D217 Chapter 3 (course chatter)

Assessing the effectiveness of an organization's internal controls (Section 404 of SOX) entails providing an annual report addressing what 5 points?

1) A statement of management's responsibility for establishing and maintaining adequate internal control. 2) An assessment of the effectiveness of the company's internal controls over financial reporting. 3) A statement that the organization's external auditors have issued an attestation report on management's assessment of the company's internal controls. 4) An explicit written conclusion as to the effectiveness of internal control over financial reporting. 5) A statement identifying the framework used in the assessment of internal controls.

A public company may disclose its code of ethics in what 3 ways?

1) By including the code as an exhibit to its annual report. 2) By posting the code to the company website. 3) Be agreeing to provide copies of the code upon request.

The SEC has ruled that compliance with Section 406 necessitates a written code of ethics that addresses what 5 ethical issues?

1) Conflicts of Interest 2) Full and Fair Disclosures 3) Legal Compliance 4) Internal Reporting of Code Violations 5) Accountability

What are the 5 components of the COSO framework?

1) Control Environment 2) Risk Assessment 3) Information and Communication 4) Monitoring 5) Control Activities

Weaknesses in internal control may expose the firm to one of more of what 4 risks?

1) Destruction of assets (both physical assets and information). 2) Theft of assets. 3) Corruption of information or the information system. 4) Disruption of the information system.

Ethical issues in business can be divided into what 4 areas?

1) Equity 2) Rights 3) Honesty 4) Exercise of Corporate Power

Business ethics involves finding the answers to what 2 questions?

1) How do managers decide what is right in conducting their business? 2) Once managers have recognized what is right, how do they achieve it?

What are some conditions that could predispose the management of an organization to commit fraud? (4 examples)

1) Lack of sufficient working capital 2) Adverse industry conditions 3) Bad credit ratings 4) The existence of extremely restrictive conditions in bank or indenture agreements.

One researched defined what 3 levels of computer ethics?

1) Pop 2) Para 3) Theoretical

The internal control shield is composed of what 3 layers of control?

1) Preventive Controls 2) Detective Controls 3) Corrective Controls

Name 8 issues of concern for students of accounting information systems.

1) Privacy 2) Security (Accuracy and Confidentiality) 3) Ownership of Property 4) Equity in Access 5) Environmental Issues 6) Artificial Intelligence 7) Unemployment and Displacement 8) Misuse of Computers

Management Responsibility

Concept under which the responsibility for the establishment and maintenance of a system of internal control falls to management. *This point is made eminent in SOX legislation.

Computer Ethics

Analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology. Includes details about software as well as hardware and concerns about networks connecting computers as well as computers themselves.

Reasonable Assurance

Assurance provided by the internal control system that the four broad objectives of internal control are met in a cost-effective manner. This means that no system of internal control is perfect and the cost of achieving improved control should not outweigh its benefits.

Security

Attempt to avoid such undesirable events as a loss of confidentiality or data integrity.

What is the important distinction between detective controls and corrective controls?

Detective controls identify anomalies and draw attention to them. Corrective controls actually fix the problem.

Detective controls reveal specific types of errors by comparing what 2 things?

Detective controls reveal specific types of error by comparing actual occurrences to preestablished standards.

Detective Controls

Devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.

The majority of risks can be blocked at the preventive level. True or False?

True Not all problems, however, can be anticipated and prevented.Some will elude the most comprehensive network of preventive controls.

Although computer programs are a new type of asset, many believe that these programs should be considered no differently from other forms of property. True or False?

True Some argue that all pertinent ethical issues have already been examined in some other domain. For example, the issue of property rights has been explored and has resulted in copyright, trade secret, and patent laws.

Internal controls should achieve the four broad objectives of the internal control system regardless of the data processing method used. True or False?

True The control techniques used to achieve these objectives will vary with different types of technology.

Sarbanes-Oxley legislation requires management of public companies to implement an adequate system of internal controls over their financial reporting process. True or False?

True This includes controls over transaction processing systems that feed data to the financial reporting systems. Management's responsibilities for this are codified in Sections 302 and 404 of SOX.

Equity in Access (1 of the 8 issues of concern for students of AIS) (information)

· Some barriers to access are intrinsic to the technology of information systems, but some are avoidable through careful system design. · Several factors, some of which are not unique to information systems, can limit access to computing technology. · The economic status of the individual or the affluence of an organization will determine the ability to obtain information technology. · Culture also limits access. - For example, when documentation is prepared in only one language or is poorly translated. Safety features, or the lack thereof, have limited access to pregnant women, for example.

Internal Reporting of Code Violations

· The code of ethics must provide a mechanism to permit prompt internal reporting of ethics violations. · This provision is similar in nature to Sections 301 and 806, which were designed to encourage and protect whistle-blowers. · Employee ethics hotlines are emerging as the mechanism for dealing with these related requirements. - Because SOX requires this function to be confidential, many companies are outsourcing their employee hotline service to independent vendors.

Conflicts of Interest

· The company's code of ethics should outline procedures for dealing with actual or apparent conflicts of interest between personal and professional relationships. · Note that the issue here is in dealing with conflicts of interest, not prohibiting them. · Although avoidance is the best policy, sometimes conflicts are unavoidable. · Thus, one's handling and full disclosure of the matter becomes the ethical concern. - Managers and employees alike should be made aware of the firm's code of ethics, be given decision models, and participate in training programs that explore conflict of interest issues.

Control Environment

· The foundation of internal control. · The foundation for the other four control components. - The control environment sets the tone for the organization and influences the control awareness of its management and employees.

Full and Fair Disclosures

· This provision states that the organization should provide full, fair, accurate, timely, and understandable disclosures in the documents, reports, and financial statements that it submits to the SEC and to the public. · Overly complex and misleading accounting techniques were used to camouflage questionable activities that lie at the heart of many recent financial scandals. The objective of this rule is to ensure that future disclosures are candid, open, truthful, and void of such deceptions.

Ownership of Property (1 of the 8 issues of concern for students of AIS) (trigger questions)

· What can an individual own? Ideas? Media? Source code? Object code? · Should owners and users be constrained in their use or access? · Should the look and feel of a software package be granted copyright protection? - Does software fit with the current categories and conventions regarding ownership?

Security (Accuracy and Confidentiality) (1 of the 8 issues of concern for students of AIS) (trigger questions)

· Which is the more important goal? · Automated monitoring can be used to detect intruders or other misuse, yet it can also be used to spy on legitimate users, thus diminishing their privacy. Where is the line to be drawn? · What is an appropriate use and level of security? - Which is most important: security, accuracy, or confidentiality?

Artificial Intelligence (1 of the 8 issues of concern for students of AIS) (trigger questions)

· Who is responsible for the completeness and appropriateness of the knowledge base? · Who is responsible for a decision made by an expert system that causes harm when implemented? - Who owns the expertise once it is coded into a knowledge base?

The COSO framework was the basis for SAS 109, which was developed for auditors and describes what?

It describes the complex relationship between a firm's internal controls, the auditor's assessment of risk, and then planning of audit procedures.

Control Weaknesses

It increases the firm's risk to financial loss or injury from the threats.

Name 4 risks to a firm's assets.

1. Attempts at unauthorized access to the firm's assets. 2. Attempts at fraud perpetrated by persons both inside and outside the firm. 3. Errors due to employee incompetence, faulty computer programs, and corrupted input data. 4. Malicious acts such as unauthorized access by computer hackers, malware, and computer viruses that destroy programs and databases.

Name 4 examples of techniques that may be used to obtain an understanding of the control environment.

1. Auditors should assess the integrity of the organization's management and may use investigative agencies to report on the backgrounds of key managers. 2. Auditors should be aware of conditions that would predispose the management of an organization to commit fraud. 3. Auditors should understand a client's business and industry and should be aware of conditions peculiar to the industry that may affect the audit. 4. The board of directors should adopt, as a minimum, the provisions of SOX.

Rights (1 of the 4 ethical issues areas in business) Identify 7 business practices and decisions that have ethical implications.

1. Corporate due process 2. Employee health screening 3. Employee privacy 4. Sexual harassment 5. Diversity 6. Equal employment opportunity 7. Whistle-blowing

Honesty (1 of the 4 ethical issues areas in business) Identify 5 business practices and decisions that have ethical implications.

1. Employee and management conflicts of interest 2. Security of organization data and records 3. Misleading advertising 4. Questionable business practices in foreign countries 5. Accurate reporting of shareholder interests

Equity (1 of the 4 ethical issues areas in business) Identify 3 business practices and decisions that have ethical implications.

1. Executive salaries 2. Comparable worth 3. Product pricing

Inherent in the internal control system objectives are what 4 modifying assumptions that guide designers and auditors of internal controls?

1. Management Responsibility 2. Reasonable Assurance 3. Methods of Data Processing 4. Limitations

Exercise of Corporate Power (1 of the 4 ethical issues areas in business) Identify 7 business practices and decisions that have ethical implications.

1. Political action committees 2. Workplace safety 3. Product safety 4. Environmental issues 5. Divestment of interests 6. Corporate political contributions 7. Downsizing and plant closures

Name 8 important elements of the control environment.

1. The integrity and ethical values of management. 2. The structure of the organization. 3. The participation of the organization's board of directors and the audit committee, if one exists. 4. Management's philosophy and operating style. 5. The procedures for delegating responsibility and authority. 6. Management's methods for assessing performance. 7. External influences, such as examinations by regulatory agencies. 8. The organization's policies and practices for managing its human resources.

Every system of internal control has limitations on its effectiveness. Name 4 of those limitations.

1. The possibility of error - no system is perfect. 2. Circumvention - personnel may circumvent the system through collusion or other means. 3. Management override - mgmt is in a position to override control procedures by personally distorting transactions or by directing a subordinate to do so. 4. Changing conditions conditions may change over time and render existing controls ineffective.

Which is more cost effective? A. preventing errors and fraud, or B. detecting and correcting problems after they occur?

A When designing internal control systems, an ounce of prevention is most certainly worth a pound of cure. Preventing errors and fraud is far more cost-effective than detecting and correcting problems after they occur.

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

A joint initiative of the five private sector organizations listed on the left and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.

Corrective Controls

Actions taken to reverse the effects of errors detected.

Minimize Risk (in regard to proportionality)

Even if judged acceptable by the principles, the decision should be implemented so as to minimize all of the risks and avoid any unnecessary risks.

Detective controls form the third and final line of defense. True or False?

False 1st line of defense: Preventive controls 2nd line of defense: Detective controls 3rd line of defense:Corrective controls

Very few disagree with the notion that intellectual property is basically the same as real property. True or False?

False A large contingent vociferously disagrees with the premise that computers are no different from other technologies, and that intellectual property is no different than real property. There is, as yet, no consensus on this matter.

A company's code of ethics only applies to the executive and financial officers. True or False?

False Although Section 406 applies specifically to executive and financial officers of a company, a company's code of ethics should apply equally to all employees.

Ethical standards are derived from societal mores and deep-rooted personal beliefs about issues of right and wrong that are universally agreed upon. True or False?

False Ethical standards are derived from societal mores and deep-rooted personal beliefs about issues of right and wrong that are NOT universally agreed upon. It is quite possible for two individuals, both of whom consider themselves to be acting ethically, to be on opposite sides of an issue.

For any detected error, there is only one feasible corrective action. True or False?

False For any detected error, there may be more than one feasible corrective action.

SAS 102 requires that auditors obtain sufficient knowledge to assess the attitude and awareness of the organization's management, board of directors, and owners regarding internal control. True or False?

False SAS 109 (no 102) requires that auditors obtain sufficient knowledge to assess the attitude and awareness of the organization's management, board of directors, and owners regarding internal control.

The PDC (preventive-detective-corrective) control model is conceptually complete and offers practical guidance for designing specific controls. True or False?

False The PDC control model is conceptually complete but offers little practical guidance for designing specific controls. For this, we need a more precise framework.

The best course of action to correct an error is usually obvious. True or False?

False The best course of action may not always be obvious.

If a public company has not adopted a code of ethics, per Section 604 of SOX, it must explain why. True or False?

False The code of ethics for senior financial officers, and the whole company by extension, is referenced in Section 406 of SOX.

The reputation and integrity of a company's managers are minor factors in determining the auditability of an organization. True or False?

False The reputation and integrity of a company's managers are critical factors in determining the auditability of an organization.

The use of information technology in business has had a negligible impact on society. True or False?

False The use of information technology in business has had a major impact on society and thus raises significant ethical issues regarding computer crime, working conditions, privacy, and more.

Top management's attitude toward ethics sets the tone for business practice, and management alone is responsible for upholding a firm's ethical standards. True or False?

False Top management's attitude toward ethics sets the tone for business practice, but it is also the responsibility of lower-level managers and nonmanagers to uphold a firm's ethical standards.

Privacy

Full control of what and how much information about an individual is available to others and to whom it is available.

Preventive Controls

Passive techniques designed to reduce the frequency of occurrence of undesirable events.

Business Ethics

Pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong.

Internal Control System

Policies a firm employs to safeguard the firm's assets, ensure accurate and reliable accounting records and information, promote efficiency, and measure compliance with established policies.

How do preventive controls screen out aberrant events?

Preventive controls force compliance with prescribed or desired actions and thus screen out aberrant events.

Ethics

Principles of conduct that individuals use in making choices that guide their behavior in situations involving the concepts of right and wrong.

Ethical Responsibility

Responsibility of organization managers to seek a balance between the risks and benefits to their constituents that result from their decisions.

What is required under Section 302 of SOX?

Section 302 requires that corporate management (including the CEO) certify the organization's internal controls on a quarterly and annual basis.

What is required under Section 404 of SOX?

Section 404 requires the management of public companies to assess the effectiveness of the organization's internal controls.

What does Section 406 of SOX require of public companies?

Section 406 - Code of Ethics for Senior Financial Officers Section 406 of SOX requires public companies to disclose to the SEC whether they have adopted a code of ethics that applies to the organization's chief executive officer (CEO), chief financial officer (CFO), controller, or persons performing similar functions.

Unemployment and Displacement (1 of the 8 issues of concern for students of AIS) (trigger questions)

Should employers be responsible for retraining workers who are displaced as a result of the computerization of their functions?

Ownership

State or fact of exclusive rights and control over property, which may be an object, land/real estate, intellectual property, or some other kind of property.

If cause for serious reservations comes to light about the integrity of a client, what should the auditor do?

The auditor should withdraw from the audit.

Proportionality

The benefit from a decision must outweigh the risks. Furthermore, there must be no alternative decision that provides the same or greater benefit with less risk.

Justice (in regard to proportionality)

The benefits of the decision should be distributed fairly to those who share the risks. Those who do not benefit should not carry the burden of risk.

Statement on Auditing Standards (SAS) No. 109

The current authoritative document for specifying internal control objectives and techniques. It is based on the COSO framework.

How is a well-designed source document an example of a preventive control?

The logical layout of the document into zones that contain specific data, such as customer name, address, items sold, and quantity, forces the clerk to enter the necessary data. The source documents can therefore prevent necessary data from being omitted.

Theoretical (3rd level of computer ethics)

Theoretical computer ethics is of interest to multidisciplinary researchers who apply the theories of philosophy, sociology, and psychology to computer science with the goal of bringing some new understanding to the field.

Auditors cannot function properly in an environment in which client management is deemed unethical and corrupt. True or False?

True

Ethical issues are often confused with legal issues. True or False?

True

Some of the "Big Four" public accounting firms employ former FBI agents whose primary responsibility is to perform background checks on existing prospective clients. True or False?

True

The purpose of internal control is to mitigate risk. True or False?

True

Prevention is the first line of defense in the control structure. True or False?

True 1st line of defense: Preventive controls 2nd line of defense: Detective controls 3rd line of defense:Corrective controls

Business organizations have conflicting responsibilities to their employees, shareholders, customers, and the public. True or False?

True Every major decision has consequences that potentially harm or benefit these constituents. Seeking a balance between these consequences is the managers' ethical responsibility. For example: Implementing a new computer information system within an organization may cause some employees to lose their jobs, while those who remain enjoy the benefit of improved working conditions.

Linking a corrective action to a detected error, as an automatic response, may result in an incorrect action that causes a worse problem than the original error. True or False?

True For this reason, error correction should be viewed as a separate control step that should be taken cautiously.

Both the PCAOB and the SEC have endorsed the framework put forward by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). True or False?

True Furthermore, they require that any other framework used should encompass all of COSO's general themes.

Ethical violations can occur throughout an organization from the boardroom to the receiving dock. True or False?

True Methods must therefore be developed for including all management and employees in the firm's ethics schema.

Artificial Intelligence (1 of the 8 issues of concern for students of AIS) (information)

· A new set of social and ethical issues has arisen out of the popularity of expert systems. · Because of the way these systems have been marketed—that is, as decision makers or replacements for experts—some people rely on them significantly. · Therefore, both knowledge engineers (those who write the programs) and domain experts (those who provide the knowledge about the task being automated) must be concerned about their responsibility for faulty decisions, incomplete or inaccurate knowledge bases, and the role given to computers in the decision-making process. Further, because expert systems attempt to clone a manager's decision-making style, an individual's prejudices may implicitly or explicitly be included in the knowledge base.

Accountability

· An effective ethics program must take appropriate action when code violations occur. · This will include various disciplinary measures, including dismissal. · Employees must see an employee hotline as credible, or they will not use it. · Section 301 directs the organization's audit committee to establish procedures for receiving, retaining, and treating such complaints about accounting procedures and internal control violations. - Audit committees will also play an important role in the oversight of ethics enforcement activities.

Legal Compliance

· Codes of ethics should require employees to follow applicable governmental laws, rules, and regulations. · We must not confuse ethical issues with legal issues. · Nevertheless, doing the right thing requires sensitivity to laws, rules, regulations, and societal expectations. To accomplish this, organizations must provide employees with training and guidance.

Environmental Issues (1 of the 8 issues of concern for students of AIS) (information)

· Computers with high-speed printers allow for the production of printed documents faster than ever before. · It is probably easier just to print a document than to consider whether it should be printed and how many copies really need to be made. · It may be more efficient or more comforting to have a hard copy in addition to the electronic version. - Paper, however, comes from trees, which are a precious natural resource that ends up in landfills if not properly recycled.

Misuse of Computers (1 of the 8 issues of concern for students of AIS) (information)

· Copying proprietary software, using a company's computer for personal benefit, and snooping through other people's files are just a few obvious examples of computer misuse. - Although copying proprietary software (except to make a personal backup copy) is clearly illegal, it is commonly done.

Equity in Access (1 of the 8 issues of concern for students of AIS) (trigger questions)

· How can hardware and software be designed with consideration for differences in physical and cognitive skills? · What is the cost of providing equity in access? - For what groups of society should equity in access become a priority?

Ownership of Property (1 of the 8 issues of concern for students of AIS) (information)

· Laws designed to preserve real property rights have been extended to cover what is referred to as intellectual property, that is, software. · Copyright laws have been invoked in an attempt to protect whose who develop software from having it copied. · Many believe the copyright laws can cause more harm than good. · Although the purpose of copyrights is to promote the progress of science and the useful arts, allowing a user interface the protection of copyright may do just the opposite. · The best interest of computer users is served when industry standards emerge; copyright laws work against this. Part of the problem lies in the uniqueness of software, its ease of dissemination, and the possibility of exact replication.

Unemployment and Displacement (1 of the 8 issues of concern for students of AIS) (information)

· Many jobs have been and are being changed as a result of the availability of computer technology. People unable or unprepared to change are displaced.

Sarbanes-Oxley Act (SOX)

· Most significant federal securities law, with provisions designed to deal with specific problems relating to capital markets, corporate governance, and the auditing profession. · a.k.a. the American Competitiveness and Corporate Accountability Act of 2002 - Most significant securities law since the Securities and Exchange Commission (SEC) Acts of 1933 and 1934.

Para (2nd level of computer ethics)

· Para computer ethics involves taking a real interest in computer ethics cases and acquiring some level of skill and knowledge in the field. · All systems professionals need to reach this level of competency so they can do their jobs effectively. Students of accounting information systems should also achieve this level of ethical understanding.

Privacy (1 of the 8 issues of concern for students of AIS) (information)

· People desire to be in full control of what and how much information about themselves is available to others, and to whom it is available. - This is the issue of privacy. · The creation and maintenance of huge, shared databases make it necessary to protect people from the potential misuse of data. This raises the issue of ownership in the personal information industry

Pop (1st level of computer ethics)

· Pop computer ethics is simply the exposure to stories and reports found in popular media regarding the good or bad ramifications of computer technology. - Society at large needs to be aware of such things as computer viruses, and computer systems designed to aid handicapped persons.

Environmental Issues (1 of the 8 issues of concern for students of AIS) (trigger questions)

· Should organizations limit nonessential hard copies? · Can nonessential be defined? · Who can and should define it? · Should proper recycling be required? - How can it be enforced?

Privacy (1 of the 8 issues of concern for students of AIS) (trigger questions)

· Should the privacy of individuals be protected through policies and systems? · What information about oneself does the individual own? - Should firms that are unrelated to individuals buy and sell information about these individuals without their permission?

Misuse of Computers (1 of the 8 issues of concern for students of AIS) (trigger questions)

· Why do people think that it is not necessary to obey the law regarding the copying of propriety software? · Are there any good arguments for trying to change the law regarding the copying of propriety software? · What harm is done to the software developer when people make unauthorized copies? · A computer is not an item that deteriorates with use, so is there any harm to the employer if it is used for an employee's personal benefit? · Does it matter if the computer is used during company time or outside of work hours? · Is there a difference if some profit-making activity takes place rather than, for example, using the computer to write a personal letter? · Does it make a difference if a profit-making activity takes place during or outside working hours? · Is it okay to look through paper files that clearly belong to someone else? - Is there any difference between paper files and computer files?

Security (Accuracy and Confidentiality) (1 of the 8 issues of concern for students of AIS) (information)

·Computer security is an attempt to avoid such risks as a loss of confidentiality or data integrity. ·Security systems attempt to prevent fraud and other misuse of computer systems; they act to protect and further the legitimate interests of the system's constituencies. ·The ethical issues involving security arise from the emergence of shared, computerized databases that have the potential to cause irreparable harm to individuals by disseminating inaccurate information to authorized users, such as through incorrect credit reporting. ·There is a similar danger in disseminating accurate information to persons unauthorized to receive it. ·Increasing security, however, can actually cause other problems. For example, security can be used both to protect personal property and to undermine freedom of access to data, which may have an injurious effect on some individuals.