
LEGAL AND ETHICAL ISSUES FOR IT AUDITORS
Chapter 2

CODE OF ETHICS
Why do organizations develop ethical codes?
Do not people know how to act ethically under all circumstances without written guidance?
CODE OF ETHICS
• Not all people will act ethically under all circumstances, as social, economic, political and other pressures can drive “good” people to do “bad” things.
• Hence, a formal code of ethical conduct sends a message to all affected parties that the organization will not tolerate unethical acts and that there are consequences for behaving in unacceptable ways.
• While written ethical guidelines will not prevent some people from engaging in unethical conduct, they do make clear the organization’s stand on such matters. Just like locks on doors, ethical codes help to keep honest people honest.
6 Good Reasons for an Organization to Develop a Code of Ethical Conduct

1. Define acceptable behaviors for relevant parties;
2. Promote high standards of practice throughout the organization;
3. Provide a benchmark for organizational members to use for self-evaluation;
4. Establish a framework for professional behavior, obligations, and responsibilities;
5. Offer a vehicle for occupational identity; and
6. Reflect a mark of occupational maturity.

10 Ethical Standards of ISACA

1. Support the implementation of, and encourage compliance with, appropriate standards, procedures, and controls for information systems.
2. Serve in the interest of relevant parties in a diligent, loyal, and
honest manner, and shall not knowingly be a party to any illegal
or improper activities.
3. Maintain the privacy and confidentiality of information obtained
in the course of their duties unless disclosure is required by legal
authority. Such information shall not be used for personal
benefit or released to inappropriate parties.
4. Perform their duties in an independent and objective manner
and avoid activities that impair, or may appear to impair, their
independence or objectivity.
5. Maintain competency in their respective fields of auditing and
information systems control.
6. Agree to undertake only those activities that they can reasonably expect to complete with professional competence.
7. Perform their duties with due professional care.
8. Inform the appropriate parties of the results of information system audit and/or control work performed, revealing all material facts known to them, which, if not revealed, could either distort reports of operations or conceal unlawful practices.
9. Support the education of clients, colleagues, the general public, management, and boards of directors in enhancing their understanding of information systems auditing and control.
10. Maintain high standards of conduct and character and not engage in acts discreditable to the profession.
Irregular and Illegal Acts
Irregular Act
• Reflects either an intentional violation of corporate policies or regulatory requirements, or an unintentional breach of law.

Illegal Act
• Represents a willful violation of law.

Examples of acts covered under irregular or illegal acts:

1. Fraud
2. Computer crimes
3. Nonconformity with agreements
4. Violation of intellectual property rights
5. Noncompliance with other applicable regulations and laws.
Irregular and Illegal Acts: Professional
Guidance
• The ISACA guideline to IT auditors on irregular and illegal
acts clearly points out that auditors are not qualified to
determine whether an irregular, illegal, or simply
erroneous act has occurred.
• Instead, the characterization of an act as irregular, illegal,
or erroneous should be made by a qualified expert, such
as a lawyer or judge.

So what should the auditor do in case there is an irregular or illegal act?
• It is important to point out that management is responsible for the prevention and detection of irregular and illegal acts, not the IT auditor. Management should establish policies and procedures aimed at governing employee conduct; institute appropriate internal controls; and ensure compliance with policies, procedures, and controls.

Again, so what should the auditor do in case there is an irregular or illegal act?
Overview of the IT auditor’s responsibilities with respect to irregular and illegal acts:

1. Plan the IT audit engagement based on an assessed level of risk that irregular and illegal acts might occur and that such acts could be material to the subject matter of the IT auditor’s report.
2. Design audit procedures that consider the assessed risk level for irregular and illegal acts.
3. Review the results of audit procedures for indications of irregular and illegal acts.
4. Report suspected irregular and illegal acts to one or more of the following parties:
   a. The IT auditor’s immediate supervisor and possibly corporate governance bodies (board of directors or audit committee);
   b. Appropriate personnel within the organization, such as a manager who is at least one level above those who are suspected to have engaged in such acts;
   c. If top management is suspected, then refer to corporate governance bodies only; and
   d. Legal counsel or other appropriate external parties.
5. Assume that the act is not isolated.
6. Determine how the act slipped through the internal control system.
7. Broaden audit procedures to consider the possibility of more acts of this nature.
8. Conduct additional audit procedures.
9. Evaluate the results of the expanded audit procedures.

10. Consult legal counsel and possibly corporate governance bodies to estimate the potential impact of the irregular or illegal acts, taken as a whole, on the subject matter of the engagement, the audit report and the organization.
11. Report all facts and circumstances of the irregular and illegal acts (whether suspected or confirmed) if the acts have a material effect on the subject matter of the engagement and/or the organization.
12. Distribute the report to appropriate internal parties, such as managers who are at least one level above those who are suspected or confirmed to have committed the acts, and/or corporate governance bodies.
Regulatory & Legal Issues

• Auditors need a working knowledge of regulations and laws so they can at least determine when to refer matters to legal counsel.

Legal Contracts

• A contract is an agreement between or among two or more persons or entities (businesses, organizations or government agencies) to do, or to abstain from doing, something in return for an exchange of consideration.
• Law provides remedies, including recuperation of losses or specific performance.
Three Elements of a Contract
• Offer
  • Clearly identify the subject matter of the agreement
  • Completely describe services, including time, place & quality
  • Identify goods, including quantity (a material term under the UCC)

• Consideration
  • Statement of what the offeror expects in return from the offeree.

• Acceptance
  • Identify the offeree
  • Signed and dated by offeree and offeror
Employment Contracts
Confidentiality Agreements
• Employee agrees not to divulge confidential information
  • Should describe the nature of the protected information
• List permissible uses of such information
• Identify remedies for non-compliance
• State the term of the agreement

Trade Secret Agreements

• A trade secret reflects a wide array of information that derives independent economic value from not being widely disclosed or readily ascertainable.
• Enforceable for an indefinite period of time.

Discovery Agreements

• For employees hired to develop ideas and innovations.
• The agreement transfers ownership of the discovery to the employer.
• Prevents employees from claiming the discovery as their own property.


Non-Compete Agreements

• Employee agrees not to work for a competing employer (including self-employment) for:
  • A specified time (must be reasonable)
  • A specified geography
• Prevents the employee from working for other companies in connection with the design or sale of a competitive product.
• A monetary remedy may be awarded to the company for a violation.
Sample Non-Compete Agreement

EMPLOYEE NON-COMPETE AGREEMENT

For good consideration and as an inducement for ___________ (Company) to employ ________ (Employee), the undersigned Employee hereby agrees not to directly or indirectly compete with the business of the Company and its successors and assigns during the period of employment and for a period of ___ years following termination of employment and notwithstanding the cause or reason for termination.

The term "not compete" as used herein shall mean that the Employee shall not own, manage, operate, consult for or be employed in a business substantially similar to, or competitive with, the present business of the Company or such other business activity in which the Company may substantially engage during the term of employment.

The Employee acknowledges that the Company shall or may, in reliance on this agreement, provide Employee access to trade secrets, customers and other confidential data and good will. Employee agrees to retain said information as confidential and not to use said information on his or her own behalf or disclose same to any third party.

This non-compete agreement shall extend only for a radius of ________ miles from the present location of the Company and shall be in full force and effect for ________ years, commencing with the date of employment termination.

This agreement shall be binding upon and inure to the benefit of the parties, their successors, assigns, and personal representatives.

Signed this _____ day of __________ 20____.

_____________________          _____________________
Company Representative         Employee
Trading Partner Contracts

• Ratifies agreements between companies & their trading partners with written contracts.
• IT auditors examine trading partner contracts as to the sale and purchase of goods and services.
Contract Template

• Document Title
• Unique Number
• Effective Date
• Expiration Date
• Seller & Buyer Name / Address
• Document Purpose
• Authorized Signatures
• Goods/Services Description, Quantity & Price
• Payment Terms
• Delivery & Shipping
• Disclosures
• Intended Use
• Warranty
• Liability
• Compliance with Laws
• Export Control
• Information Confidentiality
• Force Majeure
• Penalty / Cancellation Terms
• Resolution / Remedy
Computer Crime
• There are no sheriffs on the Information Superhighway
waiting to zap potential offenders.
What is Computer Crime?

• Includes any behaviors that are deemed by states or nations to be illegal, such as:
  • hacking into an entity’s network
  • stealing intellectual property
  • sabotaging a company’s database
  • denying service to others who wish to use a Web site
  • harassing or blackmailing someone
  • violating privacy rights
  • engaging in industrial espionage
  • pirating computer software
  • perpetrating fraud
  • and so on.
Intellectual Property
• Two Categories of Intellectual Property:

1. Industrial Property
• Patents, trademarks
2. Individual Property
• Copyrights of literary and artistic works.

Patents
• A patent protects an invention for 20 years from the date of application.
• The criteria for a patent are that an invention must be:
  • Novel
  • Useful
  • Not obvious in nature
• There are four types of discoveries that can receive patents:
  1. Machines
  2. Human-made products
  3. Compositions of matter
  4. Processing methods
Trademarks
• Grants the owner the exclusive right to use the trademark on the intended or related products for identification.
• Covers:
  • Distinctive images
  • Symbols
  • Pictures
  • Words
  • Distinctive & unique packaging
  • Color combinations
  • Building designs
  • Product styles
  • Overall presentations
• Trademark status may be granted for a secondary meaning that, over time, identifies it with the product or seller.
Copyrights

• Offers protection from the creation of the work until the end of the author’s life plus 50 years.
• Protects creative works from being, without permission:
  • Reproduced
  • Performed
  • Disseminated
Combating Computer Crime: New Laws, Putting Teeth in Old Laws

CCIPS
• Computer Crime & Intellectual Property Section
• Established by the Justice Department in 1991
• Consists of attorneys who focus on issues raised by computer and intellectual property crime

CHIP
• Computer Hacking and Intellectual Property
• Established by the Justice Department
Congressional Actions
• Computer Fraud and Abuse Act (1986)
  • Clarified definitions of criminal fraud & abuse
  • Removed legal ambiguities
• Electronic Communications Privacy Act (ECPA) (1986)
  • Addressed privacy issues
• National Information Infrastructure Protection Act (1996)
  • Amended the Computer Fraud & Abuse Act
• Digital Millennium Copyright Act (1998)
  • Protects electronic intellectual property rights
Title 18 of the U.S.C.
• The most encompassing legal guidance from the Federal Government
• Entitled “Crimes and Criminal Procedure”
• Most pertinent to cybercrime are sections 1029, 1030, 1362, 2511, 2701, and 2703.
Title 18 Section 1029
Fraud and Related Activity in Connection with Access Devices
• This section applies to any person who knowingly and with intent to defraud produces, uses, or traffics in one or more counterfeit access devices.

Access Device
• Any card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds (other than a transfer originated solely by paper instrument).

Counterfeit Access Device
• Any access device that is fictitious, altered, or forged.

Unauthorized Access Device
• Any access device that is lost, stolen, expired, revoked, canceled, or obtained with intent to defraud.


Title 18 Section 1030
Fraud and Related Activity in Connection with Computers
• Pertains to:
  • any person who knowingly accesses a computer without authorization, or exceeds authorized access, and thereby obtains information contained in:
    • a financial record of a financial institution,
    • any department or agency of the United States, or
    • any protected computer, if the conduct involves an interstate or foreign communication.
• Plus:
  • any person who accesses a protected computer without authorization or exceeds authorized access, engages in fraudulent behavior and obtains anything of value
• Plus those who:
  • knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct intentionally cause damage, without authorization, to a protected computer
  • intentionally access a protected computer without authorization, and as a result of such conduct cause damage
Title 18 Section 1362
Communication Lines, Stations or Systems
• Crimes by persons who:
• Injure or destroy, or attempt to injure or destroy,
any of the works, property, or material of any radio,
telegraph, telephone or cable, line, station, or
system, or other means of communication, operated
or controlled by the United States;
• Willfully or maliciously interfere in any way with the
working or use of any such line or system, or
obstruct, hinder, or delay the transmission of any
communication over any such line or system.
Title 18 Section 2511
Interception and Disclosure of Wire, Oral or Electronic Communications

• Intentionally intercept, endeavor to intercept, or procure any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication;
• Intentionally use, endeavor to use, or procure any other person to use or endeavor to use any electronic, mechanical, or other device to intercept any oral communication.
Title 18 Section 2701
Unlawful Access to Stored Communications

• Prohibited acts, for those who:
  • intentionally access without authorization a facility through which an electronic communication service is provided; or
  • intentionally exceed an authorization to access that facility; and thereby obtain, alter, or prevent authorized access to a wire or electronic communication while it is in electronic storage in such system.
Title 18 Section 2702
Disclosure of Contents

• A provider of an electronic communication service to the public shall not:
  • knowingly divulge the contents of a communication while in electronic storage.
• A provider of a remote computing service to the public shall not:
  • knowingly divulge the contents of any communication which is carried or maintained on that service.
Title 18 Section 2703
Requirements for Governmental Access
• A governmental entity may require an electronic communication service provider to disclose the contents of an electronic communication
  • for 180 days or less
  • requires a properly issued warrant
  • the 180 days can be extended

U.S. Patriot Act (2001)

• Gave powers to law enforcement agencies
• Made it easier to obtain wiretaps and warrants for e-mail messages and library, bookstore and banking records



Cyber Information Crimes

• Three breaches involving electronic information:
  • Confidentiality – Access without authorization
  • Integrity – Modification of data without authorization
  • Availability – Authorized user denied access
Privacy
• Known as a “penumbra right.”
• Existing laws are narrow in scope, but expanding in response to the seriousness of the problem.
• The international community is working to protect privacy rights.

Privacy Laws & Regulations

• The Privacy Act of 1974 (Title 5, United States Code, Section 552(a))
  • Provides safeguards against an invasion of privacy through the misuse of records by Federal agencies.

• Right to Financial Privacy Act of 1978 (Title 12, United States Code, Sections 3401-3413)
  • Prohibits financial institutions from providing copies of, or access to, the information contained in the financial records of any customer to government agencies for law enforcement purposes unless the government has received consent or provided notice and an opportunity for the customer to object.

• Federal Trade Commission Act (Title 15, United States Code, Sections 41-58, as amended)
  • Empowers the Commission to prevent unfair methods of competition, and unfair or deceptive acts or practices that may affect commerce, which includes the misuse of private information for such purposes.

• Cable Communications Policy Act ("CCPA") (Title 15, United States Code, Sections 521-551)
  • Protects cable television subscriber information from unauthorized disclosure to third parties.
• Identity Theft Assumption and Deterrence Act (Title 18, United States Code, Section 1028 (note))
  • Designates the Federal Trade Commission as a central clearinghouse for identity theft complaints.

• Fair Credit Reporting Act (ECPA) (Title 15, United States Code, Section 1681)
  • Protects the privacy of information collected by consumer reporting agencies such as credit bureaus, medical information companies, and tenant screening services; requires consumer reporting agencies to develop reasonable measures to store consumers’ information in a confidential and accurate manner.

• The Children's Online Privacy Protection Act ("COPPA") (Title 15, United States Code, Section 6501)
  • Protects children’s privacy by giving parents the tools to control what information is collected while children are online.

• Gramm-Leach-Bliley Act (to be codified in Title 15, United States Code, Sections 6801-6809)
  • Ensures that financial institutions protect the privacy of consumers' “nonpublic personal financial information.”
• The Electronic Communications Privacy Act (ECPA) (Title 18, United States Code, Section 2501)
  • Prohibits unlawful access and certain disclosures of communication contents and prevents government entities from requiring disclosure of electronic communications from a provider without proper procedure.

• Customer Proprietary Network Information, Electronic Communications Privacy Act of 1986 (Title 47, United States Code, Section 222)
  • Protects the information telephone companies obtain about customers regarding the quantity, technical configuration, type, destination, and amount of use of a telecommunications service subscribed to by such customers.

• The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") (Code of Federal Regulations 45, Sections 160 and 164)
  • Prohibits covered entities (health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction regulated by HIPAA) from disclosing protected health information to third parties without the patient’s prior consent.
European Commission’s Directive on Data Protection

• Effective 10/98
• Prohibits the transfer of personal data to non-European Union nations that do not meet the ‘adequacy’ standard.
• Different from the sectoral approach used by the U.S., which relies on a mix of legislation, regulation, and self-regulation.
• The Directive would hamper the ability of U.S. companies to engage in many trans-Atlantic transactions.

“Safe Harbor” Framework

• Bridges U.S. privacy approaches with the EU directive.
• Certifying to the safe harbor will assure EU organizations that your company provides "adequate" privacy protection, as defined by the Directive.
• Benefits small & medium enterprises.
• Voluntary for U.S. organizations.

7 Safe Harbor Rules

1. Notice: Organizations must notify individuals about the purposes for which they collect and use
information about them.
2. Choice: Organizations must give individuals the opportunity to choose (opt out) whether their
personal information will be disclosed to a third party or used for a purpose incompatible with the
purpose for which it was originally collected or subsequently authorized by the individual.
3. Onward Transfer (Transfers to Third Parties): To disclose information to a third party,
organizations must apply the notice and choice principles.
4. Access: Individuals must have access to personal information about them that an organization holds
and be able to correct, amend, or delete that information where it is inaccurate, except where the
burden or expense of providing access would be disproportionate to the risks to the individual's
privacy in the case in question, or where the rights of persons other than the individual would be
violated.
5. Security: Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
6. Data integrity: Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, and is accurate, complete, and current.
7. Enforcement: In order to ensure compliance with the safe harbor principles, there must be (a) readily available and affordable independent recourse mechanisms; (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles.

Adapted from the U.S. Department of Commerce website at: http://www.export.gov/safeharbor/sh_overview.html
Role of Accounting Profession

• AICPA formed the AICPA Privacy Task Force to review privacy issues.
• The task force defines privacy as:
  • The rights and obligations of individuals and organizations with respect to the collection, use, disclosure and retention of personally identifiable information.

Privacy and Organizations

• Managers are obligated to institute the internal controls necessary to protect the confidentiality of personal information collected in the course of business.
• AICPA believes that independent accountants are qualified to conduct privacy engagements
  • Ensures privacy-related controls are in place and operating effectively

What is protected?
• Any personally identifiable information, factual or subjective, that is collected by an organization.
• Information is considered private if it can be specifically tied to or identified with an individual.
Factual Information
• Age
• Name
• Income
• Ethnicity
• Blood type
• Biometric images
• DNA
• Credit card numbers
• Loan information
• Medical records
Subjective Information
• Opinions
• Evaluations
• Comments
• Disciplinary actions
• Disputes
IT Auditor’s Role in Privacy

• To ensure that management develops, implements and operates sound internal controls aimed at protecting the private information it collects and stores during the normal course of business.
• To assess the strength and effectiveness of controls designed to protect personally identifiable information in organizations.

End of Chapter 2
