LEGAL AND ETHICAL ISSUES FOR IT AUDITORS

CODE OF ETHICS

“Why do organizations develop ethical codes?”


“Don’t people know how to act ethically under all circumstances without written guidance?”

• Not all people will act ethically under all circumstances, as social, economic, political and
other pressures can drive “good” people to do “bad” things.
• Hence, a formal code of ethical conduct sends a message to all affected parties that the
organization will not tolerate unethical acts and that there are consequences for behaving in
unacceptable ways.
• While written ethical guidelines will not prevent some people from engaging in unethical
conduct, they do make clear the organization’s stand on such matters. Just like locks on doors,
ethical codes help to keep honest people honest.

6 Good Reasons for an Organization to Develop a Code of Ethical Conduct

1. Define acceptable behaviors for relevant parties;
2. Promote high standards of practices throughout the organization;
3. Provide a benchmark for organizational members to use for self-evaluation;
4. Establish a framework for professional behavior, obligations, and responsibilities;
5. Offer a vehicle for occupational identity; and
6. Reflect a mark of occupational maturity.

10 Ethical Standards of ISACA

1. Support the implementation of, and encourage compliance with, appropriate standards,
procedures, and controls for information systems.
2. Serve in the interest of relevant parties in a diligent, loyal, and honest manner, and shall not
knowingly be a party to any illegal or improper activities.
3. Maintain the privacy and confidentiality of information obtained in the course of their
duties unless disclosure is required by legal authority. Such information shall not be used
for personal benefit or released to inappropriate parties.
4. Perform their duties in an independent and objective manner and avoid activities that
impair, or may appear to impair, their independence or objectivity.
5. Maintain competency in their respective fields of auditing and information systems control.
6. Agree to undertake only those activities that they can reasonably expect to complete with
professional competence.
7. Perform their duties with due professional care.
8. Inform the appropriate parties of the results of information system audit and/or control
work performed, revealing all material facts known to them, which, if not revealed, could
either distort reports of operations or conceal unlawful practices.
9. Support the education of clients, colleagues, the general public, management, and boards of
directors in enhancing their understanding of information systems auditing and control.
10. Maintain high standards of conduct and character and not engage in acts discreditable to
the profession.

Irregular and Illegal Acts

Irregular Act
• Reflects either an intentional violation of corporate policies or regulatory
requirements or an unintentional breach of law.
Illegal Act
• Represents a willful violation of law.
Examples of acts covered under Irregular or Illegal Acts:
1. Fraud
2. Computer Crimes
3. Nonconformity with agreements
4. Violation of intellectual property rights
5. Noncompliance with other applicable regulations and laws.

Irregular and Illegal Acts: Professional Guidance

• The ISACA guideline to IT auditors on irregular and illegal acts clearly points out that
auditors are not qualified to determine whether an irregular, illegal, or simply erroneous
act has occurred.
• Instead, the characterization of an act as irregular, illegal, or erroneous should be made by a
qualified expert, such as a lawyer or judge.

So what should the auditor do in case there is an irregular or illegal act?

• It is important to point out that management is responsible for the prevention and detection
of irregular and illegal acts, not the IT auditor. Management should establish policies and
procedures aimed at governing employee conduct; institute appropriate internal controls;
and ensure compliance with policies, procedures, and controls.

Again, so what should the auditor do in case there is an irregular or illegal act?

Overview of the IT auditor’s responsibilities with respect to irregular and illegal acts:
1. Plan the IT audit engagement based on an assessed level of risk that irregular and illegal
acts might occur and that such acts could be material to the subject matter of the IT
auditor’s report.
2. Design audit procedures that consider the assessed risk level for irregular and illegal acts.
3. Review the results of audit procedures for indication of irregular and illegal acts.
4. Report suspected irregular and illegal acts to one or more of the following parties:
1. The IT auditor’s immediate supervisor and possibly corporate governance
bodies (BOD or audit committee);
2. Appropriate personnel within the organization, such as a manager who is
at least one level above those who are suspected to have engaged in such acts;
3. If top management is suspected, then refer to corporate governance bodies
only; and
4. Legal counsel or other appropriate external parties.
5. Assume that the act is not isolated.
6. Determine how the act slipped through the internal control system.
7. Broaden audit procedures to consider the possibility of more acts of this
nature.
8. Conduct additional audit procedures.
9. Evaluate the results of expanded audit procedure.
10. Consult legal counsel and possibly corporate governance bodies to estimate
the potential impact of the irregular or illegal acts, taken as a whole, on the
subject matter of the engagement, the audit report and the organization.
11. Report all facts and circumstances of the irregular and illegal acts (whether
suspected or confirmed) if the acts have a material effect on the subject
matter of the engagement and/or the organization.
12. Distribute the report to appropriate internal parties, such as managers who
are at least one level above those who are suspected or confirmed to have
committed the acts, and/or corporate governance bodies.

Regulatory and Legal Issues

Auditors need a working knowledge of regulations and laws so they at least can determine when to
refer matters to legal counsel.

Legal Contract
• A contract is an agreement between or among two or more persons or entities (businesses,
organizations or government agencies) to do, or to abstain from doing, something in return
for an exchange of consideration.
• Law provides remedies, including recovery of losses or specific performance.

Essential Elements of a Contract

• Offer
– Clearly identify the subject matter of the agreement
– Completely describe services, including time, place and quality
– Identify goods, including quantity (a material term under the UCC)
• Consideration
– Statement of what the offeror expects in return from the offeree.
• Acceptance
– Identify the offeree
– Signed and dated by offeree and offeror

Confidentiality Agreements
• Employee agrees not to divulge confidential information
• Should describe the nature of protected information
– List permissible uses of such information
– Identify remedies for non-compliance
– State the term of the agreement

A Confidentiality Agreement (or Non-Disclosure Agreement) is a legal document created
between two parties that wish to share confidential information between them, while
legally forbidding either party to disclose the information to any other person or entity.
Types of confidential information that may be applicable are such things as inventions,
trade secrets, new products or manufacturing processes, or any other trade secret items or
data. The Agreement may be one-sided (designed to prevent one of the parties from
disclosing the information) or mutual (whereby both parties cannot disclose any
confidential information received from the other party).

Confidentiality Agreements are frequently used between companies that are
considering doing business with each other and need to understand each other's processes
or data to evaluate and create a business agreement. They are also used in employer-
employee relationships, where employees need to have access to confidential information
in the course of their employment, but the employer wants to ensure that the employee
does not use or disclose this information for any other purpose. Occasionally, disclosure of
the fact that a Non-Disclosure Agreement even exists is forbidden by the agreement.

These agreements perform several important functions:

1. Define exactly what information cannot be disclosed
2. Protect sensitive information from being disclosed
3. Prevent forfeiture of patent rights, which in some cases occurs automatically once a
public disclosure is made

Some common items included in a Confidentiality Agreement include:

• The complete names and contact information of the parties,
• A complete description of what information is confidential (this list is often long),
• Any cases in which restrictions on disclosure are not applicable (for example, if one
party heard about the secret information already from a different source, or if the
information or materials are generally available to the public),
• The duration of the confidentiality,
• Obligations regarding proper use of the information, and
• Circumstances where disclosure is permitted (e.g. to the police or in court).

Trade Secret Agreement

• A trade secret reflects a wide array of information that derives independent economic value
from not being widely disclosed or readily ascertainable.
• Enforceable for an indefinite period of time.

Discovery Agreement
• For employees hired to develop ideas and innovations.
• Agreement transfers ownership of discovery to employer.
• Prevents employees from claiming the discovery as their own property.

Non-compete Agreement
• Employee agrees to not work for a competing employer (including self) for a:
– Specified time (must be reasonable)
– Specified geography
• Prevents the employee from working for other companies in connection with the design or sale
of a competitive product.
• A monetary remedy may be awarded to the company for violation.

Trading Partner Contracts

• Ratifies agreements between companies and their trading partners with written contracts.
• IT auditors examine Trading Partner Contracts as to the sale and purchase of goods and
services.

What is Computer Crime?

Includes any behaviors that are deemed by states or nations to be illegal, such as:
• hacking into an entity’s network
• stealing intellectual property
• sabotaging a company’s database
• denying service to others who wish to use a Web site
• harassing or blackmailing someone
• violating privacy rights
• engaging in industrial espionage
• pirating computer software
• perpetrating fraud
• and so on.

Intellectual Property
• Two Categories of Intellectual Property:
1. Industrial Property
– Patents, trademarks
2. Individual Property
– Copyrights of literary and artistic works.

Patents
A patent protects an invention for 20 years from the date of application.
Criteria for a patent are that an invention must be:
• Novel
• Useful
• Not obvious in nature

There are four types of discoveries that can receive patents:

1. Machines
2. Human made products
3. Compositions of matter
4. Processing methods

Trademarks
Grants the owner the exclusive right to use the trademark on the intended or related products
for identification.
• Covers
– Distinctive images
◦ Symbols
◦ Pictures
◦ Words
– Distinctive and unique packaging
– Color combinations
– Building designs
– Product styles
– Overall presentations
• May grant trademark status for a secondary meaning acquired over time that identifies it with
the product or seller.

Copyrights
• Offers protection from creation of the work until the end of the author’s life plus 50 years.
• Protects creative works from being, without permission:
– Reproduced
– Performed
– Disseminated

The Cybercrime Prevention Act of 2012, officially recorded as Republic Act No. 10175,
is a law in the Philippines approved on September 12, 2012. It aims to address legal issues
concerning online interactions and the Internet in the Philippines. Among the cybercrime offenses
included in the bill are cybersquatting, cybersex, child pornography, identity theft, illegal access to
data and libel.
Cybersquatting is registering, trafficking in, or using an Internet domain name with bad
faith intent to profit from the goodwill of a trademark belonging to someone else. Cybersex also
called computer sex, Internet sex, netsex and, colloquially, cyber or cybering, is a virtual sex
encounter in which two or more people connected remotely via computer network send each other
sexually explicit messages describing a sexual experience.
Child pornography is pornography that exploits children for sexual stimulation. It may be
produced with the direct involvement or sexual assault of a child (also known as child sexual abuse
images) or it may be simulated child pornography. Abuse of the child occurs during the sexual acts
or lascivious exhibitions of genitals or pubic areas which are recorded in the production of child
pornography.
Identity theft is the deliberate use of someone else’s identity, usually as a method to gain a
financial advantage or obtain credit and other benefits in the other person’s name, and perhaps to
the other person’s disadvantage or loss. While hailed for penalizing illegal acts done via the Internet
that were not covered by old laws, the act has been criticized for its provision on criminalizing libel,
which is perceived to be a curtailment in freedom of expression.

The Act is divided into 31 sections split across eight chapters and criminalizes several types of
offense, including illegal access (hacking), data interference, device misuse, cybersquatting,
computer-related offenses such as computer fraud, content-related offenses such as cybersex and
spam, and other offenses.
The law also reaffirms existing laws against child pornography, an offense under Republic
Act No. 9775 (the Anti-Child Pornography Act of 2009), and libel, an offense under Section 355 of
the Revised Penal Code of the Philippines, also criminalizing them when committed using a
computer system. Finally, the Act includes a “catch-all” clause, making all offenses currently
punishable under the Revised Penal Code also punishable under the Act when committed using a
computer, with severer penalties than provided by the Revised Penal Code alone.

Three salient points or important features, among many, of the Cybercrime Prevention Act
of 2012 are the following:

• The law gives cybercrime definitions that are internationally consistent;
• it grants law enforcement agencies greater authority; and
• it sets forth provisions for enhanced coordination efforts in relation to international
cybercrimes.

Punishable acts
The Cybercrime Prevention Act of 2012 lists the following offenses as punishable acts:

Offenses against the confidentiality, integrity and availability of computer data and systems:
Illegal access, illegal interception, data interference, system interference, misuse of devices, and
cyber-squatting;
Computer-related offenses: Computer-related forgery, computer-related fraud, and computer-
related identity theft;
Content-related offenses: Cybersex, child pornography, unsolicited commercial communications,
and libel; and
Other offenses: Aiding or abetting in the commission of cybercrime and attempt in the commission
of cybercrime.

Three Breaches involving electronic information

• Confidentiality – Access without authorization
• Integrity – Modification of data without authorization
• Availability – Authorized user denied access

Privacy
• Known as a “penumbra right.”
• Existing laws are narrow in scope, but expanding in response to the seriousness of the
problem.
• The international community is working to protect privacy rights.

In the Philippines
Republic Act 10173, or the Data Privacy Act of 2012, was approved into law on August 15,
2012. Here are its salient features:

1. It applies to processing of personal information (section 3g) and sensitive personal information
(Section 3L).

2. Created the National Privacy Commission to monitor the implementation of this law. (section 7)

3. Gave parameters on when, and on what premise, data processing of personal information may be
allowed. Its basic premise is that the data subject has given direct consent. (Sections 12 and 13)

4. Companies that subcontract processing of personal information to a third party retain full
liability and cannot pass on the accountability for such responsibility. (Section 14)

5. The data subject has the right to know if their personal information is being processed. The person
can demand information such as the source of the information, how their personal information is being used,
and a copy of their information. One has the right to request removal and destruction of one’s
personal data unless there is a legal obligation that requires it to be kept or processed. (Sections
16 and 18)

6. If the data subject has already passed away or became incapacitated (for one reason or another),
their legal assignee or lawful heirs may invoke their data privacy rights. (Section 17)

7. Personal information controllers must ensure security measures are in place to protect the
personal information they process and be compliant with the requirements of this law. (Section 20
and 21)

8. In case a personal information controller’s systems or data are compromised, it must notify the
affected data subjects and the National Privacy Commission. (Section 20)

9. Heads of government agencies must ensure their systems comply with this law (including its
security requirements). Personnel can only access sensitive personal information off-site, limited to
1000 records, in government systems with proper authority and in a secured manner. (Section 22)

10. Government contractors who have existing or future deals with the government that involve
accessing 1000 or more records of individuals should register their personal information
processing system with the National Privacy Commission. (Section 25)

11. Provided penalties (up to 5 million as per sec. 33) for the processing of personal information
and sensitive personal information involving the following acts:
– Unauthorized processing (sec. 25)
– Negligence (sec. 26)
– Improper disposal (sec. 27)
– Unauthorized purposes (sec. 28)
– Unauthorized access or intentional breach (sec. 29)
– Concealment of security breaches (sec. 30)
– Malicious (sec. 31) and unauthorized disclosure (sec. 32)

If at least 100 persons are harmed, the maximum penalty shall apply (section 35).

12. For public officers (working in government), an accessory penalty consisting in
disqualification from occupying public office for a term double the term of the criminal penalty imposed shall
be applied. (sec. 36)

“Safe Harbor” Framework – US

7 Safe Harbor Rules

1. Notice: Organizations must notify individuals about the purposes for which they collect and
use information about them.
2. Choice: Organizations must give individuals the opportunity to choose (opt out) whether
their personal information will be disclosed to a third party or used for a purpose
incompatible with the purpose for which it was originally collected or subsequently
authorized by the individual.
3. Onward Transfer (Transfers to Third Parties): To disclose information to a third party,
organizations must apply the notice and choice principles.
4. Access: Individuals must have access to personal information about them that an
organization holds and be able to correct, amend, or delete that information where it is
inaccurate, except where the burden or expense of providing access would be
disproportionate to the risks to the individual's privacy in the case in question, or where the
rights of persons other than the individual would be violated.
5. Security: Organizations must take reasonable precautions to protect personal information
from loss, misuse and unauthorized access, disclosure, alteration and destruction.
6. Data integrity: Personal information must be relevant for the purposes for which it is to be
used. An organization should take reasonable steps to ensure that data is reliable for its
intended use, and is accurate, complete, and current.
7. Enforcement: In order to ensure compliance with the safe harbor principles, there must be
(a) readily available and affordable independent recourse mechanisms; (b) procedures for
verifying that the commitments companies make to adhere to the safe harbor principles
have been implemented; and (c) obligations to remedy problems arising out of a failure to
comply with the principles.

ROLE OF ACCOUNTING PROFESSION

• AICPA formed the AICPA Privacy Task Force to review privacy issues.
• The task force defines privacy as:
– The rights and obligations of individuals and organizations with respect to the
collection, use, disclosure and retention of personally identifiable information.

PRIVACY AND ORGANIZATION

• Managers are obligated to institute the internal controls necessary to protect the
confidentiality of personal information collected in the course of business.
• AICPA believes that independent accountants are qualified to conduct privacy engagements.
– A privacy engagement ensures privacy-related controls are in place and operating effectively.

What is protected?
• Any personally identifiable information, factual or subjective, that is collected by an
organization.
• Information is considered private if it can be specifically tied to or identified with an
individual.
Factual Information
• Age
• Name
• Income
• Ethnicity
• Blood type
• Biometric images
• DNA
• Credit card numbers
• Loan information
• Medical records

Subjective Information
• Opinions
• Evaluations
• Comments
• Disciplinary actions
• Disputes

IT Auditors’ Role in Privacy

• To ensure that management develops, implements and operates sound internal controls
aimed at protecting the private information it collects and stores during the normal course
of business.
• To assess the strength and effectiveness of controls designed to protect personally
identifiable information in organizations.
