Transcript CIS-496 / I.S. Auditing - University of South Florida St
Pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong.
Business Ethics
How do managers decide on what is right in conducting business?
Once managers have recognized what is right, how to they achieve it? The necessity to have an articulate foundation for ethics and a consistent application of the ethical standards.
IT Auditing & Assurance, 2e, Hall & Singleton
Basis of Ethical Standards Religious Philosophical Historical IBM combination of all three
Ethical Issues in Business [Table 11-1]
Equity Exec. salaries Pricing Rights Health (screening) Privacy Sexual harassment Equal opportunity Whistleblowing Honesty Conflicts of interest Security of data & records Foreign practices [FCPA] Accurate F/S reporting Exercise of Corp. Power PAC, and politics Workplace safety Downsizing, closures IT Auditing & Assurance, 2e, Hall & Singleton
1990 Business Roundtable
Greater commitment of top management Written codes (policy) that clearly communicate standards and expectations Programs to implement ethical guidelines Techniques to monitor compliance
Boeing
Uses line managers to lead ethics training Toll-free number to report violations
General Mills
Published guidelines with vendors,
competitors
, customers
Johnson & Johnson
Creed integral to its culture Uses surveys to ascertain compliance
SAIC
Toll-free number, required training, separate dept.
IT Auditing & Assurance, 2e, Hall & Singleton
Role of Management
Create and maintain appropriate ethical atmosphere Limit the opportunity and temptation for unethical behavior Management needs a methodology for including lower-level managers and employees in the ethics schema Many times, lower-level managers responsible to uphold ethical standards Poor ethical standards among employees are a root cause of employee fraud and abuses Managers and employees both should be made aware of firm’s code of ethics
What if management is unethical? e.g., Enron
IT Auditing & Assurance, 2e, Hall & Singleton
Reported Abuses
Typically junior employees (Wall Street Journal) Half of American workers believe the best way to get ahead is politics and cheating One-third of a group of 9,175 surveyed had stolen property and supplies from employers Ethics Resource Center: 1994 study 41% falsified reports 35% committed theft
Ethical Development
Most people develop a personal code of ethics from family, formal education, and personal experience Go through stages of moral evolution [Figure 11-2] IT Auditing & Assurance, 2e, Hall & Singleton
Making Ethical Decisions
Business schools can and should be involved in ethical development of future managers Business programs can teach students analytical techniques to use in trying to understand and properly handle a firm’s conflicting responsibilities to its employees, shareholders, customers, and the public Every ethical decision has risks and benefits. Balancing them is the manager’s ethical responsibility:
Ethical Principles
Proportionality
: Benefits of a decision must outweigh the risks. Choose least risky option.
Justice
risk : Distribute benefits of decision fairly to those who share risks. Those who do not benefit should not carry any
Minimize Risk
: Minimize all risks.
IT Auditing & Assurance, 2e, Hall & Singleton
The analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology.
Levels of Computer Ethics POP
: the exposure to stories and reports in popular media
PARA
: taking a real interest in computer ethics cases and acquiring some level of skill and knowledge
THEORETICAL
: multi-disciplinary researchers who apply the theories of philosophy, sociology, and psychology to computer science, intending to bring some new understanding to the field. That is, ethics research.
IT Auditing & Assurance, 2e, Hall & Singleton
A new problem or just a new twist to an old problem?
Although computer programs are a new type of asset, many believe that they should not be considered as different form other forms of property; i.e., intellectual property is the same as real property and the rights associated with real property.
IT Auditing & Assurance, 2e, Hall & Singleton
1.
2.
3.
4.
Privacy:
Ownership of personal information Policies
Security
: Systems attempt to prevent fraud and abuse of computer systems, furthering the legitimate interests of firm Shared databases have potential to disseminate inaccurate info to authorized users
Ownership of Property:
Federal copyright laws
Race:
African-Americans and Hispanics constitute 20% of population but 7% of MIS professionals IT Auditing & Assurance, 2e, Hall & Singleton
5.
Equity in Access:
Some barriers are avoidable, some are not Factors: economic status, affluence of firm, documentation language, cultural limitations
6.
Environmental Issues
: Should firms limit non-essential hard copies?
What is non-essential?
Disposal of equipment and supplies (toner)
7.
Artificial Intelligence:
Who is responsible for faulty decisions from an Expert System?
What is the extent of AI/ES in decision-making processes?
IT Auditing & Assurance, 2e, Hall & Singleton
8.
Unemployment & Displacement:
Computers and technology sometimes replace jobs (catch-22, productivity) Some people unable to change with IT, get displaced and find it difficult to obtain new job
9.
Misuse of Computer
: Copying proprietary software Using a firm’s computers for personal benefit Snooping through firm’s files
10.
Internal Control Responsibility:
Unreliable information leads to bad decision, possible financial distress Management must establish and maintain a system of appropriate internal controls to ensure integrity and reliability of data (antithetical) IS professionals and accountants are central to adequate internal controls IT Auditing & Assurance, 2e, Hall & Singleton
The lack of ethical standards* is fundamental to the occurrence of business fraud.
No major aspect of the independent auditor’s role has caused more difficulty for public accounting than the responsibility for detection of fraud during an audit. [article] This issue has gathered momentum outside the accounting profession to the point where the profession faces a crisis in public confidence in its ability to perform independent attest functions. [SAS 82]
Fraud denotes a false representation of a material fact made by one party to another party with the intent to deceive and induce the other party to justifiably rely on the fact to his/her detriment, i.e., his/her injury or loss.
Synonyms: White-collar crime, defalcation, embezzlement, irregularities.
IT Auditing & Assurance, 2e, Hall & Singleton
A fraudulent act must meet the following 5 conditions:
1.
2.
3.
4.
5.
False representation Material fact Intent Justifiable reliance Injury or loss IT Auditing & Assurance, 2e, Hall & Singleton
Asset misappropriation fraud 1.
Stealing something of value – usually cash or inventory (i.e., asset theft) 2.
3.
4.
Converting asset to usable form Concealing the crime to avoid detection Usually, perpetrator is an employee Financial fraud 1.
Does not involve direct theft of assets 2.
3.
4.
5.
Often objective is to obtain higher stock price (i.e., financial fraud) Typically involves misstating financial data to gain additional compensation, promotion, or escape penalty for poor performance Often escapes detection until irreparable harm has been done Usually, perpetrator is executive management Corruption fraud 1.
Bribery, etc.
IT Auditing & Assurance, 2e, Hall & Singleton
Fraudulent financial statements {5%} Corruption {10%} Bribery Illegal gratuities Conflicts of interest Economic extortion Asset misappropriation {85%} Charges to expense accounts Lapping Kiting Transaction fraud IT Auditing & Assurance, 2e, Hall & Singleton
Employee Theft 1) Theft of asset 2) Conversion of asset (to cash, to fraudster) 3) Concealment of fraud
IT Auditing & Assurance, 2e, Hall & Singleton
Special Characteristics: 1.
2.
Perpetrated at levels of management above the one where internal controls relate Frequently involves using the financial statements to create false image of corporate financial health 3.
If fraud involves misappropriation of assets, it frequently is shrouded in a complex maze of business transactions, and often involves third parties. [e.g., ZZZZ Best fraud] IT Auditing & Assurance, 2e, Hall & Singleton
People engage in fraudulent activities as a result of forces within the individual (their ethical system) and without (from temptation and/or stress from the external environment) 1. Situational Pressures 2. Opportunity 3. Rationalization A person with a high level of personal ethics and limited pressure and opportunity to commit fraud is most likely to behave honestly [Figure 11-2] A person with low level of integrity, and moderate to high pressures, and moderate to high opportunity is most likely to commit fraud Auditors can develop a “red flag” checklist to detect possible fraudulent activity A questionnaire approach could be used to help auditors uncover motivations for fraud IT Auditing & Assurance, 2e, Hall & Singleton
Do key executives have unusually high personal debt?
Do key executives appear to be living beyond their means?
Do key executives engage in habitual gambling?
Do key executives appear to abuse alcohol or drugs?
Do key executives appear to lack personal codes of ethics?
Do key executives appear to be unstable (e.g., frequent job or residence changes, mental or emotional problems)?
Are economic conditions unfavorable within the company’s industry?
Does the company use several different banks, none of which sees the company’s entire financial picture?
Do key executives have close associations with suppliers?
Do key executives have close associations with members of the Audit Committee or Board?
Is the company experiencing a rapid turnover of key employees, either through quitting or being fired?
Do one or two individuals dominate the company?
Does anyone never take a vacation?
IT Auditing & Assurance, 2e, Hall & Singleton
1996, 2002, and 2004 study by Association of CFE (“Report to the Nation”) estimated losses from fraud and abuse at 6% of annual revenues! Based on GDP in 2002, that would be $600B, and in 2004 $660B in losses.
Actual cost is difficult to quantify because: 1.
All fraud is not detected 2.
3.
Of ones detected, not all are reported In many cases, incomplete information is gathered 4.
Information is not properly distributed to management or law enforcement authorities 5.
Too often, business organizations decide to take no civil or criminal action against the perpetrator of fraud Organizations with 100 or fewer employees were the most vulnerable to fraud SEC fraud violations reported in COSO “Landmark Study” 1998 IT Auditing & Assurance, 2e, Hall & Singleton
Profile of perpetrator: By position – Table 11-3 By gender – Table 11-5 By age – Table 11-6 By Education – Table 11-7
Conclusions about profile?
Fraudsters do not look like crooks!
Collusion – Table 11-4 1.
2.
Significant reason to adhere to segregation of duties Risks associated with a key position held by a trusted employee who unknowingly has weak ethics IT Auditing & Assurance, 2e, Hall & Singleton
Lack of auditor independence
Lack of director independence
Questionable executive compensation schemes
Inappropriate accounting practices
IT Auditing & Assurance, 2e, Hall & Singleton
PCAOB
Auditor independence
List of services considered non independent
Corporate governance
Issuer and management disclosure
Fraud and criminal penalties
IT Auditing & Assurance, 2e, Hall & Singleton
Fraud auditors Forensic accountants Association of Certified Fraud Examiners Certified Fraud Examiner certification – http://www.acfe.org
Forensic Accounting Investigation Evidence for court Litigation CFE – Association of Certified Fraud Examiners See newsletter sample at ACFE web site IT Auditing & Assurance, 2e, Hall & Singleton
Professor’s Note: I have incorporated material from other sources into this presentation to include ethical issues.
IT Auditing & Assurance, 2e, Hall & Singleton
Culture Helps Determine Laws and Ethical Standards
Chapter 15 IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton 27
Ethical Principles
•
Golden rule:
Do unto others as you would have them do unto you
•
Immanuel Kant’s categorical imperative:
If an action is not right for everyone to take, then it is not right for anyone
IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton Chapter 15 28
Ethical Principles
•
Descartes’ rule of change:
If an action cannot be taken repeatedly, then it is not right to be taken at any time
•
Utilitarian principle:
Put values in rank order and understand consequences of various courses of action
IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton Chapter 15 29
Ethical Principles
•
Risk aversion principle:
Take the action that produces the least harm or incurs the least cost
•
Ethical “no free lunch” rule:
All tangible and intangible objects are owned by creator who wants compensation for the work
IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton Chapter 15 30
Information Rights: Privacy and Freedom in the Internet Age
•
Privacy:
Claim of individuals to be left alone, free from surveillance or interference from other individuals, organizations, or the state
•
Fair information practices:
Set of principles governing the collection and use of information on the basis of U.S. and European privacy laws
IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton Chapter 15 31
U.S. Federal Privacy Laws
• • • • • •
General Federal Privacy Laws
Freedom of Information Act, 1968 Privacy Act of 1974 Electronic Communications Privacy Act of 1986 Computer Matching and Privacy Protection Act of 1988 Computer Security Act of 1987 Federal Managers Financial Integrity Act of 1982
IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton Chapter 15 32
Communications with Children
Children’s Online Privacy Protection Act of 1998 (COPPA) ◦ Provides restrictions on data collection that must be followed by electronic commerce sites aimed at children ◦ Requires schools that receive federal funds to install filtering software on computers IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton Chapter 15 33
Sanrio’s Approach to COPPA Compliance
Chapter 15 IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton 34
Ethical Issues (continued)
◦ ◦ ◦ ◦ Principles for handling customer data Use data collected to provide improved customer service Do not share customer data with others outside your company without the customer’s permission Tell customers what data you are collecting and what you are doing with it Give customers the right to have you delete any of the data you have collected about them IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton Chapter 15 35
Chapter 15 IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton 36
Ethical Issues
Under what conditions should the privacy of others be invaded? What legitimaizes intruding into others’ lives through unobtrusive surveillance, through market research, or by whatever means? IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton 37 Chapter 15
Ethical Issues
Do we have to inform people that we are eavesdropping? Do we have to inform people that we are using credit history information for employment screening purposes?
IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton 38 Chapter 15
Property Rights: Intellectual Property
Intellectual property: Intangible creations protected by law Trade secret: Intellectual work or product belonging to business, not in public domain IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton 39 Chapter 15
Property Rights: Intellectual Property
Copyright: Statutory grant protecting intellectual property from getting copied for 28 years Patents: Legal document granting the owner an exclusive monopoly on the ideas behind an invention for 20 years IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton 40 Chapter 15
Web Site Content Issues
Fair use of a copyrighted work ◦ Includes copying it for use in criticism, comment, news reporting, teaching, or research Vicarious copyright infringement ◦ Entity becomes liable if It is capable of supervising infringing activity Obtains financial benefit from infringing activity IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton Chapter 15 41
Domain Names, Cybersquatting, and Name Stealing (continued)
U.S. Anticybersquatting Consumer Protection Act (ACPA) ◦ Protects trademarked names from being registered as domain names by other parties ◦ Parties found guilty of cybersquatting can be held liable for damages of up to $100,000 per trademark IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton Chapter 15 42
Defamation
◦ Defamatory statement Statement that is false and injures the reputation of another person or company Product disparagement ◦ ◦ If a defamatory statement injures the reputation of a product or service instead of a person Per se defamation Court deems some types of statements to be so negative that injury is assumed IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton Chapter 15 43
Deceptive Trade Practices
◦ ◦ ◦ ◦ Federal Trade Commission Regulates advertising in the United States Publishes regulations and investigates claims of false advertising Provides policy statements Policies cover specific areas such as Bait advertising Consumer lending and leasing Endorsements and testimonials IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton Chapter 15 44
Federal Statutes Related to Cybercrimes 18 U.S.C. 1029 Fraud and Related Activity in Connection with Access Devices 18 U.S.C. 1030 Fraud and Related Activity in Connection with Computers 18 U.S.C. 2701 Unlawful Access to Stored Communications
IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton Chapter 15 45
USA Patriot Act of 2001
The USA Patriot Act has strengthened U.S. cyber laws and expanded cybercrime definitions. Under the Act, an activity covered by the law is considered a crime if it causes a loss exceeding $5,000, impairment of medical records, harm to a person, or threat to public safety.
IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton 46 Chapter 15
USA Patriot Act of 2001
Amendments made by the Act make it easier for an Internet service provider (ISP) to make disclosures about unlawful customer actions without the threat of civil liability to the ISP.
Another revision made by the Act provides that victims of hackers can request law enforcement help in monitoring trespassers on their computer systems.
IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton Chapter 15 47
Chapter 15 IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton 48
Chapter 15 IT Auditing & Assurance, 2e, Hall & Forensic and Investigative Accounting Singleton 49
Controlling the Assault of Non-Solicited Pornography and Marketing Act Establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them.
IT Auditing & Assurance, 2e, Hall & Singleton
It bans false or misleading header information. It prohibits deceptive subject lines. It requires that your email give recipients an opt-out method. It requires that commercial email be identified as an advertisement and include the sender's valid physical postal address. Report Violations to 1-877-FTC-HELP IT Auditing & Assurance, 2e, Hall & Singleton
IT Auditing & Assurance, 2e, Hall & Singleton IT Auditing & Assurance, 2e, Hall & Singleton