This lesson focuses on ethics: doing the right thing at the right time, every time. It focuses on the ISACA code, the code of professional conduct for IS auditors set forth by the Information Systems Audit and Control Association (ISACA). This lesson covers how auditors must be honest, objective, and detailed. It also discusses the prevention of ethical conflicts.

Transcript

Okay, so let's talk about professional ethics. What does this really mean in the big picture? Ethics in general means that you're trying to do the right thing, even when no one's watching. That's what it kind of boils down to. So, in a professional sense, you should assume someone is watching, of course, and always behave as if someone were watching, so that you do the right thing at the right time, every time. That's what we're trying to get at. The ISACA code addresses this somewhat. They want to make sure that if you are a certified IS auditor, you have a very high level of ethical behavior, so that the results of your work should never be brought into question as a result of poor ethics. So the auditors agree to support the implementation of policies, standards, guidelines, and procedures. We talked about what the differences were between a policy, a guideline, a procedure and a standard. So the auditor should embrace what the organization wants to do with regard to those different types of documentation, and then enforce that appropriately. The auditor is also supposed to be objective. They should exercise due care and due diligence and make sure that the actions they take, the decisions they make, and the findings they arrive at are not biased in any way by their personal relationship with the auditee, or with the organization itself. They should be looking only at the information that is discovered and making their determination in an objective sense.
Auditors have to serve the interests of the stakeholders. This means, of course, that they have to do this within the confines of the law. If your boss is telling you to do something, or not to do something, which you know is unlawful, then that would be a time where you're not going to obey the interests of the stakeholder. So you align yourself with the interests of stakeholders in a lawful manner. That just makes sense: everyone is working together, staying on the same page, everything is on the up and up, and there's no danger of violating regulations or other types of laws. The last item to think about here on this page is that the auditor must maintain the privacy and secrecy of the information that they discover during the course of their activities. I mentioned this earlier when we were talking about the large numbers of corporate officers and attorneys, and so on, who have been prosecuted for fraud. Obviously those people thought that they could use some information or some resources that they had access to for their own personal gain. Sometimes that works for a while and sometimes it doesn't, but the idea is that you should always avoid that kind of activity to begin with. That way you don't have to worry about becoming compromised at some later point in time. The second part of our ISACA code for auditors says that auditors should only take those kinds of actions that they are actually qualified to take. If you're skilled at auditing IS and not so much at financial systems, then there might be some areas where other people have to do certain aspects of an audit. Having the proper training, being certified, showing competency based on past results or work that was done previously: these are all things to think about in order to prove that the auditor is working effectively and is gathering information using the correct methodologies. Auditors must promise to disclose the accurate results of their work.
So this means, again, being objective. If the auditor discovers that there are, you know, 275 findings during their audit, they should not try to minimize that number in any way to make things look better than they really are. If it's 275 findings, all of those should be disclosed, and done so with the appropriate level of detail to the appropriate stakeholders who need to know this information. It stands to reason that an auditor has to pursue ongoing education. So, if you become a CISA, obviously there are requirements for continuing education there, but even if you're not becoming a CISA you still have some expectation to stay in touch with different advances in the field, different trends, and new regulations and laws that come out. All of those things must be considered so that the auditor stays synchronized with the best practices in their industry. If an auditor becomes lazy and starts to lose connection with different trends and different laws, then they could make mistakes down the line which could have been avoided had they spent more time on their own education. Now, I mentioned earlier, if the CISA does not comply with these guidelines in the code of ethics, then they might be investigated and potentially lose their certification. So there are consequences to be considered for not following the code of ethics. How do we prevent ethical conflicts? This is a pretty broad subject to think about, but one thing to start off with, at the top, is if you know something is unlawful, criminal behavior, just avoid it altogether. You don't necessarily have to become paranoid about it, but it's important to understand where the line is between what's ethical and lawful and what's not. If you always stay on the correct side of that line, then you shouldn't have problems and your organization shouldn't have problems.
So, stealing intellectual property: this is a big problem and it comes in many different forms, but that's why we have trademarks and copyrights and patents and so on, so that people who create intellectual property can then protect it. Copyright violations: we see this all the time where people make a knock-off version of a legitimate product. Maybe it comes from some foreign country where the laws are more lax. Then they try to sell those things here: software, logos, lots of different things, purses, watches. What about following your own rules? We talked about having a personal policy for ethical behavior. If your personal policy for yourself is in conflict with what's expected of a professional auditor, then you might need to reconsider some of your decisions. As I mentioned, the auditor has a reputation to uphold beyond just the results of their work. So if you present yourself as a person with integrity, who is truthful, hard-working, honest, and follows the rules, then that reputation should carry over to the results of your actual auditing activity. Of course, when violating the law is involved, if the auditor is in a position where they are helping to investigate, or helping to uncover information used in an investigation, then they should know what they're looking for and how it's applicable to the task at hand. That also applies to the behavior of the auditor themselves. For instance, it would be clearly unethical and most likely illegal to accept some kind of a bribe in order to gloss over some audit findings, or to change or falsify information in order to benefit your client. Sometimes this happens in financial audits where accountants, you know, so-called cook the books. They're making changes to the way they should be recording the information in order to benefit the organization.
And, of course, those people typically get caught at some point, and now they have to deal with losing their professional accreditations, going to jail, and possibly financial penalties. That's usually not worth the risk of engaging in that kind of behavior. What about this: not reporting a violation promptly? If you know that something is incorrect and is in violation of some standard or some regulation, the burden is on the person discovering this to act quickly. If you don't do so, then it may look like you are covering something up, or trying to help someone else cover something up. So it's best to act quickly when you discover that there's a problem.