
E-COMPANIES

Legal Auditing of Information Systems: Preventing Legal Problems, Promoting Competitiveness


Eneken Tikk, attorney, Lextal Law Firm, Estonia

The legal auditing of information systems is a service aimed at discovering, mapping and minimising the legal risks related to the electronic information system of a business or organisation.

OVERVIEW
A legal audit examines the properties and functions of operating principles, inputs and outputs of an information system, as well as the relevant human factor. This makes it possible to diagnose legal risks and their level, and then a plan for minimising the risks can be established (contracts, instructions, disclaimers, etc.). An information system (Figure 1) is made up of relations between the enterprise and other parties (employees, customers, co-operation partners, etc.). It is necessary to define the rights and obligations of each relevant party so as to optimise information processing, determine the extent of authority, and grant access to inputs and outputs (the Web, extranet, intranet) or components thereof (price lists, customer databases).

TOPICS
Businesses and organisations usually face the following legal requirements in relation to their information systems: Personal data protection; Contracts in the IT field, including issues such as digital signatures and e-contracting; Copyright and intellectual property; Competition and liability. A legal IS audit usually covers: Personal data and other confidential information (e.g., trade and business secrets); Intellectual property (copyright, protection of trademarks and domain names); Information Society services (spam, requirements for services, liability of ISPs); IT contracts; Aspects of market law.

THE TARGET GROUP
Auditing is aimed at medium and large businesses and organisations which rely on information systems in their everyday activities. Before an audit is conducted, the potential benefits in terms of the organisation's competitive position are assessed.

ACTIVITIES
In advance of an audit, consultations occur between the IS manager and/or owner on the one hand and the auditor on the other. The auditor learns about the main properties of the system, its purposes, as determined through the area of activity and the practices of the enterprise, and all other relevant information that is needed before an audit offer is made. The offer is then submitted to the owner of the information system, setting out a preliminary schedule, a statement of costs and logistics, and a specification of follow-up activities. When the audit is accepted, a contract is drawn up. It specifies the extent and purposes of the audit, as well as relevant risks. It must also include provisions on overall auditing terms, a detailed schedule, the auditors who will conduct the process, and the documentation, testing and reporting which will take place.

STAGES
An audit is usually carried out in two or three stages. The first focuses mostly on legal issues. For instance, many businesses and organisations process personal data online, while most Web sites do not comply with the relevant legal requirements. In the second stage, the legal practices of an enterprise are reconstructed on the basis of findings from the first stage. The relevant instructions, contracts, etc., are drawn up. The third stage of the audit focuses on the strategy and capabilities of the enterprise and proposes the best solutions to be implemented over the course of time. The central question is how best to use the legal framework in the interests of the client.

RESULTS
An audit report is always prepared, and it indicates: The legal nature of the organisation's information system; Legal requirements applied to the system, its functions, its operations, and its operators; Legal risks related to areas of activity and the interests of the organisation. Proposals on minimising legal risks are attached to the audit report, as is an assessment of the conformity of marketing strategies, labour and customer relations, and the organisation's contract base to the law. An audit allows an enterprise to take a critical look at its IS investments. All activities will then be in line with the law, and potential risks and damages are minimised. Most audits also speak to the further development of an IS from the legal perspective, producing an analysis of the relevant legal requirements.

Baltic IT&T Review #37

Figure 1. The information system of an enterprise


