Every business or private entity operates within a legal framework that requires it to comply with certain regulations and laws, and it is the responsibility of the entity’s management to ensure compliance with all applicable laws and regulations.
Because IS systems have become the backbone of many key business functions, it has become important over the years that IS systems and practices also comply with these legal requirements.
Legal compliance has two dimensions. The first is the responsibility placed on the audit function as a result of the legal framework in which the company operates; the second is the set of legal conditions and requirements that apply to the auditee, its business and IT systems, its data storage and reporting, and so on.
Compliance with relevant laws and regulations has become an area of major concern after many system-based frauds were reported, and the result is ever-increasing legal scrutiny. In the United States, for example, the Health Portability and Accountability Act, the Practices of Personal Data Directives and the Sarbanes Oxley Act are some of the legal requirements within which businesses have to operate.
The Sarbanes Oxley Act requires business entities to select and implement a control framework so that a standardized control structure is in place. When auditing information systems in the United States, IS auditors must be aware of the implications of the Sarbanes Oxley Act. Similarly, in Europe, the Protection of Personal Data Directives and Electronic Commerce laws are among those the IS auditor should consider as part of IS audit planning.
As an IS auditor, you need to thoroughly understand the legal environment and domain in which the entity works. You then need to list all the IT systems, data, HR, applications and process flows within systems and applications, together with all contracts that deal with information systems (including support contracts), and evaluate which areas fall under legal compliance requirements and how compliant they are. Any departure or gap should be identified, because of the high risks and costs it entails for the auditee.
As a CISA candidate, you will not be evaluated on any particular law or regulation, but you should be aware of the general guidelines and underlying principles of legal compliance, both for the entity and for the auditor.