
icte1073

auditing in a cis environment


Handout #1 – THE LEGAL ENVIRONMENT AND ITS IMPACT ON INFORMATION
TECHNOLOGY

IT CRIMES

3 Types:

1. Computer is the target of the crime – generally involves information theft, but can also involve unauthorized
access and modification of records.

Examples:
• Techno-trespass. Unauthorized access to computerized records.
• Techno-vandalism. After gaining unauthorized access to computerized records, these records are tampered
with.

Most common way of gaining unauthorized access: Being a super-user through a “backdoor” in the system, which
is equivalent to being a system manager/administrator. This enables the IT criminal to access practically all areas
and functions within the system.

2. Computer is used as an instrument of the crime

Examples:
• ATM Skimming. This is like identity theft for ATM cards. Thieves use hidden electronics to steal the
personal information stored on your card and record your PIN to access the cash in your account.
• Cellphone Number Cloning. This crime is committed by capturing computerized billing codes during
cellular transmissions and transferring them to a computer; with the help of a program, the criminal then
bills his usage to other customers.
• Fraud from Computer Transactions. Usually involves unauthorized online transactions via credit cards.

3. Computer is not necessary to commit the crime – Use of the computer is incidental and is only used to commit
the crime faster, process greater amounts of information, and make the crime more difficult to identify and trace.

Example: Child Pornography

PROTECTION AGAINST COMPUTER FRAUD

IT auditors’ concerns include not only auditing the use and application of IT by the business, but also the security of the
business’ data. Therefore, IT auditors should alert their clients to the dangers that are present. There are several ways to
protect against computer fraud, such as:

• Turning audit trails on
• Placing a log-in banner
• Installing Caller IDs
• Making backups of damaged or altered files
• Maintaining old backups to show the status of the original
• Designating one person to secure potential evidence
• Keeping a record of resources used to reestablish the system and locate the perpetrator
• Encrypting files
• Encrypting transmissions
• Using one-time password (OTP) generators
• Using secure firewalls

In addition to the primary function of auditing the use and application of IT by businesses, the IT auditor has taken on
the additional responsibility for the security of the system.

THE ENRON SCANDAL AND ITS AFTERMATH AND RESPONSES

Enron Corporation – an American energy, commodities, and services company based in Houston. It was founded in 1985
after the merger of Houston Natural Gas and InterNorth. It is one of the world's major electricity, natural gas, communications
and pulp and paper companies.

Arthur Andersen, LLP – was once one of the world’s five largest accounting firms (besides PwC, Deloitte, EY, and KPMG).
It was the firm engaged to audit the financial statements of Enron.

Timeline of the Enron Scandal:

July 1985 Enron is formed by the merger of Houston Natural Gas and Omaha-based InterNorth.

2000 Enron reaches No. 7 on the Fortune 500 list.

August 14, 2001 Skilling resigns as CEO, and Lay becomes CEO again. (He had been CEO from 1985-2000.)

August 15, 2001 Sherron Watkins sends a memo to Lay about accounting issues.

October 16, 2001 Enron announces a third-quarter loss of $618 million.


October 31, 2001 The SEC opens a formal investigation into Enron's transactions.

November 9, 2001 Enron and Dynegy announce a $7.8 billion merger agreement. It would form Dynegy Corp, in which
Dynegy would own 64% and Enron 36%.

November 28, 2001 Dynegy announces it has terminated merger talks with Enron.

December 2, 2001 Enron files for Chapter 11 protection, becoming the largest bankruptcy in US history at that time
and leaving thousands of workers with worthless stock.

January 9, 2002 The US Department of Justice opens a criminal investigation into Enron's collapse.

January 11, 2002 The SEC widens its investigation to include Enron's chief auditor, Arthur Andersen, due to reports
of document shredding.

January 15, 2002 The NYSE suspends trading of Enron shares.

January 17, 2002 Enron ends its partnership with Arthur Andersen.

January 23, 2002 Lay resigns as chairman of the board and CEO.

January 25, 2002 Former Enron vice chairman J. Clifford Baxter commits suicide in Sugarland, Texas.

January 30, 2002 Enron appoints Stephen Cooper as its interim CEO.

February 4, 2002 Lay resigns from Enron's board of directors.

February 7, 2002 Andrew Fastow, Michael Kopper, Richard Buy and Richard Causey all invoke their Fifth
Amendment rights before the House Energy and Commerce Committee.

February 12, 2002 Lay invokes his Fifth Amendment right before the Senate Commerce Committee.

February 14, 2002 Whistleblower Watkins testifies before the House of Representatives.

February 26, 2002 Skilling, Watkins and Jeffrey McMahon testify before the US Senate Commerce Committee.

March 14, 2002 US Justice Department indicts accounting firm Arthur Andersen for obstruction of justice in the
Enron case.

April 2002 Enron rises to No. 5 on the Fortune 500 list despite its bankruptcy filing. Fortune bases its rankings
only on the first nine months of revenue in 2001, which totaled $138.7 billion.

June 15, 2002 Arthur Andersen is found guilty of obstructing justice.

August 21, 2002 Former Enron executive Kopper pleads guilty to conspiracy to commit wire fraud and money
laundering conspiracy.

October 2, 2002 Fastow is charged with securities fraud, wire fraud, mail fraud, money laundering and conspiracy.

May 1, 2003 Fastow, his wife, and seven others are charged in a superseding indictment for actions relating to
the firm's financial scandals.

January 8, 2004 Judge David Hittner says he will accept Lea Fastow's plea deal in exchange for a guilty plea that
could reduce her prison time.

January 14, 2004 Fastow and his wife each plead guilty, as part of a plea agreement.

January 22, 2004 Causey pleads not guilty to five counts of securities fraud and one count of conspiracy to commit
securities fraud.

February 19, 2004 Former Enron CEO Skilling is indicted on fraud and conspiracy charges and pleads not guilty.

May 6, 2004 Lea Fastow pleads guilty to a single count of filing a false tax return and receives a 12-month
sentence.

May 19, 2004 The former Enron vice president responsible for investor relations, Paula Rieker, pleads guilty to
insider trading.

July 7, 2004 Lay is indicted on 11 counts - one count of conspiracy to commit security and wire fraud, two counts
of wire fraud for misleading statements at employee meetings, four counts of securities fraud for
false statements in presentations to securities analysts, one count of bank fraud and three counts
of making false statements to banks.

July 8, 2004 Lay pleads not guilty to all 11 charges and is released on $500,000 unsecured bond.

November 3, 2004 The first criminal trial ends with the acquittal of former accountant Sheila Kahanek.

November 17, 2004 Enron comes out of bankruptcy after selling its interest in three natural gas pipelines to CCE
Holdings for $2 billion.

May 31, 2005 The US Supreme Court overturns Arthur Andersen's obstruction of justice conviction.

December 28, 2005 Causey pleads guilty to securities fraud for his role in the Enron scandal. He will serve only seven
years in exchange for cooperating with prosecutors seeking convictions of his former bosses, Lay
and Skilling.

March 28, 2006 The judge dismisses three counts against Skilling (two charges of securities fraud and one charge
of lying to auditors) and one count of securities fraud against Lay.

May 25, 2006 The jury in the Enron case finds former CEO Skilling and founder Lay guilty of conspiracy and
fraud. Lay is convicted of all six counts against him and Skilling is found guilty on 19 counts of
conspiracy, fraud, false statements and insider trading. Skilling is found not guilty on nine counts
of insider trading. Judge Simeon T. Lake announces four guilty verdicts in the separate bench trial
of Lay on separate counts of conspiracy and fraud.

July 5, 2006 Lay dies in Aspen, Colorado, from a heart attack brought on by severe coronary artery disease.

September 26, 2006 Fastow is sentenced to six years in prison, four years less than his plea agreement stipulated in
January 2004.

October 17, 2006 Judge Lake erases Lay's fraud and conspiracy convictions. This is a long-standing legal practice
of the US federal courts if the defendant dies before he/she has a chance for an appeal to be heard.

October 23, 2006 Skilling is sentenced to 24 years and four months in prison.

November 7, 2006 Fastow reports to the Oakdale, Louisiana, federal detention center to begin serving his six-year
sentence.

November 15, 2006 Former COO Causey is sentenced to five years and six months in prison for one count of securities
fraud.

November 16, 2006 Skilling appeals his convictions to the 5th Circuit Court of Appeals.

December 13, 2006 Skilling reports to prison in Waseca, Minnesota, after a judge refuses to allow him to remain free
pending appeal.

January 3, 2007 Causey reports to the Bastrop Federal Correctional Institution to begin serving his five-and-a-half-
year sentence.

January 6, 2009 The US Court of Appeals affirms Skilling's conviction but sends his case back for resentencing.

June 24, 2010 The US Supreme Court rules that Skilling was incorrectly prosecuted under a law concerning
"honest-services fraud." The court then nullifies Skilling's conviction on that charge.

April 6, 2011 The Fifth US Circuit Court of Appeals confirms Skilling's criminal conviction.

May 16, 2011 Fastow is transferred from a federal prison in Louisiana to a halfway house in Houston. He is later
allowed to move to his home to complete his sentence.

May 17, 2011 Causey begins serving the rest of his five-and-a-half-year sentence in home confinement.

December 17, 2011 Fastow's home confinement ends and he begins two years of probation.

April 16, 2012 The US Supreme Court turns aside Skilling's second appeal. A few weeks later, Skilling's attorney
files a motion requesting a new trial in Houston federal court citing newly discovered evidence.

June 21, 2013 A federal judge reduces Skilling's sentence by more than 10 years. As part of the resentencing deal
brokered between prosecutors and the defense, Skilling agrees to stop challenging his conviction
and forfeit roughly $42 million that will be distributed among the victims of the Enron fraud.

November 18, 2015 A federal judge issues a ruling that bars Skilling from ever acting as an officer or director of a
publicly traded company again, settling a long-running civil suit by the US Securities Exchange
Commission.

March 1, 2017 A federal judge dismisses a class action lawsuit against UBS, accused of hiding fraud committed
by Enron, a former client.

In response to this large-scale accounting fraud that Enron committed and Arthur Andersen helped conceal, the Sarbanes-
Oxley Act was signed into law.

MAJOR ELEMENTS OF THE SARBANES-OXLEY ACT:

1. Public Company Accounting Oversight Board (PCAOB)

Title I consists of nine sections and establishes the Public Company Accounting Oversight Board, to provide independent
oversight of public accounting firms providing audit services ("auditors"). It also creates a central oversight board tasked
with registering auditors, defining the specific processes and procedures for compliance audits, inspecting and policing
conduct and quality control, and enforcing compliance with the specific mandates of SOX.

2. Auditor Independence

Title II consists of 9 sections and establishes standards for external auditor independence, to limit conflicts of interest. It
also addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements. It restricts
auditing companies from providing non-audit services (e.g., consulting) for the same clients.

3. Corporate Responsibility

Title III consists of eight sections and mandates that senior executives take individual responsibility for the accuracy and
completeness of corporate financial reports. It defines the interaction of external auditors and corporate audit committees,
and specifies the responsibility of corporate officers for the accuracy and validity of corporate financial reports. It enumerates
specific limits on the behaviors of corporate officers and describes specific forfeitures of benefits and civil penalties for non-
compliance. For example, Section 302 requires that the company's "principal officers" (typically the Chief Executive Officer
and Chief Financial Officer) certify and approve the integrity of their company financial reports quarterly.

4. Enhanced Financial Disclosures

Title IV consists of nine sections. It describes enhanced reporting requirements for financial transactions, including off-
balance-sheet transactions, pro-forma figures and stock transactions of corporate officers. It requires internal controls for
assuring the accuracy of financial reports and disclosures, and mandates both audits and reports on those controls. It also
requires timely reporting of material changes in financial condition and specific enhanced reviews by the SEC or its agents
of corporate reports.

5. Analyst Conflicts of Interest

Title V consists of only one section, which includes measures designed to help restore investor confidence in the reporting
of securities analysts. It defines the codes of conduct for securities analysts and requires disclosure of knowable conflicts
of interest.

6. Commission Resources and Authority

Title VI consists of four sections and defines practices to restore investor confidence in securities analysts. It also defines
the SEC's authority to censure or bar securities professionals from practice and defines conditions under which a person
can be barred from practicing as a broker, advisor, or dealer.

7. Studies and Reports

Title VII consists of five sections and requires the Comptroller General and the SEC to perform various studies and report
their findings. Studies and reports include the effects of consolidation of public accounting firms, the role of credit rating
agencies in the operation of securities markets, securities violations, and enforcement actions, and whether investment
banks assisted Enron, Global Crossing, and others to manipulate earnings and obfuscate true financial conditions.

8. Corporate and Criminal Fraud Accountability

Title VIII consists of seven sections and is also referred to as the "Corporate and Criminal Fraud Accountability Act of 2002".
It describes specific criminal penalties for manipulation, destruction or alteration of financial records or other interference
with investigations, while providing certain protections for whistle-blowers.

9. White Collar Crime Penalty Enhancement

Title IX consists of six sections. This section is also called the "White Collar Crime Penalty Enhancement Act of 2002". This
section increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger
sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offense.

10. Corporate Tax Returns

Title X consists of one section. Section 1001 states that the Chief Executive Officer should sign the company tax return.

11. Corporate Fraud Accountability

Title XI consists of seven sections. Section 1101 recommends a name for this title as "Corporate Fraud Accountability Act
of 2002". It identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific
penalties. It also revises sentencing guidelines and strengthens their penalties. This enables the SEC to resort to temporarily
freezing transactions or payments that have been deemed "large" or "unusual".
