CODE OF ETHICS
• Not all people will act ethically under all circumstances, as socio-economic, political and other
pressures can drive “good” people to do “bad” things.
• Hence, a formal code of ethical conduct sends a message to all affected parties that the organization
will not tolerate unethical acts and that there are consequences for behaving in unacceptable ways.
Ethical codes of conduct serve to:
1. Define acceptable behaviors for relevant parties;
2. Promote high standards of practices throughout the organization;
3. Provide a benchmark for organizational members to use for self-evaluation;
4. Establish a framework for professional behavior, obligations, and responsibilities;
5. Offer a vehicle for occupational identity; and
6. Reflect a mark of occupational maturity.
Failure to comply with this Code of Professional Ethics can result in an investigation into a member’s or
certification holder’s conduct and, ultimately, in disciplinary measures.
IRREGULAR AND ILLEGAL ACTS IN IT AUDIT
• Fraud, which is any act involving the use of deception to obtain an illegal advantage
• Deliberate misrepresentation of facts with the aim of gaining advantage or hiding irregularities
or illegal acts
• Acts that involve noncompliance with laws and regulations, including failure to ensure that IT
systems or processes meet applicable laws and regulations
• Unauthorized disclosure of data subject to privacy laws
• Data retention practices that violate applicable privacy laws and regulations
• Acts that involve noncompliance with enterprise agreements and contracts entered into with third
parties, such as banks, suppliers, vendors, service providers and stakeholders
• Manipulation, falsification, forgery or alteration of records or documents, whether in
electronic or paper form
• Suppression or omission of the effects of transactions from records or documents, whether in
electronic or paper form
• Inappropriate or deliberate leakage of confidential information
• Recording transactions (whether in electronic or paper form) that lack substance and are
known to be false, e.g., false disbursements, payroll fraud, tax evasion
• Misappropriation and misuse of assets
• Skimming (the misappropriation of cash before it is recorded in the financial records of an
enterprise) or defalcation (the misappropriation of funds entrusted to one’s care)
• Acts that violate intellectual property (IP) rights, such as copyrights, trademarks and patents,
whether intentional or unintentional
• Granting unauthorized access to information and systems
• Errors in financial or other records that arise due to unauthorized access to data and systems
Responsibilities of Management
Management and the board of the organization are responsible for deterring, preventing and detecting
irregularities and illegal acts. Management is expected to establish means (controls, policies and
monitoring) that give reasonable assurance that irregularities and illegal acts are deterred, prevented
or detected in a timely manner.
Responsibilities of Practitioners
Practitioners are not responsible for the prevention or detection of irregularities or illegal acts. An audit
engagement cannot guarantee that irregularities will be detected.
Practitioners who have specific information about the existence of an irregularity or illegal act have an
obligation to report it.
Practitioners should inform management and those charged with governance if they have identified
situations in which there is a higher level of risk for a potential irregularity or illegal act, even if none is
detected.
If practitioners become aware of information concerning a possible irregularity or illegal act, they should
consider taking the following steps after receiving direction from the appropriate legal authority:
• Obtain an understanding of the nature of the act
• Understand the circumstances in which the act occurred
• Gather evidence of the act
• Identify all persons involved in committing the act
• Obtain sufficient supportive information to evaluate the effect of the act
• Perform limited additional procedures to determine the effect of the act
• Document and preserve all evidence and work performed
Internal reporting
Practitioners should communicate the detection of irregularities and illegal acts to the appropriate
people in the enterprise in writing or orally and in a timely manner. The notification should be directed
to management at a higher level than the level at which the irregularities and illegal acts are suspected
to have occurred. In addition, irregularities and illegal acts should be reported to those charged with
enterprise governance, such as the board of directors, trustees, audit committee or equivalent body.
External reporting
External reporting of fraud, irregularities or illegal acts may be a legal or regulatory obligation. The
obligation may apply to enterprise management, to the individuals involved in detecting the
irregularities or to both. Legal reporting requirements for the auditor are subject to local jurisdiction and
supersede internal policy and/or contractual agreements.
Other considerations
• Reduce audit risk to an acceptable level in planning and performing the engagement.
• Consider unusual or unexpected relationships that may indicate a risk of material errors, control
deficiencies or misstatements due to irregularities and illegal acts.
• Design and perform procedures to test the appropriateness of internal controls and the risk that
management could override controls intended to prevent or detect irregularities and illegal acts.
• Disclose the pertinent results of any risk assessment that indicates errors, control deficiencies or
misstatements that may exist as a result of an irregularity or illegal act.
• Disclose management’s knowledge of irregularities and illegal acts affecting the enterprise that
involve management and employees who have significant roles in internal control.
• Disclose management’s knowledge of any alleged or suspected irregularities and illegal acts
affecting the enterprise as communicated by employees, former employees, regulators and
others.
EMPLOYMENT CONTRACTS
An employment contract is a signed agreement between an individual employee and an
employer (or, in the case of a collective agreement, between a labor union and an employer). It
establishes the rights and responsibilities of both parties: the worker and the company.
It is a bilateral contract: it binds both the employer and the employee to its terms.
Agreements
a) Confidentiality agreement
A legal contract between at least two parties that outlines confidential material,
knowledge, or information that the parties wish to share with one another for certain purposes,
but wish to restrict access to or by third parties
Content of the agreement:
• Employee agrees not to divulge confidential information
• Describes the nature of the protected information
• Lists the permissible uses of such information
• Identifies the remedies for non-compliance
• States the term of the agreement
b) Trade secret agreement
A trade secret is a formula, practice, process, design, instrument, pattern, or compilation
of information which is not generally known or reasonably ascertainable, by which a business
can obtain an economic advantage over competitors or customers.
• Enforceable for an indefinite period of time, for as long as the information remains secret.
c) Discovery agreement
For employees hired to develop ideas and innovations.
Agreement transfers ownership of discovery to employer.
Prevents employees from claiming the discovery as their own property.
Document Template
• Document Title
• Unique Number
• Effective Date
• Expiration Date
• Seller & Buyer Name / Address
• Document Purpose
• Authorized Signatures
• Goods/Services Description, Quantity & Price
• Payment Terms
• Delivery & Shipping
• Disclosures
• Intended Use
• Warranty
• Liability
• Compliance with Laws
• Export Control
• Information Confidentiality
• Force Majeure
• Penalty / Cancellation Terms; Resolution and Remedy
COMPUTER CRIME
“Offences that are committed against individuals or groups of individuals with a criminal
motive to intentionally harm the reputation of the victim or cause physical or mental harm to
the victim directly or indirectly, using modern telecommunication networks such as the Internet.”
Computer crime includes any behavior that is deemed by states or nations to be illegal, for example:
a) Fraud achieved by the manipulation of computer records
b) Spamming wherever outlawed completely or where regulations controlling it are
violated
c) Deliberate circumvention of computer security systems
d) Unauthorized access to or modification of computer programs or data
e) Intellectual property theft, including software piracy
f) Industrial espionage by means of access to or theft of computer materials
g) Identity theft where this is accomplished by use of fraudulent computer transactions
h) Writing or spreading computer viruses or worms
i) Salami slicing
j) Denial-of-service attack
JURISDICTION
• Internet users remain in physical jurisdictions and are subject to law independent of their
presence on the Internet
• A single transaction may involve the laws of at least three jurisdictions:
a) The laws of the state/nation in which the user resides;
b) The laws of the state/nation that apply where the server hosting the transaction is
located; and
c) The laws of the state/nation which apply to the person or business with whom the transaction takes
place.
Other areas with which the auditor needs to be reasonably familiar are intellectual property and
privacy issues. Knowledge of these areas helps the auditor identify risk factors that may
contribute to the occurrence of irregular or illegal acts.
INTELLECTUAL PROPERTY
• Creations of the mind, such as inventions, literary and artistic works, designs, symbols, names, and
images used in commerce.
• R.A. 8293 known as “The Intellectual Property Code of the Philippines” as amended by R.A. 10372
provides the legal basis in dealing with Intellectual Property in the Philippines.
1. Industrial Property
Patents – protect an invention for 20 years from the date of application
– territorial rights, i.e. the exclusive rights are only applicable in the country or
region in which a patent has been filed and granted, in accordance with the law
of that country or region
– criteria for an invention to be patentable: it must be novel (it has never
existed or been disclosed before); useful; not obvious; and it must fall within
patentable subject matter
– four types of discoveries that can receive patents:
a) machines or mechanical devices;
b) human-made products (manufactures);
c) compositions of matter (chemical compositions or other substances); and
d) processes, i.e. methods of doing something
Trademarks – grants the owner exclusive right to use the trademark on the
intended or related products for identification
– covers: a) distinctive images (symbols, pictures, words)
b) distinctive and unique packaging
c) color combinations
d) building designs
e) product styles
f) overall presentations
2. Copyright
Copyright – protects literary and artistic works, including computer programs, from the
moment of their creation (R.A. 8293); registration is not required for protection to exist,
but it serves as evidence of ownership
Audit implications
• If the IT auditor observes that the client appears to use some distinctive techniques within its IT
infrastructure, such as novel processes of encrypting data or unique methods of thwarting denial
of service attacks, the auditor should investigate whether such processes are already patented
by other entities. If so, the auditor should ensure that the client has legally procured the right to
use such patents.
• If the IT auditor observes that the client appears to use the trademarks of other entities in its
digital communications, the auditor should ensure that client is not illegally using such
trademarks
• If the IT auditor learns that the client owns one or more patents pertaining to the IT
infrastructure, the IT auditor should investigate whether and how the company continually scans
the environment to ensure that other persons or entities are not infringing on the client’s
patent(s). If the company has no policies or activities aimed at protecting its patent(s) in this
regard, the IT auditor could add value to the engagement by suggesting several scanning
methods.
• If the client places its own unique logo on its digital communications, the IT auditor should
investigate whether and how the company continually scans the environment to ensure that
other persons or entities are not using the company logo. If the company has no policies or
activities aimed at protecting its logo, the IT auditor could add value to the engagement by
suggesting several scanning methods.
• If the IT auditor discovers that the client has developed unique and novel components of the
digital IT infrastructure that give competitive advantage to the company, the IT auditor could
suggest that the client consider the possibility of applying for patents, if it has not already done
so. If successful, the client will be able to legally protect its intellectual property rights.
• If the client places a unique logo on its digital communications but has not properly registered it,
the IT auditor should suggest that the client registers the logo as a way to protect the marketing
value ascribed to the logo.
• If the IT auditor observes that the client appears to use copyrighted creative works belonging to
external parties, such as software applications, the auditor should investigate whether the rights
to use such copyrighted works have been properly procured. With regard to software
applications, which reflect the most likely type of infringements an IT auditor will encounter, the
client should possess properly executed software licensing agreements.
• If the IT auditor learns that the client owns one or more copyrights, such as software applications
that the company has developed, the auditor should investigate whether and how the company
continually scans the environment to ensure that other persons or entities are not infringing on
the client’s copyrights. If the company has no policies or activities aimed at protecting its
copyrights in this regard, the IT auditor could add value to the engagement by suggesting several
scanning methods.
• If the IT auditor discovers that the client has developed its own creative works, such as software
applications, and the company has not registered its copyright in that material, the IT auditor could
suggest that the client consider registering such copyrights. Registering its creative works puts
the public on notice that the client considers its works to be protected as intellectual property.
PRIVACY
• the right to be free from secret surveillance and to determine whether, when, how, and to
whom one’s personal or organizational information is to be revealed
• it is critical that the organization implements an effective privacy program
• a corporate classification program for privacy-protected data helps the organization prioritize
the data and assign a sensitivity level (such as proprietary, confidential, or public) to it; the
classification in turn helps in evaluating whether the controls over the technology and business
processes that handle the data are appropriate
• an effective privacy program may include:
A privacy statement.
Written policies, procedures, controls, and processes.
Roles and responsibilities.
Employee training and education.
Monitoring and auditing.
Information security practices.
Incident response plans.
Privacy laws and regulations.
Plans for responding to detected problems and corrective action.
R.A. 10173, known as the “Data Privacy Act of 2012”, and R.A. 8792, known as the “Electronic Commerce Act of
2000”, provide the legal basis in the Philippines. They recognize the vital role of information and
communications technology and the State’s obligation to ensure that personal information in
information and communications systems in the government and in the private sector is secured and
protected.
Reference:
ISACA (2014). ITAF: A Professional Practices Framework for IS Audit/Assurance (3rd ed.).
Rolling Meadows, Illinois, USA.