INTRODUCTION TO THE NEED FOR A CODE OF ETHICS AND INTERNAL CONTROLS (STUDY OBJECTIVE 1)
During the early 2000s, a wave of information appeared in the news regarding company after company named in fraudulent financial reporting. Among the names were Enron Corp., Global Crossing USA, Inc., Adelphia Communications Corp., WorldCom Inc., and Xerox Corporation. In the case of Enron alone, fraudulent financial reporting led to the loss of billions of dollars for investors, job and retirement-fund losses for employees, the collapse of the Arthur Andersen LLP audit firm, and a further depressing of an already weak stock market. There are many other examples of such problems. An infamous example of fraud and bankruptcy is Phar-Mor, Inc. An examination of the Phar-Mor case illustrates the linkages among ethics, fraud, and internal control.
THE REAL WORLD
The drugstore chain Phar-Mor is a classic example of fraud leading to a bankruptcy and many other problems for investors and auditors. At the time Phar-Mor filed bankruptcy, it represented one of the largest cases of fraud in U.S. history. In that bankruptcy, investors lost nearly 1 billion dollars, and Phar-Mor closed many stores and dismissed thousands of workers. The fraud began when top management attempted to make its earnings match the budgeted amounts. Management, desperately trying to overstate revenues or understate expenses to meet expected earnings targets, used illegal accounting tricks such as falsifying inventory. Phar-Mor's top management behaved unethically and fraudulently in an attempt to achieve a desired result.
Although the Phar-Mor fraud scheme is an older example, it is important to study it as a classic case of the wrong approach to concepts in this chapter and the four that follow. Phar-Mor had unethical leaders, shoddy ethics enforcement, poor internal controls, relaxed corporate governance, weak IT systems, and faulty audits. It represents the poster child of a poor control environment.
When management is unethical, as in the Phar-Mor case, fraud is likely to occur. On the other hand, if the top management of a company emphasizes ethical behavior, models ethical behavior, and hires ethical employees, the chance of fraud or ethical lapses can be reduced. In the case of a company such as Phar-Mor, management did not act ethically and did not encourage ethical behavior. Although the company had written and adopted a code of ethics, most of the officers in the company were not aware that it existed.1 This is an indication that ethics were merely “window dressing” and that management did not wish to emphasize and model ethical behavior.
Another way that the Phar-Mor fraud could have been avoided or detected was through the proper operation of the accounting system and internal controls. For example, a good accounting system will process all checks through a bank account that is part of the normal payment approval process. In the case of Phar-Mor, management maintained a separate bank account and used it for fraudulent purposes. Checks drawn on this account did not go through a regular approval process. In summary, maintaining high ethics and following proper procedures can help prevent or detect many kinds of fraud.
In addition to acting ethically, the management of any organization has an obligation to maintain a set of processes and procedures that assure accurate and complete records and protection of assets. This obligation arises because many groups have expectations of management. First, management has a stewardship obligation to those who provide funds to, or invest in, the company. Stewardship is the careful and responsible oversight and use of the assets entrusted to management. This requires that management maintain systems which allow it to demonstrate that it has appropriately used these funds and assets. Investors, lenders, and funding agencies must be able to examine reports showing the appropriate use of funds or assets provided to management. Management must maintain accurate and complete accounting records and reports with full disclosure. Second, management has an obligation to provide accurate reports to those who are not owners or investors, such as business organizations with whom the company interacts and governmental units like the Internal Revenue Service (IRS) and the Securities and Exchange Commission (SEC).
Finally, to efficiently and effectively manage an organization, management and the board of directors must have access to accurate and timely feedback regarding the results of operations. An organization cannot determine whether it is meeting objectives unless it continuously monitors operations by examining reports that summarize the results of operations. In many cases, these reports are outputs of the computerized system. Therefore, IT systems must provide accurate and timely information in reports. When a vice president at Phar-Mor became concerned about the adequacy of the IT system and the resulting reports, he formed a committee to address the problems; however, the committee was squelched by members of senior management who were involved in the fraud.
The management obligations of stewardship and reporting point to the need to maintain accurate and complete accounting systems and to protect assets. To fulfill these obligations, management must maintain internal controls and enforce a code of ethics. If these two items are operating effectively, many types of fraud can be avoided or detected. Internal controls have been defined by several bodies, but perhaps the most encompassing description of accounting internal controls is contained in the Committee of Sponsoring Organizations'2 (COSO's) report on internal control.3 The COSO report defines internal control as follows:
a process, affected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- effectiveness and efficiency of operations
- reliability of financial reporting
- compliance with applicable laws and regulations.
These internal control processes and procedures will assist in protecting assets and ensuring accurate records. In addition to the accounting internal controls, an organization should also have internal controls covering its IT systems. If not properly controlled, IT systems may become exposed to the risks of unauthorized access, erroneous or incomplete processing, and interruption of service. Guidelines for IT controls are provided by the AICPA and are discussed later.
To help ensure accurate and complete accounting systems and reports, an organization should have good accounting internal controls, good IT controls, and an enforced code of ethics. A code of ethics is a set of documented guidelines for moral and ethical behavior within the organization. It is management's responsibility to establish, enforce, and exemplify the principles of ethical conduct valued in the organization. The importance of an ethics code is perhaps easier to see by looking at it from the opposite perspective. As has become obvious with the flood of accounting fraud scandals within the past decade at companies such as Enron, Worldcom, Global Crossing, and others, top management does not always exhibit ethical behavior. If management does not demonstrate ethical behavior, employees at all levels are much more likely to follow suit in their disregard for ethical guidelines. Of course, the opposite should also be true. Management that emphasizes and models ethical behavior is more likely to encourage ethical behavior in employees.
THE REAL WORLD
Even companies that have good ethics codes and enforcement must guard against fraud. Johnson & Johnson has always been known as a model of good corporate ethics. However, in 2007 an internal investigation revealed that certain sales units within the company were paying bribes to gain sales of medical devices in foreign countries. Johnson & Johnson voluntarily turned this information over to the U.S. Department of Justice, because such bribes are a violation of the Foreign Corrupt Practices Act. On April 8, 2011, Johnson & Johnson announced it had reached a negotiated settlement with the Department of Justice that avoided prosecution, yet the company did pay fines exceeding $70 million to the United States and Germany. The company's self-disclosure, full cooperation, and improved controls probably significantly reduced the punishment. This is an example of how fraud should be handled when discovered within a company's management. Strong attention to ethics and controls may not always prevent fraud, but it usually helps uncover fraud and lessen the effects.
In summary, a company that maintains a good system of accounting and IT internal controls and values ethical behavior will be more likely to avoid fraud, other ethical problems, and errors in accounting records. This chapter describes some types of fraud that can occur and provides details of internal control systems and ethics codes. It is not possible for a single chapter to include all potential types of fraud or the controls to prevent them. The purpose of this chapter is to explain some of these fraud schemes to help you see the nature of the risks involved. With an understanding of the risks, you will find it easier to learn the nature of accounting and IT internal control systems intended to prevent or detect errors and fraud.