Legal Auditing of Information Systems:

Preventing Legal Problems, Promoting Competitiveness

Eneken Tikk, attorney, Lextal Law Firm, Estonia

The legal auditing of information systems is a service aimed at discovering, mapping and minimising the legal risks related to the electronic information system of a business or organisation.


A legal audit examines the properties and functions of the operating principles, inputs and outputs of an information system, as well as the relevant human factor. This makes it possible to diagnose legal risks and their level, after which a plan for minimising the risks can be established (contracts, instructions, disclaimers, etc.).

An information system (Figure 1) is made up of relations between the enterprise and other parties (employees, customers, co-operation partners, etc.). It is necessary to define the rights and obligations of each relevant party so as to optimise information processing, determine the extent of authority, and grant access to inputs and outputs (the Web, extranet, intranet) or components thereof (price lists, customer databases).


Businesses and organisations usually face the following legal requirements in relation to their information systems:

• Personal data protection;
• Contracts in the IT field, including issues such as digital signatures and e-contracting;
• Copyright and intellectual property;
• Competition and liability.

A legal IS audit usually covers:

• Personal data and other confidential information (e.g., trade and business secrets);
• Intellectual property (copyright, protection of trademarks and domain names);
• Information Society services (spam, requirements for services, liability of ISPs);
• IT contracts;
• Aspects of market law.


Auditing is aimed at medium and large businesses and organisations which rely on information systems in their everyday activities. Before an audit is conducted, the potential benefits in terms of the organisation’s competitive position are assessed.


In advance of an audit, consultations occur between the IS manager and/or owner on the one hand and the auditor on the other. The auditor learns about the main properties of the system, its purposes (as determined through the area of activity and the practices of the enterprise), and all other relevant information that is needed before an audit offer is made.

The offer is then submitted to the owner of the information system, setting out a preliminary schedule, a statement of costs and logistics, and a specification of follow-up activities. When the audit is accepted, a contract is drawn up. It specifies the extent and purposes of the audit, as well as the relevant risks. It must also include provisions on overall auditing terms, a detailed schedule, the auditors who will conduct the process, and the documentation, testing and reporting which will take place.


An audit is usually carried out in two or three stages. The first focuses mostly on legal issues. For instance, many businesses and organisations process personal data online, while most Web sites do not comply with the relevant legal requirements. In the second stage, the legal practices of an enterprise are reconstructed on the basis of findings from the first stage, and the relevant instructions, contracts, etc., are drawn up. The third stage of the audit focuses on the strategy and capabilities of the enterprise and proposes the best solutions to be implemented over the course of time. The main question is how best to use the legal framework in the interests of the client.


An audit report is always prepared, and it indicates:

• The legal nature of the organisation’s information system;
• Legal requirements applied to the system, its functions, its operations, and its operators;
• Legal risks related to areas of activity and the interests of the organisation.

Proposals on minimising legal risks are attached to the audit report, as is an assessment of whether the organisation’s marketing strategies, labour and customer relations, and contract base conform to the law.

An audit allows an enterprise to take a critical look at its IS investments. All activities will then be in line with the law, and potential risks and damages are minimised. Most audits also address the further development of an IS from the legal perspective, producing an analysis of the relevant legal requirements.

Figure 1. The information system of an enterprise

