
FRAUD IN THE AIS

Fraud in the AIS


Professor Daniel Acheampong
ACC 564 Accounting Information Systems
December 15, 2013



An effective accounting information system is a key factor in protecting organizations
from embezzlement or fraud. The accounting information system should be designed and used as
a control tool that prevents theft, whether internal or external. Unfortunately, cases in which
theft occurs or the accounting information system fails to prevent embezzlement happen often.
The failure of an accounting information system occurs due to a flaw in the controls of the
system or manipulation of the system by an internal user. According to estimates of the
Association of Certified Fraud Examiners, the average company loses seven percent of its
revenues to fraud, although much of this fraud involves external parties, such as shoplifting
by customers and cheating by suppliers (Arens et al., 2010).
In 2011, Ausaf Siddiqui was convicted and sentenced for a four-year embezzlement
scheme. Beginning in 2004, Siddiqui manipulated the system by completely bypassing all
internal controls. As an executive for Fry's Electronics, he convinced suppliers to pay him
directly for products instead of his employer. Ausaf Siddiqui went to his supervisors and
convinced them he would be able to obtain products at a reduced rate compared to their current
vendors. In actuality, Siddiqui created dummy supplier companies for Fry's to pay in advance,
and then he would purchase the products from suppliers at a different rate than he reported to
Fry's. Federal authorities discovered the scheme and arrested Siddiqui before his
employer was even aware of any issues.
Fry's failed to protect the company's interests in this particular case. Fry's gave Siddiqui
the opportunity to complete the scheme when, as vice president of operations and
purchasing, he was allowed to make purchasing decisions while also having authority to approve
supplier payments. Ausaf bypassed the accounting information system completely when he authorized
the purchasing of products and did not enter any of the items. The information he did enter was
for payments to the dummy companies he set up for himself. This occurred so he could pocket
as much of the profits as he wanted without anyone at Fry's being aware.
Good internal control requires that no single employee be given too much responsibility
over business transactions or processes (Romney & Steinbart, 2012). Fry's should have made
sure all of the duties in the purchasing department were segregated. It is important to segregate
the duties of accounting and also the systems duties. In this case, Fry's failed to segregate
the authorization and recording duties. According to Romney and Steinbart (2012), the effective
segregation of accounting duties is achieved when the following functions are separated:

Authorization - approving transactions and decisions

Recording - preparing source documents; entering data into online systems;
maintaining journals, ledgers, files or databases; and preparing reconciliations and
performance reports

Custody - handling cash, tools, inventory, or fixed assets; receiving incoming
customer checks; writing checks

Any management team should be responsible for implementing controls to prevent
embezzlement in their organization. Unfortunately, employees are able to hide their
dishonesty in certain accounting systems, solely due to their knowledge. If an employee
knows the full ins and outs of an accounting system, this knowledge can be used for
deception. Ausaf Siddiqui manipulated the records on product requisitions and purchase
orders. Adequate documents and records are also a vital part of internal controls
within an accounting information system. Certain principles dictate the proper design
and use of documents and records (Arens et al., 2010). Arens et al. also state that
documents and records should be:

Prenumbered consecutively to facilitate control over missing documents and as an
aid to locating documents when they are needed at a later date. Prenumbered
documents are important for the completeness transaction-related audit objective.

Prepared at the time a transaction takes place, or as soon as possible thereafter, to
minimize timing errors.

Designed for multiple use, when possible, to minimize the number of different
forms.

Constructed in a manner that encourages correct preparation. This can be done by
providing internal checks within the form or record.

Management has to make the proper decisions pertaining to the controls of their
organization and protection of its accounting information systems. In addition to segregation of
duties and proper documentation, Romney and Steinbart note that it is important for an
organization to:

Create and enforce appropriate policies and procedures.
Maintain accurate records of all assets.
Restrict access to assets.
Protect records and documents.

The protection of an accounting information system from embezzlement or fraud can be
complicated. Some organizations utilize a third-party accounting system which takes on a
majority of the complex control and design of accounting information systems. In one survey,
some 73% of companies outsourced some or all of their information systems, and most
outsourced to several companies to increase flexibility, foster competition, and reduce costs
(Romney & Steinbart, 2012). Using a third-party system has disadvantages and can have a
negative impact on an organization. Management will have to take into consideration the exposure
to financial, technology and regulatory risks when using a third-party service provider. If a
breach occurs and embezzlement or fraud is a product of that breach, management and the
service provider are responsible. The organization has a high level of responsibility due to its
choice of using an outside source to process and maintain its financial information.
Therefore, a service provider also has a high level of responsibility when a security
breach happens. Typically, the service provider will take steps to prevent a breach in
the future and also review the incident to determine the cause. Consequently, most
organizations may choose to discontinue service with the provider, mainly due to the exposure
of confidential information with the loss of privacy. Service providers have as much
responsibility as the organization to protect any and all data.
With the advances in accounting, Fry's Electronics could utilize new techniques to
protect its assets from internal and external threats. First and foremost, it should implement
and enforce the use of an adequate accounting information system. According to the AICPA, an
AIS has five primary objectives: to identify and record all valid transactions, properly classify
transactions, record transactions at their proper monetary value, record transactions in the
proper accounting period, and properly present transactions and related disclosures in the
financial statements (Romney & Steinbart, 2012).
Once the system is in place, monitoring and auditing of the system periodically will
prevent and help identify fraud. A procedure needs to be in place for both monitoring certain
activities and auditing specific duties. Management must set a standard for employees in an
organization on the importance of an accounting information system and its maintenance.
Employees should be trained on the system, monitored while using the system, and expected to
report any suspicious behavior from others regarding embezzlement or fraud.
Organizations need to be vigilant and punish any employee or executive who exhibits
fraudulent behavior. When fraud occurs, organizations need to be responsible and take action to
prevent this type of behavior in the future. Conducting periodic audits of an accounting
information system should also identify possible frauds. Internal audits assess the reliability and
integrity of financial and operating information, evaluate internal control effectiveness, and
assess employee compliance with management policies and procedures as well as applicable
laws and regulations (Romney & Steinbart, 2012). Auditing typically dissuades employees
from attempting fraud. Individuals are less likely to exhibit negative behavior when they are
aware of being watched or know they can be caught.
Fry's should make sure to have an audit committee that will handle internal audits. The
committee is independent from the accounting and operation functions of an organization. An
internal auditor could have identified the kickback scheme of Ausaf Siddiqui if Fry's had been
utilizing this type of technique within an accounting information system.
Another advancement Fry's Electronics could incorporate within its
accounting information system is a forensic specialist. A computer forensic specialist can
evaluate an accounting information system, determine if fraudulent activity occurred, and
identify the culprit. A Deloitte & Touche forensics team uncovered evidence that helped convict
a Giant Supermarket purchasing manager who had accepted over $600,000 in supplier
kickbacks (Romney & Steinbart, 2012). This was very similar to the kickback scheme of Ausaf
Siddiqui.
Ausaf manipulated the expenditure cycle of the accounting system. The primary
objective in the expenditure cycle is to minimize the total cost of acquiring and maintaining
inventories, supplies, and the various services the organization needs to function (Romney &
Steinbart, 2012). Ausaf used this objective to convince his employer of his capacity to
minimize costs and provide quality product at optimal prices. If Fry's had utilized an EDI
system, it would have reduced the number of product orders and streamlined the process, which
would have eliminated Ausaf's involvement with their suppliers.
The EDI system may completely prevent the opportunity of a kickback scheme. Access
to the EDI system should be controlled and limited to authorized personnel through the use of
passwords, user IDs, access control matrices, and physical access controls (Romney &
Steinbart, 2012). Encryption provides privacy in an EDI system, and a periodic review of
transactions can determine if transactions are processed properly by established procedures. In
addition to EDI, an approved supplier list that is periodically reviewed can also help. Using
approved suppliers only and having authorization procedures for those suppliers will hopefully
prevent a kickback scheme.
The last technique which could have prevented the kickback scheme is an effective
detection control called a supplier audit. An audit of the supplier and its records can identify
problems such as a supplier having fictitious third-party invoices or duplicate billings.
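
The controls discussed so far (segregation of authorization and recording, an approved supplier list, prenumbered documents, and a check for duplicate billings) can be run together as a periodic review of payment records. The following is an added example, not part of the original paper; the record fields, supplier IDs, user names and amounts are constructed for illustration.

```python
from collections import Counter

# Constructed sample data for illustration (not taken from the case).
APPROVED_SUPPLIERS = {"S-100", "S-200"}
PAYMENTS = [
    {"doc_no": 1001, "supplier": "S-100", "invoice": "INV-7", "amount": 500.0,
     "authorized_by": "alice", "recorded_by": "bob"},
    {"doc_no": 1002, "supplier": "S-200", "invoice": "INV-9", "amount": 1200.0,
     "authorized_by": "carol", "recorded_by": "bob"},
    # One person both authorizes and records a payment to an unlisted supplier.
    {"doc_no": 1003, "supplier": "S-999", "invoice": "INV-1", "amount": 9000.0,
     "authorized_by": "dave", "recorded_by": "dave"},
    # Document 1004 is absent; 1005 bills the same invoice as 1002 again.
    {"doc_no": 1005, "supplier": "S-200", "invoice": "INV-9", "amount": 1200.0,
     "authorized_by": "carol", "recorded_by": "bob"},
]


def review_payments(payments, approved_suppliers):
    """Return (doc_no, finding) pairs for each control a payment fails."""
    billed = Counter((p["supplier"], p["invoice"], p["amount"]) for p in payments)
    findings = []
    for p in payments:
        if p["supplier"] not in approved_suppliers:
            findings.append((p["doc_no"], "unapproved_supplier"))
        # Segregation of duties: authorization and recording must be separate.
        if p["authorized_by"] == p["recorded_by"]:
            findings.append((p["doc_no"], "same_person_authorized_and_recorded"))
        if billed[(p["supplier"], p["invoice"], p["amount"])] > 1:
            findings.append((p["doc_no"], "duplicate_billing"))
    return findings


def missing_document_numbers(payments):
    """Gaps in the prenumbered sequence point to missing or withheld documents."""
    numbers = {p["doc_no"] for p in payments}
    if not numbers:
        return []
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]


if __name__ == "__main__":
    for doc_no, finding in review_payments(PAYMENTS, APPROVED_SUPPLIERS):
        print(doc_no, finding)
    print("missing document numbers:", missing_document_numbers(PAYMENTS))
```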
Fry's had several advances in accounting or techniques which could prevent
embezzlement. An outside agency identifying fraudulent behavior in your organization is
embarrassing. An organization should be ahead of the curve and know of any threats whether
internal or external.
Despite advances in accounting and the technology available to an organization, most of
the regulations pertain to the financial statements or actions of top management regarding
accuracy of those statements. Congress passed the Sarbanes-Oxley Act (SOX) in 2002. SOX
applies to publicly held companies and their auditors and was designed to prevent financial
statement fraud, make financial reports more transparent, protect investors, strengthen internal
controls, and punish executives who perpetrate fraud (Romney & Steinbart, 2012). It was a
very influential piece of legislation for business and for the accuracy of financial information
of publicly held companies. SOX placed more responsibility on upper management to put into place
internal controls for their organizations, which is a great addition for financial health.
When an organization has better internal controls, it is a lower risk and has
more opportunity for lower borrowing with creditors. Great internal control sets up good
corporate governance in an organization. Paul Coombes, former director and current advisor to
McKinsey & Company, and Professor Mark Watson conducted a study showing that investors
will pay as much as a 27% premium for shares in companies with good corporate governance
(Prentice & Bredeson, 2010). Section 302 of SOX covers the development of internal controls,
while Section 404 requires maintenance of those controls. Section 404 requires each annual
report to contain an internal control report stating the responsibility of management for
establishing and maintaining an adequate internal control structure so that accurate financial
statements could be produced, and containing an assessment, as of the end of the most recent
fiscal year, of the effectiveness of the internal control structure and procedures (Prentice &
Bredeson, 2010). This means executives in top management cannot simply say they were
unaware of any issues with financial statements to be free of implication.
The SOX act is not perfect, and as with any legislation it may need amendments going
forward to cover the crimes currently not penalized through its inception. With multiple sections
and sanctions created through SOX, none cover a kickback scheme. I think a new section should
be added for this type of embezzlement by an employee or manager. It should not only be
focused on executives; anyone that sets out to embezzle millions from their employer should
face punishment. Currently, with the Anti-Kickback Act of 1986, the only consequences
regarding kickbacks occur if a payment is made for the purpose of obtaining a federal
government contract or for referrals of services paid by a federal government health care
program.
Unfortunately, this leaves several organizations vulnerable, with no real protection if it
occurs. It is a form of theft, so an organization may prosecute an employee if they have
evidence. Various government agencies, such as the Office of Foreign Assets Control and the
Bureau of Industry and Security in the Department of Commerce, maintain lists of individuals
and companies with whom it is illegal to transact business (Romney & Steinbart, 2012). Of
course, this is beneficial in a government aspect but not if you are a small business or
privately owned.
Embezzlement can be very detrimental to a small business, which may never
recover. In 2005, I began working for a small paper manufacturing company in the Dallas area.
They were a small family-owned company, but they had huge customers in Walmart, Xerox, and
Best Buy. I was impressed by how small they were while still handling millions in profits. I thought
it was a great opportunity for me to learn a different industry in accounting. I arrived my first
day and, in my meeting with Human Resources, I was informed they did not offer any health
benefits or pension plan. The HR Manager explained I would have to pay for health insurance
myself and that as of January 2005 they no longer provided any of those benefits. At first I didn't
question it, but I became very curious and asked a coworker why the company didn't have any
benefits. My coworker explained that in the previous year, the payroll manager at the time had
embezzled more than 1 million from the company pension fund and bank accounts. The
company was forced to lay off several people when the embezzlement was discovered. They
were not able to cover paychecks or the retirement plans for several months after. The owner
was not able to prosecute the payroll manager, mainly because she skipped town and authorities
were not able to locate her. The company at the time did not have a control to keep this
employee from writing checks to her personal account. Of course, afterwards the company
changed their procedures and implemented new policies to protect themselves and employees.
Any organization, small or large, should have a strategy to deter fraud and have policies
in place if it occurs. Fry's Electronics will need to spend a significant amount of time
developing an efficient accounting system to prevent future business information failures. An
adequate accounting system which is efficient and reliable can eliminate risk, establish a
competitive advantage and provide information security. Organizations want protection of their
financial information, and their clients want trust that information is secure.
After the development of an efficient accounting information system, Fry's will need to
implement the system within their work environment. It is important to train employees and
make sure all appropriate parties are aware of procedures and policies. Proper control
procedures, especially segregation of duties, are needed to mitigate various threats such as
errors in performing expenditure cycle activities and the theft of inventory or cash (Romney &
Steinbart, 2012).
Internal controls of the accounting system should be in place at the time of
implementation and employees need proper knowledge of what their roles are within the
system. Employees should know consequences exist including termination when security
procedures are not followed. With proper training, employees can play an important role in
protecting the confidentiality of an organization's information and enhancing the effectiveness of
related controls.
Lastly, Fry's will need to maintain and monitor the accounting information system on a
regular basis. This will ensure internal controls are working properly and preventing threats of
possible fraud. Routine checks can also identify external threats to information within an
accounting information system. Hacking of an accounting information system by an outside
party is a real and present threat. Information security for an organization is a large
responsibility, and if a breach occurs it is typically detrimental.
Organizations need to be resourceful in developing and implementing a reliable
accounting system. New developments in technology continuously create new security threats
and make old solutions obsolete (Romney & Steinbart, 2012). Technology is continually
changing, and an organization will need to adjust to any new threats. With constant advances in
accounting and information security, Fry's Electronics could have protected their organization,
and hopefully they have done so since the costly incident with Ausaf Siddiqui.


References
Arens, A., Elder, R. J., & Beasley, M. 2010. Auditing and assurance services: 2010 custom
edition. 13th ed. Upper Saddle River, NJ: Pearson.
Romney, M. B., & Steinbart, P. J. 2012. Accounting Information Systems. 12th ed. Upper Saddle
River, NJ: Pearson.
Prentice, R., & Bredeson, D. 2010. Student Guide to the Sarbanes-Oxley Act. 2nd ed. Mason, OH:
South-Western.
