
2.2 Irregular & Illegal Acts
(IS Audit and Assurance Guideline 2207 Irregularity and Illegal Acts)

Definition of Terms

Irregular act
- Reflects either an intentional violation of corporate policies or regulations or an unintentional breach of law
- Violation of an established management policy or regulatory requirement
- It may consist of deliberate misstatements or omission of information concerning the area under audit or the enterprise as a whole, gross negligence or unintentional illegal acts.

Illegal act
- Represents a willful violation of law

Examples
- Fraud
  - Deliberate misrepresentation of facts
  - Any act involving the use of deception to obtain illegal advantage; this has the aim of gaining illegal advantage or hiding irregularities or illegal acts
- Acts that involve non-compliance with laws and regulations
  - Includes the failure of IT systems to meet applicable laws and regulations
  - Unauthorized disclosure of data that is subject to privacy laws
- Acts that involve non-compliance with enterprise agreements and contracts with third parties
  - Banks, suppliers, vendors, service providers and stakeholders

Examples
- Manipulation, falsification, forgery or alteration of records or documents (electronic or paper form)
- Suppression or omission of the effects of transactions from records or documents (electronic or paper form)
- Inappropriate or deliberate leakage of confidential information
- Recording of transactions in financial or other records that lack substance and are known to be false (electronic or paper form)
  - False disbursement, payroll fraud, tax evasion

Examples
- Misappropriation and misuse of assets
- Skimming or defalcation
  - The misappropriation of cash before it is recorded in the financial records of an enterprise
- Acts that violate intellectual property (IP) rights
  - Intentional or unintentional
  - Copyright, trademark or patents
- Granting unauthorized access to information and systems
- Errors in financial or other records
  - These arise due to unauthorized access to data and systems

Fraudulent Irregularities
- Deliberate circumvention of controls with the intent to conceal the perpetuation of fraud
- Unauthorized use of assets or services
- Abetting or helping to conceal these types of activities

Non-Fraudulent Irregularities
- Intentional violations of established management policy
- Intentional violations of regulatory requirements
- Deliberate misstatements or omissions of information concerning the area under audit or the enterprise as a whole
- Gross negligence
- Unintentional illegal acts

Determination of Illegality
- This is based on the advice of an informed expert qualified to practice law, or may have to await final determination by a court of law

Responsibility for Prevention, Detection, and Reporting
- Management is responsible for the prevention and detection of irregular and illegal acts, not the IT auditor.
- CPAs are qualified to determine if acts are material to financial statements.
- ISACA guidelines on irregular & illegal acts clearly state that auditors ARE NOT QUALIFIED to determine whether an irregular, illegal or erroneous act has occurred.
  - It is outside the scope of an IT auditor
- If required to disclose such acts (mandated by authorized legal entities), IT auditors should consult legal counsel before making any disclosures to external parties

Responding to Irregularities and Illegal Acts
- Professionals should demonstrate an attitude of professional skepticism.
- Indicators:
  - Overrides of controls by management
  - Irregular or poorly explained management behaviour
  - Consistently over-performing, compared to set targets
  - Problems with, or delays in, receiving requested information or evidence
  - Transactions not following the normal approval cycles
  - Increase in activity of a certain customer
  - Increase in complaints from customers
  - Deviating access controls for some applications or users
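Three of the indicators above (transactions outside the normal approval cycle, deviating access controls, and an increase in one customer's activity) expressed as audit checks over constructed records. This is an added example, not code from the ISACA guideline or the original slides; the record fields, role baseline and the 2x activity threshold are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Txn:
    txn_id: str
    period: str                 # "prior" or "current" reporting period
    customer: str
    created_by: str
    approved_by: Optional[str]  # None = posted with no approval recorded


# Constructed sample transactions (not real data).
TXNS = [
    Txn("T1", "prior", "ACME", "alice", "bob"),
    Txn("T2", "prior", "GLOBEX", "carol", "bob"),
    Txn("T3", "current", "ACME", "alice", "alice"),  # creator approved own transaction
    Txn("T4", "current", "ACME", "dave", None),      # no approval step at all
    Txn("T5", "current", "ACME", "alice", "bob"),
    Txn("T6", "current", "ACME", "dave", "bob"),
    Txn("T7", "current", "GLOBEX", "carol", "bob"),
]

# Constructed role baseline and effective entitlements (e.g., from an access review export).
ROLE_BASELINE = {"ap_clerk": {"AP_ENTRY"}, "ap_manager": {"AP_ENTRY", "AP_APPROVE"}}
USER_ROLES = {"alice": "ap_clerk", "bob": "ap_manager", "carol": "ap_clerk", "dave": "ap_clerk"}
EFFECTIVE_ACCESS = {
    "alice": {"AP_ENTRY", "AP_APPROVE"},  # a clerk who can also approve: deviation
    "bob": {"AP_ENTRY", "AP_APPROVE"},
    "carol": {"AP_ENTRY"},
    "dave": {"AP_ENTRY", "GL_POST"},      # entitlement outside the role baseline
}


def approval_cycle_exceptions(txns):
    """Indicator: transactions not following the normal approval cycle
    (no approver recorded, or the creator approved their own transaction)."""
    return sorted(t.txn_id for t in txns
                  if t.approved_by is None or t.approved_by == t.created_by)


def access_deviations(user_roles, baseline, effective):
    """Indicator: users whose effective access exceeds their role baseline."""
    return {u: sorted(effective[u] - baseline[r])
            for u, r in user_roles.items() if effective[u] - baseline[r]}


def customer_activity_increase(txns, factor=2.0):
    """Indicator: customers whose current-period transaction count is at least
    `factor` times their prior-period count (threshold is an assumption)."""
    prior = Counter(t.customer for t in txns if t.period == "prior")
    current = Counter(t.customer for t in txns if t.period == "current")
    return sorted(c for c in current if current[c] >= factor * max(prior[c], 1))
```

Each function returns the exceptions rather than a verdict, because the guideline leaves the determination of whether an act is irregular or illegal to legal counsel, not the auditor.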

Responding to Irregularities and Illegal Acts
- When professionals become aware of information concerning a possible irregularity or illegal act, they should consider taking the following steps after direction from the appropriate legal authority:
  - Obtain an understanding of the nature of the act
  - Understand the circumstances in which the act occurred
  - Gather evidence of the occurrence of the act (e.g., letters, system records, computer files, security logs, customer or vendor information)
  - Identify all persons involved in committing the act
  - Obtain sufficient supportive information to evaluate the effect of the act
  - Perform limited additional procedures to determine the effect of the act and whether additional acts exist
  - Document and preserve all evidence and work performed
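One way to carry out the last two steps (gather evidence such as security logs and letters, then document and preserve it) is a collection manifest that records who collected each item, when, and its SHA-256 hash, so later alteration can be detected. This is an added example, not part of the guideline or the slides; the manifest layout and the sample files are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large log files do not need to be loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector, note):
    """Record what was collected, by whom, when, and each item's hash at collection time."""
    return {
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "note": note,
        "items": [{"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)} for p in paths],
    }


def verify_manifest(manifest):
    """Re-hash every item; return the paths that are missing or no longer match."""
    return [i["path"] for i in manifest["items"]
            if not os.path.exists(i["path"]) or sha256_file(i["path"]) != i["sha256"]]


def demo():
    """Constructed evidence set in a temp dir; one log is altered after collection."""
    d = tempfile.mkdtemp()
    log, letter = os.path.join(d, "security.log"), os.path.join(d, "letter.txt")
    with open(log, "w") as f:
        f.write("2024-01-05T10:12:03Z user=alice action=APPROVE txn=T3\n")  # constructed line
    with open(letter, "w") as f:
        f.write("constructed sample correspondence\n")
    manifest = build_manifest([log, letter], "it.auditor", "initial collection for review")
    with open(os.path.join(d, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)   # the manifest itself is part of the work record
    before = verify_manifest(manifest)     # [] : everything still matches
    with open(log, "a") as f:
        f.write("line appended after collection\n")
    after = verify_manifest(manifest)      # the altered log is flagged
    return before, [os.path.basename(p) for p in after]
```

The manifest should be stored separately from the evidence it describes (ideally write-once), otherwise it can be altered together with the items it is meant to protect.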

Responding to Irregularities and Illegal Acts
- Professionals should then consult with audit management to determine their next actions, which may involve reporting the event to enterprise management, passing further action to internal fraud investigators, and/or reporting to law enforcement or regulators.
- When an irregularity involves a member of management, professionals should reconsider the reliability of representations made by management. Typically, professionals should work with an appropriate level of management above the one associated with the irregularity or illegal act.
