Managerial Primer for Assuring IT Legal Compliance

Overview: The concept of industrial compliance with applicable laws and regulations deals with obeying the statutory requirements to which the entity is subject. Compliance infers acceptance. Societal expected behavior acceptance requires value(s) conformity to established norms. Conformance to government enforced rules is the ultimate goal for most societies to ensure a common baseline of legally acceptable entity behavior, whether laws or regulations apply to individuals or groups. Governments and governmental agencies enact governance related laws and regulations to ensure that entity managers refrain from participating in corrupt, fraudulent, or unethical behavior. Governments and governmental agencies also enact laws and regulations to provide for stakeholder confidence that management will perform its fiduciary responsibilities. This fiduciary relationship between stakeholders and management typically requires that the entity’s management safeguards assets entrusted to it for use by the entity in generating revenues or paying expenses. To sustain compliance with this legal objective; an entity’s management is expected to provide accurate and complete information about the entity’s past and current performance, as well as their assessments of any confirmed future economic events that may/will affect the entity’s financial status and its present financial position. Government laws and regulations usually require an entity’s management to design, implement, and maintain a system of controls. However, controls existence and effectiveness verification is commonly an external and/or internal statutory audit responsibility. Auditors that conduct these entity compliance attestation engagements are directed toward examining, reviewing, or performing agreed-upon procedures regarding a subject matter; or an assertion about a subject matter, and reporting evidentially-supported results. Separately or jointly, government-sponsored laws and regulations can impose audit practice requirements that impact entity compliance attestation service efforts. Where laws and regulations promote managements' accountability of entity assets to stakeholders, information technology (IT) legal compliance audit area and/or ambit may be mandated by governments and governmental agencies -- such as the Japanese Financial Instruments and Exchange Law (J-SOX) and United States Federal Information Security Management Act (FISMA). Alternatively, IT audit engagements may be determined by perceived noncompliance risk or the entity’s audit committee can direct IT audit coverage to assess expected compliance by the entity's management. Nevertheless, professional IT auditors must evaluate potential irregularities and illegal acts during the entire IT assurance process,1 even when directed by the audit committee to focus on a particular IT auditable unit -- within the engagement's audit area. Laws and regulations are enacted and reinforced to ensure entities comply with a particular society’s expectations for ethical behavior when conducting business. Depending on societal perceptions; laws and regulations are ratified to ensure compliance with perceived entity responsibilities. Beneficially, countries imposing legal mandates provide expectation consistency for sustaining governance within their boundaries of authority. Groups conceive customs, rules and prevailing opinions that an established government can convert into laws. Enforceable laws reflect an official society’s behavioral norms -- with legal interpretation indicating the corresponding community’s sociological trends. Laws can embrace a society’s desire for: Peace keeping Facilitating planning Social justice promotion Enabling orderly change Maintaining the status quo Enforcing conduct standards Influencing conduct standards Compromise solution provisioning Facilitating reasonable expectations realization Providing for maximum individual self-assertion Why should you Attend: Information and associated technologies continue to advance toward diverse distributed configuration environments for entering, processing, storing, and retrieving data. The magnitude of changes occurring can be clearly seen in the explosion of linked IT infrastructures connected to cloud computing service providers and mobile computing devices. Consequently, the impact of such decentralization has increased the need for effective safeguarding of information assets. Foundationally paraphrasing from Title 44, Chapter 35, Subchapter III, Section 3542(b)(1) of the United States Code; the term "information security" is defined as the protecting of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Correspondingly, information security is typically a complex and dynamic safeguarding subject. Given the descriptive attributes normally associated with information security, IT auditors usually have a vast array of sub-topics to contemplate when performing information assets protection (IAP) related audits, reviews, or agreed-upon procedures. Information security design, deployment and assurance require dedication to continuous improvement to ensure optimum effectiveness and efficiency. Whereby, conformation of compliance with legislation, regulations, policies, directives, procedures, standards, and rules enable asserting ‘superior’ information security governance (ISG). Nonetheless, monitoring and evaluating the current state of implemented controls may take a variety of forms; including control self-assessments and IT audits. Furthermore, an IT auditor may not be the individual who executes an entity’s information security internal control review (ICR). However, an IT auditor may subsequently assess an ICR for effectiveness and/or efficiency. In the regulatory arena, a negative finding, coupled with prompt corrective actions can mitigate civil and criminal enforcement penalties, thereby potentially reducing or avoiding legal risks.