Time
8 hours 35 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Description

This lesson focuses on ethics: doing the right thing at the right time, every time. It focuses on the ISACA code, the code of professional conduct for IS auditors set forth by the Information Systems Audit and Control Association (ISACA). It covers how auditors must be honest, objective and detailed, and it also discusses the prevention of ethical conflicts.

Transcript

Okay, so let's talk about professional ethics. What does this really mean in the big picture? Ethics in general, it means that you're trying to do the right thing, even when no one's watching. That's what it kind of boils down to. So, in a professional sense, you should assume someone is watching, of course, and always behave as if someone was watching, so that you do the right thing at the right time every time. That's what we're trying to get at. The ISACA code addresses this somewhat. So they want to make sure that if you are a certified IS auditor, that you have a very high level of ethical behavior so that the results of your work should never be brought into question as a result of poor ethics. So the auditors agree to support the implementation of policies, standards and guidelines, and procedures. We talked about what those differences were between a policy, a guideline, a procedure and a standard. So the auditor should embrace what the organization wants to do with regard to those different types of documentation and then enforce that appropriately. The auditor is also supposed to be objective. They should do their due care and due diligence and make sure that the actions that they're taking and the decisions that they make and the findings that they arrive at are not biased in any way by their personal relationship with the auditee, or with the organization itself. They should be looking only at the information that is discovered and making their determination in an objective sense.
Auditors have to serve the interests of the stakeholders. This means, of course, that they have to do this within the confines of the law. If your boss is telling you to do something, or not to do something, which you know is unlawful, then that would be a time where you're not going to obey the interests of the stakeholder. So you align yourselves with the interests of stakeholders in a lawful manner. That just makes sense that everyone is working together, staying on the same page, everything is on the up and up and there's no danger of violating regulations or other types of laws. The last item to think about here on this page is that the auditor must maintain the privacy and secrecy of the information that they discover during the process of their activities. I mentioned this earlier when we were talking about the large numbers of corporate officers and attorneys, and so on, who have been prosecuted for fraud. Obviously those people thought that they could use some information or some resources that they had access to for their own personal gain. Sometimes that works for a while and sometimes it doesn't, but the idea is that you should always avoid that kind of activity to begin with. That way you don't have to worry about becoming compromised at some later point in time. So a second part of our ISACA code for auditors, the auditors should only do those kinds of actions or take those kinds of actions that they are actually qualified to do. If you're skilled at auditing IS and not so much at financial systems, then there might be some areas where other people might have to do certain aspects of an audit. So having the proper training, being certified, showing competency based on past results, or work that was done previously. These are all things to think about in order to prove that the auditor is working effectively and is gathering information and using the correct methodologies. Auditors must promise to disclose the accurate results of their work. 
So this means, again, being objective. If the auditor discovers that there are, you know, 275 findings during their audit, they should not try to minimize that number in any way to make things look better than they really are. If it's 275 findings, all of those should be disclosed, and done so with the appropriate level of detail to the appropriate stakeholders that need to know this information. It stands to reason that an auditor has to have an ongoing education for themselves. So, if you become a CISA, obviously there are requirements for continuing education there, but even if you're not becoming a CISA you still have some expectation to stay in touch with different advances in the field, different trends, new regulations and laws that come out. All of those things must be considered so that the auditor stays synchronized with the best practices in their industry. If an auditor becomes lazy and starts to lose connection with different trends and different laws, then they could make mistakes down the line which could have been avoided had they spent more time on their own education. Now, I mentioned earlier, if the CISA does not comply with these guidelines in this code of ethics, then they might be investigated and potentially lose their certification. So there are consequences to be considered for not following the code of ethics. How do we prevent ethical conflicts? This is a pretty broad subject to think about, but one thing to start off with, at the top, is if you know something is unlawful, criminal behavior, just avoid it altogether. You don't necessarily have to become paranoid about it, but it's important to understand where the line is between what's ethical and lawful and what's not. If you always stay on the correct side of that line, then you shouldn't have problems and your organization shouldn't have problems.
So, stealing intellectual property, this is a big problem and it comes in many different forms, but that's why we have trademarks and copyrights and patents and so on: so that people that create their intellectual property can then protect that. Copyright violations. We see this all the time where people make a knock-off version of a legitimate product. Maybe it comes from some foreign country where the laws are more lax. When they try to sell those things here: software, logos, lots of different things, purses, watches. What about following your own rules? We talked about having a personal policy for ethical behavior. If your personal policy for yourself is in conflict with what's expected as a professional auditor, then you might need to reconsider some of your decisions. As I mentioned, the auditor has a reputation to uphold beyond just the results of their work. So if you present yourself as a person with integrity, that's truthful, hard-working, honest, follows the rules, then that reputation should carry over to the results of your actual auditing activity. Of course, when violating the law's involved, if the auditor's in a position where they are helping to investigate, or helping to uncover information used in an investigation, then they should know what they're looking for and how it's applicable to the task at hand. That also applies to the behavior of the auditor themselves. For instance, it would be clearly unethical and most likely illegal to accept some kind of a bribe in order to gloss over some audit findings, or to change or falsify information in order to benefit your client. Sometimes this happens in financial audits where accountants, you know, so-called cook the books. They're making changes to the way they should be recording the information in order to benefit the organization.
And, of course, those people typically get caught at some point and now they have to deal with losing their professional accreditations, going to jail, financial penalties possibly. That's usually not worth the risk for engaging in that kind of behavior. What about this: not reporting a violation promptly? If you know that something is incorrect and is in violation of some standard or some regulation, the burden is on the person discovering this to act quickly. If you don't do so, then it may look like you are covering something up, or trying to help someone else cover something up. So it's best to act quickly when you discover that there's a problem.

Video Transcription

00:04
Okay, so let's talk about professional ethics.
00:07
What does this really mean in the big picture?
00:11
Ethics in general, it means that you're trying to do the right thing
00:16
even when no one's watching. Right?
00:18
That's that's what it kind of boils down to.
00:22
So, in a professional sense,
00:24
you should assume someone is watching, of course,
00:27
and always behave as if someone was watching so that you do the right thing at the right time every time.
00:33
That's that's what we're trying to get at
00:37
The ISACA code
00:39
addresses that somewhat.
00:41
So they want to make sure that if you are a certified IS auditor,
00:46
that you have a very high level of ethical behavior
00:50
so that your
00:52
the results of your work should never be brought into question
00:56
as a result of poor ethics. So the auditors
01:00
agree to support
01:02
implementations of policies, standards and guidelines and procedures.
01:06
We talked about what those differences were between a policy, a guideline, a procedure and a standard,
01:11
so the auditor should embrace what the organization wants to do
01:17
in regard to those different types of documentation and then enforce that appropriately.
01:23
The auditor is also supposed to be objective
01:27
they should do their due care and due diligence
01:30
and make sure that the actions that they're taking
01:36
and the decisions that they make and the findings that they arrive at
01:38
are not
01:41
biased in any way by their personal relationship
01:44
with the auditee, or
01:46
with the organization itself.
01:49
They should be looking only at the information that is discovered
01:53
and making their determination
01:55
in an objective sense. Auditors have to serve the interests of the stakeholders. This means,
02:00
of course, that they have to do this within the confines of the law.
02:06
If your boss is
02:07
telling you to do something or not to do something which you know is unlawful,
02:14
then that would be a time where you're not going to obey the interests of the stakeholder.
02:19
So you you align yourselves with the interest of stakeholders in a lawful manner,
02:25
and that just makes sense that everyone is working together, staying on the same page. Everything is on the up and up,
02:30
and there's no danger of violating regulations or other types of laws. And the last item to think about here on this page is that the auditor must maintain the privacy and secrecy of information that they discovered during the process of their activities. I mentioned this earlier.
02:50
We were talking about the
02:53
large numbers of
02:54
corporate officers and attorneys and so on who have been
02:59
prosecuted for fraud.
03:01
Obviously, those people thought that they could use some information or some resources
03:07
that they had access to for their own personal gain.
03:12
And sometimes that works for a while, and sometimes it doesn't.
03:15
But
03:16
the idea is that you should always avoid that kind of activity to begin with.
03:21
That way, you don't have to worry about
03:23
becoming compromised at some later point in time. So second part of our ISACA code for auditors,
03:30
the auditors should only do those kinds of actions or take those kinds of actions that they are actually qualified to do.
03:38
If you're skilled at auditing IS
03:42
and not so much at financial systems, then there might be some areas where other people might have to do certain
03:49
aspects of an audit.
03:52
So having the proper training being certified,
03:55
showing competency based on past results
04:00
or work that was done previously. These are all things to think about
04:03
in order to prove
04:05
that the auditor is working effectively
04:09
and is
04:11
is gathering information and using the correct methodologies.
04:15
Auditors must promise to disclose the accurate results of their work.
04:19
So this means again being objective.
04:24
If the auditor discovers that there are,
04:27
uh, you know, 275 findings
04:30
during their audit,
04:31
they should not
04:32
try to minimize that number in any way,
04:35
to make things look better than they really are.
04:39
If it's 275 findings, all those should be disclosed
04:43
and done so with the appropriate level of detail to the appropriate stakeholders that need to know this information.
04:53
It stands to reason that an auditor has to have an ongoing
04:58
education for themselves.
05:00
So if you become a CISA, obviously there are
05:04
requirements for continuing education there.
05:08
But even if you're not becoming a CISA,
05:13
you still have some expectation
05:15
to stay in touch with different advances in the field, different trends, new regulations and laws that come out.
05:21
All those things must be considered
05:25
so that the auditor stays synchronized with
05:28
the best practices
05:29
in their industry. If an auditor becomes lazy
05:33
and starts to lose connection with
05:35
different trends and different laws, then they could make mistakes down the line, which could have been avoided had they
05:43
spent more time
05:45
on their own education.
05:48
And I mentioned earlier, if the CISA does not comply with these guidelines in this code of ethics,
05:57
then they might be investigated and potentially lose their certification.
06:00
So there are consequences
06:03
to be considered for not
06:05
following the code of ethics. How do we prevent ethical conflicts? This is a pretty broad subject to think about, but one thing to start off with at the top is, if you know something is unlawful criminal behavior,
06:20
just avoid it altogether.
06:24
You don't necessarily have to
06:26
become paranoid about it, but it's important to understand where the line is between what's ethical and lawful and what's not.
06:34
And if you always stay on the correct side of that line, then you shouldn't have problems and your organization shouldn't have problems. So stealing intellectual property,
06:44
this is a big problem and it comes in many different forms.
06:47
But that's why we have trademarks and copyrights and patents and so on
06:53
so that people that create their intellectual property can then
06:57
protect that
06:59
copyright violations, distributing something.
07:03
We see this all the time when people make a,
07:06
uh,
07:08
a knockoff version of a legitimate product.
07:11
Maybe it comes from some foreign country where the laws are more lax, when they try to sell those things here.
07:17
Um,
07:18
software, logos,
07:21
lots of different things. You know, purses, watches.
07:26
What about following your own rules?
07:29
We talked about having a
07:31
a personal
07:33
policy for ethical behavior.
07:36
If your, uh,
07:40
personal policy for yourself
07:42
is in conflict with what's expected as a professional auditor,
07:46
then you might need to reconsider some of your decisions, right.
07:51
As I mentioned, the auditor has a reputation to uphold
07:57
beyond just the results of their work.
08:00
So if you present yourself as a person with integrity, that's truthful,
08:05
hardworking, honest
08:07
follows the rules
08:09
then that reputation should carry over to the results of your actual auditing activity.
08:16
Of course,
08:16
when
08:18
violating the law's involved,
08:22
if the auditor's in a position where they are helping to investigate,
08:26
or helping to uncover information used in an investigation,
08:30
and they should know
08:31
what they're looking for and how it's applicable to the task at hand
08:37
that also applies to the behavior of the auditor themselves.
08:41
For instance,
08:43
it would be clearly unethical and most likely illegal to accept some kind of a bribe
08:50
in order to gloss over some audit findings
08:54
or to change or falsify information
08:58
in order to benefit your client.
09:01
Uh, sometimes this happens in financial audits,
09:03
where accountants,
09:05
so-called cook the books,
09:09
right. They're making changes
09:11
to the
09:13
way they should be recording the information in order to benefit the organization.
09:18
And, of course, those people
09:20
typically get caught at some point,
09:22
and now they have to deal with
09:26
losing their professional accreditations, going to jail, financial penalties possibly.
09:31
That's usually not worth the risk for engaging in that kind of behavior. And what about this? Not reporting a violation
09:37
promptly?
09:39
if you know that something is incorrect
09:43
and is in violation of some standard or some regulation,
09:46
The burden is on the person discovering this
09:50
to act quickly. If you don't do so,
09:54
then it may look like you are covering something up or trying to help someone else cover something up.
10:00
So it's best to act quickly when you discover that there's a problem

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor