Chapter 7: COMPUTER-ASSISTED AUDIT TOOLS AND TECHNIQUES

1. Input error correction--correct immediately. 2. Validation controls--field interrogation--limit checks. 3. Validation controls--field interrogation--validity checks. 4. Hash totals

5. Input error correction--reject the batch. 6. Output controls ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. If the privacy of certain types of output is violated, a firm could have its business objectives compromised, or it could even become legally exposed. 7. Some typical problems with passwords Persons trying to enter secured system by entering some alphabets, numbers, or alphanumeric digits in the password box. Computer waste is use to access firm's data files.

8. Three categories of processing controls run-to-run controls operator intervention controls audit trail controls

9. Examples of privacy exposures include the disclosure of trade secrets, patent pending, marketing researcher results, and patient medical records. 10. Four validation tests Missing data checks are used to examine the contents of a field for the presence of blank spaces. Numeric-alphabetic data checks determine whether the correct form of data is in a field. Zero-value checks are used to verify that certain fields are filled with zeros. Limit checks determine if the value in the field exceeds an authorized limit.

11. Record interrogation procedures validate the entire record by examining the interrelationship of its field values. Examples are reasonableness checks and sign checks. Reasonableness checks determine if a value in one field, which has already passed a limit check and a range check, is a reasonable when considered along with other data fields in the record. Sign checks are tests to see if the sign of a field is correct for the type of record being processed.

Chapter 8: DATA STRUCTURES AND CAATs FOR DATA EXTRACTION

1. Hashing structure works and quicker than using an index because it employs an algorithm that converts the primary key of a record directly into a storage address, and it eliminates the need for a separate index; by calculating the address, rather than reading it from an index, records can be retrieved more quickly. For example, assume an inventory file with 100 000 inventory items. The algorithm divides the inventory number into a storage location. Hashing structure has two significant disadvantages, the first one is that: it does not use storage space efficiently and the second one is collision where different record keys may generate the same residual and same address. 2. Embedded audit module is a specially programmed module embedded in a host application to capture predetermined transaction types for subsequent analysis. The disadvantages of an EAM is that it decrease operational performance and it may not be a viable audit technique in environments with a high level of program maintenance. 3. The major difference between hierarchical and network database is the degree of process integration and data showing that can be achieved. Two dimensional flat file exist as independent data structures that are not linked logically or physically to other files. 4. Update anomaly. Results from data redundancy in an unnormalized table. Any change in the suppliers name, address, or telephone number must be made to each of these records in the table. Insertion Anomaly. The organization cannot insert a new vendor to the database if they are not yet purchase from them even though they plan to do so, because the vendor does not supply the organization with any inventory items. Deletion Anomaly. It involves the unintentional deletion of data from a table. The presence of the deletion anomaly in less conspicuous, but potentially more serious than the update and insertion anomalies. 5. Embedded audit module is identifying important transactions while they are being processed and extract copies of them in real time while a generalized audit software is the most widely used CATT

for IS auditing and allows audit or to access electronically added data files and perform various operations on their contents. 6. Virtual Storage Access Method structure is use for very large files that require routine batch processing and a moderated degree of individual record processing. For instance, the customer file of a public utility company will be processed and directly accessed in response to individual customer queries. 7. Data normalization is a technical matter that is usually the responsibility of the systems professionals. Auditors need to know how the data are structured before he or she can extract data from tables to perform audit procedures. 8. User views of the data are often very different from their storage structure. Audit task of retrieving data pertaining to a complex user view such as purchase order will involve identifying and accessing several related tables.

9. 3 NF table is one which the primary key of a table wholly and uniquely defines each attributes in the table. Furthermore, none of the tables attributes other than the primary key. 10. The link table has a combined key consisting of the primary keys within either table is not possible. Neither table can donate an embedded foreign key to the other because both are on the many side of the associate. 11. The relational model specifies that the tuples of a relation have no specific order and that the tuples, in turn, impose no order on the attributes. Applications access data by specifying queries, which use operations such as select to identify tuples, project to identify attributes, and join to combine relations. Relations can be modified using the insert, delete, and update operators. New tuples can supply explicit values or be derived from a query. Similarly, queries identify tuples for updating or deleting. It is necessary for each tuple of a relation to be uniquely identifiable by some combination (one or more) of its attribute values. This combination is referred to as the primary key. 12. 1:1 association exists between tables, either primary keys maybe embedded as foreign keys in the related table. On the other hand, when the lower cardinality value is zero (1:0,1) a more efficient table structure can be achieved by placing one side (1;) tables primary key in the zero-or-one table as foreign key. 13. Normalized tables have eliminated the three anomalies. First, the update anomaly is resolved because new vendors can be added to the supplier table even if they are not currently supplying the organization with inventory; finally, the deletion anomaly is deleted.

14. In data modeling, the cardinality of one data table with respect to another data table is a critical aspect of database design. Relationships between data tables define cardinality when explaining how each table links to another. In the relational model, tables can be related as any of: many-to-many, many-to-one (rev. one-tomany), or one-to-one. This is said to be the cardinality of a given table in relation to another. For example, consider a database designed to keep track of hospital records. Such a database could have many tables like:

a Doctor table full of doctor information a Patient table with patient information And a Department table with an entry for each department of the hospital.

In that model: There is a many-to-many relationship between the records in the doctor table and records in the patient table (Doctors have many patients, and a patient could have several doctors); A one-to-many relation between the department table and the doctor table (each doctor works for one department, but one department could have many doctors). One-to-one relationship is mostly used to split a table in two in order to optimize access or limit the visibility of some information. In the hospital example, such a relationship could be used to keep apart doctor's personal or administrative information. In data modeling, collections of data elements are grouped into data tables. The data tables contain groups of data field names (known in the science world as database attributes). Tables are linked by key fields. A primary key assigns that field's special order to a table: for example, the DoctorLastName field might be assigned as the primary key of the Doctor table (#correction: PK is supposed to be unique. People can have same last name. Maybe introduce a new field called Doctored). A table can also have a foreign key which indicates that that field is linked to the primary key of another table. 15. Physical address pointer contains the actual disk storage location needed by the disk controller. This physical address allows the system to access the record directly without obtaining further information. - Relative address pointer contains the relative position of a record in the file. - Logical key pointer contains the primary key of the related record. 16. The widespread popularity of GAS is due to four factors: (1) GAS language are easy to use and require little computer background on the part of the auditor; (2) many GAS products can be used on both mainframe and pc systems; (3) auditors can perform their tests independent of the clients computer service; and (4) GAS can be used to audit the data stored in most file structures and formats.

17. Gaining access to complex structures, such as hashed files and other form of random file, may pose a problem for the auditor. Not all GAS products on the market may be capable of accessing even type of file structure. 18. ACL, formerly known as Audit Command Language, is a data extraction and analysis software used for fraud detection and prevention. By sampling large data sets, ACL is used to find irregularities or patterns in transactions that could indicate control weaknesses or fraud. 19. ACL is used to view, explore, and analyze data efficiently and cost-effective. ACL enables accessibility of data in diverse formats and on various types of storage devices. With ACL, our auditors, accountants can effectively conduct a variety of analysis on systems, including payroll, employee expense accounts, accounts payable, and accounts receivable. We have found this tool extremely valuable in enabling audit teams to mine large volumes of data conclusions that never could have been reached through traditional manual approaches. 20. ACL provides powerful options for filtering data that support various audit tests. Filter is expressions that search for records that meet the filter criteria. 21. Record sampling is used when records in a file are fairly distributed. MUS, across strata, auditor may want an unbiased sample and will thus choose the record approach, on the other hand if the file is heavily skewed with large value items, the auditor may select, MUS which will produce a sample that includes all the larger dollar amount.

Chapter 9: AUDITING THE REVENUE CYCLE

1. The sales department receives order and gives authority to ship the items to the customer. The billing department is responsible for giving the bill of the customers account. The AR department records the sales transaction that occurs. 2. With the mailroom procedure, the mailroom employee opens the envelope containing the customers payments and remittance advice. The risk associated here is that the employee may be tempted to misappropriate the cash and the audit procedures may not trace this. 3. The employee may misuse the cash by using it for personal expenses. 4. The AR clerk receives and reconciles the remittance advices and remittance list. Via terminal, the clerk creates the cash receipts transaction file based on the individual remittance advices. The clerk then files the remittance advices and the remittance list.

5. Access control over revenue cycle documents is as important as the physical control devices over cash and inventory because these source documents are important audit trails for the procedures that will be used by the auditors. 6. The AR update program posts to accounts receivable by sequentially matching the Account Number key in each sales order record with the corresponding AR-SUB master file. This procedure creates a new AR-SUB master file that incorporates all changes to the customer accounts that are affected by transaction records. 7. The use of magnetic tapes has declined in the recent years because of inefficiency. They must be physically mounted on tape drives and dismounted when job ends. Today, tapes are used primarily as backup devices and for storing archive data. 8. a. b. c. d. The following are the benefits of the use of real-time processing of data: It greatly shortens the cash cycle of the firm. It can give a firm a competitive advantage in the marketplace. It reduces clerical errors. It reduced the amount of paper documents in the system.

9. Positive confirmations are useful when the auditor suspects that a large number of accounts are in dispute. They are also used when confirming unusual or large balances or when a large proportion of total accounts receivable arise from a small number of significant customers. Negative confirmation requests the recipients to respond only if they disagree with the amount shown in the letter. This is used when accounts receivable consists of a large number of low-value balances and the control risk of misstatement is considered to be low. 10. Analytical review allows the auditor to understand the nature of business of the client. 11. Open invoice system records invoices individually rather than being summarizes or grouped by creditor. Under such circumstances, the confirmation processes would be ineffective. 12. Allowance for bad debts may be inaccurate when the company inconsistently applied their credit policy. 13. a. The cash receipts clerk prepares a three-part deposit slip for the total amount of the cash received. b. Batch program summarizes the sales and cash receipts journal, prepares a journal voucher, and posts to the general ledger accounts. c. Armed guards escort the funds to the bank depository.

14. The POS systems exchange goods directly for cash in transaction that is consummated at the point of sale. It does not maintain accounts receivable account. 15. The use of the scanner updates real time.

CHAPTER 10: AUDITING THE EXPENDITURE CYCLE

1. The job ticket is used to allocate each labor hour of work to specific WIP accounts. These job tickets are very important for cost accounting. The job tickets are completed by production workers as they capture the total amount of time that they spend on each production job. Upon completion, they route these to the cost accountants who use them to post the labor costs to specific WIP accounts such as direct labor, indirect labor and overhead. The cost accountant prepares a labor distribution summary which contains the information for the general ledger clerk to make the necessary entries to the general ledger accounts. 2. The three documents which must accompany the payment of an invoice are the purchase requisition, purchase order, and receiving report (in addition to the invoice itself). The purchase requisition originates from inventory control and represents the inventory requirements. The purchase order originates from the purchasing department and represents an order placed. The receiving report originates from the receiving department and represents the quantity and types of goods received. Thus, the accounts payable must determine 1) that the goods ordered were requested by some department (i.e. inventory control) other than purchasing, 2) that purchasing ordered the goods from a valid vendor, and 3) that the goods were actually received. If all three of the conditions are met, then and only then should the invoice be paid. Further, only those goods received in good shape should be paid. 3. Purchasing starts when it is decided that inventory needs replenishment. Then the purchasing department are actually place the order, after receiving the goods, accounts payable department is responsible for the validation of vendors and payment of these goods. Payroll systems show that general expenditure procedures that apply to all vendors will not apply to employees and these are designed to accommodate relatively smooth flow of transactions. 4. The receiving clerks have access to many of the firm's assets: their inventory. Two exposures potentially exist: 1) the clerk failing to perform his/her duty and 2) the clerk pilfering or stealing the inventory. Thus, the copy of the purchase order which they use for this inspection should have the quantities and amounts covered so that they may not be read. If the quantity is printed on the receiving clerk's copy of the purchase order, he or she may be tempted to skip the physical inspection and the company may be paying for inventory it did not receive or is damaged. A supervisor is

necessary to remove the packing slip which contains quantity information and to make sure the receiving clerks actually inspect the goods. If the value of the inventory is listed, the employee may be tempted to steal some of the inventory. Close supervision should deter employees from stealing. 5. A system which employs real-time data entry of sales will have the inventory levels updated more frequently. Thus, when a sale depletes the inventory level to the reorder point, the system will flag it for reorder more quickly than if it had to wait for a batch update of the inventory records. The sooner the item is ordered, the sooner it will be received. With respect to the real-time receipt of inventory, the inventory will be updated immediately to show the accurate amount which is on hand. Thus, a customer wishing to know how soon they may have an item shipped will receive more accurate information regarding the status of the firm's inventory levels. Thus, the customer benefits from better stocking of inventory and better information regarding the inventory levels. The receiving departments uses real-time data entry; they enter the purchase order number and a receiving screen prompts the clerk for the quantities of goods received. This system should cause less discrepancies due to poor handwriting, carelessness, and loss of the receiving report form. 6. a) The entire inventory file would be searched at certain intervals, maybe twice a day, by the computer to identify items at or below their reorder. The computer would also check the quantity on order field to determine if an order has already been placed. If an order is needed, the computer creates an open purchase requisition record. The vendor file is also needed at this point. The purchase requisition is sent to the purchasing department to fill out a purchase order (some systems may automate this also). The purchase orders for a certain period of time, maybe daily, are accumulated and processed together in a batch and any open purchase requisitions which have a corresponding purchase order are closed by the system. The receiving reports are accumulated over a period of time and processed together, at which time the inventory is updated on a batch basis, as well as the open purchase orders. Any purchase orders which are filled are then closed. The vouchers are accumulated over time and processed together in a batch and recorded in the voucher register. b) If the system is processed with real-time data input, the inventory is automatically scanned whenever a withdrawal from an inventory account is made. If the item needs reordering, a record in the purchase requisition is entered. After a specified period of time, the purchase requisitions are consolidated according to vendor number. A valid vendor file is checked by the system, and a purchase order is created by the system. When the goods are received, the receiving report is entered into the system and the inventory account is automatically updated to reflect the new inventory items which have arrived and the logical field rec flag is set to true. When accounts payable receives the invoice, the files are scanned to match the invoice with an open purchase order, and the invoice field is set to true to indicate that the invoice has been received. The open purchase order is checked to determine if the goods have been received by checking the logical field rec flag. If no discrepancies are noted by the system, a record is created in the open accounts payable file. The system scans daily the accounts payable due dates to determine which invoices will be made. The system then prepares the checks, closes the corresponding accounts payable records and prepares a check register, and transaction listing.

7. The first control implication is that a fundamental separation between authorization and transaction processing no longer exists. The computer programs both authorize and process the orders and issue checks to the vendors. The compensating control is to provide transaction listings and summary reports to management which describe the automated activities taken by the system. In order for these controls to work, the managers must take the time to carefully review these reports. The second control implication is that the accounting records as well as the computer programs reside on magnetic disks. These disks should not be accessed by any individuals not authorized to access them in any fashion. The compensating control is to employ hardware, software and procedural controls over the data stores. 8. One example is the reduction in the time it takes to record the receipt of inventory into the inventory records which are used to inform customers whether their requested item is available. Also, the inventory levels are also reduced more quickly for those inventories which are being shipped and are a reduction in the inventory levels. With reduced time lag, the risk that an item will be promised to be shipped to another customer when it is not available is greatly reduced. Further, the automated system will be less likely to pay an invoice too early, while at the same time not missing the discount period. Thus, cash management is improved. 9. The exact structure of the job ticket will vary, depending on the type of goods or services required. For example, the landlord may open a job ticket in response to the request of to have a room in his or her apartment repainted. The landlord will prepare the ticket in a manner that documents the task to be completed, the materials necessary to accomplish the job, the amount of time needed to manage the repainting, and the expense involved in successfully executing the task. In this application, the job ticket essentially functions as not only a record of the customer request, but also as the escalation list of the steps necessary to complete the job, and a record of how much it will cost the landlord to comply with the request. 10. Sequential files are appropriate because most if not all payroll records on the master payroll file are updated during the payroll processing run.

CHAPTER 11: ENTERPRISE RESOURCE PLANNING SYSTEM

1. Online transaction processing ( OLTP ) is a process consisting of large numbers of relatively simple transactions while Online analytical processing ( OLAP ) is a branch of ERP that includes decision support, modeling, information retrieval, ad hoc reporting/analysis, and what-if analysis.

2. In a two-tier model, the server handles both application and database while three-tier model, the database and application functions are separated. 3. Many organizations have found that ERP software alone cannot drive all the processes of the company. These firms use a variety of bolt-on software that third-party vendors provide. 4. The least risky approach is to choose a bolt-on that is endorsed by the ERP vendor. 5. Because of the vast size of a data warehouse, such inefficiency can be devastating. A three-way join between tables in a large data warehouse may take an unacceptably long time to complete and may be unnecessary. 6. Once loaded into the warehouse, data are accessible via various query and analysis tools that are used for data mining. Data mining is the process of selecting, exploring, and modeling large amounts of data to uncover relationships and patterns that exist in large databases but are hidden among the vast number of facts. This involves sophisticated techniques that use database queries and artificial intelligence to model real-world phenomena from data collected from the warehouse. 7. Wherever possible, therefore, normalized tables pertaining to selected events may be consolidated into denormalized tables. 8. Data cleansing involves filtering out or repairing invalid data prior to being stored in the warehouse. 9. A data warehouse that contains the most frequently requested summary views of data can reduce the amount of processing time during analysis. Unlike, operational views, which are virtual in nature with underlying base tables, data warehouse views are physical tables. 10. Drill-down capability is an OLAP feature of data mining tools available to the user. Tools for data mining are evolving rapidly to satisfy the decision makers need to understand the business units behavior in relation to key entities including customers, suppliers, employees, and products. 11. Most ERP implementation failures are the result of cultural problems within the firm that stand in opposition to the objective of process reengineering. 12. Because ERP systems are prefabricated systems users need to determine whether a particular ERP fits their organizations culture and its business processes. 13. Size with no other changes to the system, if database size increases by a factor of x, then query response time will increase by no more than a factor of x in a scalable system. Speed an increase in hardware capacity by a factor of x will decrease query response time by no less than a factor of x in a scalable system.

Workload if workload in a scalable system is increased by a factor of x, then response time, or throughput, can be maintained by increasing hardware capacity by a factor of no more than x. Transaction cost in a scalable system, increases in workload do not increase transaction cost. Therefore, an organization should not need to increase system capacity faster than demand. 14. SAP software was the leading ERP software, providing comprehensive functions that integrate virtually all major business processes within the enterprise. 15. Centralized organizations with highly integrated business units may need a single global ERP system that is accessed via the internet or private lines from around the world to consolidate data from subsidiary systems. A server failure under this model could leave the entire organization unable to process transactions. To control against this, two linked servers may be connected in redundant backup mode. All production processing is done on one server. If it fails, processing is automatically transferred to the other server. Organizations that want more security and resilience may arrange servers in a cluster of three or more that dynamically share the workload. Processing can be redistributed if one or more of the servers in the cluster fail. 16. Decentralized organizations whose organizational units are autonomous and do not share common customers, suppliers, or product lines often choose to install regional servers. This approach permits independent processing and spreads the risk associated with server failure. 17. Most OLAP software will, however, permit the user to construct virtual views from detail when one does not already exist. While drill-down analysis begins with the summary views of data described previously. When anomalies or interesting trends are observed, the user drills down to lower-level views and ultimately into the underlying detail data. 18. Slicing and dicing is the process that enables the user to examine data from different viewpoint. 19. An oft-cited problem in ERP environment is that roles tend to proliferate to a point at which their numbers actually exceed the number of employees in the organization. 20. Access privileges (permissions) should be granted on a need-to-know basis only. Nevertheless, ERP users tend to accumulate unneeded permissions over time. This is often due to two problems: 1. Managers fail to exercise adequate care in assigning permissions as part of their role-granting authority. Because managers are not always experts in internal controls they may not recognize when excessive permissions are awarded to an individual. 2. Managers tend to be better at issuing privileges than removing them. As a result, an individual may retain unneeded access privileges from a previous job assignment that creates a segregation of duties violation when combined with a newly assigned role 21. 1. View the current and historical inventory of roles, permissions granted and the individuals assigned to roles.

2. Identify unnecessary or inappropriate access entitlements and segregation-of-duties violations. 3. Verify that changes to roles and entitlements have been successfully implemented.

CHAPTER 12: BUSINESS ETHICS, FRAUD , AND FRAUD DETECTION

1. Legal issues have a specific law behind them, which will result in legal consequences if you don't obey it. Ethical issues on the other hand, have no force of law, but are of a nature that affects the society around you, or has consequences for the people involved. 2. Corporate involvement in socially responsible behavior may require costs necessary for the profitability of the organization. Although these costs may place the latter at a disadvantage in a competitive market, it can be a source of long-term health for the organization. 3. The company should not tolerate this kind of unethical business practice. John, the operationslevel manager, should report it directly to the concerned upper-level management so that these ethical violations meet disciplinary measures. 4. Strong internal control structure does not totally eliminate fraud; it can only minimize the presence of fraud. It is still up to the people in the organization if they will obey the ethics schema implemented. 5. Employee fraud or fraud by non-management employees is generally designed to directly convert cash or other assets to the employees personal benefit while management fraud is more insidious than the former because it often escapes detection until the organization suffered irreparable damage or loss. 6. Computer fraud is hard to be detected and prevented because it is not easily traceable and that this kind of fraud is not well defined. Computer fraud includes the following: The theft, misuse, or misappropriation of assets by altering computer-readable records and files. The theft, misuse, or misappropriation of assets by altering the logic of computer software. The theft or illegal use of computer-readable information. The theft, corruption, illegal copying, or intentional destruction of computer software. The theft, misuse, or misappropriation of computer hardware.

7. SOX require all audit committee members to be independent and require the audit committee to hire and oversee the external auditors. Two significant provisions of the act relate to corporate governance: The public companies are prohibited from making loans to executive officers and directors and, The act requires attorneys to report evidence of a material violation of securities laws or breaches of fiduciary duty to the CEO, CFO, or the PCAOB.

8. Exposure is the disclosure of something secret and firms may tolerate this exposure to unmask an impostor or a fraud or a scandal especially about public figures. 9. Detective controls are only designed to identify and expose undesirable events and errors. Corrective controls are necessary to reverse the effects of errors detected in the previous step. 10. Non accounting services that external auditors are not permitted to render to audit clients: Bookkeeping or other services related to the accounting records or financial statements. Financial information systems design and implementation. Appraisal or valuation services, fairness opinions, or contribution-in-kind reports. Actuarial services. Internal audit outsourcing services. Management functions or human resources. Broker or dealer, investment adviser, or investment banking services. Legal services and expert services unrelated to the audit. Any other service that the PCAOB determines is impermissible.

11. A firm with only few employees should rely on general authority since specific authority is applicable to a firm with a greater number of employees. 12. Reporting directly to the controller of the internal auditing function is an effective control mechanism in evaluating the organizations internal control structure because it will minimize fraud. 13. Paycheck preparation and distribution to employees must be segregated because if not, it will lead to a fraudulent act. For example, a supervisor keeps an employee on the payroll that has left the organization. Each week, the supervisor continues to submit time cards to the payroll department as if the employee was still working for the victim organization, and the supervisor is the one who also distributes paychecks to the employees.

14. Fraud must be proved by showing that the defendant's actions involved five separate conditions: a false statement of a material fact, knowledge on the part of the defendant that the statement is untrue, intent on the part of the defendant to deceive the alleged victim, justifiable reliance by the alleged victim on the statement, and Injury to the alleged victim as a result.

15. Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome) while Exposure is the probability or threat of a damage, injury, liability, loss, or other negative occurrence that is caused by external or internal vulnerabilities, and that may be neutralized through preemptive action. 16. Characteristics of management fraud: The fraud is perpetrated at levels of management above the one to which internal control structures generally relate. The fraud frequently involves using the financial statements to create an illusion that an entity is healthier and more prosperous than, in fact, it is. If the fraud involves misappropriation of assets, it frequently is shrouded in a maze of complex business transactions, often involving related third parties.

17. Personal traits of managers and other employees that might help uncover fraudulent activity: Integrity. It is regarded as the honesty and truthfulness or accuracy of one's actions. Objectivity. Just, unbiased and not influenced by emotions or personal prejudices. Independent. Not influenced or controlled by others in matters of opinion or conduct.

18. Two examples of employee fraud: Lapping. The cash receipts clerk first steals and cashes a check from customer A. to conceal the accounting imbalance caused by the loss of the asset, customer As account is not credited. Later, the employee uses a check received from customer B and applies it to As account. Funds received in the next period from customer C are then applied to the account of customer B, and so on. Fictitious expenses. A company salesman files false expense reports, claiming meals, lodging, and travel that never occurred.

19. Bribery involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties. Illegal gratuity involves giving, receiving, offering, or soliciting something of value because of an official act that has been taken. Economic extortion is the use of force by an individual or organization to obtain something of value. 20. Three forms of computer fraud: Masquerading. Involves a perpetrator gaining access to the system from a remote site by pretending to be an authorized user. Piggybacking. A technique in which the perpetrator at a remote site taps into the telecommunications lines and batches onto an authorized user who is logging into the system. Eavesdropping. Involves listening to output transmission lines.

21. Skimming involves stealing cash from an organization before it is recorded on the organizations books and records while Cash Larceny involves schemes where cash receipts are stolen from an organization after they have been recorded in the organizations books and records. 22. A shell company fraud first requires that the perpetrator establish a false supplier on the books of the victim company while a pass-through fraud is similar to the former except that a transaction actually takes place. 23. Computer ethics issues of privacy, security, and property ownership of interest because the use of information technology in business is of concerned to accountants and computers are susceptible of computer crimes. 24. In terms of gender, women are not fundamentally more honest than men, but men occupy high corporate positions in greater numbers than women. This affords men greater access to assets. In terms of education, generally those with more education occupy higher positions in the organizations and therefore have greater access to company funds and other assets. 25. Collusion between employees and management in the commission of a fraud is difficult to both prevent and detect because when management, whom relied upon to prevent and detect fraud among their subordinates, participate in fraud with the employees over whom they are supposed to provide oversight, the organizations control structure is weakened and the company becomes more vulnerable to losses.

26. Fraudulent statement itself must bring direct or indirect financial benefit to the perpetrator. For example, understating liabilities to present a more favorable financial picture of the organization to drive up stock prices. 27. Lack of Auditor Independence. The firms are essentially auditing their own work. The risk is that as auditors, they will not bring to managements attention detected problems that may adversely affect their consulting fees. For example, Enrons auditors, Arthur Andersen, were also their internal auditors and their management consultant. 28. Lack of Director Independence. Many Board of Directors are composed of individuals who are not independent. Examples are directors who have a personal relationship by serving on the boards of other directors companies; have a business trading relationship as key customers suppliers of the company; or have a financial relationship as primary stockholder or have received personal loans from the company. 29. Questionable Executive Compensation Scheme. A Thomsons Financial Survey revealed the strong belief that executives have abused stockbased compensation. The consensus is that fewer stock options should be offered than currently is the practice. Excessive use of short term stock options to compensate directors and executives may result in short term thinking and strategies aimed at driving up stock prices at the expense of the firms long term health. 30. Inappropriate Accounting Practices. A characteristic common to many financial statement fraud scheme. For example, Enron made elaborate use of special purpose entities to hide liabilities through off-balance sheet accounting. 31. The Public Company Accounting Oversight Board (PCAOB) is a private-sector, non-profit corporation created by the SarbanesOxley Act, a 2002 United States federal law, to oversee the auditors of public companies. Its stated purpose is to "protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports". 32. An audit committee typically serves as the liaison among the board of directors, external auditors, internal auditors, and financial management. Generally, the audit committee's purpose is to assist the board in overseeing the: Reliability of the entity s financial statements and disclosures. Effectiveness of the entity s internal control and risk management systems.

Compliance with the entitys code of business conduct, and legal and regulatory requirements. Independence, qualifications, and performance of the external auditors and the performance of the internal audit activity.

33. Issuer and Management Disclosure. Public companies must report all off-balance-sheet transactions. Annual reports filed with the SEC must include a statement by management, asserting that it is responsible for creating and maintaining adequate internal controls and asserting to the effectiveness of the control. Officers must certify that the companys accounts fairly present the firms financial condition and results of operations. Knowingly filing a false certification is a criminal offense.

34. Physical or human controls are prone to errors and thus must be of concerned to accountants.