
Published by Robert E. Davis at Smashwords
Copyright 2009 Robert E. Davis, MBA, CISA, CICA. All rights reserved.
Smashwords Edition, License Notes
This ebook is licensed for your personal enjoyment only. This ebook may not be re-sold or given away to other people. If you would like to share this book with another person, please purchase an additional copy for each recipient. If you’re reading this book and did not purchase it, or it was not purchased for your use only, then please return to Smashwords.com and purchase your own copy. Thank you for respecting the hard work of this author.
Preface
Laws continue to be enacted, and the regulatory environment has become more complex due to unacceptable conduct remediation. Consequently, entities continue to be compelled to demonstrate compliance with legal mandates through documented assurance assessments.
The migration from manual to IT generated information has resulted in verdicts and judgments where liability, guilt, or innocence are based solely or largely on electronically encoded evidence. Reliance on IT generated information as evidence raises issues and challenges from a management perspective that must be addressed through effective governance and audit.
“Assuring IT Legal Compliance” was written with the intent to create quality quick-reference material for assurance service practitioners. Therefore, this pocket guide is appropriate for entity employees interested in ensuring, or verifying, IT legal compliance in any industry or geographic location. As for content, Audit Managers, Chief Compliance Officers, Chief Information Officers, Chief Information Security Officers, Auditors, Information Security professionals, and Control Self Assessment personnel will find this pocket guide an informative and authoritative IT legal compliance document.
About the Author
Robert E. Davis, MBA, CISA, CICA obtained a Bachelor of Business Administration degree in Accounting and Business Law and a Master of Business Administration degree in Management Information Systems from Temple University and West Chester University, respectively. During his twenty years of involvement in education, Robert acquired Postgraduate and Professional Technical licenses in Computer Science and Computer Systems Technology. Robert also obtained the Certified Information Systems Auditor (CISA) certificate after passing the 1988 Information Systems Audit and Control Association’s rigorous three hundred and fifty multiple-choice question examination, and was conferred the Certified Internal Controls Auditor (CICA) certificate by the Institute for Internal Controls.
Since starting his career as an information systems (IS) auditor, Robert has provided data security consulting and IS auditing services to the United States Securities and Exchange Commission, United States Enrichment Corporation, Raytheon Company, United States Interstate Commerce Commission, Dow Jones & Company and Fidelity/First Fidelity (Wachovia) corporations, as well as other organizations, in staff through management positions.
Prior to engaging in the practice of IS auditing and information security consulting, Robert (as a corporate employee) provided inventory as well as general accounting services to Philip Morris, USA and general accounting services to Philadelphia National Bank (Wachovia). Furthermore, he has prior experience as a freelance writer of IT audit and information security training material. Specifically, his published credits include:
Pleier Corporation
• IT Auditing: An Adaptive Process
• IT Auditing: Assuring Information Assets Protection
• IT Auditing: Information Assets Protection
• IT Auditing: Information Security Governance
• IT Auditing: Irregular and Illegal Acts
• IT Auditing: IT Governance
• IT Auditing: IT Service Delivery and Support
• IT Auditing: The Process
Boson Software, Inc.
• CISA ExSim #1
• CISA ExSim #3
• CISM ExSim #1
ISACA Journal
• Preserving Electronically Encoded Evidence
ITAudit magazine
• Did IT Auditing Forget the Foreign Corrupt Practices Act?
IT Governance Publishing
• Security Management: Legal Compliance Alignment
• Security Management: Safeguarding Information Assets
• How Does Management Support Deploying IT Governance
• Security Management: First-Tier Governance Development
Contents
Introduction
Acronyms
Glossary
Bibliography
Chapter 1: Governments -- addresses the intersection and interaction between government-issued mandates, entity-framed responses, and audit practice areas.
Chapter 2: Entities -- contains an overview for framing compliance, control environment influencers, compliance management processes, and entity employee responsibilities.
Chapter 3: Audits -- presents five generally accepted audit process phases (planning, studying and evaluating controls, testing and evaluating controls, reporting, and follow-up) to explain general compliance assurance procedures.
Introduction
The concept of industrial compliance with applicable laws and regulations deals with obeying the statutory requirements to which the entity is subject. Compliance implies acceptance. Accepting socially expected behavior requires that values conform to established norms. Conformance to government-enforced rules is the ultimate goal for most societies, because it ensures a common baseline of legally acceptable entity behavior, whether the laws or regulations apply to individuals or to groups.
Governments and governmental agencies enact governance-related laws and regulations to ensure that entity managers refrain from participating in corrupt, fraudulent, or unethical behavior. Governments and governmental agencies also enact laws and regulations to provide stakeholders with confidence that management will perform its fiduciary responsibilities. This fiduciary relationship between stakeholders and management typically requires that the entity’s management safeguard the assets entrusted to it for use by the entity in generating revenues or paying expenses. To sustain compliance with this legal objective, an entity’s management is expected to provide accurate and complete information about the entity’s past and current performance, as well as its assessments of any confirmed future economic events that may or will affect the entity’s financial status and its present financial position.
Government laws and regulations usually require an entity’s management to design, implement, and maintain a system of controls. However, verifying that those controls exist and are effective is commonly an external and/or internal statutory audit responsibility. Auditors who conduct these entity compliance attestation engagements are directed toward examining, reviewing, or performing agreed-upon procedures regarding a subject matter, or an assertion about a subject matter, and reporting evidentially supported results.
Separately or jointly, government-sponsored laws and regulations can impose audit practice requirements that impact entity compliance attestation service efforts. Where laws and regulations promote management’s accountability to stakeholders for entity assets, the information technology (IT) legal compliance audit area and/or ambit may be mandated by governments and governmental agencies -- such as the Japanese Financial Instruments and Exchange Law (J-SOX) and the United States Federal Information Security Management Act (FISMA). Alternatively, IT audit engagements may be determined by perceived noncompliance risk, or the entity’s audit committee can direct IT audit coverage to assess expected compliance by the entity’s management. Nevertheless, professional IT auditors must evaluate potential irregularities and illegal acts during the entire IT assurance process,[1] even when directed by the audit committee to focus on a particular IT auditable unit within the engagement’s audit area.
[1] ISACA, “Irregularities and Illegal Acts,” in Information Systems Standards, Guidelines, and Procedures for Auditing and Control Professionals (Rolling Meadows: ISACA, September 2005), 17–8.