IT Governance, Risk, and Compliance


July 1, 2013  2:02 AM

Government-Audit Convergence Part VII

Robert Davis

Technology deployment and the associated management information systems can provide a competitive advantage as well as increased control requirements. Legal noncompliance risks are an irrefutable fact, with consequences ranging from significant financial penalties to damage to an entity’s reputation. IT auditors are indirectly, if not directly, an entity control mechanism assuring that mandated compliance expectations are adequately addressed by management. In one form or another, ensuring legal compliance serves as a significant information security audit objective for most entities. The number of IAP-related laws and regulations affecting compliance expectations amplifies the criticality of information security.

Source:

Bakman, Alex. “If Compliance Is So Critical, Why Are We Still Failing Audits? How to Minimize Failure and Make the Audit Process Easier.” Information Systems Control Journal, vol. 5 (2007).

Generally Accepted Information Security Principles Committee. GAISP V3.0. N.p.: Information Systems Security Association, 2004.

June 28, 2013  6:10 AM

Government-Audit Convergence Part VI

Robert Davis

The most common influences of laws and regulations on audit practice are evidence collection and preservation. Where legal compliance audits are decreed, if an illegal act is suspected, IT auditors must ensure evidentiary legal mandates are satisfied in order to provide authorities with untainted items for prosecuting alleged perpetrators. Additionally, when an IT auditor is performing audits on an international scale, understanding the various evidentiary requirements can become critical to a professional audit practice. Under most circumstances, reflecting ISACA’s standard for Irregularities and Illegal Acts, audit evidence available to the IT auditor during an IAP legal compliance audit should be persuasive in nature rather than conclusive for demonstrating due diligence.

Source:

ISACA. “Irregularities and Illegal Acts.” In Information Systems Standards, Guidelines, and Procedures for Auditing and Control Professionals. Rolling Meadows, IL: ISACA, September 2005. http://www.isaca.org/AMTemplate.cfm?Section=Standards2&Template=/ContentManagement/ContentDisplay.cfm&ContentID=40571 (accessed May 3, 2008).


June 23, 2013  10:47 PM

Government-Audit Convergence Part V

Robert Davis

Accountability is responsibility for performance against agreed-upon expectations, whether stated or implied. Professionally, an IT auditor should exercise due caution against disclosing information acquired in the course of an engagement to any person other than the entity’s duly appointed representatives, without consent or unless required by a statute in force at the time. An IT auditor “should always keep in view the various regulatory and statutory issues applicable” to the entity being audited, to provide reasonable assurance of compliance with information disclosure mandates. For example, IT auditors should disclose IAP-related information as required by law and, where appropriate, with client consent.

Source:

ISACA. “Responsibility, Authority and Accountability.” In Information Systems Standards, Guidelines, and Procedures for Auditing and Control Professionals. Rolling Meadows, IL: ISACA, March 2006. http://www.isaca.org/AMTemplate.cfm?Section=Standards2&Template=/ContentManagement/ContentDisplay.cfm&ContentID=40571 (accessed May 3, 2008).


June 21, 2013  5:02 PM

Government-Audit Convergence Part IV

Robert Davis

Regarding laws and regulations, when professional standards are applied to compliance engagements, an IT auditor has the right to believe that management has established appropriate controls to prevent, deter and detect illegal acts, unless tests and evaluations carried out by the IT auditor prove otherwise. Furthermore, IT auditors should forgo the use of unlicensed tools and software when conducting IAP audit assignments.

Source:

ISACA. “Responsibility, Authority and Accountability.” In Information Systems Standards, Guidelines, and Procedures for Auditing and Control Professionals. Rolling Meadows, IL: ISACA, March 2006. http://www.isaca.org/AMTemplate.cfm?Section=Standards2&Template=/ContentManagement/ContentDisplay.cfm&ContentID=40571 (accessed May 3, 2008).


June 17, 2013  1:31 AM

Government-Audit Convergence Part III

Robert Davis

Professional prudence dictates that legal mandates affecting IT-IAP audit practice areas should be thoroughly understood by audit team members before proceeding with fieldwork. Specifically, IT auditors “should review compliance with applicable statutory laws, regulations as well as contracts and, where applicable, seek legal guidance” when participating in an IAP-related audit. Therefore, through preliminary discussions with a practicing attorney, an IT auditor should acquire sufficient knowledge to identify indicators of illegal acts. However, an IT auditor should not be expected to have the expertise of individuals whose primary responsibility is detecting and investigating illegal acts.

Source:

ISACA. “Professional Competence.” In Information Systems Standards, Guidelines, and Procedures for Auditing and Control Professionals. Rolling Meadows, IL: ISACA, January 2005. http://www.isaca.org/AMTemplate.cfm?Section=Standards2&Template=/ContentManagement/ContentDisplay.cfm&ContentID=40571 (accessed May 3, 2008).

ISACA. “Responsibility, Authority and Accountability.” In Information Systems Standards, Guidelines, and Procedures for Auditing and Control Professionals. Rolling Meadows, IL: ISACA, March 2006. http://www.isaca.org/AMTemplate.cfm?Section=Standards2&Template=/ContentManagement/ContentDisplay.cfm&ContentID=40571 (accessed May 3, 2008).


June 15, 2013  5:19 PM

Government-Audit Convergence Part II

Robert Davis

Government-sponsored laws and regulations can influence auditor conduct and impose IT audit practice requirements. Therefore, applying ISACA’s Professional Ethics and Standards, an IT auditor “should maintain the highest degree of integrity and conduct, and not adopt any methods that could be seen as unlawful, unethical or unprofessional to obtain or execute audit assignments.” Considering ISACA’s assurance service standard for avoiding transgressions of government-imposed mandates by general members and certified individuals, practicing IT auditors should sustain currency with applicable information assets protection (IAP) related laws and regulations.

Source:

U.S. GAO. Government Auditing Standards. Rev. ed. Washington, DC: Government Printing Office, 2007. http://www.gao.gov/govaud/d07162g.pdf (accessed April 21, 2008).


June 10, 2013  2:30 AM

Government-Audit Convergence Part I

Robert Davis

Generally, audit has a responsibility for ensuring that (1) independence and objectivity are maintained in all phases of assignments, (2) professional judgment is utilized in planning approaches, performing procedures, and reporting results of engagements, (3) work is conducted by personnel who are professionally competent and collectively have the necessary skills and knowledge, and (4) an independent peer review is periodically performed resulting in an opinion issued as to whether the audit quality control system is designed and operated to provide reasonable assurance of conforming with professional standards as well as legal mandates.

Source:

U.S. GAO. Government Auditing Standards. Rev. ed. Washington,  DC: Government Printing Office, 2003. http://www.gao.gov/govaud/d07162g.pdf (accessed April 21, 2008).


June 7, 2013  4:20 AM

Revisiting the Safeguarding of Information Assets – Part XXII

Robert Davis

An entity in a multiple-compliance scenario may benefit by developing a centralized oversight function that evaluates controls across all compliance arenas, interfaces with auditors for each compliance area and provides direction on the most cost-effective controls that maximize total compliance benefit.


June 3, 2013  3:16 AM

Revisiting the Safeguarding of Information Assets – Part XXI

Robert Davis

Generally, there are three main dimensions to jurisdiction decisions: procedural, substantive, and enforcement issues. Procedural jurisdiction considers which court or state has the proper authority. Substantive jurisdiction determines which rules should be applied. Enforcement jurisdiction addresses how court decisions should be implemented. The principal criteria employed when establishing jurisdiction in particular cases are:

  • Personal Link – normally considered as the state’s right to govern its citizens wherever they might be located;
  • Territorial Link – generally presented as the state’s right to govern persons and property within its geographical domain;
  • Effects Link – usually defined as the state’s right to rule on the economic and legal outcomes regarding a particular territory, stemming from activities conducted elsewhere.

Source:

Gelbstein, Ed and Jovan Kurbalija. Internet Governance: Issues, Actors and Divides. Geneva: DiploFoundation and Global Knowledge Partnership, 2005. http://textus.diplomacy.edu/textusbin/env/scripts/Pool/GetBin.asp?IDPool=641 (accessed April 21, 2008).


June 1, 2013  1:43 AM

Revisiting the Safeguarding of Information Assets – Part XX

Robert Davis

International jurisdiction is based predominantly on the geographical division of the world into national territories. Within these geographical divisions, each established government has the sovereign right to exercise magistracy over its territory. However, upon detection of an illegal act, if a citizen of one country commits an IT-related crime in another country, problems may arise when the perpetrator is residing in their home country at the time the violation is discovered. For instance, when attempting to convict computer-related crime suspects, many countries resist extraditing their nationals. In such situations, feasible legal strategies include extending existing rules on extraterritorial jurisdiction or changing the venue of proceedings, with a view to creating the prerequisites for successful prosecution in at least one jurisdiction linked to the illegal act. Collaboratively, mutual assistance agreements, extradition laws, recognition and reciprocity provisions, transfers of legal proceedings and other international cooperation in matters relating to IAP may help resolve extraterritorial jurisdictional issues during violation investigations, the apprehension of perpetrators and court appearances.

Source:

Generally Accepted Information Security Principles Committee. GAISP V3.0. N.p.: Information Systems Security Association, 2004.
