
CORPORATE CODES OF CONDUCT

One of the common controls in this area is the implementation of a Corporate Code of
Conduct. Such codes are directive controls and do not, by themselves, enforce ethical behavior.
Where they are combined with detective controls designed to identify breaches of the code and
corrective controls designed to take effective action where such breaches are identified, they
may serve as a means of expelling non-conforming members of the population.
Codes of conduct should be in place for all companies (recommended in 1987 by the
Treadway Commission and confirmed by King II) and should be enforced. They assist in
setting an ethical tone at the top of the organization and must apply to all levels from the top
down. They open channels of communication between management and employees and
assist in the prevention of, for example, fraudulent reporting.
Codes of conduct are based upon a shared understanding of values including, but not
limited to:
Honesty. No intentional deception.
Integrity. One standard of conduct for all involved.
Morality. Acting in terms of accepted social norms.
Equity. Acting in a fair manner with equal treatment for all.
Equality. Provision of equal opportunities to compete and collaborate in business
activities.
Accountability. To accurately record an individual's actions and to account to stakeholders
responsibly for those actions.
Loyalty. Trustworthy commitment to all those with whom an individual has dealings.
Respect. Recognition of the worth of superiors, subordinates, suppliers, and customers.
These values are normally aligned to the values statement to form the basis for the agreed
code of conduct.
Codes of conduct may typically take two forms:
1. Positive statements of honest intentions (all-embracing but impossible to control)
2. Lists of improper behavior (easier to audit but difficult to keep comprehensive)
Codes that have been observed to be most effective contain a combination of positive
generalizations and specific prohibitions. They include the basic rules and unacceptable
behavior and cover corporate positions and rules concerning:
Acceptance of gifts
Confidentiality
Conflicts of interest
Standards of corporate practice
It is inevitable that in the conduct of business ethical dilemmas will arise that have to be faced
and resolved as a result of conflicting values among various stakeholders. There is often no
way of telling which values are correct or incorrect because different people have different
values that they pursue.
IT GOVERNANCE
The word "govern" is derived from the Latin word gubernare, referring to the steering of a ship,
and the word "governor" from gubernator, which refers to the captain of a ship or
steersman. Business and corporate governance place the goal of business success within the
context of honest business behavior and sound stakeholder relations. The goal of governance is
to match business behavior and management conduct to mission and objectives.
With the focus on corporate governance, it was inevitable that IT governance would emerge as
one of the critical issues in the IT field. In well-managed companies, IT governance was
implemented in order to ensure the overall achievement of good management principles within
the organization. In others it has become just another set of rules to be complied with.
Governance responsibilities include setting the strategy, managing the risks, delivering
perceived value, and measuring achieved performance.
These responsibilities overall have been driven by the need to demonstrate the transparency
of risks to the enterprise, but the impact of IT on the organization as a whole has created a
need for a specific focus on IT governance. Risk management in these areas includes the
management of IT's impact on business continuity as well as reputational risk as a result of
failures within IT itself. Generally, then, IT governance is intended to facilitate the sustaining of
organizational operations directed toward implementation of its general business strategies
in the present and in the future.
IT governance itself has been defined as:
"the responsibility of the Board of Directors and executive management. It is an integral part
of enterprise governance and consists of the leadership and organizational structures and
processes that ensure that the organization's IT sustains and extends the organization's
strategy and objectives."
This indicates a clear difference between governance and IT management. Governance is
concerned with IT achieving the current and future information needs of the organization in
a controlled manner. Management focuses on ensuring an ongoing supply of quality services
and products at an acceptable cost.
From a governance perspective, the ultimate responsibility lies with the board of directors or
governing body of the particular institution. A critical part of the execution of this
responsibility lies in ensuring that the managerial levels understand the part they play in
achieving good governance and implement the appropriate control structures in order to
achieve it. Overall, the primary responsibility for implementing the strategic plans and
policies of the organization as laid down by the board rests on the Chief Executive Officer.
Given the critical role of information systems in achieving these strategies, the corporate IT
manager has a critical role to play in achieving good governance. The IT manager sets the
operating objectives for the IT function, ensuring alignment with the organizational strategic
objectives in order to provide the initial goals for the IT function. Management control is
achieved by creating a continuous feedback mechanism for measurement of performance,
comparison to objectives, refinement of processes where necessary, and realignment
of objectives where required.
One critical element of the governance process is the placement of the decision-making
role for IT within the organization. Centralized versus decentralized was the traditional choice,
but a more modern alternative is the federal structure, combining aspects of both, including
the flexibility of the decentralized approach.
Because IT governance occurs at different layers within the organization, Control Objectives
for Information and Related Technology (COBIT) addresses the governance issues via key goal
indicators and key performance indicators. The Board Briefing on IT Governance includes IT
governance checklists, a board IT governance toolkit, a management IT governance toolkit, and
detailed breakdowns of roles and responsibilities in achieving good IT governance.
Because both internal and external auditors are part of the conformance function of
corporate governance, it is critical that IT auditors are familiar with the roles and
responsibilities laid down in this document.
SARBANES-OXLEY ACT
The far-reaching Sarbanes-Oxley Act (2002) in the United States provides stringent legal
requirements to enforce sound corporate governance on all U.S. Securities and
Exchange Commission (SEC) registrants as well as their subsidiaries and associated entities,
wherever established and operating in the world. These requirements all contain references to
the important role of Audit Committees and Internal Audit in assisting management to ensure
the effectiveness of the corporate governance processes.
The Act itself primarily focuses on what is required for acceptable financial reporting; however,
the suggested internal control framework (Committee of Sponsoring Organizations [COSO]) to be
used for compliance with the Sarbanes-Oxley Act, as recommended by the SEC, addresses
the topic of IT control, although it does not dictate requirements for such control objectives
and related control activities, leaving such decisions to the discretion of each organization.
Section 404 of the Act requires that the management of public companies specified within
the Act assess the effectiveness of the internal control over financial reporting and report
annually on the result of that assessment. Given that financial reporting in such companies is
directly dependent on the establishment of a well-controlled IT environment, SEC registrants
must provide assurance that their IT controls are effective within their financial reporting
context. In its document "IT Control Objectives for Sarbanes-Oxley," the IT Governance Institute
discusses the IT control objectives that might be considered by organizations for assessing
their internal controls, as required by the Act.
PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS
With the increase in electronic commerce utilizing payment by electronic cards, the Payment
Card Industry Security Standards Council developed a set of standards to encourage
cardholder data security and facilitate the adoption of consistent data security measures on
a global basis. The second version became effective in January 2011 and consists of
12 significant requirements and multiple sub-requirements that contain numerous directives
against which businesses may measure their own payment card security policies, procedures,
and guidelines.
The Standards encompass:
Installing and maintaining a firewall configuration to protect cardholder data
Changing vendor-supplied defaults for system passwords and other security parameters
Protecting stored cardholder data
Encrypting transmission of cardholder data across open, public networks
Use of regularly updated antivirus software
Development and maintenance of secure systems and applications
Restriction of access to cardholder data by business need-to-know
Assignment of a unique ID to each person with computer access
Restriction of physical access to cardholder data
Tracking and monitoring of all access to network resources and cardholder data
Regular testing of security systems and processes
Maintenance of policies that address information security for all personnel
While the Standards have not yet been fully adopted on a worldwide basis, in the United
States some 46 states have implemented strict Security Breach Notification Laws, with some
states such as Nevada, Massachusetts, and Wisconsin specifically mentioning the Payment
Card Industry Data Security Standard (PCI DSS) and/or information security policies.

HOUSEKEEPING

Housekeeping procedures are intended to reduce the risk of loss or destruction of software and
information and to ensure that sensitive output does not fall into unauthorized hands. Such
procedures typically relate to the use of supplies, storage of software programs, handling of files
including backups, distribution of outputs, and general care of the hardware itself.

In a centralized information processing facility, housekeeping controls and procedures are normally
well established to ensure minimization of such risks. In a distributed, user-controlled environment,
however, such controls may not be as obviously required, leading to food and beverage
contamination of hardware; fire hazards caused by the use of multiple electrical adapters; data files
and backups lost, stolen, or strayed; and confidential information either left lying around or sent to
the wrong recipients.

The auditor must ensure that basic organizational controls are in place and effective in order to
minimize such elementary risks.
