Date post: 25-Dec-2015
Upload: howard-harrell
Transcript

1

Chapter Two

Ethical & Legal Issues

2

Why a Code of Ethics?

Not all people act ethically under all circumstances.

Written guidelines are not a guarantee, but ethical codes help keep honest people honest!

3

IRREGULAR AND ILLEGAL ACTS

Irregular act:
– reflects an intentional violation of
  » corporate policies or
  » regulatory requirements
– or an unintentional breach of law

Illegal act:
– represents a willful violation of law

4

EXAMPLES

Fraud
Computer crimes
Nonconformity with agreements & contracts between the organization & third parties
Violations of intellectual property rights
Noncompliance with other regulations & laws.

5

Unethical and Illegal Behavior

Categories
– Ignorance
– Accident
– Intent

Deterrence
– Fear of penalty
– Probability of being caught
– Probability of the penalty being administered

6

Overview of Responsibilities

1. Plan the IT audit engagement based on an assessed level of risk that irregular and illegal acts might occur, and that such acts could be material to the subject matter of the IT auditor's report.

2. Design audit procedures that consider the assessed risk level for irregular and illegal acts.

3. Review the results of audit procedures for indications of irregular and illegal acts.

7

4. Report suspected irregular and illegal acts;

5. Assume that the act is not isolated;

6. Determine how the act slipped through the internal control system;

7. Broaden audit procedures to consider the possibility of more acts of this nature;

8. Conduct additional audit procedures;

9. Evaluate the results of expanded audit procedures;

8

10. Consult with legal counsel and possibly corporate governance bodies to estimate the potential impact of the irregular and illegal acts, taken as a whole, on the subject matter of the engagement, audit report and organization.

11. Report all facts and circumstances of the irregular and illegal acts (whether suspected or confirmed) if the acts have a material effect on the subject matter of the engagement and/or the organization.

12. Distribute the report to appropriate internal parties, such as managers who are at least one level above those who are suspected or confirmed to have committed the acts, and/or corporate governance bodies.

9

Regulatory & Legal Issues

Auditors need a working knowledge of regulations and laws so they can at least determine when to refer matters to legal counsel.

10

Legal Contracts

A contract is an agreement between or among two or more persons or entities (businesses, organizations or government agencies) to do, or to abstain from doing, something in return for an exchange of consideration.
– Law provides remedies, including recovery of losses or specific performance.

11

Employment Contracts

Unilateral Contract – Employee is not bound.

Cannot require that the employee work for a stated period of time.

12

Confidentiality Agreements

Employee agrees not to divulge confidential information
– Should describe nature of protected information
– List permissible uses of such information
– Identify remedies for non-compliance
– State term of agreement

13

Trade Secret Agreements

A trade secret reflects a wide array of information that derives independent economic value from not being widely disclosed or readily ascertainable.

Enforceable for an indefinite period of time.

14

Discovery Agreements

For employees hired to develop ideas and innovations.

Agreement transfers ownership of the discovery to the employer.

Prevents employees from claiming the discovery as their own property.

15

Non-Compete Agreements

Employee agrees not to work for a competing employer (including self) for
– Specified time (must be reasonable)
– Specified geography

Prevents employee from working for other companies in connection with the design or sale of a competitive product.

Monetary remedy may be awarded to the company for violation.

16

Trading Partner Contracts

Agreements between companies & their trading partners are ratified in written contracts.

IT auditors examine Trading Partner Contracts as to the sale and purchase of goods and services.

17

18

Computer Crime & Intellectual Property

Computer Crime includes any behaviors that are deemed by states or nations to be illegal:
– hacking into an entity's network
– stealing intellectual property
– sabotaging a company's database
– denying service to others who wish to use a Web site
– harassing or blackmailing someone
– violating privacy rights
– engaging in industrial espionage
– pirating computer software
– perpetrating fraud
– and so on.

19

Intellectual Property

Intellectual Property (IP) refers to valuable creations of the mind.

Most computer crime involves the theft or misuse of Intellectual Property (IP).

Two Categories of Intellectual Property:
1. Industrial Property
   » Patents, trademarks
2. Individual Property
   » Copyrights of literary and artistic works.

20

Cyber Information Crimes

Three breaches involving electronic information:
– Confidentiality – access without authorization
– Integrity – modification of data without authorization
– Availability – authorized user denied access

21

Auditors & Cybercrime

Auditors need general knowledge of cybercrime law.

Auditors may run across suspicious activities.

May help companies ward off potential acts.

22

Privacy

Known as a "penumbra right."

Existing laws are narrow in scope, but expanding in response to the seriousness of the problem.

The international community is working to protect privacy rights (e.g., the EU–US "Safe Harbor" framework; note that the Court of Justice of the EU invalidated Safe Harbor in October 2015, so the specific framework in force must be checked at the time of the audit).

23

What is protected?

Any personally identifiable information, factual or subjective, that is collected by an organization.

Information is considered private if it can be specifically tied to or identified with an individual.

24

Factual Information
– Age
– Name
– Income
– Ethnicity
– Blood type
– Biometric images
– DNA
– Credit card numbers
– Loan information
– Medical records

Subjective Information
– Opinions
– Evaluations
– Comments
– Disciplinary actions
– Disputes

25

IT Auditor's Role in Privacy

To ensure that management develops, implements and operates sound internal controls aimed at protecting the private information it collects and stores during the normal course of business.

To assess the strength and effectiveness of controls designed to protect personally identifiable information in organizations.

