Ethics, Fraud, and Internal Control:Ethical Issues in Business
This chapter examines three closely related areas of concern, which are specifically addressed by the Sarbanes-Oxley Act (SOX) and are important to accountants and management. These are ethics, fraud, and internal control. We begin the chapter by surveying ethical issues that highlight the organization’s conflicting responsi- bilities to its employees, shareholders, customers, and the general public. Organization managers have an ethical responsibility to seek a balance between the risks and benefits to these constituents that result from their decisions. Management and accountants must recognize the new implications of information technologies for such historic issues as working conditions, the right to privacy, and the potential for fraud. The section concludes with a review of the code of ethics requirements that SOX mandates.
The second section is devoted to the subject of fraud and its implications for accountants. Although the term fraud is very familiar in today’s financial press, it is not always clear what constitutes fraud. In this section, we discuss the nature and meaning of fraud, differentiate between employee fraud and management fraud, explain fraud-motivating forces, review some common fraud techniques, and outline the key elements of the reform framework that SOX legislates to remedy these problems.
The final section in the chapter examines the subject of internal control. Both managers and accountants should be concerned about the adequacy of the organization’s internal control structure as a means of deterring fraud and prevent- ing errors. In this section, internal control issues are first presented on a conceptual level. We then discuss internal control within the context of the Statement on Auditing Standards no. 78/ Committee of Sponsoring Organizations of the Treadway Commission (SAS 78/COSO) framework recommended for SOX compliance.
Ethical Issues in Business
Ethical standards are derived from societal mores and deep-rooted personal beliefs about issues of right and wrong that are not universally agreed upon. It is quite possible for two individuals, both of whom consider themselves to be acting ethically, to be on opposite sides of an issue. Often, we confuse ethical issues with legal issues. When the Honorable Gentleman from the state of——, who is charged with ethical misconduct, stands before Congress and proclaims that he is ‘‘guilty of no wrongdoing,’’ is he really saying that he did not break the law?
We have been inundated with scandals in the stock market, stories of computer crimes and viruses, and almost obscene charges of impropriety and illegalities by corporate executives. Using covert compen- sation schemes, Enron’s Chief Financial Officer (CFO) Andy Fastow managed to improve his personal wealth by approximately $40 million. Similarly, Dennis Kozowski of Tyco, Richard Scrushy of Health- South, and Bernie Ebbers of WorldCom all became wealthy beyond imagination while driving their com- panies into the ground. Indeed, during the period from early 1999 to May 2002, the executives of 25 companies extracted $25 billion worth of special compensation, stock options, and private loans from their organizations while their companies’ stock plummeted 75 percent or more.1
A thorough treatment of ethics issues is impossible within this chapter section. Instead, the objective of this section is to heighten the reader’s awareness of ethical concerns relating to business, information systems, and computer technology.
BUSINESS ETHICS
Ethics pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong. More specifically, business ethics involves finding the answers to two questions: (1) How do managers decide what is right in conducting their business? and (2) Once managers have recognized what is right, how do they achieve it?
Ethical issues in business can be divided into four areas: equity, rights, honesty, and the exercise of corporate power. Table 3-1 identifies some of the business practices and decisions in each of these areas that have ethical implications.
Making Ethical Decisions
Business organizations have conflicting responsibilities to their employees, shareholders, customers, and the public. Every major decision has consequences that potentially harm or benefit these constituents. For example, implementing a new computer information system within an organization may cause some employees to lose their jobs, while those who remain enjoy the benefit of improved working conditions. Seeking a balance between these consequences is the managers’ ethical responsibility. The following ethical principles provide some guidance in the discharge of this responsibility.2
PROPORTIONALITY. The benefit from a decision must outweigh the risks. Furthermore, there must be no alternative decision that provides the same or greater benefit with less risk.
Justice. The benefits of the decision should be distributed fairly to those who share the risks. Those who do not benefit should not carry the burden of risk.
Minimize risk. Even if judged acceptable by the principles, the decision should be implemented so as to minimize all of the risks and avoid any unnecessary risks.
COMPUTER ETHICS
The use of information technology in business has had a major impact on society and thus raises significant ethical issues regarding computer crime, working conditions, privacy, and more. Computer ethics is ‘‘the
analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology.… [This includes] concerns about software as well as hardware and concerns about networks connecting computers as well as computers themselves.’’3
One researcher has defined three levels of computer ethics: pop, para, and theoretical.4 Pop computer ethics is simply the exposure to stories and reports found in the popular media regarding the good or bad ramifications of computer technology. Society at large needs to be aware of such things as computer viruses and computer systems designed to aid handicapped persons. Para computer ethics involves taking a real interest in computer ethics cases and acquiring some level of skill and knowledge in the field. All systems professio- nals need to reach this level of competency so they can do their jobs effectively. Students of accounting information systems should also achieve this level of ethical understanding. The third level, theoretical computer ethics, is of interest to multidisciplinary researchers who apply the theories of philosophy, sociology, and psychology to computer science with the goal of bringing some new understanding to the field.
A New Problem or Just a New Twist on an Old Problem?
Some argue that all pertinent ethical issues have already been examined in some other domain. For example, the issue of property rights has been explored and has resulted in copyright, trade secret, and patent laws. Although computer programs are a new type of asset, many believe that these programs should be considered no differently from other forms of property. A fundamental question arising from such debate is whether computers present new ethical problems or just create new twists on old problems. Where the latter is the case, we need only to understand the generic values that are at stake and the principles that should then apply.5 However, a large contingent vociferously disagree with the premise that computers are no different from other technology. For example, many reject the notion of intellectual property being the same as real property. There is, as yet, no consensus on this matter.
Several issues of concern for students of accounting information systems are discussed in the following section. This list is not exhaustive, and a full discussion of each of the issues is beyond the scope of this chapter. Instead, the issues are briefly defined, and several trigger questions are provided. Hopefully, these questions will provoke thought and discussion in the classroom.
Privacy
People desire to be in full control of what and how much information about themselves is available to others, and to whom it is available. This is the issue of privacy. The creation and maintenance of huge, shared databases make it necessary to protect people from the potential misuse of data. This raises the issue of ownership in the personal information industry.6 Should the privacy of individuals be protected through policies and systems? What information about oneself does the individual own? Should firms that are unrelated to individuals buy and sell information about these individuals without their permission?
Security (Accuracy and Confidentiality)
Computer security is an attempt to avoid such undesirable events as a loss of confidentiality or data integrity. Security systems attempt to prevent fraud and other misuse of computer systems; they act to protect and further the legitimate interests of the system’s constituencies. The ethical issues involving security arise from the emergence of shared, computerized databases that have the potential to cause irreparable harm to individuals by disseminating inaccurate information to authorized users, such as through incorrect credit reporting.7 There is a similar danger in disseminating accurate information to persons unauthorized to receive it. However, increasing security can actually cause other problems. For example, security can be used both to protect personal property and to undermine freedom of access to data, which may have an injurious effect on some individuals. Which is the more important goal? Automated monitoring can be used to detect intruders or other misuse, yet it can also be used to spy on legitimate users, thus diminishing their privacy. Where is the line to be drawn? What is an appropriate use and level of security? Which is most important: security, accuracy, or confidentiality?
Ownership of Property
Laws designed to preserve real property rights have been extended to cover what is referred to as intellectual property, that is, software. The question here becomes what an individual (or organization) can own. Ideas? Media? Source code? Object code? A related question is whether owners and users should be con- strained in their use or access. Copyright laws have been invoked in an attempt to protect those who develop software from having it copied. Unquestionably, the hundreds of thousands of program development hours should be protected from piracy. However, many believe the copyright laws can cause more harm than good. For example, should the look and feel of a software package be granted copyright protection? Some argue that this flies in the face of the original intent of the law. Whereas the purpose of copyrights is to promote the progress of science and the useful arts, allowing a user interface the protection of copyright may do just the opposite. The best interest of computer users is served when industry standards emerge; copyright laws work against this. Part of the problem lies in the uniqueness of
5 G. Johnson, ‘‘A Framework for Thinking about Computer Ethics,’’ in J. Robinette and R. Barquin (eds.), Computers and Ethics: A Sourcebook for Discussions (Brooklyn: Polytechnic Press, 1989): 26–31.
6 W. Ware, ‘‘Contemporary Privacy Issues’’ (Working paper for the National Conference on Computing and Human Values, August 1991).
7 K. C. Laudon, ‘‘Data Quality and Due Process in Large Interorganizational Record Systems,’’ Communications of the ACM (1986): 4–11.
software, its ease of dissemination, and the possibility of exact replication. Does software fit with the cur- rent categories and conventions regarding ownership?
Equity in Access
Some barriers to access are intrinsic to the technology of information systems, but some are avoidable through careful system design. Several factors, some of which are not unique to information systems, can limit access to computing technology. The economic status of the individual or the affluence of an organization will determine the ability to obtain information technology. Culture also limits access, for example, when documentation is prepared in only one language or is poorly translated. Safety features, or the lack thereof, have limited access to pregnant women, for example. How can hardware and software be designed with consideration for differences in physical and cognitive skills? What is the cost of providing equity in access? For what groups of society should equity in access become a priority?
Environmental Issues
Computers with high-speed printers allow for the production of printed documents faster than ever before. It is probably easier just to print a document than to consider whether it should be printed and how many copies really need to be made. It may be more efficient or more comforting to have a hard copy in addition to the electronic version. However, paper comes from trees, a precious natural resource, and ends up in landfills if not properly recycled. Should organizations limit nonessential hard copies? Can nonessential be defined? Who can and should define it? Should proper recycling be required? How can it be enforced?
Artificial Intelligence
A new set of social and ethical issues has arisen out of the popularity of expert systems. Because of the way these systems have been marketed—that is, as decision makers or replacements for experts—some people rely on them significantly. Therefore, both knowledge engineers (those who write the programs) and domain experts (those who provide the knowledge about the task being automated) must be concerned about their responsibility for faulty decisions, incomplete or inaccurate knowledge bases, and the role given to computers in the decision-making process.8 Further, because expert systems attempt to clone a manager’s decision-making style, an individual’s prejudices may implicitly or explicitly be included in the knowledge base. Some of the questions that need to be explored are: Who is responsible for the com- pleteness and appropriateness of the knowledge base? Who is responsible for a decision made by an expert system that causes harm when implemented? Who owns the expertise once it is coded into a knowledge base?
Unemployment and Displacement
Many jobs have been and are being changed as a result of the availability of computer technology. People unable or unprepared to change are displaced. Should employers be responsible for retraining workers who are displaced as a result of the computerization of their functions?
Misuse of Computers
Computers can be misused in many ways. Copying proprietary software, using a company’s computer for personal benefit, and snooping through other people’s files are just a few obvious examples.9 Although copying proprietary software (except to make a personal backup copy) is clearly illegal, it is commonly done. Why do people think that it is not necessary to obey this law? Are there any good arguments for trying to change this law? What harm is done to the software developer when people make unauthorized copies? A computer is not an item that deteriorates with use, so is there any harm to the employer if it is used for an employee’s personal benefit? Does it matter if the computer is used during company time or outside of work hours? Is there a difference if some profit-making activity takes place rather than, for example, using the computer to write a personal letter? Does it make a difference if a profit-making activity takes place during or outside working hours? Is it okay to look through paper files that clearly belong to someone else? Is there any difference between paper files and computer files?
SARBANES-OXLEY ACT AND ETHICAL ISSUES
Public outcry surrounding ethical misconduct and fraudulent acts by executives of Enron, Global Crossing, Tyco, Adelphia, WorldCom, and others spurred Congress into passing the American Competitive- ness and Corporate Accountability Act of 2002. This wide-sweeping legislation, more commonly known as the Sarbanes-Oxley Act (SOX), is the most significant securities law since the Securities and Exchange Commission (SEC) Acts of 1933 and 1934. SOX has many provisions designed to deal with specific problems relating to capital markets, corporate governance, and the auditing profession. Several of these are discussed later in the chapter. At this point, we are concerned primarily with Section 406 of the act, which pertains to ethical issues.
Section 406—Code of Ethics for Senior Financial Officers
Section 406 of SOX requires public companies to disclose to the SEC whether they have adopted a code of ethics that applies to the organization’s chief executive officer (CEO), CFO, controller, or persons per- forming similar functions. If the company has not adopted such a code, it must explain why. A public company may disclose its code of ethics in several ways: (1) included as an exhibit to its annual report, (2) as a posting to its Web site, or (3) by agreeing to provide copies of the code upon request.
Whereas Section 406 applies specifically to executive and financial officers of a company, a company’s code of ethics should apply equally to all employees. Top management’s attitude toward ethics sets the tone for business practice, but it is also the responsibility of lower-level managers and nonmanagers to uphold a firm’s ethical standards. Ethical violations can occur throughout an organization from the boardroom to the receiving dock. Methods must therefore be developed for including all management and employees in the firm’s ethics schema. The SEC has ruled that compliance with Section 406 necessitates a written code of ethics that addresses the following ethical issues.
CONFLICTS OF INTEREST. The company’s code of ethics should outline procedures for dealing with actual or apparent conflicts of interest between personal and professional relationships. Note that the issue here is in dealing with conflicts of interest, not prohibiting them. Whereas avoidance is the best pol- icy, sometimes conflicts are unavoidable. Thus, one’s handling and full disclosure of the matter become the ethical concern. Managers and employees alike should be made aware of the firm’s code of ethics, be given decision models, and participate in training programs that explore conflict of interest issues.
FULL AND FAIR DISCLOSURES. This provision states that the organization should provide full, fair, accurate, timely, and understandable disclosures in the documents, reports, and financial statements that it submits to the SEC and to the public. Overly complex and misleading accounting techniques were used to camouflage questionable activities that lie at the heart of many recent financial scandals. The objective of this rule is to ensure that future disclosures are candid, open, truthful, and void of such deceptions.
LEGAL COMPLIANCE. Codes of ethics should require employees to follow applicable governmental laws, rules, and regulations. As stated previously, we must not confuse ethical issues with legal issues. Nevertheless, doing the right thing requires sensitivity to laws, rules, regulations, and societal expectations. To accomplish this, organizations must provide employees with training and guidance.
INTERNAL REPORTING OF CODE VIOLATIONS. The code of ethics must provide a mechanism to permit prompt internal reporting of ethics violations. This provision is similar in nature to Sections 301 and 806, which were designed to encourage and protect whistle-blowers. Employee ethics hotlines are emerging as the mechanism for dealing with these related requirements. Because SOX requires this function to be confidential, many companies are outsourcing their employee hotline service to independent vendors.
ACCOUNTABILITY. An effective ethics program must take appropriate action when code violations occur. This will include various disciplinary measures, including dismissal. Employees must see an employee hotline as credible, or they will not use it. Section 301 directs the organization’s audit committee to establish procedures for receiving, retaining, and treating such complaints about accounting procedures and internal control violations. Audit committees will also play an important role in the oversight of ethics enforcement activities.
Comments
Post a Comment