Chapter 3: Ethics, Fraud, and Internal Control
managers’ ethical responsibility
Ethical standards – derived from societal mores and
deep-rooted personal beliefs about issues of right and
wrong that are not universally agreed upon
Enron’s Chief Financial Officer (CFO) Andy Fastow –
managed to improve his personal wealth by
approximately $40 million
Dennis Kozowski of Tyco, Richard Scrushy of Health-
South, and Bernie Ebbers of WorldCom – became
wealthy beyond imagination while driving their
companies into the ground
1999 – May 2002, executives of 25 companies extracted
$25 billion worth of special compensation, stock
options, and private loans from their organizations
while their companies’ stock plummeted 75% more
Ethics – principles of conduct that individuals use in
making choices and guiding their behavior in situations
that involve the concepts of right and wrong
Business ethics – involves finding answers to two
questions:
1. How do managers decide what is right in
conducting their business?
2. Once managers have considered what is right,
how do they achieve it?
FOUR ARES:
a. Equity
b. Rights
c. Honesty
d. Exercise of corporate power
Making Ethical Decisions
Every major decision has consequences that
potentially harm or benefit these constituents.
Ex. Implementing a new computer information system
within an organization may cause some employees to
lose their jobs, while those who remain enjoy benefit of
improved working conditions
Seeking a balance between these consequences is the
Proportionality – benefit from decision must outweight
the risks
 Must be no alternative decision that provides
the same or greater benefit with less risk
a. Justice – benefits of decision should be
distributed fairly to those who share risks
 Those who do not benefit should not carry the
burden of rippsk
b. Minimize risk – decision should be
implemented so as to minimize all of risks
and avoid any unnecessary risks
Computer ethics – analysis of nature and social impact
of computer technology and the corresponding
formulation and justification of policies for the ethical
use of such technology
 Includes concern about software as well as
hardware and concerns about networks
connecting computers and computer
themselves
THREE LEVELS:
1. Pop – exposure to stories and reports found in
popular media regarding the good or bad
ramifications of computer technology
Note: society at large needs to be aware as
computer viruses and computer systems designed
to aid handicapped persons
2. Para – taking a real interest in computer ethics
cases and acquiring some level of competency
so they can do their jobs effectively
3. Theoretical – interest to multidisciplinary
researchers who apply the theories of
philosophy, sociology, and psychology to
computer science with goal of bringing some
new understanding to the field
A New Problem or Just a New Twist on an Old Problem?
All pertinent ethical issues have already been
examined in some other domain.
1
Ex. Issue of property rights has been explored and
resulted in copyright, trade secret, & patent laws
Privacy – people desire to be in full control of what and
how much information about themselves is available to
others, and to whom it is available
Ownership – creation and maintenance of huge, shared
databases make it necessary to protect people from the
potential misuse of data
Computer security – attempt to avoid such undesirable
events as a loss of confidentiality or data integrity
Security systems – attempt to prevent fraud and other
misuse of computer systems
 They act to protect and further the legitimate
interests of the system’s constituencies
Ethical issues involving security arise from emergence of
shared, computerized databases that have potential to
cause irreparable harm to individuals by disseminating
inaccurate information to authorized user, through
incorrect credit reporting
Ownership of Property
Intellectual property = software
Copyright laws – have been invoked in an attempt to
protect those who develop software from having it
copied
 Cause more harm than good
Best interest of computer users is served when industry
standards emerge
Knowledge engineers – those who write the programs
Domain experts – those who provide knowledge about
the task being automated
Both must be concerned about their responsibility for
faulty decisions, incomplete or inaccurate knowledge
bases, and role given to computers in decision-making
process.
Misuse of computers: copying of proprietary software,
using a company’s computer for personal benefit, and
snooping other people’s files
SARBANES-OXLEY ACT AND ETHICAL ISSUES
Sarbanes-Oxley Act – wide-sweeping legislation
 Most significant securities law since the SEC
Acts of 1993 and 1934
 - has many provisions designed to deal with
specific problems relating to capital markets,
corporate governance, and auditing profession
Section 406 – Code of Ethics for Senior Financial Officers
 Requires public companies to disclose to SEC
whether they have adopted a code of ethics
that applies to organization’s chief executive
officer (CEO), CFO, controller, or persons
performing similar actions
Applies specifically to executive and financial
officers of company, company’s code of ethics
should apply equally to all employees.
 Top management’s attitude toward ethics sets
the tone for business practice, but it also
responsibility of lower-level managers and non-
managers to uphold a firm’s ethical standards.
A public company may disclose its code of ethics in
several ways:
1. By including the code as an exhibit to its annual
report
2. By posting the code to the company website
3. By agreeing to provide copies of code upon
request
ETHICAL ISSUES:
1. Conflicts of interest – the issue here is in dealing
with conflicts of interest, not prohibiting them
 Avoidance is not the best policy, sometimes
conflicts are unavoidable
2. Full and fair disclosures – objective is to ensure
that future disclosures are candid, open,
truthful, and void of such deceptions
2
 3. Legal compliance – code of ethics should
require employees to follow applicable
government laws, rules, and regulations
 To accomplish, organization must provide
employees with training and guidance
4. Internal reporting of code violations – code of
ethics must provide mechanism to permit
prompt internal reporting of ethics violations
 Similar to section 301 & 806 (designed to
encourage and protect whistle-blowers
5. Accountability – section 301 (directs
organization’s audit committee to establish
procedures for receiving, retaining, and treating
such complaints about accounting procedures
and internal control violations
FRAUD AND ACCOUNTANTS
U.S. financial reporting system – object of scrutiny
Statement on Auditing Standards (SAS) No. 99,
Consideration of Fraud in a Financial Statement Audit –
objective is to seamlessly blend auditor’s consideration
of fraud into all phases of audit process.
 Requires auditor to perform new steps such as
brainstorming during audit planning to assess
potential risk of material misstatement of
financial statements from fraud schemes
Fraud: Bankruptcies and business failures – fraud is
result of poor management decisions or adverse
business conditions
Fraud: business environment – intentional deception,
misappropriation of assets, or manipulation of
company’s financial data to advantage of perpetrator.
Fraud: accounting literature – also known as white-
collar crime, defalcation, embezzlement, irregularities
Fraud – denotes false representation of material fact
made by one party to another party with intent to
deceive and induce other party to justifiably rely on fact
to his or her detriment.
Fraudulent act must meet ff. conditions:
1. False representation – false statement or
nondisclosure
2. Material fact – fact must be substantial factor in
inducing someone to act
3. Intent – intent to deceive or knowledge one’s
statement is false
4. Justifiable reliance – misrepresentation must
have been substantial factor on which injured
party relied
5. Injury or loss – deception must have caused
injury or loss to victim of fraud
Two levels of fraud:
1. Employee fraud – designed to directly convert
cash or other assets to employee’s personal
benefit.
If company has effective internal control,
defalcations or embezzlements can usually be
prevented or detected.
Three steps:
 Stealing something of value (asset)
 Converting asset to usable form (cash)
 Concealing the crime to avoid detection
2. Management fraud – more insidious and often
escapes detection until organization suffered
irreparable damage or loss.
Top management – fraudulent activities to drive up
market price of company’s stocks (involves deceptive
practices to inflate earnings or to forestall recognition of
either insolvency or decline in earnings
Lower-level management – involves materially
misstating financial data and internal reports to gain
additional compensation, to garner promotion, or to
escape penalty for poor performance.
Three characteristics:
1. Fraud is perpetrated at levels of management
above one to which internal control structures
generally relate
2. Fraud frequently involves using financial
statements to create illusion that entity is
healthier and more prosperous than it is
3
 3. Fraud involves misappropriation of assets,
frequently shrouded in maze of complex
business transactions, often involving related
third parties
FRAUD TRIANGLE
Three (3) factors:
1. Situational pressure – personal or job-related
stresses that could coerce an individual to act
dishonestly
2. Opportunity – direct access to assets and/or
access to information that control assets
3. Ethics – pertains to one’s character and degree
of moral opposition of acts of dishonesty
FIANCIAL LOSSES FROM FRAUD
Association of Certified Fraud Examiners (ACFE) in
2010 estimated losses from fraud 5% of annual
revenues.
Actual cost of fraud, difficult to quantify for a
number of reasons:
1. Not all fraud is detected
2. Of that detected, not all is reported
3. In many fraud cases, incomplete information is
gathered
4. Information is not properly distributed to
management or law enforcement authorities
5. Too often, business organizations decide to take
no civil or criminal action against perpetrators of
fraud.
Indirect cost: reduced productivity, cost of legal action,
increased unemployment, business disruption due to
investigation of fraud, need to be considered.
Demographic categories presented in the ACFE study:
 Position – beyond internal control structure and
have the greatest access to company funds and
assets
 Gender – affords men greater access to assets
 Age – older employees tend to occupy higher-
ranking positions
 Education – with more education occupy higher
positions in organization and therefore have
greater access to company funds and other
assets.
 Collusion – when individuals in critical positions
collude, they create opportunities to control or
gain access to assets that otherwise would not
exist
FRAUD SCHEMES:
1. Fraudulent statements (7.6)
2. Corruption (33.4)
3. Asset misappropriation (86.7)
Fraudulent statements – associated with management
fraud. Must itself bring direct or indirect financial
benefit to perpetrator
Misstating cash account balance to cover theft of cash is
not financial statement fraud. Understating liabilities to
present favorable picture of organization, to drive up
stock prices.
THE UNDERLYING PROBLEMS.
1. Lack of Auditor Independence – firms essentially
auditing their own work. Risk is that as auditors
they will not bring to management’s attention
the detected problems that may adversely affect
their consulting fees.
Arthur Andersen – Enron auditors – were also
their internal auditor and management
consultants.
2. Lack of Director Independence
 directors who have personal relationship by
serving on boards of other director’s
companies;
 have business trading relationship as key
customers or suppliers of company;
 have financial relationship as primary
stockholders or have received personal
loans from company;
 have an operational relationship as
employees of company
Example of corporate inbreeding – Adelphia
Communications – founded in 1952, went
public in 1986. Became sixth largest cable
provider in United States before accounting
scandal came to light. Founding family (John
4
 Rigas – CEO and chairman of the
board;Timothy Rigas – CFO, chief
administrative officer, & chairman of audit
committee; Michael Rigas – vice president of
operation; JP Rigas – vice president for strategic
planning) perpetrated the fraud. Between 1998
and May 2002, engaged in embezzlement
resulted in loss of more than $60 billion to
shareholders.
Popular wisdom suggests that healthier board
of directors is one in which majority of directors
are independent outsiders, with integrity and
qualifications to understand the company and
objectively plan its course.
3. Questionable Executive Compensation Schemes
– Thomson Financial survey revealed: executives
have abused stock-based compensation.
Consensus is that fewer stock options should be
offered than currently is the practice.
4. Inappropriate Accounting Practices – use of
inappropriate techniques is characteristic
common to many financial statement fraud
schemes.
Special-purpose entities are legal, but their
application in this case was clearly intended to
deceive the market.
WorldCom – April 2001, WorldCom
management decided to transfer transmission
line costs from current expense accounts to
capital accounts.
SARBANES-OXLEY ACT AND FRAUD
Sarbanes-Oxley – this landmark legislation was written
to deal with problems related to capital markets,
corporate governance, and auditing profession, and has
fundamentally changed the way public companies do
business and how accounting profession performs its
attest function.
- The act establishes a framework to modernize
and reform the oversight and regulation of
public company auditing. Its principal reforms
pertain to:
1. Creation of an accounting oversight board
2. Auditor independence
3. Corporate governance and responsibility
4. Disclosure requirements
5. Penalties for fraud and other violations
Public Company Oversight Accounting Board (PCAOB) –
empowered to set auditing, quality control, and ethics
standards to inspect registered accounting firms; to
conduct investigations; to take disciplinary actions.
Auditor Independence is intended to specify categories
of services that public accounting firm cannot perform
for its client. these include the ff. nine functions:
1. Bookkeeping or other related services to
accounting records or financial statement
2. Financial information systems design and
implementation
3. Appraisal or valuation services, fairness
opinions, or contribution-in-kind reports
4. Actuarial services
5. Internal auditing outsourcing services
6. Management functions or human resources
7. Broker or dealer, investment adviser, or
investment banking services
8. Legal services and expert services unrelated to
audit
9. Any other service that PCAOB determines is
impermissible
SOX prohibits auditor from providing these
services to their audit clients, they are not
prohibited from performing such services for
nonaudit clients or privately held companies.
Corporate Governance and Responsibility – the act
requires all audit committee members to be
independent and requires audit committee to hire and
oversee the external auditors.
- This provision is consistent with many investors
who consider board composition to be critical
investment factor.
5
 Thomson Financial survey revealed most
institutional investors want corporate boards to
be composed of at least 75% independent
directors.
Two other significant provisions:
1. Public companies are prohibited from making
loans to executive officers and directors
2. Act requires attorneys to report evidence of
material violation of securities laws or breaches
of fiduciary duty to CEO, CFO, or PCAOB.
SOX imposes new corporate disclosure requirements,
including:
1. Public companies must report all off balance
sheet transaction
2. Annual reports filed with SEC must include
statement by management asserting that it’s
responsible for creating and maintaining
adequate internal controls and asserting to
effectiveness of those controls
3. Officers must certify that company’s accounts
“fairly present” firm’s financial condition and
results of operations
4. Knowingly filing false certification is criminal
offense
Corruption – involves an executive, manager, or
employee of organization in collusion with an outsider.
10% of occupational fraud cases.
Four (4) principal types:
1. Bribery
2. Illegal gratuities
3. Conflicts of interest
4. Economic exertion
Bribery – giving, offering, soliciting, or receiving things
of value to influence an official in performance of his or
her lawful duties
- Defrauds the entity of the right to honest and
loyal services from those employed by it.
Illegal gratuity – giving, receiving, offering, or soliciting
something of value because of an official act that has
been taken. Similar to bribe, but the transaction occurs
after the fact.
Conflict of interest – occurs when an employee acts on
behalf of third party during discharge of his or her
duties or has self-interest in activity being performed
When employee’s conflict of interest is unknown to
employer and results in financial loss, fraud has
occurred.
Economic extortion – use (or threat) of force (including
economic sanctions) by an individual or organization to
obtain something of value
Asset Misappropriation – assets are either directly or
indirectly diverted to perpetrator’s benefit. Almost 90%
of frauds included in ACFE study fall in this category.
Transactions involving:
 Cash
 Checking accounts
 Inventory
 Supplies
 Equipment
 Information
Are most vulnerable to abuse.
Skimming (14.6%) – stealing cash from organization
before it is recorded on organization’s books and
records.
Ex. Mail room fraud – an employee opening mail steals
customer’s check and destroys the associated
remittance advice
Cash larceny (11%) – schemes in which cash receipts are
stolen from an organization after they have been
recorded in organization’s books and records
Ex. Lapping – cash receipts clerk first steals and cashes
check from customer A, to conceal the payment of
customer B will be credited to A’s account.
- Employees involved in this sort of fraud often
rationalize that they are simply borrowing cash
and plan to repay it at some future date.
6
Billing schemes (vendor fraud) (24.9%) – perpetrated by
employees who cause their employer to issue a
payment to false supplier by submitting invoices for
fictitious goods or services, inflated invoices, or invoices
for personal purchases.
Three (3) examples:
1. Shell company fraud – first requires perpetrator
to establish false supplier on books of victim
company.
2. Pass through fraud – similar to shell company
with exception that a transaction actually takes
place
3. Pay-and-return fraud – involves clerk with
check-writing authority who intentionally pays a
vendor twice for the same invoice for purchase
on inventory or supplies.
Check tampering (11.9%) – forging or changing in some
material way a check that the organization has written
to legitimate payee.
Example is an employee who steals an outgoing check
to a vendor, forges the payee signature, and cashes the
check.
Payroll fraud (9.3%) – distribution of fraudulent
paycheck to existent and/or nonexistent employees.
The fraud works best in organizations in which
supervisor is responsible for distributing
paychecks to employees.
Expense reimbursement frauds (14.5%) – employee
makes claim for reimbursement of fictitious or inflated
business expenses.
Ex. A company salesperson files false expense reports
that never occurred.
Theft of cash (11.8%) – direct theft of cash on hand in
organization.
Ex. An employee who makes false entries on
cash register, such as voiding sale, to conceal
fraudulent removal of cash. An employee who
steals cash from the vault.
Non-cash misappropriations (17.2%) – theft or misuse of
victim organization’s non-cash assets.
Ex. A warehouse clerk who steals inventory from a
warehouse or storeroom. Customer services clerk who
sells confidential customer information to third party.
INTERNAL CONTROL CONCEPTS AND TECHNIQUES
Internal control system – comprises policies, practices,
and procedures employed by organization to achieve
four broad objectives:
1. To safeguard assets of firm
2. To ensure accuracy and reliability of accounting
records and information
3. To promote efficiency in firm’s operations
4. To measure compliance with management’s
prescribed policies and procedures
Internal control system – shield that protects firm’s
assets from numerous undesirable events that bombard
the organization. These include:
 Unauthorized access to firm’s assets
 Fraud perpetrated by persons both inside and
outside firm
 Errors due to employee incompetence
 Faulty computer programs and corrupted input
data
 Mischievous acts (unauthorized access by
computer hackers and threats from computer
viruses that destroy programs and databases
Four (4) modifying assumptions that guide designers
and auditors of internal controls:
1. Management responsibility – this concept holds
that establishment and maintenance of system
of internal control
2. Reasonable assurance – cost-effective manner;
no system of internal control is perfect and cost
of achieving improved control should not
outweigh its benefits.
3. Methods of data processing
4. Limitations:
 Possibility of error – no system is
perfect
7
  Circumvention – personnel may
circumvent system through collusion or
other
 Management override – management is
in position to override control
procedure by personally distorting
transactions or by directing subordinate
to do so
 Changing conditions – conditions may
change over time and render existing
controls ineffective
EXPOSURE AND RISK
Exposure – absence or weakness of internal control;
increase firm’s risk to financial loss or injury from
undesirable events.
1. Destruction of assets
2. Theft of assets
3. Corruption of information of information system
4. Disruption of information system
Internal control shield composed of three levels of
control:
1. Preventive controls
2. Detective controls
3. Corrective controls
Prevention – first line of defense in control structure.
Preventive controls – passive techniques designed to
reduce frequency of occurrence of undesirable events
- Force compliance with prescribed or desired
actions and thus screen out aberrant events
When designing internal control, ounce of
prevention is most certainly worth pound of
cure. Preventing errors and fraud is far more
cost-effective than detecting and correcting
problems after they occur.
Ex. Well-designed source document
Detective controls – devices, techniques, and
procedures designed to identify and expose undesirable
events that elude preventive controls
- Identify anomalies and draw attention to them
- Reveal specific types of errors by comparing
actual occurrences to pre-established standards
When detective control identifies a departure
from standards, it sounds an alarm to attract
attention to the problem.
Corrective controls – actions taken to reverse effects of
error detected in previous step
- Actually fix the problem
Statement on Auditing Standards (SAS) No. 109 –
current authoritative document for specifying internal
control objectives and techniques which is based on
COSO framework
Sarbanes-Oxley legislation – requires management of
public companies to implement adequate system of
internal controls over their financial reporting process
- Include controls over transaction processing
systems that feed data to financial reporting
systems
Section 302 of SOX – requires that corporate
management certify the organization’s internal controls
on quarterly and annual basis
Section 404 of SOX – requires management of public
companies to assess the effectiveness of organization’s
internal controls. Entails providing annual report
addressing ff. points:
1. Statement of management’s responsibility for
establishing and maintaining adequate internal
control
2. Assessment of effectiveness of company’s
internal controls over financial reporting
3. Statement that organization’s external auditors
have issued attestation report on management’s
assessment of company’s internal control
4. Explicit written conclusion as to effectiveness of
internal control over financial reporting
5. Statement identifying framework used
assessment of internal control
Committee of Sponsoring Organizations of the Treadway
Commission (COSO) – basis for SAS 109.
8
SAS 109 – developed for auditors and describes the
complex relationship between firm’s internal controls,
auditor’s assessment of risk, and planning of audit
procedures
- Requires auditors obtain sufficient knowledge to
assess attitude and awareness of organization’s
management, board of directors, and owners
regarding internal control.
(PAGE 117)
COSO INTERNAL CONTROL FRAMEWORK
Consist of five components:
1. Control environment
2. Risk assessment
3. Information and communication
4. Monitoring
5. Control activities
Control environment – foundation; sets the tone for
organization and influences control awareness of its
management and employees
Important elements:
 Integrity and ethical values of
management
 Structure of organization
 Participation of organization’s board of
directors and audit committee, if one
exist
 Management’s philosophy and
operating style
 External influences (examination by
regulatory agencies)
 Organization’s policies and practices for
managing its human resources
Risk assessment – to identify, analyze, and manage risks
relevant to financial reporting
(PAGE 118)
Accounting information system – consists of records and
methods used to initiate, identify, analyze, classify, and
record organization’s transactions and to account for
related assets and liabilities
(PAGE 118)
Monitoring – process by which quality of internal
control design and operation can be assessed
Ongoing monitoring – may be achieved by integrating
special computer modules into information system that
capture key data and/or permit tests of controls to be
conducted as part of routine operations
Embedded modules – allow management and auditors
to maintain constant surveillance over functioning of
internal controls
PAGE 119 - last paragraph of monitoring
Control activities – policies and procedures used to
ensure that appropriate actions are taken to deal with
the organization’s identified risks
Two categories:
1. IT controls
2. Physical controls
IT controls – relate specifically to computer
environment.
Two groups:
1. General controls
2. Application controls
General controls – entity-wide IT concerns such as:
 Controls over data center
 Organization databases
 Network security
 Systems development
 Program maintenance
Application controls – integrity of specific computer
systems such as:
 Sales order processing
 Accounts payable
 Payroll applications
Physical controls – class of controls relates to human
activities employed in accounting systems
- May be purely manual such as:
9
  Physical custody of assets
 May involve physical use of computers
to record transactions or update
accounts
- Do not relate to computer logic that actually
performs accounting tasks
- They relate to human activities that trigger
those tasks or utilize the results of those tasks
Six categories:
1. Transaction authorization
2. Segregation of duties
3. Supervision
4. Accounting records
5. Access control
6. Independent verification
Transaction authorization – purpose is to ensure that all
material transactions processed by information system
are valid and in accordance with management’s
objectives.
General authority – granted to operations personnel to
perform day-to-day operations
Ex. Procedure to authorize purchase of inventories form
designated vendor only when inventory level falls
Programmed procedure – decision rules are specified in
advance, and no additional approvals are required
Specific authority – usually management’s responsibility
- Case-by-case decisions associated with
nonroutine transactions
Ex. Decision to extend particular customer’s
credit limit beyond normal amount
Segregation of duties – to minimize incompatible
functions
(page 120)
Supervision (compensating control) – underlying
assumption: firm employs competent and trustworthy
personnel
- Takes place while activity is being performed by
supervisor with direct responsibility for the task
Accounting records – these records capture the
economic essence of transactions and provide an audit
trail of economic events
Organization must maintain audit trail for:
1. Information is needed for conducting day to day
operations
2. Audit trail plays essential role in financial audit
of the firm
Access control – purpose is to ensure only authorized
personnel have access to firm’s assets.
- play important role in safeguarding the assets
Indirect access to assets – achieved by gaining access to
records and documents that control the use, ownership,
and disposition of the asset
- accomplished by controlling use of documents
and records by segregating duties of those who
must access and process these records
Verification procedure – independent checks of
accounting system to identify errors and
misrepresentations
- takes place after the fact, by an individual who
is not directly involved with transaction or task
being verified
through independent verification procedures,
management can assess:
1. performance of individuals
2. integrity of transaction processing system
3. correctness of data contained in accounting
records
Examples of independent verification:
1. reconciling batch totals @ point during
transaction processing
2. comparing physical assets with accounting
records
3. reconciling subsidiary accounts with control
accounts
4. reviewing management report that summarizes
business activity
10
IT APPLICATION CONTROLS
Application controls are associated w/ specific
applications, such as:
 payroll
 purchases
 cash disbursement systems
and fall into three categories:
1. input controls
2. processing controls
3. output controls
Input controls (edits) – programmed procedures which
perform tests on transaction data to ensure they are
free from errors
Edit controls in real-time systems – placed at data
collection stage to monitor data as they are entered
from terminals
Batch systems – collect data in transaction files, where
they are temporarily held for subsequent processing
1) Check digit – control digit that is added to data code
when it is originally assigned. Allows integrity of
code to be established during subsequent
processing
Simplest form: sum digits in code
Transcription errors:
1. addition errors – extra digit or character is
added to code
2. truncation errors – a digit or character is
removed from end of code
3. substitution errors – replacement of one digit in
code with another
transposition errors:
1. single transposition – two adjacent digits are
reversed
2. multiple transposition – nonadjacent digits are
transposed
2.) Missing data check – this edit identifies blank or
incomplete input fields that should contain data that are
required to process transaction
3.) Numeric-alphabetic check – identifies when data in
particular fields are in wrong form
4.) Limit check – used to identify field values that exceed
an authorize limit
5.) Range check – upper and lower limits to their
acceptable values
- purpose is to detect keystroke errors by data entry
clerks
6.) Reasonableness check – may be detected by test that
determines if value in one field, has already passed a
limit check and range check, is reasonable when
considered along with data in other fields of records
7.) Validity check – compares actual field values against
known acceptable values.
- used to verify such things as transaction codes, state
abbreviations, or employee job skill codes.
Processing controls – programmed procedures to ensure
that an application’s logic is functioning properly
Batch controls – used to manage flow of high volumes
of transaction through batch processing systems
- objective is to reconcile system output with
input originally entered into system
PAGE 124
Run-to-run controls – use values in batch control record
to monitor batch as it moves from one programmed
procedure (run) to another
Page 125
Hash total – summation of nonfinancial field to keep
track of the records in batch
Audit trail controls – ensure that every transaction can
be traced through each stage of processing from its
economic source to its presentation in financial
statements.
11
EXAMPLES:

Transaction logs – permanent record of transactions,

although input transaction file is typically temporary file

- contains only successful transactions

Transaction log and error files combined should
account for all transactions in batch.

Log of automatic transactions – system triggers some

transactions internally

To maintain an audit trail of these activities, all

internally generated transactions must be placed in
transaction log.

Grandfather-father-son (GFS) backup – use sequential

master files (tape or disk) employ a backup technique
which is an integral part of master file update process.

Page 127

Destructive update approach – leaves no backup copy of

original master file. Only current value is available to
user

Output controls – combination of programmed routines

and other procedures to ensure that system output is
not lost, misdirected, or corrupted and that privacy is
not violated

Spooling – applications designed to direct their output

to magnetic disk rather than print it directly

Page 130

Print programs – often complex systems that require

operator intervention

Page 131

Waste – potential source of exposure

- also source of passwords that perpetrator may

use to access firm’s computer system

Report distribution – primary risks include being lost,

stolen, or misdirected in transit to user.

12