Accounting Information Systems

Accounting Information System
Tutorial 3 Answers
5.4

Environmental, institutional, or individual pressures and opportune situations, which are present to some degree in all companies, motivate individuals and companies to engage in fraudulent financial reporting. Fraud prevention and detection require that pressures and opportunities be identified and evaluated in terms of the risks they pose to a company.
Adapted from the CMA Examination.
a.

Identify two company pressures that would increase the likelihood of fraudulent financial reporting.














b.

Sudden deceases in revenue or market share
Financial pressure from bonus plans that depend on short-term economic performance Intense pressure to meet/exceed earnings expectations or improve reported performance Significant cash flow problems; unusual difficulty collecting receivables or paying payables
Heavy losses, high or undiversified risk, high dependence on debt, or unduly restrictive debt covenants
Heavy dependence on new or unproven product lines
Severe inventory obsolescence or excessive inventory buildup
Highly unfavorable economic conditions (inflation, recession)
Litigation, especially management vs. shareholders
Impending business failure or bankruptcy
Problems with regulatory agencies
Unusual spikes in interest rates
Poor or deteriorating financial position

Identify three corporate opportunities that make fraud easier to commit and detection less likely.











Weak or nonexistent internal controls
Failure to enforce/monitor internal controls
Management not involved in control system or overriding controls
Unusual or complex transactions such as the consolidation of two companies
Accounting estimates requiring significant subjective judgment by management
Managerial carelessness, inattention to details
Dominant and unchallenged management
Ineffective oversight by board of directors
Nonexistent or ineffective internal auditing staff
Insufficient separation of authorization, custody, and record-keeping duties
6-1

Accounting Information Systems










Inadequate supervision or too much trust in key employees
Unclear lines of authority
Lack of proper authorization procedures
No independent checks on performance or infrequent third-party reviews
Inadequate documents and records
Inadequate system for safeguarding assets
No physical or logical security system
No audit trails

The list show here can be augmented by the items in Table 5-4 listed in the Other
Factors column.
c. For each of the following, identify the external environmental factors that should

be considered in assessing the risk of fraudulent financial reporting.


The company’s industry o Specific industry trends such as overall demand for the industry's products, economic events affecting the industry, and whether the industry is expanding or declining. o Whether the industry is currently in a state of transition affecting management's ability to control company operations.



The company’s business environment o The continued viability of the company's products in the marketplace. o Sensitivity of the company's operations and profits to economic and political factors. 

The company’s legal and regulatory environment o The status of the company's business licenses or agreements, especially in light of the company's record of compliance with regulatory requirements. o The existence of significant litigation.

d.

What can top management do to reduce the possibility of fraudulent financial reporting? 



Set the proper tone to establish a corporate environment contributing to the integrity of the financial reporting process.
Identify and understand the factors that can lead to fraudulent financial reporting.
Assess the risk of fraudulent financial reporting that these factors can cause within the company.
6-2

Accounting Information Systems




Design and implement internal controls that provide reasonable assurance that fraudulent financial reporting is prevented, such as establishing an Internal Audit
Department that reports to the Audit Committee of the Board of Directors.
Enforce the internal controls
NOTE: Most fraudulent financial reporting fraud is perpetrated by top management, often by overriding internal controls. While some of the above controls in part d are more likely to prevent misappropriation of assets, they can still be useful for preventing or deterring fraudulent financial reporting.

6-3

Accounting Information Systems

5.6

An insurance company in Asia reported profit of $100 million for the financial year through the news-dissemination system of the stock exchange. Its stock price jumped by several times, as the announced profit was 10 times more than the previous year’s.
A few days later, the company announced a mistake in the released financial result, and stated that the correct profit should be $9.5 million. Regulatory bodies were asked to investigate if it was a trick used to manipulate stock prices. It was not clear who should be held responsible: the management, the accounting system or the auditor? a.

Is it an example of fraudulent financial reporting?
Answers will vary.

b.

What procedures could reduce the occurrence of such “mistakes”?

The Treadway Commission recommended four actions to reduce fraudulent financial reporting: 1. Establish an organizational environment that contributes to the integrity of the financial reporting process.
2. Identify and understand the factors that lead to fraudulent financial reporting.
3. Assess the risk of fraudulent financial reporting within the company.
4. Design and implement internal controls to provide reasonable assurance of preventing fraudulent financial reporting.

6-4

Accounting Information Systems
5.7

A bank auditor met with the senior operations manager to discuss a customer’s complaint that an auto loan payment was not credited on time. The customer said the payment was made on May 5, its due date, at a teller’s window using a check drawn on an account in the bank. On May 10, when the customer called for a loan pay-off balance so he could sell the car, he learned that the payment had not been credited to the loan. On May 12, the customer went to the bank to inquire about the payment and meet with the manager. The manager said the payment had been made on May
11. The customer was satisfied because no late charge would have been assessed until
May 15. The manager asked whether the auditor was comfortable with this situation.
The auditor located the customer’s paid check and found that it had cleared on May
5. The auditor traced the item back through the computer records and found that the teller had processed the check as being cashed. The auditor traced the payment through the entry records of May 11 and found that the payment had been made with cash instead of a check.
What type of embezzlement scheme is this, and how does it work?
Adapted from the CIA Examination
The circumstances are symptomatic of lapping, which is a common form of embezzlement by lower-level employees in positions that handle cash receipts.
In a lapping scheme, the perpetrator steals cash, such as a payment on accounts receivable by customer A. Funds received at a later date from customer B are used to pay off customer A's balance. Even later, funds from customer C are used to pay off B, and so forth. Since the time between the theft of cash and the subsequent recording of a payment is usually short the theft can be effectively hidden. However, the cover-up must continue indefinitely unless the money is replaced, since the theft would be uncovered if the scheme is stopped.

6-5

Accounting Information Systems

6.1

A few years ago, news began circulating about a computer virus named Michelangelo that was set to “ignite” on March 6, the birthday of the famous Italian artist. The virus attached itself to the computer’s operating system boot sector. On the magical date, the virus would release itself, destroying all of the computer’s data. When
March 6 arrived, the virus did minimal damage. Preventive techniques limited the damage to isolated personal and business computers. Though the excitement surrounding the virus was largely illusory, Michelangelo helped the computer-using public realize its systems’ vulnerability to outside attack.
a.

What is a computer virus? Cite at least three reasons why no system is completely safe from a computer virus.
A computer virus is a segment of executable code that attaches itself to an application program or some other executable component. When the hidden program is triggered, it makes unauthorized alterations in the way a system operates.
There are a number of reasons why no one is completely safe from a virus:




Viruses can spread very quickly. In a network environment, a virus can spread to thousands of systems in a relatively short period. When the virus is confined to a single machine or to a small network, it will soon run out of computers to infect.



Many viruses lie dormant for extended periods without doing any specific damage except propagating itself. The hidden program leaves no external signs of infection while it is reproducing itself.


b.

Viruses are contagious and are easily spread from one system to another. A virus spreads when users share programs or data files, download data from the Internet, or when they access and use programs from external sources such as suppliers of free software.

Many computer viruses have long lives because they can create copies of themselves faster than the virus can be destroyed.

Why do viruses represent a serious threat to information systems? What damage can a virus do to a computer system?
Viruses are a significant threat to information systems because they make unauthorized alterations to the way a system operates and cause widespread damage by destroying or altering data or programs. If adequate backup is not maintained, viral damage may also mean permanent loss of important or unique information, or time-consuming reentry of the lost information.
A virus can cause significant damage when it takes control of the computer, destroys the hard disk's file allocation table, and makes it impossible to boot (start) the system or to access data on a hard drive. They can also intercept and change transmissions, print disruptive images or messages on the screen, or cause the screen image to disappear. As the virus spreads, it takes up space, clogs communications, and hinders system performance.
6-6

Accounting Information Systems

c.

How does a virus resemble a Trojan horse?
A virus is like a Trojan horse in that it can lie dormant for extended periods, undetected until triggered by an event or condition.

d.

What steps can be taken to prevent the spread of a computer virus?
Focus 6-1 lists the following steps individuals can take to keep their computers virus free: 

Install reputable and reliable antivirus software that scans for, identifies, and destroys viruses. Only use one antivirus program, as multiple programs conflict with each other.



Do not fall for ads touting free anti-virus software, as much of it is fake and contains malware. Some hackers create websites stuffed with content about breaking news so that the site appears on the first page of search results. Anyone clicking on the link is confronted with a pop-up with a link to fake anti-virus software. 

Do not fall for pop-up notices that warn of horrible threats and offer a free scan of your computer. Although no scan actually takes place, the program reports dozens of dangerous infections and tells you to purchase and download their fake antivirus program to clean it up.

 Make sure that the latest versions of the antivirus programs are used. National
City Bank in Cleveland, Ohio, installed some new laptops. The manufacturer and the bank checked the laptops for viruses but did not use the latest antivirus software. A virus spread from the laptop hard drives to 300 network servers and
12,000 workstations. It took the bank over two days to eradicate the virus from all bank systems.
 Scan all incoming e-mail for viruses at the server level as well as when it hits users’ desktops.


Do not download anything from an email that uses noticeably bad English, such as terrible grammar and misspelled words. Real companies hire people to produce quality writing. Many viruses come from overseas. English is obviously not their first language.



All software should be certified as virus-free before loading it into the system. Be wary of software from unknown sources, as they may be virus bait—especially if their prices or functionality sound too good to be true.

 Deal with trusted software retailers.
 Some software suppliers use electronic techniques to make tampering evident.
Ask if the software you are purchasing has such protection.
 Check new software on an isolated machine with virus detection software.
Software direct from the publisher has been known to have viruses.
6-7

Accounting Information Systems

 Have two backups of all files. Data files should be backed up separately from programs to avoid contaminating backup data.
 If you use flash drives, diskettes, or CDs, do not put them in strange machines as they may become infected. Do not let others use those storage devices on your machine. Scan all new files with antiviral software before any data or programs are copied to your machine.

6-8

Accounting Information Systems

6.2

The controller of a small business received the following e-mail with an authenticlooking e-mail address and logo:
From:
To:
Subject:

Big Bank [antifraud@bigbank.com]
Justin Lewis, Controller, Small Business USA
Official Notice for all users of Big Bank!

Due to the increased incidence of fraud and identity theft, we are asking all bank customers to verify their account information on the following Web page: www.antifraudbigbank.com Please confirm your account information as soon as possible. Failure to confirm your account information will require us to suspend your account until confirmation is made.
A week later, the following e-mail was delivered to the controller:
From:
To:
Subject:

Big Bank [antifraud@bigbank.com]
Justin Lewis, Controller, Small Business USA
Official Notice for all users of Big Bank!

Dear Client of Big Bank,
Technical services at Big Bank is currently updating our software. Therefore, we kindly ask that you access the website shown below to confirm your data. Otherwise, your access to the system may be blocked. web.da-us.bigbank.com/signin/scripts/login2/user_setup.jsp We are grateful for your cooperation.
a.

What should Justin do about these e-mails?
This is an attempt to acquire confidential information so that it can be used for illicit purposes such as identity theft. Since the email looks authentic and appears authoritative, unsuspecting and naïve employees are likely to follow the emails instructions. Justin should:


Notify all employees and management that the email is fraudulent and that no information should be entered on the indicated website.



Delete the email without responding to its sender.



Launch an education program for all employees and management about computer fraud practices that could target their business.

6-9

Accounting Information Systems


b.

Notify Big Bank regarding the email.

What should Big Bank do about these e-mails?




Establish a quick and convenient method that encourages customers and employees to notify Big Bank of suspicious emails.



The warnings received by customers and employees should be investigated and remedial actions should be taken.



Notify and cooperate with law enforcement agencies so the perpetrator can be apprehended. 

c.

Immediately alert all customers about the email and ask them to forward any suspicious email to the bank security team. But this needs to be done via the bank’s web site, not by an email message. Banks need to consistently never use email in ways similar to this type of attack.

Notify the ISP from which the email originated, demanding that the perpetrator’s account be discontinued.

Identify the computer fraud and abuse technique illustrated.
This computer fraud and abuse technique is called phishing. Its purpose is to get the information need to commit identity theft. The perpetrator probably also used brand spoofing of Big Bank’s web site.

6-10