
Information Systems Control Journal, Volume 3, 2003

The IS Auditor's Consideration of Irregularities and Illegal Acts

By Peter Niblett, CISA, CA, MIIA, FCPA, and Sander S. Wechsler, CISA, CPA

Cynthia Cooper, the internal auditor credited with discovering the huge accounting fraud at WorldCom, is a hero. She did her job. Unfortunately, the job that she did is the least glamorous type of work in which auditors engage. Her work was not a value-added audit, and it did not identify cost savings or generate revenue for the internal audit department. Instead, it was plain old-fashioned compliance-based internal audit work. However, in light of the discoveries at Enron and WorldCom, and others elsewhere, there will be increased pressure on internal audit organizations to increase the amount of compliance audit work performed and to include procedures designed to detect irregularities or illegal acts.

To provide guidance to IS auditors, the Information Systems Audit and Control Association (ISACA) has issued an IS Auditing Guideline titled Irregularities and Illegal Acts. The guideline addresses the auditor's responsibility with regard to these issues. Professional standards always have placed a certain level of responsibility on IS auditors to identify and detect irregularities and illegal acts, but in light of recent events surrounding Enron and WorldCom, there is an increased demand on auditors to consider irregularities and illegal acts in their procedures. In fact, in a post-Enron and WorldCom environment, there undoubtedly is increased public expectation that auditors must perform procedures to detect whether irregularities or illegal acts have occurred.

Under this guidance issued by ISACA's Standards Board, IS auditors are directed to assess the risk that irregularities or illegal acts could occur. Based on that risk assessment, IS auditors are directed to perform procedures based on the level of risk that exists in an organization. Obviously, the extent, timing and nature of the procedures vary based on the type of engagement, the planned report, materiality considerations and the expected users of the report. Finally, if irregularities or illegal acts are detected, ISACA's IS Audit Guidelines provide IS auditors with a set of procedures that should be considered when assessing whether an irregularity or illegal act has occurred and its likely impact on an organization.

Irregularities and Illegal Acts

There are many definitions and notions as to what constitutes an irregularity or illegal act. Illegal acts typically involve a violation of law or governmental regulation. As a result, various countries or jurisdictions define an illegal act differently. To avoid confusion, and to create a common platform, it is necessary to have a common definition for what constitutes an illegal act. For purposes of the guideline and this article, illegal acts are broadly defined as:

• Fraud: any act that involves the use of deception to obtain an illegal advantage
• Noncompliance with laws and regulations, including the failure of IT systems to meet the applicable laws and regulations
• Noncompliance with the organization's agreements and contracts with third parties such as banks, suppliers and vendors
• Manipulation, falsification, forgery or alteration of records or documents (whether in electronic or paper form)
• Suppression or omission of the effects of transactions from records or documents (whether in electronic or paper form)
• Recording of transactions in the financial or other records (whether in electronic or paper form) of the organization that are without substance
• Misappropriation and misuse of IS and/or non-IS assets
• Trademark, copyright and patent violations
• Errors in the financial records or other records of the organization that arise from unauthorized access to, or use of, the organization's IT systems

Irregularities, however, also include acts by an organization that are not defined above as illegal acts. Hence, irregularities include violations of organizational codes of conduct, ethics violations and any act not deemed to be a violation of a law or regulation.

Responsibilities of Management and the IS Auditor

It is the responsibility of management to prevent and detect irregularities and illegal acts. In carrying out this responsibility, management can use a variety of methods to reduce the risk of irregularities and illegal acts occurring. These methods include:

• Implemented internal control techniques, including policies, procedures and monitoring controls
• Implemented procedures governing employee codes of conduct
• Compliance validation and monitoring procedures

The IS auditor should understand that these methods never completely eliminate the possibility that irregularities or illegal acts may exist and can remain undetected. In most of the recent publicized cases of fraudulent financial reporting, senior financial management is accused of either being aware of or directly participating in the illegal act(s). In each of these situations, the system of internal controls and the other procedures in place were circumvented by those put in charge of the systems that were designed to detect these kinds of illegal acts. When management, particularly senior management, is involved in the irregularities or illegal acts, it is much more difficult to detect these occurrences.

Copyright 2003 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

It is important to remember that the IS auditor is not professionally responsible for the prevention or detection of irregularities or illegal acts. It is, however, the responsibility of management. Hence, in theory, unless there is information to the contrary, the IS auditor has no obligation to perform procedures specifically designed to detect irregularities or illegal acts. In light of recent history, auditors should assume that there is some level of irregularities or illegal acts ongoing and that the risk of irregularities and illegal acts is not zero. IS auditors should inform management and the audit committee (or equivalent) when they identify situations where a higher degree of risk of irregularities or illegal acts occurs, even if none are detected. However, under the terms of reference for an engagement, the IS auditor may be given a specific requirement to perform procedures designed to detect irregularities or illegal acts.

During the performance of procedures, evidence may be identified that indicates that an illegal act may occur or has already occurred. While it is natural for the IS auditor to try to determine whether or not a violation of law or regulation has occurred, the question of whether an irregularity, illegal act or error has been committed and its materiality or effect on the organization is beyond the scope and responsibility of the IS auditor. Hence, the determination as to whether a particular act or acts are illegal generally is based on the advice of an informed expert qualified to practice law.

Planning and Conducting the Engagement

While the IS auditor has no explicit responsibility to detect or prevent illegal acts or irregularities, the IS auditor should design procedures to detect illegal acts or irregularities based on the assessed level of risk that irregularities or illegal acts could occur. Hence, when planning the engagement, the IS auditor should obtain an understanding of the organization's system of internal controls, including:

• Implemented internal control techniques, including policies, procedures and monitoring controls
• Implemented policies and procedures governing employee conduct
• Implemented compliance validation and monitoring procedures
• The legal and regulatory environment in which the organization operates
• The mechanism the organization uses to obtain, monitor and ensure compliance with the laws and regulations that affect the organization

The IS auditor then should perform an assessment of the risk that irregularities or illegal acts which are material to the subject matter of the report exist and are undetected by the system of internal controls. The risk assessment should consider only those factors that are relevant to the organization and the subject of the engagement, including such things as:

• Risk factors relating to irregularities or illegal acts that affect the financial accounting records
• Risk factors relating to irregularities or illegal acts that do not affect the financial records, but affect the organization
• Risk factors relating to other irregularities or illegal acts that relate to the adequacy of the organization's internal controls

The IS auditor also should consider other factors in the risk assessment process that could affect these risks, including:

• The effect of employee dissatisfaction
• Potential layoffs, outsourcing, divestiture or restructuring
• The existence of assets that are easily susceptible to misappropriation
• Poor organizational financial and/or operational performance
• Management's focus on financial and/or operational performance, including the desire to meet external revenue or earnings expectations
• Management's attitude on ethical conduct
• Irregularities and illegal acts that are common to a particular industry or have occurred in similar organizations

As part of the planning process and performance of the risk assessment, the IS auditor should make inquiries of management with regard to such issues as:

• Their understanding of the level of risk of irregularities and illegal acts in the organization
• Whether they have knowledge of irregularities and illegal acts that have occurred or could have occurred against or within the organization
• How the risk of irregularities or illegal acts is monitored, managed and controlled

The IS auditor should design procedures that take into account the identified level of risk for irregularities and illegal acts. In practice, this means that when a high risk of irregularities or illegal acts is identified, procedures designed to identify whether irregularities or illegal acts exist should be performed. As the identified level of risk increases, so should the nature, timing and extent of procedures performed. Even if the assessment of risk is low, the IS auditor should inquire of IT and user management, as appropriate, concerning compliance with laws and regulations.

The IS auditor should review the results of engagement procedures to determine whether there are indications that irregularities or illegal acts may have occurred. When this evaluation is performed, risk factors identified during planning should be reviewed against the actual procedures performed to provide reasonable assurance that all identified risks have been addressed. The evaluation also should include an assessment of the results of the procedures to determine if undocumented risk factors exist.

When Irregularities or Illegal Acts Are Detected

It is the responsibility of management to detect irregularities and illegal acts. Hence, the IS auditor's duty to investigate and report irregularities arises only in circumstances when evidence of an irregularity or illegal act is identified, either explicitly or implicitly. When the IS auditor becomes aware of information concerning a possible illegal act, the IS auditor should:

• Obtain an understanding of the nature of the act
• Understand the circumstances in which it occurred
• Obtain sufficient information to evaluate the effect of the irregularity or illegal act
• Perform additional procedures to determine the effect of the irregularity or illegal act and whether additional acts exist

The IS auditor should work with others in the organization (such as organizational security personnel), including management (at an appropriate level above those involved, if possible), to determine whether an irregularity or illegal act has occurred and its effect.

The existence of irregularities or illegal acts may come to the attention of the IS auditor during an engagement. If indications of an illegal act are identified, the IS auditor should consider the potential effect on the subject matter of the engagement, the report and the organization. The IS auditor should consult with legal counsel and other appropriate individuals within the organization when a potential irregularity or illegal act is identified, because only legal counsel can assess whether an act is truly an irregularity or illegal act.

Unless circumstances clearly indicate otherwise, the IS auditor should assume that an irregularity or illegal act is not an isolated occurrence. The IS auditor also should review applicable portions of the organization's internal controls to determine why they failed to prevent or detect the occurrence of an irregularity or illegal act. The IS auditor should reconsider the prior evaluation of the sufficiency, operation and effectiveness of the organization's internal controls. When the IS auditor has identified situations where an irregularity or illegal act exists, whether potential or in fact, he should modify the procedures performed to confirm or resolve the issue identified during the engagement. The extent of such modifications or additional procedures depends on the IS auditor's professional judgment as to the:

• Type of irregularity or illegal act that may have occurred
• Perceived risk of its occurrence
• Potential effect on the organization, including financial effects and the organization's reputation
• Likelihood of the recurrence of similar irregularities or illegal acts
• Possibility that management may have knowledge of or be involved in the irregularity or illegal act
• Actions, if any, that the governing body or management is taking
• Possibility that noncompliance with laws and regulations has occurred unintentionally
• Likelihood that a material fine or other sanction, e.g., the revocation of an essential license, may be imposed as a result of noncompliance
• Effect on the public interest that may result from the irregularity

When an irregularity involves a member of management, the IS auditor should reconsider the reliability of representations made by management. Typically, the IS auditor should work with an appropriate level of management above the one associated with the irregularity or illegal act.

Reporting

Irregularities and illegal acts vary considerably in their materiality and potential effect on the subject matter or the report. The assessment of the effect of an irregularity or illegal act should be performed in conjunction with legal counsel and organizational governance, such as the board of directors or audit committee, or management, if necessary. The assessment should consider the effect that the irregularity or illegal act has on such things as applicable agreements, contracts, laws and regulations. The potential effect that an irregularity or illegal act has on the subject matter and report varies according to the type of illegal act and the nature of the organization's operations.

Unless otherwise required, the IS auditor is responsible only to report the events and circumstances surrounding the act. It is management's responsibility, typically in consultation with legal counsel, to determine and report whether the act is in fact an irregularity or illegal act. In certain jurisdictions, the IS auditor may have further obligations that go beyond the requirements discussed above. In that case, the IS auditor also must provide reasonable assurance of compliance with any and all additional requirements.

The IS auditor should include in a report a description of the events and circumstances surrounding the irregularities or illegal acts. The findings should be reported to the appropriate levels of management higher than the one involved in the act(s). If all levels of management are involved, or if the IS auditor suspects that all levels of management are involved, then the findings should be reported first to governing bodies of the organization, such as the board of directors or governors, trustees or the audit committee. The IS auditor should use professional judgment when reporting irregularities or illegal acts. The IS auditor should discuss the findings, and the nature, timing and extent of any further procedures to be performed, with an appropriate level of management that is at least one level above the person who appears to be involved directly. In these circumstances, it is particularly important that the IS auditor maintains independence. In determining the appropriate person to whom to report irregularities or illegal acts, the IS auditor should consider all relevant circumstances, including the possibility of senior management involvement. The IS auditor should seek to avoid alerting any person who may be implicated or involved in the irregularities or illegal acts, to reduce the potential for those individuals to destroy or suppress evidence.

Notwithstanding an organization's responsibility to report illegal acts or irregularities, the IS auditor's duty of confidentiality to the organization precludes reporting any potential or identified irregularities or illegal acts to parties outside the organization. However, in certain circumstances, the IS auditor may be required to disclose irregularities or illegal acts. These include such things as:

• Compliance with legal or regulatory requirements
• External auditor requests
• Subpoena or court order
• Funding agency or government agency requests, in accordance with requirements for the audits of entities that receive governmental financial assistance


In situations where an IS auditor is required to disclose potential or identified irregularities or illegal acts, legal advice and counsel should be sought prior to complying with the request. In some jurisdictions, the IS auditor may be protected by qualified privilege. Even in situations where the IS auditor is protected by privilege, the IS auditor should seek legal advice and counsel prior to making this type of disclosure to ensure that he/she is in fact protected by this privilege. If the organization fails to disclose known irregularities or illegal acts, or requires the IS auditor to suppress these findings, the IS auditor should seek legal advice and counsel.

Proposed Guidance on Fraud

Recently, the American Institute of Certified Public Accountants issued a new audit standard on fraud that provides new guidance for external auditors in the United States. The standard does not substantially change an external auditor's responsibilities for detecting fraud in a financial statement audit. Instead, it provides additional guidance to external auditors to assist them in meeting those responsibilities. It introduces three new concepts that are beneficial to all IS auditors during the assessment of the risk of irregularities and illegal acts:

• Opportunity: circumstances that provide an opportunity to carry out an irregularity or illegal act
• Incentive/pressure: incentives or pressures on management or other employees to commit irregularities or illegal acts
• Attitude/rationalization: an attitude, character or set of values that allows one or more individuals to knowingly and intentionally commit irregularities or illegal acts

The most significant change is that it requires external auditors to assess whether or not controls put in place to reduce the risk of irregularities and illegal acts have been suitably designed and are placed in operation. This new guidance expands the requirements of external IS auditors, as there is no current requirement for IS auditors to evaluate specifically the design and operation of these types of controls. However, it is entirely possible for an IS auditor to perform this evaluation in an engagement. Due to the complex nature of this particular issue, additional guidance may need to be provided to IS auditors in meeting this proposed requirement.

Conclusion

While recent events surrounding Enron and WorldCom place additional public scrutiny on auditors to detect irregularities and illegal acts, it does not mean that IS auditors must become fraud investigators. Professional standards require IS auditors to assess the risk or the likelihood that irregularities and illegal acts may or may not occur. Based on that risk assessment, IS auditors must design procedures that are appropriate given the particular risk assessment. While increased scrutiny is being placed on IS auditors to detect irregularities and illegal acts, ultimately it is management that is responsible for their detection and prevention.

References

Irregularities and Illegal Acts, IS Auditing Guideline 030.010.010, ISACA, effective 1 July 2002, www.isaca.org/standard/guide21.htm

Peter Niblett, CISA, CA, CIA, CPA
is a director of IT risk management at Day Neilson, a chartered accounting firm in Geelong, Victoria, Australia. He is an information systems specialist experienced in a wide range of IT systems and issues. He specializes in risk management, quality assurance and e-business and e-commerce solutions. Niblett was a member of the Audit and Assurance Standards Board (AuASB) of the Australian Accounting Research Foundation from 1999 to 2001, and is a member of ISACA's Standards Board.

Sander S. Wechsler, CISA, CPA
is the IT internal audit manager for NCR Corporation in Dayton, Ohio, USA. He worked previously at Ernst & Young LLP and BDO Seidman LLP as a senior manager. Wechsler has more than 13 years of IT audit experience. He is a past member of ISACA's Standards Board and of the AICPA Task Force responsible for the development of the SysTrust 2.0 product.