CIS-496 / I.S. Auditing

Pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong.


Business Ethics
• How do managers decide on what is right in conducting business?
• Once managers have recognized what is right, how do they achieve it?
• The necessity to have an articulate foundation for ethics and a consistent application of the ethical standards.
                         IT Auditing & Assurance, 2e, Hall &
                                                   Singleton
Basis of Ethical Standards
• Religious
• Philosophical
• Historical
• IBM: combination of all three
Ethical Issues in Business [Table 11-1]
Equity
  ◦ Exec. salaries
  ◦ Pricing
Rights
  ◦ Health (screening)
  ◦ Privacy
  ◦ Sexual harassment
  ◦ Equal opportunity
  ◦ Whistleblowing
Honesty
  ◦ Conflicts of interest
  ◦ Security of data & records
  ◦ Foreign practices [FCPA]
  ◦ Accurate F/S reporting
Exercise of Corp. Power
  ◦ PAC, and politics
  ◦ Workplace safety
  ◦ Downsizing, closures
1990 Business Roundtable
• Greater commitment of top management
• Written codes (policy) that clearly communicate standards and expectations
• Programs to implement ethical guidelines
• Techniques to monitor compliance
Boeing
  ◦ Uses line managers to lead ethics training
  ◦ Toll-free number to report violations
General Mills
  ◦ Published guidelines with vendors, competitors, customers
Johnson & Johnson
  ◦ Creed integral to its culture
  ◦ Uses surveys to ascertain compliance
SAIC
  ◦ Toll-free number, required training, separate dept.

Role of Management
• Create and maintain appropriate ethical atmosphere
• Limit the opportunity and temptation for unethical behavior
• Management needs a methodology for including lower-level managers and employees in the ethics schema
  ◦ Many times, lower-level managers responsible to uphold ethical standards
  ◦ Poor ethical standards among employees are a root cause of employee fraud and abuses
• Managers and employees both should be made aware of firm’s code of ethics
• What if management is unethical? e.g., Enron

Reported Abuses
• Typically junior employees (Wall Street Journal)
• Half of American workers believe the best way to get ahead is politics and cheating
• One-third of a group of 9,175 surveyed had stolen property and supplies from employers
• Ethics Resource Center: 1994 study
  ◦ 41% falsified reports
  ◦ 35% committed theft

Ethical Development
• Most people develop a personal code of ethics from family, formal education, and personal experience
• Go through stages of moral evolution [Figure 11-2]

Making Ethical Decisions
• Business schools can and should be involved in ethical development of future managers
• Business programs can teach students analytical techniques to use in trying to understand and properly handle a firm’s conflicting responsibilities to its employees, shareholders, customers, and the public
• Every ethical decision has risks and benefits. Balancing them is the manager’s ethical responsibility:

Ethical Principles
• Proportionality: Benefits of a decision must outweigh the risks. Choose least risky option.
• Justice: Distribute benefits of decision fairly to those who share risks. Those who do not benefit should not carry any risk.
• Minimize Risk: Minimize all risks.
The analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology.

Levels of Computer Ethics
• POP: the exposure to stories and reports in popular media
• PARA: taking a real interest in computer ethics cases and acquiring some level of skill and knowledge
• THEORETICAL: multi-disciplinary researchers who apply the theories of philosophy, sociology, and psychology to computer science, intending to bring some new understanding to the field. That is, ethics research.

A new problem or just a new twist to an old problem?

Although computer programs are a new type of asset, many believe that they should not be considered as different from other forms of property; i.e., intellectual property is the same as real property and the rights associated with real property.




1. Privacy:
   ◦ Ownership of personal information
   ◦ Policies
2. Security:
   ◦ Systems attempt to prevent fraud and abuse of computer systems, furthering the legitimate interests of firm
   ◦ Shared databases have potential to disseminate inaccurate info to authorized users
3. Ownership of Property:
   ◦ Federal copyright laws
4. Race:
   ◦ African-Americans and Hispanics constitute 20% of population but 7% of MIS professionals
5. Equity in Access:
   ◦ Some barriers are avoidable, some are not
   ◦ Factors: economic status, affluence of firm, documentation language, cultural limitations
6. Environmental Issues:
   ◦ Should firms limit non-essential hard copies?
   ◦ What is non-essential?
   ◦ Disposal of equipment and supplies (toner)
7. Artificial Intelligence:
   ◦ Who is responsible for faulty decisions from an Expert System?
   ◦ What is the extent of AI/ES in decision-making processes?
8. Unemployment & Displacement:
   ◦ Computers and technology sometimes replace jobs (catch-22, productivity)
   ◦ Some people unable to change with IT, get displaced and find it difficult to obtain new job
9. Misuse of Computer:
   ◦ Copying proprietary software
   ◦ Using a firm’s computers for personal benefit
   ◦ Snooping through firm’s files
10. Internal Control Responsibility:
   ◦ Unreliable information leads to bad decision, possible financial distress
   ◦ Management must establish and maintain a system of appropriate internal controls to ensure integrity and reliability of data (antithetical)
   ◦ IS professionals and accountants are central to adequate internal controls
The lack of ethical standards* is fundamental to the occurrence of business fraud.
No major aspect of the independent auditor’s role has caused more difficulty for public accounting than the responsibility for detection of fraud during an audit. [article]
This issue has gathered momentum outside the accounting profession to the point where the profession faces a crisis in public confidence in its ability to perform independent attest functions. [SAS 82]

Fraud denotes a false representation of a material fact made by one party to another party with the intent to deceive and induce the other party to justifiably rely on the fact to his/her detriment, i.e., his/her injury or loss.
Synonyms: White-collar crime, defalcation, embezzlement, irregularities.
A fraudulent act must meet the following 5 conditions:

1. False representation
2. Material fact
3. Intent
4. Justifiable reliance
5. Injury or loss



Asset misappropriation fraud
  1. Stealing something of value – usually cash or inventory (i.e., asset theft)
  2. Converting asset to usable form
  3. Concealing the crime to avoid detection
  4. Usually, perpetrator is an employee

Financial fraud
  1. Does not involve direct theft of assets
  2. Often objective is to obtain higher stock price (i.e., financial fraud)
  3. Typically involves misstating financial data to gain additional compensation, promotion, or escape penalty for poor performance
  4. Often escapes detection until irreparable harm has been done
  5. Usually, perpetrator is executive management

Corruption fraud
  1. Bribery, etc.

• Fraudulent financial statements {5%}
• Corruption {10%}
  ◦ Bribery
  ◦ Illegal gratuities
  ◦ Conflicts of interest
  ◦ Economic extortion
• Asset misappropriation {85%}
  ◦ Charges to expense accounts
  ◦ Lapping
  ◦ Kiting
  ◦ Transaction fraud
Employee Theft

  1) Theft of asset
  2) Conversion of asset (to cash, to fraudster)
  3) Concealment of fraud



Special Characteristics:

  1. Perpetrated at levels of management above the one where internal controls relate
  2. Frequently involves using the financial statements to create false image of corporate financial health
  3. If fraud involves misappropriation of assets, it frequently is shrouded in a complex maze of business transactions, and often involves third parties. [e.g., ZZZZ Best fraud]


• People engage in fraudulent activities as a result of forces within the individual (their ethical system) and without (from temptation and/or stress from the external environment)
  1. Situational Pressures
  2. Opportunity
  3. Rationalization
• A person with a high level of personal ethics and limited pressure and opportunity to commit fraud is most likely to behave honestly [Figure 11-2]
• A person with low level of integrity, and moderate to high pressures, and moderate to high opportunity is most likely to commit fraud
• Auditors can develop a “red flag” checklist to detect possible fraudulent activity
• A questionnaire approach could be used to help auditors uncover motivations for fraud
Do key executives have unusually high personal debt?
Do key executives appear to be living beyond their means?
Do key executives engage in habitual gambling?
Do key executives appear to abuse alcohol or drugs?
Do key executives appear to lack personal codes of ethics?
Do key executives appear to be unstable (e.g., frequent job or residence changes, mental or emotional problems)?
Are economic conditions unfavorable within the company’s industry?
Does the company use several different banks, none of which sees the company’s entire financial picture?
Do key executives have close associations with suppliers?
Do key executives have close associations with members of the Audit Committee or Board?
Is the company experiencing a rapid turnover of key employees, either through quitting or being fired?
Do one or two individuals dominate the company?
Does anyone never take a vacation?
   1996, 2002, and 2004 study by Association of CFE (“Report to the
    Nation”) estimated losses from fraud and abuse at 6% of annual
    revenues! Based on GDP in 2002, that would be $600B, and in
    2004 $660B in losses.
   Actual cost is difficult to quantify because:
    1. All fraud is not detected
    2. Of ones detected, not all are reported
    3. In many cases, incomplete information is gathered
    4. Information is not properly distributed to management or law
        enforcement authorities
    5. Too often, business organizations decide to take no civil or
        criminal action against the perpetrator of fraud
   Organizations with 100 or fewer employees were the most
    vulnerable to fraud
     SEC fraud violations reported in COSO “Landmark Study” 1998
Profile of perpetrator:
  ◦ By position – Table 11-3
  ◦ By gender – Table 11-5
  ◦ By age – Table 11-6
  ◦ By Education – Table 11-7
  ◦ Conclusions about profile? Fraudsters do not look like crooks!
Collusion – Table 11-4
  1. Significant reason to adhere to segregation of duties
  2. Risks associated with a key position held by a trusted employee who unknowingly has weak ethics
• Lack of auditor independence
• Lack of director independence
• Questionable executive compensation schemes
• Inappropriate accounting practices




• PCAOB
• Auditor independence
  ◦ List of services considered non-independent
• Corporate governance
• Issuer and management disclosure
• Fraud and criminal penalties


• Fraud auditors
• Forensic accountants
• Association of Certified Fraud Examiners
  ◦ Certified Fraud Examiner certification – http://www.acfe.org

Forensic Accounting
• Investigation
• Evidence for court
• Litigation
• CFE – Association of Certified Fraud Examiners
• See newsletter sample at ACFE web site
Professor’s Note:
I have incorporated material from other
sources into this presentation to include
ethical issues.




Culture Helps Determine Laws and Ethical Standards




Chapter 15   Forensic and Investigative Accounting                27
Ethical Principles


• Golden rule: Do unto others as you would have them do unto you

• Immanuel Kant’s categorical imperative: If an action is not right for everyone to take, then it is not right for anyone



Ethical Principles

• Descartes’ rule of change: If an action cannot be taken repeatedly, then it is not right to be taken at any time

• Utilitarian principle: Put values in rank order and understand consequences of various courses of action



Ethical Principles

• Risk aversion principle: Take the action that produces the least harm or incurs the least cost

• Ethical “no free lunch” rule: All tangible and intangible objects are owned by creator who wants compensation for the work



Information Rights: Privacy and Freedom in the Internet Age

• Privacy: Claim of individuals to be left alone, free from surveillance or interference from other individuals, organizations, or the state

• Fair information practices: Set of principles governing the collection and use of information on the basis of U.S. and European privacy laws


U.S. Federal Privacy Laws
General Federal Privacy Laws
• Freedom of Information Act, 1968
• Privacy Act of 1974
• Electronic Communications Privacy Act of 1986
• Computer Matching and Privacy Protection Act of 1988
• Computer Security Act of 1987
• Federal Managers Financial Integrity Act of 1982



Communications with Children

• Children’s Online Privacy Protection Act of 1998 (COPPA)
  ◦ Provides restrictions on data collection that must be followed by electronic commerce sites aimed at children
  ◦ Requires schools that receive federal funds to install filtering software on computers




Sanrio’s Approach to COPPA Compliance




Ethical Issues (continued)

• Principles for handling customer data
  ◦ Use data collected to provide improved customer service
  ◦ Do not share customer data with others outside your company without the customer’s permission
  ◦ Tell customers what data you are collecting and what you are doing with it
  ◦ Give customers the right to have you delete any of the data you have collected about them




Ethical Issues

• Under what conditions should the privacy of others be invaded?

• What legitimizes intruding into others’ lives through unobtrusive surveillance, through market research, or by whatever means?




Ethical Issues

• Do we have to inform people that we are eavesdropping?

• Do we have to inform people that we are using credit history information for employment screening purposes?




Property Rights: Intellectual Property

• Intellectual property: Intangible creations protected by law

• Trade secret: Intellectual work or product belonging to business, not in public domain




Property Rights: Intellectual Property

• Copyright: Statutory grant protecting intellectual property from getting copied for 28 years

• Patents: Legal document granting the owner an exclusive monopoly on the ideas behind an invention for 20 years




Web Site Content Issues

• Fair use of a copyrighted work
  ◦ Includes copying it for use in criticism, comment, news reporting, teaching, or research

• Vicarious copyright infringement
  ◦ Entity becomes liable if
    - It is capable of supervising infringing activity
    - Obtains financial benefit from infringing activity



Domain Names, Cybersquatting, and Name Stealing (continued)

• U.S. Anticybersquatting Consumer Protection Act (ACPA)
  ◦ Protects trademarked names from being registered as domain names by other parties
  ◦ Parties found guilty of cybersquatting can be held liable for damages of up to $100,000 per trademark



Defamation

• Defamatory statement
  ◦ Statement that is false and injures the reputation of another person or company
• Product disparagement
  ◦ If a defamatory statement injures the reputation of a product or service instead of a person
• Per se defamation
  ◦ Court deems some types of statements to be so negative that injury is assumed



Deceptive Trade Practices

• Federal Trade Commission
  ◦ Regulates advertising in the United States
  ◦ Publishes regulations and investigates claims of false advertising
  ◦ Provides policy statements
  ◦ Policies cover specific areas such as
    - Bait advertising
    - Consumer lending and leasing
    - Endorsements and testimonials




Federal Statutes Related to Cybercrimes
• 18 U.S.C. 1029 – Fraud and Related Activity in Connection with Access Devices
• 18 U.S.C. 1030 – Fraud and Related Activity in Connection with Computers
• 18 U.S.C. 2701 – Unlawful Access to Stored Communications

USA Patriot Act of 2001
• The USA Patriot Act has strengthened U.S. cyber laws and expanded cybercrime definitions.
• Under the Act, an activity covered by the law is considered a crime if it causes a loss exceeding $5,000, impairment of medical records, harm to a person, or threat to public safety.




USA Patriot Act of 2001
• Amendments made by the Act make it easier for an Internet service provider (ISP) to make disclosures about unlawful customer actions without the threat of civil liability to the ISP.
• Another revision made by the Act provides that victims of hackers can request law enforcement help in monitoring trespassers on their computer systems.



Controlling the Assault of Non-Solicited Pornography and Marketing Act
• Establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them.




• It bans false or misleading header information.
• It prohibits deceptive subject lines.
• It requires that your email give recipients an opt-out method.
• It requires that commercial email be identified as an advertisement and include the sender's valid physical postal address.
• Report Violations to 1-877-FTC-HELP



				