
Copyright 2003 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

The IS Auditor's Consideration of Irregularities and Illegal Acts


By Peter Niblett, CISA, CA, MIIA, FCPA, and Sander S. Wechsler, CISA, CPA

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2003

Cynthia Cooper, the internal auditor credited with discovering the huge accounting fraud at WorldCom, is a hero. She did her job. Unfortunately, the job that she did is the least glamorous type of work in which auditors engage. Her work was not a value-added audit, and it did not identify cost savings or generate revenue for the internal audit department. Instead, it was plain old-fashioned compliance-based internal audit work. However, in light of the discoveries at Enron and WorldCom, and others elsewhere, there will be increased pressure on internal audit organizations to increase the amount of compliance audit work performed and to include procedures designed to detect irregularities or illegal acts.

To provide guidance to IS auditors, the Information Systems Audit and Control Association (ISACA) has issued an IS Auditing Guideline titled Irregularities and Illegal Acts. The guideline addresses the auditor's responsibility with regard to these issues. Professional standards always have placed a certain level of responsibility on IS auditors to identify and detect irregularities and illegal acts, but in light of recent events surrounding Enron and WorldCom, there is an increased demand on auditors to consider irregularities and illegal acts in their procedures. In fact, in a post-Enron and WorldCom environment, there undoubtedly is increased public expectation that auditors must perform procedures to detect whether irregularities or illegal acts have occurred.

Under this guidance issued by ISACA's Standards Board, IS auditors are directed to assess the risk that irregularities or illegal acts could occur. Based on that risk assessment, IS auditors are directed to perform procedures based on the level of risk that exists in an organization. Obviously, the extent, timing and nature of the procedures vary based on the type of engagement, the planned report, materiality considerations and the expected users of the report. Finally, if irregularities or illegal acts are detected, ISACA's IS Auditing Guidelines provide IS auditors with a set of procedures that should be considered when assessing whether an irregularity or illegal act has occurred and its likely impact on an organization.

Irregularities and Illegal Acts

There are many definitions and notions as to what constitutes an irregularity or illegal act. Illegal acts typically involve a violation of law or governmental regulation. As a result, various countries or jurisdictions define an illegal act differently. To avoid confusion, and to create a common platform, it is necessary to have a common definition for what constitutes an illegal act. For purposes of the guideline and this article, illegal acts are broadly defined as:

- Fraud: any act that involves the use of deception to obtain an illegal advantage
- Noncompliance with laws and regulations, including the failure of IT systems to meet the applicable laws and regulations
- Noncompliance with the organization's agreements and contracts with third parties such as banks, suppliers and vendors
- Manipulation, falsification, forgery or alteration of records or documents (whether in electronic or paper form)
- Suppression or omission of the effects of transactions from records or documents (whether in electronic or paper form)
- Recording of transactions in the financial or other records (whether in electronic or paper form) of the organization that are without substance
- Misappropriation and misuse of IS and/or non-IS assets
- Trademark, copyright and patent violations
- Errors in the financial records or other records of the organization that arise from unauthorized access to, or use of, the organization's IT systems

Irregularities, however, include illegal acts by an organization not defined above. Hence, irregularities include violations of organizational codes of conduct, ethics violations and any act not deemed to be a violation of a law or regulation.

Responsibilities of Management and the IS Auditor

It is the responsibility of management to prevent and detect irregularities and illegal acts. In carrying out this responsibility, management can use a variety of methods to reduce the risk that irregularities and illegal acts occur. These methods include:

- Implemented internal control techniques, including policies, procedures and monitoring controls
- Implemented procedures governing employee codes of conduct
- Compliance validation and monitoring procedures

The IS auditor should understand that these methods never completely eliminate the possibility that irregularities or illegal acts may exist and remain undetected. In most of the recent publicized cases of fraudulent financial reporting, senior financial management is accused of either being aware of or directly participating in the illegal act(s). In each of these situations, the system of internal controls and the other procedures in place were circumvented by those put in charge of the systems that were designed to detect these kinds of illegal acts. When management, particularly senior management, is involved in the irregularities or illegal acts, it is much more difficult to detect these occurrences.

It is important to remember that the IS auditor is not professionally responsible for the prevention or detection of irregularities or illegal acts; that is the responsibility of management. Hence, in theory, unless there is information to the contrary, the IS auditor has no obligation to perform procedures specifically designed to detect irregularities or illegal acts. In light of recent history, however, auditors should assume that there is some level of irregularities or illegal acts ongoing and that the risk of irregularities and illegal acts is not zero. IS auditors should inform management and the audit committee (or equivalent) when they identify situations where a higher degree of risk of irregularities or illegal acts exists, even if none are detected. Under the terms of reference for an engagement, the IS auditor may also be given a specific requirement to perform procedures designed to detect irregularities or illegal acts.

During the performance of procedures, evidence may be identified that indicates that an illegal act may occur or has already occurred. While it is natural for the IS auditor to try to determine whether or not a violation of law or regulation has occurred, the question of whether an irregularity, illegal act or error has been committed and its materiality or effect on the organization is beyond the scope and responsibility of the IS auditor. Hence, the determination as to whether a particular act or acts are illegal generally is based on the advice of an informed expert qualified to practice law.

Planning and Conducting the Engagement


While the IS auditor has no explicit responsibility to detect or prevent illegal acts or irregularities, the IS auditor should design procedures to detect illegal acts or irregularities based on the assessed level of risk that irregularities or illegal acts could occur. Hence, when planning the engagement, the IS auditor should obtain an understanding of the organization's system of internal controls, including:

- Implemented internal control techniques, including policies, procedures and monitoring controls
- Implemented policies and procedures governing employee conduct
- Implemented compliance validation and monitoring procedures
- The legal and regulatory environment in which the organization operates
- The mechanism the organization uses to obtain, monitor and ensure compliance with the laws and regulations that affect the organization

The IS auditor then should perform an assessment of the risk that irregularities or illegal acts which are material to the subject matter of the report exist and are undetected by the system of internal controls. The risk assessment should consider only those factors that are relevant to the organization and the subject of the engagement, including such things as:

- Risk factors relating to irregularities or illegal acts that affect the financial accounting records
- Risk factors relating to irregularities or illegal acts that do not affect the financial records, but affect the organization
- Risk factors relating to other irregularities or illegal acts that relate to the adequacy of the organization's internal controls

The IS auditor also should consider other factors in the risk assessment process that could affect these risks, including:

- The effect of employee dissatisfaction
- Potential layoffs, outsourcing, divestiture or restructuring
- The existence of assets that are easily susceptible to misappropriation
- Poor organizational financial and/or operational performance
- Management's focus on financial and/or operational performance, including the desire to meet external revenue or earnings expectations
- Management's attitude on ethical conduct
- Irregularities and illegal acts that are common to a particular industry or have occurred in similar organizations

As part of the planning process and performance of the risk assessment, the IS auditor should make inquiries of management with regard to such issues as:

- Their understanding of the level of risk of irregularities and illegal acts in the organization
- Whether they have knowledge of irregularities and illegal acts that have occurred or could have occurred against or within the organization
- How the risk of irregularities or illegal acts is monitored, managed and controlled

The IS auditor should design procedures that take into account the identified level of risk for irregularities and illegal acts. In practice, this means that when a high risk of irregularities or illegal acts is identified, procedures designed to identify whether irregularities or illegal acts exist should be performed. As the identified level of risk increases, so should the nature, timing and extent of the procedures performed.

Even if the assessed risk is low, the IS auditor should inquire of IT and user management, as appropriate, concerning compliance with laws and regulations. The IS auditor should review the results of engagement procedures to determine whether there are indications that irregularities or illegal acts may have occurred. When this evaluation is performed, risk factors identified during planning should be reviewed against the actual procedures performed to provide reasonable assurance that all identified risks have been addressed. The evaluation also should include an assessment of the results of the procedures to determine whether undocumented risk factors exist.

When Irregularities or Illegal Acts Are Detected


It is the responsibility of management to detect irregularities and illegal acts. Hence, the IS auditor's duty to investigate and report irregularities arises only in circumstances when evidence of an irregularity or illegal act is identified, either explicitly or implicitly. When the IS auditor becomes aware of information concerning a possible illegal act, the IS auditor should:

- Obtain an understanding of the nature of the act
- Understand the circumstances in which it occurred
- Obtain sufficient information to evaluate the effect of the irregularity or illegal act
- Perform additional procedures to determine the effect of the irregularity or illegal act and whether additional acts exist

The IS auditor should work with others in the organization (such as organizational security personnel), including management (at an appropriate level above those involved, if possible), to determine whether an irregularity or illegal act has occurred and its effect. The existence of irregularities or illegal acts may come to the attention of the IS auditor during an engagement. If indications of an illegal act are identified, the IS auditor should consider the potential effect on the subject matter of the engagement, the report and the organization. The IS auditor should consult with legal counsel and other appropriate individuals within the organization when a potential irregularity or illegal act is identified, because only legal counsel can assess whether an act is truly an irregularity or illegal act. Unless circumstances clearly indicate otherwise, the IS auditor should assume that an irregularity or illegal act is not an isolated occurrence. The IS auditor also should review applicable portions of the organization's internal controls to determine why they failed to prevent or detect the occurrence of the irregularity or illegal act, and should reconsider the prior evaluation of the sufficiency, operation and effectiveness of the organization's internal controls.

When the IS auditor has identified situations where an irregularity or illegal act exists, whether potential or in fact, he should modify the procedures performed to confirm or resolve the issue identified during the engagement. The extent of such modifications or additional procedures depends on the IS auditor's professional judgment as to the:

- Type of irregularity or illegal act that may have occurred
- Perceived risk of its occurrence
- Potential effect on the organization, including financial effects and the organization's reputation
- Likelihood of the recurrence of similar irregularities or illegal acts
- Possibility that management may have knowledge of or be involved in the irregularity or illegal act
- Actions, if any, that the governing body or management is taking
- Possibility that noncompliance with laws and regulations has occurred unintentionally
- Likelihood that a material fine or other sanction, e.g., the revocation of an essential license, may be imposed as a result of noncompliance
- Effect on the public interest that may result from the irregularity

When an irregularity involves a member of management, the IS auditor should reconsider the reliability of representations made by management. Typically, the IS auditor should work with an appropriate level of management above the one associated with the irregularity or illegal act.

Reporting
Irregularities and illegal acts vary considerably in their materiality and potential effect on the subject matter or the report. The assessment of the effect of an irregularity or illegal act should be performed in conjunction with legal counsel and organizational governance, such as the board of directors or audit committee, or management, if necessary. The assessment should consider the effect that the irregularity or illegal act has on such things as applicable agreements, contracts, laws and regulations. The potential effect that an irregularity or illegal act has on the subject matter and report varies according to the type of illegal act and the nature of the organization's operations. Unless otherwise required, the IS auditor is responsible only for reporting the events and circumstances surrounding the act. It is management's responsibility, typically in consultation with legal counsel, to determine and report whether the act is in fact an irregularity or illegal act. In certain jurisdictions, the IS auditor may have further obligations that go beyond the requirements discussed above. In that case, the IS auditor also must provide reasonable assurance of compliance with any and all additional requirements.

The IS auditor should include in a report a description of the events and circumstances surrounding the irregularities or illegal acts. The findings should be reported to the appropriate levels of management higher than the one involved in the act(s). If all levels of management are involved, or if the IS auditor suspects that all levels of management are involved, then the findings should be reported first to governing bodies of the organization, such as the board of directors or governors, trustees or the audit committee. The IS auditor should use professional judgment when reporting irregularities or illegal acts.

The IS auditor should discuss the findings, and the nature, timing and extent of any further procedures to be performed, with an appropriate level of management that is at least one level above the person who appears to be involved directly. In these circumstances, it is particularly important that the IS auditor maintains independence. In determining the appropriate person to whom to report irregularities or illegal acts, the IS auditor should consider all relevant circumstances, including the possibility of senior management involvement. The IS auditor should seek to avoid alerting any person who may be implicated or involved in the irregularities or illegal acts, to reduce the potential for those individuals to destroy or suppress evidence.

Notwithstanding an organization's responsibility to report illegal acts or irregularities, the IS auditor's duty of confidentiality to the organization precludes reporting any potential or identified irregularities or illegal acts. However, in certain circumstances, the IS auditor may be required to disclose irregularities or illegal acts. These include such things as:

- Compliance with legal or regulatory requirements
- External auditor requests
- Subpoena or court order
- Funding agency or government agency requests, in accordance with requirements for the audits of entities that receive governmental financial assistance

In situations where an IS auditor is required to disclose potential or identified irregularities or illegal acts, legal advice and counsel should be sought prior to complying with the request. In some jurisdictions, the IS auditor may be protected by qualified privilege. Even in situations where the IS auditor is protected by privilege, the IS auditor should seek legal advice and counsel prior to making this type of disclosure, to ensure that he/she is in fact protected by this privilege. If the organization fails to disclose known irregularities or illegal acts, or requires the IS auditor to suppress these findings, the IS auditor should seek legal advice and counsel.

Conclusion
While recent events surrounding Enron and WorldCom place additional public scrutiny on auditors to detect irregularities and illegal acts, this does not mean that IS auditors must become fraud investigators. Professional standards require IS auditors to assess the risk, or the likelihood, that irregularities and illegal acts may occur. Based on that risk assessment, IS auditors must design procedures that are appropriate to the assessed risk. While increased scrutiny is being placed on IS auditors to detect irregularities and illegal acts, ultimately it is management that is responsible for their detection and prevention.

Proposed Guidance on Fraud


Recently, the American Institute of Certified Public Accountants issued a new audit standard on fraud that provides new guidance for external auditors in the United States. The standard does not substantially change an external auditor's responsibilities for detecting fraud in a financial statement audit. Instead, it provides additional guidance to external auditors to assist them in meeting those responsibilities. It introduces three new concepts that are beneficial to all IS auditors during the assessment of the risk of irregularities and illegal acts:

- Opportunity: circumstances that provide an opportunity to carry out an irregularity or illegal act
- Incentive/pressure: incentives or pressures on management or other employees to commit irregularities or illegal acts
- Attitude/rationalization: an attitude, character or set of values that allows one or more individuals to knowingly and intentionally commit irregularities or illegal acts

The most significant change is that it requires external auditors to assess whether or not controls put in place to reduce the risk of irregularities and illegal acts have been suitably designed and are placed in operation. This new guidance expands the requirements of external IS auditors, as there is no current requirement for IS auditors to evaluate specifically the design and operation of these types of controls. However, it is entirely possible for an IS auditor to perform this evaluation in an engagement. Due to the complex nature of this particular issue, additional guidance may need to be provided to IS auditors in meeting this proposed requirement.

References
Irregularities and Illegal Acts, IS Auditing Guideline 030.010.010, ISACA, effective 1 July 2002, www.isaca.org/standard/guide21.htm

Peter Niblett, CISA, CA, CIA, CPA, is a director of IT risk management at Day Neilson, a chartered accounting firm in Geelong, Victoria, Australia. He is an information systems specialist experienced in a wide range of IT systems and issues. He specializes in risk management, quality assurance and e-business and e-commerce solutions. Niblett was a member of the Audit and Assurance Standards Board (AuASB) of the Australian Accounting Research Foundation from 1999 to 2001, and is a member of ISACA's Standards Board.

Sander S. Wechsler, CISA, CPA, is the IT internal audit manager for NCR Corporation in Dayton, Ohio, USA. He worked previously at Ernst & Young LLP and BDO Seidman LLP as a senior manager. Wechsler has more than 13 years of IT audit experience. He is a past member of ISACA's Standards Board and of the AICPA Task Force responsible for the development of the SysTrust 2.0 product.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.