Business Ethical Dilemma One
I was an IT Director at a publicly-held company and was responsible for the IT portion of
a Sarbanes-Oxley (SOX) compliance initiative. My direct supervisor was the CTO, but as part
of this project I was also accountable to the Controller. The project was huge. I was responsible
for securing all applications, processes and hardware that could potentially be used to change
financial statements, this included both outside sources and internal employees, and for
implementing a system of checks and balances to ensure constant monitoring of the systems.
SOX compliance is determined by quarterly internal audits and yearly independent
audits. The integral element in a SOX audit is the ability to prove that you recognize your own
risks and have taken appropriate steps to mitigate those risks. If a particular remediation fails the
audit, and is deemed to have a high impact on financial statement accuracy, it is required that
shareholders be notified and there is a possibility that both the CEO and CFO will be jailed.
For my company, SOX compliance was segregated into two initiatives, business and IT.
One main area of focus was securing employee access to financial application screens and
functionality. This was considered the responsibility of the business team, but was very difficult
for them because they didn’t understand the underlying technology. I agreed to spearhead this
effort knowing that my team had the most knowledge of the applications and solution options.
My team met with each manager to communicate the effort and specific risks associated
with unnecessary access. Each manager was required to approve and document access needs for
their teams. We then restricted access and created custom application menus to meet specific
needs where necessary. All information was given to the business project manager to test prior
to the final audit. Whether she tested access or not is still unknown, but the independent auditor
considered the test a failure indicating that too many people had updateable access to important
financial transactions. The business project manager agreed and escalated the issue to the
Controller. When asked about the issue by the Controller, I communicated what my team had
done to remediate the risk and my belief that my team had followed the SOX remediation
procedure appropriately. We had documented manager approval of access and had restricted
access accordingly. In the absence of a specified level of access from the business team or
auditor, I believed that we had followed the inherent SOX compliance appropriately through
identifying and mitigating our own risk.
Because this would be considered a significant deficiency, the Controller escalated the
issue to the CFO and the CTO. Our final audit was in two days and a significant deficiency
would result in a very unflattering note to the shareholders, and possibly jail time for the CEO
and CFO. This would also almost certainly result in repercussions for whoever was responsible.
The CFO called an emergency meeting to discuss and determine a plan to fix the issue.
Prior to this meeting, the CTO took me aside and told me in no uncertain terms that I was not to
blame for this failure. He agreed that I remediated appropriately for what I knew, noted that the
business team didn’t test it well or obviously didn’t understand the task to begin with, but also
stated that he felt I shouldn’t have agreed to remediate the task at all. This being said, he told me
that in the meeting I was not to take any blame whatsoever and not to agree to help fix the issue.
He thought that if I agreed to help fix the issue I was inherently taking some blame. He also
didn’t believe it was possible to fix in two days, so I would be setting myself up to take the fall.
I knew that it was impossible to fix without the expertise of my team, which would
ultimately be a huge detriment to the company and would also go against my values. However,
agreeing to help set me and my supervisor up for potential repercussions, not to mention would
go against what he had directed me to do. What should I do at this point?
Page 2 of 7
Business Ethical Dilemma Two
I was an independent consultant when a peer of mine contacted me regarding a work
dilemma. He was an employee of a consulting firm who was contracted by a law firm to provide
expert testimony for a corporate lawsuit involving a local manufacturer, a competing consulting
firm, and a large software manufacturer. The local manufacturer claimed the software
manufacturer knowingly sold them an ERP software application that did not fit their business
needs, and that the consulting firm performed an inappropriate scope and implementation of the
My friend gave me the background of his predicament; the law firm representing the
manufacturer identified him as the best resource within the company to provide the testimony
because of his background with this particular ERP application and his expertise in software
sales and selections. It was his choice to take the project. He was well aware of the limitations
this may put on his future career opportunities with the other two companies involved in the
lawsuit, but had still agreed because those opportunities were not part of his intended career path.
He also took special interest in this particular case because of the bad light it shed on consultants
in general. Having been a consultant for many years he had suffered through the stigma that
“less-than-expert” consultants create.
He had been working on the case for approximately nine months, very part-time,
studying case documentation and providing industry and technology expertise to the lawyers so
they could perform detailed depositions. He studied and took note of emails, sales
documentation, individual depositions and all project documentation involved in the lifetime of
the implementation project in question, which lasted over one year.
Page 3 of 7
Approximately two months before his affidavit of expert testimony was due, he was
contacted by the consulting company involved in the lawsuit about opportunities for
employment. Some former co-workers were now employed by the company, and had referred
him for some very enticing opportunities. It was good timing in that he had become increasingly
dissatisfied with the opportunities available with his current employer. The economy was
becoming increasingly worse, opportunities for consultants in general were poor and his family
was dependent upon his income.
He knew that if he provided the testimony he would never be hired by the consulting
company in question. More importantly, the company would probably not survive if the lawsuit
did not go in their favor, and some of his friends worked there. With the poor economy he was
also becoming concerned about limiting future opportunities with the software manufacturer.
His obligation to the law firm was to provide technical and industry expertise, and to
provide an independent expert opinion on the case in question based on his knowledge and the
documents he had received. His opinion could not be biased by the fact that he was hired by
lawyers for one party, it was an independent opinion. He would stand by that impartiality, but
was struggling with where he really stood on the issue and was concerned that the external
factors were possibly biasing his opinion to the detriment of his client. However, he had made a
commitment to this project and his current employer to follow-thru on this testimony. He had
been working on the project for a long time and had billed the law firm accordingly, and his rates
were not cheap. The case knowledge he had gained would be lost for someone starting fresh, not
to mention that anyone new coming in would only have two months to get up to speed and write
the affidavit. When he contacted me he had already decided what he was going to do. What
should he do at this point?
Page 4 of 7
What Actually Happened?
When I arrived at the meeting I was told that my supervisor was going to be late. The
CFO took immediate control of the meeting by stating that he had already been informed of what
happened, was aware of the issues of all parties involved, and that he was only concerned about
how we were going to fix it. I was silent while the Controller and business project manager
discussed their outright furor over how we got to this point. When they finished, the CFO
looked directly at me and asked how I would recommend fixing it. I gave him my
recommendation. He asked if I thought it could be done in two days. I told him my
recommendation was a stop-gap measure not a long-term solution. I told him I was confident
that it could be done on the technical side, but the business processes of each department would
be affected tremendously. He then asked who would be the best resources to work on it. I gave
him the names of my team members and two additional IT resources. My manager came in right
around the time that the CFO said he recognized that this audit area was very vague and that the
responsibility lies with each department to secure their data, and that IT was not responsible for
this audit failure. He stated that he and the Controller would take responsibility for
communication to the business departments about the lockdown and the long-term solution, and
that I would be responsible for the short-term IT tasks.
After the meeting my manager didn’t have any concerns with what happened. I was
comfortable with the meeting and the outcome because I didn’t offer anything but answered all
questions honestly, and I thought we were working together towards the best solution. We
worked fast and furious and got the system locked down in less than two days, and passed the
audit with flying colors. I found out later that the CFO, who had worked very closely with each
of us in the past, accurately assessed the underlying issues and asked his questions very directly
Page 5 of 7
because he understood my predicament. He didn’t care at all to place blame, only to fix the
problem before it became his issue, and in order to do this he knew he had to have the IT
When I got the call from my friend he had already decided to remove himself from the
project. He felt that his personal bias would be too intrusive to his independent opinion, and he
didn’t want to burn bridges with the companies involved in the lawsuit. He called me
specifically to ask if I would take the project in his place. We have similar professional
experiences in this regard, and he felt that I would be a good replacement. I no longer lived in
the area where these companies do business, so he felt that long-term career options would be
less of a factor for me as well. I agreed to take the project.
By the time he called me he only had six weeks until the deadline for his affidavit. I had
no background knowledge of the case at all, so had to put in a lot of late nights reviewing the
information, meeting with lawyers and documenting my analysis of the situation. The lawyers
were less than pleased that they had paid for time and effort that was now wasted, but they
recognized the risk they would be taking if they insisted on keeping my friend on the project.
The consulting company my friend worked for was supportive since I had worked with them in
the past; however, they were also less than pleased with the circumstances surrounding the
switch. They came to an agreement with the law firm in regards to previous and future payments
for services, and I know that the consulting company took a pretty big hit because of my friend’s
Page 6 of 7
The law firm was extremely pleased with my affidavit and the lawsuit settled out of court
a couple months later, approximately over a year after it officially began. Interestingly I
received a call from the consulting company involved in the lawsuit about a week after they
received notice that I was preparing the affidavit. They had some long-term opportunities they
thought I would be interested in. I didn’t return the call. My friend is still employed by the
consulting company contracted by the law firm; apparently the enticing opportunities with the
competing company didn’t pan out. I was told that my expert opinion had a great affect on the
outcome and that the other parties were “running scared”. Whether that was the case or not,
that’s the story I tell…
Page 7 of 7