

BSAC 117 Computer Audit


SEATWORK 1 (Ethics, Fraud and Internal Control)
C. Gonzaga
Date: August 17, 2020

Deadline for Submission: Tonight at 9:00 PM

Where to submit: Google Classroom

Topic: Laws on Information Technology

SURNAME: Medina FIRST NAME: Leoreyn Faye M.I.: Y.

Question #1. Enumerate the provisions of the ISACA Code of Ethics.

Members and ISACA certification holders shall:

1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
2. Perform their duties with objectivity, due diligence and
professional care, in accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while
maintaining high standards of conduct and character, and not
discrediting their profession or the Association.
4. Maintain the privacy and confidentiality of information obtained
in the course of their activities unless disclosure is required by
legal authority. Such information shall not be used for personal
benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to
undertake only those activities they can reasonably expect to
complete with the necessary skills, knowledge and
competence.
6. Inform appropriate parties of the results of work performed
including the disclosure of all significant facts known to them
that, if not disclosed, may distort the reporting of the results.
7. Support the professional education of stakeholders in
enhancing their understanding of the governance and
management of enterprise information systems and
technology, including: audit, control, security and risk
management.
8. Failure to comply with this Code of Professional Ethics can
result in an investigation into a member's or certification
holder's conduct and, ultimately, in disciplinary measures.

Reference: https://www.isaca.org/credentialing/code-of-professional-ethics#:~:text=Perform%20their%20duties%20with%20objectivity,their%20profession%20or%20the%20Association.

Question #2. What is the objective of the RA 10175 (Cybercrime Prevention Act)?

1. To provide an environment conducive to the development, acceleration, and rational application and exploitation of information and communications technology (ICT) to attain free, easy, and intelligible access to exchange and/or delivery of information
2. To protect and safeguard the integrity of computer, computer and communications systems, networks, and databases, and the confidentiality, integrity, and availability of information and data stored therein, from all forms of misuse, abuse, and illegal access by making punishable under the law such conduct or conducts
3. To prevent and combat such offenses by facilitating their detection, investigation, and prosecution at both the domestic and international levels, and by providing arrangements for fast and reliable international cooperation

Reference: https://www.officialgazette.gov.ph/2012/09/12/republic-act-no-10175/

Question #3. Enumerate the acts that constitute cybercrime offenses. Define or describe each briefly.

Offenses against the confidentiality, integrity and availability of computer data and systems:

1. Illegal Access. – The access to the whole or any part of a computer system without right.
2. Illegal Interception. – The interception made by technical means without right of any non-public transmission of computer data to, from, or within a computer system including electromagnetic emissions from a computer system carrying such computer data.
3. Data Interference. — The intentional or reckless alteration,
damaging, deletion or deterioration of computer data,
electronic document, or electronic data message, without right,
including the introduction or transmission of viruses.
4. System Interference. — The intentional alteration or reckless
hindering or interference with the functioning of a computer or
computer network by inputting, transmitting, damaging,
deleting, deteriorating, altering or suppressing computer data
or program, electronic document, or electronic data message,
without right or authority, including the introduction or
transmission of viruses.
5. Misuse of Devices.
a) The use, production, sale, procurement, importation,
distribution, or otherwise making available, without
right, of:
i. A device, including a computer program,
designed or adapted primarily for the
purpose of committing any of the offenses
under this Act; or
ii. A computer password, access code, or
similar data by which the whole or any part
of a computer system is capable of being
accessed with intent that it be used for the
purpose of committing any of the offenses
under this Act.
b) The possession of an item referred to in paragraphs
5(i)(aa) or (bb) above with intent to use said devices
for the purpose of committing any of the offenses
under this section.
6. Cyber-squatting. – The acquisition of a domain name over the
internet in bad faith to profit, mislead, destroy reputation, and
deprive others from registering the same, if such a domain
name is:
a) Similar, identical, or confusingly similar to an
existing trademark registered with the appropriate
government agency at the time of the domain
name registration;
b) Identical or in any way similar with the name of a
person other than the registrant, in case of a
personal name; and
c) Acquired without right or with intellectual property
interests in it.

Computer-related Offenses:

1. Computer-related Forgery
a) The input, alteration, or deletion of any computer data without right resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible; or
b) The act of knowingly using computer data which is
the product of computer-related forgery as defined
herein, for the purpose of perpetuating a
fraudulent or dishonest design.
2. Computer-related Fraud. — The unauthorized input, alteration,
or deletion of computer data or program or interference in the
functioning of a computer system, causing damage thereby
with fraudulent intent: Provided, That if no damage has yet
been caused, the penalty imposable shall be one (1) degree
lower.
3. Computer-related Identity Theft. – The intentional acquisition,
use, misuse, transfer, possession, alteration or deletion of
identifying information belonging to another, whether natural or
juridical, without right: Provided, That if no damage has yet
been caused, the penalty imposable shall be one (1) degree
lower.

Content-related Offenses:

1. Cybersex. — The willful engagement, maintenance, control, or operation, directly or indirectly, of any lascivious exhibition of
sexual organs or sexual activity, with the aid of a computer
system, for favor or consideration.
2. Child Pornography. — The unlawful or prohibited acts defined
and punishable by Republic Act No. 9775 or the Anti-Child
Pornography Act of 2009, committed through a computer
system: Provided, That the penalty to be imposed shall be (1)
one degree higher than that provided for in Republic Act No.
9775.
3. Unsolicited Commercial Communications. — The transmission
of commercial electronic communication with the use of
computer system which seek to advertise, sell, or offer for sale
products and services are prohibited unless:
a) There is prior affirmative consent from the
recipient; or
b) The primary intent of the communication is for
service and/or administrative announcements from
the sender to its existing users, subscribers or
customers; or
c) The following conditions are present:
i. The commercial electronic communication contains a simple, valid, and reliable way for the recipient to reject receipt of further commercial electronic messages (opt-out) from the same source;
ii. The commercial electronic
communication does not purposely
disguise the source of the electronic
message; and
iii. The commercial electronic
communication does not purposely
include misleading information in any part
of the message in order to induce the
recipients to read the message.
4. Libel. — The unlawful or prohibited acts of libel as defined in
Article 355 of the Revised Penal Code, as amended,
committed through a computer system or any other similar
means which may be devised in the future.

Other Offenses:

1. Aiding or Abetting in the Commission of Cybercrime. – Any person who willfully abets or aids in the commission of any of the offenses enumerated in this Act shall be held liable.


2. Attempt in the Commission of Cybercrime. — Any person who
willfully attempts to commit any of the offenses enumerated in
this Act shall be held liable.

Reference: https://www.officialgazette.gov.ph/2012/09/12/republic-act-no-10175/

Question #4. Under this Act, what are the penalties for cybercrime offenses?

1. Any person found guilty of any of the punishable acts enumerated in Sections 4(a) and 4(b) of this Act shall be punished with imprisonment of prision mayor or a fine of at least Two hundred thousand pesos (PhP200,000.00) up to a maximum amount commensurate to the damage incurred or both.
2. Any person found guilty of the punishable act under Section
4(a)(5) shall be punished with imprisonment of prision mayor
or a fine of not more than Five hundred thousand pesos
(PhP500,000.00) or both.
3. If punishable acts in Section 4(a) are committed against critical
infrastructure, the penalty of reclusion temporal or a fine of at
least Five hundred thousand pesos (PhP500,000.00) up to
maximum amount commensurate to the damage incurred or
both, shall be imposed.
4. Any person found guilty of any of the punishable acts
enumerated in Section 4(c)(1) of this Act shall be punished
with imprisonment of prision mayor or a fine of at least Two
hundred thousand pesos (PhP200,000.00) but not exceeding
One million pesos (PhP1,000,000.00) or both.
5. Any person found guilty of any of the punishable acts
enumerated in Section 4(c)(2) of this Act shall be punished
with the penalties as enumerated in Republic Act No. 9775 or
the “Anti-Child Pornography Act of 2009”: Provided, That the
penalty to be imposed shall be one (1) degree higher than that
provided for in Republic Act No. 9775, if committed through a
computer system.
6. Any person found guilty of any of the punishable acts
enumerated in Section 4(c)(3) shall be punished with
imprisonment of arresto mayor or a fine of at least Fifty
thousand pesos (PhP50,000.00) but not exceeding Two
hundred fifty thousand pesos (PhP250,000.00) or both.
7. Any person found guilty of any of the punishable acts
enumerated in Section 5 shall be punished with imprisonment
one (1) degree lower than that of the prescribed penalty for the
offense or a fine of at least One hundred thousand pesos
(PhP100,000.00) but not exceeding Five hundred thousand
pesos (PhP500,000.00) or both.

Reference: https://www.officialgazette.gov.ph/2012/09/12/republic-act-no-10175/

Question #5. What are the objectives of the Philippine E-commerce Act?

To facilitate domestic and international dealings, transactions, arrangements, agreements, contracts and exchanges and storage of information through the utilization of electronic, optical and similar medium, mode, instrumentality and technology to recognize the authenticity and reliability of electronic documents related to such activities and to promote the universal use of electronic transaction in the government and general public.

Reference: http://www.bsp.gov.ph/downloads/laws/RA8792.pdf

Question #6. Enumerate the offenses that are punishable under this Act. Define or describe each briefly.

1. Hacking or cracking which refers to unauthorized access into or interference in a computer system/server or information and communication system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages or electronic document
2. Piracy or the unauthorized copying, reproduction,
dissemination, distribution, importation, use, removal,
alteration, substitution, modification, storage, uploading,
downloading, communication, making available to the public,
or broadcasting of protected material, electronic signature or
copyrighted works including legally protected sound recordings
or phonograms or information material on protected works,
through the use of telecommunication networks, such as, but
not limited to, the internet, in a manner that infringes
intellectual property rights
3. Violations of the Consumer Act or Republic Act No. 7394 and
other relevant or pertinent laws through transactions covered
by or using electronic data messages or electronic documents,
shall be penalized with the same penalties as provided in
those laws and other violations of this act

Reference: http://www.bsp.gov.ph/downloads/laws/RA8792.pdf

Question #7. What are the penalties for violating the Philippine E-commerce Law?

1. Hacking or cracking which refers to unauthorized access into or interference in a computer system/server or information and communication system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages or electronic document shall be punished by a minimum fine of one hundred thousand pesos (P100,000.00) and a maximum commensurate to the damage incurred and a mandatory imprisonment of six (6) months to three (3) years;
2. Piracy or the unauthorized copying, reproduction,
dissemination, distribution, importation, use, removal,
alteration, substitution, modification, storage, uploading,
downloading, communication, making available to the public,
or broadcasting of protected material, electronic signature or
copyrighted works including legally protected sound recordings
or phonograms or information material on protected works,
through the use of telecommunication networks, such as, but
not limited to, the internet, in a manner that infringes
intellectual property rights shall be punished by a minimum fine
of one hundred thousand pesos (P100,000.00) and a
maximum commensurate to the damage incurred and a
mandatory imprisonment of six (6) months to three (3) years;
3. Violations of the Consumer Act or Republic Act No. 7394 and other relevant or pertinent laws through transactions covered by or using electronic data messages or electronic documents, shall be penalized with the same penalties as provided in those laws;
4. Other violations of the provisions of this Act, shall be penalized with a maximum penalty of one million pesos (P1,000,000.00) or six (6) years imprisonment.

Reference: http://www.bsp.gov.ph/downloads/laws/RA8792.pdf

Question # 8. Based on the Philippine E-commerce Act, define the following terminologies:
a. Electronic Document
b. Electronic signature
c. Electronic Key
d. Electronic Data Message
e. Information and Communication System
f. Hacking
g. Piracy

1. Electronic document refers to information or the representation of information, data, figures, symbols or other modes of written expression, described or however represented, by which a right is established or an obligation extinguished, or by which a fact may be proved and affirmed, which is received, recorded, transmitted, stored, processed, retrieved or produced electronically.
2. Electronic signature refers to any distinctive mark, characteristic and/or sound in electronic form, representing the identity of a person and attached to or logically associated with the electronic data message or electronic document or any methodology or procedures employed or adopted by a person and executed or adopted by such person with the intention of authenticating or approving an electronic data message or electronic document.
3. Electronic key refers to a secret code which secures and defends sensitive information that crosses over public channels into a form decipherable only with a matching electronic key.
4. Electronic Data message refers to information generated,
sent, received or stored by electronic, optical or similar
means.
5. Information and communication system refers to a system
intended for and capable of generating, sending, receiving,
storing or otherwise processing electronic data messages
or electronic documents and includes the computer system
or other similar device by or in which data is recorded or
stored and any procedures related to the recording or
storage of electronic data message or electronic
document.
6. Hacking or cracking which refers to unauthorized access
into or interference in a computer system/server or
information and communication system; or any access in
order to corrupt, alter, steal, or destroy using a computer or
other similar information and communication devices,
without the knowledge and consent of the owner of the
computer or information and communications system,
including the introduction of computer viruses and the like,
resulting in the corruption, destruction, alteration, theft or
loss of electronic data messages or electronic document.
7. Piracy or the unauthorized copying, reproduction,
dissemination, distribution, importation, use, removal,
alteration, substitution, modification, storage, uploading,
downloading, communication, making available to the
public, or broadcasting of protected material, electronic
signature or copyrighted works including legally protected
sound recordings or phonograms or information material
on protected works, through the use of telecommunication
networks, such as, but not limited to, the internet, in a
manner that infringes intellectual property rights

Reference:

Question # 9. Are digital documents admissible as legal evidence? Identify the specific provisions that support your answer.

According to A.M. NO. 01-7-01-SC.- RE: RULES ON ELECTRONIC EVIDENCE Rule 2 Section 2. Admissibility, an electronic document is admissible in evidence if it complies with the rules on admissibility prescribed by the Rules of Court and related laws and is authenticated in the manner prescribed by these Rules.

Reference: https://www.set.gov.ph/resources/rules-on-electronic-evidence/#:~:text=%E2%80%93%20An%20electronic%20document%20is%20admissible,manner%20prescribed%20by%20these%20Rules.

Question #10. Why was the Sarbanes Oxley (SOX) Act of 2002 enacted? (Hint: You may give a brief historical background of this Law.)

The Sarbanes-Oxley Act of 2002 came in response to financial scandals in the early 2000s involving publicly traded companies such as Enron Corporation, Tyco International plc, and WorldCom. The high-profile frauds shook investor confidence in the trustworthiness of corporate financial statements and led many to demand an overhaul of decades-old regulatory standards.

Reference: https://www.investopedia.com/terms/s/sarbanesoxleyact.asp#:~:text=The%20Sarbanes%2DOxley%20(SOX)%20Act%20of%202002%20came%20in,imposed%20more%20stringent%20recordkeeping%20requirements.

Question #11. Explain briefly the provisions of SOX concerning the following:
a. Public Accounting Company Oversight Board
b. Corporate Responsibility for Financial Reports
c. Prohibited activities of independent auditor
d. Management Assessment of Internal Controls
e. Real-time issuer disclosures
f. Attempts and conspiracies to commit fraud offenses

1. Public Accounting Company Oversight Board – This is established to oversee the audit of public companies that are subject to the securities laws, and related matters, in order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports for companies the securities of which are sold to, and held by and for, public investors. The Board shall be a body corporate, operate as a nonprofit corporation, and have succession until dissolved by an Act of Congress.
2. Corporate Responsibility for Financial Reports – The Commission shall, by rule, require, for each company filing periodic reports that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that—
i. the signing officer has reviewed the report;
ii. based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
iii. based on such officer’s knowledge, the financial
statements, and other financial information included in
the report fairly present in all material respects the
financial condition and results of operations of the
issuer as of, and for, the periods presented in the
report;
iv. the signing officers—
a) are responsible for establishing and
maintaining internal controls;
b) have designed such internal controls to ensure
that material information relating to the issuer and
its consolidated subsidiaries is made known to
such officers by others within those entities,
particularly during the period in which the periodic
reports are being prepared;
c) have evaluated the effectiveness of the issuer’s
internal controls as of a date within 90 days prior
to the report; and
d) have presented in the report their conclusions
about the effectiveness of their internal controls
based on their evaluation as of that date;
v. the signing officers have disclosed to the issuer’s
auditors and the audit committee of the board of
directors (or persons fulfilling the equivalent function)
a) all significant deficiencies in the design or
operation of internal controls which could
adversely affect the issuer’s ability to record,
process, summarize, and report financial data and
have identified for the issuer’s auditors any
material weaknesses in internal controls; and
b) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and
vi. the signing officers have indicated in the report
whether or not there were significant changes in
internal controls or in other factors that could
significantly affect internal controls subsequent to the
date of their evaluation, including any corrective
actions with regard to significant deficiencies and
material weaknesses
3. Prohibited activities of independent auditor - it shall be unlawful
for a registered public accounting firm (and any associated
person of that firm, to the extent determined appropriate by the
Commission) that performs for any issuer any audit required by
this title or the rules of the Commission under this title or,
beginning 180 days after the date of commencement of the
operations of the Public Company Accounting Oversight Board
established under section 101 of the Sarbanes-Oxley Act of
2002, the rules of the Board, to provide to that issuer,
contemporaneously with the audit, any non-audit service,
including—
a) bookkeeping or other services related to the
accounting records or financial statements of the
audit client;
b) financial information systems design and
implementation;
c) appraisal or valuation services, fairness opinions,
or contribution-in-kind reports;
d) actuarial services;
e) internal audit outsourcing services;
f) management functions or human resources;
g) broker or dealer, investment adviser, or investment
banking services;
h) legal services and expert services unrelated to the
audit; and
i) any other service that the Board determines, by
regulation, is impermissible.
4. Management Assessment of Internal Controls - each
registered public accounting firm that prepares or issues the
audit report for the issuer shall attest to, and report on, the
assessment made by the management of the issuer. An
attestation made under this subsection shall be made in
accordance with standards for attestation engagements issued
or adopted by the Board. Any such attestation shall not be the
subject of a separate engagement.
5. Real-time issuer disclosures - Each issuer reporting shall
disclose to the public on a rapid and current basis such
additional information concerning material changes in the
financial condition or operations of the issuer, in plain English,
which may include trend and qualitative information and
graphic presentations, as the Commission determines, by rule,
is necessary or useful for the protection of investors and in the
public interest.
6. Attempts and conspiracies to commit fraud offenses - Any
person who attempts or conspires to commit any offense under
this chapter shall be subject to the same penalties as those
prescribed for the offense, the commission of which was the
object of the attempt or conspiracy.

Reference: https://pcaobus.org/About/History/Documents/PDFs/Sarbanes_Oxley_Act_of_2002.pdf

Question #12. What are the major changes in auditing brought about by the Sarbanes Oxley Act?
a. Effect on Public Accounting Firms
b. Internal Controls
c. Fraud
d. Corporate Governance
e. Information System Audit (IS)/ and IS Auditors
1. Independence of IS Auditors
2. Audit Considerations for Irregularities
3. Skills and Competence of IS Auditors
4. Use of Risk Assessment in Audit Planning
5. Audit documentation
6. Use of CAATS

1. SOX created the Public Company Accounting Oversight Board. It set standards for audit reports. It requires all auditors of public companies to register with them. The PCAOB inspects, investigates, and enforces the compliance of these firms. It prohibits accounting firms from doing business consulting with the companies they are auditing. They can still act as tax consultants. But the lead audit partners must rotate off the account after five years.
2. Private companies must also adopt SOX-type internal control structures. Otherwise, they face increased difficulties. They will have trouble raising capital. They will also face higher insurance premiums and greater civil liability. These would create a loss of status among potential customers, investors, and donors.
3. The Sarbanes-Oxley Act was passed by Congress to curb widespread fraudulence in corporate financial reports, scandals that rocked the early 2000s. The Act now holds CEOs responsible for their company’s financial statements. Whistleblowing employees are given protection. More stringent auditing standards are followed. These are just a few of the SOX stipulations.
4. The Sarbanes-Oxley Act of 2002 cracks down on corporate fraud. It created the Public Company Accounting Oversight Board to oversee the accounting industry. It banned company loans to executives and gave job protection to whistleblowers. The Act strengthens the independence and financial literacy of corporate boards. It holds CEOs personally responsible for errors in accounting audits.
5. Information System Audit
a) Independence of IS Auditors - it shall be unlawful
for a registered public accounting firm (and any
associated person of that firm, to the extent
determined appropriate by the Commission) that
performs for any issuer any audit required by this
title or the rules of the Commission
b) Audit Considerations for Irregularities- In
supervising nonregistered public accounting firms
and their associated persons, appropriate State
regulatory authorities should make an independent
determination of the proper standards applicable,
particularly taking into consideration the size and
nature of the business of the accounting firms they
supervise and the size and nature of the business
of the clients of those firms. The standards applied
by the Board under this Act should not be
presumed to be applicable for purposes of this
section for small and medium sized nonregistered
public accounting firms.
c) Skills and Competence of IS Auditors - Financial
and accounting backgrounds are still needed, of
course. But the new skills currently in high demand
will “diversify” the team’s offerings, according to
Chambers. At the same time, he says, internal-
audit teams should not be well rounded “just for
the sake of it.” Instead, the teams’ makeup and
priorities should depend on each company’s
assessments of its risks.
d) Use of Risk Assessment in Audit Planning -In
contrast, Sarbanes-Oxley’s demand on proper and
effective internal controls over financial reporting
narrowed the focus of internal-audit teams. That
change, of course, made sense since the
profession is a risk-based function: internal
auditors are expected to focus on prioritizing the
risks to their business, and controls were a high-
risk area during the past decade.
e) Audit Documentation – Auditors inspect and
review selected audit and review engagements of
the firm (which may include audit engagements
that are the subject of ongoing litigation or other
controversy between the firm and 1 or more third
parties), performed at various offices and by
various associated persons of the firm, as selected
by the Board and evaluate the sufficiency of the quality control system of the firm, and the manner of the documentation and communication of that system by the firm and perform such other testing
system by the firm and perform such other testing
of the audit, supervisory, and quality control
procedures of the firm as are necessary or
appropriate in light of the purpose of the inspection
and the responsibilities of the Board.
f) Use of CAATs – Auditor acceptance of CAATs may be driven by both firm resource issues and individual user perceptions. Prior information systems research indicates that even when sufficient resources exist to purchase IT, users may not use (i.e., accept) the new IT (Davis 1989).

Reference: https://pcaobus.org/About/History/Documents/PDFs/Sarbanes_Oxley_Act_of_2002.pdf
