Chapter 6

Internal Control and Risk Assessment

INTRODUCTORY SCENARIO: SUGGESTED SOLUTIONS TO QUESTIONS

1. What were some of the things that management could have done to prevent the fraudulent activity perpetrated
by Kerviel?

Answer: Management should have provided better oversight of the trading function. Management ignored
red flags, never investigated the increase in Kerviel’s salary, and never monitored Kerviel’s activities as a
trader. The general controls surrounding access to the system were lax, and management did not consider the
possibility that promoting a back office worker to a trading position would provide that person with the
opportunity to commit and conceal illegal acts (e.g., violating policies with regard to desk limits). There was
a risk-taking culture in the organization. Management did not enforce vacations and failed to follow up on
questions brought up by the Eurex Exchange. No one noticed the false trades and there was a failure to
monitor the security systems and trades.

2. Why do you think the warnings about potential problems were ignored
Answer: Because Kerviel was making money for the bank, management might have been reluctant to act on
activities that looked suspicious (such as the violations of desk limits). Since the internal environment
encouraged a risk-taking culture, lines of responsibility and authorization were blurred, and there was little if
any oversight of the trading function.

VIGNETTES: SUGGESTED SOLUTIONS TO QUESTIONS

Vignette 6.1

1. What types of controls could be implemented to reduce the number of clerical errors in this situation?

Answer: Proper oversight and review of transactions posted. A batch system with review of the proof list by
someone other than the data entry clerks may have caught some of the errors. Edit checks could be installed
to minimize input errors.

2. What are some things that the company can do to alleviate the monotonous nature of data entry?

Answer: Rotation of duties, incentives to reward low data entry error rates.

Vignette 6.2

1. How could the problem with the “phantom inventories” have been avoided?

Answer: Procedures should have been in place to require that all orders be approved before entry into the
system. In other words, the order process should have been separate from the data entry, and all orders
should have been properly authorized. Inventory management should have been maintained by the
 headquarters office, with proper documentation required before maintenance was done on any inventory
items. Physical inventory counts should be done more frequently to minimize the opportunity for losses due
to “phantom inventories” to grow.
2. What kind of incentives would have discouraged the activities discussed in this vignette?

Answer: A strong internal environment with an incentive system that would not encourage product managers
to enter fraudulent data. Proper oversight with proper authorization for orders should be required. Separation
of the record-keeping, authorization, and custody functions should be maintained. The incentive program
needs to be revised to encourage productivity, not fraudulent activity.

Vignette 6.3

1. What are the conflicting incentives that Jay Kelly was facing (e.g., shareholder incentives vs. management
incentives)?

Answer: Kelly’s incentives as a manager were to make the company look good according to the numbers.
The shareholders’ incentives relate to wanting the company to keep up with technological advances and
jump into new markets and products as technology changes. While this is risky, it reflects the notion that
shareholders have no “downside” risk, i.e., they cannot lose any more than the amount they originally
invested in the stock. They have unlimited “upside” potential, in that any successes the company has can be
shared with the stockholders through either the distribution of dividends and/or capital gains from increases
in the value of the equity.

2. What are some things that the board could have done to more effectively address the issues brought up by
Linda Lopez and the other independent board member?

Answer: As an independent board member, Lopez had every right to require a discussion of Kelly’s
performance. It would have been better if the chairman of the board had NOT been an insider. The Sarbanes-
Oxley Act requires that the Audit Committee be made up of non-insiders, including a “financial expert.” The
internal and external auditors report directly to the Audit Committee and should be allowed to independently
review the CEO’s performance BEFORE he comes under investigation for fraud.

Vignette 6.4

1. What were some of the areas of weakness in the control environment for Minichello’s firm?

Answer: No periodic review of the control system. Improper oversight of the treasury function. Duffy was
able to continue his money laundering without anyone suspecting his wrongdoing. Minichello’s attitude
about risk-taking encouraged “creative” methods for making money by her employees. She did not appear
to take the internal environment seriously, so she could not expect her employees to take it seriously either.

2. How could the embezzlement scheme have been avoided?

Answer: Periodic audits of the operational areas of the company by internal auditors and annual audits by
external auditors. Proper oversight of the treasury function through reviews and rotation of duties within the
department. Enforced vacations (assuming Duffy was the “perfect employee” who never took any time off)
would also allow for someone else to review transactions processed in the treasury department.

3. What recommendations would you make to Minichello to improve the control environment (assuming the
 firm survived the embezzlement)?

Answer: Periodic review and updates to the control system, a change in Minichello’s attitude toward the
importance of the control system, rotation of duties, proper oversight and authorization of transactions,
enforced vacations.

Vignette 6.5

1. If you were reviewing the results of the internal auditor’s interview, how would you address the problems the
junior manager points out in this vignette?

Answer: The internal environment is lax. Management does not appear to be interested in adhering to
personnel policies that encourage the hiring and retention of qualified employees. There is no formal means
of obtaining consistent and regular feedback on performance. The job posting and merit increase
procedures appear to be somewhat “informal.” Personnel do not know what they must do to be promoted or
to receive significant merit increases. Procedures should be in place to demonstrate the organization’s
commitment to the advancement of qualified personnel to higher levels of responsibility.

2. How can management improve morale and encourage excellence in its employees?

Answer: Fair and equitable policies for salaries and raises should be clearly stated and adhered to. The
evaluation process should be properly scheduled and provide an opportunity for managers and their
employees to applaud excellence in performance and provide a means for suggesting improvements.

SOLUTIONS TO DISCUSSION QUESTIONS AND PROBLEMS

1. Who is ultimately responsible for the implementation of cost-effective internal control?

Answer: B

2 The Foreign Corrupt Practices Act was an important act because it was the first to require that:

Answer: D

3. The primary objective of an external auditor in obtaining an understanding of a client’s internal control is to
provide the auditor with:

Answer: B

4. Which of the following statements about internal control is correct?

Answer: D

5. Smith, CPA, has been engaged to audit the financial statements of Reed, Inc., a publicly held retailing
company. Before assessing control risk Smith is required to obtain an understanding of Reed’s control
environment.
Required:
a. Identify the control environment factors or principles that establish the control environment.
b. For each control environment factor or principle identified in Part (a), describe what would be of interest to the
auditor.

Answer:

The internal environment factors at Reed, Inc., that Smith, CPA, must understand to perform an audit of
Reed's financial statements are listed below. Along with each factor, the components that are of interest are
discussed.

Management Philosophy and Operating Style

Management philosophy and operating style include the following: management’s behavior toward other
managers or personnel; management’s approach to business risk; management’s attitude toward accounting
functions; and management’s attitude toward information processing.

Integrity and Ethics

An organization’s integrity and ethical values affect the design, administration, and monitoring of the other
factors of the internal environment.

Commitment to Competence
Commitment to competence indicates to the auditor how competently the employees perform their jobs.

Human Resource Policies and Practices

Human resource policies and practices include the organization's policies for hiring, orienting, training,
evaluating, counseling, compensating, promoting, and remedial actions.

Board of Directors
The board of directors is a committee that primarily represents stockholders but may also represent
employees, communities, and environmental interests. The board is responsible for overseeing operations,
evaluating management's performance, and assuring that the organization is in compliance with applicable
laws and regulations. Boards set broad policies and see that they are carried out. They typically choose the
chief executive and participate in selecting other senior staffers. More specific responsibilities vary,
depending on the organization’s charter and the nature of the business. An independent board of directors
is one in which a significant number, preferably a majority, of its members are outside directors. Outside
directors are those who are neither current nor former employees of the organization.

Audit Committee
The audit committee is a standing subcommittee of the board whose main objectives are to protect against
management wrongdoing and to increase public confidence in the independent auditor’s opinion. It is an
extension of the oversight role of the board of directors and, consequently, reports directly to the board.
The audit committee is responsible for making recommendations regarding the selection of the external
auditors, reviewing financial information, directing investigations of possible fraud, seeing that effective
internal control is maintained, and serving as a communication link between the internal and external
auditors and the board of directors. An audit committee composed of independent board members can
ensure that its decisions are free from management’s influence.

Organizational Structure
A formal organizational structure provides the framework within which the organization’s activities for
achieving its objectives are planned, executed, monitored, and controlled. Limits of managerial authority,
areas of responsibility, and lines of reporting are defined. Employees know what authority and
 responsibility they have, whom they report to, and who reports to them. The organizational structure is
expressed in and documented by an organizational chart and job descriptions.

Assignment of Authority and Responsibility

Assignment of authority and responsibility includes policies and communications directed at ensuring that
all personnel understand the management objectives, know how their individual actions interrelate and
contribute to those objectives, and recognize how and for what they will be held accountable. Assignment
of authority and responsibility establishes authorization hierarchies and reporting relationships.

6. Describe the three organization objective categories in the internal control framework. How are they related
to the COSO 2013 components of internal control?

Answer: The three organization objective categories are quality of reporting (both internal and external),
effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The fivet
components of internal control–control environment, , risk assessment, control activities, information and
communication, and monitoring–can be associated with all three management objective categories. No one
component should be viewed as a singular aspect of any one objective category.

7. Below are some situations that occurred in various organizations.

Required: Discuss the deficiencies that must have existed in the control environment for these situations to
have occurred.

7. a. The company president was implicated in a case of high-level fraud, but the matter was hushed up
successfully.

Answer: To enable the president's activities to be concealed, the board of directors probably had to
cooperate. The members of the board of directors evidently did not fear civil or criminal suit for
conspiracy, or, if they did, they had some overriding interest in keeping quiet. The board may have been
composed entirely of family members or individuals who also held management positions. If any members
of the board were

independent, they were probably in a minority and may have been bribed to conceal the wrongdoing. Also,
there may have been no established audit committee with overall responsibility for control matters.

7. b. An employee expected he would be fired because of a conduct violation, but six months later he was still
on the job. Management currently was distracted by the possibility of a hostile takeover.

Answer: The company's procedures for dealing with control violations were clearly inadequate. If the
prescribed penalty for an offense is termination, that penalty should be carried out automatically regardless
of management's preoccupation with other matters.

7. c. After a new technical assistant had been on the job for three weeks, it was discovered that she had no
relevant qualifications or work experience.

Answer: Hiring policies were inadequate. The credentials of all new employees should be checked, and,
where doubts exist, a job applicant should be tested for competence.

7. d. When the internal auditors conducted an inquiry into the high incidence of errors in the accounting
department, it emerged that three clerks recently had been transferred there from other departments.
 Although the clerks had some accounting experience, none was familiar with the company’s accounting
system.

Answer: The company evidently had no formal orientation or training programs, or, if it had, orientation
and training were not required for people transferring within the organization. Orientation and training
programs should acquaint new employees or transferees with company and departmental procedures.

7. e. A customer complained about being overcharged on an invoice, and it turned out the error was deliberate.
The billing clerk, who had not benefitted personally in any way, defended himself by saying, “I thought
you would appreciate my trying to bring more money into the company.”

Answer: Presumably, the organization had no formal code of conduct regulating the manner in which
employees were to deal with customers. Also, supervision may have been inadequate; the invoice should
have been checked before being mailed.

7. f. A colleague explained to a new employee, “It doesn’t matter what you do here; just don’t get caught.”

Answer: Control consciousness seems to have been lacking. With such attitudes among employees,
management would have a hard job building effective internal control.

8. It is often said that control is achieved through people, and human resource policies and practices certainly
make an important contribution to an organization’s control environment.
Required:
Identify and discuss the main aspects of human resource policies and practices from a control standpoint.
Present your answer in the context of a large service organization, such as an insurance company.

Answer: Internal control is only as good as the people involved. The quality of these people depends
heavily on the quality of the organization's human resource policies and practices. The human resource
policies and practices should be tailored to the required skills and the sensitivity of the positions filled and
should address the needs for:

• Hiring
• Orientation
• Training
• Evaluating
• Counseling
• Compensating
• Promoting
• Remedial actions

A large insurance company would need people with special training and skills, such as actuaries,
appraisers, and information services specialists, as well as clerical, sales, and general management
personnel. Its employees would most likely be regarded as a valuable long-term resource. They would be
recruited with care and continually nurtured to maintain their effectiveness and to realize their full
potential. Suitable incentives would be needed to attract the right people, keep them with the company, and
challenge them to achieve their personal, as well as the corporate, goals. A contented, but personally and
professionally challenged, work force is a vital asset to any company; to a professional service
organization, it is essential for long-term survival and success. Such a work force is also the basis of
effective internal control.
 Before personnel are hired, their credentials should be checked to verify their suitability for employment.
New hires and transferees should be given appropriate orientation and training covering, among other
things, company policies and procedures. Periodic performance reviews should be made of performance
and constructive feedback provided to each individual. Opportunities should exist for advancement within
the organization, and a "hire-from-within" policy should be adhered to whenever feasible. Employee
frustration should carefully be avoided, and successful employees should be offered a future with the
company that provides a basis for the realization of their monetary and nonmonetary ambitions. Absence
of frustration and expectations of advancement are important elements supporting the control
consciousness.

Individuals who feel the need for a change of job should, to the extent possible, be able to move laterally in
the organization. Opportunities should also be provided for individuals who are in the process of
recovering from illness or personal problems and need to demonstrate their continued self-worth and worth
to the company. Compensation should be commensurate with the service provided to the organization.
The insurance company should establish written policies and procedures stating the disciplinary actions that
will follow violations of expected behavior. Prompt, impersonal disciplinary action sends a message that
violations will not be tolerated.

9. A corporation is seeking a listing on the New York Stock Exchange, but it does not have an audit
committee.

Required:

9. a. Why does it matter whether the corporation has an audit committee?

Answer: The objectives of an audit committee are to protect against management wrongdoing and to
increase public confidence in the independent auditor’s opinion. External auditors can communicate with
audit committees and discuss control and other issues without management being present. It is an
extension of the oversight role of the board of directors and, consequently, reports directly to the board.
The audit committee is responsible for making recommendations regarding the selection of the external
auditors, reviewing financial information, directing investigations of possible fraud, seeing that effective
internal control is maintained, and serving as a communication link between the internal and external
auditors and the board of directors. An audit committee composed of independent board members can
ensure that its decisions are free from management’s influence.

9. b. Discuss the issues the corporation must consider in creating an audit committee.

Answer: When setting up an audit committee, an organization must consider the committee's charter and
membership and also must consider the effects of the discipline that the committee will impose on upper
management. The committee's charter should spell out what its responsibilities are and what opportunities
it will be given to meet them. The committee should be made up of individuals drawn from among the
independent members of the board of directors. The selected individuals should have an interest in internal
control and, where possible, previous experience or relevant training. They must make the commitment to
acquaint themselves with details of the organization's internal environment and with the broad features of
its control activities. The committee members must commit the time necessary to provide effective
oversight and, in particular, the time that may be needed to investigate in detail certain matters of concern.
The members must be prepared for the typically unpleasant tasks of exposing high-level wrongdoing in the
organization and of carrying through whatever corrective measures are deemed necessary.

Upper management must be prepared to expose its actions to the audit committee's scrutiny. The legal and
ethical aspects of management behavior will be reviewed and also management's performance in running
 the organization. Management must be prepared to cooperate with the audit committee in any
investigations the committee chooses to pursue. Good managers will welcome this kind of oversight
because it stimulates continual improvement and enhances the organization's success. Poor managers are
likely to resent the oversight because it exposes their incompetence and possibly their own wrongdoing.

10. A company has grown from being small to being medium-sized. Top management realizes that its
organizational structure needs to be formalized to strengthen the control environment.
Required:
What must management consider when designing an appropriate organizational structure?

Answer: The formal organizational structure defines areas of responsibility, limits of managerial authority,
and lines of reporting. An organizational structure that is appropriate to an organization's mission
contributes to a strong internal environment. The structure provides the framework within which the
organization's activities for achieving its objectives are planned, executed, monitored, and controlled.
People know what authority and responsibility they have, whom they report to, and who reports to them.

The organizational structure should be designed to support the organization's mission by establishing
relationships among people and activities to facilitate decision making, preserve accountability, and
achieve teamwork and harmony. In designing an organizational structure, top management must consider
organizational goals and objectives, operating functions, and regulatory requirements. Management
decides at what level decisions can be made, the degree to which individuals and teams can use their own
initiative in addressing issues and solving problems, and what limits to put on their authority.

The type of organizational structure is influenced by the nature of an organization's activities and by its
size. A large organization may require a high degree of structure with formal areas of responsibilities,
limits of authority, and lines of reporting. On the other hand, a small organization may require a less
formal structure because of adequate direct supervision and oral communications. The organizational
structure may be centralized or decentralized. A centralized organization retains the authority for decision
making at the top levels of management while a decentralized organization delegates decision-making
authority to middle and lower managers. In decentralized organizations, significant authority may be
delegated to the managers of business units. In most cases, the larger the unit, the greater the autonomy
that is vested in the unit's manager. Business units may be distinguished by industry or product line,
geographical location, functional activity, distribution or marketing network, or a particular project.

After an appropriate organizational structure has been designed, management must adopt techniques for
communicating and maintaining the areas of responsibility, limits of authority, and lines of reporting.
Organizational charts need to be redrawn and job descriptions need to be rewritten to reflect the changes.

11. Rumors are spreading around an organization that members of top management overstate their travel
vouchers. A vice-president is alleged to have submitted a travel claim for a two-week sales trip when he
was actually on vacation. Another executive is reported to have told her secretary, “The reimbursement
rates for transportation are so low that claiming more miles is the only way to come out even.” Several
division managers are believed to make regular claims for meals provided at no charge by airlines,
conventions, or customers.
Required:
Explain the effect these rumors could have on the control environment.

Answer: Even if the rumors that members of top management overstate their travel vouchers are false, the
fact that they are spreading throughout the organization–and are believed–is a sign of poor employee
morale and a breakdown of trust. If the rumors are true, they portray a very poor account of the internal
 environment. In either case, the rumors are likely to erode morale further and to have a negative effect on
employees’ own attitudes toward integrity and ethical behavior.

Management of any organization should strive to communicate to employees the importance of integrity
and ethical behavior. Such indoctrination should be accomplished by training programs, continual
reinforcement by supervisors, a code of conduct, and prompt disciplinary action against violators.
However, employees are sensitive not only to formal indoctrination but also to subtle messages from their
superiors. If employees perceive that senior managers lack integrity and behave in an unethical manner,
the employees may be influenced to act accordingly. The employees may surmise that the indoctrination
program is a sham and conclude that integrity and ethical behavior are really not important.

12. A U.S. construction company paid a bribe to a foreign government official in an effort to land a contract in
the official’s country. When word leaked out, the U.S. company’s CEO said, “Bribery is a standard
business practice in the foreign country.”
Required:
What is your reaction to the CEO’s statement?

Answer: The defense offered by the CEO of the U.S. construction company was frequently voiced during
the Congressional hearings that led to passage of the Foreign Corrupt Practices Act of 1977. Indeed, the
offering and acceptance of bribes is common in some parts of the world, and American business people
have often complained that the act's prohibition of bribery puts them at a disadvantage relative to foreign
competitors whose societies are less squeamish about such practices. The alleged disadvantage is one of
the factors claimed to prevent U.S. companies from competing in world markets on a "level playing field."
Regardless of whether the complaints are valid, the U.S. government has concluded that bribery is
unethical and undermines the trust that should exist, not only among competitors in the market place, but
also between business and government and between business and society. Most people agree that bribery
and similar corrupt practices are not in the best long-term interests of either business organizations or the
national economy and cannot contribute to society's well-being.

13. X has been asked to serve as an outside director on Y Company’s board of directors. For this service, X
will receive an annual stipend as well as a fee and expense reimbursement for each meeting attended.

13. a. What is meant by an outside director and what contribution can an outside director make?

Answer: An outside director is a member of the board of directors of an organization and is not otherwise
involved as an employee or manager of the organization. Such a board member should also be free from
financial entanglements as a creditor or debtor of the organization. An outside director has no conflict of
interest that could interfere with his or her oversight of management's effectiveness in running the
organization. He or she is, therefore, in a favorable position to evaluate reports and presentations made to
the board by corporate management.

13. b. What will be some of X’s responsibilities as a member of the board of directors?

Answer: As a member of the board of directors, X will be expected to attend regular meetings of the board
and, if selected, to serve on standing or ad-hoc committees. X will also be expected to become acquainted
with the organization's and the industry's activities to be able to offer informed advice to other board
members and to management.

13. c. Does the promise of remuneration erode the director’s independence on the board?
 Answer: Few independent board members–or even the organization's own managers–would be prepared to
serve as directors if there were no remuneration. As long as directors' fees are not tied to the way they vote
or to the outcome of specific actions proposed by management, there is no significant erosion of
independence. An independent board member's acceptance of remuneration should be viewed in a similar
light as the acceptance of fees by an external auditor.

14. Malcolm Trenton, an ambitious senior manager, routinely took administrative work home in the evening
because he spent much of the day in conferences with other managers, subordinates, or clients. He was as
surprised as everyone else when a vice-president explained at a hurriedly called meeting that details of an
impending merger had been leaked to a corporate raider. The leak had embarrassed the company and
undermined merger negotiations. The vice-president announced that he had instructed the internal auditors
to conduct a thorough investigation into the source of the leak and that the culprit would be dealt with
severely. All company personnel, including executive-level managers, were requested to cooperate fully
with the investigation.

Two days later, Trenton’s wife left him and filed for divorce. Some time later, Trenton learned that his wife
had been seen with one of the corporate raider’s staff. She bought a condominium in a fashionable part of
town and was last seen driving an expensive automobile.

14. a. Discuss the potential dangers of taking work out of the office.

Answer: The story about Malcolm Trenton draws attention to an increasingly serious problem of protecting
the confidentiality of corporate data. Many managers take work home to do in the evenings and on
weekends. Their workload demands more time than is available during normal work hours, and, at home,
these managers can escape the continual interruptions that occur at the office. The managers can work
quietly and think more creatively. But taking work away from the office presents an internal control risk
because sensitive material may be exposed to unauthorized access.

The problem is compounded by the growing pattern of two-career families. A manager's spouse may work
for a competing organization or a third party with a potential interest in information to which the manager
may be privy. Important in this regard are documents or reports in the manager's possession, information
stored in a home computer, and information in a corporate database that is accessible via a home computer.
Most married couples reach an agreement not to discuss corporate secrets and to respect the privacy of each
other's work. However, situations can arise--particularly if experiencing marital difficulties--when one
partner may deliberately invade the other's privacy. This seems to have been the situation described in the
problem.

14. b. Much has been written in recent years about opportunities for people to work at home. Avoiding long
commuting times, safety from downtown crime, being able to care for children, and reducing the need for
expensive downtown office space have all been cited as advantages to employers as well as employees.
Dispersion of the work force is not considered a problem because technology enables people to keep in
touch 24 hours a day. Do you think that the internal control implications of working at home might be
serious enough to dissuade companies from allowing employees to work remotely?

Answer: As noted, work-at-home schemes offer many advantages in reducing operating costs and in
accommodating personal preferences for working conditions and hours. On the other hand, internal control
over access to information or even access to computer facilities are difficult to establish and enforce.
Supervisors and internal auditors are unable to monitor the treatment given to printed material or the use or
abuse of computer equipment outside the work place. Much responsibility has to be borne by individual
employees, and they may be less careful in their own homes than they would be at the office. Some
employees may actually take advantage of the lack of oversight.
 Because of potentially lax security, organizations must balance the advantages and disadvantages of work-
at-home schemes and set ground rules for situations in which it is permitted. Particularly sensitive work
should be done only at the office, and only trusted employees should be permitted to do less sensitive work
at home. In cases where off-site work is permitted, employees should be made aware of the security
problems and be trained in necessary control activities. Whether they observe the control activities remains
an open question.

15. Many organizations have policies regulating the use of controlled substances, and some require all
employees to submit to random drug testing. In some cases, safety is the main concern, and vehicle drivers
and machinery operators are the main targets of controlled-substance policies. However, education in drug
abuse and opportunities to attend rehabilitation programs are being made available to much broader
categories of employees. Certain organizations have proposed compulsory drug testing in the accounting
and information services areas.

15. a. What are the internal control implications of substance abuse in accounting and information services?

Answer: Substance abuse can have a two-fold effect on internal control. First, an abuser's work
competence and judgment are likely to be impaired. Second, the need to meet the ever increasing cost of
illegal drugs often drives abusers to steal.

15. b. Do you think that random drug testing of accounting and information services employees is justified?

Answer: Instead of drug testing, education needs to be the primary weapon to attack substance abuse. On
the other hand, random drug testing has also proved to be an effective weapon against substance abuse in
the work place. Today, many organizations require new hires to agree to random testing as a condition of
employment. While the average person views drug testing as intrusive and unpleasant, there is growing
recognition that it is a necessary evil. Few people find drug testing so unpleasant that they would turn
down an attractive job offer for this reason–unless they had something to hide.

16. Carcella Company’s board of directors instructed its audit committee to investigate an allegation that one of
the assertions in the company’s interim financial statements was fraudulent.

Required:
If you were a member of the audit committee, how would you suggest the committee proceed with such an
investigation? What resources should the audit committee have at its disposal to carry out the charge? What
action should the audit committee take if it finds that the allegation is correct? Would the committee’s
actions be the same if the fraud involved other acts, such as an illegal political contribution?

Answer: The first step in the audit committee's investigation should be to interview the board members who
made the charges to determine what evidence they had and to evaluate the seriousness of the alleged fraud.
Presumably, the matter was discussed at a board meeting, and upper management was informed of the
charges. The audit committee should give senior managers an opportunity to rebut the charges. The
committee should also approach the head of internal audit in confidence to inquire whether the latter's
department had any suspicion of fraud. The committee would likely review the findings of the most recent
external audit, particularly any observations or recommendations that may have been made concerning
internal control weaknesses.

If the audit committee was satisfied that due cause existed, it could proceed in one of two ways. The
committee could set up a task force to investigate the charges further. The task force could consist of some
or all of the audit committee members, representatives from the internal audit department, and possibly one
 or more individuals from the organization's external audit firm. The task force could schedule interviews
with senior managers, the controller, and other accounting staff. Most likely, an accounting firm had
already been selected to audit the end-of-year financial statements, and the external auditors may already
have performed initial procedures. The task force may recommend that the external auditors expand their
preliminary investigations or proceed with tests that they would otherwise have conducted later in the fiscal
year. Alternatively, the audit committee could recommend that the external auditors immediately perform
a complete financial audit of the interim statements and await the outcome before taking further action.
The full board would have to approve the retention of external auditors or the expansion of their
responsibilities.

If a senior manager confesses to the fraud or if strong evidence points to a particular manager, the manager
should be suspended immediately, and charges should be filed by the board of directors. Unless the board
takes prompt, effective legal action against the perpetrator, it too could be implicated in any future lawsuit
brought by stockholders or creditors. The board would have to take similar action to protect itself against a
possible criminal suit in the case of an illegal political contribution.

17. A former employee called a local newspaper and reported that a major company had paid bribes to foreign
governments over a period of years to obtain export contracts and had also made large contributions to
three members of a U.S. congressional committee to influence legislation leading to the Clean Air Act of
1991. The employee offered to make available to the newspaper copies of internal memos written by senior
executives proving that the activities took place.

Required:
What actions do you think this organization could have taken:

17. a. to reduce the possibility of involvement in illegal activities by high-level management?

Answer: An organization's best defense against involvement in illegal activities by high-level management
is a strong internal environment. In particular, an independent board of directors can exercise the necessary
oversight which itself is a deterrent against wrongdoing. An independent board can also take decisive
action to investigate any allegations or wrongdoing.

17. b. to encourage potential whistle-blowers to reveal their information internally instead of being forced to go
outside?

Answer: One action an organization can take to encourage potential whistle-blowers to reveal their
information internally instead of going outside is to provide a mechanism for communicating concerns to a
suitable level–the manager of internal audit, the president, or the board of directors–so whistle-blowers can
be assured of prompt responses. Simply confiding suspicions to an immediate supervisor is unlikely to be
effective. Second, the employees must be assured that they will not face recrimination (which is assured by
law in the Dodd-Franks Act). This is a crucial issue because, historically, large numbers of whistle-blowers
have been fired, demoted, transferred to a less favorable location, given demeaning work, or harassed for
their actions. A mechanism whereby employees can express concerns anonymously can help in this regard,
although anonymity creates other problems, such as irresponsible charges.

18. Mr. White serves as financial secretary and treasurer of a church in a small town. His responsibilities
include maintaining all accounting records, receiving pledge income and plate collections, and making
disbursements for all church expenses.

Mr. White, who is 71 years old, is a lifelong member of the church and is highly respected in the
community. He took over the unpaid job 15 years ago after retiring from the military and after his
predecessor died. The church officers always have been full of praise for the manner in which Mr. White
performed, but lately there has been some concern because of his failing health. No one has been found to
help Mr. White with the work.

Required:
Discuss the risks inherent in Mr. White’s position in the church.

Answer: Pertinent comments on the risks inherent in Mr. White's position are as follows:

• Mr. White could suddenly become unable to perform his duties, harming the ongoing administration of
the church. Most likely there are no written operating procedures, and a new financial secretary and/or
treasurer would have difficulty learning the job.

• The jobs of financial secretary and treasurer are incompatible duties from an internal control standpoint
and should not be held by the same individual.

• Mistakes could be made in the receipt and disbursement of church funds or in the recording of
transactions and never be detected. Mr. White's capabilities for detailed clerical work may be
declining.

• Mr. White might experience unusual financial hardship and be tempted to divert church funds to his
own use, or to "borrow" money and be unable to pay it back. If he became mentally confused, he
might not be able to properly distinguish between his own money and church funds.
19. The Arcade Co. of Orlando, Florida, has established a new division that will manage a chain of video-game
arcades in forty locations throughout several southern states. The locations will be divided into two regions,
each under a regional manager. Each location will be assigned a local manager. As many as sixty machines
will be available at certain locations, although the average at each location will be thirty-five machines.

Management intends to minimize the number of operating and accounting employees to reduce costs.
However, it plans to hire sufficient maintenance personnel to minimize downtime of machines. The local
manager will be required to collect the coins from the machines and deposit them in a local bank. Access to
the game counter and coins in each machine will be by means of a master key. Validated deposit slips are
to be mailed to the corporate office by the local manager. Bank statements are to be mailed by the bank
directly to the corporate office.

Required:
Identify the specific risks that are inherent in the operations of the new division and the risk responses for
each of those risks (avoid, reduce, share, or accept).

Answer: The risks associated with the new division of Arcade Co. of Orlando, Florida, are presented
below:

Activity Risk
Transaction Execution (a) Unauthorized
- Play of games
- Collection of coins
- Record of collection
- Deposit of coins
(b) Theft or loss of cash
Reduce or share (insurance)
Transaction Recording (a) Incorrect account
and Classification (b) Incorrect time period
(c) Incorrect amount
(d) Omitted transaction or
incomplete recording
Avoid with controls in system
Access to Assets (a) Theft of games
(b) Theft of machines
(c) Damage to machines
(d) Theft of money
(e) Loss of money
Avoid with physical controls,
surprise audits
Periodic Comparisons (a) All risks previously discussed
of Accountability may not be under adequate
control.
May be able to reduce this risk
with periodic re-evaluation of
how controls are working
20. Define IT governance and describe some “best practices” that would be expected for strong IT governance
in an organization.

Answer: IT governance focuses on handling transactions, events, and decision making responsibly; fully
disclosing the performance measures used; using independent review and practicing continuous
improvement; and adapting to the constantly changing business environment.An organization with
effective IT goverance would include the following best practices:
 Alignment of organizational values (e.g., management risk culture, risk assessment, and risk response).
 Establishment of policies and procedures (e.g., updating and reviewing policies frequently, making
procedure documentation easily accessible, and having policies relate to critical areas of organization).
 Effective organizational communications (e.g., encouraging interaction in all directions—not just
“top-down”—to promote an open culture and information accessibility).
 Strategy designed to include an IT infrastructure that supports and promotes the organization’s success.
This infrastructure should be reviewed and updated as needed, with proper documentation and
maintenance to allow the business to function effectively
 Accurately documented processes that are monitored and updated (e.g., the organization’s disaster
recovery/ business continuity plan).
 Proper asset management to include the oversight and tracking of assets within the organization (e.g.,
mobile devices and software licenses).

Spreadsheet Assignment
A type of computer fraud that has been perpetrated at several banks and financial institutions is referred to as the
salami technique, so named because it “slices” away tiny pieces of data. All calculated interest amounts are rounded
down, and the fraction of a cent shaved from each computation is transferred to an account belonging to the
perpetrator (or an accomplice) who is usually an applications developer in the information services department.

Consider the following account balances from a representative sample of one-tenth of 1 percent of the population of
accounts at the Third National Bank: (refer to information in textbook for tables

a. Prepare a spreadsheet to calculate the approximate amount stolen over the course of 1 year if the bank pays
5.5 percent annual interest, compounded monthly. Assume no additional deposits were made to the
accounts and no withdrawals of interest or principal were made.

One approach to setting up your spreadsheet is shown below for the month of January. You will need to
key in the appropriate formulas or functions to derive the amounts for the last four columns. Use the
spreadsheet’s round down function for the “Rounded Interest” column.

To calculate the data for February, copy the rows for January to the blank rows below the data for January
and label the copied data “February Data.” In the February data, delete the contents of the cells in the
“Balance” column. For the balance of account 1, enter a formula to add the January balance of account 1 to
the rounded interest amount for account 1 in January. Copy this formula to calculate the balances for
accounts 2 through 10. Also, in the February data, modify the “Cumulative Amount Transferred” in the
first row to include the total cumulative amount transferred in January.

To calculate the data for March, copy the rows for February to the blank rows below the data for February.
No changes need to be made for the March data except for the label, which should be “March Data.”
Repeat what you did for March for April through December.
Answer: The amount that could be misappropriated from the ten accounts using the salami technique is
shown below.

The data for January are in the problem.

FEBRUARY DATA:
Interest Cumulative
Monthly Rounded Amount Amount
Account Balance Interest Interest Cut Off Transferred
1 35.20 0.16133 0.16 0.00133 0.03824
2 192.53 0.88243 0.88 0.00243 0.04067
3 274.75 1.25927 1.25 0.00927 0.04994
4 303.19 1.38962 1.38 0.00962 0.05956
5 398.97 1.82861 1.82 0.00861 0.06817
6 413.90 1.89704 1.89 0.00704 0.07521
7 691.40 3.16892 3.16 0.00892 0.08413
8 1523.95 6.98477 6.98 0.00477 0.08890
9 3257.20 14.92883 14.92 0.00883 0.09773
10 10129.31 46.42600 46.42 0.00600 0.10374

MARCH DATA:
Interest Cumulative
Monthly Rounded Amount Amount
Account Balance Interest Interest Cut Off Transferred
1 35.36 0.16207 0.16 0.00207 0.10580
2 193.41 0.88646 0.88 0.00646 0.11227
3 276.00 1.26500 1.26 0.00500 0.11727




DECEMBER DATA:
Interest Cumulative
Monthly Rounded Amount Amount
Account Balance Interest Interest Cut Off Transferred
1 36.80 0.16867 0.16 0.00867 0.57214
2 201.49 0.92350 0.92 0.00350 0.57564
3 287.56 1.31798 1.31 0.00798 0.58362
4 317.32 1.45438 1.45 0.00438 0.58800
5 417.58 1.91391 1.91 0.00391 0.59191
6 433.21 1.98555 1.98 0.00555 0.59746
7 723.70 3.31696 3.31 0.00696 0.60442
8 1595.20 7.31133 7.31 0.00133 0.60575
 9 3409.55 15.62710 15.62 0.00710 0.61285
10 10603.20 48.59800 48.59 0.00800 0.62085
 The amount netted by the criminal from these ten accounts is surprisingly small. Even when the amount is
multiplied by 1,000 (10,000 total accounts / 10 accounts in sample) to estimate the defalcation for the total
population of accounts, it is still only $620.90 a year--hardly enough to compensate for the risk of
detection!

b. What changes to the facts stated in the assignment would result in larger profits to the perpetrator? Do the
sizes of the account balances influence the profitability of the scheme?

Answer: The amount stolen in Part a. would be larger if (i) there were more accounts, or (ii) interest were
compounded more frequently. Most financial institutions compound interest daily. In this case, the
defalcation could grow to approximately $19,000 a year. It should be noted that the stake does not increase
with the size of the accounts; it averages $0.005 an account, each interest date, regardless of the amount of
the balance.