Business Ethical Dilemma One


       I was an IT Director at a publicly-held company and was responsible for the IT portion of

a Sarbanes-Oxley (SOX) compliance initiative. My direct supervisor was the CTO, but as part

of this project I was also accountable to the Controller. The project was huge. I was responsible

for securing all applications, processes and hardware that could potentially be used to change

financial statements (this included both outside sources and internal employees), and for

implementing a system of checks and balances to ensure constant monitoring of the systems.

       SOX compliance is determined by quarterly internal audits and yearly independent

audits. The integral element in a SOX audit is the ability to prove that you recognize your own

risks and have taken appropriate steps to mitigate those risks. If a particular remediation fails the

audit, and is deemed to have a high impact on financial statement accuracy, it is required that

shareholders be notified and there is a possibility that both the CEO and CFO will be jailed.

       For my company, SOX compliance was segregated into two initiatives, business and IT.

One main area of focus was securing employee access to financial application screens and

functionality. This was considered the responsibility of the business team, but was very difficult

for them because they didn’t understand the underlying technology. I agreed to spearhead this

effort knowing that my team had the most knowledge of the applications and solution options.

       My team met with each manager to communicate the effort and specific risks associated

with unnecessary access. Each manager was required to approve and document access needs for

their teams. We then restricted access and created custom application menus to meet specific

needs where necessary. All information was given to the business project manager to test prior

to the final audit. Whether she tested access or not is still unknown, but the independent auditor

considered the test a failure, indicating that too many people had updateable access to important
financial transactions. The business project manager agreed and escalated the issue to the

Controller. When asked about the issue by the Controller, I communicated what my team had

done to remediate the risk and my belief that my team had followed the SOX remediation

procedure appropriately. We had documented manager approval of access and had restricted

access accordingly. In the absence of a specified level of access from the business team or

auditor, I believed that we had followed the inherent SOX compliance appropriately through

identifying and mitigating our own risk.

       Because this would be considered a significant deficiency, the Controller escalated the

issue to the CFO and the CTO. Our final audit was in two days and a significant deficiency

would result in a very unflattering note to the shareholders, and possibly jail time for the CEO

and CFO. This would also almost certainly result in repercussions for whoever was responsible.

       The CFO called an emergency meeting to discuss and determine a plan to fix the issue.

Prior to this meeting, the CTO took me aside and told me in no uncertain terms that I was not to

blame for this failure. He agreed that I remediated appropriately for what I knew, noted that the

business team didn’t test it well or obviously didn’t understand the task to begin with, but also

stated that he felt I shouldn’t have agreed to remediate the task at all. This being said, he told me

that in the meeting I was not to take any blame whatsoever and not to agree to help fix the issue.

He thought that if I agreed to help fix the issue I was inherently taking some blame. He also

didn’t believe it was possible to fix in two days, so I would be setting myself up to take the fall.

       I knew that it was impossible to fix without the expertise of my team, which would

ultimately be a huge detriment to the company and would also go against my values. However,

agreeing to help would set me and my supervisor up for potential repercussions, not to mention that it would

go against what he had directed me to do. What should I do at this point?



Business Ethical Dilemma Two

       I was an independent consultant when a peer of mine contacted me regarding a work

dilemma. He was an employee of a consulting firm who was contracted by a law firm to provide

expert testimony for a corporate lawsuit involving a local manufacturer, a competing consulting

firm, and a large software manufacturer. The local manufacturer claimed the software

manufacturer knowingly sold them an ERP software application that did not fit their business

needs, and that the consulting firm performed an inappropriate scope and implementation of the

software.

       My friend gave me the background of his predicament: the law firm representing the

manufacturer identified him as the best resource within the company to provide the testimony

because of his background with this particular ERP application and his expertise in software

sales and selections. It was his choice to take the project. He was well aware of the limitations

this may put on his future career opportunities with the other two companies involved in the

lawsuit, but had still agreed because those opportunities were not part of his intended career path.

He also took special interest in this particular case because of the bad light it shed on consultants

in general. Having been a consultant for many years he had suffered through the stigma that

“less-than-expert” consultants create.

       He had been working on the case for approximately nine months, very part-time,

studying case documentation and providing industry and technology expertise to the lawyers so

they could perform detailed depositions. He studied and took note of emails, sales

documentation, individual depositions and all project documentation involved in the lifetime of

the implementation project in question, which lasted over one year.




       Approximately two months before his affidavit of expert testimony was due, he was

contacted by the consulting company involved in the lawsuit about opportunities for

employment. Some former co-workers were now employed by the company, and had referred

him for some very enticing opportunities. It was good timing in that he had become increasingly

dissatisfied with the opportunities available with his current employer. The economy was

becoming increasingly worse, opportunities for consultants in general were poor and his family

was dependent upon his income.

       He knew that if he provided the testimony he would never be hired by the consulting

company in question. More importantly, the company would probably not survive if the lawsuit

did not go in their favor, and some of his friends worked there. With the poor economy he was

also becoming concerned about limiting future opportunities with the software manufacturer.

        His obligation to the law firm was to provide technical and industry expertise, and to

provide an independent expert opinion on the case in question based on his knowledge and the

documents he had received. His opinion could not be biased by the fact that he was hired by

lawyers for one party; it was an independent opinion. He would stand by that impartiality, but

was struggling with where he really stood on the issue and was concerned that the external

factors were possibly biasing his opinion to the detriment of his client. However, he had made a

commitment to this project and his current employer to follow through on this testimony. He had

been working on the project for a long time and had billed the law firm accordingly, and his rates

were not cheap. The case knowledge he had gained would be lost for someone starting fresh, not

to mention that anyone new coming in would only have two months to get up to speed and write

the affidavit. When he contacted me he had already decided what he was going to do. What

should he do at this point?



What Actually Happened?

Dilemma One:
      When I arrived at the meeting I was told that my supervisor was going to be late. The

CFO took immediate control of the meeting by stating that he had already been informed of what

happened, was aware of the issues of all parties involved, and that he was only concerned about

how we were going to fix it. I was silent while the Controller and business project manager

discussed their outright furor over how we got to this point. When they finished, the CFO

looked directly at me and asked how I would recommend fixing it. I gave him my

recommendation. He asked if I thought it could be done in two days. I told him my

recommendation was a stop-gap measure, not a long-term solution. I told him I was confident

that it could be done on the technical side, but the business processes of each department would

be affected tremendously. He then asked who would be the best resources to work on it. I gave

him the names of my team members and two additional IT resources. My manager came in right

around the time that the CFO said he recognized that this audit area was very vague and that the

responsibility lies with each department to secure their data, and that IT was not responsible for

this audit failure. He stated that he and the Controller would take responsibility for

communication to the business departments about the lockdown and the long-term solution, and

that I would be responsible for the short-term IT tasks.

       After the meeting my manager didn’t have any concerns with what happened. I was

comfortable with the meeting and the outcome because I didn’t offer anything but answered all

questions honestly, and I thought we were working together towards the best solution. We

worked fast and furious and got the system locked down in less than two days, and passed the

audit with flying colors. I found out later that the CFO, who had worked very closely with each

of us in the past, accurately assessed the underlying issues and asked his questions very directly

because he understood my predicament. He didn’t care at all to place blame, only to fix the

problem before it became his issue, and in order to do this he knew he had to have the IT

expertise.



Dilemma Two:

       When I got the call from my friend he had already decided to remove himself from the

project. He felt that his personal bias would be too intrusive to his independent opinion, and he

didn’t want to burn bridges with the companies involved in the lawsuit. He called me

specifically to ask if I would take the project in his place. We have similar professional

experiences in this regard, and he felt that I would be a good replacement. I no longer lived in

the area where these companies do business, so he felt that long-term career options would be

less of a factor for me as well. I agreed to take the project.

       By the time he called me he only had six weeks until the deadline for his affidavit. I had

no background knowledge of the case at all, so had to put in a lot of late nights reviewing the

information, meeting with lawyers and documenting my analysis of the situation. The lawyers

were less than pleased that they had paid for time and effort that was now wasted, but they

recognized the risk they would be taking if they insisted on keeping my friend on the project.

The consulting company my friend worked for was supportive since I had worked with them in

the past; however, they were also less than pleased with the circumstances surrounding the

switch. They came to an agreement with the law firm in regards to previous and future payments

for services, and I know that the consulting company took a pretty big hit because of my friend’s

decision.




       The law firm was extremely pleased with my affidavit and the lawsuit settled out of court

a couple months later, approximately over a year after it officially began. Interestingly, I

received a call from the consulting company involved in the lawsuit about a week after they

received notice that I was preparing the affidavit. They had some long-term opportunities they

thought I would be interested in. I didn’t return the call. My friend is still employed by the

consulting company contracted by the law firm; apparently the enticing opportunities with the

competing company didn’t pan out. I was told that my expert opinion had a great effect on the

outcome and that the other parties were “running scared”. Whether that was the case or not,

that’s the story I tell…



