ETHICAL ISSUES IN IT SYSTEMS (STUDY OBJECTIVE 6)
A strong set of internal controls can assist in discouraging unethical behavior such as fraud and abuse. Management has a duty to maintain internal controls over IT systems for several reasons. Mainly, managers have a stewardship responsibility to safeguard assets and funds entrusted to them by the owners of the organization, and meeting this responsibility requires that controls be in place to safeguard assets. IT systems themselves, such as computer hardware and software, are assets that must be protected from theft, abuse, or misuse. Without proper controls on IT systems, the computer systems can be easily misused by outsiders or employees.
THE REAL WORLD
An unusual case of computer abuse occurred at a federal agency that regulates financial aspects of companies. The Securities and Exchange Commission (SEC) detected senior managers spending excessive hours viewing pornography during regular working hours. One SEC attorney spent as much as eight hours a day viewing pornography on his office computer. A congressional investigation revealed that 33 high-level SEC staffers in Washington, D.C., were involved in such abuse of computers. Ironically, this misconduct was occurring during the same time that this agency should have been monitoring and reviewing banking institutions and other companies involved in the country's financial meltdown.
While such cases are interesting, they expose a serious misuse of government funds. The U.S. taxpayers paid for computers that were being diverted from their intended use. The managers of the SEC have a duty to enforce policies that protect the computers and the IT systems. Similarly, a company has a duty to its owners to enforce policies and controls to prevent misuse.
In addition, a company can be held liable if employees use computers in a way that sexually harasses others. For example, an employee who sends e-mails that are sexually suggestive or lewd can cause legal liability problems for the company. In the United States, 27 percent of Fortune 500 companies have had to engage in legal defense proceedings regarding accusations that employees have sent e-mails of a sexual harassment nature. Companies must try to detect and prevent such misuse of computers.
In addition to computer assets being misused, access to IT systems may give unauthorized users access to other assets. Management must try to prevent theft conducted through the IT system, such as theft accomplished by fraudulent-transaction data entries. Both misuse of computers and theft through the computer systems are unethical behaviors that management must discourage through proper internal controls.
Besides fraud, there are many kinds of unethical behaviors related to computers, such as the following:
- Misuse of confidential customer information stored in an IT system
- Theft of data, such as credit card information, by hackers
- Employee use of IT system hardware and software for personal use or personal gain
- Using company e-mail to send offensive, threatening, or sexually explicit material
The controls described in this chapter can help set an environment in which many of these unethical behaviors are discouraged. Authentication controls, network break-in controls, and computer logging of use can help prevent or detect such behaviors.