Ethical & Legal Issues Revised on 2014
  • Slide 1
  • Ethical & Legal Issues Revised on 2014
  • Slide 2
  • Content
      • Code of ethics: what and why?
      • Code of ethics for auditors
      • Illegal and irregular acts
      • Roles of IT auditors with relation to illegal and irregular acts in an organization
      • Regulatory and Legal Issues
      CISB424, Sulfeeza
  • Slide 3
  • What is a Code of Ethics?
      • A document that outlines the mission and values of the business or organization, how professionals are supposed to approach problems, the ethical principles based on the organization's core values and the standards to which the professional will be held. (Source: Investopedia)
      • A written set of guidelines issued by an organization to its workers and management to help them conduct their actions in accordance with its primary values and ethical standards. (Source: BusinessDictionary.com)
  • Slide 4
  • Example of Code of Ethics: Tenaga Nasional Berhad, http://www.tnb.com.my/about-tnb/tnb-code-of-ethics.html
  • Slide 5
  • Reasons for Organizations to Develop Codes of Ethical Conduct
      1. Define acceptable behaviors for relevant parties;
      2. Promote high standards of practice throughout the organization;
      3. Provide a benchmark for organizational members to use for self-evaluation;
      4. Establish a framework for professional behavior, obligations and responsibilities;
      5. Offer a vehicle for occupational identity;
      6. Reflect a mark of occupational maturity.
  • Slide 6
  • Failure to comply can result in INVESTIGATION OR DISCIPLINARY ACTION.
  • Slide 7
  • Code of Ethics for Auditors: IIA Code of Ethics
      a) PRINCIPLES. Internal auditors are expected to apply and uphold the following principles:
          i. Integrity: The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
          ii. Objectivity: Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
          iii. Confidentiality: Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
          iv. Competency: Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.
  • Slide 8
  • Code of Ethics for Auditors (cont.)
      b) RULES OF CONDUCT
          1. Integrity. Internal Auditors:
              1.1. Shall perform their work with honesty, diligence, and responsibility.
              1.2. Shall observe the law and make disclosures expected by the law and the profession.
              1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
              1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.
          2. Objectivity. Internal Auditors:
              2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
              2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.
              2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
          3. Confidentiality. Internal Auditors:
              3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
              3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
          4. Competency. Internal Auditors:
              4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
              4.2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing.
              4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.
  • Slide 9
  • Example of Code of Ethics: ISACA Code of Professional Ethics
      • ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders. Members and ISACA certification holders shall:
          a) Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
          b) Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
          c) Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
          d) Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
          e) Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
          f) Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
          g) Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
      • Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.
  • Slide 10
  • Irregular and Illegal Acts
      • Irregular act:
          • An intentional violation of corporate policies or regulatory requirements
          • An unintentional breach of law
      • Illegal act:
          • Willful violations of laws or governmental regulations
  • Slide 11
  • Irregular and Illegal Acts (cont.)
      • Irregular and illegal acts can have a negative impact on organizations, in terms of:
          i. Financial aspects
          ii. Reputation of the organization
          iii. Productivity of the organization
          iv. Retention of employees
  • Slide 12
  • Examples of illegal acts: Fraud
      • Act or course of deception, an intentional concealment, omission, or perversion of truth, to (1) gain unlawful or unfair advantage, (2) induce another to part with some valuable item or surrender a legal right, or (3) inflict injury in some manner. (Source: BusinessDictionary.com)
  • Slide 13
  • Examples of illegal acts: Computer crimes / Cybercrime
      • "Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)" (Halder & Jaishankar, 2011)
  • Slide 14
  • Examples of illegal acts: Violations of intellectual property rights
      • IP rights: a right that is had by a person or by a company to have exclusive rights to use its own plans, ideas, or other intangible assets without the worry of competition, at least for a specific period of time. (Source: BusinessDictionary.com)
  • Slide 15
  • Who is responsible for prevention, detection, and reporting?
      • IT auditors are NOT responsible for preventing and detecting illegal or irregular acts in an organization.
      • Then, whose responsibilities are those? The management and Board of Directors of the organization are responsible. They must:
          • adopt a preventative approach for identifying, analyzing and managing the risk of illegal and irregular act occurrences that could prevent the organization from achieving its business objectives or strategies;
          • have detective procedures in place to increase their ability to detect and uncover illegal and irregular act occurrences;
          • design response controls to take corrective action and to correct the illegal and irregular acts.
  • Slide 16
  • What is the IT Auditor's Responsibility?
      • According to ISACA's IS Audit and Assurance Guideline 2207 (Irregularity and Illegal Acts), Section 2.3, Responsibilities of the Professionals:
          • 2.3.3 Professionals are NOT responsible for the prevention or detection of irregularities or illegal acts. An audit engagement cannot guarantee that irregularities will be detected. Even when the audit is planned and performed appropriately, irregularities could go undetected. The aim (of an audit engagement) is to determine whether the control is in place, adequate, effective and complied with.
          • 2.3.4 Where professionals have specific information about the existence of an irregularity or illegal act, they have an obligation to report it.
          • 2.3.5 Professionals should inform management and those charged with governance when they have identified situations where a higher level of risk exists for a potential irregularity or illegal act, even if none is detected.
  • Slide 17
  • How should an IT Auditor respond?
      • According to ISACA's IS Audit and Assurance Guideline 2207 (Irregularity and Illegal Acts), Section 2.6, Responding to Irregularities and Illegal Acts:
          • 2.6.2 Professionals should demonstrate an attitude of professional skepticism. Indicators (or "red flags") of persons committing irregularities or illegal acts are:
              • Override of controls by management
              • Irregular or poorly explained management behavior
              • Consistently over-performing, compared to set targets
              • Problems with, or delays in, receiving requested information or evidence
              • Transactions not following the normal approval cycles
              • Increase in activity of a certain customer
              • Increase in complaints from customers
              • Deviating access controls for some applications or users
  • Slide 18
  • How should an IT Auditor respond? (cont.)
      • According to ISACA's IS Audit and Assurance Guideline 2207 (Irregularity and Illegal Acts), Section 2.6, Responding to Irregularities and Illegal Acts:
          • 2.6.3 When professionals become aware of information concerning a possible irregularity or illegal act, they should consider taking the following steps after direction from the appropriate legal authority:
              • Obtain an understanding of the nature of the act
              • Understand the circumstances in which the act occurred
              • Gather evidence of the occurrence of the act
              • Identify all persons involved in committing the act
              • Obtain sufficient supportive information to evaluate the effect of the act
              • Perform limited additional procedures to determine the effect of the act and whether additional acts exist
              • Document and preserve all evidence and work performed
  • Slide 19
  • Regulatory & Legal Issues
      • As discussed earlier, auditors need to know when to inform management if they have identified potential irregular or illegal acts, and to report if such acts exist during the course of an audit.
      • But how do they know whether such acts are considered irregular or illegal? Auditors need to have a working knowledge of regulations and laws so they can at least determine when to refer matters to legal counsel.
      • Some knowledge that auditors are required to have:
          • Legal contracts
          • Computer crime
          • Intellectual Property Rights
          • Privacy Issues
  • Slide 20
  • a) Legal Contracts
      • An agreement with specific terms between two or more persons or entities in which there is a promise to do something in return for a valuable benefit known as consideration. (Source: http://legal-dictionary.thefreedictionary.com/contract)
      • Types of legal contracts:
          • Lease: a contract between a landlord and a tenant that specifies the terms under which the tenant has the right to use the landlord's property.
          • Employment contract: a legal agreement between a business and an employee that details the terms of employment, such as pay and benefits.
          • Sales contract: an agreement between two parties that details the terms of a financial transaction and documents the fact that ownership of an asset has transferred from seller to buyer.
          • Licensing agreement: a contract between the owner of intellectual property and an outside party that gives the outside party the right to use the intellectual property in a capacity specified in the agreement.
  • Slide 21
  • Elements of a Legally Binding Contract
      1. An offer;
      2. An acceptance of that offer which results in a meeting of the minds;
      3. A promise to perform;
      4. A valuable consideration (which can be a promise or payment in some form that the offeror expects in return from the offeree);
      5. A time or event when performance must be made (meet commitments);
      6. Terms and conditions for performance, including fulfilling promises;
      7. Performance.
  • Slide 22
  • Types of Legally Binding Contract
      1. A unilateral contract is a contract in which only one party makes an express promise, or undertakes a performance without first securing a reciprocal (mutual) agreement from the other party. (Source: http://legal-dictionary.thefreedictionary.com/Unilateral+contract)
  • Slide 23
  • Types of Legally Binding Contract (cont.)
      2. A bilateral contract is an agreement formed by an exchange of promises in which the promise of one party is consideration supporting the promise of the other party. (Source: http://legal-dictionary.thefreedictionary.com/Bilateral+Contract)
  • Slide 24
  • Types of Legally Binding Contract: Examples
      a) I will pay you RM500 to fix my car by Thursday.
      b) I promise to fix your car by Thursday and you promise to pay RM500 on Thursday.
      c) John offers to drive Mary to work on Mondays and Tuesdays in exchange for Mary driving to work on Wednesdays and Thursdays, or Mary offers to pay John RM15 each day he drives her to work.
  • Slide 25
  • Employment Contracts
      • What type of contract are employment contracts? Unilateral.
      • Why? E.g. an employment contract cannot include that the employee must work for the employer for a certain period of time.
      • However, the employer may request the employee to sign some agreements upon hiring, such as:
          a) Confidentiality agreement
          b) Trade secret agreement
          c) Discovery agreement
          d) Non-compete agreement
  • Slide 26
  • i) Confidentiality Agreements
      • A legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to or by third parties. (Source: http://encyclopedia.thefreedictionary.com/Confidentiality+agreement)
      • Also known as non-disclosure agreement (NDA), confidential disclosure agreement (CDA), proprietary information agreement (PIA), or secrecy agreement.
      • Content of the agreement:
          • Employee agrees not to divulge confidential information
          • Describe nature of protected information
          • List permissible uses of such information
          • Identify remedies for non-compliance
          • State term of agreement
  • Slide 27
  • ii) Trade Secret Agreements
      • A trade secret is a formula, practice, process, design, instrument, pattern, or compilation of information which is not generally known or reasonably ascertainable, by which a business can obtain an economic advantage over competitors or customers. (Source: http://encyclopedia.thefreedictionary.com/trade+secret)
      • Enforceable for an indefinite period of time.
  • Slide 28
  • iii) Discovery Agreements
      • For employees hired to develop ideas and innovations.
      • Agreement transfers ownership of the discovery to the employer.
      • Prevents employees from claiming the discovery as their own property.
  • Slide 29
  • iv) Non-Compete Agreements
      • Employee agrees not to work for a competing employer (including self) for:
          a) a specified time (must be reasonable)
          b) a specified geography
      • Prevents the employee from working for other companies in connection with the design or sale of a competitive product.
      • Monetary remedy may be awarded to the company for violation.
  • Slide 30
  • b) Computer Crime
      • "Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)" (Halder & Jaishankar, 2011)
      • Includes any behaviors that are deemed by states or nations to be illegal, for example:
          a. Fraud achieved by the manipulation of computer records
          b. Spamming wherever outlawed completely or where regulations controlling it are violated
          c. Deliberate circumvention of computer security systems
          d. Unauthorized access to or modification of computer programs or data
          e. Intellectual property theft, including software piracy
          f. Industrial espionage by means of access to or theft of computer materials
          g. Identity theft where this is accomplished by use of fraudulent computer transactions
          h. Writing or spreading computer viruses or worms
          i. Salami slicing (http://www.pcpro.co.uk/news/201252/hacker-takes-50-000-a-few-cents-at-a-time)
          j. Denial-of-service attack
      (Source: http://www.crime-research.org/news/26.11.2005/1661/)
  • Slide 31
  • Jurisdiction
      • Internet users remain in physical jurisdictions and are subject to law independent of their presence on the Internet.
      • A single transaction may involve the laws of at least three jurisdictions:
          • The laws of the state/nation in which the user resides
          • The laws of the state/nation that apply where the server hosting the transaction is located, and
          • The laws of the state/nation which apply to the person or business with whom the transaction takes place
      (Source: Suneet Dwivedi, https://www.academia.edu/3700793/Jurisdictional_Issues_in_Cyber_Crime)
  • Slide 32
  • Which jurisdictions apply? Alex lives in Kansas, USA. He sells a fake handbag through his website to Marni, who lives in Birmingham, Britain. The online storefront that Alex used is hosted on a server in Canada.
  • Slide 33
  • Intellectual Property
      • Creations of the mind, such as inventions; literary and artistic works; designs; and symbols, names and images used in commerce.
      • Categories of Intellectual Property:
          1. Industrial Property: patents, trademarks
          2. Individual Property: copyrights of literary and artistic works.
  • Slide 34
  • Patents
      • A patent protects an invention for 20 years from the date of application.
      • Patents are territorial rights, i.e. the exclusive rights are only applicable in the country or region in which a patent has been filed and granted, in accordance with the law of that country or region.
      • Criteria for a patent are that an invention must be:
          • Novel, meaning that it has never existed before
          • Useful
          • Not of obvious nature
          • Subject matter that is patentable
      • There are four types of discoveries that can receive patents:
          a) Machines or mechanical devices (http://www.prv.se/en/Patents/Why-apply-for-a-patent/Examples-of-patents/System-for-shorter-flight-times/)
          b) Human-made products (http://www.prv.se/en/Patents/Why-apply-for-a-patent/Examples-of-patents/Life-saving-invention/)
          c) Compositions of matter (chemical composition or other substance)
          d) Processing methods: a method of doing something
  • Slide 35
  • Trademarks
      • Grants the owner the exclusive right to use the trademark on the intended or related products for identification.
      • Covers:
          a) Distinctive images: symbols, pictures, words
          b) Distinctive & unique packaging
          c) Color combinations
          d) Building designs
          e) Product styles
          f) Overall presentations
      • Trademark status may be granted over time for a secondary meaning that identifies the mark with the product or seller.
      • http://www.legalteamusa.net/tacticalip/2012/11/13/five-classic-examples-of-trademark/
  • Slide 36
  • Copyrights
      • Offers protection from the creation of the work until the end of the author's life plus 50 years.
      • Protects creative works from being, by others without permission:
          • Reproduced
          • Performed
          • Disseminated
  • Slide 37
  • Malaysia Laws
      • Communications & Multimedia Act 1998
      • Malaysian Communications & Multimedia Commission Act 1998
      • Digital Signature Act 1997
      • Computer Crimes Act 1997
      • Telemedicine Act 1997
      • Optical Discs Act 2000
      • Copyright Act 1987
      • Trade Marks Act 1976
      • Patents Act 1983
      • Industrial Designs Act 1996
      • Layout Designs of Integrated Circuits Act 2000
      • Geographical Indications Act 2000
      • Trade Description Act 1972
      • Intellectual Property Corporation of Malaysia Act 2002
      • E-Commerce Act 2006
      • All can be downloaded from: http://www.msc.com.my/cyberlaws/index.asp
  • Slide 38
  • Examples & Issues related to using patented materials
      • If the IT auditor observes that the client appears to use some distinctive techniques within its IT infrastructure, such as novel processes of encrypting data or unique methods of thwarting denial of service attacks, the auditor should investigate whether such processes are already patented by other entities. If so, the auditor should ensure that the client has legally procured the right to use such patents.
      • If the IT auditor observes that the client appears to use the trademarks of other entities in its digital communications, the auditor should ensure that the client is not illegally using such trademarks.
  • Slide 39
  • Examples & Issues related to owning patented materials
      • If the IT auditor learns that the client owns one or more patents pertaining to the IT infrastructure, such as those mentioned above, the IT auditor should investigate whether and how the company continually scans the environment to ensure that other persons or entities are not infringing on the client's patent(s). If the company has no policies or activities aimed at protecting its patent(s) in this regard, the IT auditor could add value to the engagement by suggesting several scanning methods.
      • If the client places its own unique logo on its digital communications, the IT auditor should investigate whether and how the company continually scans the environment to ensure that other persons or entities are not using the company logo. If the company has no policies or activities aimed at protecting its logo, the IT auditor could add value to the engagement by suggesting several scanning methods.
  • Slide 40
  • Examples & Issues related to developing patented materials
      • If the IT auditor discovers that the client has developed unique and novel components of the digital IT infrastructure that give competitive advantage to the company, such as those mentioned above, the IT auditor could suggest that the client consider the possibility of applying for patents, if it has not already done so. If successful, the client will be able to legally protect its intellectual property rights.
      • If the client places a unique logo on its digital communications but has not properly registered it with the U.S. Patent and Trademark Office, the IT auditor should suggest that the client registers the logo as a way to protect the marketing value ascribed to the logo.
  • Slide 41
  • Examples & Issues related to copyrighted materials
      • If the IT auditor observes that the client appears to use copyrighted creative works belonging to external parties, such as software applications, the auditor should investigate whether the rights to use such copyrighted works have been properly procured. With regard to software applications, which reflect the most likely type of infringement an IT auditor will encounter, the client should possess properly executed software licensing agreements.
      • If the IT auditor learns that the client owns one or more copyrights, such as software applications that the company has developed, the auditor should investigate whether and how the company continually scans the environment to ensure that other persons or entities are not infringing on the client's copyrights. If the company has no policies or activities aimed at protecting its copyrights in this regard, the IT auditor could add value to the engagement by suggesting several scanning methods.
      • If the IT auditor discovers that the client has developed its own creative works, such as software applications, and the company has not copyrighted its material, the IT auditor could suggest that the client consider the possibility of registering for such copyrights, if it has not already done so. The client should register its creative works as a way to put the public on notice that it considers its works to be protected as intellectual property.
  • Slide 42
  • Privacy
      • The right to be free from secret surveillance and to determine whether, when, how, and to whom one's personal or organizational information is to be revealed.
      • In specific, privacy may be divided into four categories:
          (1) Physical: restriction on others to experience a person or situation through one or more of the human senses;
          (2) Informational: restriction on searching for or revealing facts that are unknown or unknowable to others;
          (3) Decisional: restriction on interfering in decisions that are exclusive to an entity;
          (4) Dispositional: restriction on attempts to know an individual's state of mind.
      (Source: http://www.businessdictionary.com/definition/privacy.html)
  • Slide 43
  • Four Types of Invasion of Privacy
      • Intrusion: when a person invades another person's private affairs
      • Public Disclosure: when someone publishes hurtful, embarrassing or offensive facts about a person's private life
      • False Light: when someone produces false statements about a person or depicts that person in a false manner
      • Appropriation of name or likeness: the unauthorized commercial use of a person's name or image without his knowledge or approval.
      (Source: http://www.ehow.com/info_8068982_four-types-invasion-privacy.html)
  • Slide 44
  • Privacy and Organizations
      • A corporate classification program for privacy-protected data will assist the organization in prioritizing the data as well as assigning a sensitivity level (such as proprietary, confidential, or public) to data, which in turn assists in evaluating the appropriateness of the controls over the technology and business processes that handle the data.
      • It is critical that the organization implements an effective privacy program that includes:
          a) A privacy statement.
          b) Written policies, procedures, controls, and processes.
          c) Roles and responsibilities.
          d) Employee training and education.
          e) Monitoring and auditing.
          f) Information security practices.
          g) Incident response plans.
          h) Privacy laws and regulations.
          i) Plans for responding to detected problems and corrective action.
      (Source: ITAudit, CAE Bulletin, IIA, 2006)
  • Slide 45
  • IT Auditor's Role in Privacy
      • The IIA released Global Technology Audit Guide (GTAG) 5, Managing and Auditing Privacy Risks, to provide internal auditors and management with insight into privacy risks that the organization should address when it collects, uses, retains and discloses personal information.
      • According to GTAG 5, good governance includes:
          a) Identifying significant risks to the organization;
          b) Ensuring appropriate controls are in place to mitigate these risks.
      • What are the benefits of good governance to the organization?
          a) Protecting the organization's public image and brand
          b) Protecting valuable data on the organization's customers and employees
          c) Achieving competitive advantage in the marketplace
          d) Enhancing credibility and promoting confidence and goodwill
      (Source: ITAudit, CAE Bulletin, IIA, 2006)
  • Slide 46
  • IT Auditor's Role in Privacy (cont.)
      • Specific activities that auditors can perform:
          1. Work with legal counsel to determine what privacy legislation and regulations would be applicable to the organization.
          2. Work with IT management and business process owners to assess whether information security and data protection controls are in place and are reviewed regularly.
          3. Conduct privacy risk assessments, or review the effectiveness of privacy policies, practices, and controls across the organization.
          4. Identify types of personal information collected, the collection methodology used, and whether the organization's use of the information is in accordance with its intended use.
          5. Review policies, procedures, and guidelines governing data flows and handling procedures.
          6. Conduct an assessment of service providers' interactions, including a review of procedures and controls over providers who manage personally identifiable information or sensitive data on behalf of the organization.
          7. Review current training practices and materials, and take inventory of the privacy awareness and training materials available and needed.
          8. Perform a gap analysis of data flows and handling procedures against relevant policies, laws, regulations, and best practices for consistency and compliance.
      (Source: ITAudit, CAE Bulletin, IIA, 2006)
  • Slide 47
  • IT Auditor's Role in Privacy (cont.)
      • GTAG 5 provides 10 privacy questions internal auditors should ask during a privacy assessment:
          1. What privacy laws and regulations impact the organization?
          2. What type of personal information does the organization collect?
          3. Does the organization have privacy policies and procedures with respect to collection, use, retention, destruction, and disclosure of personal information?
          4. Does the organization have responsibility and accountability assigned for managing a privacy program?
          5. Does the organization know where all personal information is stored?
          6. How is personal information protected?
          7. Is any personal information collected by the organization disclosed to third parties?
          8. Are employees properly trained in handling privacy issues and concerns?
          9. Does the organization have adequate resources to develop, implement, and maintain an effective privacy program?
          10. Does the organization complete a periodic assessment to ensure that privacy policies and procedures are being followed?
      (Source: ITAudit, CAE Bulletin, IIA, 2006)
  • Slide 48
  • Examples of Privacy Frameworks
      1) Organization for Economic Co-operation and Development (OECD) Privacy Principles
      2) Asia-Pacific Economic Cooperation (APEC) Privacy Framework
      3) United States Department of Commerce Safe Harbor Privacy Principles
      4) Generally Accepted Privacy Principles (GAPP)