
LEGAL AND ETHICAL ISSUES FOR IT AUDITORS

CODE OF ETHICS
• Not all people will act ethically under all circumstances, as social-economic, political and other
pressures can drive “good” people to do “bad” things.
• Hence, a formal code of ethical conduct sends a message to all affected parties that the organization
will not tolerate unethical acts and that there are consequences for behaving in unacceptable ways.
• Ethical codes of conduct serve to:
1. Define acceptable behaviors for relevant parties;
2. Promote high standards of practices throughout the organization;
3. Provide a benchmark for organizational members to use for self-evaluation;
4. Establish a framework for professional behavior, obligations, and responsibilities;
5. Offer a vehicle for occupational identity; and
6. Reflect a mark of occupational maturity.

10 Ethical Standards of ISACA

• ISACA (Information Systems Audit and Control Association) has developed a code of professional
ethics applicable to its members and those who hold the designation of CISA (Certified Information
Systems Auditor). ISACA members and CISA certified auditors shall:
1. Support the implementation of, and encourage compliance with, appropriate standards,
procedures, and controls of information systems.
2. Serve in the interest of relevant parties in a diligent, loyal and honest manner, and shall not
knowingly be a party to any illegal or improper activities.
3. Maintain the privacy and confidentiality of information obtained in the course of their duties
unless disclosure is required by legal authority. Such information shall not be used for personal
benefit or released to inappropriate parties.
4. Perform their duties in an independent and objective manner and avoid activities that impair, or
may appear to impair their independence or objectivity.
5. Maintain competency in their respective fields of auditing and information systems control.
6. Agree to undertake only those activities that they can reasonably expect to complete with
professional competence.
7. Perform their duties with due professional care.
8. Inform the appropriate parties of the results of information system audit and/or control work
performed, revealing all material facts known to them, which, if not revealed, could either distort
reports of operations or conceal unlawful practices.
9. Support the education of clients, colleagues, the general public, management, and board of
directors in enhancing their understanding of information systems auditing and control.
10. Maintain high standards of conduct and character and not engage in acts discreditable to the
profession.

Failure to comply with this Code of Professional Ethics can result in an investigation into a member’s or
certification holder’s conduct and, ultimately, in disciplinary measures.

IRREGULAR AND ILLEGAL ACTS IN IT AUDIT

Irregularities and illegal acts

• Irregular Act - An intentional violation of corporate policies or regulatory requirements, or an
unintentional breach of law

• Illegal Act - A willful violation of laws or governmental regulations

• They include activities such as, but not limited to:

• Fraud, which is any act involving the use of deception to obtain illegal advantage
• Deliberate misrepresentation of facts with the aim of gaining advantage or hiding irregularities
or illegal acts
• Acts that involve noncompliance with laws and regulations, including failure to ensure that IT
systems or processes meet applicable laws and regulations
• Unauthorized disclosure of data subject to privacy laws
• Data retention practices that violate applicable privacy laws and regulations
• Acts that involve noncompliance with enterprise agreements and contracts entered with third
parties, such as banks, suppliers, vendors, service providers and stakeholders
• Manipulation, falsification, forgery or alteration of records or documents, whether in
electronic or paper form
• Suppression or omission of the effects of transactions from records or documents, whether in
electronic or paper form
• Inappropriate or deliberate leakage of confidential information
• Recording transactions (whether in electronic or paper form) that lack substance and are
known to be false—e.g., false disbursements, payroll fraud, tax evasion
• Misappropriation and misuse of assets
• Skimming or defalcation, which is the misappropriation of cash before it is recorded in the
financial records of an enterprise
• Acts that violate intellectual property (IP) rights, such as copyrights, trademarks and patents,
whether intentional or unintentional
• Granting unauthorized access to information and systems
• Errors in financial or other records that arise due to unauthorized access to data and systems

Responsibilities of Management

Primary responsibility for deterring, preventing and detecting irregularities and illegal acts rests with the
management and the board of the organization. Management typically uses the
following means to obtain reasonable assurance that irregularities and illegal acts are deterred,
prevented or detected in a timely manner:

• Designing, implementing and maintaining internal control systems—including transaction review
and approval, and management review procedures—to prevent and detect irregularities or
illegal acts.

• Policies and procedures governing employee conduct

• Compliance validation and monitoring procedures

• Designing, implementing and maintaining suitable systems for reporting, recording and
managing incidents relating to irregularities or illegal acts

• Policies and procedures governing compliance and regulatory requirements

Responsibilities of Practitioners

Practitioners are not responsible for the prevention or detection of irregularities or illegal acts. An audit
engagement cannot guarantee that irregularities will be detected.

Practitioners who have specific information about the existence of an irregularity or illegal act have an
obligation to report it.

Practitioners should inform management and those charged with governance if they have identified
situations in which there is a higher level of risk for a potential irregularity or illegal act, even if none is
detected.

Responding to Irregularities and Illegal Acts

Practitioners should demonstrate an attitude of professional skepticism. Indicators (sometimes called
“fraud indicators” or “red flags”) of persons committing irregularities or illegal acts include:
• Overrides of controls by management
• Irregular or poorly explained management behavior
• Consistent over-performance compared to set targets
• Problems with, or delays in, receiving requested information or evidence
• Transactions not following the normal approval cycles
• Increase in activity of a certain customer
• Increase in complaints from customers
• Deviating access controls for some applications or users
Practitioners should pay close attention if they notice any of these indicators.

If practitioners become aware of information concerning a possible irregularity or illegal act, they should
consider taking the following steps after receiving direction from the appropriate legal authority:
• Obtain an understanding of the nature of the act
• Understand the circumstances in which the act occurred
• Gather evidence of the act
• Identify all persons involved in committing the act
• Obtain sufficient supportive information to evaluate the effect of the act
• Perform limited additional procedures to determine the effect of the act
• Document and preserve all evidence and work performed

Internal reporting

Practitioners should communicate the detection of irregularities and illegal acts to the appropriate
people in the enterprise in writing or orally and in a timely manner. The notification should be directed
to management at a higher level than the level at which the irregularities and illegal acts are suspected
to have occurred. In addition, irregularities and illegal acts should be reported to those charged with
enterprise governance, such as the board of directors, trustees, audit committee or equivalent body.

External reporting

External reporting of fraud, irregularities or illegal acts may be a legal or regulatory obligation. The
obligation may apply to enterprise management, to the individuals involved in detecting the
irregularities or to both. Legal reporting requirements for the auditor are subject to local jurisdiction and
supersede internal policy and/or contractual agreements.

Other considerations

IT audit and assurance practitioners should:

• Reduce audit risk to an acceptable level in planning and performing the engagement.

• Consider unusual or unexpected relationships that may indicate a risk of material errors, control
deficiencies or misstatements due to irregularities and illegal acts.

• Design and perform procedures to test the appropriateness of internal controls and the risk that
management could override controls intended to prevent or detect irregularities and illegal acts.

• Disclose the pertinent results of any risk assessment that indicates errors, control deficiencies or
misstatements that may exist as a result of an irregularity or illegal act.

• Disclose management’s knowledge of irregularities and illegal acts affecting the enterprise in
relation to management and employees who have significant roles in internal control.

• Disclose management’s knowledge of any alleged or suspected irregularities and illegal acts
affecting the enterprise as communicated by employees, former employees, regulators and
others.

• Communicate in a timely manner.

REGULATORY AND LEGAL ISSUES


LEGAL CONTRACTS
An agreement with specific terms between two or more persons or entities in which there is a
promise to do something in return for a valuable benefit known as consideration.
Statutory Law
• Set by legislative action
• May require contracts to be in writing and with specific requirements
Common Law
• Reflects customs and general principles
• Precedents to situations not covered by statutory law
Elements of a legally binding contract
1. An offer;
2. An acceptance of that offer which results in a meeting of the minds;
3. A promise to perform;
4. A valuable consideration (which can be a promise or payment in some form that the
offeror expects in return from the offeree);
5. A time or event when performance must be made (meet commitments);
6. Terms and conditions for performance, including fulfilling promises;
7. Performance.

EMPLOYMENT CONTRACTS
An employment contract is a signed agreement between an individual employee and an
employer or a labor union. It establishes both the rights and responsibilities of the two parties: the
worker and the company.
It is a unilateral contract bound to the employer.
Agreements
a) Confidentiality agreement
A legal contract between at least two parties that outlines confidential material,
knowledge, or information that the parties wish to share with one another for certain purposes,
but wish to restrict access to or by third parties.
Content of the agreement:
i) Employee agrees not to divulge confidential information
ii) Describe the nature of the protected information
iii) List permissible uses of such information
iv) Identify remedies for non-compliance
v) State the term of the agreement
b) Trade secret agreement
A trade secret is a formula, practice, process, design, instrument, pattern, or compilation
of information which is not generally known or reasonably ascertainable, by which a business
can obtain an economic advantage over competitors or customers.
• Enforceable for an indefinite period of time.

c) Discovery agreement
• For employees hired to develop ideas and innovations.
• The agreement transfers ownership of the discovery to the employer.
• Prevents employees from claiming the discovery as their own property.

d) Non-compete agreement / Covenant Not to Compete
The employee agrees not to work for a competing employer (including self-employment) for
i) a specified time (must be reasonable)
ii) a specified geography
• Prevents the employee from working for other companies in connection with the design or sale of a
competitive product.
• If a noncompete agreement is signed before or immediately after employment, the usual
contract element of “consideration” is not required.
• If a noncompete agreement is signed during or upon termination of employment, additional
consideration on the part of the employer may be required.
• A monetary remedy may be awarded to the company for violation.

TRADING PARTNER CONTRACTS


A trading partner agreement is a written consent between two parties participating in a
financial transaction involving a commodity or information exchange that is bound by terms and
conditions.
More commonly, IT auditors will be dealing with trading partner contracts pertaining to the sale
and purchase of goods and services.

Document Template
• Document Title
• Unique Number
• Effective Date
• Expiration Date
• Seller & Buyer Name / Address
• Document Purpose
• Authorized Signatures
• Goods/Services Description, Quantity & Price
• Payment Terms
• Delivery & Shipping
• Disclosures
• Intended Use
• Warranty
• Liability
• Compliance with Laws
• Export Control
• Information Confidentiality
• Force Majeure
• Penalty / Cancellation Terms
• Resolution / Remedy

COMPUTER CRIME
"Offences that are committed against individuals or groups of individuals with a criminal
motive to intentionally harm the reputation of the victim or cause physical or mental harm to
the victim directly or indirectly, using modern telecommunication networks such as the Internet."
Includes any behaviors that are deemed by states or nations to be illegal, for example:
a) Fraud achieved by the manipulation of computer records
b) Spamming wherever outlawed completely or where regulations controlling it are
violated
c) Deliberate circumvention of computer security systems
d) Unauthorized access to or modification of computer programs or data
e) Intellectual property theft, including software piracy
f) Industrial espionage by means of access to or theft of computer materials
g) Identity theft where this is accomplished by use of fraudulent computer transactions
h) Writing or spreading computer viruses or worms
i) Salami slicing
j) Denial-of-service attack

JURISDICTION
• Internet users remain in physical jurisdictions and are subject to law independent of their
presence on the Internet
• A single transaction may involve the laws of at least three jurisdictions:
a) The laws of the state/nation in which the user resides;
b) The laws of the state/nation that apply where the server hosting the transaction is
located; and
c) The laws of the state/nation that apply to the person or business with whom the transaction takes
place.

Other areas with which the auditor needs to be reasonably familiar are Intellectual Property and
Privacy issues. Knowledge of these will help the auditor identify risk factors that may
contribute to the occurrence of irregular or illegal acts.

INTELLECTUAL PROPERTY
• Creations of the mind, such as inventions, literary and artistic works, designs, symbols, names, and
images used in commerce.

• R.A. 8293 known as “The Intellectual Property Code of the Philippines” as amended by R.A. 10372
provides the legal basis in dealing with Intellectual Property in the Philippines.

• Categories of Intellectual Property:

1. Industrial Property
• Patents – protect an invention for 20 years from the date of application
– territorial rights, i.e. the exclusive rights are only applicable in the country or
region in which a patent has been filed and granted, in accordance with the law
of that country or region
– criteria for an invention to be patentable include: novelty (it has never
existed before); usefulness; non-obviousness; and the idea must be patentable
subject matter
– four types of discoveries that can receive patents:
a) machines or mechanical devices;
b) human-made products;
c) compositions of matter (chemical compositions or other substances); and
d) processing methods – methods of doing something

• Trademarks – grant the owner the exclusive right to use the trademark on the
intended or related products for identification
– covers: a) distinctive images (symbols, pictures, words)
b) distinctive and unique packaging
c) color combinations
d) building designs
e) product styles
f) overall presentations

2. Individual Property

• Copyrights of Literary and Artistic Works
– offers protection from the creation of the work until the end of the author's life plus 50 years
– protects creative works from being reproduced, performed or disseminated by others
without permission.

EXAMPLES OF ISSUES RELATED TO USING, OWNING, OR DEVELOPING INTELLECTUAL PROPERTY MATERIALS

• If the IT auditor observes that the client appears to use some distinctive techniques within its IT
infrastructure, such as novel processes of encrypting data or unique methods of thwarting denial
of service attacks, the auditor should investigate whether such processes are already patented
by other entities. If so, the auditor should ensure that the client has legally procured the right to
use such patents.

• If the IT auditor observes that the client appears to use the trademarks of other entities in its
digital communications, the auditor should ensure that the client is not illegally using such
trademarks.

• If the IT auditor learns that the client owns one or more patents pertaining to the IT
infrastructure, the IT auditor should investigate whether and how the company continually scans
the environment to ensure that other persons or entities are not infringing on the client’s
patent(s). If the company has no policies or activities aimed at protecting its patent(s) in this
regard, the IT auditor could add value to the engagement by suggesting several scanning
methods.

• If the client places its own unique logo on its digital communications, the IT auditor should
investigate whether and how the company continually scans the environment to ensure that
other persons or entities are not using the company logo. If the company has no policies or
activities aimed at protecting its logo, the IT auditor could add value to the engagement by
suggesting several scanning methods.

• If the IT auditor discovers that the client has developed unique and novel components of the
digital IT infrastructure that give competitive advantage to the company, the IT auditor could
suggest that the client consider the possibility of applying for patents, if it has not already done
so. If successful, the client will be able to legally protect its intellectual property rights.

• If the client places a unique logo on its digital communications but has not properly registered it,
the IT auditor should suggest that the client registers the logo as a way to protect the marketing
value ascribed to the logo.

• If the IT auditor observes that the client appears to use copyrighted creative works belonging to
external parties, such as software applications, the auditor should investigate whether the rights
to use such copyrighted works have been properly procured. With regard to software
applications, which reflect the most likely type of infringements an IT auditor will encounter, the
client should possess properly executed software licensing agreements.
• If the IT auditor learns that the client owns one or more copyrights, such as software applications
that the company has developed, the auditor should investigate whether and how the company
continually scans the environment to ensure that other persons or entities are not infringing on
the client’s copyrights. If the company has no policies or activities aimed at protecting its
copyrights in this regard, the IT auditor could add value to the engagement by suggesting several
scanning methods.

• If the IT auditor discovers that the client has developed its own creative works, such as software
applications, and the company has not copyrighted its material, the IT auditor could suggest that
the client consider the possibility of registering for such copyrights, if it has not already done so.
The client should register its creative works as a way to put the public on notice that it considers
its works to be protected as intellectual property.

PRIVACY
• The right to be free from secret surveillance and to determine whether, when, how, and to
whom one's personal or organizational information is to be revealed.
• It is critical that the organization implements an effective privacy program.
• A corporate classification program for privacy-protected data assists the organization in
prioritizing the data and in assigning a sensitivity level (such as proprietary, confidential, or
public) to it, which in turn helps in evaluating the appropriateness of the controls over the
technology and business processes that handle the data.
• An effective privacy program may include:
– A privacy statement.
– Written policies, procedures, controls, and processes.
– Roles and responsibilities.
– Employee training and education.
– Monitoring and auditing.
– Information security practices.
– Incident response plans.
– Privacy laws and regulations.
– Plans for responding to detected problems and corrective action.

IT AUDITOR’S ROLE IN PRIVACY

• To ensure that management develops, implements and operates sound internal controls aimed
at protecting the private information it collects and stores during the normal course of business.
• To assess the strength and effectiveness of controls designed to protect personally identifiable
information in organizations.

R.A. 10173, known as the “Data Privacy Act of 2012”, and R.A. 8792, known as the “Electronic Commerce Act of
2000”, provide legal guidance that recognizes the vital role of information and communications
technology and seeks to act on the inherent obligation of ensuring that personal information in
information and communications systems in the government and in the private sector is secured and
protected.

Reference:
ISACA (2014). ITAF: A Professional Practices Framework for IS Audit/Assurance (3rd ed.).
Illinois, USA.
