
Auditing in a CIS Environment

Legal and Ethical Issues for IT Auditors


Code of Ethics

A document that outlines the mission and values of the business or organization,
how professionals are supposed to approach problems, the ethical principles based on
the organization's core values and the standards to which the professional will be held.

Importance of the Code of Ethics

1. Ethics is a set of principles that guides professional accountants in appropriately conducting and portraying themselves to help fulfil the responsibility of the profession.

2. The Code serves as the backbone or foundation of the profession in discharging its obligation by providing ethical principles and obliging professional accountants to adhere to those principles.

Information Systems Audit and Control Association (ISACA) Code of Ethics

ISACA sets forth this Code of Professional Ethics to guide the professional and
personal conduct of members of the association and/or its certification holders.

Code of Ethics for Auditors

1. Integrity

A professional accountant should be straightforward and honest in all professional and business relationships.

2. Objectivity

A professional accountant should not allow bias, conflict of interest or undue influence of others.

3. Professional Competence and Due Care

A professional accountant has a continuing duty to maintain professional knowledge and skill at the level required to ensure that a client or employer receives competent professional services based on current developments in practice, legislation and techniques. A professional accountant should act diligently and in accordance with applicable technical and professional standards when providing professional services.

4. Confidentiality

A professional accountant should respect the confidentiality of information acquired as a result of professional and business relationships and should not disclose any such information to third parties without proper and specific authority unless there is a legal or professional right or duty to disclose. Confidential information acquired as a result of professional and business relationships should not be used for the personal advantage of the professional accountant or third parties.

5. Professional Behavior

A professional accountant should comply with the relevant laws and regulations and should avoid any action that discredits the profession.

Irregular act:

1. An intentional violation of corporate policies or regulatory requirements

2. An unintentional breach of law

Illegal act:

Willful violations of laws or governmental regulations

Irregular and Illegal Acts

Irregular and illegal acts can have a negative impact on organizations, in terms of:

i. Financial aspects

ii. Reputation of the organization

iii. Productivity of the organization

iv. Retention of employees

Examples of illegal acts:

• Fraud

An act or course of deception, an intentional concealment, omission, or perversion of truth, in order to:

(1) gain unlawful or unfair advantage,

(2) induce another to part with some valuable item or surrender a legal right, or

(3) inflict injury in some manner

• Computer crimes / cybercrime

"Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)"

• Violations of intellectual property rights

IP rights - A right held by a person or by a company to have exclusive rights to use its own plans, ideas, or other intangible assets without the worry of competition, at least for a specific period of time.

Who is responsible for prevention, detection, and reporting?

IT auditors are NOT responsible for preventing and detecting illegal or irregular acts in an
organization

Then, whose responsibilities are those?

The management and Board of Directors of the organization are responsible. They must:

• adopt a preventative approach for identifying, analyzing and managing the risk of occurrences of illegal and irregular acts that could prevent the organization from achieving its business objectives or strategies;

• have detective procedures in place to increase their ability to detect and uncover occurrences of illegal and irregular acts;

• design response controls to take corrective action and to correct the illegal and irregular acts.

What is the IT Auditor's Responsibility?

• According to ISACA's IS Audit and Assurance Guideline 2207 Irregularity and Illegal Acts:

Section 2.3 Responsibilities of the Professionals

2.3.3 Professionals are NOT responsible for the prevention or detection of irregularities or illegal acts. An audit engagement cannot guarantee that irregularities will be detected. Even when the audit is planned and performed appropriately, irregularities could go undetected. The aim of an audit engagement is to determine whether controls are in place, adequate, effective and complied with.

2.3.4 Where professionals have specific information about the existence of an irregularity or illegal act, they have an obligation to report it.

2.3.5 Professionals should inform management and those charged with governance when they have identified situations where a higher level of risk exists for a potential irregularity or illegal act, even when none is detected.

How should the IT Auditor respond?

Section 2.6 Responding to Irregularities and Illegal Acts

2.6.2 Professionals should demonstrate an attitude of professional skepticism.

Indicators (or "red flags") of persons committing irregularities or illegal acts are:

• Overriding of controls by management

• Irregular or poorly explained management behavior

• Consistently over-performing, compared to set targets

• Problems with, or delays in, receiving requested information or evidence

• Transactions not following the normal approval cycles

2.6.3 When professionals become aware of information concerning a possible irregularity or illegal act, they should consider taking the following steps after direction from the appropriate legal authority:

• Obtain an understanding of the nature of the act

• Understand the circumstances in which the act occurred

• Gather evidence of the occurrence of the act

• Identify all persons involved in committing the act

• Obtain sufficient supportive information to evaluate the effect of the act

• Perform limited additional procedures to determine the effect of the act and whether additional acts exist

• Document and preserve all evidence and work performed

Regulatory & Legal Issues

• Some knowledge that auditors are required to have:

  • Legal contracts

  • Computer crime

  • Intellectual property rights

  • Privacy issues

a) Legal Contracts

• An agreement with specific terms between two or more persons or entities in which there is a promise to do something in return for a valuable benefit known as consideration.

• Examples of legal contracts:

  • Lease – a contract between a landlord and a tenant that specifies the terms under which the tenant has the right to use the landlord's property.

  • Employment contract – a legal agreement between a business and an employee that details the terms of employment, such as pay and benefits.

  • Sales contract – an agreement between two parties that details the terms of a financial transaction and documents the fact that ownership of an asset has transferred from seller to buyer.

  • Licensing agreement – a contract between the owner of intellectual property and an outside party that gives the outside party the right to use the intellectual property in a capacity specified in the agreement.

Types of Legally Binding Contract

A unilateral contract is a contract in which only one party makes an express promise, or undertakes a performance without first securing a reciprocal (mutual) agreement from the other party.

A bilateral contract is an agreement formed by an exchange of promises in which the promise of one party is consideration supporting the promise of the other party.

Employment Contracts

A written legal document that lays out binding terms and conditions of an employment relationship between an employee and an employer.

(1) Confidentiality Agreements

• A legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to or by third parties.

(Source: http://encyclopedia.thefreedictionary.com/Confidentiality+agreement)

• Also known as a non-disclosure agreement (NDA), confidential disclosure agreement (CDA), proprietary information agreement (PIA), or secrecy agreement.

• Content of the agreement:

  • Employee agrees not to divulge confidential information

  • Describes the nature of protected information

  • Lists permissible uses of such information

  • Identifies remedies for non-compliance

  • States the term of the agreement

(2) Trade Secret Agreements

A trade secret is a formula, practice, process, design, instrument, pattern, or compilation of information which is not generally known or reasonably ascertainable, by which a business can obtain an economic advantage over competitors or customers.
(Source: http://encyclopedia.thefreedictionary.com/trade+secret)

• Enforceable for an indefinite period of time.

(3) Discovery Agreements

• For employees hired to develop ideas and innovations.

• Agreement transfers ownership of the discovery to the employer.

• Prevents employees from claiming the discovery as their own property.

(4) Non-Compete Agreements

• Employee agrees not to work for a competing employer (including self) for:

  a. a specified time (must be reasonable)

  b. a specified geography

• Prevents the employee from working for other companies in connection with the design or sale of a competitive product.

• A monetary remedy may be awarded to the company for violation.

Computer Crime

• "Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)" (Halder & Jaishankar, 2011)

• Includes any behaviors that are deemed by states or nations to be illegal, for example:

a. Fraud achieved by the manipulation of computer records

b. Spamming wherever outlawed completely or where regulations controlling it are violated

c. Deliberate circumvention of computer security systems

d. Unauthorized access to or modification of computer programs or data

e. Intellectual property theft, including software piracy

f. Industrial espionage by means of access to or theft of computer materials

g. Identity theft where this is accomplished by use of fraudulent computer transactions

h. Writing or spreading computer viruses or worms

i. Salami slicing (http://www.pcpro.co.uk/news/201252/hacker-takes-50-000-a-few-cents-at-a-time)

j. Denial-of-service attack

Jurisdiction

• Internet users remain in physical jurisdictions and are subject to law independent of their presence on the Internet.

• A single transaction may involve the laws of at least three jurisdictions:

  • The laws of the state/nation in which the user resides

  • The laws of the state/nation that apply where the server hosting the transaction is located, and

  • The laws of the state/nation which apply to the person or business with whom the transaction takes place

Intellectual Property

• Those property rights which result from the physical manifestation of original thought.

Patents

• A patentable invention is any technical solution of a problem in any field of human activity which is new, involves an inventive step, and is industrially applicable.

Trademarks

• Any visible sign capable of distinguishing the goods (trademark) or services (service mark) of an enterprise, including a stamped or marked container of goods.

Copyrights

• A right granted by statute to the author or originator of literary, scholarly, scientific, or artistic productions, including computer programs.

Privacy

The right to be free from secret surveillance and to determine whether, when, how,
and to whom, one's personal or organizational information is to be revealed.

Specifically, privacy may be divided into four categories:

(1) Physical: restriction on others to experience a person or situation through one or more of the human senses;

(2) Informational: restriction on searching for or revealing facts that are unknown or unknowable to others;

(3) Decisional: restriction on interfering in decisions that are exclusive to an entity;

(4) Dispositional: restriction on attempts to know an individual's state of mind.

Four Types of Invasion of Privacy

• Intrusion

When a person invades another person's private affairs.

• Public Disclosure

When someone publishes hurtful, embarrassing or offensive facts about a person's private life.

• False Light

When someone produces false statements about a person or depicts that person in a false manner.

• Appropriation of Name or Likeness

The unauthorized commercial use of a person's name or image without his knowledge or approval.

It is critical that the organization implements an effective privacy program that includes:

a) A privacy statement

b) Written policies, procedures, controls, and processes.

c) Roles and responsibilities.

d) Employee training and education.

e) Monitoring and auditing.

f) Information security practices.

g) Incident response plans.

h) Privacy laws and regulations.

i) Plans for responding to detected problems and corrective action.


IT Auditor's Role in Privacy

• The IIA released Global Technology Audit Guide (GTAG) 5 – Managing and Auditing Privacy Risks to provide internal auditors and management with insight into privacy risks that the organization should address when it collects, uses, retains and discloses personal information.

• According to GTAG 5, good governance includes:

a) Identifying significant risks to the organization;

b) Ensuring appropriate controls are in place to mitigate these risks.

What are the benefits of good governance to organization?

a) Protecting the organization’s public image and brand

b) Protecting valuable data on the organization’s customers and employees

c) Achieving competitive advantage in the marketplace

d) Enhancing credibility and promoting confidence and goodwill

Specific activities that auditors can perform:

1. Work with legal counsel to determine what privacy legislation and regulations would be applicable to the organization.

2. Work with IT management and business process owners to assess whether information security and data protection controls are in place and are reviewed regularly.

3. Conduct privacy risk assessments, or review the effectiveness of privacy policies, practices, and controls across the organization.

4. Identify the types of personal information collected, the collection methodology used, and whether the organization's use of the information is in accordance with its intended use.

5. Review policies, procedures, and guidelines governing data flows and handling procedures.

6. Conduct an assessment of service providers' interactions, including a review of procedures and controls over providers who manage personally identifiable information or sensitive data on behalf of the organization.

7. Review current training practices and materials, and take inventory of the privacy awareness and training materials available and needed.

8. Perform a gap analysis of data flows and handling procedures against relevant policies, laws, regulations, and best practices for consistency and compliance.

GTAG 5 provides 10 privacy questions internal auditors should ask during a privacy assessment:

1. What privacy laws and regulations impact the organization?

2. What type of personal information does the organization collect?

3. Does the organization have privacy policies and procedures with respect to collection, use, retention, destruction, and disclosure of personal information?

4. Does the organization have responsibility and accountability assigned for managing a privacy program?

5. Does the organization know where all personal information is stored?

6. How is personal information protected?

7. Is any personal information collected by the organization disclosed to third parties?

8. Are employees properly trained in handling privacy issues and concerns?

9. Does the organization have adequate resources to develop, implement, and maintain an effective privacy program?

10. Does the organization complete a periodic assessment to ensure that privacy policies and procedures are being followed?

Reporters:

Jenine M. Cabrera

Danica M. Judit

Lea O. Mesa

Cialaina Leigh O. Ramirez
