ACCOUNTING INFORMATION SYSTEMS: CONTROLS AND PROCESSES
TURNER / WEICKGENANNT
CHAPTER 3: Fraud, Ethics, and Internal Control

TEST BANK – CHAPTER 3 – TRUE / FALSE

1. When management does not act ethically, fraud is more likely to occur.
2. In the Phar-Mor fraud case, management did not write or adopt a code of ethics.
3. Maintaining high ethics can help prevent fraud but will not help to detect fraud.
4. Due to management’s responsibility to monitor operations by examining reports that summarize the results of operations, it is necessary that the system provide timely and accurate information.
5. In order to fulfill the obligations of stewardship and reporting, management has to create a code of ethics.
6. In most cases, a fraud will include altering accounting records to conceal the fact that a theft has occurred.
7. According to the 2004 Report to the Nation by the Association of Certified Fraud Examiners, the estimate of losses due to fraud would total approximately $2,800 per employee.
8. The most common method for detecting occupational fraud is a tip – from an employee, a customer, vendor, or anonymous source.
9. Defalcation and internal theft are names that refer to the misstatement of financial records.
10. The three conditions that make up the fraud triangle are theft, concealment, and conversion.
11. A good set of internal controls may not be as effective in reducing the chance of management fraud as it would be in reducing the chance of fraud committed by an employee.
12. The most effective measure to prevent management fraud is to establish a professional internal audit staff that periodically checks up on management and reports directly to the audit committee of the board of directors.
13. Collusion between employees is one of the easiest frauds to detect and prevent.
14. Collusion can make it much easier to commit and conceal a fraud or theft, even when proper internal controls are in place.
15. Customer fraud is a common problem for companies that sell merchandise online.
16. Collusion can occur only when two employees who work for the same firm conspire to circumvent the internal controls to commit fraud or theft.
17. A vendor audit occurs when a vendor examines the books and records of a customer.
18. Industrial espionage can occur with or without the use of a computer.
19. It is necessary to use a computer to accomplish software piracy.
20. A hacker is someone who has gained unauthorized access to the computer and must be someone outside the organization.
21. If an organization has the policy of allowing employees to work from home via telecommunications, they could be opening themselves up to an opportunity for a hacker to break in to their network.
22. E-mail spoofing is more of an irritation to an organization than a fraud threat.
23. In order for a code of ethics to reduce opportunities for managers and employees to commit fraud, it is necessary that management emphasizes this code. Punishment related to violations of the code is not necessary.
24. It is not always possible to avoid all mistakes and frauds because there will always be human error, human nature, and it is not always cost-effective to close all the holes.
25. The risk assessment is the foundation for all other components of internal control and provides the discipline and structure of all other components.
26. Companies that reward management with incentives to achieve a growth in earnings are running the risk that management will also have more motivation and pressure to falsify the financial statements to show the higher amounts.
27. The tone at the top of the organization tends to flow through the entire organization and affects behavior at all levels.
28. A poor control environment can be overcome if the remaining components of internal control are strong.
29. The difference between a general authorization and a specific authorization is that with a general authorization, a transaction is allowed if it falls within specified parameters, whereas with a specific authorization, explicit authorization is needed for that single transaction to be completed.
30. When safeguarding assets, there is no trade-off between access and efficiency.
31. Independent checks can serve as a preventive control in that they uncover problems in the data or the processing.
32. Feedback needed by management to assess, manage, and control the efficiency and effectiveness of the operations of an organization relates to both financial and operational information.
33. A sophisticated accounting system will provide the necessary accurate and effective feedback needed by management to assess, manage and control the operations of an organization.
34. Auditing, a monitoring activity, takes place only on a periodic basis.
35. It is not possible to have an internal control system that will provide absolute assurance.
36. Computer systems increase the efficiency and effectiveness of an organization but also increase its vulnerability.
37. The risks related to computerized systems are adequately covered by the COSO internal control report.
38. The acronym COBIT stands for Control Objectives for Information Technology, an extensive framework of information technology controls developed by the Information Systems Audit and Control Association.
39. The AICPA and the Canadian Institute of Chartered Accountants worked together to develop IT guidelines, commonly referred to as COBIT.
40. The risk related to the confidentiality category of Trust Principles is that confidential information about the company or its business partners may be subject to unauthorized access during its transmission or storage in the IT system.

ANSWERS TO TEST BANK - CHAPTER 3 – TRUE / FALSE:

1. T   2. F   3. F   4. T   5. F   6. T   7. F   8. T
9. F   10. F   11. T   12. T   13. F   14. T   15. T   16. F
17. F   18. T   19. T   20. F   21. T   22. T   23. F   24. T
25. F   26. T   27. T   28. F   29. T   30. F   31. F   32. T
33. F   34. F   35. T   36. T   37. F   38. T   39. F   40. T

TEST BANK – CHAPTER 3 – MULTIPLE CHOICE

41. The chance for fraud or ethical lapses will not be reduced if management:
A. Emphasizes ethical behavior.
B. Models ethical behavior.
C. Hires ethical employees.
D. Is unethical.

42. The Phar-Mor fraud began when management:
A. Forgot to change the budgeted figures that had been incorrectly computed.
B. Attempted to make the actual net income match the budgeted amounts.
C. Overstated their expenses to cover amounts embezzled from the company.
D. Understated the revenue in order to reduce the tax payable to the IRS.

43. Each of the following companies was involved in fraudulent financial reporting during 2001 and 2002, except:
A. Adelphia Communications Corporation.
B. Microsoft Corporation.
C. Enron Corporation.
D. Xerox Corporation.

44. In addition to ethical practices, management has an obligation to maintain a set of processes and procedures to assure accurate financial reporting and protection of company assets. This obligation arises because:
A. Many groups have expectations of management.
B. Management has a stewardship obligation to investors.
C. Management has an obligation to provide accurate reports to non-investors.
D. All of the above are reasons for the obligation.

45. The careful and responsible oversight and use of the assets entrusted to management is referred to as:
A. Ethics.
B. Internal Control.
C. Stewardship.
D. Confidentiality.

46. A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives related to the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations is:
A. COSO’s definition of internal control.
B. AICPA’s definition of stewardship.
C. ACFE’s definition of confidentiality.
D. IMA’s definition of competency.

47. If an organization’s IT systems are not properly controlled, they may become exposed to the risks of:
A. Unauthorized access.
B. Erroneous processing.
C. Service interruption.
D. All of the above.

48. A set of documented guidelines for moral and ethical behavior within an organization is termed a(n):
A. Accounting Information System.
B. Code of Ethics.
C. Internal Control.
D. Sarbanes-Oxley.

49. Which individual or group has the responsibility to establish, enforce, and exemplify the principles of ethical conduct within an organization?
A. Board of Directors
B. Securities and Exchange Commission
C. Management
D. Audit Committee

50. The theft, concealment, and conversion to personal gain of another’s money, physical assets, or information is termed:
A. Defalcation.
B. Skimming.
C. Larceny.
D. Fraud.

51. An example of concealment would include:
A. Changing the payee on a check improperly paid by the organization.
B. Selling a piece of inventory that has been stolen.
C. Stealing money from an organization before the related sale and cash receipt has been recorded.
D. All of the above are examples of concealment.

52. Changing the accounting records to hide the existence of a fraud is termed:
A. Theft.
B. Conversion.
C. Collusion.
D. Concealment.

53. The definition of fraud includes the theft of:
A. Assets.
B. Money.
C. Information.
D. All of the above.

54. The theft of any item of value is referred to as:
A. Fraudulent financial reporting.
B. Misappropriation of assets.
C. Misstatement of financial records.
D. Earnings management.

55. Financial pressures, market pressures, job-related failures, and addictive behaviors are all examples of which condition of the Fraud Triangle?
A. Opportunity
B. Conversion
C. Incentive
D. Rationalization

56. Circumstances that provide access to the assets or records that are the objects of the fraudulent activity describes which condition of the Fraud Triangle?
A. Rationalization
B. Incentive
C. Concealment
D. Opportunity

57. Fraudsters typically try to justify their behavior by telling themselves that they intend to repay the amount stolen or that they believe the organization owes them the amount stolen. This justification is referred to as:
A. Opportunity.
B. Rationalization.
C. Incentive.
D. Concealment.

58. According to the authors of this textbook, which of the following is not one of the general categories of people who commit fraud?
A. Employees
B. Government Agencies
C. Customers
D. Management

59. The falsification of accounting reports is referred to as:
A. Defalcation.
B. Internal Theft.
C. Misappropriation of Assets.
D. Earnings Management.

60. Management fraud may involve:
A. Overstating expenses.
B. Understating assets.
C. Overstating revenues.
D. Overstating liabilities.

61. Management misstatement of financial statements often occurs in order to receive indirect benefits such as:
A. Decreased income taxes.
B. Delayed cash flows.
C. Increased stock prices.
D. Increased dividends.

62. Management circumvention of systems or internal controls that are in place is termed:
A. Management override.
B. Management collusion.
C. Management stewardship.
D. Management manipulations.

63. The theft of assets by a non-management employee is termed:
A. Inventory theft.
B. Employee fraud.
C. Expense account fraud.
D. Skimming.

64. A situation where the organization’s cash is stolen before it is entered in the accounting records is termed:
A. Kickback.
B. Larceny.
C. Collusion.
D. Skimming.

65. A situation where the organization’s cash is stolen after it is entered in the accounting records is termed:
A. Kickback.
B. Larceny.
C. Collusion.
D. Skimming.

66. A cash payment made by a vendor to an organization’s employee in exchange for a sale to the organization by the vendor is termed:
A. Bribery.
B. Collusion.
C. Kickback.
D. Payment Fraud.

67. When two or more people work together to commit a fraud, it is called:
A. Collusion.
B. Larceny.
C. Skimming.
D. Override.

68. Jamie Stark, a sales employee, stole merchandise from her employer and Frank Adams, the accounting clerk, covered it up by altering the inventory records. This is an example of:
A. Inventory theft.
B. Financial journal fraud.
C. Skimming.
D. Collusion.

69. When a customer improperly obtains cash or property from a company, or avoids liability through deception, it is termed:
A. Check fraud.
B. Customer fraud.
C. Credit card fraud.
D. Refund fraud.

70. Which of the following would be considered a vendor fraud?
A. The submission of duplicate or incorrect invoices.
B. A customer tries to return stolen goods to collect a cash refund.
C. The use of stolen or fraudulent credit cards.
D. Inflating hours worked.

71. The theft of proprietary company information is called:
A. Vendor fraud.
B. Customer fraud.
C. Espionage.
D. Management fraud.

72. Which of the following is a characteristic of computer fraud?
A. A computer is used in some cases to conduct a fraud more quickly and efficiently.
B. Computer fraud can be conducted by employees within the organization.
C. Computer fraud can be conducted by users outside an organization.
D. All of the above are characteristics.

73. A fraudster uses this to alter a program to slice a small amount from several accounts, crediting those small amounts to the perpetrator’s benefit.
A. Trap door alteration
B. Salami technique
C. Trojan horse program
D. Input manipulation

74. A small, unauthorized program within a larger legitimate program, used to manipulate the computer system to conduct a fraud is referred to as a(n):
A. Trap door alteration.
B. Salami technique.
C. Trojan horse program.
D. Input manipulation.

75. When a person alters a system’s checks or reports to commit fraud it is referred to as:
A. Input manipulation.
B. Output manipulation.
C. Program manipulation.
D. Collusion.

76. This type of external computer fraud is intended to overwhelm an intended target computer system with so much bogus network traffic that the system is unable to respond to valid traffic.
A. DoS Attack
B. Hacking
C. Spoofing
D. Phishing

77. When a person, using a computer system, pretends to be someone else, it is termed:
A. DoS Attack.
B. Hacking.
C. Spoofing.
D. Phishing.

78. Which of the following is not one of the three critical actions that a company can undertake to assist with fraud prevention and fraud detection?
A. Maintain and enforce a code of ethics.
B. Maintain an accounting information system.
C. Maintain a system of accounting internal controls.
D. Maintain a system of information technology controls.

79. The Sarbanes-Oxley Act was passed in 2002 as Congress’s response to the many situations of fraudulent financial reporting discovered during 2001. The intention of the Act was to:
A. Police the accounting firms responsible for auditing the corporations.
B. Punish the companies that had been involved in the cases of fraudulent financial reporting.
C. Establish accounting standards that all companies are to follow.
D. Reform accounting, financial reporting, and auditing functions of companies that are publicly traded.

80. The types of concepts commonly found in a code of ethics would not include:
A. Obeying applicable laws and regulations that govern business.
B. Avoiding all conflicts of interest.
C. Operating at a profit in all reporting periods.
D. Creating and maintaining a safe work environment.

81. The objectives of an internal control system include all of the following except:
A. Maintain ongoing education.
B. Safeguard assets.
C. Maintain accuracy and integrity of accounting data.
D. Ensure compliance with management directives.

82. The authors presented their “picture” of internal control as a series of umbrellas which represent different types of controls. Which of the following is not one of those types of controls?
A. Prevention
B. Investigation
C. Detection
D. Correction

83. This type of control is designed to avoid errors, fraud, or events not authorized by management.
A. Prevention
B. Judicial
C. Detection
D. Correction

84. This type of control is included in the internal control system because it is not always possible to prevent all frauds. They help employees to discover or uncover errors, fraud, or unauthorized events.
A. Investigation
B. Judicial
C. Detection
D. Correction

85. The accounting profession has accepted this report as the standard definition and description of internal control.
A. Sarbanes-Oxley Report
B. FCPA Report
C. ERI Report
D. COSO Report

86. According to the COSO report, there are five different interrelated components of internal control. Which of the following is not one of those five components?
A. Code of Ethics
B. Control Environment
C. Information and Communication
D. Monitoring

87. The component of internal control, identified in the COSO report, that sets the tone of an organization and includes the consciousness of its employees is:
A. Risk Assessment.
B. Control Activities.
C. Control Environment.
D. Information and Communication.

88. The control environment component of internal control was identified to have a number of different factors. Which of the following is not one of those factors?
A. Management’s philosophy and operating style
B. The identification of sources of risk
C. The integrity, ethical values, and competence of the entity’s people
D. The attention and direction provided by the board of directors

89. One of the components of internal control identified by COSO required that management must be considering threats and the potential for risks, and stand ready to respond should these events occur. This component is referred to as:
A. Control Environment.
B. Control Activities.
C. Risk Assessment.
D. Communication.

90. The process of risk assessment would include all of the following actions, except:
A. Identify sources of risk.
B. Determine the impacts of identified risks.
C. Estimate the chance of such risks occurring.
D. Report the risks to the audit committee.

91. The COSO report identified a component of internal control as the policies and procedures that help ensure that management directives are carried out and that management directives are achieved. The component is:
A. Control activities.
B. Risk assessment.
C. Monitoring.
D. Information and communication.

92. The range of activities that make up the component of internal control referred to as control activities includes each of the following, except:
A. Segregation of duties.
B. Risk assessment.
C. Independent checks and reconciliations.
D. Authorization of transactions.

93. The approval or endorsement from a responsible person or department of an organization that has been sanctioned by top management is the process of:
A. Securing assets.
B. Segregating duties.
C. Authorizing transactions.
D. Adequate recording.

94. The category of control activities referred to as segregation of duties requires that certain activities should be the responsibility of different persons or departments. The three duties that are to be separated are:
A. Authorizing, recording, and paying.
B. Recording, custody, and disposition.
C. Authorizing, paying, and custody.
D. Authorizing, recording, and custody.

95. If an accounting supervisor were allowed to hire employees, approve the hours worked, prepare the paychecks, and deliver the paychecks, which of the categories of control activities would be violated?
A. Adequate records
B. Segregation of duties
C. Authorization of transactions
D. Independent checks

96. A good system of internal control includes many types of documentation. Which of the following types of documentation is not part of the adequate records and documents category of internal control?
A. Schedules and analyses of financial information
B. Supporting documents for all significant transactions
C. Accounting cycle reports
D. All of the following are types of documentation

97. The existence of verifiable information about the accuracy of accounting records is called a(n):
A. Audit trail.
B. Internal control.
C. Risk assessment.
D. Supporting documentation.

98. When discussing the security of assets and documents, there are many actions that can be taken. Which of the following would not be related to this category of internal control?
A. Securing the assets and records so that they are not misused or stolen.
B. Limiting access to certain assets to the extent that is practical.
C. Identifying sources of risk and estimating the possibility of that risk.
D. Enacting physical safeguards, such as security cameras, to protect some assets.

99. Independent checks on the performance of others is one of the categories of internal control. These independent checks would include all of the following, except:
A. Reviewing batch totals.
B. Reconciliation.
C. Comparison of physical assets with records.
D. Use of appropriate ID to enter restricted areas.

100. Which of the following objectives were not identified as necessary to be provided by an effective accounting system?
A. Prepare the appropriate documents
B. Identify all relevant financial events
C. Capture the important data
D. Proper recording and processing of the data

101. The ongoing review and evaluation of a system of internal control is referred to as:
A. Risk assessment.
B. Monitoring.
C. Segregating.
D. Communication.

102. This level of assurance means that controls achieve a sensible balance of reducing risk when compared with the cost of the control.
A. Absolute assurance
B. Probable assurance
C. Reasonable assurance
D. Convincing assurance

103. Factors that limit the effectiveness of internal controls include all of the following except:
A. Flawed judgment applied in decision making.
B. Human error.
C. Controls can be circumvented or ignored.
D. All of the above are factors that limit the effectiveness of internal controls.

104. In order to have the segregation of duties recommended by COSO, it would be necessary for a small organization to hire two additional individuals. At this time, there is not enough work for the one office employee to stay busy. The reason for not hiring the additional people would have to do with:
A. Human error.
B. Cost versus benefit.
C. Collusion.
D. Authorization.

105. In response to the need for internal controls above and beyond what was described by COSO, the Information Systems Audit and Control Association developed an extensive framework of IT controls entitled:
A. Trust Principles.
B. Control Objectives for Information Technology (COBIT).
C. Control Instrument for Certified Accountants (CICA).
D. American Internal Control Practice Association (AICPA).

106. The Trust Principles document divided the risks and controls in IT into five categories. Which of the following is not one of those categories?
A. Certification
B. Security
C. Processing Integrity
D. Confidentiality

107. The main risk related to this category of Trust Principles is unauthorized access.
A. Online privacy
B. Confidentiality
C. Processing integrity
D. Security

108. The risk related to this category of Trust Principles could be inaccurate, incomplete, or improperly authorized information.
A. Online privacy
B. Confidentiality
C. Processing integrity
D. Security

109. The risk related to this category of Trust Principles is that personal information about customers may be used inappropriately or accessed by those either inside or outside the company.
A. Confidentiality
B. Online privacy
C. Security
D. Availability

110. The risk related to this category of Trust Principles is system or subsystem failure due to hardware or software problems.
A. Availability
B. Security
C. Integrity
D. Confidentiality

ANSWERS TO TEST BANK - CHAPTER 3 - MULTIPLE CHOICE:

41. D   42. B   43. B   44. D   45. C   46. A   47. D
48. B   49. C   50. D   51. A   52. D   53. D   54. B
55. C   56. D   57. B   58. B   59. D   60. C   61. C
62. A   63. B   64. D   65. B   66. C   67. A   68. D
69. B   70. A   71. C   72. D   73. B   74. C   75. B
76. A   77. C   78. B   79. D   80. C   81. A   82. B
83. A   84. C   85. D   86. A   87. C   88. B   89. C
90. D   91. A   92. B   93. C   94. D   95. B   96. D
97. A   98. C   99. D   100. A   101. B   102. C   103. D
104. B   105. B   106. A   107. D   108. C   109. B   110. A

TEXTBOOK – CHAPTER 3 – END OF CHAPTER QUESTIONS

111. The careful and responsible oversight and use of the assets entrusted to management is called:
A. Control environment.
B. Stewardship.
C. Preventive control.
D. Security.

112. Which of the following is not a condition in the fraud triangle?
A. Rationalization
B. Incentive
C. Conversion
D. Opportunity

113. There are many possible indirect benefits to management when management fraud occurs. Which of the following is not an indirect benefit of management fraud?
A. Delayed exercise of stock options.
B. Delayed cash flow problems.
C. Enhanced promotion opportunities.
D. Increased incentive-based compensation.

114. Which of the following is not an example of employee fraud?
A. Skimming
B. Larceny
C. Kickbacks
D. Earnings management

115. Which of the following is not a common form of employee fraud?
A. Inventory theft
B. Expense account fraud
C. Payroll fraud
D. Refund fraud

116. Segregation of duties is a fundamental concept in an effective system of internal controls. Nevertheless, the effectiveness of this control can be compromised through which situation?
A. A lack of employee training
B. Collusion among employees
C. Irregular employee reviews
D. The absence of an internal audit function

117. The most difficult type of misstatement to discover is fraud that is concealed by:
A. Over-recording the transactions.
B. Nonrecorded transactions.
C. Recording the transactions in subsidiary records.
D. Related parties.

118. The review of amounts charged to the company from a seller that it purchased from is called a:
A. Vendor audit.
B. Seller review.
C. Collusion.
D. Customer review.

119. Which of the following is generally an external computer fraud, rather than an internal computer fraud?
A. Spoofing
B. Input manipulation
C. Program manipulation
D. Output manipulation

120. Which control activity is intended to serve as a method to confirm the accuracy or completeness of data in the accounting system?
A. Authorization
B. Segregation of duties
C. Security of assets
D. Independent checks and reconciliations

121. COSO describes five components of internal control. Which of the following terms is best described as “policies and procedures that help ensure management directives are carried out and management objectives are achieved”?
A. Risk assessment
B. Information and communication
C. Control activities
D. Control environment

122. Proper segregation of functional responsibilities calls for separation of the functions of:
A. Authorization, execution, and payment.
B. Authorization, recording, and custody.
C. Custody, execution, and reporting.
D. Authorization, payment, and recording.

123. AICPA Trust Principles identify five categories of risks and controls. Which category is best described by the statement, “Information process could be inaccurate, incomplete, or not properly authorized”?
A. Security
B. Availability
C. Processing integrity
D. Confidentiality

124. A company’s cash custody function should be separated from the related cash recordkeeping function in order to:
A. Physically safeguard the cash.
B. Establish accountability for the cash.
C. Prevent the payment of cash disbursements from cash receipts.
D. Minimize opportunities for misappropriations of cash.

ANSWERS TO TEXTBOOK – CHAPTER 13 – END OF CHAPTER QUESTIONS

111. B   112. C   113. A   114. D   115. D   116. B   117. B
118. A   119. A   120. D   121. C   122. B   123. C   124. D

TEXTBOOK – CHAPTER 3 – SHORT ANSWER QUESTIONS

125. Management is held accountable to various parties, both internal and external to the business organization. To whom does management have a stewardship obligation and to whom does it have reporting responsibilities?
Answer: Management has a stewardship obligation to the shareholders, investors, and creditors of the company, i.e., any parties who have provided funds or invested in the company. Management has a reporting responsibility to business organizations and governmental units with whom the company interacts.

126. If an employee made a mistake that resulted in a loss of company funds and misstated financial reports, would the employee be guilty of fraud? Discuss.
Answer: No, a mistake, or unintentional error, does not constitute fraud. In this situation, there is no theft or concealment, so fraud does not exist.

127. Do you think it is possible that a business manager may perpetrate fraud and still have the company’s best interest in mind? Discuss.
Answer: Student responses may vary. Those agreeing that it is possible may refer to the fraud triangle and note that the incentive may be job-related (such as opportunities to produce enhanced financial statements, which may increase the company’s stock price, increase compensation, avoid firings, enhance promotions, and delay bankruptcy) and the rationalization may involve plans to make restitution. On the other hand, some students may reject the notion that management fraud could be in a company’s best interest, as it puts the company at great risk. When frauds are discovered, they are often devastating as a result of the financial restatements and loss of trust.

128. Distinguish between internal and external sources of computer fraud.
Answer: Employees are the source of internal computer fraud. When employees misuse the computer system to commit fraud (through manipulation of inputs, programs, or outputs), this is known as internal computer fraud. On the other hand, external sources of computer fraud are people outside the company or employees of the company who conduct computer network break-ins. When an unauthorized party gains access to the computer system to conduct hacking or spoofing, this is known as external computer fraud.

129. Identify and explain the three types of internal source computer fraud.
Answer: The three types of internal source computer fraud are input manipulation, program manipulation, and output manipulation. Input manipulation involves altering data that is input into the computer. Program manipulation involves altering a computer program through the use of a salami technique, Trojan horse program, trap door alteration, etc. Output manipulation involves altering reports or other documents generated from the computer system.

130. Describe three popular program manipulation techniques.
Answer: The salami technique accomplishes a fraud by altering small “slices” of computer information. These slices of fraud are difficult to detect because they are so small, but they may accumulate to a considerable amount if they are carried out consistently across many accounts. This is often accomplished by rounding or applying minor adjustments. The perpetrator typically steals the amounts represented by these slices or uses them to his or her benefit.
A Trojan horse program is a small, unauthorized program within a larger, legitimate program, used to manipulate the computer system to conduct a fraud. For example, a customer account may be automatically written off upon the processing of a new batch of transactions.
A trap door alteration involves misuse of a valid programming tool, a trap door, to commit fraud. Trap doors are unique hidden entrances to computer programs that are written into the software applications to provide a manner of testing the systems. Although they should be removed prior to implementation, they may remain to provide a tool for misusing the system to perpetrate fraud.

131. Distinguish between Internet spoofing and e-mail spoofing.
Answer: Internet spoofing involves a person working through the Internet to access a computer network while pretending to be a trusted source. The packet of data containing the Internet protocol (IP) address contains malicious data such as viruses or programs that capture passwords and log-in names. E-mail spoofing bombards employee e-mail accounts with junk mail intended to scam the recipients.

132. What are the objectives of a system of internal control?
Answer: The objectives of an internal control system are as follows:
• To safeguard assets from fraud or errors
• To maintain accuracy and integrity of accounting data
• To promote operational efficiency
• To ensure compliance with management directives

133. Name and distinguish among the three types of internal controls.
Answer: The three types of internal controls are preventative controls, detective controls, and corrective controls. Preventative controls are designed to avoid fraud and errors by stopping any undesired acts before they occur. Detective controls help employees uncover or discover problems that may exist. Corrective controls involve steps undertaken to correct existing problems.

134. Identify the COSO report’s five interrelated components of internal controls.
Answer: According to the COSO report, there are five interrelated components of internal control: the control environment, risk assessment, control activities, information and communication, and monitoring.

135. Name the COSO report’s five internal controls activities.
Answer: According to the COSO report, there are five internal control activities: authorization of transactions, segregation of duties, adequate records and documents, security of records and documents, and independent checks and reconciliations.

136. Distinguish between general and specific authorization.
Answer: General authorization is a set of guidelines that allows transactions to be completed as long as they fall within established parameters. Specific authorization means that explicit authorization is needed for that single transaction to be completed.

137. Due to cost/benefit considerations, many business organizations are unable to achieve complete segregation of duties. What else could they do to minimize risks?
Answer: Close supervision may serve as a compensating control to lessen the risk of negative effects when other controls, especially segregation of duties, are lacking.

138. Why is a policies and procedures manual considered an element of internal control?
Answer: Formally written and thorough documentation on policies and procedures should provide clarity and promote compliance within a business organization, thus providing an important element of internal control. The policies and procedures should include both manual and automated processes and control measures, and should be communicated to all responsible parties within the company.

139. Why does a company need to be concerned with controlling access to its records?
Answer: Securing and protecting company records is important to ensure that they are not misused or stolen. Unauthorized access or use of records and documents allows the easy manipulation of those records and documents, which can result in fraud or a concealment of fraud.

140. Many companies have mandatory vacation and periodic job rotation policies. Discuss how these practices can be useful in strengthening internal controls.
Answer: Mandatory vacations and periodic job rotation policies provide for independent monitoring of the internal control systems. Internal control responsibilities can be rotated so that someone is monitoring the procedures performed by someone else, which enhances their effectiveness.

141. Name the objectives of an effective accounting system.
Answer: An effective accounting system must accomplish the following four objectives:
• Identify all relevant financial transactions of the organization.
• Capture the important data of these transactions.
• Record and process the data through appropriate classification, summarization, and aggregation.
• Report the summarized and aggregated information to managers.

142. What does it mean when information flows “down, across, and up the organization”?
Answer: A business organization must implement procedures to assure that its information and reports are communicated to the appropriate management level. This communication is described by COSO as “flowing down, across, and up that organization”. Such a communication flow assists management in properly assessing operations and making changes to operations as necessary.

143. Provide examples of continuous monitoring and periodic monitoring.
Answer: Any ongoing review activity may be an example of continuous monitoring, such as a supervisor’s examination of financial reports and a computer system’s review modules. An example of periodic monitoring is an annual audit performed by a CPA firm or a cyclical review performed by internal auditors.

144. What are the factors that limit the effectiveness of internal controls?
Answer: It is not possible for an internal control system to provide absolute assurance because of the following factors that limit the effectiveness of internal controls:
• Flawed judgments
• Human error
• Circumventing or ignoring established controls
In addition, excessive costs may prevent the implementation of some controls.

145. Identify and describe the five categories of the AICPA Trust Services Principles.
Answer: The AICPA Trust Services Principles are divided into the following five categories of risks and controls:
• Security. Security is concerned with the risk of unauthorized physical and logical access, such as breaking into the company’s facilities or computer network.
• Availability. Availability is concerned with the risk of system interruptions or failures due to hardware or software problems such as a virus.
• Processing integrity. Processing integrity is concerned with the risk of inaccurate, incomplete, or improperly authorized information due to error or fraud.
• Online privacy. Online privacy is concerned with the risk of inappropriate access or use of a customer’s personal information.
• Confidentiality. Confidentiality is concerned with the risk of inappropriate access or use of company information.

146. Distinguish between the Trust Services Principles of privacy and confidentiality.
Answer: Both privacy and confidentiality are concerned with the risk of inappropriate access or use of information. However, privacy is focused on protecting the privacy of a customer’s personal information, whereas confidentiality is focused on private information about the company itself and its business partners.

147. Identify the four domains of high-level internal control.
Answer: As set forth in Appendix B, COBIT establishes four domains of high-level control objectives. These include planning and organization, acquisition and implementation, delivery and support, and monitoring.

TEXTBOOK – CHAPTER 3 – SHORT ESSAY

148. What possible motivation might a business manager have for perpetrating fraud?
Answer: Management might be motivated to perpetrate fraud in order to improve the financial statements, which may have the result of increasing the company’s stock price and increasing incentive-based compensation. Altered financial information might also have the effect of delaying cash flow problems and/or bankruptcy, as well as improving the potential for business transactions such as mergers, borrowing, stock offerings, etc.

149. Discuss whether any of the following can be examples of customer fraud:
• An employee billed a customer twice for the same transaction.
Answer: This is not an example of customer fraud; rather, the customer is being defrauded in this scenario. On the other hand, this is an example of employee fraud (assuming that the double-billing was intentional and the resulting cash receipts are stolen by employees).
• A customer remitted payment in the wrong amount.
Answer: This may be an example of customer fraud, assuming that the payment was made as a deceptive tactic to avoid the full amount of the customer’s liability.
• A customer received merchandise in error, but failed to return it or notify the sender.
Answer: Although this scenario involves a customer’s improper receipt of goods, it would not be considered customer fraud because it was the result of an error. Regardless of whether the error was committed by the company or the customer, deception is a required element of fraud.

150. Explain the relationship between computer hacking and industrial espionage. Give a few additional examples of how hacking could cause damage in a business.
Answer: Computer hacking is the term commonly used for computer network break-ins. Hacking may be undertaken for various purposes, including theft of proprietary information, credit card theft, destruction or alteration of data, or merely thrill-seeking. Industrial espionage is the term used for theft of proprietary company information. Although computer hacking provides one method of conducting industrial espionage, a computer is not always required to steal company information. Fraudsters trying to conduct industrial espionage may also resort to digging through the trash in order to gain information about a target company.

151. What are some ways in which a business could promote its code of ethics?
Answer: The best way for a company to promote its code of ethics is for its top managers to live by it on a day-to-day basis. If the code is well documented and adhered to by management, others in the organization are likely to recognize its importance. Furthermore, if disciplines and/or discharges are applied to those who violate the code, this will also serve as a strong message regarding the importance of the ethics code.

152. Describe why the control environment is regarded as the foundation of a business’ system of internal control.
Answer: The control environment is regarded as the foundation of a system of internal controls because it sets the tone of an organization and influences the control consciousness of its employees. Thus, the tone at the top flows through the whole business organization and affects behavior at every level. It also provides the discipline and structure of all other components of internal control. COSO identifies the tone set by management as the most important factor related to providing accurate and complete financial reports.

153. Think of a job you have held, and consider whether the control environment was risky or conservative. Describe which you chose and why.
Answer: Student responses will vary. Characteristics of a risky control environment include absence of a code of ethics or lack of enforcement of a code of ethics, aggressive management philosophy and operating style, overlapping duties and vague lines of authority, lack of employee training, and an inactive board of directors. On the other hand, a conservative control environment is characterized by a rigidly enforced code of ethics, a conservative management philosophy and operating style, clearly established job descriptions and lines of authority, a focus on employee training and organizational development, and an accountable and attentive board of directors.

154. Identify the steps involved in risk assessment. Do you think it would be effective for an organization to hire external consultants to develop its risk assessment plan?
Answer: The steps involved in risk assessment include:
• Identification of the sources of risk, both internal and external.
• Determination of the impact of such risks in terms of finances and reputation.
• Estimation of the likelihood of such risks occurring.
• Development of an action plan to reduce the impact and probability of these risks.
• Execution of the action plan on an ongoing basis.
It would not likely be effective for an organization to hire consultants to develop its risk assessment plan because company-specific experience and expertise are needed in order to do this work effectively. For instance, members of management who are actively involved in day-to-day operations and reporting will likely have the best ability to identify risks, determine the impact of those risks, and estimate the likelihood of occurrence of such risks. Although a consultant may be useful in assisting with the development and implementation of the action plan, the first three steps of the risk assessment process would likely depend upon the working knowledge of members of the company’s management.

155. Discuss the accuracy of the following statements regarding internal control:
• The more computerized applications within a company’s accounting system, the lower the risk will be that fraud or errors will occur.
Answer: It is not necessarily true that extensive computerized applications will lower a company’s risk of fraud. This is because computerized systems also increase vulnerabilities such as unauthorized access, business interruptions, and inaccuracies. The technological complexities that accompany sophisticated computer applications call attention to the need for extensive internal controls to reduce the risk of fraud and errors.
• The more involved top management is in the day-to-day operations of the business, the lower the risk will be that fraud or errors will occur.
Answer: It is certainly true that the tone at the top (the tone set by top management) is the most important factor of internal control. Accordingly, it can be implied that involved managers would promote strong internal controls. However, although this is often true, it will be true only when top management acts with integrity, exemplifying and enforcing its code of ethics, maintaining a conservative approach to operations and financial reporting, and cultivating clear communications and responsibilities.

TEXTBOOK – CHAPTER 3 – PROBLEMS

156. Identify whether each of the following accounting positions or duties involves authorization, recording, or custody:
• cashier – Answer: Custody
• payroll processor – Answer: Recording
• credit clerk – Answer: Authorization
• mailroom clerk – Answer: Custody
• data entry clerk – Answer: Recording
• deliver paychecks – Answer: Custody
• deliver the bank deposit – Answer: Custody
• prepare the bank reconciliation – Answer: Recording
• check signer – Answer: Authorization
• inventory warehouse supervisor – Answer: Custody
• staff accountant – Answer: Recording

157. Identify whether each of the following activities represents preventative controls, detective controls, or corrective controls:
• Job rotation – Answer: Detective
• Preparation of a bank reconciliation – Answer: Corrective
• Segregation of duties – Answer: Preventative
• Recalculating totals on computer reports – Answer: Detective
• Use of passwords – Answer: Preventative
• Preparing batch totals for check processing – Answer: Detective
• Establishing a code of ethics – Answer: Preventative
• Use of a security guard – Answer: Preventative
• Verifying source documents before recording transactions – Answer: Preventative
• Matching supporting documents before paying an invoice – Answer: Preventative
• Independent review of accounting reports – Answer: Detective
• Performing comparisons of financial statement items – Answer: Detective

158. Shown is a list of selected sources of internal control guidelines, given in order of issuance, followed by a list of primary purposes. Match each guideline with its primary purpose.
• Foreign Corrupt Practices Act – Answer: B. Prevented bribery and established internal control guidelines.
• COSO – Answer: A. Established internal control concepts based on comprehensive study.
• SAS 99 – Answer: A. Required auditors to focus on risks and controls and to conduct audits with skepticism.
• Sarbanes-Oxley Act – Answer: C. Curbed fraud by requiring additional internal control reporting within annual reports.
• Trust Services Principles – Answer: E. Established essential criteria for evaluating reliability of business systems.

A. Required auditors to focus on risks and controls and to conduct audits with skepticism.
B. Prevented bribery and established internal control guidelines.
C. Curbed fraud by requiring additional internal control reporting within annual reports.
D. Established internal control concepts based on comprehensive study.
E. Established essential criteria for evaluating reliability of business systems.