Legal and Ethical Issues for IT Auditors CHAPTER 2 CISB424

Uploaded by sheryl-davidson, posted 25 Dec 2015 (68 pages)

Page 1: Legal and Ethical Issues for IT Auditors

CHAPTER 2 CISB424

Page 2: WHAT WILL BE COVERED?

Code of Ethics
Irregular and Illegal Acts
Regulatory and Legal Issues
Computer Crime and Intellectual Property
Privacy Issues

Page 3: ETHICS

What is ethics? Ethics (or moral philosophy) is a branch of philosophy that involves systematizing, defending and recommending concepts of right and wrong conduct.

Page 4: WHAT DOES ETHICS MEAN TO YOU?

"Ethics has to do with what my feelings tell me is right or wrong."

"Ethics has to do with my religious beliefs."

"Being ethical is doing what the law requires."

"Ethics consists of the standards of behavior our society accepts."

"I don't know what the word means."

Source: Issues in Ethics IIE V1 N1 (Fall 1987)

Page 5: ETHICAL CODE

What is an ethical code? A list of codes adopted by organizations to assist members in understanding the difference between 'right' and 'wrong' and in applying that understanding to their decisions.

An ethical code generally implies documents at three levels:
1. codes of business ethics,
2. codes of conduct for employees, and
3. codes of professional practice.

Page 6: WHY DEVELOP ETHICAL CODES?

Not all people will act ethically under all circumstances (social, economic, political and others).

Hence, a formal code of ethics sends a message to all affected parties that the organization will not tolerate unethical acts and that there are consequences for behaving in unacceptable manners.

It is about values, rights and obligations towards the organization. Even though written ethical guidelines will not prevent 'some people' from engaging in unethical conduct, they do make clear the organization's stand on unethical conduct.

* Just like locks on doors, ethical codes will help to keep honest people honest *

Page 7: REASONS FOR DEVELOPING ETHICAL CODES

1. Define acceptable behaviors for relevant parties
2. Promote high standards of practice throughout the organization
3. Provide a benchmark for organizational members to use for self-evaluation
4. Establish a framework for professional behavior, obligations, and responsibilities
5. Offer a vehicle for occupational identity
6. Reflect a mark of occupational maturity

Page 8: ISACA & CISA

ISACA (Information Systems Audit and Control Association) has developed a code of professional ethics applicable to its members and those who hold the designation of CISA (Certified Information Systems Auditor).

The 10 ethical standards are:

1. Support the implementation of, and encourage compliance with, appropriate standards, procedures, and controls of IS

2. Serve in the interest of relevant parties in a diligent, loyal and honest manner, and shall not knowingly be a party to any illegal or improper activities

Page 9: ISACA & CISA - CONTINUED

3. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties

4. Perform their duties in an independent and objective manner and avoid activities that impair, or may appear to impair, their independence or objectivity

5. Maintain competency in their respective fields of auditing and information systems control

6. Agree to undertake only those activities that they can reasonably expect to complete with professional competence

7. Perform their duties with due professional care

Page 10: ISACA & CISA - CONTINUED

8. Inform the appropriate parties of the results of information systems audit and/or control work performed, revealing all material facts known to them, which, if not revealed, could either distort reports of operations or conceal unlawful practices

9. Support the education of clients, colleagues, the general public, management and boards of directors in enhancing their understanding of information systems auditing and control

10. Maintain high standards of conduct and character and not engage in acts discreditable to the profession

Page 11: FAILURE TO COMPLY

Can result in investigation

Ultimately in disciplinary action

Page 12: IRREGULAR & ILLEGAL ACTS

Irregular act: reflects either an intentional violation of corporate policies or regulations or an unintentional breach of law

Illegal act: represents a willful violation of law

Examples of irregular & illegal acts:

Fraud: reflects the intentional use of deception to achieve unfair or unlawful personal gain at the expense of another party

Computer crimes: misuse of information, computer viruses, denial-of-service attacks, malware (malicious code), cyberstalking, identity theft, information warfare, phishing scams.

Page 13: WHAT HAPPENS IF AN IT AUDITOR DISCOVERS IRREGULAR & ILLEGAL ACTS?

ISACA guidelines on irregular & illegal acts clearly state that auditors ARE NOT QUALIFIED to determine whether an irregular, illegal or erroneous act has occurred.

It is outside the scope of an IT auditor.

But what if an IT auditor discovers such activities? Point them out to management, who is responsible for the prevention and detection of such acts. Management is supposed to establish policies and procedures aimed at governing employee conduct.

Must keep matters confidential. If required to disclose such acts (mandated by authorized legal entities), IT auditors should consult legal counsel before making any disclosures to external parties.

Page 14: WHO IS RESPONSIBLE FOR PREVENTION, DETECTION, AND REPORTING?

Management is responsible for the prevention and detection of irregular and illegal acts, not the IT auditor.

Characterization should be made by a qualified expert.

CPAs are qualified to determine if acts are material to financial statements.

Page 15: IT AUDITOR'S RESPONSIBILITIES

Plan the IT audit engagement based on an assessed level of risk that irregular and illegal acts might occur and that such acts could be material to the subject matter of the IT auditor's report

Design audit procedures that consider the assessed risk level for irregular and illegal acts

Review the results of audit procedures for indications of irregular and illegal acts

Report suspected irregular and illegal acts to any of the following parties:
1. Immediate supervisor or corporate governance bodies (board of directors/audit committee)
2. Appropriate personnel within the organization (a manager at least one level above those suspected)
3. If top management is suspected, refer to corporate governance bodies
4. Legal counsel or external experts

Page 16: IT AUDITOR'S RESPONSIBILITIES - CONTINUED

5. Assume the act is not isolated
6. Determine how the act slipped through the internal control system
7. Broaden audit procedures to consider the possibility of more acts of this nature
8. Conduct additional audit procedures
9. Evaluate the results of expanded audit procedures
10. Consult legal counsel and corporate governance bodies to estimate the potential impact of irregular and illegal acts, taken as a whole, on the subject matter of the engagement, audit report and organization
11. Report all facts and circumstances (suspected or confirmed) if the acts have an effect on the organization
12. Distribute the report to internal parties (manager one level higher) and/or corporate governance bodies

Page 17: REGULATORY AND LEGAL ISSUES

Types of regulatory and legal issues are vast and varied.

Among the obvious issues:
Legal Contracts
Computer Crimes
Intellectual Property Rights
Privacy Issues

Page 18: LEGAL CONTRACTS

A contract is an agreement between or among two or more persons or entities (businesses, organizations, or government agencies) to do, or to abstain from doing, something in return for an exchange of consideration.

Contracts are promises that are enforceable by law. If any term of a contract is breached, the law provides remedies, which might include recuperation of losses or specific performance.

Guidelines in preparing the legality of contracts are divided into two:
Statutory law - the written law enacted by a legislature, the collection of rules imposed by authority
Common law - reflects customs and general principles; law developed by judges through decisions of courts and similar tribunals

Page 19: LEGAL CONTRACTS - CONTINUED

IT auditors will examine written contracts of purchase and sale of goods (e.g. computer equipment and software applications) and services (e.g. outsourcing arrangements and maintenance agreements).

IT auditors must check that at least THREE elements are stated in a contract:
Offer - nature or subject matter of the agreement (product or services)
Consideration - states what the offeror expects in return from the offeree
Acceptance - clearly identifies the offeror and offeree, and both must sign and date the contract

Page 20: LEGAL CONTRACTS - CONTINUED

1. Employee Contracts - a special type of agreement between employee and employer (position titles, performance criteria, compensation schemes, relocation expense reimbursements, working hours)

2. Confidentiality Agreements - a legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to or by third parties.

3. Trade Secret Agreements - a trade secret is information about a formula, pattern, compilation, program, device, method, technique or process that derives independent economic value from being kept secret. Thus the agreement (or non-disclosure agreement) protects such secrets from disclosure.

4. Discovery Agreements - an agreement between employee and employer which allows the transfer of ownership of a discovery to the employer (intellectual property)

5. Noncompete Agreements (or covenants not to compete) - an agreement by the employee not to enter into or start a similar profession or trade in competition against the employer.

6. Trading Partner Contracts - written agreements between companies and their trading partners (customers and vendors). Might also include confidentiality, trade secret, discovery and noncompete provisions.

Page 21: EMPLOYMENT CONTRACTS

Unilateral Contract - Employee is not bound.

Cannot include that the employee must work for a stated period of time.

Page 22: CONFIDENTIALITY AGREEMENTS

Employee agrees not to divulge confidential information

Should describe the nature of protected information

List permissible uses of such information

Identify remedies for non-compliance

State the term of the agreement

Page 23: TRADE SECRET AGREEMENTS

A trade secret reflects a wide array of information that derives independent economic value from not being widely disclosed or readily ascertainable.

Enforceable for an indefinite period of time.

Page 24: DISCOVERY AGREEMENTS

For employees hired to develop ideas and innovations.

Agreement transfers ownership of discovery to employer.

Prevents employees from claiming the discovery as their own property.

Page 25: NON-COMPETE AGREEMENTS

Employee agrees not to work for a competing employer (including self) for a:
Specified time (must be reasonable)
Specified geography

Prevents the employee from working for other companies in connection with the design or sale of a competitive product.

A monetary remedy may be awarded to the company for violation.

Page 26: SAMPLE NON-COMPETE AGREEMENT

EMPLOYEE NON-COMPETE AGREEMENT

For good consideration and as an inducement for ___________ (Company) to employ ________ (Employee), the undersigned Employee hereby agrees not to directly or indirectly compete with the business of the Company and its successors and assigns during the period of employment and for a period of ___ years following termination of employment and notwithstanding the cause or reason for termination.

The term "not compete" as used herein shall mean that the Employee shall not own, manage, operate, consult or be employed in a business substantially similar to, or competitive with, the present business of the Company or such other business activity in which the Company may substantially engage during the term of employment.

Page 27: SAMPLE NON-COMPETE AGREEMENT - CONTINUED

The Employee acknowledges that the Company shall or may in reliance of this agreement provide Employee access to trade secrets, customers and other confidential data and good will. Employee agrees to retain said information as confidential and not to use said information on his or her own behalf or disclose same to any third party.

This non-compete agreement shall extend only for a radius of ________ miles from the present location of the Company and shall be in full force and effect for ________ years, commencing with the date of employment termination.

This agreement shall be binding upon and inure to the benefit of the parties, their successors, assigns, and personal representatives.

Signed this _____ day of __ 20____.

_____________________          _____________________
Company Representative         Employee

Page 28: TRADING PARTNER CONTRACTS

Ratifies agreements between companies and their trading partners with written contracts.

IT auditors examine trading partner contracts as to the sale and purchase of goods and services.

Page 29: CONTRACT TEMPLATE

Document Title
Unique Number
Effective Date
Expiration Date
Seller & Buyer Name / Address
Document Purpose
Authorized Signatures
Goods/Services Description, Quantity & Price
Payment Terms

Page 30: CONTRACT TEMPLATE - CONTINUED

Delivery & Shipping
Disclosures
Intended Use
Warranty
Liability
Compliance with Laws
Export Control
Information Confidentiality
Force Majeure
Penalty / Cancellation Terms
Resolution / Remedy

Page 31: COMPUTER CRIME

Computer Crime - the direct or indirect use of computer and communication technologies to perpetrate a criminal act.

These acts are behaviors that are deemed by states/nations to be illegal (e.g., hacking into a network, stealing intellectual property, sabotaging a company's database, denying access/service to others, pirating software, using the internet to coordinate narcotic sales and logistics).

Page 32: JURISDICTION

Internet users remain in physical jurisdictions and are subject to law independent of their presence on the Internet.

A single transaction may involve the laws of at least three jurisdictions:
The laws of the state/nation in which the user resides
The laws of the state/nation that apply where the server hosting the transaction is located, and
The laws of the state/nation which apply to the person or business with whom the transaction takes place

Page 33: WHICH JURISDICTIONS APPLY?

Alex lives in Kansas, USA. He sells a fake handbag through his website to Marni, who lives in Birmingham, Britain. The online storefront that Alex uses is hosted on a server in Canada.

Page 34: INTELLECTUAL PROPERTY

Intellectual Property - refers to valuable creations of human minds (inventions, artistic works, symbols, designs).

Divided into two:
Industrial property - patents and trademarks
Individual property - copyright to works, designs

Page 35: INTELLECTUAL PROPERTY - CONTINUED

Patent - allows an inventor the right to exclude others from producing or using the inventor's discovery or invention for a limited period of time (twenty years from the date of application - nonrenewable)

To be patented, an invention must be:
Novel
Useful
Industrially applicable

Four types of inventions are covered under patent law:
Machines
Human-made products
Compositions of matter
Processing methods

Page 36: TOP 10 BRANDS IN 2013

What do these companies have in common?

Ranking  Company
1        Apple
2        Google
3        Coke
4        IBM
5        Microsoft
6        GE
7        McDonalds
8        Samsung
9        Intel
10       Toyota

Page 37: TRADEMARK AS A REPRESENTATION OF THE BRAND

Page 38: INTELLECTUAL PROPERTY - CONTINUED

Trademarks - reflect distinctive images (e.g. symbols and pictures) or words that sellers affix to distinguish and identify their products.

A trademark may also be granted to distinctive and unique packaging, color combinations, building designs, product styles, and overall presentations.

The owner of the trademark has exclusive rights to use it on the product.

Page 39: WHAT CAN BE TRADEMARKED?

Letters and words;
Logos;
Pictures;
A combination of words and a logo;
Slogans;
Colors;
Scents;
Product shapes; and
Sounds.

Page 40: THE COCA-COLA CO. OF CANADA V PEPSI-COLA CO. OF CANADA (RPC), 1942

Coke sued Pepsi for infringing their registered trademark.

The Court held that "Cola" was simply a descriptive word identifying a type of beverage and that the "distinguishing feature" of the Coca-Cola trademark is the word COCA.

As the distinguishing feature is not borrowed, there is no likelihood of deception.

Source: www.wipo.int/edocs/.../wipo_smes_kul_11_ref_theme_02_01.ppt

Page 41: DANONE BISCUITS MANUFACTURING (M) SDN BHD V HWA TAI INDUSTRIES BHD

ChipsMore is a registered trademark.

The Court held, having regard to the totality of circumstances, that the ChipsPlus mark so nearly resembles the ChipsMore trademark as to be likely to cause confusion:

The identical phonetic representation of the prefix "Chips";

The similar import of the suffixes "Plus" and "More";

The omission of the space between the two individual words "Chips" and "Plus" corresponding to the omission of the space between the two individual words "Chips" and "More";

The larger letter "C" of the prefix and "P" of the suffix of the ChipsPlus trademark corresponding to the larger letter "C" of the prefix and "M" of the suffix of the ChipsMore trademark;

The similar stylized double perimeter around the letters of both trade marks.

Page 42: TRADEMARK FOR BUILDING DESIGN

Apple Building in New York

Page 43: INTELLECTUAL PROPERTY - CONTINUED

Copyright - protects creative works from being reproduced, performed, or disseminated by others without permission.

The owner has the exclusive right:
to reproduce the protected work
to prepare derivative works that only slightly change the protected work
to sell or lend copies of the protected work to the public
to perform protected works in public for profit
to display copyrighted works publicly

The life of copyright begins the moment the work is created and lasts for the author's life (plus an additional 50 years).

Page 44: CYBER INFORMATION CRIMES

When electronic information is compromised.

Three categories:

Confidentiality - occurs when a person knowingly accesses a computer without authorization or when a person exceeds his authorized access; or when hackers view or copy proprietary or private information

Integrity - occurs when a system or data has been accidentally or maliciously modified, altered, or destroyed without authorization (e.g., a virus altered source code allowing hackers to gain unauthorized access - an integrity breach)

Availability - occurs when an authorized user is prevented from timely, reliable access to data or a system (denial of service)

Page 45: MALAYSIA LAWS

Communications & Multimedia Act 1998
Malaysian Communications & Multimedia Commission Act 1998
Digital Signature Act 1997
Computer Crimes Act 1997
Telemedicine Act 1997
Optical Discs Act 2000
Copyright Act 1987
Trade Marks Act 1976

Page 46: MALAYSIA LAWS - CONTINUED

Patents Act 1983
Industrial Designs Act 1996
Layout Designs of Integrated Circuits Act 2000
Geographical Indications Act 2000
Trade Description Act 1972
Intellectual Property Corporation of Malaysia Act 2002
E-Commerce Act 2006

All can be downloaded from: http://www.msc.com.my/cyberlaws/index.asp

Page 47: PRIVACY ISSUES

Privacy (or penumbra rights) - the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personally identifiable information.

Organizations (managers) are obligated to institute proper internal controls aimed at protecting the confidentiality of personal information that is collected during the normal course of business.

What information is protected?
Factual - age, name, income, ethnicity, blood type, biometric images, DNA, credit card numbers, loan information, and medical records
Subjective - opinions, evaluations, comments, disciplinary actions, and disputes

IT auditors must ensure management develops, implements and operates internal controls to protect the private information collected and stored during the course of business.

Page 48: PRIVACY IN OTHER COUNTRIES

Comprehensive legislation:
All EU countries, including the 10 new member states (Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, Slovakia and Slovenia)
Japan, Korea, New Zealand, Australia, Hong Kong, Macao, Taiwan, Thailand, Philippines
Chile, Argentina, Brazil, Mexico
In the Middle East, only Israel
Indonesia and China are working on a comprehensive data protection law

Page 49: PRIVACY IN OTHER COUNTRIES - CONTINUED

Legislation + self-regulatory:
USA - Privacy Act 1974 + 12 federal sector-based laws + state laws + Safe Harbour

Self-regulatory:
Singapore

Page 50: PRIVACY IN OTHER COUNTRIES - CONTINUED

Doing nothing so far:
Brunei
Vietnam
Laos
Cambodia
Many more

Page 51: PRIVACY IN MALAYSIA

The MCMC regulates that "service providers must be open, transparent and meet generally accepted fair information principles including providing notice as to what personal information they collect, use and disclose..."

Page 52: MALAYSIA: DATA PROTECTION JOURNEY

2000: First draft, available to the public for comment
2007: CTOS
2007: New draft
2009: First reading
2010: 5 April - Second & Third Reading
2010: 4 May - Dewan Negara
2010: 2 June - Royal Assent was granted
2010: 10 June - Gazetted

Page 53

Page 54: HAS IT BEEN IMPLEMENTED?

Announcements have been made by YB Dato' Sri Ahmad Shabery bin Cheek, Minister of Communications and Multimedia, that the Personal Data Protection Act 2010 ("PDPA"), which was passed by the Malaysian Parliament in 2010, will come into force on 16 August 2013. It is reported that Tuan Haji Abu Hassan Ismail will likely be appointed as the Personal Data Protection Commissioner. Nonetheless, to date, the official Gazette formalizing the date of coming into force has not been published.

Once the PDPA comes into force, data users will have a three-month transitional period to comply with its provisions in respect of existing personal data being processed, but will have to immediately comply with its provisions in respect of new personal data collected.

The penalties for breaching the PDPA include the imposition of fines of up to RM500,000 and/or a term of imprisonment not exceeding two years. Directors, CEOs, COOs, managers or other similar officers have joint and several liability for non-compliance by the body corporate, subject to the due diligence defence. The Commissioner is not empowered to order compensation for damage suffered, and there is no express right to pursue a civil claim for non-compliance.

Page 55: SCOPE AND APPLICATION

This Act shall not apply to the Federal Government and State Governments.

This Act shall not apply to any personal data processed outside Malaysia unless that personal data is intended to be further processed in Malaysia.

Page 56: PERSONAL DATA PROTECTION ACT 2010

There are seven data protection principles that form the basis of protection:

General Principle: The processing of personal data requires consent;

Notice and Choice Principle: Data users are required to notify the data subjects regarding the purpose for which the data is collected and about the right to request access and correction of the personal data;

Disclosure Principle: No personal data shall be disclosed without the consent of the data subject;

Security Principle: A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;

Retention Principle: The personal data processed for any purpose shall not be kept longer than is necessary for the fulfillment of the purpose for which it was obtained;

Data Integrity Principle: A data user shall take reasonable steps to ensure the accuracy of the data and to keep it current for the purpose for which it was collected;

Access Principle: A data subject shall be given access to his personal data and shall be able to correct the personal data where the data is inaccurate or incomplete.

Page 57

Data user: a person who, either alone or jointly or in common with other persons, processes or authorizes the processing of any personal data or has control over personal data, but does not include a data processor

Data subject: an individual who is the subject of the personal data

Page 58: EXEMPTIONS

Page 59: RIGHT OF DATA SUBJECT

Page 60: EXAMPLE OF PRIVACY STATEMENT

Telco A

“Personal information held by Telco A may include your name, date of birth, current address, telephone/mobile phone number, email address, credit cards details, occupation, user ID or password… as well as certain details about your personal interest.”

“Telco A complies with and is registered under the data protection law in Malaysia and…”

Page 61: EXAMPLE OF PRIVACY STATEMENT - CONTINUED

Bank A

“Any information sent to Bank A Bhd through the use of this site will be deemed not to be confidential and be deemed to remain the property of Bank A Bhd who shall be free to use, copy, publish, reproduce, distribute and/or transmit all such information at Bank A Bhd’s absolute discretion for any purpose and…”

Page 62: EXAMPLE OF PRIVACY STATEMENT - CONTINUED

Bank Z

"... the Bank does not warrant the security of any information transmitted by the Customer using the Bank's Internet Banking Services. Accordingly, the Customer hereby accepts the risk that any information transmitted or received using the Bank's Internet Banking Services may be accessed by unauthorised third parties and the Customer agrees not to hold the Bank liable for any such unauthorised access or any loss or damage suffered as a result thereof."

Source: PDP Conference, Prof. Abu Bakar Munir

Page 63

Page 64: IT AUDITOR'S ROLE IN PRIVACY

To ensure that management develops, implements and operates sound internal controls aimed at protecting the private information it collects and stores during the normal course of business.

To assess the strength and effectiveness of controls designed to protect personally identifiable information in organizations.

Page 65: SUMMARY

You must be able to explain and identify the meaning and important details of:
Code of Ethics
Irregular and Illegal Acts
Regulatory and legal issues (all the legal contracts)
Computer crimes
Intellectual Property
Privacy Issues

Page 66: SAMPLE EXAM QUESTION

1. As a businessman, choose a protection between patent and trade secret. Explain how your company can generate money based on the chosen protection method.

2. When are trade secrets the better choice? Explain.

3. Explain why a profession needs a code of ethics. What are the particular needs of a code of ethics for auditors?

Page 67: ANSWER

2. Trade secrets are the only choice when your invention was, but no longer is, patentable (for example if you have publicly used the invention for more than one year or you have sold (or offered to sell) the invention for more than one year).

Trade secrets are the better choice when the life of your product is substantially shorter than the 20-year life of a patent. If you expect to make the most money from your product in a year or two, then by the time your patent issues (usually in two to three years), the product's value will be near zero, and your patent will be essentially worthless.

Trade secrets may be the only choice when you don't have $5,000 to $30,000 per invention to pursue patents. It doesn't make much sense to say that patents are the better choice if you don't have the money to pursue them.

Page 68: ANSWER - CONTINUED

3. The public gains a measure of assurance that any person who is a member of the association will deal with them in a morally correct manner. They will provide a service which at least conforms to an acceptable minimum standard, but which should be of the highest quality possible, as well as being independent and objective.

This will include advice which is independent of other influences, that their affairs will be kept in confidence and that the advice given will be technically correct and within the area of the auditor's professional competence.

The public will also have available to them a source of redress if a matter is not dealt with in an ethical manner, and some kind of disciplinary action will be taken in such cases.