Control Self-Assessment

Control Self-Assessment

Controls Assessment (Chapter 10)FrameworksPrisoner’s DilemmaWorldcom’s Prisoner’s DilemmaEthics and IT (in Hong Kong)Practicum: St James Clothiers

(IT-based vs. Manual Accounting Systems)

What is ‘Control Self-

Assessment’?

DEFINITIONControl Self-assessment (CSA) is a leading edge process

in which auditors facilitate a group of staff members

who have expertise in a specific process,

with the objective of identifying opportunities for internal control enhancement

pertaining to critical operating areas designated by management

Nascency Originally a way of measuring ‘soft controls' which

traditional auditing found difficult to measure, e.g.Management integrity, honesty, trustWillingness of employees to circumvent controlsEmployee morale

The tone and ethics of a firm are set by top management And this is a way of eliciting these

It’s become especially important post Sarbanes-Oxley

Why is CSA Important? Without commitment to good internal control

And inherent honest and ethical behavior of employees throughout the organization

Internal control systems (preventive, detective and corrective) Would quickly become the single most expensive part of the firm’s

accounting systems Internal and external audits would become prohibitively expensive Financial statements would lose their value to outside investors

Causing stock price to fallBank borrowing interest rates to riseAnd firm operations to cease being competitive

This happened in some of Arthur Andersen’s clients Where financial statements came to be known as: Andersen’s Fairy Tales

COSO Framework COSO (Committee of Sponsoring Organizations of

the Treadway Commission) Founded in aftermath of the 1977 Lockheed Scandal

Internal Control was supposed to insure:Effectiveness and efficiency of operationsReliability of financial reportingCompliance with applicable laws and regulations

COCO Framework CoCo (Criteria of Control Board)

Founded by Canadian Institute of Chartered AccountantsThe world’s premier group in setting internal auditing

standards

Internal Control was supposed to insure:Effectiveness and efficiency of operationsReliability of financial reportingCompliance with applicable laws and regulations & internal

policies

Cadbury Framework Committee of the Financial Aspects of Corporate Governance

of the Institute of Chartered Accountants in England and Wales (Cadbury Committee … you can see why they adopted the latter name) Contemporaneous with CoCo

Internal Control was supposed to insure: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations Safeguarding of assets against unauthorized use of disposition Maintenance of proper accounting records and the reliability of

financial information used with in the business or for publication

COBIT Framework COBIT (Control Objectives for Information and Related

Technology) Contemporaneous with CoCo and Cadbury

Internal Control was supposed to insure: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations Safeguarding of assets against unauthorized use of disposition Maintenance of proper accounting records and the reliability of

financial information used with in the business or for publicationAn important difference as COBIT was directed specifically

towards Information Technology

SAC / eSAC Framework SAC (Systems Auditability and Control report)

Originally published in 1977, but updated in 1991-4 contemporaneous with CoCo and Cadbury

Internal Control insure the same things as CoCo and Cadbury But provide an extensive module-based framework

Audit & control Environment IT in Auditing Managing computer resources Managing Information and Developing System Business Systems End user and Departmental Computing Telecommunications Security Contingency Planning Emerging tech

An important difference as SAC / eSAC was directed specifically towards Information Technology, and provides more detailed direction for IT audits

SASs 55, 78 & 94 Extensions to the COSO Framework that are essentially

summarized in SAS 94 (2001)

Specific IT related Internal Control risks are targeted: Reliance on IT that is inaccurately processing data Unauthorized access to data, destruction, inaccurate recording, privacy

breach Unauthorized changes to systems Failure to make needed changes to systems Inappropriate manual intervention Potential loss of data

SAS 94 also emphasizes the importance of specialized IT Auditing skills (important for this class)

Practicum: Evaluation of Manual & IT-Based

Sales Accounting System Risks

St. James Clothiers

Prisoner's dilemma Two suspects A, B are arrested by the police. The police have insufficient evidence for a conviction, and having separated both

prisoners, visit each of them and offer the same deal: If one testifies for the prosecution (turns King's Evidence) against the other and the other

remains silent, the silent accomplice receives the full 10-year sentence and the betrayer goes free.

If both stay silent, the police can only give both prisoners 6 months for a minor charge. If both betray each other, they receive a 2-year sentence each.

This can be summarized:

Prisoner A Stays Silent Prisoner A Betrays

Prisoner B Stays Silent Bother Serve 6 months

Prisoner B serves ten years; Prisoner A goes free

Prisoner B Betrays

Prisoner A serves ten years; Prisoner B goes free Both serve two years

The Dilemma Each prisoner has two options:

to cooperate with his accomplice and stay quiet, or to betray his accomplice and give evidence.

The outcome of each choice depends on the choice of the accomplice. However, neither prisoner knows the choice of his accomplice.

The optimal solution would be for both prisoners to cooperate with each other, as this would reduce the total jail time served by the group to one year total.

Any other decision would be worse for the two prisoners considered together. However by each following their individual interests, the two prisoners each receive a lengthy sentence.

Prisoner's dilemma (Corporate Setting) Two officers of the corporation – the CEO and the Comptroller are arrested for Financial

Reporting fraud The police have insufficient evidence for a conviction (they didn’t take my course) and

having separated both prisoners, visit each of them and offer the same deal: If one testifies for the prosecution against the other and the other remains silent, the silent

accomplice receives the full 10-year sentence and the betrayer goes free. If both stay silent, the police can only give both prisoners 6 months for a minor charge. If both betray each other, they receive a 2-year sentence each.

This can be summarized:

Comptroller Cooperates Comptroller Betrays

CEO Cooperates -.5,-.5 0,-10

CEO Betrays -10,0 -2,-2

The Deal (another view) Or stated differently

Here is how the deal will look to the CEO and the Comptroller

Comptroller Cooperates Comptroller Betrays

CEO Cooperates Win-win Win much – lose much

CEO Betrays Lose much – win much Lose - lose

The Deal Or stated differently

Here is how the deal will look to the CEO and the Comptroller

Comptroller Cooperates Comptroller Betrays

CEO Cooperates Cooperation, 6 months eachComptroller Temptation to Defect

payoff of zero years

CEO BetraysCEO Temptation to Defect payoff

of zero years Sucker’s Payoff (two years each)

Why Ethics are Important! The prisoner's dilemma is a type of non-zero-sum game

it is assumed that each individual player ("prisoner") is trying to maximize his own advantage, without concern for the well-being of the other players.

In Econo-speak: The Nash equilibrium for this type of game does not lead to Pareto optimums (jointly optimum solutions)

Each side has an individual incentive to cheat even after promising to cooperate. This is the heart of the dilemma.

In the iterated prisoner's dilemma the game is played repeatedly. Thus each player has an opportunity to "punish" the other player for previous non-

cooperative play. Cooperation may then arise as an equilibrium outcome. The incentive to cheat may then be overcome by the threat of punishment, leading to

the possibility of a superior, cooperative outcome.

As the number of iterations approach infinity, the Nash equilibrium tends to the Pareto Optimum, because when you face eternity the threat of grudges is a grave one indeed

Fraud at WorldCom

A Corporate IT Auditing Ethical Dilemma

Oops On June 27, 2002, markets around the world were sent

reeling when it was discovered that WorldCom had overstated the prior 15 months of earnings by US$3.9 billion to which was later added another US$3.2 billion for a total of US$7.1 billion in accounting misstatements Ultimately the overstatement of income totaled $11 billion

For a company that reported US$1.4 billion net income in 2001 it seems difficult for the auditors to dismiss this as “immaterial.”

Great Auditing, guys Roman Weil, a professor of accounting at the

University of Chicago, noted that WorldCom’s fraudulent accounting “is so basic that I teach it in the second week of my class.”

Yet the ploy, which misclassified supposedly difficult-to-manipulate cash flows, fooled both Arthur Andersen and KPMG, two of the (at the time) Big 5 accounting firms.

Cash Flow “How do you fake cash flow?

You simply move the negative things – the cash outflows – out of the operating section and you move it into the investing or financing section.”

What was significant was that few companies used the stratagems that undermined Enron; but all corporations use cash flow and earnings before interest,

taxes depreciation, and amortization (EBITDA) as a measure of value.

And cash flow has been championed by the analysts’ community that claims that it is not subject to the ambiguities of “income.”

Blessed by Accountants Did generally accepted accounting principles

(GAAP) contribute to the fraud? Yes; indeed, GAAP is a prime enabler of fraud. Without

double-entry bookkeeping, frauds such as WorldCom’s could never be perpetrated.

From an accounting standpoint, WorldCom had impeccable financials Audited by the Big5 Success solidly founded on inviolable cash flows

Here’s Bernie Bernie Ebbers, one of its original

nine investors in LDDS, was called in to run the company in 1984 Ebbers was previously employed as

a milkman, bartender, bar bouncer, car salesman, truck driver, basketball coach and hotelier.

While he lacked technology experience, Ebbers later joked that his most useful qualification was being "the meanest SOB they

could find." Ebbers took less than a year to

make the company profitable.

Ebbers is now A Prisoner

Corporate Culture (does it matter)

Growth through acquisitions led to a hodgepodge of peoples and cultures

Ebbers called an internal effort to create a corporate code of conduct a "colossal waste of time" encouraged "a systemic attitude conveyed from the top

down that employees should not question their superiors, but simply do what they were told"

Goals "Our goal is not to capture market share or be

global. Our goal is to be the No. 1 stock on Wall Street.“

Ebbers, in 1997

Revenue growth was a key to increasing the company's market value. the demand for revenue growth was "in every brick in every

building,"

Accounting at WorldCom It all centered on Accruals and Culture

Discuss Culture

“… you need to book the entry.“ Myers to David Schneeman, acting CFO of UUNET

When Schneeman refused, Myers told him "Book it right now, I can't wait another minute"

"Here's your number" Myers telling Timothy Schneberger, Director of International Fixed Costs to

release $370 millions of accruals

The Audit ‘Profession’ Arthur Andersen, WorldCom's independent external auditor,

from 1990 to 2002 called WorldCom its "flagship" and most "highly coveted" client, the firm's "Crown

Jewel" Andersen wanted to be considered as a committed member of

WorldCom's team. After WorldCom merged with MCI.

Andersen, which had a Mississippi-based team of 10—12 people working full-time on WorldCom's audits,

under-billed the company and justified the lower charges as a continuing investment in its

WorldCom relationship.

The Bottom Line Who was responsible for WorldCom’s Fraud? What was responsible for WorldCom’s Fraud? Why was it responsible for WorldCom’s Fraud?

Discuss

Ethics in ActionTrue stories from Hong Kong

Technology Hype: Pollution Control

A businesswoman with government ties gets an exclusive contract from the Environmental Protection Department to

supply high tech ‘exhaust cleaners’ to clean up the pollution from diesel taxis and buses in the city

These ‘exhaust cleaners’ are later found to be empty tins with a little steel wool thrown into them,

that were sold to the government at 300% markup The businesswoman uses the proceeds from her scam to promote the IPO of a

new company selling her ‘exhaust cleaners’ And promptly transfers the proceeds of the IPO to another company

Question: Was the businesswoman (1) clever, (2) working through a tradition of ‘guanxi’,

or (3) unethical? What remedy would you prescribe to compensate residents whose health has

deteriorated because of the pollution? To the taxpayers who paid for the scam?

Technology Hype: Pollution Control, part 2

A financial analyst and a celebrity columnist for the local newspaper find out about the bogus ‘exhaust cleaner’ scam, and publish their findings in the newspaper and on the Internet The businesswoman’s husband (who is owner of the company that was IPO’d) Posts material to his own Web site impugning the financial analyst’s character Falsely accusing the analyst of being a ‘porn star’

Question: The businesswoman’s husband (1) was justified in venting his personal anger, (2)

should adjust his medication, or (3) is unethical? What remedy would you prescribe to compensate the analyst?

Yes, Virginia, there is a Santa Claus

A businessman runs a successful business selling plastic Christmas trees He announces plans to sell off this core business (accounting for 99.9% of revenue) To reposition the firm as a producer of game software In order to justify this shift, the businessman claimed last year’s reported profits

dropped 9.6% in the core business whereas they actually increased profits 12.5%

Subsequent analysis revealed that the sale of the plastic Christmas tree business would be to a related party at a substantial discount to the value of the business.

The difference would be borne by (expropriated from) the minority shareholders

Question: Was the businessman (1) ‘clever’, or (2) properly exercising his ‘guanxi’ or (2)

unethical?

What remedy would you prescribe to compensate minority shareholders? Would you recommend that next time they should heed the dictum ‘caveat emptor’ – let the buyer beware?

Cyber-sport

A businessman uses his government ties To coerce the government to subsidize (at taxpayer expense of

$10 billion) a large property development on the last developable ocean view property in the city

The businessman promises that the unique design of this property will make the city a world leader in information technology The property is 75% residential, with another 15% dedicated to

shopping; The remaining 10% is office space no different than available

elsewhere in the city for 50% of the price

Question: Was the businessman (1) ‘clever’, or (2) properly exercising his

‘guanxi’ or (2) unethical?

What remedy would you prescribe to compensate taxpayers?

Cyber-sport, part 2 A businessman uses his investment in government subsidized real estate

To promote an IPO in stock Based on promises of this company becoming a leading global information technology firm The businessman spent millions on marketing firms, ghost writers and payments to create an

image of high technology for himself and his firm

An analysis of the assets of the firm indicates an IPO value of $5 per share, maximum The local securities firm handling the IPO estimates the share value at $25 per share Analysts who contradicted the $25 share price were followed by private investigators The IPO was successful, and the businessman immediately transferred $1 billion from the

IPO into one of his other companies The stock price subsequently collapsed to under $2 per share

Question: Was the businessman (1) ‘clever’, or (2) unethical? What remedy would you prescribe to compensate investors, many of whom were pensioners

or had placed their life savings in these shares?

Cyber-sport, part 3 Government bureaucrats, being unwilling to renege on their real

estate subsidy Instead takes an ownership position in the property And dictate that rental prices will be substantially less than for

property owned by rival property developers This essentially robs paying customers from other property And further depresses the cities property market

Driving investment overseas

Question: The bureaucrats (1) were right to save ‘face’, or (2) were doing their

civil service by protecting the taxpayers subsidy (i.e., two wrongs might make a right) or (3) unethical?

What remedy would you prescribe to compensate rival property owners,

or are they all just too rich and powerful to deserve helping?

Loose Lips

The chairman of a stock exchange publicly announces that he is considering delisting a technology-heavy class of stocks The next trading day, prices collapse, and sell-side liquidity drops

to zero, resulting in investor losses in the billions Acquisitive companies purchase the nearly valueless shares, gain

control, strip the assets from the firms, and fire management and employees

Question: Was the stock exchange chairman (1) careless, or (2) unethical? What remedy would you prescribe to compensate investors,

managers and employees who have been wronged, many of whom were pensioners or had placed their life savings in these shares?

Should the exchange chairman be fired?

Accounting for Technology The President of the Professional Society of Accountants

objects to new accounting rules as ‘invasive’ These rules would crack down on corporate crooks who have used ‘technology hype’ and faulty accounting for

technology assets to rob investors of trillions of dollars, putting it into their own off-shore bank accounts

there are no other rules or regulations in force which will catch the crooks

Question: Question: Accountants (1) have no duty to protect investors, only to make

sure that accounts satisfy accounting principles, or (2) the President of the Professional Society of Accountants has made an unethical recommendation, or (3) something else?

What remedy would you prescribe to compensate investors, managers and employees who have been wronged by these corporate crooks? Should accountants be sued for their part in helping the crooks?