
IT AUDIT SOLUTIONS MANUAL

CHAPTER TWO

ETHICAL AND LEGAL ISSUES FOR IT AUDITORS

DISCUSSION QUESTIONS
2-1 Who is responsible for prevention and detection of irregular and illegal acts?
Management is responsible for the prevention and detection of irregular and illegal acts, not the IT auditor.

2-2 What types of written contracts do auditors typically examine? What are the three elements the auditor must ensure a contract contains?
Auditors typically examine written contracts dealing with purchase and sale of goods and services. Auditors should look to ensure that there are at least three elements contained in the contract: offer, consideration and acceptance.

2-3 What cannot be included in an employment contract?
An employment contract cannot include a requirement that the employee work for the employer for a stated period of time.

2-4 What stipulation of non-disclosure agreements dealing with trade secrets differs from confidentiality agreements?
The term of non-disclosure agreements may last indefinitely.

2-5 When is the contract element of consideration required and not required in a non-compete agreement? Why?
If a non-compete agreement is signed before or immediately after employment, consideration is not required because the employment itself is the consideration. If an employer requests an employee to sign a non-compete agreement during or upon termination of employment, additional consideration on the part of the employer may be required since the employment has already been established.

2-6 What does computer or cyber crime mean? Give ten examples.
Computer or cyber crime is the direct or indirect use of computer and communication technologies to perpetrate a criminal act. Acts include any behaviors determined by states or nations to be illegal. Examples include:
- hacking into an entity's network
- stealing intellectual property
- sabotaging a company's database
- denying service to others who wish to use a Web site
- harassing or blackmailing someone
- violating privacy rights
- engaging in industrial espionage
- pirating computer software
- perpetrating fraud
- any instrumental use of a computer and/or the Internet to assist or carry out a crime, such as an illegal narcotics trafficker who uses the Internet to coordinate sales and logistics

2-7 What are the three requirements of an invention in order to receive a patent?
An invention must be novel, useful, and not of an obvious nature.

2-8 What are four general types of intellectual discoveries covered under patent law?
- machines
- human made products
- compositions of matter
- processing methods

2-9 What does a breach of availability mean?
A breach of availability occurs when an authorized user is prevented from timely, reliable access to data or a system, such as a denial of service attack.

2-10 What is the responsibility of a manager in an organization for individual privacy rights?
Managers are obligated to institute proper internal controls aimed at protecting the confidentiality of personal information that is collected during the normal course of business.

EXERCISES
2-11 In September 1997, eBay revolutionized the concept of on-line marketplace exchanges by holding auctions over the Internet. Competitor on-line auction sites soon followed, such as Yahoo! and Amazon.com, and a new industry was born. In spring 1999, a related business model emerged: auction aggregators. The auction aggregator model was to search on-line auction sites, and offer listings and price information to users. For example, if a user of an auction aggregator was looking for, say, a particular rare coin, the aggregator would search eBay, Yahoo! and Amazon.com for the coin, and display the description and price to the user. Bidder's Edge was one of the most notable auction aggregators. The rise of auction aggregators was sparked by a court case which found that facts are public property, even if such facts are collected through the "sweat equity" of another entity (Feist Publications, Inc. versus Rural Telephone Service Co., 499 U.S. 340). eBay decided to sue Bidder's Edge for intellectual property right violations, even though the Feist decision weighed heavily in favor of Bidder's Edge. Various consumer groups, on both sides of the argument, rallied to the cause. As a result, H.R. 354 and H.R. 1858 were introduced in Congress in 1999. H.R. 354 basically asserts the "sweat of brow" doctrine, which states that facts which are collected as a result of substantial investments of time, personnel and effort are protected intellectual property of the collector. H.R. 1858, on the other hand, argues that it is in the public interest for Internet users to be able to obtain and compare information from various databases; thus, collected facts are public property.

Required: Discuss the pros and cons of H.R. 354 and H.R. 1858. In responding to this question, please consider the positions taken by Coalition Against Database Piracy (CADP) and NetCoalition.com in the debate.

Answer: The answer to the question posed above will certainly stir controversy, as there are legitimate arguments on both sides of the debate. You should encourage the students to visit the web sites of CADP and NetCoalition.com, as well as to read H.R. 354 and H.R. 1858. This is a great exercise for getting students involved in public policy issues, and to get them involved with Internet research.

2-12 In 1999, a company called DoubleClick was formed. The business model of DoubleClick was to track click-stream data, stored on cookies, for advertisers. There was little consumer opposition to DoubleClick, as the company did not collect personal information from users or their computers; rather, users were only identified by an ID number. DoubleClick offered an "opt out" policy, although it was difficult to find on its website. In 2000, DoubleClick formed Abacus Online, a click-stream database where users' click-streams were linked to personal information (with an opt-out policy) only when they made catalog purchases, completed on-line surveys or participated in drawings. Then, DoubleClick decided to merge the two databases to provide tailored information to advertisers. This strategy was vehemently opposed by Internet privacy rights groups. After much public outcry, DoubleClick abandoned its merger plans, at a sunk cost of $1.7 billion.

Required: How important is privacy to the ultimate survival of the Internet as a viable platform for e-commerce?

Answer: While a few students might argue that privacy does not and should not exist on the Internet, the vast majority of students will likely support some level of Internet privacy. This question should evoke some stimulating debate.

Required: What have the private sector, U.S. Federal government and the European Union done to protect Internet Privacy Rights?

Answer: This question will require students to research privacy issues over the Internet, where they will find dozens of privacy rights groups. With respect to the private sector, students should at least be aware of the P3P, which means Platform for Privacy Preferences Protection. Regarding the U.S. Federal government, students should refer to the Federal Trade Commission's (FTC) web site for recent positions on Internet privacy. Referring to the European Union, students should, at a minimum, note The Directive on Data Protection, which was the Union's attempt to harmonize privacy policies.
