INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2003
The IS Auditor's Consideration of Irregularities and Illegal Acts
By Peter Niblett, CISA, CA, MIIA, FCPA, and Sander S. Wechsler, CISA, CPA
Cynthia Cooper, the internal auditor credited with discovering the huge accounting fraud at WorldCom, is a hero. She did her job. Unfortunately, the job that she did is the least glamorous type of work in which auditors engage. Her work was not a value-added audit, and it did not identify cost savings or generate revenue for the internal audit department. Instead, it was plain old-fashioned compliance-based internal audit work. However, in light of the discoveries at Enron and WorldCom, and others elsewhere, there will be increased pressure on internal audit organizations to increase the amount of compliance audit work performed and to include procedures designed to detect irregularities or illegal acts.
To provide guidance to IS auditors, the Information Systems Audit and Control Association (ISACA) has issued an IS Auditing Guideline titled Irregularities and Illegal Acts. The guideline addresses the auditor's responsibility with regard to these issues. Professional standards always have placed a certain level of responsibility on IS auditors to identify and detect irregularities and illegal acts, but in light of recent events surrounding Enron and WorldCom, there is an increased demand on auditors to consider irregularities and illegal acts in their procedures. In fact, in a post-Enron and WorldCom environment, there undoubtedly is increased public expectation that auditors must perform procedures to detect whether irregularities or illegal acts have occurred.
Under this guidance issued by ISACA's Standards Board, IS auditors are directed to assess the risk that irregularities or illegal acts could occur. Based on that risk assessment, IS auditors are directed to perform procedures based on the level of risk that exists in an organization. Obviously, the extent, timing and nature of the procedures vary based on the type of engagement, the planned report, materiality considerations and the expected users of the report. Finally, if irregularities or illegal acts are detected, ISACA's IS Audit Guidelines provide the IS auditor with a set of procedures that should be considered when assessing whether an irregularity or illegal act has occurred and its likely impact on an organization.
Irregularities and Illegal Acts
There are many definitions and notions as to what constitutes an irregularity or illegal act. Illegal acts typically involve a violation of law or governmental regulation. As a result, various countries or jurisdictions define an illegal act differently. To avoid confusion, and to create a common platform, it is necessary to have a common definition for what constitutes an illegal act. For purposes of the guideline and this article, illegal acts are broadly defined as:
- Fraud: any act that involves the use of deception to obtain an illegal advantage
- Noncompliance with laws and regulations, including the failure of IT systems to meet the applicable laws and regulations
- Noncompliance with the organization's agreements and contracts with third parties such as banks, suppliers and vendors
- Manipulation, falsification, forgery or alteration of records or documents (whether in electronic or paper form)
- Suppression or omission of the effects of transactions from records or documents (whether in electronic or paper form)
- Recording of transactions in the financial or other records (whether in electronic or paper form) of the organization that are without substance
- Misappropriation and misuse of IS and/or non-IS assets
- Trademark, copyright and patent violations
- Errors in the financial records or other records of the organization that arise from unauthorized access to, or use of, the organization's IT systems
Irregularities, however, include illegal acts by an organization not defined above. Hence, irregularities include violations of organizational codes of conduct, ethics violations and any act not deemed to be a violation of a law or regulation.
Responsibilities of Management and the IS Auditor
It is the responsibility of management to prevent and detect irregularities and illegal acts. In carrying out this responsibility, management can use a variety of methods to reduce the risk of irregularities and illegal acts occurring. These methods include:
- Implemented internal control techniques, including policies, procedures and monitoring controls
- Implemented procedures governing employee codes of conduct
- Compliance validation and monitoring procedures
The IS auditor should understand that these methods never completely eliminate the possibility that irregularities or illegal acts may exist and can remain undetected. In most of the recent publicized cases of fraudulent financial reporting, senior financial management is accused of either being aware of or directly participating in the illegal act(s). In each of these situations, the system of internal controls and the other procedures in place were circumvented by those put in charge of the systems that were designed to detect these kinds of illegal acts. When management, particularly senior management, is involved in the irregularities or illegal acts, it is much more difficult to detect these occurrences.
It is important to remember that the IS auditor is not professionally responsible for the prevention or detection of irregularities or illegal acts. It is, however, the responsibility of management. Hence, in theory, unless there is information to the contrary, the IS auditor has no obligation to perform procedures specifically designed to detect irregularities or illegal acts. In light of recent history, auditors should assume that there is some level of irregularities or illegal acts ongoing and that the risk of irregularities and illegal acts is not zero.
IS auditors should inform management and the audit committee (or equivalent) when they identify situations where a higher degree of risk of irregularities or illegal acts occurs, even if none are detected. However, under the terms of reference for an engagement, the IS auditor may be given a specific requirement to perform procedures designed to detect irregularities or illegal acts.
During the performance of procedures, evidence may be identified that indicates that an illegal act may occur or has already occurred. While it is natural for the IS auditor to try to determine whether or not a violation of law or regulation has occurred, the question of whether an irregularity, illegal act or error has been committed and its materiality or effect on the organization is beyond the scope and responsibility of the IS auditor. Hence, the determination as to whether a particular act or acts are illegal generally is based on the advice of an informed expert qualified to practice law.
Planning and Conducting the Engagement
While the IS auditor has no explicit responsibility to detect or prevent illegal acts or irregularities, the IS auditor should design procedures to detect illegal acts or irregularities based on the assessed level of risk that irregularities or illegal acts could occur. Hence, when planning the engagement, the IS auditor should obtain an understanding of the organization's system of internal controls, including:
- Implemented internal control techniques, including policies, procedures and monitoring controls
- Implemented policies and procedures governing employee conduct
- Implemented compliance validation and monitoring procedures
- The legal and regulatory environment in which the organization operates
- The mechanism the organization uses to obtain, monitor and ensure compliance with the laws and regulations that affect the organization
The IS auditor then should perform an assessment of the risk that irregularities or illegal acts which are material to the subject matter of the report exist and are undetected by the system of internal controls. The risk assessment should consider only those factors that are relevant to the organization and the subject of the engagement, including such things as:
- Risk factors relating to irregularities or illegal acts that affect the financial accounting records
- Risk factors relating to irregularities or illegal acts that do not affect the financial records, but affect the organization
- Risk factors relating to other irregularities or illegal acts that relate to the adequacy of the organization's internal controls
The IS auditor also should consider other factors in the risk assessment process that could affect these risks, including:
- The effect of employee dissatisfaction
- Potential layoffs, outsourcing, divestiture or restructuring
- The existence of assets that are easily susceptible to misappropriation
- Poor organizational financial and/or operational performance
- Management's focus on financial and/or operational performance, including the desire to meet external revenue or earnings expectations
- Management's attitude on ethical conduct
- Irregularities and illegal acts that are common to a particular industry or have occurred in similar organizations
As part of the planning process and performance of the risk assessment, the IS auditor should make inquiries to management with regard to such issues as:
- Their understanding of the level of risk of irregularities and illegal acts in the organization
- Whether they have knowledge of irregularities and illegal acts that have occurred or could have occurred against or within the organization
- How the risk of irregularities or illegal acts is monitored, managed and controlled
The IS auditor should design procedures that take into account the identified level of risk for irregularities and illegal acts. In practice, this means that when a high risk of irregularities or illegal acts is identified, procedures designed to identify whether irregularities or illegal acts exist should be performed. As the identified level of risk increases, so should the nature, timing and extent of procedures performed. Even if the assessment of risk is low, the IS auditor should inquire of IT and user management, as appropriate, concerning compliance with laws and regulations.
The IS auditor should review the results of engagement procedures to determine whether there are indications that irregularities or illegal acts may have occurred. When this evaluation is performed, risk factors identified during planning should be reviewed against the actual procedures performed to provide reasonable assurance that all identified risks have been addressed. The evaluation also should include an assessment of the results of the procedures to determine if undocumented risk factors exist.
When Irregularities or Illegal Acts Are Detected
It is the responsibility of management to detect irregularities and illegal acts. Hence, the IS auditor's duty to investigate and report irregularities arises only in circumstances when evidence of an irregularity or illegal act is identified, either explicitly or implicitly. When the IS auditor becomes aware of information concerning a possible illegal act, the IS auditor should:
- Obtain an understanding of the nature of the act
- Understand the circumstances in which it occurred
- Obtain sufficient information to evaluate the effect of the irregularity or illegal act
- Perform additional procedures to determine the effect of the irregularity or illegal act and whether additional acts exist
The IS auditor should work with others in the organization (such as organizational security personnel), including management (at an appropriate level above those involved, if possible), to determine whether an irregularity or illegal act has occurred and its effect.
The existence of irregularities or illegal acts may come to the attention of the IS auditor during an engagement. If indications of an illegal act are identified, the IS auditor should consider the potential effect on the subject matter of the engagement, the report and the organization. The IS auditor should consult with legal counsel and other appropriate individuals within the organization when a potential irregularity or illegal act is identified, because only legal counsel can assess whether an act is truly an irregularity or illegal act.
Unless circumstances clearly indicate otherwise, the IS auditor should assume that an irregularity or illegal act is not an isolated occurrence. The IS auditor also should review applicable portions of the organization's internal controls to determine why they failed to prevent or detect the occurrence of an irregularity or illegal act. The IS auditor should reconsider the prior evaluation of the sufficiency, operation and effectiveness of the organization's internal controls. When the IS auditor has identified situations where an irregularity or illegal act exists, whether potential or in fact, he should modify the procedures performed to confirm or resolve the issue identified during the engagement. The extent of such modifications or additional procedures depends on the IS auditor's professional judgment as to the:
- Type of irregularity or illegal act that may have occurred
- Perceived risk of its occurrence
- Potential effect on the organization, including financial effects and the organization's reputation
- Likelihood of the recurrence of similar irregularities or illegal acts
- Possibility that management may have knowledge of or be involved in the irregularity or illegal act
- Actions, if any, that the governing body or management is taking
- Possibility that noncompliance with laws and regulations has occurred unintentionally
- Likelihood that a material fine or other sanction, e.g., the revocation of an essential license, may be imposed as a result of noncompliance
- Effect on the public interest that may result from the irregularity
When an irregularity involves a member of management, the IS auditor should reconsider the reliability of representations made by management. Typically, the IS auditor should work with an appropriate level of management above the one associated with the irregularity or illegal act.
Reporting
Irregularities and illegal acts vary considerably in their materiality and potential effect on the subject matter or the report. The assessment of the effect of an irregularity or illegal act should be performed in conjunction with legal counsel and organizational governance, such as the board of directors or audit committee, or management, if necessary. The assessment should consider the effect that the irregularity or illegal act has on such things as applicable agreements, contracts, laws and regulations. The potential effect that an irregularity or illegal act has on the subject matter and report varies according to the type of illegal act and the nature of the organization's operations.
Unless otherwise required, the IS auditor is responsible only to report the events and circumstances surrounding the act. It is management's responsibility, typically in consultation with legal counsel, to determine and report whether the act is in fact an irregularity or illegal act. In certain jurisdictions, the IS auditor may have further obligations that go beyond the requirements discussed above. In that case, the IS auditor also must provide reasonable assurance of compliance with any and all additional requirements.
The IS auditor should include in a report a description of the events and circumstances surrounding the irregularities or illegal acts. The findings should be reported to the appropriate levels of management higher than the one involved in the act(s). If all levels of management are involved, or if the IS auditor suspects that all levels of management are involved, then the findings should be reported first to governing bodies of the organization, such as the board of directors or governors, trustees or the audit committee. The IS auditor should use professional judgment when reporting irregularities or illegal acts. The IS auditor should discuss the findings, and the nature, timing and extent of any further procedures to be performed, with an appropriate level of management that is at least one level above the person who appears to be involved directly. In these circumstances, it is particularly important that the IS auditor maintains independence. In determining the appropriate person to whom to report irregularities or illegal acts, the IS auditor should consider all relevant circumstances, including the possibility of senior management involvement. The IS auditor should seek to avoid alerting any person who may be implicated or involved in the irregularities or illegal acts, to reduce the potential for those individuals to destroy or suppress evidence.
Notwithstanding an organization's responsibility to report illegal acts or irregularities, the IS auditor's duty of confidentiality to the organization precludes reporting any potential or identified irregularities or illegal acts. However, in certain circumstances, the IS auditor may be required to disclose irregularities or illegal acts. These include such things as:
- Compliance with legal or regulatory requirements
- External auditor requests
- Subpoena or court order
- Funding agency or government agency requirements for the audits of entities that receive governmental financial assistance
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Copyright 2003 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.
www.isaca.org
In situations where an IS auditor is required to disclose potential or identified irregularities or illegal acts, legal advice and counsel should be sought prior to complying with the request. In some jurisdictions, the IS auditor may be protected by qualified privilege. Even in situations where the IS auditor is protected by privilege, the IS auditor should seek legal advice and counsel prior to making this type of disclosure to ensure that he/she is in fact protected by this privilege. If the organization fails to disclose known irregularities or illegal acts, or requires the IS auditor to suppress these findings, the IS auditor should seek legal advice and counsel.
Proposed Guidance on Fraud
Recently, the American Institute of Certified Public Accountants issued a new audit standard on fraud that provides new guidance for external auditors in the United States. The standard does not substantially change an external auditor's responsibilities for detecting fraud in a financial statement audit. Instead, it provides additional guidance to external auditors to assist them in meeting those responsibilities. It introduces three new concepts that are beneficial to all IS auditors during the assessment of the risk of irregularities and illegal acts:
- Opportunity: circumstances that provide an opportunity to carry out an irregularity or illegal act
- Incentive/pressure: incentives or pressures on management or other employees to commit irregularities or illegal acts
- Attitude/rationalization: an attitude, character or set of values that allows one or more individuals to knowingly and intentionally commit irregularities or illegal acts
The most significant change is that it requires external auditors to assess whether or not controls put in place to reduce the risk of irregularities and illegal acts have been suitably designed and are placed in operation. This new guidance expands the requirements of external IS auditors, as there is no current requirement for IS auditors to evaluate specifically the design and operation of these types of controls. However, it is entirely possible for an IS auditor to perform this evaluation in an engagement. Due to the complex nature of this particular issue, additional guidance may need to be provided to IS auditors in meeting this proposed requirement.
Conclusion
While recent events surrounding Enron and WorldCom place additional public scrutiny on auditors to detect irregularities and illegal acts, this does not mean that IS auditors must become fraud investigators. Professional standards require IS auditors to assess the risk or the likelihood that irregularities and illegal acts may or may not occur. Based on that risk assessment, IS auditors must design procedures that are appropriate given a particular risk assessment. While increased scrutiny is being placed on IS auditors to detect irregularities and illegal acts, ultimately it is management that is responsible for their detection and prevention.
References
Irregularities and Illegal Acts, IS Auditing Guideline, 030.010.010, ISACA, effective 1 July 2002, www.isaca.org/standard/guide21.htm
Peter Niblett, CISA, CA, CIA, CPA
is a director of IT risk management at Day Neilson, a chartered accounting firm in Geelong, Victoria, Australia. He is an information systems specialist experienced in a wide range of IT systems and issues. He specializes in risk management, quality assurance and e-business and e-commerce solutions. Niblett was a member of the Audit and Assurance Standards Board (AuASB) of the Australian Accounting Research Foundation from 1999 to 2001, and is a member of ISACA's Standards Board.
Sander S. Wechsler, CISA, CPA
is the IT internal audit manager for NCR Corporation in Dayton, Ohio, USA. He worked previously at Ernst & Young LLP and BDO Seidman LLP as a senior manager. Wechsler has more than 13 years of IT audit experience. He is a past member of ISACA's Standards Board and of the AICPA Task Force responsible for the development of the SysTrust 2.0 product.