CHAPTER 3 Information systems ethics

LEARNING OBJECTIVES

After studying this chapter, you should be able to:
• Discuss the concepts of ethics, governance and accountability in the business environment.
• Describe the ethics framework within which accountants work.
• Relate the ethics expectations of the market.
• Examine the ethics environment faced by accountants.
• Identify different ethics risks.
• Appreciate the significance of regulatory reforms which impact upon the accountant.
• Understand the approach adopted by the rest of the book in addressing the concepts of ethics, corporate governance and accountability as introduced in the ethics framework.
• Describe the different perspectives that can be adopted for an ethical problem.
• Consider the role of moral development in making ethical decisions.
• Describe and apply the ethical decision-making model.
• Consider some areas in which ethical problems may emerge for businesses that use accounting information systems (AIS).
• Describe some of the different perspectives of computer crime.
• Explain what is meant by spam, phishing, hacking, identity theft and money laundering.
• Consider potential ways to reduce the risk of computer crime.

‘The day Arthur Andersen loses the public trust is the day we go out of business.’ Steve Samek, Country Managing Partner, Arthur Andersen US, 1999, in Toffler, BL 2003, Final accounting, ambition, greed, and the fall of Arthur Andersen, p. 1.


PART A: An ethics framework

Introduction

Recalling the statement made on the firm’s Independence and Ethical Standards CD-ROM in 1999, Barbara Ley Toffler, former partner-in-charge of the Ethics and Responsible Business Practices Division of Arthur Andersen United States (1995–99), wrote:

It is Arthur Andersen’s lack of accountability that has inspired me to write this book. As an observer of corporate cultures, I believe strongly that the suicide of Arthur Andersen — and the assault on the investing public’s trust — could have been avoided had people paid attention to the danger signs flashing everywhere in the late 1990s . . . [This] is a book about what it was like to work at a respected company as its culture began to decay. It is also about what happens when the values of an organisation begin to distort your own.

The book, Ethics, governance and accountability: a professional perspective, is a timely reminder for accountants and auditors of their roles in the competitive, highly regulative and complex business environment. The book has one theme: the long-term viability of a fair market is dependent on the effective and ethical interactions of individuals, the governance body, organisations and regulators. The ethical dispositions of individuals underpin behaviours, which, collectively, provide the framework for ethical cultures, sound values and good leadership, resulting in a fair and transparent system of accountability and responsible practices. This is the ethics framework that affects us all. Hence, the book aims to build the basic foundation for ethics, applicable for accountants and finance professionals in business. The book offers a rich base of knowledge, theories and principles, which are relevant for the ethics framework.

This chapter aims to provide the background to contextual matters concerning accountants. It sets the scene for readers to appreciate the significance and value of ethics in the corporate environment. An ethics framework is introduced, showing how ethics, corporate governance and accountability are interrelated and support the functioning of a fair market. We shall explore the risks and supports of the ethics framework for business. Within the framework, we will identify the typical issues that accountants and the accounting profession need to address. The typical issues are dynamic in nature, and a discussion of the current demands for accountability will provide an insight. Following a historic surge of corporate collapses in the early years of the 21st century, the accounting profession has embarked on regulatory and other reforms in response to the increasing amount of public scrutiny.



WHAT IS ETHICS, GOVERNANCE AND ACCOUNTABILITY?

Ethics is about choices. It is a concept that signifies how we act in order to make the ‘right’ choice, and produce ‘good’ behaviour. It encompasses a thorough (and objective) examination of principles, values, duties and norms, the consideration of available choices or alternatives in order to make the right decision and the strength of character to act in accordance with the decision. Ethics concerns individuals, groups, institutions and society.

Governance and accountability are about relationships. The word governance refers to authority and control. Governance means the strategy, method and manner in which a group of people (the governance body) directs, controls and manages an organisation. The governance body of a corporation normally rests with the board of directors and senior management, who possess the authority to govern or control. With authority comes responsibility. Accountability is the responsibility of those charged with governance to account for their choices, decisions and actions.

Corporate governance has been around for many years, and has traditionally been defined as ‘the way a corporation is directed and controlled to maximise shareholders’ value’. However, recent corporate events and the apparent failures of the governance system highlight the need to review not only systems and structures, but also relationships, cultures, ethics and leadership within organisations.

The latest debates on corporate governance focus on the following issues:
• the structures of boards and committees, including independence of directors, committees, required expertise, appointment, compensation, performance assessment, and their accountability to shareholders, regulators and the public
• the relationships between the board, management, the shareholders, the auditors and the employees
• transparency and fairness in disclosure of financial reporting matters, the audit function, the independence of auditors, their engagement and reporting matters
• treatment and the rights of shareholders and stakeholders
• ethics, compliance and cultural issues within organisations
• shareholders’ and stakeholders’ interests.

What is right for individuals is highly subjective. How to define and perhaps develop an equitable balance in dealing with governance matters (such as between conformance and performance) is a delicate issue. You will realise that ethics, corporate governance and accountability are all interrelated within an ethics framework.

The ethics framework for businesses

Figure 3.1 shows a schematic of the ethics framework for businesses. Three forces operate in the framework. They are the market (which includes the environment), the business entity and the regulatory regime. The ethics framework shows the interactive relationships among parties within each of these forces and among the forces. The market provides the resources and opportunities (and threats) for the entity to operate in a competitive world. The entity operates as an ongoing concern for the interests of its owners and forms a part of the marketplace. The government, industry regulators and professional organisations, on the other hand, provide support and oversight functions to the market and its entities. Interested parties such as the Australian Shareholder Associations, the unions and the Australian Institute of Company Directors are subgroups that pursue the interests and voice the concerns of their members to exert influence on all three forces.

The actions and performance of an entity can be seen by market participants such as shareholders, fund providers, and other stakeholders, including customers and the general public. The performance of the entity is also under the oversight of the regulatory regime. The market responds to the actions of entities and regulatory authorities and increases demand for relevant information, responsible behaviour, safety, protection of the environment, with the long-term expectations of returns and security. The regulatory regime corrects and minimises opportunities for malpractice by enacting legal restrictions and legislative reforms, and through persuading the industry and related professional organisations to introduce stronger self-regulatory standards and rules. Within the entity, the governing body defines the overall strategy and implements control systems to exercise proper governance. Three levels of ethics are found within an entity: the ethics of the governing body (and its management), workplace ethics and individual (employee) ethics.

Figure 3.1 ◗ A schematic for an ethics framework

[Figure not reproduced. Labels recoverable from the schematic:]

The market
• Owners, shareholders, other fund providers
• Other stakeholders, customers, the public

The entity
• Directors' and management's ethics, leadership and governance (chapter 5)
• Workplace ethics and culture (chapters 11 and 12)
• Individual ethics: ethical sensitivity (all); ethical priorities, values and understanding of principles, theories (chapters 2 and 3); ethical/moral development – capability to make ethical decisions (chapters 2, 3 and 4); ethical courage to act.

The regulatory regime
• The government and regulators
• Industry standards and norms
• Professional standards and norms

Other labels
• Individual upbringing and families
• Integrative issue: social + environmental (chapters 8 and 9)
• Integrative issue: earnings management + frauds (chapters 6 and 7)
• Integrative issue: independence (chapter 10)



ETHICS OF THE GOVERNING BODY

The ethics of the governing body and its management concern the priorities given to the formulation of goals, mission and overall direction in the interests of the shareholders and stakeholders, thus implementing them into policies, procedures and control systems. The governing body of an entity is typically represented by the board of directors, the senior management and relevant board committees. The primary responsibility of the directors and management is to provide and facilitate good corporate governance practices, and to satisfy key corporate drivers for both performance and conformance. Corporate governance is not only about structures and processes, but also strategies for addressing stakeholder needs, in the form of products, services and information. Governance is characterised by an entity’s priorities in values and leadership.

ETHICS OF THE WORKPLACE

The ethics of the workplace are influenced by the visibility of the values and leadership practised by the governing body. Workplace ethics can be characterised by the transparency of information and operation, open communication between levels, equitable treatment among and within subgroups and a generally supportive workplace environment. Workplace ethics concerns the implementation of governance policies and procedures, while monitoring the soft issues of ‘unwritten norms’ or cultures. The existence of a code of conduct, for example, is an incomplete feature when there is a lack of constant review regarding its adequacy, or when there is no monitoring procedure (i.e. supporting mechanism when an individual within an entity enforces the code or disciplinary measures when an individual breaches the code). Whistle-blowing programs, workplace conflicts, bribes or other conflicts of interests are issues which must be addressed in order to provide the contexts for ethical behaviour in a healthy workplace. The ethics of the governing body and workplace ethics shape the entity’s culture through their interactions and support. Culture in turn influences individuals.

INDIVIDUAL ETHICS

Individual ethical behaviour is influenced by four interrelated components, according to James Rest. Individuals must be capable of identifying ethical problems (ethical sensitivity); appreciating the values and priorities through their understanding of principles, rules, norms and theories (ethical priorities); developing their individual sets of reasoning and judgment (ethical judgment); and developing the strength of character to act upon such decisions (ethical courage). So when an individual employee encounters a situation, he or she (1) acknowledges the ethical dimensions of the problem; (2) assesses available principles, rules and norms; (3) evaluates the adequacy of existing policies, practices and workplace standards; and (4) acts. All four components have to be present, according to James Rest, to result in ethical behaviour.

ETHICAL EXPECTATIONS OF THE MARKETS

The growth of Australia’s markets and financial services industry has been rapid and sustained. Statistics have shown that nearly one in two Australian adults now directly own shares, which is the highest proportion in the world, ahead of the United States, United Kingdom, Canada, Germany and New Zealand, in both direct and indirect share ownership. Unlike Europe, Australia’s market profile is also increasingly skewed towards retail investors. Millions of Australian investors are eager to help fund their retirement through some kind of equity ownership. Three out of four working Australians invest in superannuation, and over five million Australians use financial advisers. This growth in market size and coverage inevitably means that many investors are participating for the first time in financial markets, which they may not entirely or adequately understand. During the late 1990s, many inexperienced financial services consumers bought a complicated range of products and services and were caught out, losing their life savings.

IN PRACTICE

Johnson & Johnson and others

Crisis may strike a company unexpectedly. A huge amount of blame can be placed on a company if it fails to respond properly to a crisis. In 1982, Tylenol commanded 35 per cent of America’s over-the-counter analgesic market, contributing about 15 per cent of Johnson & Johnson’s profits. Unfortunately, an individual succeeded in lacing the drug with cyanide and seven people died as a result. After that incident, there was panic about Tylenol and the market value fell by $1 billion. When the same situation occurred in 1986, the company acted quickly. It recalled all Tylenol products from every outlet, not just the outlets where the products had been tampered with. The company also decided the product should not be re-established until something had been done to provide better product protection. As a result, tamper-proof packaging was developed. The cost was high and the lost production and destroyed goods of the recall were considerable. However, the company won praise for its quick and appropriate action, and achieved the status of consumer champion. Within five months of the disaster, the company regained 70 per cent of its market share for the drug. The company had succeeded in preserving the long-term value of the brand and its loyalty.

Contrast that with the case of Bridgestone/Firestone in 2001. In Washington, it paid US$41.5 million in settlement to fend off lawsuits by states over defective tyres the company recalled in late 2000. The United States investigators had documented 271 deaths from thousands of accidents involving the tyres and the Attorneys-general raised doubts as to whether Bridgestone/Firestone and Ford were aware of the problems with the tyres long before the recall was announced.

Can you think of any other real-life cases similar to these?

The market, including owners and investors, public stakeholders and the general public, has certain ethical expectations. The market’s support for an entity depends upon the credibility of the entity’s corporate commitments and reputation, and the strength of its competitive advantage. Credibility depends on the trust that stakeholders place in the entity’s activities, and trust, in turn, depends upon the values underlying such corporate activities. Stakeholders increasingly expect an entity’s activities to show respect for their values and interests. This respect for stakeholder values and interests determines the ethical standing and success of a corporation. The Johnson & Johnson example shows the importance of respect for stakeholder values and interests.

With an increasing amount of interest in corporate activities and accountability, the public expectations of businesses and the professions have become far more concerned with stakeholder interests and ethical matters than has been the case in the past. Directors, executives and business managers, who serve the often conflicting interests of shareholders directly, and the public indirectly, must be aware of the public’s ethical expectations, and manage the related ethics risks accordingly. More than just to provide financial outcomes, their awareness must be combined with traditional values and incorporated into a framework for ethical decision making and action. Otherwise, just as with Enron and Arthur Andersen, the credibility, reputation and, eventually, competitive advantage of capital markets — as well as the organisation, management and the profession — will suffer.

In the aftermath of the corporate failures in the early 2000s, the general community has been caught up with extensive financial and other injuries. The collapse of HIH, one of Australia’s largest home-building market insurers, left the building industry in turmoil. Home owners were left without compulsory home warranty insurance, owners of residential dwellings found that cover for defective building work had vanished, and builders were unable to operate because they could not obtain builders’ warranty insurance. Thousands of other individual cases of hardship also emerged. For example, about 200 permanently disabled people no longer received their regular payments from HIH. A 50-year-old school principal who had developed a brain tumour, and who had relied on an income protection insurance policy, found his monthly cheque from HIH was dishonoured and his policy worthless. Corporate collapses and the extensive damages to the community were a wakeup call for ethics in business.

In summary, market participants have ethical expectations from both the entity and its accounting and finance personnel. Table 3.1 illustrates some of the ethical expectations of the market.

Table 3.1 ◗ Examples of ethical expectations by the market

Market participants: Owners, shareholders and fund providers

Ethical expectations of the entity:
• Ongoing viability
• Reputation and credibility
• Integrity of information and returns
• Accountability.

Accountants’ or executives’ roles:
• Effective governance and objective risk management process
• Integrity in financial management
• Transparency, objectivity and disclosure.

Market participants: Other public stakeholders, employees, and individuals etc.

Ethical expectations of the entity:
• Product safety and product quality
• Socially responsible activities
• Fairness and equity
• Honesty and respect for the public interest
• Professional and other developments
• Open communications
• Fair compensation.

Accountants’ or executives’ roles:
• Understand corporate social responsibility and triple bottom line reporting
• Integrity in judgments for operations, financial and other business dealings
• Ensure compliance with standards, legal and regulatory matters
• Maintain integrity and the duty of care
• Undertake corrective actions in cases of wrongdoings
• Implement and monitor codes and whistleblowing programs.


THE ACCOUNTANT IN THE ETHICS FRAMEWORK

Accountants provide skilful services. These services have developed from a traditional financial focus to a broad range of services including auditing, advisory, assurance and consultative roles, on matters which have economic outcomes, in the short or long term. Accountants therefore may assume responsibilities in any part of the ethics framework, providing services either as an employee, a financial expert or an independent service provider.

Accountants as the moral agent

Accountants are also said to be the moral agents of organisations, and provide an objective account of matters in a fiduciary relationship. They are relied upon because of their professional status and ethical standards. Hence, within an entity, accountants have a duty towards their employer, loyalty to the governing body and management, and the responsibility to ensure such duties are performed with the objectivity, integrity and ethics of a professional person. Accountants providing independent services, such as in auditing, have a duty to their own employers, while maintaining an independent but cordial relationship with their clients.

One complication of the accountant’s role in public accounting firms is the relationship between the accountant and the client. The cosy relationship, which often develops as a result of an accountant’s increasing assistance to management in the form of consultancy and other services, may in turn jeopardise the perceived independence of the accountant as an auditor. It has been reported that, over the period 1992–2002, the total audit fees paid by the Australian Stock Exchange (ASX) top 100 companies grew by 99 per cent, while the total non-audit fees paid by these companies to their audit firms grew by 501 per cent. The Australian Securities and Investments Commission (ASIC) also reported in 2002 that audit firms were earning substantial fees for non-audit services and that most companies lacked robust processes for ensuring that the independence of audit was not prejudiced by the provision of non-audit services. The spate of audit and financial disclosure reforms in the Corporate Law Economic Reform Program (Audit Reform and Audit Disclosure) Act 2004 is partly the result of the extensive nature of auditor involvements in their audit clients, which has led to the alleged failure of objectivity and integrity in major corporate collapses. Although there are historical and economic reasons in support of the broadening of services provided by accountants and auditors, the evidence presented after recent corporate collapses has rendered stringent rules for audit independence inevitable.

On the other hand, accountants employed within an organisation can be challenged with matters that are not necessarily financial in nature, but which have ethical implications. For example, an operational disaster which leads to human injuries involves financial compensation and the accountant may either be aware of the situation or part of the investigation. Or, an accountant may be involved in alerting a management to internal fraudulent activities, which could expose the organisation to potential financial losses. Outside the entity, accountants may be involved in providing professional forecasts and analyses, or undertaking investigative projects to evaluate investment proposals. Accountants representing the regulatory regime contribute to the understanding, development and interpretation of the law, industry and professional standards, with possible involvements in forensic issues.

In sum, the roles of accountants in the ethics framework are diverse and complex. All accountants are expected to observe the standards of care, professionalism and ethical behaviour as part of their primary professional duty to safeguard the public interest. This, of course, is an extremely simplistic description of the principles regarding accountants’ roles in the ethics framework. The complex ethical positions of the accountant are briefly discussed here.

The impact of competitive pressures and environmental concerns

The development of the global market has given rise to the free flow of capital, goods and services throughout the world. Corporations try to combat competitive pressure through greater productivity and lower costs. Questionable behaviour, undertaken to increase short-term profitability, such as in the case of Bridgestone/Firestone, does not outweigh the risk of long-term reputation damage. There are also increasing concerns regarding environmental matters, excessive management compensation and bad business judgments. These issues, together with the corporate collapses and financial scandals, have led to the general public becoming less trusting of business executives and professionals, such as accountants and auditors. Some of these cases are illustrated in the following section.

Ethical problems faced by accountants

Accountants are educated to possess the competence and skills to deliver their services in the public interest. They are regarded as professionals who have a fiduciary relationship with those whom they service. Accounting bodies traditionally exercise a self-regulatory system in order to ensure that members safeguard the public interest by performing their tasks professionally, competently, ethically, responsibly and with due care. As shown in figure 3.1, accountants, like other individuals employed within an entity, be it commercial or professional in nature, are subject to the same complex framework of relationships and influences. Furthermore, the requirement of allegiance towards professional standards and behaviour means that accountants must regard the public interest as their top priority. Any conflicts between the public interest and self-interest, loyalty to the entity and its governing body, may result in ethical dilemmas and possibly lapses. A choice has to be made. The choice made may even have very far-reaching consequences.

In a professional environment, such as within an accounting firm, an accountant’s role requires performance under tight budget and timelines, maintaining relationships with clients and firm management, and applying strict accounting rules and professional standards. Hence, the ethics framework for an accountant working in a professional entity can be both demanding and complex, resulting in ethical issues to be faced by individual accountants.

The technology market bubble of the late 1990s and its puncturing in 2000 occurred alongside major collapses in corporate governance. Those who had contributed to the accounting scandals also contributed to the loss of public confidence in the accounting profession. High profile collapses such as Enron, WorldCom, Global Crossing, Adelphia Communications and Tyco in the United States, HIH, One.Tel and Harris Scarfe, in Australia, were largely the result of a period of disguise, restatement of the financial statements and a general disregard of ethics and integrity by business management, the board and the accountants involved. Parallel to this was great concern regarding the fairness of the operation of a market system where shareholders, employees in general, and pensioners lost large sums, while those running companies, exercising bad business and ethical judgments, had enriched themselves with massive compensation pay-outs.

Some argued that the catalyst for these events was the fierce battle by many managers and directors to meet investors’ expectations that the company in which they purchased shares would report a steady stream of high and ever-increasing quarterly profits and revenues. In the struggle to deliver results, management, as well as investment bankers and analysts, with lawyers working alongside, lost sight of their responsibility and accountability. Some auditors also lost their autonomy and good judgment, and blurred the line between right and wrong. On too many occasions professionals in our largest and most respected accounting firms yielded to management pressure, permitting misleading financial information to be published. To some extent, there have been some lapses in the way accounting firms have structured compensation policies and other incentives, rewarding those partners who generated the greatest amount of new auditing or consulting assignments rather than those who delivered the best quality audit work.

The following examples show how accountants have been involved in ethical lapses.
• A forensic audit by PricewaterhouseCoopers at HealthSouth, an Alabama-based rehabilitative clinic, reported a revised fraud of US$4.6 billion on 22 January 2004, representing fraudulent accounting entries from 1996 to 2002, incorrect accounting for goodwill and other aggressive accounting in that period to March 2003. Fifteen former executives, including five former chief financial officers, have pleaded guilty to charges related to the fraud. Former auditors at Ernst & Young, and former investment bankers at UBS Warburg, were said to have known about the fraud even as they signed off on financial statements and sold HealthSouth securities to the public.
• Parmalat Finanziaria, the parent company of the Italian dairy group, has removed Deloitte & Touche SpA and Grant Thornton SpA as auditors following the discovery of a phoney asset certificate in the Cayman Islands. Two accountants at GT SpA were arrested on suspicion of falsely certifying Parmalat’s balance sheets. Both firms were cited in a class action suit brought on behalf of United States investors.
• Former HIH Insurance financial executive Bill Howard was the first person convicted for his role in the HIH collapse when he was sentenced in the New South Wales Supreme Court to a three-year suspended jail term in December 2003. He admitted he received AUD$124 000 in bribes to organise payments to companies linked with Brad Cooper, including a $737 500 payment from HIH, which HIH was not obliged to make. It was alleged that when Cooper made an offer to ‘look after’ Howard, in return for retrieving funds from HIH, the HIH executives had their hands full trying to keep the company afloat. They asked Howard to ‘deal’ with Cooper. When Howard was asked at the HIH Royal Commission as to the reason for his action, he said, ‘I don’t know. I think I just gave in to the incessant battering ... I have been punting all my life’.
• Alan Hodgson, the CFO at Harris Scarfe, admitted that for about five years he had in effect been keeping two sets of books. He had artificially increased the company’s profits in the monthly financial reports, as well as the half-yearly and annual financial statements for the board and the Australian Stock Exchange (ASX). Hodgson stood to gain nothing from his actions other than the ‘approval’ of those around him. When the executive chairman said he wanted to achieve a particular profit margin, Alan interpreted it as an order to do whatever it took to get that margin. Hodgson was sentenced in 2001 to a six-year jail sentence, with a non-parole period of three years.

These examples are just some of those appearing in the media about the corporate collapses in recent years, other than Enron and WorldCom. Many of the cases had similar features: a strong and dominating leader, a dysfunctional board, an aggressively results-driven corporate culture, manipulation of accounts, and accounting personnel caught in the middle, trying to balance the pressure to perform and to maintain their own position, possibly within an ethics lapse situation.

THREATS TO ETHICS, CORPORATE GOVERNANCE AND ACCOUNTABILITY

In light of the current environment of competition and drive for performance, accountants, auditors and other finance executives face issues which pose threats to their ability to maintain their ethical position and implement good governance practices. The sources of threats can include:
• stakeholders — where one group of stakeholders has an unfair advantage over other groups
• products or services — where the poor quality of products or performance of service compromises the standards (e.g. of safety and health)
• organisational culture, norm and objectives — where there is a lack of responsible leadership, combined with a self-interested culture and objectives being defined by the ‘bottom-line’ and short-term financial benefits for individuals
• social status and reputation — professional and organisational misconduct where the organisation or the industry acts in a way perceived to be detrimental to society, leading to loss of credibility.

In describing the ‘bill our brains out’ culture of Arthur Andersen, Barbara Toffler referred to the fact that, by the late 1990s, all of the firm’s employees were expected to be ‘masters of creativity’ when it came to figuring out ways to sell more services — auditing or consulting — to clients. There were regular meetings of SOAR teams (‘Sales Opportunities and Resources’), ‘Crown Jewel’ teams and ‘Elephant Target’ teams. They were there to exploit every possible void. Everyone from auditors, internal auditors, tax specialists and consultants attended these meetings. Over the course of an hour or two, the status of a client’s account would be reviewed, and then everyone would pitch in with ideas about how to increase revenue. ‘It was all about cross-selling — offering the soup, the nuts, and everything in between . . . the meetings also had the effect of increasing the pressure.’ Such a culture of pressure on individual employees meant that the only way to get ahead, or to keep up, was to compromise quality. ‘So that’s what we did,’ wrote Toffler.

Ethics threats or risks can be defined as the risk of failure to achieve a certain expected standard of behaviour. An ethics risk for the professional accountant is the risk of failing to achieve the standards of behaviour expected of him or her. Such standards of behaviour are assumed within a fiduciary relationship, a professional arrangement, an accredited affiliation with a profession, or criteria established in a code of ethics or a set of mission statements.


IN PRACTICE: Threats to accountability at Barings and NAB

In August 1994, Barings’ internal auditors had issued a report highlighting ‘significant general risk’ that Nick Leeson could circumvent controls, as he had responsibility over both trading and settlement activities. Although the warning had created tremendous pressures, the management wrote, ‘Leeson should continue to take an active role in the detailed operation of both the front desk and the back office’. Leeson’s ability to generate large profits was emphasised. In February 1995, the 233-year-old British investment bank collapsed.

A decade later, a similar case occurred in the National Australia Bank (NAB), although it reacted swiftly to correct the situation. NAB lost AUD$360 million on currency options trading, as a result of poor operational and monitoring controls. PricewaterhouseCoopers (PwC), which conducted the investigation into the activities, reported that there were inadequate or non-existent controls which allowed trading losses to be concealed. Moreover, warning signs were ignored. PwC reported that the concealment of the true trading position began as early as 1998. The traders ‘smoothed’ profits and losses by shifting them from one day to the next. It was a practice not dissimilar to Nick Leeson’s at Barings — a lack of internal checking, concealing true transactions through the timing difference of recording, a lack of reconciliations, and a disregard for breaches of trading limits by management — practices that appeared to have been acceptable to NAB and Barings. Responsibility was ‘passed on, rather than assumed’. KPMG, which also reviewed the case, said that the NAB’s culture or ‘tone at the top’ was a key to understanding how the losses developed. The focus was on procedure manuals (rather than the substance of the issues), and KPMG said that the board must accept that it is ultimately responsible for the culture that kept it in the dark.
NAB announced the departure of its executive general manager of risk management, alongside the earlier departure of its former chairman and chief executive — a casualty list of 10 so far.

Some examples of ethics risks from different sources are described in table 3.2. Table 3.2 shows that ethics risks can be embedded in a variety of relationships, hence the sources of ethics risks classifications include individuals, organisations, groups, products and objectives. Some ethics risks originate from a self-interest motive, in which individuals and organisations attempt to maximise their own benefits or avoid losses.



Table 3.2: Examples of ethics risks under each source

| Nature | Stakeholders | Products/services | Culture, norms and objectives | Social status and reputation |
|---|---|---|---|---|
| Self-interest | Institutional investors’ pressure for earnings / forecast targets leading to earnings management | Concealing prohibitive nature of products (e.g. ill effects of drugs to protect profit) | Maximising bonus and commission by manipulating accounts and budgets by senior staff | Building monopolised services (e.g. anti-trust practices, lowballing by accounting firms) |
| Incompetence (technical or ethical) | Failure to manage staff disputes leading to employee fraud | Failure to acknowledge product safety standards resulting in customer injuries | Wrong tone set at the top, non-compliance culture leading to staff tendency to cut corners | Failure of accountants or auditor to apply standards of integrity and objectivity in financial reporting |
| Conflict of interests | Conflicts between shareholders and management leading to misleading information released to the public | Extensive non-audit services rendered by auditors leading to compromised audits being performed | Inappropriate handling of complaints or staff concerns leading to whistle-blowing situations | Failure to discharge fiduciary duties in an independent and objective manner by accounting firms |

Ethics risks can also derive from incompetence. Here, competence includes both technical competence and ethical competence. A failure to understand the nature of a transaction which results in a wrong judgment of accounting policies (e.g. capitalising expenses) is an error caused by technical incompetence, leading to inappropriate financial statements being furnished. An inability to withstand the influence and pressure of management to manipulate the earnings figures is an example of ethical incompetence. Both cases would result in unethical conduct (i.e. misleading users of the financial statements). Although it is difficult to distinguish between the two, and indeed they overlap sometimes, an ethical problem often arises from an error of judgment. Worse still is when, in some cases, an intentional error is committed to conceal an unintentional error. In terms of ethics, it is called a ‘slippery slope’, as seen in many corporate collapse cases — in HIH, One.Tel and Harris Scarfe, or in the collapse of the Barings Bank in the early 1970s.


CORPORATE COLLAPSES AND THE NEED TO RESTORE CREDIBILITY AND TRUST

Recent corporate collapses did not happen in a vacuum. Gittens (2002) argues that the prevalence of materialism in many developed countries is the key motivation of fraudsters. Motivations for material advantages and pursuits of self-interests are shown by economic and political agendas, the growth in compensation for executives and the apparent declining ethical standards among company directors and auditors. The chairman of the Australian Securities and Investments Commission (ASIC) also lamented the extent of management greed, the failure of boards to exercise good corporate governance practices such as remuneration payouts, and the record level fees and commissions earned by analysts and accountants on advisory services.

In July 2003, the International Federation of Accountants (IFAC) released a research report entitled, Rebuilding public confidence in financial reporting — an international perspective. The report concluded that the financial scandals experienced in recent times were symptoms of deeper problems and not the prime cause of the loss of credibility. The research reported the following key findings:
• Methods of ensuring the effectiveness of corporate ethics codes and active monitoring are needed.
• Financial management and controls are a prime concern for corporate management.
• Incentives and awareness of financial misstatements are required in order to reduce such opportunities.
• Board oversight of management must be improved.
• Attention to potential threats to auditor independence and corporate governance issues is needed.
• The effectiveness of audit quality processes should be monitored.
• Compliance with codes of conduct should be monitored.
• The regulatory, standard setting and financial reporting processes and practices should be strengthened.
In sum, the findings concern ethics, adequacy of financial management, reporting mechanisms, audit quality and strengthening of governance regimes. As the IFAC research report quite rightly put it, there are ‘deeper problems’ faced by accountants and auditors. Such deeper problems are the impediments and threats which jeopardise the objectivity and integrity of all parties in the supply chain of financial management and corporate governance.

As the bubble economy encouraged corporate management to adopt increasingly creative accounting practices to deliver the kind of predictable and robust earnings and revenue growth demanded by investors, governance fell by the wayside. All too often, those whose mandate was to act as a gatekeeper were tempted by misguided compensation policies to forfeit their autonomy and independence.

Source: The American Assembly (2003), The Future of the Acting Prof Report, 103rd American Assembly, Columbia University, New York.

Never in its history has the accounting profession been subject to such criticism and challenges, which eroded public confidence and led to the sweeping changes in legislation and government intervention. From the enactment of the Sarbanes–Oxley Act in 2002, as well as the Public Company Accounting Oversight Board in the United States, we witnessed the publication of numerous papers of reforms and research reports. In Australia, the more recent developments are:


• CLERP Discussion Paper No. 9: CLERP (Audit Reform and Corporate Disclosure) Act 2004
• the ASX Corporate Governance Principles and Best Practice Guidelines 2003
• Standards Australia’s Australian Standards for Corporate Governance, which includes Good Governance Principles, Fraud and Corruption Control, Organisational Codes of Conduct, Corporate Social Responsibility, and Whistleblower Protection Programs for Entities. These standards were issued in 2003 as AS8000 Standards.
• the HIH Royal Commission reports (three volumes), which detail the problems and recommendations for parties such as the accounting profession, governments, auditors, corporate managers and board of directors.

In an address in March 2004 to the Institute of Chartered Accountants in Australia, the Acting Chairman of ASIC emphasised the priorities of ASIC in 2004. The address reiterated the increased responsibilities of ASIC, which are to maintain, facilitate and improve the performance of the financial system and the entities within it, which includes reducing business costs and improving the efficiency and development of the economy. The collapse of entities such as HIH, Enron and WorldCom has moved regulatory reforms higher up the public agenda, particularly as they relate to disclosure and audit. An example of these is the regulation S1013D(1) of the Financial Services Reform Act 2001 (FSRA), which requires the issuer of financial services products, including superannuation funds, to disclose ‘the extent to which labour standards, or environmental, social or ethical considerations are taken into account in the selection, retention or realisation of the investment’. Another example is the CLERP (Audit Reform and Corporate Disclosure) Act 2004, which strengthens the obligations of auditors to report breaches of the law to ASIC.
ASIC regards the administration of the Financial Services Reform Act, CLERP (Audit Reform and Corporate Disclosure) Act 2004 and surveillance programs as its priorities. All three have major implications for the role of accountants and finance professionals. The introduction of the financial services reform (FSR) regime set new standards, which meant that the entire financial sector was brought under a consistent set of regulations. There is a harmonised licensing system, disclosure and conduct framework and a single regime for financial product disclosure. The CLERP (Audit Reform and Corporate Disclosure) Act 2004, on the other hand, is the government’s response to the series of corporate governance and accounting failures. Examples of the CLERP (Audit Reform and Corporate Disclosure) Act 2004 provisions include:
• expanding the role of the Financial Reporting Council, which is to be responsible also for the oversight of the accounting and auditing standards-setting regime
• providing legal underpinning for auditing standards
• strengthening auditor independence, including requiring rotation of audit partners of listed company clients after five years
• providing greater protection for those who report breaches of the law to ASIC
• enhancing disclosure and accountability to shareholders, including on executive and director remuneration
• introducing a new duty for financial services licensees to manage conflicts of interest.

As stressed by the acting chairman in his address, one of the foundations of good governance is the provision of adequate, timely and reliable information about corporate performance. This is the responsibility of those who direct and control the corporation, its finance personnel and the experts brought in under the law as independent judges — that is, the auditors.
Auditors, in particular, have always faced the dilemma of trying to reconcile a commercial service provider-client relationship with the responsibility of a watchdog or a ‘contracted regulator’ of corporate financial reporting. The two roles conflict and are not equally supported. All the commercial incentives support the service provider role, and very little, if anything, has supported the watchdog role. The CLERP (Audit Reform and Corporate Disclosure) Act 2004 tries to redress the balance, and supports the public responsibility or ‘watchdog’ aspect of auditing. Not only that, in the opinion of the acting chairman, a clear market expectation now is that auditors should be bloodhounds, not just watchdogs. It expects auditors to take the initiative where they discern something amiss — to find and reveal what is hidden. To remain a profession, therefore, accounting must address issues ranging from the underlying potential problems or conflicts created by the consolidation of the financial industry to the need to restore its credibility by critically re-examining its fundamental values and roles.

WHY LEARN ETHICS?

The accounting profession has suffered a series of setbacks with the financial collapse of business firms involved in financial fraud without detection from their auditors. Critics usually cite a breakdown in the ethical standards and behaviour of accountants as a contributing factor in such scandals. Consequently, a number of organisations recommend the inclusion of ethics into business curriculums. For example, The National Commission on Fraudulent Financial Reporting 1987 (Treadway Commission) recommends the inclusion of ethics education in business curriculums to help prevent, detect, and deter fraudulent reporting. The two major Australian accounting bodies (CPA Australia and the Institute of Chartered Accountants Australia) and universities now include ethics in their educational programs.

The phrase ‘ethics education’ has a variety of connotations. For some, it means instruction to obey the law, while for others it is improving moral character. Critics of ethics education argue that a student’s moral standards have been fully developed and firmly entrenched by traditional institutions such as church and family by the time they reach university. The university curriculum, therefore, is unlikely to influence students’ attitudes. However, supporters of ethics education claim that changing students’ habits, beliefs and values is not, and should not be, a primary function of a course in ethics. The primary function should be to teach ethical systems of analysis, not moral standards of behaviour. The goal of ethics education is not related to value-shaping, but to helping the fundamentally decent, well-intentioned student by introducing skills to deal effectively with ethical challenges.
Ethics education will not convert a ‘deviant’ to a ‘virtuous human being’, but students with good instincts and a genuine concern for others will be able to detect issues more perceptively, think about them more carefully and to understand more clearly the reasons for acting morally. Therefore, one goal of this chapter is to provide you with a framework to identify, analyse and resolve ethical problems. Whether or not you choose to utilise these skills in your professional life is a separate issue.

NORMATIVE THEORIES OF ETHICS

In this section we identify and classify three approaches to ethical judgment, which will not only help you to understand the language of normative ethics but also provide a framework for moral discourse in later chapters. As you read through the following material you should bear in mind that theories of ethics are not based on utopian notions of idealistic living — they reflect the way people make decisions in their everyday lives.


A normative theory is represented by a value judgment on what ‘should’ or ‘ought’ to happen; it is not concerned with what does happen. For example, fidelity as a normative principle suggests that people should always be truthful even if deception is common or usual practice. In ethics, a normative theory provides a principle, standard or value on how we ought to behave toward others by considering the right and wrong of our actions. Ethics is about doing good instead of harm and it does this by setting a standard of virtuous conduct. Therefore, a normative ethical theory provides a principle on how we ought to behave irrespective of current social norms and practices. Understanding principles of good behaviour is important if we are to make ethical decisions and behave appropriately.

It is customary to divide normative ethical theories into two broad classifications, consequential and non-consequential. Consequential theories define good in terms of its consequences, thus giving rise to the term consequential. The best-known example of a consequential theory is utilitarianism. In contrast to consequential theories we have non-consequential theories, which define good not by its consequences, but by its intrinsic value, regardless of whether its obedience produces undesirable outcomes. For a non-consequentialist, an act or decision is right because it is the right thing to do. The best-known examples of non-consequential theories are the rights and justice theories. Each of these theories is discussed on the following pages.

Consequential theories of ethics

In ethical decision making, even the best intentions are of little value unless an ethical outcome is achieved. Proponents of this view support the notion that consequences are important for assessing the moral worth of an act or decision. In general terms, consequential theories determine right from wrong based on the results or consequences of the action or decision, and if the good consequences outweigh the bad consequences, the decision or action is morally correct. There are a variety of consequential theories; in this chapter we examine the theory of utilitarianism.

The theory of utilitarianism

The theory of utilitarianism is concerned with making decisions that promote human welfare. According to this theory, the ethical alternative is the one that maximises good consequences over bad consequences. Expressed as a guiding principle, something is morally good to the extent that it produces the greatest balance of good consequences over bad consequences for the greatest number of people. The principle is commonly expressed as ‘the greatest benefit for the greatest number’. This should not be confused with producing the greatest total benefit, but the action that produces the greatest benefit after allowing for total costs.

Jeremy Bentham (1784–1832), the father of utilitarian ethics, defined utilitarianism as the greatest happiness principle. The greatest happiness principle measures good and bad consequences in terms of happiness and pain. To this end, acts are right to the extent that they promote happiness (which makes life more content) and avoid pain (which makes life worse). The terms happiness and pain have broad meaning and encompass all aspects of human welfare, including pleasure and sadness, health and sickness, satisfaction and disappointment, positive and negative emotions, achievement and failure, and knowledge and ignorance.


Applying the utilitarian principle is a procedural process involving five simple steps. They are:
1. Define the problem.
2. Identify the stakeholders affected by the problem.
3. List the alternative courses of action for resolving the problem.
4. Identify and calculate the short- and long-term costs and benefits (pain and happiness) for each alternative course of action.
5. Select the course of action that yields the greatest sum of benefits over costs for the greatest number of people.

The theory of utilitarianism is attractive because it fits neatly into people’s intuitive criteria for deciding moral problems. People make crude comparisons between their likes and dislikes every day and are quick to point out the benefits and harms of proposed actions. For example, a proposal to introduce fees for education will immediately conjure up notions of affordability and accessibility. Utilitarianism is appealing to many people because it takes a pragmatic, commonsense, and even unphilosophical, approach to ethics. Actions are right to the extent that they benefit people. Alternatively, actions that produce more benefits than harms are right, and those that do not, are wrong. Therefore, the advantage of utilitarianism lies in its simplicity and defensibility. This comparative cost–benefit approach to ethical decision making provides a straightforward method of analysing and resolving ethical problems. Once resolved, decisions can be explained and justified with utilitarian reasoning.

LIMITATIONS OF UTILITARIANISM

The cognitive process required for utilitarian decision making appears similar to the cost–benefit analysis that is normally applied in business decisions. However, there are three important distinctions between the application of the utility principle and the traditional cost–benefit analysis: the nature of the consequences, the measurability of the consequences and stakeholder analysis.

The nature of the consequences

In analysing the consequences of the various alternative courses of action, we must be careful not to consider consequences in strict economic terms. As stated above, costs and benefits are defined as pain and happiness, which encompass all aspects of human welfare and emotions. Consequences in utilitarian analysis are not restricted to financial matters. This does not mean that economic outcomes should be ignored, but that they should receive the same consideration as non-economic outcomes. The problem for most accountants, and business people generally, is that they are inclined to focus on the economic outcomes and ignore other non-quantifiable variables. This typically occurs in business where cost–benefit analyses are measured predominantly in economic terms and for their impact on the profit motive. The comfort and objectivity associated with measurable outcomes tempts people to favour quantifiable criteria and, in doing so, ignore non-quantifiable variables, even though they may be sometimes more important. This kind of faulty analysis displays a quantitative bias that may exclude other more attractive courses of action that rely more heavily on non-quantifiable outcomes.

The measurability of consequences

The utilitarian principle assumes that we can somehow measure and add the quantities of happiness produced by an action and subtract them from the quantities of measured pain, thereby enabling the selection of a course of action that produces the greatest net happiness. However, not all benefits and harms have an easily determined unitary or monetary value. How can sadness, pleasure or contentment be measured? Even when unitary measurement is possible, the relative weighting given to outcomes will vary with different people. What is good for one person may be harmful to another. It is likely that two people applying a utilitarian analysis to the same problem will arrive at different conclusions simply because of the way in which outcomes are measured and weighted. Fortunately for accountants, they, more than many other professions, possess the skills for measuring and assigning values to uncertain outcomes.

Stakeholder analysis

Proper application of the utility principle requires a deliberation of the consequences on all people affected (stakeholders) including, but not restricted to, the decision maker. By contrast, the typical cost–benefit analysis in business considers the impact of the consequences primarily in terms of the entity or person that is making the decision. Other stakeholders are considered only in so far as they affect the business entity. A utilitarian analysis goes beyond that of the decision maker and seeks to maximise net happiness to as many stakeholders as possible. An act that promotes self-interest at the expense of others is unethical on utilitarian grounds.

Non-consequential theories of ethics

The alternative to consequential theories such as utilitarianism are non-consequential theories. A non-consequentialist affirms that duties must be obeyed regardless of the outcomes, hence the term non-consequentialism. A non-consequentialist would argue that the end does not justify the means and the intention to do the right thing is more important than the result. The question here is what is the right thing? We examine two examples of non-consequential theories: the theory of rights and the theory of justice.

The theory of rights

The rights principle stems from the belief that people have an inherent worth as human beings that must be respected. Therefore, according to the theory of rights, a good decision is one that respects the rights of others. Conversely, a decision is wrong to the extent that it violates another person’s rights. When confronted with a moral dilemma, consideration must be given to the rights of the individuals involved, and decisions must respect the rights of others. Having rights or entitlements, such as freedom of speech, is worthless unless individuals are free to pursue their entitlements unhampered. For example, in Australia people have a right to speak freely on all matters of their choosing. This right imposes an ethical obligation on others to ensure that the right to speak freely is respected. Similarly, in education, lecturers have a right to be heard; in turn, this right imposes an obligation on students to ensure that those who want to listen, can. Therefore, not only does the rights principle give due recognition to individual rights, but it also imposes an obligation on individuals not to interfere with others’ privilege to pursue and enjoy their rights.

NATURAL RIGHTS

In general, rights can be divided into two categories: rights that exist independently of any legal structure and rights that are created by social agreement. The former are known as natural rights, and these rights are commonly referred to as human rights or constitutional rights. A detailed discussion of the various natural rights is beyond the scope of this book; however, a list of the rights that are commonly advocated in western societies includes:
• freedom of choice — the right to be able to make decisions without fear of reprisal
• right to the truth — the right to be accurately informed of all matters that affect decisions
• right to privacy — the right to live life as one chooses
• freedom of speech — the right to speak freely and be heard
• right to life — the right to be protected from injury, including safety in the workplace
• right to due process — the right to a fair hearing
• right to what is agreed — the right to have promises and contracts honoured.

Drawing from this list, the right to the truth is central to the function of accounting. The public, particularly users of financial statements, has a right to truthful and accurate financial information when making choices on alternative investment strategies. This right imposes a moral obligation on the accountant and the reporting entity to prepare and issue true and fair financial reports. Upholding the integrity of the financial reports is critical if members of the accounting profession are to respect the users’ right to make fully informed choices.

LEGAL RIGHTS AND CONTRACTUAL RIGHTS

The second category of rights consists of rights created by agreement, which include legal rights and contractual rights. It is this type of right that is important in the accountant–employer and the accountant–client relationship. Accountants are employed by companies or commissioned by clients for their expert knowledge and skills. In return for their professional services, accountants are financially rewarded with fees or a salary. The contractual relationship between the parties means that clients and employers have a legal right to expect professional and competent service. In turn, accountants have a corresponding legal duty to perform their tasks to the best of their ability within the constraints of their expertise. If an accountant does not possess the requisite skill to perform the task properly, he or she has a professional and moral obligation to seek specialist advice or, if necessary, decline the task. A list of the rights and corresponding duties peculiar to the accounting profession is presented in table 3.3.

Table 3.3: Stakeholder rights and the accountant’s corresponding duties

| Value | Stakeholder | Stakeholder rights | Accountant’s duties |
|---|---|---|---|
| Privacy | Clients and employers | The right to expect that information regarding their activities will not be disclosed to a third party. | To ensure that all information discovered in the course of their work is not disclosed to a third party without the stakeholder’s express permission. |
| Competence | Clients and employers | The right to receive a service that is expertly applied. | The duty to maintain expertise and apply their skills diligently. |
| Wellbeing | Clients, employers and the public | The right to expect that the service provided by the accountant will advance the stakeholder’s best interests. | The duty to ensure that accountants subordinate their self-interest in favour of their client or employer and to avoid any relationship or event that may compromise objective judgment. |
| Respect for peers | Members of the accounting profession | The right to expect that their reputation as competent and trustworthy professionals is not discredited by the behaviour of their peers. | The duty to ensure that their behaviour does not adversely affect the good reputation of the accounting profession. |
| Truth | Users of accounting information | The right to receive complete, accurate and truthful financial information. | The duty to comply with accounting standards in the preparation of accounting reports and to be prepared to depart from accounting standards if compliance will produce misleading statements. |

You will observe from your perusal of table 3.3 that a corresponding duty imposed by a right can fall on all members of a group as well as individuals. For example, the duty of a professional accountant to ‘respect peers’ imposes an obligation on all members of the accounting profession. Accountants should be mindful that their responsibilities extend not only to individual clients, employers and other accountants, but also to the public and the community of accountants. The values discussed in table 3.3 are embedded in the Joint Code of Professional Conduct.

LIMITATION OF THE RIGHTS PRINCIPLE

One problem associated with the rights principle is that it does not always provide satisfactory solutions to many problems. Difficulties arise when the dilemma involves a conflict among two or more equally compelling rights. Take, for example, a situation involving a client behaving illegally. Which right has priority: the client’s right to privacy or the public’s right to the truth? Unfortunately, the theory does not prioritise or give weight to the various rights — it merely states that individuals have rights that must be respected. Therefore, there is no clear way to address problems of conflicting rights. This lack of hierarchy is a major problem of the rights principle.

The theory of justice

Understanding the theory of justice is complicated by the various notions of justice. In everyday language, justice is often described as fairness, which refers to the correlation between contributions and rewards. However, fairness alone does not adequately define the concept of justice as there is as much subjectivity in fairness as there is in justice. For instance, what one person may think is fair or just, another may not. Other forms of justice include equality, which assumes that all people have equal worth; procedural justice, which is concerned with due process; and compensatory justice, which aims to redress the loss from a wrongful act. A comprehensive theory incorporating the various domains of justice has yet to be developed. Until such time, the justice principle and its application will have different meanings in different contexts. In this chapter, we focus our discussion on the principle of distributive justice.


DISTRIBUTIVE JUSTICE

Disputes between people often arise because one person accuses another of unfair treatment or failing to accept a fair share of responsibilities. Resolving these types of disputes means that we must compare, weigh up and strike a balance between the conflicting claims. This comparative approach to problem solving is based on the principle of distributive justice, which is primarily concerned with the fair and equal distribution of benefits and burdens. The theory of justice, based on the principle of distributive justice, focuses on how fairly our decisions and actions distribute benefits and burdens among members of the group. An unfair distribution of benefits and burdens is an unjust act and an unjust act is a morally wrong act.

Applying the justice principle to the resolution of an ethical problem is a three-step process. First, the decision maker identifies the benefits and burdens that are likely to result from a proposed action and decision; second, the benefits and burdens are assigned to the stakeholders affected by the action or decision; and third, a judgment is made to determine whether the distribution of benefits and burdens is fair and equal to the people affected. What constitutes a fair allocation will depend on the circumstances. A fair distribution of benefits and burdens does mean an equal distribution. The third step implies a reasonable allocation or sharing of both benefits and burdens among the stakeholders. Benefits and burdens that are singularly allocated to different stakeholders are unacceptable. For example, a decision that results in the allocation of benefits to one stakeholder and burdens to a different stakeholder is unjust.

You may have noticed the similarities between utilitarianism and justice. Both systems of analysis require a comparative approach to ethical decision making. While the two theories have parallel processes, it is a mistake to assume that utilitarianism and justice are similar. The difference lies in the respect afforded to people as individual beings. Justice is concerned with individual fairness and liberties, whereas utilitarianism is concerned with total net happiness. Utilitarianism supports the maximisation of utility but is indifferent to the distribution of benefits to individuals, particularly the minority. By definition, a utilitarian act is one that maximises total net happiness to the majority. Therefore, harm to the minority can be justified on utilitarian grounds so long as there is a net benefit to the majority. In some cases, the rights and wellbeing of some individuals may be disadvantaged for the benefit of the majority. There are many examples of racism and exploitation, such as depriving Aboriginal people of their land rights, which have occurred because of the greater happiness rule.

LIMITATIONS OF JUSTICE PRINCIPLE

Applying the justice principle is as problematic as defining it, particularly when the decision affects the wellbeing of others. The difficulty in applying the justice principle becomes apparent when the rights of some may have to be sacrificed in order to ensure a more equitable distribution of benefits. For example, in business many employers have instituted affirmative action policies designed to reduce the effects of past discrimination on women and minorities in employment. The ‘glass ceiling’ is a term that is commonly used to describe the barriers that women face in reaching senior positions within organisations. The preferential treatment afforded to men means that women are under-represented in senior ranks. Under affirmative action, companies must establish policies to correct this deficiency. However, awarding jobs or promotions to women or minorities based solely on the interests of affirmative action is arguably another form of discrimination — reverse discrimination. More qualified people may be passed over for less qualified people. If discrimination is wrong in the first instance, it couldn’t possibly be right in the second instance.


In conclusion, we must be careful to distinguish just results from just procedures. Procedural justice deals with rules or procedures that result in fair and just outcomes. Procedures should be well defined and communicated and corresponding rules should be administered fairly and impartially enforced. Doling out rewards in accordance with procedures that have been unjustly determined is as morally wrong as an unfair distribution of benefits.

Why three normative theories of ethics?

The theories described in this chapter represent well-accepted theories that can be applied in day-to-day decision making in everyday life and in the world of business and accounting. Being aware of a broad range of ethical theories provides alternative approaches to analysing a situation with moral implications. A range of theories provides insights from a number of perspectives — this is generally not achievable from a single theory. Moreover, a range of theories provides different perspectives on the same problem and, in doing so, is likely to improve the decision maker’s awareness and understanding of the ethical issues involved in the dilemma. An overview of the theories described in this chapter is presented in table 3.4.

Table 3.4 Summary of the normative theories of ethics

Utilitarianism
Type: Consequential
Principle: Maximising the wellbeing of the majority
Decision rule: An ethical decision is one that produces the greatest benefit to the greatest number of people.

Rights
Type: Non-consequential
Principle: Respecting individual rights
Decision rule: An ethical decision is one that does not impinge on the rights of another.

Justice
Type: Non-consequential
Principle: Fair and equal distribution of benefits and burdens
Decision rule: An ethical decision is one that produces the fairest overall distribution of benefits and burdens.

Applying the normative theories of ethics

Understanding ethical theories such as the ones presented in this chapter is beneficial for two reasons. First, the principles derived from normative ethical theories serve as the criteria for judging the moral rightness of an act or decision (after the event); and second, ethical principles provide a structured approach for making ethical decisions (before the event). At this point we provide you with an example demonstrating the application of the normative ethical theories in an accounting-related problem. See ‘In practice: Cooking up a venture’.


IN PRACTICE

Cooking up a venture

Vincent is desperate to secure an additional loan to fend off insistent creditors. Vincent believes he can secure a loan from the bank so long as he can support his claims with a positive financial report. Vincent asked his public accountant, Jane, to ‘cook the books’ so that the financial statements appear more favourable than they really are. Vincent asked Jane to do whatever she could to make the reports appear as favourable as possible. Vincent emphasised, ‘whatever it takes’. When Jane questioned his motives, Vincent became apprehensive and threatened to withdraw Jane’s services unless she complied with his request. Jane was left contemplating her choices; she may either accept or reject Vincent’s request. What should Jane do?

Utilitarianism

According to the utilitarian principle, the ethical solution is the course of action that produces the greatest net benefit to the greatest number of stakeholders. We begin our utilitarian analysis by listing the possible consequences and stakeholders affected for each alternative course of action:

IF JANE COMPLIES WITH VINCENT’S DEMAND

POSITIVE CONSEQUENCES
• The probability of Vincent receiving a loan will be enhanced.
• Vincent and the bank will benefit financially if the loan is used to improve the profitability of the business.
• Jane will retain Vincent as a client and her billings will not diminish.

NEGATIVE CONSEQUENCES
• Jane’s integrity as a professional accountant will suffer.
• Based on the revised financial reports, the loan carries an unknown risk. Vincent and the bank will be financially poorer if Vincent defaults on the loan.

IF JANE REJECTS VINCENT’S DEMAND

POSITIVE CONSEQUENCES
• Jane’s integrity and her reputation remain intact.
• The bank is protected from an investment that carries an unknown risk.
• Vincent will avoid further financial stress from servicing an additional loan.
• Vincent may avoid additional financial losses if the loan does not improve the profitability of the business.

NEGATIVE CONSEQUENCES
• Jane may lose Vincent as a client (this could also be a positive outcome) and reduce her billings.
• Based on the existing financial reports, Vincent is unlikely to raise the loan. He must find alternative methods to fend off the creditors.


Choosing an ethical alternative based on the consequences will often depend on the probability of the outcomes occurring. Unfortunately, the uncertainty or the lack of predictability of outcomes is a major problem with utilitarian analysis. In this dilemma, we must consider the likelihood of the loan improving the profitability of the business. If the subsequent outlay from obtaining the loan is successful, the majority of stakeholders (Vincent, the bank, creditors, employees and Jane) will be better off. If the subsequent outlay is unsuccessful, the majority of stakeholders will be financially poorer. The success of the investment is difficult to determine from the facts stated above; however, the probability of a successful return on investment must be questioned when the acquisition of the loan relies on questionable financial reports. On the basis that an adequate return on investment is unlikely, the majority of stakeholders will be worse off if Jane complies with Vincent’s demand to ‘cook the books’. Therefore, Jane should reject Vincent’s request.

Rights

Individuals have a right to the truth. In accounting, this means users of financial statements have a right to receive true and accurate financial reports and accountants have a corresponding duty to prepare the financial reports accordingly. To do otherwise is unethical. Therefore, Jane should refuse Vincent’s request to cook the books as she has an ethical obligation to prepare the financial statements in accordance with the applicable accounting regulation to ensure as far as practicable the truthfulness of the reports.

Justice

Jane must identify the benefits and burdens that are likely to result from her decision and assess the fairness of the distribution of such benefits and burdens to the various stakeholders. In this case, Vincent will benefit from the acquisition of the loan that he may not have otherwise acquired. On the other hand, the bank must shoulder the burden of an investment that is riskier than the financial reports indicate. This is clearly unfair, as one party, Vincent, receives the benefits, and a different party, the bank, is shouldering the burden. Jane must, once again, refuse Vincent’s request.

Challenges to ethical behaviour

There are many reasons why good people make bad decisions. In this section, we briefly examine three factors that challenge ethical behaviour. The first reason returns us to the issue raised earlier in this chapter: why learn ethics? The traditional notions of accounting education and practice possess a mechanistic perspective that focuses on techniques rather than the broader questions of human values and morality. The lack of attention given to ethical values means that accountants lack the skill or sensitivity to recognise and deal with ethical issues when they arise. The implication for accountants is that ethical issues are inadvertently overlooked because they focus too much on technical issues. It may not be that people in business are devoid of moral values, but that they are deficient in tools of ethical analysis, which allow them to reconcile their responsibilities as professionals and individuals. These are people who basically want to do the right thing, but who lack the intellectual background and the attendant moral courage to actively and forcefully defend their views. With ethics education, accountants will be able to identify predicaments when they arise, determine how to resolve problems and, more importantly, have the rationale and vocabulary to take and defend their ethical positions.


Contextual factors in the workplace are the second reason why people make bad decisions. Professionals must often balance competing demands from superiors, peers and subordinates while simultaneously pursuing organisational goals which can often temper the quality of ethical decision making at work. The organisational context can influence the direction of either higher or lower levels of ethical decision making. Workplace pressures, often driven by the profit motive, can sometimes compromise personal and ethical values. Accountants will make morally defendable decisions only if the business environment, particularly superiors, supports that view. As employees, accountants will give the ‘official position’, rather than their individual judgment. This sometimes explains why people make decisions at work that are quite different from their personal decisions, which are unaffected by job concerns.

The third reason why people make questionable decisions is selfishness. Selfishness, also known as psychological egoism, is a theory that describes human nature. In this context, psychological egoism explains how people do behave rather than how they should behave. According to this view, people in their natural state are selfish and motivated by self-preservation and self-gain. Egoists (selfish people) are driven by self-interest and their actions are motivated by the desire to achieve their own interests without concern for others. The problem with the pursuit of self-interest is that it is sometimes at odds with the interests of other parties. Questionable acts such as discrimination and dishonesty may be justified if they promote self-interest. When analysed further, acts of self-interest are not always self-serving acts. In many instances, the egoist will consider others because ultimately their relationship will become mutually advantageous. An egoist will seek to further the interests of others if it is believed that reciprocity will advance the egoist’s self-interest. Advocates of egoism claim that if everyone adopts a policy of pursuing self-interest, then eventually everyone is better off. If societal interest is equal to the sum of individual interests, the promotion of self-interest adds to the total value of societal interest.

PART B: Ethics, fraud and computer crime

ETHICAL DECISION MAKING

Having classified some of the different models for analysing behaviour (the ethical models) and the perspective that will be applied within each of these models (stages of moral development), a framework is needed in which to apply them. Being aware of the ethical perspectives is just one part of making an ethical decision. This section discusses the different stages of ethical decision making and how the previously discussed ethical perspectives can be applied to ethical decision-making scenarios. The stages to go through when making an ethical decision are:

1. Identify the facts.
2. Define the issue(s).
3. Identify the principles that can be applied.
4. Identify possible actions and the stakeholders affected by these actions.
5. Compare steps 3 and 4.
6. Select a course of action.
7. Implement the selected course of action.


1. WHAT ARE THE FACTS?

The first step is to identify the main facts of the case you are dealing with. This can include the identification of stakeholders who are involved in the decision, actions leading up to the decision and any other information relevant to making an informed decision.

2. DEFINE THE ISSUE

Based on the facts of the case identified in step 1, what is the ethical issue you are dealing with? Note that a case could have more than one ethical issue involved.

3. WHAT PRINCIPLES CAN BE USED TO SOLVE THE ISSUE?

Having identified the ethical issues, principles or sources of authority for solving the ethical issue must be sought. It is at this point that the different perspectives discussed previously will come into the ethical decision-making model. The decision maker will identify the different sources of authority and principles that are relevant to resolution of the ethical issues identified in step 3.

4. WHAT ARE THE ALTERNATIVE COURSES OF ACTION AND THE STAKEHOLDERS AFFECTED BY THESE ACTIONS?

The next step is to identify all the possible alternatives. At this point the best alternative is not being selected. Rather, the aim of this stage is to be aware of what possibilities exist for resolving the ethical problem. Do not be restrictive at this point: all possible courses of action should be listed. How the different courses of action affect the different stakeholders identified in stage 1 of the decision-making process is also of interest. Therefore, each alternative needs to be evaluated from the perspective of the different stakeholders. Does the alternative produce a desirable outcome for the stakeholder? Why?

5. HOW DO THE PRINCIPLES MATCH UP WITH THE ALTERNATIVE ACTIONS?

At the fifth stage, the interest lies in matching up the courses of action with the ethical principles. The fundamental question at this point is whether the alternatives are consistent with the principles identified in step 4. The answer to this question will very much depend on the ethical sources identified in step 4, because a deontological approach could yield different results to a teleological approach.

6. SELECT THE MOST APPROPRIATE ACTION

With the alternatives to the ethical principle mapped, the best needs to be selected. Again, the selection of the ‘best’ alternative will very much depend on whether a deontological or teleological perspective is taken. Is the concern which alternative has the best course of action or which produces the best result? Will the best outcome be chased regardless of the actions required to achieve it? Again, the answers here will depend on the ethical perspective of the individual.

7. IMPLEMENT THE DECISION

Having evaluated the alternatives, mapped them against ethical principles and selected the most desirable option, that option now needs to be implemented. Afterwards, the person and organisation may be interested in any feedback from the decision. For example, if the decision was to restructure the production line and replace all workers with machines, was there negative feedback in the print media? Does this affect the likelihood of repeating the decision in the future?


ETHICAL ISSUES FOR BUSINESSES WITH AN AIS

Think of some of the recent events you may have experienced as a customer — for example visiting the doctor or consulting an accountant — that require you to divulge personal information. Implicit in this is the expectation that the doctor or accountant will use the information ethically. For example, you would not expect your family doctor to discuss details of your ailments and problems at the next dinner party he or she attends. Likewise, you would expect your accountant to keep details of your financial position and wealth to himself or herself and not discuss it with other clients. In each of these cases there is an expectation that the professional acquiring the information from the client will use it only for the purpose for which it has been gathered. Commercial enterprises face similar ethical expectations when dealing with their customers. From an organisation’s perspective, the issue of ethics is one that will not disappear. As we move increasingly to an electronic business environment, the issue becomes even more prevalent.

Customer protection and privacy

Privacy and trust are two big issues for those people and organisations that interact with an organisation. Many people place great value on their privacy. Consider for example the controversy when in 1986 the Australian government proposed the introduction of the ‘Australia Card’: a national identity card that would see each Australian allotted a unique number that would be used in all dealings. Such cards are used throughout the world for a variety of purposes including greater government efficiency, reducing social security fraud and improving border control. Their effectiveness in achieving these aims is debatable. The primary argument for the Australia Card was a reduction in tax evasion and avoidance, along with the benefit of rationalised record keeping. The Australia Card proposal raised many public concerns about the individual’s right to privacy. Potentially, such a system would allow a massive pooling of data about an individual. Data on the card’s owner can also be stored in a smart card chip. Provisions were in place to protect the use of the data associated with each person’s unique number but some questioned their effectiveness. Social concerns related to the card included that Australia could, given the correct combination of political and social factors, become an authoritarian state with extensive tracking of individuals. Additionally, concerns emerged that ‘merged data’ — the data pooled from several databases — could be misinterpreted and that data may not be secure. The Australia Card was never introduced, the proposal being twice rejected by the senate.

Privacy issues centre around the questions of:
• What happens to my personal information once I give it to you?
• Who can access my personal information?
• How secure is my personal information?

Consider Blockbuster Video in the United States. Blockbuster Video maintains an extensive database of borrowers and the videos that they hire. Profiling these data enables Blockbuster to categorise its customers based on the types of movies that they hire. This gave Blockbuster a profile on their customers that had many third-party marketers desperate for a piece of the action. Here, a set of simple transaction data can be sorted and filtered to yield insightful perspectives on customers that would be worth money to the organisation. This is a quandary for those in the area of AIS: as technology develops, making data gathering and analysis easier and more sophisticated, the issue of what is best for the company versus what is best for the customers presents itself. This is discussed further in the section on managers.

Another example is that of Lotus Development Corporation, which planned to release a CD-ROM containing the names, addresses, demographic information and purchase behaviour of 120 million consumers. The proposal caused unrest and was eventually scrapped due to privacy issues.

A final example of privacy of information can be gleaned from a recent incident that involved Telstra, the major telecommunications provider in Australia. In August 2002 the Herald Sun reported that Telstra had inadvertently published hundreds of silent numbers in their paper and Web-based telephone directories. Outsourcing of directory production was attributed as the cause of the error. This error was seen as concerning, since the article stated that many professionals — for example lawyers, doctors, psychiatrists — have silent numbers for professional reasons.

An AIS captures, verifies, stores, sorts, and reports data relating to an organisation’s activities. Electronic AIS allow organisations to gather much more information about people than was possible in the more traditional environment. Indeed, the details of any interaction with the AIS can be captured and this information can then be used in many ways. The person interacting with the AIS is not necessarily aware of what information is being captured or how it will be used. This raises some ethical concerns for those who design and use information systems. The organisation has both ethical and legal responsibilities to respect people’s right to privacy and this affects how they can capture and use information.

Consider organisations’ use of websites. Businesses are increasingly turning to the Web to advertise and sell their products.
E-commerce offers efficient transactions, customer convenience (the ability to shop whenever and from wherever they like) and the potential to reach a broader marketplace. A business can also capture extensive information about visitors to its website. When users visit a website they leave behind electronic footprints, which enable the site owner to identify what site they came from, what they did while on the site and where they went after viewing the site. Based on these data, viewers can be profiled and advertising targeted to meet user interests, needs and preferences.

A second issue stemming from e-commerce is what happens to the data about consumers after they have been gathered. Organisations can do data mining and customer profiling and what troubles ethicists is that this can happen without the user being aware of it: there is often no explicit seeking of consent to the gathering and use of the data. Consumer advocates see this as an invasion of privacy that can lead to a lack of trust on the part of the consumer. This lack of trust has big implications for the future development of e-commerce. Additionally, the customer profiling may not necessarily generate an accurate picture of the customer.

One company that has been particularly successful in offering products that assist organisations in monitoring and responding to usage of their website is DoubleClick. DoubleClick makes extensive use of cookies: small files stored on a computer’s hard drive that keep a record of websites viewed, viewing preferences, user profiles and so on. Developed ostensibly to allow websites to display in the most user-friendly format, based on the operating system used, browser type and so on, cookies can also help organisations to gather data about the people that access their websites. For example, a cookie can:
• ensure the browser does not display ads the user has already seen
• ensure ads are shown in a particular sequence
• track whether a user has visited the site before
• track the previous and next sites the user visits.

This information can, for example, allow advertisers to measure the effectiveness of their ads by tracking which ones are bringing users to their website to purchase or register. Through the tracking of IP addresses, as well as gathering the details of users as they log on and purchase from Web-based store interfaces, companies are able to build up relatively comprehensive profiles of a customer, including interests, purchasing patterns and viewing patterns on the Web. This information can then be used to target online advertisements and banner displays that appear when the user accesses a particular page. Through these technologies DoubleClick offers a way for organisations to target online advertising to specific customers, thus increasing the relevance of banner advertising and adding to revenue through increased sales.

It is clear that this raises some ethical issues, particularly privacy issues, that directly affect customers of an organisation. If a consumer makes a purchase through an online store or accesses a website, are they aware that information is being gathered about them, a profile being developed that could be used in future marketing efforts? If not, then is it right for the organisation to gather this information? These are very real issues for information systems professionals that extend to the AIS domain, especially as the development of electronic commerce sees the AIS playing a major role in supporting online consumer activities.
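The cookie uses listed above can be made concrete with a short simulation. It is an added illustration, not part of the original text and not any vendor's code; the AdServer class, the 'vid' cookie name, the ad names and the sample requests are all constructed assumptions, and only the referring ('previous') site is modelled.

```python
"""Constructed simulation: what an ad server can record with a single cookie."""
from http.cookies import SimpleCookie
from itertools import count

# Hypothetical campaign: ads are meant to be shown in this order, once each.
AD_SEQUENCE = ["ad-intro", "ad-offer", "ad-reminder"]


class AdServer:
    """Toy ad server keyed on a 'vid' (visitor id) cookie. All names are assumptions."""

    def __init__(self):
        self.profiles = {}        # visitor id -> data accumulated about that browser
        self._next_id = count(1)

    def handle(self, cookie_header, referer, page):
        """Serve one ad request.

        Returns (ad, set_cookie, returning): the ad chosen, the Set-Cookie value
        issued to an unrecognised browser (None for a known one), and whether
        the browser was recognised from an earlier visit.
        """
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        vid = jar["vid"].value if "vid" in jar else None
        returning = vid in self.profiles          # "has this user visited before?"

        set_cookie = None
        if not returning:
            # Unknown browser: open a new profile and hand out an identifier.
            vid = f"v{next(self._next_id)}"
            self.profiles[vid] = {"ads_seen": [], "pages": [], "referers": []}
            out = SimpleCookie()
            out["vid"] = vid
            out["vid"]["path"] = "/"
            set_cookie = out["vid"].OutputString()

        profile = self.profiles[vid]
        # Skip ads already shown and keep the campaign order.
        unseen = [ad for ad in AD_SEQUENCE if ad not in profile["ads_seen"]]
        ad = unseen[0] if unseen else None
        if ad:
            profile["ads_seen"].append(ad)
        profile["pages"].append(page)
        if referer:                               # the site the user came from
            profile["referers"].append(referer)
        return ad, set_cookie, returning


def replay_constructed_session(send_cookie=True):
    """Replay three constructed requests from one browser.

    send_cookie=False models a browser that refuses to store the cookie.
    Returns (profiles, served) where served lists (ad, recognised) per request.
    """
    server = AdServer()
    requests = [  # (referer, page): constructed sample traffic
        ("https://search.example/?q=loans", "/home"),
        ("https://news.example/finance", "/products"),
        (None, "/checkout"),
    ]
    cookie_header = None
    served = []
    for referer, page in requests:
        ad, set_cookie, returning = server.handle(cookie_header, referer, page)
        if set_cookie and send_cookie:
            cookie_header = set_cookie.split(";")[0]   # browser returns "vid=..."
        served.append((ad, returning))
    return server.profiles, served


if __name__ == "__main__":
    for mode in (True, False):
        profiles, served = replay_constructed_session(send_cookie=mode)
        print("cookie returned:", mode, served, profiles)
```

With the cookie returned, the three requests collapse into one profile holding every page and referring site; with the cookie withheld, the server sees three unrelated visitors, which is why consent and cookie controls determine how much profiling is possible.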
The controversy surrounding DoubleClick’s plan to merge its extensive customer information, gathered by cookies, with a database maintained by a marketing firm brought privacy and the use of information to the forefront of the e-commerce debate. The central issues in the debate were the potential use of customer data for purposes other than those they had originally been gathered for and the ability to profile customers based on those data. Such was the concern that in January 2000 legal action was initiated against DoubleClick, becoming a class action in May 2000. The action alleged breaches of various American statutes. In March 2001 a federal judge dismissed the suit against DoubleClick.

Before moving on to look at security of data, read AIS Focus 3.1 (see page 86) which describes how microchips have been implanted in animals, to allow lost animals to be tracked and returned to their owners. It even describes how people have been ‘microchipped’, allowing identification for entry into nightclubs, purchasing drinks and aiding in the care of sufferers of diseases such as Alzheimer’s. This raises some interesting issues for privacy. If people were to be microchipped, then their movements could be tracked with extreme accuracy — even to the point of knowing the order aisles were walked down in the supermarket. For businesses, such information about the habits of people could prove extremely profitable. However, with this come the ethical issues of privacy and freedom. Your answer to these issues will very much depend on how you perceive the threat to privacy from technology.

For the customers, incidences where personal data are disclosed do the most damage to their image of a company. This can occur by accident or through hacking into the system (discussed later). Either way, it is these indirect costs related to loss of customer trust that will affect an organisation in the largest way, crippling market share and confidence.


AIS FOCUS 3.1

Chipping away our privacy

Graham Phillips

W micro-chipped. Hey why couldn’t mum, dad and the kids? Well, laugh no more. Chip implants seem to be catching on. And the day mightn’ away when you’ll be having yourself computerised. Indeed the day mightn’t be far away when it becomes compulsory, to help in the fi against terrorism. America’s powerful Food and Drug Administration has just appr nology in hospitals. By implanting micr ately identify the patient just by running a scanner over them. receive a readout of the person’s recent medical history. Now, no doubt, there are gr benefits in this for some people. Sufferers of Alzheimer’s disease who can’t r scanned and identified easily if found wandering. And the chips might also be useful for people suffering cancer through quite complex chemotherapy and other treatment regimes. procedures, making mix-ups less likely. But you have to wonder how long it will be before an implanting craze spr the hospital — and what it will mean for individual privacy. Recently, for instance, nightclubbers in Spain had chips implanted in their left arms. Getting this hardwar they just walked past a scanner at the entrance and straight to the bar. And the bionic bar flies’ chip implants mean they can also buy a drink in a blink. No precious imbibing time wasted pulling out cash and waiting round for change. The bartender simply scans their chip and the drinks are automatically added to the bill. In a mor Solutions, is hoping gun owners will go for an insert in the hand. That way personalised smart guns could be developed: weapons that would only fir the gun’s owner was the one pulling the trigger. The system would work via a scanner in the gun interrogating the chip in the shooter’ If the gun finds the wrong person is holding it, it simply doesn’t fire. Police officers and security guards could be fitted with the system. That way, no one could steal their weapons and use them against them.
The big catch with having a chip implanted in your body is that you can’ when you leave work or the nightclub. And so you are effectively walking around with a permanent ID tag on you. Anyone with a scanner could point it at you and identify you. Shops fi way work out better ways to sell you more stuff.



So far, no one has suggested kids be chipped, but a school in Japan has recently introduced a wearable, rather than implantable, version of the chip. These allow the teachers to better keep an eye on the children and work out who is and isn’t at school. Legoland in Denmark has wearable chips too. They say they’re to prevent kids getting lost, but critics claim they’re used by Lego to track the children and sell them more stuff. But the biggest question is, will a computer chip in the arm become compulsory for all of us? If the implants turn out to be safe, and society has begun to accept them for some purposes, having everyone chipped would certainly have benefits. The entire population would essentially have super-ID cards implanted in them 24 hours a day. Today it may sound like a far-fetched sci-fi plot. But so did the idea of compulsory fingerprinting and face scanning a few years ago. Yet, that now happens to anyone who wants to visit America — in the name of the fight against terrorism. Compulsory chip implants would just be another step in the same direction. GRAHAM PHILLIPS is a science writer and reporter on ABC TV’s Catalyst. Source: Herald Sun 2004, ‘Chipping away our privacy’, 21 October, p. 21.

SECURITY

Data and the programs that maintain or use data must be kept secure. One reason, as discussed, is to respect the privacy rights of individuals. Measures need to be in place to ensure that data cannot be accessed by unauthorised personnel or copied or used for illegitimate purposes. Well-defined user access rights and user activity logs can be ways of working towards such aims. Another aspect to consider is the protection of the quality of the data, that is, to make sure that the data are accurate. Customers generally have the right to view data that an organisation holds about them to make sure that they are correct.

CONSENT

Information about users of an AIS can be gathered:
• without the consent of the individual (though this may be illegal and/or unethical)
• with the informed consent of the individual
• with the implied consent of the individual.

There is a big difference among these three scenarios. A common concern is whether it is ethical to gather data about someone without his or her knowledge or consent. Some would say that such acts are tantamount to electronic espionage and constitute a violation of a person’s basic right to privacy. Gathering information without the person’s consent would appear to be prohibited under Australia’s Privacy Act.

Implied consent refers to the individual consenting to the information gathering through their subsequent actions. For example, if you complete a page on a website that asks for your personal details and you click the ‘next’ button to proceed to the next screen, your actions imply that you agree to forward this information on to the website owner. At no stage were you asked for an express statement of consent. An express statement of consent would occur where the information is entered into the fields on the screen and then, as you click on the ‘next’ button, a box appears asking if you wish to proceed and informing you that if you do proceed your details will be gathered by the website owner.



There is a big difference between express and implied consent. Some may argue that by agreeing to use a website and entering information you are giving consent for that information to be gathered. Others would argue that the only form of true consent is that which is expressly obtained from the subject of the information.

PRIVACY LAWS AND STANDARDS

There are laws that govern privacy in Australia. One such example is the Privacy Act 1988 (Cth), which is a piece of federal legislation enacted in order to create standards for the gathering, collection and use of personal information. Section 14 of the Privacy Act outlines 11 principles of information privacy. Principle 1 states:

1. Personal information shall not be collected . . . for inclusion in a record or in a generally available publication unless:
   (a) the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and
   (b) the collection of the information is necessary for or directly related to that purpose.
2. Personal information shall not be collected by a collector by unlawful or unfair means.

The privacy principles are summarised in figure 3.2.

| Principle | Description | Explanation |
|---|---|---|
| 1 | Collection of information | Information can only be collected in lawful ways and for lawful purposes and the information gathered must relate to the lawful purpose. |
| 2 | Solicitation | The person gathering information shall inform the subject of the purpose of the gathering of information, whether it is required by law and who the information may be legally forwarded to. |
| 3 | Solicitation | The person gathering information should gather it in a nonintrusive manner and ensure that the information is complete and up to date. |
| 4 | Storage | Information shall be stored in such a manner that it is protected from loss, damage, unauthorised access or general misuse. |
| 5 | Record keeping | Records shall be kept detailing the nature, purpose and types of personal information being stored, including storage time and access rights. |
| 6 | Access | An individual who is the subject of information records is, subject to legal limitations, allowed to view the information that is kept about them. |
| 7 | Alteration | Record keepers shall ensure that personal records are kept accurate, relevant, up to date and not misleading. |
| 8 | Accuracy in use | Where information is being used, the record keeper shall ensure the information being used is accurate for that purpose. |
| 9 | Relevant use | Information that is kept shall only be used for the purpose that it was gathered. |
| 10 | Usage | Relevant use must be followed unless there are extreme grounds for not doing so, such as subject consent for nonrelevant use, life-threatening circumstances, law enforcement or legal obligation. |
| 11 | Disclosure | The information shall not be disclosed to a third party unless such disclosure was made known to the subject at the time the information was solicited, the subject consented to disclosure, or grounds such as those referred to in principle ten exist. |

Figure 3.2 Information privacy principles from the Privacy Act 1988 (Cth) s. 14
Source: Privacy Act 1988, s. 14.



The principles apply to federal government agencies as well as to organisations, which are defined to include individuals, body corporates, partnerships, other unincorporated associations and trusts.

The Internet Industry Association (IIA) is a registered company in Australia and acts as a regulatory body for organisations involved in the Internet within Australia. The IIA believes that industry must adhere to ethical privacy practices to create consumer confidence and enable the long-term success of e-commerce. It also supports the adoption of an information gathering approach based on informed consent, rather than the surreptitious gathering of information about users. The IIA has set out to create standards for industry members to protect users of the Internet, particularly children, increase the similarity of Australian and European standards and provide a general industry best practice when dealing with issues of electronic privacy. The code applies to IIA members, with membership of the IIA an option for businesses that provide Internet services from Australia, operate an Internet-related business or possess a direct or indirect interest in the Internet. The IIA’s privacy principles correlate quite strongly with the sections of the Privacy Act discussed previously so the IIA code is only summarily described here (see figure 3.3).

| Principle | Description |
|---|---|
| 1 | Collection of information |
| 2 | Use of information |
| 3 | Data quality |
| 4 | Data security |
| 5 | Openness |
| 6 | Access and correction |
| 7 | Identifiers |
| 8 | Anonymity |
| 9 | Transborder data flows |
| 10 | Sensitive information |

Figure 3.3 IIA code of practice privacy principles
Source: IIA 2001, Internet industry privacy code of practice, sec. 6.

Access to technology

An additional issue for customers is their ability to access technology, particularly as organisations move towards the e-commerce environment. Access to computer technology can vary depending on socioeconomic conditions and geographic location. An issues brief prepared for the federal government cites findings that place Australia as the country with the third-highest level of Internet access in the world, at 43.9 per cent, behind only the United States (56 per cent) and Sweden (56 per cent). However, despite the wide adoption of the technology by Australian households, there are factors that restrict access to Internet technology. These are identified by Curtin as:
• Age. The research indicates that young people are more likely to have Internet access.
• Family structure. The traditional nuclear family structure of two parents and children is the most likely to have Internet access, followed by couples without children and single-parent households.
• Income. There is a clear delineation between those with and without home Internet access based on the level of income, with the wealthier people more likely to have access.
• Education. Higher education tends to be associated with Internet access.
• Geography. There is a constant gap between city and country residents having access to a computer and also to the Internet. Farms in particular have a lower Internet access rate. Other issues for those in rural areas include the degree of choice they have in choosing an Internet service provider and higher costs for access.

As businesses move towards an e-commerce environment, with 46 per cent of businesses using the Internet as a part of their business processes and a maximum of 48 per cent of users using the Internet for e-commerce related activities (for example checking account balances, transferring funds and paying bills online), issues of equitable access and costs could become a concern. Curtin concludes that the Internet in Australia, ‘has built upon, and may exacerbate, inequalities that already exist in Australian society . . . a range of social, economic and technical barriers will have to be addressed’.

Managers

Managers working with the AIS have a duty to ensure that the system is being used appropriately. They need to ensure that their systems and organisations comply with federal and state laws relating to privacy and the usage of information. This includes monitoring the creation of, access to and use and alteration of information. Managers also need to ensure compliance with internal privacy policies and practices.

Top management sets the tone and example for ethical practice, which then carries through the rest of the organisation. Managers who set the example of ethical use of information and the ethical gathering of information promote similar behaviour from their colleagues. Setting an example is thus an important part of promoting ethical behaviour in the organisation.

As end-user computing has placed more power in the users’ hands and the use of organisation-wide databases has increased, managing the AIS resources properly has become an increasingly important issue. Information systems managers in particular have responsibilities for ensuring that the data and programs within the organisation are adequately protected. Straub & Collins identify three main issues confronting managers:
• the creation of workable systems that do not breach intellectual property rights (e.g. ensuring that all software is properly licensed)
• gaining information from external sources (such as external databases) without breaching copyright
• gaining and distributing information on individuals without breaching their right to privacy.

The establishment of internal controls can be a useful step in achieving these aims. Controls that could be relevant in meeting legislative requirements, as well as promoting the ethical use of data, include password-restricted access, user logs for sensitive information, and thorough audit trails. Passwords are a way of restricting access to authorised users and can also prevent white-collar crime, which is discussed later. Further to having passwords in place, policies on the format and changing of passwords should exist, promoting regular changing of passwords. Logs should also be kept for unsuccessful access attempts. While some of these may be legitimate errors by authorised users, others could suggest unauthorised access attempts.
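The review of unsuccessful access attempts described above, as an added example (not from the textbook): it separates a mistyped password followed by a successful log-on from a burst of failures on one account or one workstation failing against several accounts. The log format, the thresholds and every name in the sample log are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: ISO timestamp, user, source, outcome.
SAMPLE_LOG = """\
2005-03-01T09:00:05 jsmith ws-014 FAIL
2005-03-01T09:00:21 jsmith ws-014 OK
2005-03-01T10:15:00 payroll_admin ws-221 FAIL
2005-03-01T10:15:20 payroll_admin ws-221 FAIL
2005-03-01T10:15:41 payroll_admin ws-221 FAIL
2005-03-01T10:16:02 payroll_admin ws-221 FAIL
2005-03-01T11:00:00 alee ws-307 FAIL
2005-03-01T11:00:30 bkhan ws-307 FAIL
2005-03-01T11:01:00 cwong ws-307 FAIL
2005-03-01T11:30:00 mlopez ws-050 FAIL
2005-03-01T13:45:00 mlopez ws-050 FAIL
this line is corrupt
"""


def parse_log(text):
    """Return (events, rejected); each event is (time, user, source, ok)."""
    events, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            stamp, user, source, outcome = line.split()
            when = datetime.fromisoformat(stamp)
            if outcome not in ("OK", "FAIL"):
                raise ValueError(outcome)
        except ValueError:
            # Keep unreadable lines for review rather than dropping them.
            rejected.append(line)
            continue
        events.append((when, user, source, outcome == "OK"))
    return sorted(events, key=lambda e: e[0]), rejected


def review_failures(events, max_failures=3, max_accounts=3,
                    window=timedelta(minutes=10)):
    """Flag accounts and sources whose failures exceed the assumed thresholds.

    Returns {("account", user): peak failures in window,
             ("source", host): peak distinct accounts failed in window}.
    """
    by_user = defaultdict(deque)     # user -> times of recent failures
    by_source = defaultdict(deque)   # source -> (time, user) of recent failures
    findings = {}

    def record(key, count):
        findings[key] = max(findings.get(key, 0), count)

    for when, user, source, ok in events:
        if ok:
            # A success after a failure or two reads as a mistyped password.
            # A burst that already crossed the threshold stays in findings.
            by_user[user].clear()
            continue

        fails = by_user[user]
        fails.append(when)
        while when - fails[0] > window:
            fails.popleft()
        if len(fails) >= max_failures:
            record(("account", user), len(fails))

        seen = by_source[source]
        seen.append((when, user))
        while when - seen[0][0] > window:
            seen.popleft()
        accounts = {name for _, name in seen}
        if len(accounts) >= max_accounts:
            record(("source", source), len(accounts))
    return findings


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    for key, count in review_failures(parsed).items():
        print(key, count)
    print("unreadable lines:", bad)
```

Thresholds and the window are policy decisions; set them from the organisation's own baseline of ordinary log-on mistakes.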


Control matrices should also be established that restrict what information different users are able to view and logs should be maintained on who views what information. The classic example is the restriction on who can access payroll information within the organisation. Obviously, as a matter of respect to employees and their privacy, only a select group of people should be privy to this information. Attempts to access or change these data should be logged, to create an audit trail and promote ethical use of them.

Organisations such as credit providers also have the responsibility of ensuring that all information is correct. Failure in this regard can have severe consequences for the customer, especially if a credit report is released that says the customer is a risk when he or she is not. While there are also statutory provisions relating to obligations in this area, there is also an ethical obligation to ensure that data about the customer are accurately recorded and properly maintained.

Many organisations have also responded to concerns about privacy by creating a new position within the organisation called the chief privacy officer (CPO). The position of CPO will typically involve responsibility for drafting organisation privacy policies, enforcing the policies and guidelines and creating an organisational awareness of the issues associated with privacy. They can also act as a mediator between legislators and the organisation, attempting to convince them of their good corporate practices. Recall the DoubleClick case discussed previously in this chapter and how there were some concerns about perceptions of reduced individual privacy through the data that DoubleClick gathered. Jules Polonetsky was appointed as the CPO of DoubleClick. Polonetsky describes his role as ensuring that people are aware of DoubleClick policies and that it follows the policies that it tells people it does.
Some of the ways that the CPO can have an impact on an organisation include creating privacy manuals, developing an organisational awareness of privacy issues, developing procedures for handling information and the establishment of policies and procedures that must be followed before sharing data with third parties.

However, the reality is that many managers involved with the AIS and making decisions related to it are bound as members of the company. What they as individuals think is the right thing to do may be different from what the corporate reality demands. This is a unique position in which managers will often find themselves when confronted with ethical problems. Several theories have been proposed to help managers work through such scenarios. Each of these theories is described briefly, based on a paper by Smith & Hasnas.

Stockholder theory. This compels managers to act in the best interest of the owners of the company: the stockholders. This implies an emphasis on maximising profit and the corporation acting within the confines of applicable laws and regulations.

Stakeholder theory. The focus shifts beyond the owners, taking under its wing all those parties that play a role in the company’s success or who are affected by the company’s operations. This includes shareholders but can also include suppliers, customers, employees, residents of the local community and other such interested parties.

Social contract theory. This takes a broader view of the corporation, placing it within a wider society. The corporation gains its authority to operate through society’s sanction; however, this is theoretically only forthcoming if the actions of the corporation benefit society as a whole. The sanction for operations is not automatic and can be withdrawn if society is disadvantaged by the corporation or the corporation deceives society.

These three theories have been suggested as perspectives that managers can take when confronted with ethical issues. Think back to Blockbuster Video’s plan to sell its database of customer contact details and movie-watching preferences. An analysis of the proposal under each of these perspectives would have provided different issues for resolution and potentially different courses of action.



Employees

Some of the ethical issues that confront the employee within an organisation centre around privacy and the use of organisational resources. The organisation is challenged with encouraging ethical conduct by employees and treating employees ethically. Is it ethical to use organisational resources for nonwork purposes and is it ethical for organisations to monitor such usage? Research by Healy & Iles reveals that 72 per cent of organisations allow their employees unrestricted use of the Internet for both work and personal activities and that 24 per cent of employees use work Internet facilities for entertainment purposes. On the other hand organisations may be concerned about the misuse of work resources. Many organisations arrive at a compromise, allowing an amount of time for personal use of IT facilities such as email and Internet browsing. Many take steps to limit or eliminate nonwork usage.

There is, however, a fine line between ensuring the productive and efficient use of resources and intruding on an employee’s privacy. Many organisations set up firewalls to restrict employee Web browsing to work-related sites. Alternatively, the organisation can maintain a log that tracks individual usage of the Internet, including user identification details, the sites visited and the time spent on sites. Some employees would argue that such monitoring of Internet usage is an invasion of privacy and a sign of a lack of trust on the part of the organisation. Another alternative is the screening of employee emails, with organisations arguing that it is motivated by the need to address concerns over employee productivity and potential misbehaviour.

Another step that many organisations take in order to help ensure that staff use IT resources ethically is the prescription of a code of conduct. Healy & Iles observed that in response to the corporate use of the Internet, client–server technologies and end-user computing, organisations have broadened the scope of their codes of conduct that govern how IT resources are to be used. Some of the ethical issues are:
• confidentiality of information
• ownership and control of information
• nonwork-related use of resources (particularly the Web) at work
• surveillance of employees’ use of technology
• business’s objectives in connection with codes of conduct.

Data from the UK suggest the use of a code of conduct is common across most industries as well as across organisations of varying size. Of course, the prescription of a code of conduct is only effective if it is actually monitored and enforced. For example, simply stating in a code of conduct that IT resources are not to be used for nonwork-related purposes is not sufficient. The organisation also needs to have mechanisms to detect nonwork use and must be seen as enforcing these policies with appropriate sanctions when breaches are detected. This can be a challenge for many organisations, especially large ones. Additionally, these policies need to relate to the key issues associated with employee use of the IT resources. One would be that employees are not to use personal data gathered and stored by the AIS in a manner that is inconsistent with its original purpose. Surprisingly, only one-third of UK companies that had an IT use policy included clauses relating to the use of data within the system.

One factor that has been found to promote ethical behaviour among employees is that of organisational self-esteem. This refers to how well a person identifies and fits with the firm, its beliefs, culture, philosophy and operating style. An employee will form ideas about how well they fit in with the organisation and how competent and valuable they are to the organisation. Hsu & Kuo cite examples of research that has found employees with a high level of organisational self-esteem are more likely to act ethically.


Deindividuation is another factor identified as influencing how employees act. Deindividuation refers to how anonymous a person perceives their actions to be. A high level of deindividuation would be expected for employees who use systems that do not require unique log ons or user identification, since their actions are not able to be traced. The greater the degree of identification and tracing within a system the lower the degree of deindividuation and the higher the likelihood that employees will act ethically. Employees who become aware of unethical behaviour within the organisation face a dilemma whether to report the behaviour. Reporting unethical behaviour is known as whistleblowing. It raises some interesting issues. While the person reporting the unethical behaviour is often doing so because they believe that what is happening is wrong and someone higher up in the organisation should be made aware of it so they can act on it, they are often confronted with several obstacles. As Cohan says, ‘subordinates who may want to “blow the whistle” may be thwarted by an intimidating corporate culture, or simply because of the hierarchical structure that effectively forecloses adverse information from getting to senior management’. An example of these obstructions to whistleblowing activities can be seen in a case study of the demise of Enron, where it is documented that, ‘Enron had a corporate climate in which anyone who tried to challenge questionable practices of Enron’s former chief financial officer ... faced the prospect of being reassigned or losing a bonus’. Employees in such an environment can be intimidated into keeping silent about any unethical behaviour that may be occurring, for fear of demotion, pay cuts, job loss or reprisal and alienation by colleagues. 
Consider an employee who suspects that spare parts from an engine company’s storeroom are being stolen by the inventory manager and sold to customers for a cheaper price than the company would normally charge for such parts. If the staff member was to report this to the manager above the inventory manager, there is a very real prospect that this report could be lost or watered down, thus never being investigated fully. Management’s inclination, largely as a result of the traditionally hierarchical structure employed in medium-to-large corporations, is to report good news to their superiors and suppress or water down any bad news. This can occur for several reasons, including the fear on the part of the manager of negative reactions that may affect career progress and employment stability, as well as impression management: wanting to look good in the eyes of a superior. This can lead to whistleblowing actions being ignored or diluted and potentially create an environment where whistleblowing is actively discouraged. These corporate cultures create great challenges for employees contemplating whistleblowing.

It was discussed earlier how organisations can establish a code of conduct to promote the ethical use of IT resources by staff. While this is an extremely common technique for encouraging ethical behaviour, it is interesting to note that employees do not see this as an effective way of influencing how they use the IT resources of the business. This could be related to how well the policies are actually enforced within the organisation. Simply having a policy that sits in the filing cabinet and is never acted upon will obviously not have a strong influence on employee behaviour and the ethical use of IT resources.

Information systems staff

Information systems staff have several ethical responsibilities, including ensuring the security and privacy of data held by the organisation. There have been cases recently where organisations have sold old computers and storage devices without properly removing data stored on them. The purchaser of the computer and hardware received a lot more than they bargained for and, in the process, people’s private details were at risk of disclosure beyond their intended source. IT staff who are responsible for maintaining and upgrading IT resources must ensure that devices being disposed of — either by sale or rubbish dump — are properly cleaned of all data or destroyed, leaving them in an unreadable state.

Apart from the data themselves, the programs that maintain or use organisational data need to be protected from improper or unethical use. Many programs developed within an organisation will represent proprietary knowledge and may contain business rules that are a source of competitive advantage. Organisations need to take measures to ensure this intellectual property (IP) is safely kept within the organisation and does not fall into the hands of competitors. Information systems staff should also take responsibility for the organisation’s adherence to licensing agreements and the protection of IP that is contained within the various software packages used in the organisation. This can include making sure software is only installed on authorised machines and that the number of installations matches the number of site licences held, as well as protecting both the programs and the data that reside within them from unauthorised copying.

COMPUTER CRIME AND FRAUD

Some examples of computer crime and fraud are described in the following but the list is by no means an exhaustive one. This section concludes with some strategies for reducing the exposure to computer crime and fraud, with many of these relating back to the ethics material that was covered previously.

WHAT IS COMPUTER CRIME?

We all have our own concept of computer crime and, if asked, could probably arrive at some cogent definition. Take a moment to jot down a few points on what you think constitutes computer crime. No doubt you thought of concepts such as fraud and theft: for example credit card fraud, hacking into systems and manipulating payroll systems. Computer crime can appear in many guises. For example, each of the following could be classified as computer crime:
• sending a virus to crash a computer system
• using a computer to acquire funds illegally
• using illegally obtained data files for self gain
• intercepting a message sent by a third party.

It is, therefore, difficult to define computer crime concisely. Generally, crimes committed through a computer or where a computer is the target would fall under the banner of computer crime.

SPAM

Spam is the sending of unsolicited emails or junk email. Spam is a problem for several reasons. From a user’s perspective, the spam mail can clog up valuable space in an email account. Spam is a common technique for spreading viruses: it can contain attachments that, when executed, are damaging to a system. The content of spam is also sometimes offensive to those receiving it, for example invitations to purchase drugs and links to adult-oriented sites.


Spam is also potentially dangerous to organisations, through the damage it can cause to their reputation and image. Typically, the creators of spam send their messages through the servers of well-known organisations. The receiver of the email will often be tricked by this technique, believing it to be a bona fide email from that organisation. Organisations can also suffer from spam through the effects it has on their email server and the computer system generally. Large volumes of spam can slow down a server, while spam emails that contain viruses can damage an organisation’s computer resources. As a result, spam is an issue of importance to the organisation and the individual.

The Spam Act 2003 (Cth) was introduced on 11 April 2004 in Australia to regulate the use of email. Under the Spam Act, the Australian Communications Authority (ACA) is vested with the responsibility of policing spam. The Spam Act also applies to SMS text messages on mobile phones. Because of the international nature of email and consequently spam, Australia has also entered into various agreements with other nations, in a bid to cooperatively deal with the problem. These include:
• The bilateral memorandum of understanding between Australia and Korea
• Memorandum of understanding among Australia, the UK and the United States
• Australia–Thailand joint statement on telecommunications and IT.

PHISHING AND IDENTITY FRAUD

Phishing is a technique of online deception that has users go to a fraudulent website and leave personal details. The information is then used for identity theft and deception. In the United States more than US$2.4 billion has been stolen from users on the Internet, with 17 per cent of the theft attributed to identity theft, which includes phishing schemes. Banks are a common target, with the perpetrators setting up sites that resemble the URL of the genuine site. For example, if a bank had the URL www.bank1.com.au, the site created by the phishers might be www.bank1.org.au. At first glance, especially to an uninitiated user, these site addresses seem to be the same, so the user unwittingly clicks on the address ending in org.au: the phisher’s site. The fraudulent site will resemble the bank’s genuine site, so no suspicion is raised. Any details submitted by the user will be sent to the creators of the phishing site.

This is a real threat for organisations. Websites are relatively easy to create and domain names are easy to acquire. This leaves organisations vulnerable to phishing scams that damage customer trust in the organisation and e-commerce, as well as denting the organisation’s image. Organisations can overcome some of the risks involved by publishing their IT usage and communication policies and ensuring that customers are aware of them. For example, one could be that the organisation will never request personal details by email or will not communicate at all with users by email. Users aware of this policy would hopefully be alarmed by attempts at phishing. Naturally, this relies on both the organisation having clear communication policies in place, as well as the organisation’s customers being aware of such policies.
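A check for the lookalike address described above, as an added example (not from the textbook): it compares a link's host with the organisation's genuine domain and, going slightly beyond the suffix swap in the text, also flags a one-character change to the name and the genuine name used as a subdomain of another domain. The short suffix list, the function names and every host other than the text's bank1 addresses are assumptions.

```python
from urllib.parse import urlsplit

# Abbreviated suffix list for this example only (assumption); a deployment
# would load the full Public Suffix List instead.
SUFFIXES = ("com.au", "org.au", "net.au", "com", "org", "net")


def split_host(host):
    """Return (subdomain, organisation label, suffix), or None if no known suffix."""
    host = host.lower().rstrip(".")
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            rest = host[: -len(suffix) - 1]
            sub, _, label = rest.rpartition(".")
            return sub, label, suffix
    return None


def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1          # substitution: advance both strings
        j += 1              # insertion into b: advance the longer string only
    return edits + (len(b) - j) <= 1


def classify_link(url, genuine_domain):
    """Classify a link against the organisation's genuine registrable domain."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    parts, real = split_host(host), split_host(genuine_domain)
    if parts is None or real is None:
        return "unrelated"
    sub, label, suffix = parts
    _, real_label, real_suffix = real
    if (label, suffix) == (real_label, real_suffix):
        return "genuine"
    if label == real_label:
        return "suffix-swap"        # the bank1.org.au case from the text
    if within_one_edit(label, real_label):
        return "near-name"          # may also match a legitimate similar name
    if real_label in sub.split("."):
        return "embedded-name"      # genuine name buried in another domain
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links; only the bank1 hosts come from the text.
    for link in ("https://www.bank1.com.au/login",
                 "http://www.bank1.org.au/login",
                 "http://www.bankl.com.au/",
                 "http://www.bank1.com.au.example.net/",
                 "http://news.example.org/"):
        print(link, "->", classify_link(link, "bank1.com.au"))
```

A mail gateway or customer-support tool can run such a check on links in reported messages; any verdict other than "genuine" or "unrelated" is a prompt for human review, not proof of fraud.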

HACKING

Hacking is gaining unauthorised access to a system. There are many examples of hackers gaining access to high profile systems, e.g. NASA’s system. Hacking is a threat, particularly for large and prominent organisations that, by virtue of their position, become targets for hackers. The increased use of the Internet, combined with the higher levels of IT sophistication in adolescents, has made hacking an increased threat. Recognising hacking as a risk to their system, many organisations are now hiring hackers to test the exposures of their system. The term given to this activity is ‘penetration testing’, which, while familiar to the large banks, is a new concept for other organisations just venturing into the world of telecommunications.

The hacking issue is seen as being particularly real as businesses head towards integrated environments, with interorganisational network connections becoming increasingly common. In this integrated environment, companies must ensure their suppliers, partners and other third parties are meeting security benchmarks. A company’s security is only as strong as the weakest link in its network.

The challenge for organisations is to take reasonable measures to protect their systems from unauthorised access. In Australia, guidance can be sought on how to do this from Australian standard 7799.2:2003 — information security management — specification for information security management systems. This standard provides a benchmark for assessing exposure to hacking. Certification of compliance with the Australian standards is available for organisations. A list of officially certified organisations is available through the website of the International Information Security Management Systems User Group. Information about comparable standards for information protection is available from this site. Alternative ways of gaining confidence in a website and its data transmission were also developed by Dun & Bradstreet and KPMG, who designed a digital certification product, while WebTrust and Verisign also offer online protection for organisations and their e-commerce customers.

The distinction that needs to be drawn in this section is that of ethical and unethical hacking. Ethical hackers are employed by organisations to test systems for exposures and security weaknesses, with the hacker generally working to instructions from the organisation. Unethical hacking is the sort that generally makes the headlines in the newspapers: it is the unauthorised and illegal access to a system.

IDENTITY THEFT

An example of identity theft reported recently in The Age involved a virus that steals the identity details of users of the National Australia Bank (NAB) website. This article is reproduced in AIS Focus 3.2. In this example the details are being gained through viruses that are planted on the user’s computer and triggered when certain conditions are met or certain events occur. In this case, the user logging on to the NAB website triggered the capturing and sending of their personal details. The consequences of this are that the user is potentially exposed to fraudulent use of their financial resources because others now have details that can gain access to their online accounts and their personal details are now known by unauthorised persons. Additionally, such instances have a negative impact on the bank as well, with corporate image and reputation, as well as the image of online banking, taking some damage.

AIS FOCUS 3.2

Trojan targets NAB online customers
By Online Staff
September 17, 2004 – 12:00PM

A Trojan that attempts to steal online banking information fr Australia Bank has been reported by the anti-virus firm, Sophos. Sophos’s tech lead in the Asia Pacific, Paul Ducklin, said it could be spr directly sent to PCs which have been already commandeered by malicious attackers.

‘Troj/IBank-A is an internet banking trojan which attempts to steal confidential banking information and send it to a remote location,’ the company said in an advisory on its website.

‘Once the Trojan has installed itself on a computer it lurks in the background waiting for the right moment to pounce,’ said Graham Cluley, senior technology consultant for Sophos. ‘As soon as it sees the user is logging onto the National Australia Bank’s website it grabs their account id and password and sends it to remote hackers.’

Sophos said when first run Troj/IBank-A copied itself to the Windows folder as audld.exe and to the Windows system folder as wmbem.exe. It adds the following registry entries so that these executables are run whenever the infected computer is started up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate=%SYSTEM%\wmbem.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run=%WINDOWS%\audld.exe

Additionally, the pathname of audld.exe is added to a new run= line in the [Windows] section of %WINDOWS%\Win.ini, to run audld.exe on startup and a registry entry HKLM\SOFTWARE\Wmbem\ may be created.

Source: The Age 2004, ‘Trojan targets NAB online customers’, 17 September, http://theage.com.au/articles/2004/09/17/1095320943628.html.
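A defender's check of the three start-up locations the advisory names, as an added example that is not part of the article or the textbook. It goes beyond the two file names by reporting any start-up program missing from an approved baseline; the registry export, win.ini contents, baseline and function names are all constructed or hypothetical.

```python
import configparser
import re

# Start-up locations named in the advisory; None means every value under the key.
WATCHED_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": None,
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows": "run",
}
# Assumption: the organisation's approved start-up programs (hypothetical baseline).
BASELINE = {"ctfmon.exe", "backupagent.exe"}
EXE_RE = re.compile(r'([^\\/",\s]+\.(?:exe|com|bat|scr|pif))\b', re.I)

# Constructed sample data: a registry export and a win.ini file from one workstation.
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BackupAgent"="C:\\Program Files\\Backup\\backupagent.exe /quiet"
"WinUpdate"="C:\\WINDOWS\\system32\\wmbem.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Device"="Printer,winspool,LPT1:"
"run"="C:\\WINDOWS\\audld.exe"
'''
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\audld.exe\n"


def registry_autostarts(reg_text):
    """Return (key, value name, command) for values under the watched keys."""
    entries, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key in WATCHED_KEYS and (m := re.match(r'"(.+?)"="(.*)"$', line)):
            # .reg files double every backslash inside a string value.
            name, value = m.group(1), m.group(2).replace("\\\\", "\\")
            if WATCHED_KEYS[key] in (None, name.lower()):
                entries.append((key, name, value))
    return entries


def win_ini_autostarts(ini_text):
    """Return the non-empty run= and load= lines of the [windows] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(ini_text)
    return [("win.ini [windows]", opt, cp.get(sec, opt))
            for sec in cp.sections() if sec.lower() == "windows"
            for opt in ("run", "load") if cp.get(sec, opt, fallback=None)]


def unapproved_autostarts(reg_text, ini_text, baseline=BASELINE):
    """List start-up executables that are not on the approved baseline."""
    findings = []
    for location, name, command in registry_autostarts(reg_text) + win_ini_autostarts(ini_text):
        for exe in EXE_RE.findall(command):
            if exe.lower() not in baseline:
                findings.append((location, name, exe.lower()))
    return findings


if __name__ == "__main__":
    for finding in unapproved_autostarts(REG_EXPORT, WIN_INI):
        print(finding)
```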

MONEY LAUNDERING

The move towards a cashless society has come with the development of e-commerce. Credit cards have become a common form of paying for online transactions. With this has come the risk of identity theft and credit card fraud, through techniques such as phishing and hacking, which have been discussed. Partly in response to these concerns, electronic cash has developed as a means of funding electronic transactions. It is similar in concept to physical cash: the customer buys electronic tokens, which function as cash in the electronic world. These tokens can then be electronically exchanged for goods and services provided by a vendor, who can then convert the tokens back into cash. These can offer a form of security to e-customers because they do not have to divulge details of credit cards over the Web. Instead, the e-tokens can be purchased for cash and used in place of the credit card when executing transactions. However, there have been concerns raised by the federal government about improper uses of e-cash technology, with a paper issued by the Science, Technology, Environment and Resources Group raising the prospect of e-cash being used as a tool for money laundering and tax evasion.

What is fraud?

Fraud is an act of deception committed by someone against another entity, usually with the intent of either causing damage to the victim or bringing benefit to the perpetrator. White-collar crime can be described as deliberately misusing one’s employer’s resources or assets for personal enrichment. Christensen & Byington identify 12 ways that white-collar crime can be committed: fraud/conspiracy; bribery; kickbacks; price-fixing; embezzlement; violations of securities laws (such as insider trading); illegal political contributions; tax issues; bid-rigging; forgery; corporate theft and fraudulent financial reporting.

As the list demonstrates, white-collar crime can occur in many different forms. Similarly, fraud can occur within an organisation in many different ways. Table 3.5 is by no means an exhaustive list but is an indicator of some of the ways that fraud can occur.

Table 3.5 ◗ Examples of fraud

| Fraud type | Business process affected | Example |
| --- | --- | --- |
| Asset theft | Payment cycle | Paying fictitious vendors. |
| | Revenue cycle | Misappropriation of incoming cash — e.g. lapping — will affect accounts receivable and cash and potentially related accounts such as discounts. |
| | Revenue cycle | Goods returned by customers are not recorded. |
| Perquisites | Payment cycle | Personal items paid for by company. |
| Artificial revenue inflation | Revenue cycle | Creating fictitious invoices. Inappropriate cutoffs or recognition criteria applied to sales. |
| Asset valuation | Revenue cycle | Recognising asset revaluations as revenue. Creating nonexistent debtors. Kiting (a). Valuation of inventory at wrong amount. Capitalising inappropriate expenses. Misclassifying work in process as finished goods. |
| Payroll | Payment cycle | Paying nonexistent employees. Siphoning money from employees’ pay. |
| Expense manipulation | Payment cycle | Capitalising expenses that should be recognised immediately as expenses. |

a. Kiting refers to the practice of inflating cash balances by exploiting the delay between a cheque being written and being cleared. A cheque may be written from account A and deposited in account B. It will be recognised immediately as a deposit in account B but not as a withdrawal in account A until it has cleared through the bank. This will inflate the overall cash balance.

Source: Developed from Albrecht, WS & Albrecht, C 2004, Fraud examination and prevention, Thomson South Western, Ohio; Singleton, T, King, B, Messina, FM & Turpen, RA 2003, ‘Pro-ethics activities: do they really reduce fraud?’, The Journal of Corporate Accounting and Finance, vol. 14, no. 6, pp. 85–94.

There are several possible ways to act fraudulently in the world of information systems. Consider some of the following as a basis to work from:
• The payroll manager who places a nonexistent staff member on the payroll and collects his or her salary in addition to his or her own
• The programmer who adjusts a payroll program so that one cent from every pay every week goes to an account he or she has created
• The hacker who gains credit card numbers with the intent of using them for personal gain
• The person who creates a website purporting to be that of a large organisation and gains private customer details (including bank account details) through the site.

Fraud is a real problem for organisations and the advent of e-commerce has heightened consumer and organisational awareness of the very real risk that fraud presents. Various discussions of fraud refer to the notion of a ‘fraud triangle’, which says that for fraud to occur three things are necessary: a reason, pressure and an opportunity.
• The reason is the way that the individual justifies their fraudulent activity, for example the bank teller who takes some cash home on a Friday night and bets it on a ‘sure thing’ at the races on Saturday may justify their activities on the basis that no one will get hurt and if the horse wins the original amount of money can be returned and no one will ever know the difference. In effect the teller was only borrowing, albeit slightly unethically.
• The pressure for fraud can come from various sources, including the individual’s personal life and work environment. For example, pressure at home on the bank teller, with mortgage payments rapidly approaching and credit cards approaching their credit limit, may provide the financial pressure for the teller to take the cash and wager it on the ‘sure thing’ at Saturday’s races. Another example could be the corporate accountant who is under pressure to achieve target results, so as not to disappoint the sharemarket. Consequently, he or she creates fictitious sales to boost revenue and bolster the value of inventory and assets with some judicious revaluations. These are two examples of pressures that led to fraud: the first personal and the second job-related pressure.
• The opportunity refers to the individual’s perceived ability to carry out the fraud and conceal the fraudulent activity. In the bank teller case, the opportunity was there because the teller could take the money on Friday night and return it on Monday and no one would be any the wiser. After all sure things do not lose . . . do they?

Research studies have found that the incidence of fraud tends to be related to the ethical environment of the organisation. This makes ethics and the promulgation of ethical values and practices important to the organisation. They can be promoted through, for example, codes of conduct and professional registration. Codes of conduct or ethical standards provide guidelines for acceptable behaviour. For example, ethical guidelines exist to guide auditors when making client acceptance decisions, when determining the level of nonaudit service fees and on what gifts from the client can be accepted. Similarly, the Australian Computer Association has a code of conduct for its members to follow.

Membership of a profession carries benefits, for example professions are typically in possession of a base of knowledge that is valued in society (for example doctors, accountants), their professional authority is recognised in the wider community that they serve, they have a professional culture and ethical codes that govern their actions. Codes of ethics can be both formal and informal and enforced by the self and by the professional body. For example, the professional accounting bodies hold disciplinary meetings for allegations of breaches of the codes of conduct. For professionals who consider themselves a part of the professional group, as a CA or CPA would, the prospect of being disciplined and potentially excluded from the group is generally a strong enough means of ensuring behaviour in accordance with the professional code of ethics. Organisations can therefore help induce ethical behaviour by having employees who are members of professional bodies that enforce a professional and ethical code of conduct, or by creating and enforcing their own ethical code of conduct, to which the employee signs up when joining the organisation.

SALES FRAUD/E-COMMERCE

Some hypothetical examples of sales fraud/e-commerce fraud are discussed in this section. In the exercises at the end of the chapter you have the opportunity to develop some control plans that could be applied to reduce the risk of these occurring.

Example 1: Paying nonexistent suppliers/false invoices
John MacIntosh, a payment clerk for Deep Water, creates a company called ABC Enterprises. ABC Enterprises then proceeds to issue invoices to Deep Water, where John is responsible for paying them. Several invoices, valued at several thousands of dollars, are processed and paid by Deep Water, with the money going to MacIntosh.

Example 2: Credit fraud
Susan Falmer purchases items on line, using credit card numbers that she has obtained illegally through a phishing scheme she established a few years ago. She purchases the items on credit and then sells them to customers over the Web at prices much less than retail. Because the credit card details were stolen, Susan never incurs any of the debts. The company selling the goods to Susan never incurs any debt because credit transactions are guaranteed by credit card companies.

Example 3: Nonexistent sales
The end of the financial year is fast approaching and GHI Ltd is slightly below its budgeted forecasted sales, which were released to the stockmarket with mid-year earnings figures. Recognising the poor signal that lower-than-expected earnings would send to the market, the chief financial officer of GHI Ltd instructs the financial accountant to push forward some sales, recognising them in the current period, even though the inventory is yet to be shipped. For GHI this has several benefits: it increases its sales figures and its asset base also increases through the higher accounts receivable. The accountant responds by calling up some pending sales orders on the system and altering their status, thus recognising them as sales.

Example 4: Nonexistent customers
Brad is the accounts receivable manager at Tee Up Ltd, a seller of golf-related accessories. A keen golfer himself, Brad would like to use the products of Tee Up but is unable to afford them. To overcome this difficulty Brad creates fictitious customers on the accounts receivable master list, with addresses that correspond to those of his close friends. As Brad orders goods through these customers the goods are shipped to the addresses, where Brad collects the goods. Payment is never received from Brad for the goods. Instead he either records the goods returned by the customer due to damage (damaged returns do not go to inventory but are written off as an expense), writes the account off as a bad debt or clears the accounts receivable amount owing through noncash entries such as allowances and returns.

WHAT CAN ORGANISATIONS DO?

There are several ways that organisations can manage their exposure to computer crime and fraud. Establishing a sound corporate governance structure that pursues a strong control environment and thoroughly designed general and application controls is a good starting point. However, these formal controls are not the only tools available to the organisation. Other mechanisms for reducing the risk of computer crime and fraud are discussed in the following.

The emphasis for organisations wanting to reduce the threat of fraud appears to be to have a strong ethical culture that starts at the top of the organisation, having appropriate reporting and monitoring mechanisms that are followed up on, providing ethical training and facilitating employee reporting of fraud (or whistleblowing).

One informal but effective approach is to know your employees. This means not simply knowing their names when you meet them in the lunchroom for coffee. Rather, it means being aware of who they are, their background and so on. This can help identify potential instances of fraud. For example, seeing the employee who has typically ridden to work on a 20-year-old bicycle drive through the employee car park in a brand new shiny red Porsche would hopefully lead you to ask some questions: how did you get the car? While changes in lifestyle will not typically be as extravagant as the illustration given, monitoring employees for changes in lifestyle and habits can be an effective red flag for detecting fraud in the organisation.

Similarly, policies that force employees to take annual leave on a regular basis can be an effective means of detecting fraud. Why? An employee carrying out fraudulent activities will not want to leave their job for any period of time for fear that someone else will discover their actions. As discussed, this can be a common technique that is effective for detecting fraud in cash-handling areas of the organisation, where there is a risk of activities such as lapping occurring. Other potential red flags identified by Singleton et al. are listed in table 3.6. The factors relate to either the employee or the company level.

Table 3.6 ◗ Fraud red flags

| Employee red flags | Company red flags |
| --- | --- |
| Financial pressure | Lacking internal controls |
| Vices | No follow-up in internal and external audits |
| Extravagant lifestyle | Falling employee morale |
| Not happy with organisation | Changing lifestyle of employee |
| Internal performance pressure | Unusual expenses |
| Unexplained work hours | Unexplained losses |

Source: Adapted from exhibit 2 in Singleton, T, King, B, Messina, FM & Turpen, RA 2003, ‘Pro-ethics activities: do they really reduce fraud?’, The Journal of Corporate Accounting and Finance, vol. 14, no. 6, p. 89.

The role of the internal and external auditor can be critical in preventing and detecting fraud and, somewhat ironically, one of the best tools available for both of these parties for detecting fraud is the computer. The range of analytical techniques, searching power and processing tools that a computer can possess make the analysis of a large volume of transactional data relatively simple to accomplish, especially when combined with modern computer-assisted audit techniques.
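Two tests of the kind a computer-assisted audit technique runs, as an added example that is not from the textbook: one cross-matches the vendor master file against the employee master file (the pattern in Example 1 above), the other flags customers whose receivables are cleared almost entirely by noncash entries (the pattern in Example 4). All records, field names, the 90 per cent threshold and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records for illustration; not data from the chapter.
EMPLOYEES = [
    {"id": "E01", "bank": "063-000 1234 5678", "address": "12 Bay Rd, Kew"},
    {"id": "E02", "bank": "083-001 2222 3333", "address": "4 Hill St, Carlton"},
]
VENDORS = [
    {"id": "V10", "name": "ABC Enterprises", "bank": "0630 0012 345678", "address": "PO Box 9, Kew"},
    {"id": "V11", "name": "Pacific Freight", "bank": "013-999 8888 7777", "address": "1 Dock Rd, Yarraville"},
]
# (customer, entry type, amount in cents)
AR_LEDGER = [
    ("C1", "invoice", 45000), ("C1", "cash", 45000),
    ("C2", "invoice", 32000), ("C2", "return", 32000),
    ("C2", "invoice", 61000), ("C2", "write_off", 61000),
    ("C3", "invoice", 20000), ("C3", "cash", 15000), ("C3", "allowance", 5000),
]
NONCASH = {"return", "write_off", "allowance"}


def _digits(text):
    """Compare bank details on digits only, so formatting cannot hide a match."""
    return re.sub(r"\D", "", text)


def _norm_addr(text):
    """Lower-case an address and collapse punctuation and spacing."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def vendors_linked_to_employees(vendors, employees):
    """Example 1 pattern: a vendor sharing a bank account or address with an employee."""
    by_bank = {_digits(e["bank"]): e["id"] for e in employees}
    by_addr = {_norm_addr(e["address"]): e["id"] for e in employees}
    hits = []
    for v in vendors:
        bank, addr = _digits(v["bank"]), _norm_addr(v["address"])
        if bank in by_bank:
            hits.append((v["id"], by_bank[bank], "bank account"))
        if addr in by_addr:
            hits.append((v["id"], by_addr[addr], "address"))
    return hits


def customers_cleared_without_cash(ledger, min_ratio=0.9):
    """Example 4 pattern: invoices cleared by returns, write-offs or allowances."""
    invoiced, noncash = defaultdict(int), defaultdict(int)
    for customer, kind, cents in ledger:
        if kind == "invoice":
            invoiced[customer] += cents
        elif kind in NONCASH:
            noncash[customer] += cents
    return sorted(c for c, total in invoiced.items()
                  if total and noncash[c] / total >= min_ratio)


if __name__ == "__main__":
    print(vendors_linked_to_employees(VENDORS, EMPLOYEES))
    print(customers_cleared_without_cash(AR_LEDGER))
```

A hit from either test is a red flag for follow-up, not proof of fraud: a shared address can be legitimate, and genuine customers do return goods.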
