ETHICAL CONSIDERATIONS RELATED TO IT GOVERNANCE (STUDY OBJECTIVE 9)

ETHICAL CONSIDERATIONS FOR MANAGEMENT

The management of any organization has an ethical obligation to maintain a set of processes and procedures that assure accurate and complete records and protection of assets. This obligation arises because management has a stewardship obligation to those who provide funds or invest in the company. Stewardship is the careful and responsible oversight and use by management of the assets entrusted to management. This requires that management maintain systems that allow it to demonstrate that it has appropriately used these funds and assets. Investors, lenders, and funding agencies must be able to examine reports that show the appropriate use of funds or assets provided to management. This is accomplished by the maintenance of accurate and complete accounting records and accounting reports with full disclosure within those reports. Therefore, management should have a mechanism that assists the organization in the development of accurate and complete accounting processes and systems.

In many cases, poorly designed IT systems can allow a fraudster to perpetrate fraud. In the case of the Phar-Mor drugstore chain fraud, a vice president became concerned about the adequacy of the IT system and the resulting reports. This vice president formed a committee to address the problems, but the committee was squelched by members of senior management who were involved in the fraud. Poorly developed IT systems can be used by managers or employees to commit and hide fraud. A management team that is focused on ethics throughout the organization should consistently monitor and improve IT systems. The SDLC is the mechanism to accomplish that. Thus, by diligently adhering to SDLC processes, management is, in part, fulfilling its ethical obligations of stewardship and fraud prevention.

As systems and processes are revised, management must also consider the ethical implications regarding employees. Revising processes and systems can lead to job-related changes for employees. These changes may include changes in job functions or duties, changes in the processes that employees perform, or in some cases, job loss. If managers expect employees to be ethical, then management must be ethical in the treatment of employees. Managers must carefully consider the impact of system changes on employees and be ethical in the manner in which they handle employees throughout the processes of change. Although job losses are sometimes unavoidable, management must be especially conscious of the manner in which it informs, terminates, and assists employees who experience job loss due to system changes. In addition, managers should maintain confidentiality about the proprietary features and functions of the IT system.

ETHICAL CONSIDERATIONS FOR EMPLOYEES

As managers apply the processes within the SDLC to revise IT systems, employees should not subvert the process. A disgruntled employee may sabotage the SDLC process by not cooperating, providing false information in interviews or questionnaires, or reverting to the old ways of doing things. If management of the organization has made an honest effort to include user feedback and participation in the SDLC processes, employees should likewise make an honest effort to participate, learn new system processes, and properly use the new processes and systems.

For employees who serve on project teams in the revision of IT systems, confidentiality can be an ethical consideration. As they participate in project teams, employees may learn things about people or processes in the organization that they would not otherwise know. These employees should not disclose things that management wishes to keep confidential. However, this can sometimes be a difficult ethical choice. For example, suppose that while serving on a project team, you learn that a friend's job will be eliminated and that management intends to announce the job cuts next week. In the days before the formal announcement, should you tell your friend of the impending job loss? In most circumstances, the project team member should keep this information confidential and allow management to handle the job cuts in a responsible and ethical manner.

ETHICAL CONSIDERATIONS FOR CONSULTANTS

When consultants are employed to assist the organization with phases of the SDLC, they have at least four ethical obligations:

  1. Bid the engagement fairly, and completely disclose the terms of potential cost increases.
  2. Bill time accurately to the client, and do not inflate time billed.
  3. Do not oversell unnecessary services or systems to the client just to inflate earnings on the consulting engagement.
  4. Do not disclose confidential or proprietary information from the company to other clients.

In the past, many CPA firms offered consulting services to assist organizations in the selection and implementation of accounting system software. The freedom of CPA firms to do such consulting was significantly decreased when Congress enacted the Sarbanes–Oxley Act of 2002, which prohibits CPA firms from providing systems consulting services to any organization for which the CPA firm serves as the auditor. An excerpt from the AICPA summary of Section 201 of the Act follows (emphasis added):

It shall be “unlawful” for a registered public accounting firm to provide any nonaudit service to an issuer contemporaneously with the audit, including: (1) bookkeeping or other services related to the accounting records or financial statements of the audit client; (2) financial information systems design and implementation; (3) appraisal or valuation services, fairness opinions, or contribution-in-kind reports; (4) actuarial services; (5) internal audit outsourcing services; (6) management functions or human resources; (7) broker or dealer, investment adviser, or investment banking services; (8) legal services and expert services unrelated to the audit; (9) any other service that the Board determines, by regulation, is impermissible.

As an example, if PricewaterhouseCoopers (PwC) audits Anheuser-Busch, then PwC would be prohibited from providing systems consulting services to Anheuser-Busch. However, PwC could provide systems consulting services to The Boston Beer Company, Inc. (brewers of the Samuel Adams® product line), if it does not audit this company. Only CPA firms face this restriction under Sarbanes–Oxley, because CPA firms are the only entities that are permitted to conduct external audits of public company financial statements. Other companies, such as International Business Machines Corp. (IBM), are not restricted in providing system consulting services to organizations.

The restrictions under the Sarbanes–Oxley Act are intended to enhance CPAs' ethical obligation to remain independent with respect to their clients. On the other hand, if CPAs were to implement new IT systems for their audit clients, the perception of objectivity and independence may be compromised.

Because of this restrictive environment for CPA firms in providing consulting services, most large CPA firms have spun off or sold their consulting divisions. There are still CPA firms that provide system consulting services, but they must be careful not to ever provide both consulting and audit services to the same organization.
