alexander Cowen and Joseph Bowen.b. Alexander Cowen and Andrea Leroux.c. Andrea Leroux and William Harper.d.

To understand the organization’s business model, the internal auditor 2. for a pharmaceutical company started by examining recent changes in FDA regulations that might substantially affect the organization’s sales. The internal auditor is in the beginning stages of a top-down risk management approach.

Truea. Falseb.

43

In assessing risks under the COSO ERM framework, the internal 3. auditor should consider both the

potential lost revenue and increased cost of the adverse event.a. probability of the event occurring and economic impact of the b. adverse event. magnitude of the economic impact and potential cause of the c. adverse event.likelihood that the event has occurred before and probability of d. the adverse event occurring again.

The COSO Framework explains that objectives must be set before 4. risks can be assessed. There are three types of objectives, which should be attainable and challenging. The three types of objectives are

operational, fi nancial, and compliance objectives.a. ethical, functional and inventory objectives.b. technical, fi nancial and compliance objectives.c. management, communication and fi nancial objectives.d.

Which of the following is a characteristic of an improperly designed 5. monitoring activity?

Reviews of controls are conducted at random intervals a. throughout the year.The reviewer must use objective means for evaluating controls b. defi ciencies.If an employee fi nds a defi ciency, he should report it to the board c. of directors. The reviewer must have an understanding of the organization’s d. activities before reviewing any controls.

Section Five – Course conclusion

In completing the content of this course, you should meet all of the course objectives. You should be able to appraise internal control environments and determine fraud exposures. You should know and understand the defi nition of fraud, that it is an intentional action undertaken with the explicit purpose of achieving fi nancial gain and/or harming another party. You should be able to detect behaviors indicative of some fraud schemes such as skimming, rationalization, lapping and hiding expenses and liabilities in special purpose entities. It should be much easier for you to uncover an embezzlement scheme and provide evidence that will reveal the guilty party or parties involved so it can be reported to the management or to the authorities. You should feel comfortable working with management developing processes and internal controls that will help to prevent fraud or errors within your company and you should be able to apply the elements of the COSO internal controls framework in your workplace.

Answer Key Practice Test, Section Two Part 1

Which employee has the greatest opportunity to commit a fraud in 1. the accounts payable department?

The accounts payable clerk.a. The accounts payable manager.b. The controller.c. The chief fi nancial offi cer (CFO). d.

Answer a is incorrect because while the accounts payable clerk is most likely involved in the day-to-day accounts payable activities more so than any other of the positions listed, the accounts payable clerk’s opportunity to override existing controls is less than that of the other positions – especially the CFO.

Answer b is incorrect because while the accounts payable manager might have authority and more opportunity to override controls than an accounts payable clerk, he or she will still have less opportunity to override controls than a controller or CFO.

Answer c is incorrect because while the controller would have opportunity to override controls to some degree, the CFO would still have more opportunity to override the control.

Answer d is correct because of all the positions listed, the CFO would have the greatest opportunity to override controls. The ability for upper-level employees to override controls makes it easier for higher-ranking executives to commit fraud than lower-level employees.

Fraudulent fi nancial reporting would be most likely in which of the 2. following transactions?

Fixed asset acquisition.a. Salary expense.b. Warranty expense. c. Accounts receivable factoring.d.

Answer a is incorrect because fi xed asset acquisition is an objective transaction with a defi nable correct account balance. Through examination of contracts, agreements or invoices, an auditor would be able to determine the appropriate balance for a fi xed asset.

Answer b is incorrect because salary expense is an objective transaction as well. An auditor would be able to vouch a salary expense transaction back to the original source documents (i.e., a time card or employment contract) in order to determine the proper transaction amount.

Answer c is the correct answer because it is the most subjective account balance, and fraudulent fi nancial reporting most often takes place where subjectivity is allowed in the formation of a reasonable account balance. Warranty expense is typically derived from trends in prior warranty expenses and applied to the current sales amounts. Documentation of detailed warranty accounting tables are harder to track because there are direct and indirect expenses. Direct expenses are charges incurred while dealing directly with shipping, repairing/replacing or refurbishing a product. Indirect expenses are charges incurred while supporting the management of the product. Changes in product quality or other various factors could allow a fraudster the opportunity to misrepresent the correct warranty expense transaction.

Answer d is incorrect because accounts receivable factoring is also an objective transaction. To determine the appropriate amount of accounts receivable that should be factored, an auditor would need to be able to inspect the agreement between the company selling and the company purchasing the accounts receivable balances to determine the appropriate amount of the balances of the accounts receivable that should be reduced. Factoring occurs when the rate of return on the proceeds invested in production exceed the costs associated with factoring the receivables and the company sells its invoices at a discount to their face value to put cash back into the business.

An accounts receivable clerk is in the midst of a lapping scheme that 3. has been ongoing for several months. Which of the following would most likely catch the fraud?

Monthly account balances sent to the customers.a. Requiring a manager to confi rm the receipt of all material b. checks.Requiring periodic employee position changes and random c. management review. Examining the accounts receivable aging report each month.d.

Answer a is incorrect because a properly performed lapping scheme will eventually apply payment to each customer’s account. A monthly account balance would be accurate except those payments that were sent towards the end of the month, but customers would most likely overlook those delinquent balances and assume that the check sent was not processed before the report was created.

Answer b is incorrect because while having a manger confi rm and enter all large (material) checks that come in, the clerk could still steal several immaterial checks and perpetuate a fraud that would eventually become quantitatively material.

Answer c is correct because it would most likely detect the fraud. Lapping schemes get more complicated the longer they are perpetuated. By enforcing periodic employee position changes and random

44

management review, the lapping scheme would be uncovered. An employee who changes position with the regular accounts receivable clerk should come across one of the accounts that had been posted incorrectly and that payments were missing. The replacement clerk likely would apply checks to their proper accounts, thereby either causing the accounts that had been lapped to become delinquent, or might see that prior checks from a customer had been applied to the wrong invoices. This would alert the manager to review or audit all of the accounts for any additional problems.

Answer d is incorrect because an aging report would in the long run be for the most part accurate. Similar to the monthly statements, checks eventually get applied to each customer’s account, so an aging report would not necessarily indicate a lapping scheme.

Which of the following creates an opportunity for fraudulent 4. fi nancial reporting?

A company’s board of directors and the audit committee have a. signifi cant infl uence on management.A company is operating in a declining market.b. A company operates in an industry that has several material c. subjective accounts. A company requires continuous fi nancing to stay competitive.d.

Answer a is incorrect because a company’s board of directors and audit committee having infl uence on management diminishes management’s opportunity to commit fraud.

Answer b is incorrect because operating in a declining market does not create opportunity, but it does create incentive to commit fraud.

Answer c is correct because subjective accounting principles create opportunities for fraudsters to take advantage of the valuation guidance for these accounts.

Answer d is incorrect because requiring continuous fi nancing creates incentives for management to maintain books that allow for cheap cost of capital; it does not create opportunity to commit fraud.

Which of the following red fl ags creates an opportunity for 5. misappropriation of assets?

Attitudes toward paying taxes.a. Merchandise inventory consists of small and highly valued b. items. Technological changes. c. Recessions.d.

Answer a is incorrect because SAS 99 says attitudes toward paying taxes as an infl uence on person’s rationalization of fraudulent fi nancial reporting . Fraudsters can rationalize their actions by believing that they have worked hard for their company, and the government does not deserve to tax its earnings and merchandise inventory. This can lead to understatements of earnings and /or inventory.

Answer b is correct because SAS 99 says a setting in which fraudsters have opportunities to misappropriate assets is when a company’s merchandise inventory consists of small items that have signifi cant value. A good example is jewelry, which is easy to steal and conceal, and can easily be converted into cash.

Answer c is incorrect because SAS 99 says technological changes can create incentives in accounting for inventory obsolescence. If a company’s competitors have introduced technologically superior products, then the company’s now old items probably will not produce the same sales volume as before the competitor’s products hit the market.

Answer d is incorrect because SAS 99 says recessions can create incentives to overstate earnings. Recessions are source of pressure that does not come about directly because of the actions of a company or its competitors. This incentive can lead to rationalization by company’s executives that their decline in sales is not their fault or the consequence of competitor’s actions.

Answer Key Practice Test, Section Two Part 2,

Tom Downs, the manager of a production line for General Tire, has 1. the authority to order and receive replacement parts for all machinery on his production line. The auditor received an anonymous tip alleging that Tom purchases materials from a cousin who distributes parts, and orders substantially more parts than are necessary. The whistle-blower also explained that the extra parts were never received. Instead, the whistle-blower contends that Tom falsifi ed receiving documents and charged the parts to maintenance accounts. The payments for the undelivered parts were sent to the supplier (Tom’s cousin), and the money was divided between Tom and the cousin.

Which of the following internal controls would have most likely prevented this fraud from occurring?

Establishing predefi ned spending levels for all vendors during a. the bidding process.Segregating the receiving function from the authorization of b. parts purchases. Comparing the bill of lading for replacement parts to the c. approved purchase order.Using the company’s inventory system to match quantities d. requested with quantities received.

Answer a is incorrect because predefi ned spending levels (i.e., $10,000 per vendor) would probably already include the fraudulent amounts and would only limit the size of the fraud. Tom would still be able to perpetuate the fraud over time, but might be restricted in the size of each individual occurrence of fraud.

Answer b is correct because additional authorization would be the most likely choice in preventing the fraud. The additional authorization would separate the custody and authorization functions, thereby creating an effective segregation of duties environment.

Answer c is incorrect because the bill of lading would agree with the purchase order. Even if the parts were received by a third party (i.e., a shipping dock worker) and later stolen by Tom, the original bill of lading would match the approved purchase order (because Tom has the authority in the current scenario to approve the purchase order).

Answer d is incorrect because the computer matching would only verify the falsifi ed paperwork. That is, Tom’s falsifi ed receiving documents would be entered into the system and would match the number of items ordered on the purchase order. The only way this verifi cation would work is if a physical inventory count compared the inventory on hand in the inventory system to what is on the fl oor. However, this is diffi cult, given that parts ordered are replacement maintenance parts that might be frequently changed in and out of machines (making these parts harder to track than normal for-sale inventory items).

Which one of the following accounts is most susceptible to fraud?2. Utilities expense.a. Notes payable.b. Bad-debt write-off. c. Unearned rent revenue.d.

Answer a is incorrect because utilities expense is an objective determination and can be tied back to corresponding utility bills. Objectively determined account balances have less likelihood to be susceptible to fraud.

Answer b is incorrect because notes payables are typically accompanied by contractual notes that stipulate the terms of the liability. Objectively determined account balances have less likelihood to be susceptible to fraud.

Answer c is correct because bad-debt write-off is a subject determination, and accounts that are valued through subjective estimates leave the door open for fraud because accounting principles cannot provide defi nitive guidance for these accounts. It would be easier to commit fraud using this account because although there should ultimately be an account receivable to offset the debit and credit, they are

45

often very old, long-past due and have been added together with several other past-due accounts as one large bad-debt balance.

Answer d is incorrect because unearned rent revenue is often accompanied by a lease or rental agreement that will stipulate the terms of the rental. Objectively determined account balances that have a contract or agreement that can trace a payment or receivable amount back to a defi nite balance is less likely to be susceptible to fraud.

At a recent meeting, General Tire’s internal audit function committee 3. met to evaluate its objectivity. In which of the following situations would the auditor appear to have impaired objectivity?

An auditor reviews the procedures for a soon-to-be installed a. computer system that will allow General Tire to connect to a major customer.A former inventory manager performs a review of internal b. controls over the warehouse three months after being transferred to the internal audit department. An auditor recommends internal controls concerning a contract c. with an outside agency that will process General Tire’s payroll and employee benefi ts. The internal audit function committee consists of a member from d. each of the company’s departments who is not involved with the accounting practices, three members of the company’s board and an outside certifi ed public accountant.

Answer a is incorrect because internal auditors are able to review systems before they are implemented without affecting their objectivity. In fact, this function has the potential to add value to the organization by catching potential internal control issues prior to their implementation.

Answer b is correct because internal audit employees should not be assigned to audit any areas in which they have worked (or have overseen) until a reasonable “cooling off” period has occurred (typically about one year). In this case, the inventory manager could be auditing procedures for which he or she was responsible for overseeing just three months earlier as inventory manager.

Answer c is incorrect because an internal audit has the opportunity to add value to the organization by analyzing the proposed relationship between General Tire and the outside entity before the contract is signed. Specifi cally, internal audit’s objectivity should be able to identify potential risk exposures prior to the initiation of the contract.

Answer d is incorrect because these individuals should all be independent of the accounting process. For this committee to be effective, the internal audit function should be competent and objective. Ideally, the internal auditors should report to the audit committee, not the controller, CFO or anyone else who can record accounting journal entries.

Executives with stock options in a company that is on track to post a 4. net loss on the year are examples of what fraud component?

Capabilitya. .Incentive. b. Rationalization.c. Opportunity.d.

Answer a is incorrect because while capability could play a role in the current scenario, a company on track to post a net loss does not contribute to an executive’s capability (i.e., intelligence, confi dence, persuasiveness or truthfulness) to commit a fraud.

Answer b is correct because executive stock options give the executives incentive to maintain high stock prices. Net losses for a period will likely impact stock prices, which could impact the value of the fi rm’s stock. The incentive then is to continue to maintain high stock prices.

Answer c is incorrect because the scenario included no specifi c justifi cations for the executive to commit the fraud. Rationalization is typically associated with employees who perceive that a company “owes them” something. For example, employees who believe they are

underpaid often rationalize that committing the fraud is a way of making things right or balanced.

Answer d is incorrect because the presence of stock options alone, for example, does not provide opportunity to commit fraud. Opportunity in this setting would have been appropriate if the scenario described the company as very lax in regard to management override. Management override of controls provides many executives with the opportunity to circumvent the intended internal control and commit a fraud.

A basic internal control is to have an individual or group of 5. employees who have a prescribed responsibility to review the company’s accounting practices and are knowledgeable and involved with the company’s accounting process.

Truea. False b.

Answer a is incorrect because a basic internal control is to have a prescribed responsibility for each individual, but the group should not be involved with the company’s overall accounting process.

Answer b is correct because while a basic internal control may have an individual group of employees handle specifi c duties to review the auditing process, they should be independent of the overall accounting process. This internal control is carried out by the internal audit function.

Answer Key Practice Test, Section Three

If a company’s internal audit committee found that the company’s 1. internal controls over accounts receivables are NOT designed properly, who is ultimately responsible for the control design failure?

The accounts receivable clerk whose job it was to perform the a. control.The accounts receivable manager.b. Company management. c. The board of directors.d.

Answer a is incorrect because while the accounts receivable clerk is performing the internal control, management is ultimately responsible for ensuring that a control is designed properly.

Answer b is incorrect because while the accounts receivable manager oversees the control (often referred to as the risk owner), company management is responsible for the design of internal controls.

Answer c is correct because according to SOX, company management is ultimately responsible for the proper design and operation of internal controls.

Answer d is incorrect because while the board of directors (BOD) oversees company management, they are not responsible for the design and effective operations of internal controls, per SOX.

Which of the following internal controls would prevent the ordering 2. of too much inventory?

Review of all purchase requisitions by a supervisor in the a. user department when submitting them to the purchasing department. Automatic reorder by the purchasing department when low b. inventory level is indicated by the system.A policy requiring review of the purchase order before receiving c. a new shipment.A policy requiring agreement of the receiving report and packing d. slip before storage of new receipts.

Answer a is correct because supervisory review at the originating department level is one means of control over the number of items ordered (i.e., preventing too much inventory from being ordered). Specifi cally, the manager should have knowledge of the department’s needs and should be able to determine whether the quantity ordered is appropriate.

Answer b is incorrect because this procedure could lead to purchases of excess material because it does not consider future plans. This

46

answer allows for minimum reorder levels, but does not compensate for potential increased production that might happen in the future. Answer “a” allows for the manager to anticipate future needs, but a minimum reorder point does not.

Answer c is incorrect because this is a control for the risk of accepting unordered goods. This control would not help in reducing the risk of ordering too much inventory.

Answer d is incorrect because this is a control for the risk of receiving an amount other than that ordered. This control would not help reduce the risk of ordering too much inventory.

Management that focuses heavily on hitting earnings benchmarks 3. at any cost most likely negatively impacts which of the following COSO framework components?

Control environment. a. Risk assessment.b. Pressure.c. Control activities.d.

Answer a is correct because the control environment includes the attitude that management displays toward internal controls. Management that fosters an environment focused heavily on earnings benchmarks likely negatively infl uences employees’ perceptions of the importance of controls.

Answer b is incorrect because the company’s assessment of risk is a process through which risks are identifi ed and studied so that the organization can manage risks and achieve its objectives. It is not determined by whether the company management focuses on hitting earnings benchmarks; it is a tool used to identify factors that would get in the way of reaching that benchmark.

Answer c is incorrect because pressure is not a component of the COSO framework. Pressure is a component of the fraud triangle.

Answer d is incorrect because control activity effectiveness and design should not to be affected by management’s tone at the top. Control activities are the policies and procedures that provide assurance that the organizational objectives are achieved when they are executed by employees, managers and executives.

Which of the following would most likely contribute to promoting 4. an effective control environment?

Confi rming accounts receivables balances with high-balance a. customers.Assigning upper-level managers to perform risk assessments of b. their respective departments.Establishing a review schedule to test the operating effectiveness c. of controls.Instructing an accounts payable clerk concerning her d. responsibilities to detect fi ctitious invoices.

Answer a is incorrect because confi rming accounts receivables balances will ensure the existence of the assets, but will not promote an effective control environment. Organization plays a role in the control environment largely through its infl uence on daily activities and infl uence.

Answer b is incorrect because assigning upper-level managers to perform risk assessments will increase the effectiveness of the risk assessment process, but will not affect the control environment.

Answer c is incorrect because establishing a review schedule will help the monitoring process, but not affect the control environment.

Answer d is correct because an important component of the control environment is ensuring that employees are aware of their responsibilities and authority concerning fraud detection and prevention. The design of internal controls should include identifi cation of the employee(s) responsible for executing the control or “prescribed responsibilities.”

Providing objective means of how employees will be evaluated 5. facilitates an effective control environment.

Truea. Falseb.

Answer a is correct because employee morale can be sustained by providing objective means for performance evaluations and promotions. High employee morale contributes to an effective control environment by reducing the likelihood of fraud in an organization.

Answer b is incorrect because objective means of evaluation actually provides employees with a way to reach their goals, and raises morale.

Answer Key Practice Test, Section Four

Tango Sierra Corp., a publicly traded company, has the following key employees:

Employee Name Title

Todd Martin Chairman of the board

Alexander Cowen Chief executive offi cer

Keitha Kay Chief operating offi cer

Andrea Leroux Chief fi nancial offi cer

Joseph Bowen Chief audit executive

William Harper Controller

Under SOX, which employees must certify the fairness of a 1. company’s fi nancial statements by signing their names?

Todd Martin and Alexander Cowen.a. Alexander Cowen and Joseph Bowen.b. Alexander Cowen and Andrea Leroux. c. Andrea Leroux and William Harper.d.

Answer a is incorrect because while Todd Martin’s position (chairman of the board) is critical in the corporate governance process, he is not required by Sarbanes-Oxley to take personal responsibility for the fi nancial statements.

Answer b is incorrect because as Chief Audit Executive, Joseph Bowen is most likely charged with overseeing the internal audit function. To that end, Joseph Bowen cannot take responsibility for the fi nancial statements without violating the Institute of Internal Auditors’ Code of Ethics on independence and objectivity.

Answer c is correct because Sarbanes-Oxley only requires the CEO and CFO to personally certify the fairness of the company’s fi nancial statements.

Answer d is incorrect because while William Harper’s role is most likely critical in the preparation of Tango Sierra’s fi nancial statements, he is not required by Sarbanes-Oxley to personally certify the fairness of the fi nancial statements.

To understand the organization’s business model, the internal auditor 2. for a pharmaceutical company started by examining recent changes in FDA regulations that might substantially affect the organization’s sales. The internal auditor is in the beginning stages of a top-down risk management approach.

Truea. Falseb.

Answer a is correct because a top-down approach starts at the top of an organization (entity level) and works its way down through the organization to determine risks. Examining changes to FDA regulations is an example of an organizational-level risk that is pervasive to most operations and could threaten the viability of the organization.

Answer b is incorrect because answer a is a top-down risk management approach to auditing or review.

47

In assessing risks under the COSO ERM framework, the internal 3. auditor should consider both the

potential lost revenue and increased cost of the adverse event.a. probability of the event occurring and economic impact of b. the adverse event. magnitude of the economic impact and potential cause of the c. adverse event.likelihood that the event has occurred before and probability of d. the adverse event occurring again.

Answer a is incorrect because lost revenue and increased expenses are both components of the potential impact of a risk, but this answer does not account for the likelihood of an adverse event occurring. These two would both fall under the economic impact of the adverse event.

Answer b is correct because COSO suggests that companies evaluate both the likelihood of an adverse outcome and the potential impact to the organization if that risk occurs. The probability of an event occurring allows an auditor to estimate the likelihood of an adverse outcome, while the economic impact quantifi es the potential impact to the organization.

Answer c is incorrect because while it identifi es the potential impact to the organization, it does not mention the likelihood of an event occurring. Rather, the answer makes mention of the cause of the adverse event. While this information will be important during the remediation process, it is not required by the COSO risk management framework.

Answer d is incorrect because COSO makes no mention of having to evaluate the likelihood that an event has occurred in the past. Rather, during the risk assessment process, auditors ought to evaluate the current environment for risks and evaluate the likelihood of an adverse event occurring in the future. Additionally, this answer did not make any mention of evaluating the event’s impact on the organization.

The COSO Framework explains that objectives must be set before 4. risks can be assessed. There are three types of objectives, which should be attainable and challenging. The three types of objectives are

operational, fi nancial, and compliance objectives. a. ethical, functional and inventory objectives.b. technical, fi nancial and compliance objectives.c. management, communication and fi nancial objectives.d.

Answer a is correct because the COSO Framework objectives are operation, fi nancial, and compliance objectives. COSO explains that the nature of these objectives will vary depending on the type of organization and the industry in which it operates, but they should be present in some form. Operational objectives refer to the effi ciency and effectiveness of operations, including attaining profi ts, equaling or exceeding EPS forecasts, safety goals and protection of assets. Financial reporting objectives refer to the reliability of the fi nancial reporting, accuracy, bias and whether it is informative. Compliance objectives refer to activities that are undertaken to ensure that the organization acts in conformity with all relevant laws and regulations.

Answer b is incorrect because these are not the three types of objectives referred to in the COSO Framework – although being ethical is an important value to have when linking all of the elements of internal control.

Answer c is incorrect because technical objectives are not part of the COSO Framework.

Answer d is incorrect because management and communication objectives are not part of the COSO Framework; communication is one of the fi ve elements of internal control, and fi nancial reporting is an objective. Management is one of the main links between these two, but it is not an objective.

Which of the following is a characteristic of an improperly designed 5. monitoring activity?

Reviews of controls are conducted at random intervals a. throughout the year.

The reviewer must use objective means for evaluating controls b. defi ciencies.If an employee fi nds a defi ciency, he should report it to the c. board of directors. The reviewer must have an understanding of the organization’s d. activities before reviewing any controls.

Answer a is incorrect because random intervals provide a better control over the monitoring process by not allowing individuals to change their behavior before a review occurs.

Answer b is incorrect because prior-established objective determinations of control defi ciencies allow the reviewers to be more effective monitors.

Answer c is correct because normally a defi ciency should be communicated to the manager of the business process in which the defi ciency occurred. The requirements for the audit committee improve the independence of both the audit committee and the external auditor from the organization’s management. Communication is more effective because the employee reports to his manager who should report to the audit committee. This will convey through their actions that the organization is committed to improving internal controls.

Answer d is incorrect because reviewers evaluating internal controls must understand the manner in which both the organization operates and internal controls are executed.

48

FRAUD PREVENTION AND DETECTIONFINAL EXAMINATION QUESTIONS

Choose the correct answer for questions 1 through 20 and then proceed to www.elitecme.com to complete your fi nal examination.

Course expiration date: May 1, 2012

Special purpose entities are useful to fraudsters because special 1. purpose entities

facilitate manipulation of subjective account balances.a. require manual accounting systems.b. facilitate a big bathc. expense.can be used to conceal liabilities and expenses. d.

Fraudsters can abuse materiality2. thresholds to falsify accounting disclosures because

forecast analysts are unable to detect the impact of immaterial a. fraud.external auditors place signifi cant emphasis on material amounts.b. Computer-assisted audit techniques do not typically analyze c. immaterial transactions.internal audits’ materialityd. thresholds changes from year to year.

Which of the following creates incentive to commit fraud?3. A large competitor recently decided to fi le for bankruptcy.a. Market demand exceeds production capabilities.b. Liquidity minimums with outside creditors.c. Customer expansion into new regions and countries.d.

A client’s CFO and the external auditor disagree on an accounting issue; 4. however, both the CFO’s and the auditor’s treatment of the accounting issue are within generally accepted accounting principles. The auditor escalates the issue to the CEO. The CEO will have fi nal say on whether to record the transaction per the auditor’s recommendation.

Truea. Falseb.

Recently, Tango Sierra was featured on a television show that profi les 5. fast-rising companies whose stock investors should follow. Being featured on the television show increases the potential for fraud because

Tango Sierra is now known by a wider audience.a. The television show essentially endorsed Tango Sierra as a b. “buy” stock.The chances that outside investors will attempt a majority buyout c. has increased.The appearances establishes higher expectations for d. management.

An organization’s employees have recently learned that management 6. plans to lay off many employees. The employees are most likely to perpetrate which type of fraud?

Manipulating allowance accounts.a. Concealing expenses through special purpose entities.b. Capitalizing costs that should be expensed.c. Misappropriation of assets.d.

Fraud is most likely to occur in an organization in which 7. the CEO asserts signifi cant control over management and the a. board of directors. board members have no affi liation with the company except their b. responsibilities on the board. the CEO has the ability to override internal controls. c. accounting staff have an average tenure of 17 yearsd.

Which of the following represents the best key element of risk 8. assessment?

Assessment of the risk levels for future events based on the a. extent of uncertainty of those events and their impact on achieving long-term organizational goals.Assessment of inherent and control risks and their impact on the b. extent of fi nancial misstatements.Assessment of the risk levels of current and future events, c. their impact on the organization’s vision, and the potential for eliminating existing or potential risk factors.Assessment of the risk levels of current and future events, their d. effect on achievement of the organization’s objectives, and their underlying causes.

Which of the following is most likely to be considered an indicator 9. of possible fraud?

The replacement of the management team after a hostile takeover.a. In the last three years, two CFOs have accepted offers from b. other organizations.Rapid expansion into new markets.c. A government audit of the organization’s tax returns.d.

Assuming proper controls, a fraud involving several low-level 10. employees would typically be easier to detect than a fraud involving a single low-level employee.

Truea. Falseb.

Requiring accounting personnel to rotate positions (i.e., job functions 11. and responsibilities) is a preventive control.

Truea. Falseb.

A known and posted company policy that states that all high-dollar 12. inventory items will be counted and compared to the inventory accounting record on a daily basis is a

detective control.a. preventive control.b. discovery control.c. reactive control.d.

In a well-developed internal control environment, the internal audit 13. department would

report the results of an audit engagement to a line manager a. where a defi ciency is found as well as to senior management.conduct initial audits of new computer systems after they have b. begun operating.communicate mainly with senior management, minimizing c. interactions with line managers who are being audited.focus mainly on asset misappropriation and report results to the d. audit committee.

During a review of contracts, an internal auditor suspects that a 14. specifi c contractor was given an unfair advantage during the bidding process for a new building. The auditor learned that the CEO of the company is a member of the contractor’s board of directors. How should the auditor proceed?

Submit a report of fi ndings to senior management, excluding the a. CEO.Contact the organization’s external auditors and make them b. aware of the situation.Present the fi nding to the chief audit executive and then to the c. audit committee.Immediately notify the audit committee. d.

49

Because of the risk of material misstatement due to fraud, an audit of 15. fi nancial statements in accordance with standards should be planned and performed with an attitude of

objective judgment.a. independent integrity.b. professional skepticism.c. impartial conservatism.d.

The COSO Framework for internal controls consists of fi ve 16. elements. Which of the following COSO elements is not matched up to the correct component from that element in which it should be carried out?

Control environment – integrity and ethical values.a. Risk assessment procedures – identifying factors, cost, b. estimates.Information system/communications – data, including hourly c. rate of employees. Control activities – verifi cation through physical counts.d.

Which of the following statements is correct regarding the Sarbanes- 17. Oxley provisions involving the audit committee?

The audit committee must have the authority to engage separate a. legal counsel.The chief executive offi cer must serve on the audit committee.b. The chief fi nancial offi cer must serve on the audit committee.c. The board of directors must serve on the audit committee.d.

Which of the following would 18. NOT impair an audit committee member’s independence?

The member owns stock in the company.a. The member is also the CEO of the company.b. The member has been on the board for 20 years.c. A primary customer of the company is owned by the member.d.

Some companies use electronic fund transfers to pay suppliers 19. instead of issuing physical checks. With regards to the risks associated with issuing checks, which of the following risk management techniques does this represent?

Controlling risk.a. Accepting risk.b. Transferring risk.c. Avoiding risk.d.

A internal auditor is making a list of operational objectives; which 20. one of the following should NOT be on this list?

Attaining profi ts.a. Exceeding earnings per share forecasts.b. Protection of assets.c. Employee safety regulations.d.

Notes

50

IndexAAdelphia 19, 27, 30, 49Bbig bath 21, 22, 48Big bath 21CCapability 20, 33, 45Cohen Commission 34, 41Committee of Sponsoring Organizations (COSO) 19, 33Compliance objectives 37Computer fraud schemes 23Continuous monitoring 40Cookie jar reserves 22COSO 34, 35, 37COSO Framework

Monitoring of Internal Controls 40Crazy Eddie 31DDetective controls 34Detective Controls 40Documentation 41EEnron 19, 20, 22, 25, 27, 28, 29, 30, 32, 35, 41, 49FFinancial reporting objectives 37Fraud

Consequences 27Defi ned 19Red Flags 23

Fraudulent acquisitions 22fraudulent fi nancial reporting 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 38,

43, 44Fraudulent fi nancial reporting 22, 24, 27, 28, 29, 30, 31, 34, 38Iincentive 20, 22, 23, 24Information Usefulness 39Internal Controls Defi ned 33KKiting 23LLapping 23MManagement philosophy (Tone) 36materiality 22, 25, 26, 48Materiality 22Misappropriation of assets 21, 23, 26, 27, 28NNon-routine evaluations 41OOperational objectives 37Opportunity 20Organizational structure 36PPreventive controls 34, 40preventive internal controls 34Rrationalization 24, 26Red fl ags 23Reliability 37Revenue recognition 22Risk analysis 38SSAS 99 24, 25, 26, 44Special purpose entities 22TThe Sarbanes-Oxley Act 33, 41Top-down approach 37, 38WWorldCom 19, 27, 29, 30, 41, 49ZZZZZ Best 32, 49

Bibliography

American Electronics Association (AEA). 2005. Sarbanes-Oxley Section 404: The Section of Unintended Consequences and its Impact on Small Business. http://www.aeanet.org/governmentaffairs/AeASOXPaperFinal021005.asp. Retrieved 03/04/08.

American Institute of Certifi ed Public Accountants (AICPA). 1995. The private securities litigation reform act of 1995. Practice Alert No. 96-1. http://ftp.aicpa.org/public/download/members/div/secps/pracaler.pdf. Retrieved 03/11/08.

AICPA. 2002. Statement on Auditing Standards (SAS) No. 99: Consideration of Fraud in a Financial Statement Audit.

Antar, S. 2008. Crazy Eddie Fraud Summary. http://whitecollarfraud.com/947660.html. Retrieved 02/28/08.

Bagranoff, N., M. Simkin, and C. Norman. Core Concepts of Accounting Information Systems. 10th ed. New York: John Wiley & Sons.

Brennan, N., and J. Kelly. 2007. A study of whistle-blowing among trainee auditors. The British Accounting Review. 39(1): 61-87.

Cameron, L. 2008. To catch a thief: the habits of highly effective rogues. CFO Europe Magazine. March 3. http://www.cfo.com/article.cfm/10767930?f=search. Retrieved 03/11/08.

Castellano, J., and S. Lightle. 2005. Using cultural audits to assess tone at the top. The CPA Journal. 75(2): 6-11.

Coram, P., C. Ferguson, and R. Moroney. 2007. The importance of internal audit function in fraud detection. Working paper, University of Melbourne.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1994. Internal Control – An Integrated Framework. Jersey City, NJ: AICPA.

COSO. 2005. Key Concepts. http://www.coso.org/key.htm. Retrieved 02/29/08.

Curtis, M.B. 2006. Are audit-related ethical decisions dependent upon mood? Journal of Business Ethics. 68(2): 191–209.

Davis, H. and R. Braun. 2004. Computer fraud: Analyzing perpetrators and methods. The CPA Journal. 74(7): 56-59.

Financial Accounting Standards Board (FASB). 1996. Accounting for transfers and servicing of fi nancial assets and extinguishments of liabilities. SFAS 125. June.

Gerkes, J., W. Van Der Werf, and H. Van Der Wijk. 2007. Entity-level controls. The Internal Auditor. 64 (5): 50-54.

Hooks, K.L., S.E. Kaplan, and J.J. Schultz. 1994. Enhancing communication to assist in fraud prevention and detection. Auditing: A Journal of Practice and Theory. 13(2): 86-117.

Institute of Internal Auditors (IIA). 2004. What is Internal Auditing? http://www.theiia.org/theiia/about-the-profession/internal-audit-faqs/?i=1077. Retrieved 03/11/08.

IIA. 2007. Managing the business risk of fraud: A practical guide. Exposure draft. http://antifraud.aicpa.org/NR/rdonlyres/297782F5-C6D3-4508-9EDC-608B9D690EDE/0/Managing_Business__Risk_Fraud_Exposure_Draft111307.pdf Retrieved 03/11/08.

Kaplan, S.E., and Whitecotton, S.M. 2001. An examination of auditors’ reporting intentions when another auditor is offered client employment. Auditing: A Journal of Practice and Theory. 20(1): 45-63.

Levitt, A. 1998. The “Numbers Game.” September. http://www.sec.gov/news/speech/speecharchive/1998/spch220.txt. Retrieved: 02/26/08.

Messier, W., S. Glover, and D. Prawitt. 2008. Auditing and Assurance Services: A Systematic Approach. 5th edition. New York: McGraw-Hill/Irwin.

McLean, B. and P. Elkind 2003. Enron : The Smartest Guys in the Room. New York: Penguin.

Naff, K. Z scam of Z century: An interview with ZZZZ Best ‘s Mark Morze. Business Credit. 96 (9): 33-35.

Public Company Accounting Oversight Board (PCAOB). 2007. Auditing Standard (AS) No. 5: An Audit of Internal Control of Financial Reporting that is Integrated with an Audit of Financial Statements.

Romney, M. 1995. Computer fraud – what can be done about it? The CPA Journal. 65(5): 30-33.

Sarbanes, P., and M. Oxley. 2002. Sarbanes-Oxley Act of 2002. Washington, D.C.: U.S.

Congress.SEC v. Myers 2002. United States Securities and Exchange Commission v. David Myers. United States District Court. Southern District of New York. http://www.sec.gov/litigation/complaints/comp17753.htm. Retrieved 02/27/08.

SEC v. WorldCom . 2003. United States Securities and Exchange Commission v. WorldCom, Inc. United States District Court. Southern District of New York. http://sec.gov/spotlight/worldcom/wcombrief060603.pdf. Retrieved 02/26/08.

SEC v. Lay et al. 2004. United States Securities and Exchange Commission v. Lay, Skilling, and Causey. United States District Court. Southern District of Texas, Houston Division. http://www.sec.gov/litigation/complaints/comp18776.pdf. Retrieved 02/26/08.

Shutiak, J. 2002. cooking the books. http.//www.eca.ca/articles/june_newsletter.htm.Retrieved 02/28/08.

Wolfe, D. and D. Hermanson. 2004. The fraud diamond: Considering the four elements of fraud. The CPA Journal. 74(12):38-42.