Chapter Two Ethical & Legal Issues

Why a Code of Ethics? Not all people act ethically under all circumstances. Written guidelines are not a guarantee, but ethical codes help keep honest people honest!

IRREGULAR AND ILLEGAL ACTS Irregular act : reflects an intentional violation of corporate policies or regulatory requirements or an unintentional breach of law Illegal act : represents a willful violation of law

EXAMPLES Fraud Computer crimes Nonconformity with agreements & contracts between the organization & third parties Violations of intellectual property rights Noncompliance with other regulations & laws.

Unethical and Illegal Behavior Categories Ignorance Accident Intent Deterrence Feare of penalty Probability of being caught Probably of penalty being administered

Overview of Responsibilities Plan the IT audit engagement based on an assessed level of risk that irregular and illegal acts might occur, and that such acts could be material to the subject matter of the IT auditor’s report. Design audit procedures that consider the assessed risk level for irregular and illegal acts. Review the results of audit procedures for indications of irregular and illegal acts.

Report suspected irregular and illegal acts Assume that the act is not isolated; Determine how the act slipped through the internal control system; Broaden audit procedures to consider the possibility of more acts of this nature; Conduct additional audit procedures; Evaluate the results of expanded audit procedures;

Consult with legal counsel and possibly corporate governance bodies to estimate the potential impact of the irregular and illegal acts, taken as a whole, on the subject matter of the engagement, audit report and organization. Report all facts and circumstances of the irregular and illegal acts (whether suspected or confirmed) if the acts have a material effect on the subject matter of the engagement and/or the organization. Distribute the report to appropriate internal parties, such as managers who are at least one level above those who are suspected or confirmed to have committed the acts, and/or corporate governance bodies.

Regulatory & Legal Issues Auditors need a working knowledge of regulations and laws so they at least can determine when to refer matters to legal counsel.

Legal Contracts A contract is an agreement between or among two or more persons or entities (businesses, organizations or government agencies) to do, or to abstain from doing, something in return for an exchange of consideration. Law provides remedies, including recuperation of losses or specific performance.

Employment Contracts Unilateral Contract – Employee is not bound. Cannot include that employee must work for stated period of time.

Confidentiality Agreements Employee agrees not to divulge confidential information Should describe nature of protected information List permissible uses of such information Identify remedies for non-compliance State term of agreement

Trade Secret Agreements A trade secret reflects a wide array of information that derives independent economic value from not being widely disclosed or readily ascertainable. Enforceable for indefinite period of time.

Discovery Agreements For employees hired to develop ideas and innovations. Agreement transfers ownership of discovery to employer. Prevents employees from claiming the discovery as their own property.

Non-Compete Agreements Employee agrees to not work for competing employer (including self) for Specified time (must be reasonable) Specified geography Prevents employee from working for other companies in connection with the design or sale of a competitive product. Monetary remedy may be awarded to company for violation

Trading Partner Contracts Ratifies agreements between companies & their trading partners with written contracts. IT auditors examine Trading Partner Contracts as to the sale and purchase of goods and services.

Computer Crime & Intellectual Property Computer Crime includes any behaviors that are deemed by states or nations to be illegal hacking into an entities network stealing intellectual property sabotaging a company’s database denying service to others who wish to use a Web site harassing or blackmailing someone violating privacy rights engaging in industrial espionage pirating computer software perpetrating fraud and so on.

Intellectual Property Intellectual Property (IP) referst to valuable creations of the mind. Most of computer crime involves the theft or misuse of Intellectual Property (IP). Two Categories of Intellectual Property: Industrial Property Patents, trademarks Individual Property Copyrights of literary and artistic works.

Cyber Information Crimes Three Breaches involving electronic information: Confidentiality – Access without authorization Integrity – Modification of data without authorization Availability – Authorized user denied access

Auditors & Cybercrime Auditors need general knowledge of cybercrime law Auditors may run across suspicious activities May help companies ward off potential acts.

Privacy Known as a “penumbra right.” Existing Laws narrow in scope, but expanding in response to the seriousness of the problem. The international community is working to protect privacy rights (e.g., EU “Safe Harbor”)

What is protected? Any personally identifiable information, factual or subjective, that is collected by an organization. Information is considered private if it can be specifically tied to or identified with an individual.

Subjective Information Factual Information Age Name Income Ethnicity Blood type Biometric images DNA Credit card numbers Loan information Medical records Opinions Evaluations Comments Disciplinary actions Disputes

IT Auditor’s Role in Privacy To ensure that management develops, implements and operates sound internal controls aimed at the protecting private information it collects and stores during the normal course of business. To assess the strength and effectiveness of controls designed to protect personally identifiable information in organizations.