Business Ethical Dilemma One I was an IT Director at a publicly-held company and was responsible for the IT portion of a Sarbanes-Oxley (SOX) compliance initiative. My direct supervisor was the CTO, but as part of this project I was also accountable to the Controller. The project was huge. I was responsible for securing all applications, processes and hardware that could potentially be used to change financial statements, this included both outside sources and internal employees, and for implementing a system of checks and balances to ensure constant monitoring of the systems. SOX compliance is determined by quarterly internal audits and yearly independent audits. The integral element in a SOX audit is the ability to prove that you recognize your own risks and have taken appropriate steps to mitigate those risks. If a particular remediation fails the audit, and is deemed to have a high impact on financial statement accuracy, it is required that shareholders be notified and there is a possibility that both the CEO and CFO will be jailed. For my company, SOX compliance was segregated into two initiatives, business and IT. One main area of focus was securing employee access to financial application screens and functionality. This was considered the responsibility of the business team, but was very difficult for them because they didn t understand the underlying technology. I agreed to spearhead this effort knowing that my team had the most knowledge of the applications and solution options. My team met with each manager to communicate the effort and specific risks associated with unnecessary access. Each manager was required to approve and document access needs for their teams. We then restricted access and created custom application menus to meet specific needs where necessary. All information was given to the business project manager to test prior to the final audit. Whether she tested access or not is still unknown, but the independent auditor considered the test a failure indicating that too many people had updateable access to important
financial transactions. The business project manager agreed and escalated the issue to the Controller. When asked about the issue by the Controller, I communicated what my team had done to remediate the risk and my belief that my team had followed the SOX remediation procedure appropriately. We had documented manager approval of access and had restricted access accordingly. In the absence of a specified level of access from the business team or auditor, I believed that we had followed the inherent SOX compliance appropriately through identifying and mitigating our own risk. Because this would be considered a significant deficiency, the Controller escalated the issue to the CFO and the CTO. Our final audit was in two days and a significant deficiency would result in a very unflattering note to the shareholders, and possibly jail time for the CEO and CFO. This would also almost certainly result in repercussions for whoever was responsible. The CFO called an emergency meeting to discuss and determine a plan to fix the issue. Prior to this meeting, the CTO took me aside and told me in no uncertain terms that I was not to blame for this failure. He agreed that I remediated appropriately for what I knew, noted that the business team didn t test it well or obviously didn t understand the task to begin with, but also stated that he felt I shouldn t have agreed to remediate the task at all. This being said, he told me that in the meeting I was not to take any blame whatsoever and not to agree to help fix the issue. He thought that if I agreed to help fix the issue I was inherently taking some blame. He also didn t believe it was possible to fix in two days, so I would be setting myself up to take the fall. I knew that it was impossible to fix without the expertise of my team, which would ultimately be a huge detriment to the company and would also go against my values. However, agreeing to help set me and my supervisor up for potential repercussions, not to mention would go against what he had directed me to do. What should I do at this point? Page 2 of 7
Business Ethical Dilemma Two I was an independent consultant when a peer of mine contacted me regarding a work dilemma. He was an employee of a consulting firm who was contracted by a law firm to provide expert testimony for a corporate lawsuit involving a local manufacturer, a competing consulting firm, and a large software manufacturer. The local manufacturer claimed the software manufacturer knowingly sold them an ERP software application that did not fit their business needs, and that the consulting firm performed an inappropriate scope and implementation of the software. My friend gave me the background of his predicament; the law firm representing the manufacturer identified him as the best resource within the company to provide the testimony because of his background with this particular ERP application and his expertise in software sales and selections. It was his choice to take the project. He was well aware of the limitations this may put on his future career opportunities with the other two companies involved in the lawsuit, but had still agreed because those opportunities were not part of his intended career path. He also took special interest in this particular case because of the bad light it shed on consultants in general. Having been a consultant for many years he had suffered through the stigma that less-than-expert consultants create. He had been working on the case for approximately nine months, very part-time, studying case documentation and providing industry and technology expertise to the lawyers so they could perform detailed depositions. He studied and took note of emails, sales documentation, individual depositions and all project documentation involved in the lifetime of the implementation project in question, which lasted over one year. Page 3 of 7
Approximately two months before his affidavit of expert testimony was due, he was contacted by the consulting company involved in the lawsuit about opportunities for employment. Some former co-workers were now employed by the company, and had referred him for some very enticing opportunities. It was good timing in that he had become increasingly dissatisfied with the opportunities available with his current employer. The economy was becoming increasingly worse, opportunities for consultants in general were poor and his family was dependent upon his income. He knew that if he provided the testimony he would never be hired by the consulting company in question. More importantly, the company would probably not survive if the lawsuit did not go in their favor, and some of his friends worked there. With the poor economy he was also becoming concerned about limiting future opportunities with the software manufacturer. His obligation to the law firm was to provide technical and industry expertise, and to provide an independent expert opinion on the case in question based on his knowledge and the documents he had received. His opinion could not be biased by the fact that he was hired by lawyers for one party, it was an independent opinion. He would stand by that impartiality, but was struggling with where he really stood on the issue and was concerned that the external factors were possibly biasing his opinion to the detriment of his client. However, he had made a commitment to this project and his current employer to follow-thru on this testimony. He had been working on the project for a long time and had billed the law firm accordingly, and his rates were not cheap. The case knowledge he had gained would be lost for someone starting fresh, not to mention that anyone new coming in would only have two months to get up to speed and write the affidavit. When he contacted me he had already decided what he was going to do. What should he do at this point? Page 4 of 7
What Actually Happened? Dilemma One: When I arrived at the meeting I was told that my supervisor was going to be late. The CFO took immediate control of the meeting by stating that he had already been informed of what happened, was aware of the issues of all parties involved, and that he was only concerned about how we were going to fix it. I was silent while the Controller and business project manager discussed their outright furor over how we got to this point. When they finished, the CFO looked directly at me and asked how I would recommend fixing it. I gave him my recommendation. He asked if I thought it could be done in two days. I told him m y recommendation was a stop-gap measure not a long-term solution. I told him I was confident that it could be done on the technical side, but the business processes of each department would be affected tremendously. He then asked who would be the best resources to work on it. I gave him the names of my team members and two additional IT resources. My manager came in right around the time that the CFO said he recognized that this audit area was very vague and that the responsibility lies with each department to secure their data, and that IT was not responsible for this audit failure. He stated that he and the Controller would take responsibility for communication to the business departments about the lockdown and the long-term solution, and that I would be responsible for the short-term IT tasks. After the meeting my manager didn t have any concerns with what happened. I was comfortable with the meeting and the outcome because I didn t offer anything but answered all questions honestly, and I thought we were working together towards the best solution. We worked fast and furious and got the system locked down in less than two days, and passed the audit with flying colors. I found out later that the CFO, who had worked very closely with each of us in the past, accurately assessed the underlying issues and asked his questions very directly Page 5 of 7
because he understood my predicament. He didn t care at all to place blame, only to fix the problem before it became his issue, and in order to do this he knew he had to have the IT expertise. Dilemma Two: When I got the call from my friend he had already decided to remove himself from the project. He felt that his personal bias would be too intrusive to his independent opinion, and he didn t want to burn bridges with the companies involved in the lawsuit. He called me specifically to ask if I would take the project in his place. We have similar professional experiences in this regard, and he felt that I would be a good replacement. I no longer lived in the area where these companies do business, so he felt that long-term career options would be less of a factor for me as well. I agreed to take the project. By the time he called me he only had six weeks until the deadline for his affidavit. I had no background knowledge of the case at all, so had to put in a lot of late nights reviewing the information, meeting with lawyers and documenting my analysis of the situation. The lawyers were less than pleased that they had paid for time and effort that was now wasted, but they recognized the risk they would be taking if they insisted on keeping my friend on the project. The consulting company my friend worked for was supportive since I had worked with them in the past; however, they were also less than pleased with the circumstances surrounding the switch. They came to an agreement with the law firm in regards to previous and future payments for services, and I know that the consulting company took a pretty big hit because of my friend s decision. Page 6 of 7
The law firm was extremely pleased with my affidavit and the lawsuit settled out of court a couple months later, approximately over a year after it officially began. Interestingly I received a call from the consulting company involved in the lawsuit about a week after they received notice that I was preparing the affidavit. They had some long-term opportunities they thought I would be interested in. I didn t return the call. My friend is still employed by the consulting company contracted by the law firm; apparently the enticing opportunities with the competing company didn t pan out. I was told that my expert opinion had a great affect on the outcome and that the other parties were running scared. Whether that was the case or not, that s the story I tell Page 7 of 7