Fraud in IT

Review Ch. 13, “Management Issues,” and Ch. 14, “Support Tools and Frameworks,” of Auditor’s Guide to IT Auditing for information about fraud in IT, and laws and regulations around it.

Discuss fraud and major laws and regulations that pertain to IT functions related to fraud. What might exempt an organization from a law or regulation? Why is understanding fraud and related laws and regulations relevant for the purposes of a control self-assessment?

CHAPTER FOURTEEN
Support Tools and Frameworks

THIS CHAPTER INTRODUCES the reader to the need for support tools and frameworks such as Control Objectives for Information and related Technology (COBIT®) Management Guidelines, a framework for Information Technology/Information Systems (IT/IS) managers, and the use of COBIT by audit in support of the business cycle. International standards and good practices such as ISO 17799, IT Infrastructure Library® (ITIL®), privacy standards, Committee of Sponsoring Organizations (COSO), Criteria of Control (CoCo), Cadbury, King, and Sarbanes-Oxley also play a vital role in ensuring appropriate governance.

GENERAL FRAMEWORKS

COBIT is one of the most widely accepted models of IT governance and control utilized to manage risks and implement controls within an IT environment in order to achieve business objectives.

COBIT was introduced to meld existing IT standards and best practices into one comprehensive structure designed to achieve internationally accepted governance standards. Working from the strategic requirements of the organization, COBIT encompasses the full range of IT activities, focusing on the achievement of control objectives rather than the implementation of specific controls. As such, it integrates and aligns IT practices with organizational governance and strategic requirements. It is not the only set of standards in common use, but it integrates with other standards to achieve defined levels of control.

What may be classed as best practice for an organization must be appropriate to that organization based upon its needs and capabilities. Standards themselves do not achieve best practice but require careful selection, interpretation, and implementation in order to achieve an adequacy of control. At its highest level, COBIT presents a framework for overall control based upon a model of IT processes intended as a generic model upon which specific controls can be overlaid in order to achieve a unique system of internal controls specifically tailored to the business needs of the organization.

COBIT is designed to be utilized at different levels of management. Executive management can utilize it to ensure value is obtained from the significant investment in IT and to ensure that risk and control investment is appropriately balanced. From an operational management perspective, COBIT facilitates the gaining of assurance that the management and control of IT services, whether insourced or outsourced, is appropriate. IT management can use it as an operational tool to ensure the business strategy is supported in a controlled and appropriately managed manner in providing IT services. IT auditors can utilize COBIT to evaluate the adequacy of controls, design appropriate tests to determine the effectiveness of controls, and provide management with appropriate advice on the system of internal controls.

COBIT is based upon research into best practice within a variety of IT environments and is subject to continuous research and maintenance due to the dynamic nature of information technology. It is geared toward all aspects of IT governance, unlike some other standards that are specific to, for example, security alone. Because of its close alignment with internationally accepted principles of good corporate governance, it is intrinsically acceptable to multiple layers of management as well as to regulators.

COBIT utilizes a framework of domains and processes in order to create a logical structure of IT activities that can be easily subjected to managerial controls. The process model divides IT into 34 processes covering:

· Planning and organizing. This domain covers all of the processes undertaken by management in order to ensure that the IT function is properly planned and controlled to provide assurance that corporate IT objectives will be achieved. Detailed processes include:

PO1   Define a Strategic IT Plan

PO2   Define the Information Architecture

PO3   Determine Technological Direction

PO4   Define the IT Processes, Organization and Relationships

PO5   Manage the IT Investment

PO6   Communicate Management Aims and Direction

PO7   Manage IT Human Resources

PO8   Manage Quality

PO9   Assess and Manage IT Risks

PO10  Manage Projects

· Acquire and implement. This domain covers the processes involved in identifying solutions through to installation and accreditation of solutions and changes. Detailed processes include:

AI1   Identify Automated Solutions

AI2   Acquire and Maintain Application Software

AI3   Acquire and Maintain Technology Infrastructure

AI4   Enable Operation and Use

AI5   Procure IT Resources

AI6   Manage Changes

AI7   Install and Accredit Solutions and Changes

· Deliver and support. This domain includes all of the processes required to deliver the appropriate service levels, manage information and operations, and ensure appropriate performance. Detailed processes include:

DS1   Define and Manage Service Levels

DS2   Manage Third-party Services

DS3   Manage Performance and Capacity

DS4   Ensure Continuous Service

DS5   Ensure Systems Security

DS6   Identify and Allocate Costs

DS7   Educate and Train Users

DS8   Manage Service Desk and Incidents

DS9   Manage the Configuration

DS10  Manage Problems

DS11  Manage Data

DS12  Manage the Physical Environment

DS13  Manage Operations

· Monitor and evaluate. This domain includes the processes required to monitor overall IT performance and ensure effective IT governance. Detailed processes include:

ME1   Monitor and Evaluate IT Performance

ME2   Monitor and Evaluate Internal Control

ME3   Ensure Regulatory Compliance

ME4   Provide IT Governance

Each of these is further subdivided into a variety of individual control objectives which, in turn, identify the control requirements, principal control structures, and measurement criteria. The measurement criteria are, perhaps, the most critical part of COBIT in terms of achieving corporate governance. Within each process, detailed control objectives are specified as a minimum level of managerial control. Roles and responsibilities for achieving these control objectives are spelled out and a maturity model for each process is given with measurement metrics under the headings:

· Nonexistent

· Initial/ad hoc

· Repeatable but intuitive

· Defined process

· Managed and measurable

· Optimized

These metrics facilitate management’s and the auditors’ judgment as to the degree of compliance achieved in each of the processes.

COBIT is based upon the understanding that the design and implementation of automated application controls is the responsibility of IT based upon the business needs as specified by the business-process owner. General IT controls are the direct responsibility of the IT function and are therefore also covered within COBIT.

Further Information

Further information is available from the IT Governance Institute (www.itgi.org). Details of direct interest to the IT auditor include the COBIT:

· Framework

· Control objectives

· Control practices

· IT assurance guide

· IT control objectives for Sarbanes-Oxley

· IT governance implementation guide

CobiT 5®, which was released in the third quarter of 2011, is a major revision, designed to meet the current and future needs of stakeholders and align with the latest thinking in enterprise governance and IT management techniques. It effectively merges with the existing Information Systems Audit and Control Association (ISACA) standards to provide an integrated Governance Framework. In addition, it facilitates the connectivity to the Information Technology Infrastructure Library (ITIL) and International Standards Organization (ISO) frameworks.

COSO: INTERNAL CONTROL STANDARDS

As noted in Chapter 4, internal control was defined by COSO as a broadly defined process, affected by people, designed to provide reasonable assurance regarding the achievement of the three objectives that all businesses strive for, namely:

1. Economy and efficiency of operations, including achievement of performance goals and safeguarding of assets against loss

2. Reliable financial and operational data and reports

3. Compliance with laws and regulations

In order to achieve these objectives, COSO defined five components that would assist management in achieving these objectives, namely:

1. A sound control environment

2. A sound risk-assessment process

3. Sound operational-control activities

4. Sound information and communications systems

5. Effective monitoring

An internal control system would be judged to be effective if all five components were present and functioning effectively for operations, financial reporting, and compliance.

COBIT originally adapted its definition of control from COSO, in that the policies, procedures, practices, and organizational structures are designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. COBIT emphasizes the role and impact of IT control as it relates to business processes, whereas COSO defined internal control, described its components, and provided criteria against which control systems could be evaluated.

The major goals of COSO were to establish a common definition of internal control in order to serve a variety of different parties and, at the same time, provide a standard against which organizations could assess their internal control systems and identify areas for improvement.

COSO emphasized that the internal control system is a tool of management, not a substitute for it, and that controls should be integral to operating activities rather than added on. Unlike COBIT, COSO defined internal control as a process in its own right and recommended that the effectiveness of internal control be evaluated periodically.

COSO also attempted to address the limitations of an internal control system including faulty human judgment, misunderstanding of instructions, management override, collusion, errors, and cost-benefit considerations, all of which can serve to undermine the effectiveness of the overall system of internal control.

COSO also stated that there should be separate and independent evaluations conducted of the system of internal control with the frequency and scope of such reviews dependent upon the assessment of risks and the effectiveness of management’s monitoring procedures.

OTHER STANDARDS

Security: BS 7799 and ISO 17799/27001/27002

As noted in Chapter 4, British Standard (BS) 7799 and ISO 17799 were both developed to assist companies by ensuring security and control within electronic trading systems. The 10 areas depicted within the standards facilitate the introduction of key controls as mandatory features and additional controls in higher risk organizations.

The ISO 27001™ standard was published in October 2005, essentially replacing the old BS7799-2™ standard and is the specification for an Information Security Management System (ISMS). It is intended as a certification standard, compliance with which can benefit an organization by providing proof of IT security management.

The process is predicated on an organization making the decision to embark on the exercise. This requires management commitment and the assignment of responsibilities for the certification project itself. Once commitment is made, an organizational top-level policy is normally developed and published, usually supported by subordinate policies.

This is followed by the scoping of the project in order to define which part(s) of the organization will be covered by the ISMS including the location, assets, and technology to be included.

At this stage a risk assessment is undertaken to determine the organization’s IT risk exposure/profile, and identify the best potential routes to address this. The document produced will form the basis for the next stage, which is the management of those risks through the implementation of appropriate controls.

A part of this process will be the selection of appropriate controls with respect to those outlined in the standard (and ISO 27002™), with the justification for each decision recorded in a Statement of Applicability (SOA). The controls themselves should then be implemented as appropriate.

ISO 27002, itself, is a code of practice for information security. In essence, it outlines hundreds of potential controls and control mechanisms, which may theoretically be implemented, subject to the guidance provided within ISO 27001.

The standard is intended to establish both guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization. The intention is that, following a formal risk assessment, actual controls may be selected from among those listed in the standard in order to address the specific requirements identified as a result of the risk analysis.

Overall the standard addresses the component areas of:

· Structure

· Risk Assessment and Treatment

· Security Policy

· Organization of Information Security

· Asset Management

· Human Resources Security

· Physical Security

· Communications and Ops Management

· Access Control

· Information Systems Acquisition, Development, Maintenance

· Information Security Incident Management

· Business Continuity

· Compliance

Once the risk architecture is identified, and the appropriate controls selected and implemented, the certification process itself can then be embarked upon via a suitable accredited independent third party.

Service Management: ITIL

ITIL® (www.itil.org) is intended to define best practice in IT Service Management. It was developed by the Office of Government Commerce (OGC) and is supported by publications, qualifications, and an international user group. It takes a top-down, business-driven approach to the management of IT, intended to address the need to deliver a high-quality IT service in order to deliver strategic business value. IT Service Management focuses on the people, processes, and technology issues that IT organizations face. ITIL itself attempts to assist organizations in developing a framework for IT Service Management by providing a cohesive set of best practices, drawn from both the public and private sectors. It offers a comprehensive qualifications scheme and accredited training organizations, as well as specifically developed implementation and assessment tools.

Project Management: PRINCE

Projects in Controlled Environments (PRINCE®) is a widely used project-management method that navigates the user through all the essential elements for implementation of a successful project.

It was first developed in 1989 by the Central Computer and Telecommunications Agency (CCTA) as a U.K. government standard for IT project management. Since its introduction, PRINCE has become widely used in both the public and private sectors and is a widely recognized standard for project management, both for IT and for non-IT projects. It is designed to incorporate the requirements of existing users and to enhance the method toward a generic, best-practice approach for the management of a variety of projects.

Criteria of Control: CoCo

CoCo, sponsored by the Canadian Institute of Chartered Accountants, is intended to translate COSO into practical, implementable activities and defines three major control objectives:

1. Effectiveness and efficiency of operations

2. Reliability of internal and external reporting

3. Compliance with applicable laws and regulations and internal policies

Within the CoCo framework, control is defined as encompassing:

· Purpose, which defines criteria that promote an understanding of the organization’s direction. They use techniques such as vision and strategy, risks and opportunities, planning, policy development, and use of performance targets and indicators.

· Commitment, which defines criteria that promote a belief in the organization’s identity and values. They impact ethical values, including integrity; human resource policies; responsibility and accountability; authority; and mutual trust.

· Capability, which defines criteria that address an organization’s competence. They involve knowledge and competencies, skills and tools, information, use of appropriate communication processes, coordination, and control activities.

· Monitoring and Learning, which defines criteria that will facilitate the organization’s evolution. They involve monitoring internal and external environments, monitoring performance, challenging assumptions, reassessing information needs and information systems, execution of follow-up procedures, and assessing the overall effectiveness of control.

CoCo promotes the treatment of risk through:

· Avoidance of risk

· Reducing the likelihood of risk occurring

· Reducing the impact should a risk occur

· Transferring the risk to a third party

· Accepting or retaining the risk

This is seen to be effected using controls of the five basic types, namely: directive, preventative, detective, corrective, and recovery controls.

GOVERNANCE FRAMEWORKS

Three standards have become widely recognized as IT governance frameworks. While each has significant IT governance strengths, none may be looked on as a complete IT governance solution.

ITIL

ITIL, as mentioned previously, was developed by the United Kingdom’s Office of Government Commerce. Although it is directed specifically toward service management, a part of that is, itself, directed toward the governance of service delivery.

CobiT

CobiT®, as mentioned previously in greater detail, is a generic IT governance framework.

CobiT regards IT governance as a balance between two primary areas:

1. Creation of corporate value

2. Minimizing IT risks

With overall objectives of:

· Ensuring strategic orientation, focusing on corporate solutions.

· Creation of benefits, focusing on optimizing the tasks and assessing the benefit of the IT.

· Implementation of risk management relating to the protection of the IT assets and taking account of disaster recovery and continuation of the corporate processes in the event of a crisis.

· Effective resource management in order to ensure the optimization of knowledge and infrastructure.

· Adequacy of performance measurement and the creation of the bases for continual improvement.

The CobiT approach to controlling is essentially a top-down approach in which corporate objectives form the basis for defining the IT objectives, which in turn define the IT architecture. This is intended to ensure that IT processes are appropriately defined and operated, and that information is processed, IT resources managed, and services delivered in a well-governed manner.

ISO/IEC 38500

ISO/IEC (International Organization for Standardization/International Electrotechnical Commission) 38500 was developed by the joint technical committee ISO/IEC JTC1, information technology, subcommittee SC 7, software and systems engineering. Designed as a worldwide formal international IT Governance Standard, ISO/IEC 38500 was published in June 2008 and sets out a clear framework for the Board’s governance of information and communications.

The framework sets out six principles for good corporate governance of IT under the headings of:

1. Responsibility

2. Strategy

3. Acquisition

4. Performance

5. Conformance

6. Human behavior

As with all such frameworks, the difficulty comes in the implementation.

The CALDER-MOIR IT Governance Framework¹ is designed to facilitate obtaining maximum benefit from all these overlapping and competing frameworks and standards, and also to deploy best-practice guidance. The framework itself is divided into six segments:

1. Business Strategy

2. Risk, Conformance, and Compliance

3. IT Strategy

4. Change

5. Information and Technology Balance Sheet

6. Operations

Each segment is then divided into three layers representing:

1. The board

2. Executive management

3. IT and IT-governance practitioners

Starting with the overall business strategy, each segment is then executed in clockwise order. In the first three segments the board establishes directions and business strategies. Depending on the nature of the organization, these need to be compliant with the overall corporate governance regimes and risk assessed. In the last three steps, architectures and plans are then developed to meet business strategies through use of the appropriate IT. After these plans are approved by the board, they are then implemented via a series of change projects.

The main tasks for directors in IT governance (evaluate, direct, and monitor, as per ISO/IEC 38500) are contained within the Calder-Moir framework. The board evaluates business conditions and strategies, directs using IT principles, and monitors all processes in the framework. Executive managers also evaluate, direct, and monitor the processes carried out by IT practitioners.

NOTE

¹ Calder and S. Moir. IT Governance. IT Governance Publishing, 2009.

CHAPTER THIRTEEN
Management Issues

THIS CHAPTER LOOKS at the broader Information Systems/Information Technology (IS/IT) management issues including the legal issues relating to the introduction of IT to the enterprise, intellectual property issues in cyberspace, trademarks, copyrights, patents, as well as ethical issues, rights to privacy, and the implementation of effective IT governance.

The introduction of IT to organizations has had a dramatic impact on many aspects of their compliance with the law. Perhaps the most fundamental impact of IT on enterprises doing business has been the impact on the legal position of transactions. In order for business to continue taking place in a modern computerized environment, transactions concluded and performed in whole or in part by electronic means must be enforceable and regarded as legally binding. In addition, a variety of concerns regarding confidentiality, accuracy, and completeness of information, identity authenticity, and protection of intellectual property have required the rethinking of existing laws and legislation. The extent to which legislation has kept pace with advances in technology varies from country to country, although all face the same problems.

Business moving onto the Internet has created some of the greatest opportunities for fraud the world has ever known. Cyberfraud is a major international growth industry that has both the business and legal world struggling to keep pace. Fraud itself typically involves a false statement or omission made deliberately to induce an individual or organization to rely upon it to its prejudice. Prejudice itself may be actual or potential depending on the wording of the individual legislation. Electronic fraud, utilizing Internet technology, may come in the form of creating a false identity on the Internet, intercepting information sent over the Internet, using the Internet to spread false information, or using the Internet to access and manipulate information within the corporate information systems.

There is an old saying that “on the Internet nobody knows you’re a dog,” and identity misrepresentation, or even identity theft, has become a twenty-first century phenomenon. Such acts range from impersonation of an existing authorized user on a computer system, through grooming children in Internet chat rooms and phishing for information by pretending to be a legitimate information seeker, to stealing an individual’s identity via knowledge gained on the Internet. Creating a false identity is not a new phenomenon, but it is considered more difficult to detect electronically. Acquisition of goods and services from a genuine dealer by assuming a false identity and using a false credit card number is comparatively common.

This is where Certification Authorities become critical. A Certification Authority is an organization that, having independently checked the identity of a business or person, guarantees that they are who they claim to be. This is not to say that all Certification Authorities are equal. Some merely check that a business exists and that its bank account is valid. Others go into considerably more detail and cost correspondingly more. One difficulty with the issuance of such certificates is that many customers do not have certificates, and the cyber trader can either deny access to such potential customers and therefore lose business, or take a chance that the customer is legitimate even without the appropriate certificates. Given that the Internet appeals to customers who like to do things the easy way, control, as with most things, is frequently seen as an inconvenience.

One of the more common concerns about doing business electronically is that someone will intercept transaction and payment details in a form of electronic eavesdropping and use them to commit the kind of fraud described earlier. Although we have had the ability to encrypt information since information processing began, most of our communication remains in clear text, easily intercepted, read, amended, and retransmitted.

Circulating information over the Internet calls for little or no capital outlay, and the information circulated may be erroneous, intentionally misleading, or even libelous. Misuse in this area ranges from falsely spreading rumors for financial gain, through character assassination, to the publication of propaganda for extremist groups of every sort. Much of this information sounds plausible, although factually it is false. Tracing the origins of such rumors is not impossible, but it does take effort, time, and money that individuals and organizations may be unwilling to spend.

Deliberate penetration of an organization’s systems with the intent to access and manipulate corporate information has become so common that it rarely warrants a mention in national newspapers. It has always been possible to break into any secure system, but the advent of e-commerce has effectively invited the world to have a go. Law-abiding citizens who would never consider larceny and burglary look on information larceny as a “bit of fun” and, in some cases, a challenge. The old laws regarding trespass were intended to prevent physical access and do not normally recognize logical access wherein nothing is physically damaged or removed.

New laws may be required to redefine these crimes should existing laws prove inadequate. Laws defining evidence, the nature of the signature, and proof may need to be reviewed in light of the advent of information processing.

PRIVACY

Privacy itself is concerned with the collection and use or misuse of computer-stored data. Many information systems retain data on individuals that has been collected, stored, and used without that individual’s knowledge or consent. Although information databases are normally used correctly and justifiably, the potential for misuse is inherent in all information systems. Countries around the world and several states within the United States have enacted privacy legislation to provide safeguards for individuals against an invasion of personal privacy by facilitating:

· The individual determining which records have been collected, maintained, used, or distributed regarding themselves

· The prevention of records pertaining to the individual gathered for a specific purpose from being used or made available for another purpose without their consent

· The obtaining by an individual of such information as has been held on them, with the opportunity to correct or amend such records

· The determination that information held is current and accurate for its intended use and that adequate safeguards exist for the prevention of misuse of such information

· Civil suit for any damages incurred as a result of willful or intentional action violating the individual’s rights under these acts

In April 2011, legislation, the Commercial Privacy Bill of Rights Act of 2011, was introduced in the United States to protect the “fundamental right of American citizens, that is the right to privacy”¹ and is currently in committee. Personally identifiable information was defined as including a first and last name, a residential mailing address, a Web cookie, an e-mail address, a telephone number, biometric data, and so on. Sensitive information is a subset and includes health records, religious information, or data that could lead to “economic or physical harm.” One anomaly of this legislation was that it would regulate only commercial and nonprofit use of information that is personally identifiable. In addition, the legislation did not apply to government agencies including the Department of Health and Human Services, the Department of Veterans Affairs, the Social Security Administration, the Census Bureau, and the Internal Revenue Service (IRS), all of which collect vast amounts of data on U.S. citizens.

Many international regulations exist when the information, particularly financial information, crosses international borders, and a control such as encryption is compulsory in some legislation and banned in others. Such trans-border data flow has become more complicated with the explosion of Internet traffic in an unregulated environment, and in particular within a cloud-computing environment (see Chapter 19).

COPYRIGHTS, TRADEMARKS, AND PATENTS

Countries have, in the past, created enforceable rights in certain intangibles that have become known as intellectual property. This categorization includes copyrights, trademarks, patents, and trade secrets. As today’s economy grows increasingly reliant on the current proliferation of computers and computer networks, the illegal reproduction and distribution of protected material has become considerably easier to accomplish.

Conventional wisdom is that copyright protection is important to protect the computer software industry. It should always be remembered, however, that an organization’s information itself may be as important to protect as the software it utilizes. Some of the most vital information and trade secrets are held on computers, connected into networks, and ultimately connected to the world at large. A trade secret may be defined as:

any formula, pattern, device, or compilation of information used in a business to obtain an advantage over competitors who do not know or use it.²

A great deal of time and effort is now being spent in countries such as the United States in order to ensure that an organization’s copyrights, trademarks, and patents have a legal protection within IT legislation. Obviously, the legal remedy is only of significance after a transgression has taken place, and the auditor’s role may be to ensure that practical countermeasures have been put in place by management to prevent such transgressions from occurring. Countermeasures could include:

· Cryptography

· Effective access control

· Permissions management

· Biometric authentication

· Digital signatures and certification authorities

These technologies are discussed further in Chapter 27.

ETHICAL ISSUES

Business ethics lay out the rules under which business takes place—fairness, honesty, integrity, and the opportunity for all participants to be winners. All stakeholders within an organization maintain an ethical responsibility to act in the best interests of the organization and all of its stakeholders.

An understanding of business ethics is essential for the IT auditor, who will encounter ethical issues and dilemmas in his or her daily interaction with management and auditees in any organization. Thus it is useful to understand that the general dimensions of economic activity where management will be making decisions often present tensions between ethical and legal choices. Rossouw [3] identifies three main areas:

1. Macro or systemic dimension. The policy framework determined by the political power of the state that determines the basis for economic exchanges nationally and internationally between governments.

2. Meso or institutional dimension. The relations between economic organizations, such as public sector entities, private sector entities, and private individuals and those outside the organizations.

3. Micro or intra-organizational dimension. The economic actions and decisions of individuals within an organization.

Ethics are commonly confused with individual moral principles but in fact go far beyond them. They are designed to address issues from both practical and idealistic standpoints, and as such the idealism may frequently be in conflict with the practical. From the professional’s perspective they become a way of life. Wheelwright [4] defined three key elements in defining the impact of ethics on decision making:

1. Ethics involve questions requiring reflective choice

2. Ethics involve guides of right and wrong

3. Ethics are concerned with consequences of decisions

In respect to information systems, ethical issues commonly involve the use to which information is put and can be seen with and for specific areas of concern, namely, privacy, accuracy, intellectual property, and access.

As has been described earlier, privacy deals with the collection and use or abuse of computer-stored data. Accuracy, and its risk equivalent inaccuracy, can wreak havoc on individuals and organizations because the use of computerized systems involves an implicit trust in the accuracy and completeness of the information provided. Intellectual property rights reflect the ownership and use of information, including who has the right to buy or acquire the information as well as who determines the value of intellectual property. Access, as an ethical issue, is concerned with the ability of individuals to gain entry into information and information systems.

CORPORATE CODES OF CONDUCT

One of the common controls in this area is the implementation of a Corporate Code of Conduct. Such codes are directive controls and do not enforce ethical behavior. Where they are combined with detective controls designed to identify breaches of the code and corrective controls designed to take effective action where such breaches are identified, they may serve as a means of expelling non-conforming members of a population.

Codes of conduct should be in place for all companies (recommended in 1987 by the Treadway Commission and confirmed by King II [5]) and should be enforced. They assist in setting an ethical tone at the top of the organization and must apply to all levels from the top down. They open channels of communication between management and employees and assist in the prevention of, for example, fraudulent reporting.

Codes of conduct are based upon a shared understanding of the values including but not limited to:

· Honesty. No intentional deception

· Integrity. One standard of conduct for all involved

· Morality. Acting in terms of accepted social norms

· Equity. Acting in a fair manner with equal treatment for all

· Equality. Provision of equal opportunities to compete and collaborate in business activities

· Accountability. To accurately record an individual’s actions and to account to the stakeholders responsibly for those actions

· Loyalty. Trustworthy commitment to all those with whom an individual has dealings

· Respect. Recognition of the worth of superiors, subordinates, suppliers, and customers

These values are normally aligned to the values statement to form the basis for the agreed code of conduct.

Codes of conduct may typically take two forms:

1. Positive statement of honest intentions (all embracing but impossible to control)

2. Lists of improper behavior (easier to audit but difficult to keep comprehensive)

Codes that have been observed to be most effective contain a combination of positive generalizations and specific prohibitions. They include the basic rules of acceptable and unacceptable behavior and cover corporate positions and rules concerning:

· Acceptance of gifts

· Confidentiality

· Conflicts of interest

· Standards of corporate practice

It is inevitable that in the conduct of business ethical dilemmas will arise that have to be faced and resolved as a result of conflicting values among various stakeholders. There is often no way of telling which values are correct or incorrect because different people have different values that they pursue.

IT GOVERNANCE

The word “govern” is derived from the Latin word gubernare, referring to the steering of a ship, and the word “governor” is derived from gubernator, which refers to the captain of a ship or steersman. Business and corporate governance place the goal of business success within the context of honest business behavior and sound stakeholder relations. The purpose of good governance is to match business behavior and management conduct with the organizational intentions, mission, and objectives.

Following a variety of well-publicized breaches of the principles of good corporate governance, it was inevitable that IT governance would emerge as one of the more critical issues in the IT field. In well-managed companies IT governance was implemented in order to ensure the overall achievement of good management principles within the organization. In others it has become just another set of rules to be complied with. Governance responsibilities include setting the strategy, managing the risks, delivering perceived value, and measuring achieved performance.

These responsibilities, overall, have been driven by the need to demonstrate the transparency of risks to the enterprise, but the impact of IT on the organization as a whole has created a dependency requiring specific focus on IT governance. Risk management in these areas includes the management of IT’s impact and business continuity as well as reputational risk resulting from failures within IT itself. Generally then, IT governance is intended to facilitate the sustaining of organizational operations directed toward implementation of its general business strategies in the present and in the future.

IT governance itself has been defined as:

. . . the responsibility of the Board of Directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives. [6]

This indicates a clear difference between IT governance and IT management. Governance is concerned with IT achieving the current and future information needs of the organization in a controlled manner. Management focuses on ensuring an ongoing supply of quality services and products at an acceptable cost.

From a governance perspective, the ultimate responsibility lies with the board of directors or governing body of the particular institution. A critical part of the execution of this responsibility lies in ensuring that the managerial levels understand the part they play in achieving good governance and implement the appropriate control structures in order to achieve it. Overall, the primary responsibility for implementing the strategic plans and policies of the organization as laid down by the board rests with the Chief Executive Officer.

Given the critical role of information systems in achieving corporate strategies, the IT manager has a critical role to play in achieving good governance. The IT manager sets the operating objectives for the IT function ensuring alignment with the organizational strategic objectives in order to provide the initial goals for the IT function. Management control is achieved by creating a continuous feedback mechanism for measurement of performance, comparison to objectives, refinement of processes where necessary, and realignment of objectives where required.

One critical element of the governance process is the placement of the decision-making role for IT within the organization. Centralized versus decentralized was the traditional choice, but a more modern alternative is the federal structure, combining the efficiencies of the centralized structure with the flexibility of the decentralized.

Because IT governance occurs at different layers within the organization, Control Objectives for Information and Related Technology (COBIT®) addresses the governance issues via key goal indicators and key performance indicators. The Board Briefing on IT Governance includes IT governance checklists, a Board IT Governance toolkit, a management IT Governance toolkit, and detailed breakdowns of roles and responsibilities in achieving good IT governance.

Because both internal and external auditors are part of the conformance function of corporate governance, it is critical that IT auditors are familiar with the roles and responsibilities laid down in this document.

SARBANES-OXLEY ACT

The far-reaching Sarbanes-Oxley Act (2002) [7] in the United States provides stringent legal requirements to enforce sound corporate governance requirements on all U.S. Securities and Exchange Commission (SEC) registrants as well as their subsidiaries and associated entities, wherever established and operating in the world. All contain references to the important role of Audit Committees and Internal Audit in assisting management to ensure the effectiveness of the corporate governance processes.

The Act itself primarily focuses on what is required for acceptable financial reporting; however, the suggested internal control framework (Committee of Sponsoring Organizations [COSO]) to be used for compliance with the Sarbanes-Oxley Act, as recommended by the SEC, addresses the topic of IT controls, although it does not dictate requirements for such control objectives and related control activities, leaving such decisions to the discretion of each organization. Section 404 of the Act requires that the management of public companies specified within the Act assess the effectiveness of the internal control over financial reporting and report annually on the result of that assessment. Given that financial reporting in such companies is directly dependent on the establishment of a well-controlled IT environment, SEC registrants must provide assurance that their IT controls are effective within their financial reporting context.

In its document “IT Control Objectives for Sarbanes-Oxley,” [8] the IT Governance Institute discusses the IT control objectives that might be considered by organizations for assessing their internal controls, as required by the Act.

PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS [9]

With the increasing electronic commerce utilizing payment by electronic cards, the Payment Card Industry Security Standards Council developed a set of standards to encourage cardholder data security and facilitate the adoption of consistent data security measures on a global basis. The second version became effective in January 2011 and consists of 12 significant requirements and multiple sub-requirements that contain numerous directives against which businesses may measure their own payment card security policies, procedures, and guidelines.

The Standards encompass:

· Installing and maintaining a firewall configuration to protect cardholder data

· Changing vendor-supplied defaults for system passwords and other security parameters

· Protecting stored cardholder data

· Encrypting transmission of cardholder data across open, public networks

· Use of regularly updated antivirus software

· Development and maintenance of secure systems and applications

· Restriction of access to cardholder’s data by business need-to-know

· Assignment of a unique ID to each person with computer access

· Restriction of physical access to cardholder data

· Tracking and monitoring of all access to network resources and cardholder data

· Regular testing of security systems and processes

· Maintenance of policies that address information security for all personnel

While the Standards have not yet been fully adopted on a worldwide basis, nevertheless in the United States some 46 states have implemented strict Security Breach Notification Laws with some states such as Nevada, Massachusetts, and Wisconsin specifically mentioning the Payment Card Industry Data Security Standard (PCI DSS) and/or Information Security Policies.

HOUSEKEEPING

Housekeeping procedures are intended to reduce the risk of loss or destruction of software and information and to ensure that sensitive output does not fall into unauthorized hands. Such procedures typically relate to the use of supplies, storage of software programs, handling of files including backups, distribution of outputs, and general care of the hardware itself.

In a centralized information processing facility, housekeeping controls and procedures are normally well established to ensure minimization of such risks. In a distributed, user-controlled environment, however, such controls may not be as obviously required, leading to food and beverage contamination of hardware; fire hazards caused by the use of multiple electrical adapters; data files and backups lost, stolen, or strayed; and confidential information either left lying around or sent to the wrong recipients.

The auditor must ensure that basic organizational controls are in place and effective in order to minimize such elementary risks.

NOTES

[1] Press conference in Washington, D.C., John McCain (R-Ariz.), April 12, 2011.
[2] David Goldstone, Prosecuting Intellectual Property Crimes, Office of Legal Education, Executive Office for United States Attorneys, http://www.usdoj.gov/criminal/cybercrime/ipmanual.htm.
[3] D. Rossouw, Business Ethics in Africa, 2nd Edition, Cape Town: Oxford University Press Southern Africa, 2002.
[4] P. Wheelwright, A Critical Introduction to Ethics, 3rd Edition, New York: Odyssey Press, Inc., 1959, p. 4.
[5] The Institute of Directors (IOD), The King Report on Corporate Governance for South Africa, 2002.
[6] IT Governance Institute, Board Briefing on IT Governance, 2nd Edition, www.itgi.org, 2003.
[7] The Sarbanes-Oxley Act (2002), 107th Congress of the United States, Washington, January 2002.
[8] IT Governance Institute, IT Control Objectives for Sarbanes-Oxley, www.itgi.org, 2004.
[9] https://www.pcisecuritystandards.org/documents/pci_dss_v2.
