Information system ethics

5 6

CH

AP

TE

R 3

C H A P T E R 3

Information systems ethics

LEARNING OBJECTIVES

After studying this chapter, you should be able to:• Discuss the concepts of ethics, governance and accountability in the business environ-

ment.• Describe the ethics framework within which accountants work.• Relate the ethics expectations of the market.• Examine the ethics environment faced by accountants.• Identify different ethics risks.• Appreciate the significance of regulatory reforms which impact upon the accountant.• Understand the approach adopted by the rest of the book in addressing the concepts of

ethics, corporate governance and accountability as introduced in the ethics framework.• Describe the different perspectives that can be adopted for an ethical problem.• Consider the role of moral development in making ethical decisions.• Describe and apply the ethical decision-making model.• Consider some areas in which ethical problems may emerge for businesses that use

accounting information systems (AIS).• Describe some of the different perspectives of computer crime.• Explain what is meant by spam, phishing, hacking, identity theft and money laundering.• Consider potential ways to reduce the risk of computer crime.

‘The day Arthur Andersen loses the public trustis the day we go out of business.’

Steve Samek, Country Managing Partner, Arthur Andersen US, 1999,in Toffler, BL 2003, Final accounting, ambition, greed,

and the fall of Arthur Andersen, p. 1.

5 7C H A P T E R 3 | I N F O R M A T I O N S Y S T E M S E T H I C S

IntroductionRecalling the statement made on the firm’s Independence and

Ethical Standards CD-ROM in 1999, Barbara Ley Toffler, former

partner-in-charge of the Ethics and Responsible Business

Practices Division of Arthur Andersen United States (1995–99),

wrote:

It is Arthur Andersen’s lack of accountability that has

inspired me to write this book. As an observer of cor-

porate cultures, I believe strongly that the suicide of

Arthur Andersen — and the assault on the investing

public’s trust — could have been avoided had people

paid attention to the danger signs flashing everywhere in

the late 1990s . . . [This] is a book about what it was like

to work at a respected company as its culture began to

decay. It is also about what happens when the values of

an organisation begin to distort your own.

The book, Ethics, governance and accountability: a professional

perspective, is a timely reminder for accountants and auditors of

their roles in the competitive, highly regulative and complex

business environment. The book has one theme: the long-term

viability of a fair market is dependent on the effective and ethical

interactions of individuals, the governance body, organisations

and regulators. The ethical dispositions of individuals underpin

behaviours, which, collectively, provide the framework for ethical

cultures, sound values and good leadership, resulting in a fair and

transparent system of accountability and responsible practices.

This is the ethics framework that affects us all. Hence, the book

aims to build the basic foundation for ethics, applicable for

accountants and finance professionals in business. The book

offers a rich base of knowledge, theories and principles, which

are relevant for the ethics framework.

This chapter aims to provide the background to contextual

matters concerning accountants. It sets the scene for readers to

appreciate the significance and value of ethics in the corporate

environment. An ethics framework is introduced, showing how

ethics, corporate governance and accountability are interrelated

and support the functioning of a fair market. We shall explore the

risks and supports of the ethics framework for business. Within

the framework, we will identify the typical issues that accountants

and the accounting profession need to address. The

typical issues are dynamic in nature, and a discussion of the

current demands for accountability will provide an insight.

Following a historic surge of corporate collapses in the early

years of the 21st century, the accounting profession has

embarked on regulatory and other reforms in response to the

increasing amount of public scrutiny.

PART A: An ethics framework

5 8

WHAT IS ETHICS, GOVERNANCE AND

ACCOUNTABILITY?Ethics is about choices. It is a concept that signifies how we act in order to make the ‘right’choice, and produce ‘good’ behaviour. It encompasses a thorough (and objective) examin-ation of principles, values, duties and norms, the consideration of available choices oralternatives in order to make the right decision and the strength of character to act inaccordance with the decision. Ethics concerns individuals, groups, institutions and society.

Governance and accountability are about relationships. The word governance refers toauthority and control. Governance means the strategy, method and manner in which agroup of people (the governance body) directs, controls and manages an organisation. Thegovernance body of a corporation normally rests with the board of directors and seniormanagement, who possess the authority to govern or control. With authority comesresponsibility. Accountability is the responsibility of those charged with governance toaccount for their choices, decisions and actions.

Corporate governance has been around for many years, and has traditionally beendefined as ‘the way a corporation is directed and controlled to maximise shareholders’value’. However, recent corporate events and the apparent failures of the governance systemhighlight the need to review not only systems and structures, but also relationships,cultures, ethics and leadership within organisations. The latest debates on corporate gover-nance focus on the following issues:

• the structures of boards and committees, including independence of directors, commit-tees, required expertise, appointment, compensation, performance assessment, and theiraccountability to shareholders, regulators and the public

• the relationships between the board, management, the shareholders, the auditors and theemployees

• transparency and fairness in disclosure of financial reporting matters, the audit function,the independence of auditors, their engagement and reporting matters

• treatment and the rights of shareholders and stakeholders

• ethics, compliance and cultural issues within organisations

• shareholders’ and stakeholders’ interests.

What is right for individuals is highly subjective. How to define and perhaps develop anequitable balance in dealing with governance matters (such as between conformance andperformance) is a delicate issue. You will realise that ethics, corporate governance andaccountability are all interrelated within an ethics framework.

The ethics framework for businesses

Figure 3.1 shows a schematic of the ethics framework for businesses. Three forces operate inthe framework. They are the market (which includes the environment), the business entityand the regulatory regime. The ethics framework shows the interactive relationships amongparties within each of these forces and among the forces. The market provides the resourcesand opportunities (and threats) for the entity to operate in a competitive world. The entityoperates as an ongoing concern for the interests of its owners and forms a part of the mar-ketplace. The government, industry regulators and professional organisations, on the otherhand, provide support and oversight functions to the market and its entities. Interested par-ties such as the Australian Shareholder Associations, the unions and the Australian Instituteof Company Directors are subgroups that pursue the interests and voice the concerns oftheir members to exert influence on all three forces.


The actions and performance of an entity can be seen by market participants such asshareholders, fund providers, and other stakeholders, including customers and the generalpublic. The performance of the entity is also under the oversight of the regulatory regime.The market responds to the actions of entities and regulatory authorities and increasesdemand for relevant information, responsible behaviour, safety, protection of the environ-ment, with the long-term expectations of returns and security. The regulatory regimecorrects and minimises opportunities for malpractice by enacting legal restrictions andlegislative reforms, and through persuading the industry and related professional organ-isations to introduce stronger self-regulatory standards and rules.

Within the entity, the governing body defines the overall strategy and implements controlsystems to exercise proper governance. Three levels of ethics are found within an entity: theethics of the governing body (and its management), workplace ethics and individual(employee) ethics.

Figure 3.1 A schematic for an ethics framework

The entity The regulatory regimeThe market

Owners,

shareholders, other

fund providers

The government and

regulators

Other

stakeholders,

customers,

the public

Industry standards

and norms

Professional

standards and

norms

Individual

upbringing and

families

Directors' and management's

ethics, leadership and governance

(chapter 5)

Workplace ethics and culture

(chapters 11 and 12)

Individual ethics:

• ethical sensitivity (all)

• ethical priorities, values

a nd understanding of

principles, theories

(chapters 2 and 3)

• ethical/moral

development –

capability to make

ethical decisions

(chapters 2, 3 and 4)

• ethical courage to act.

Integrative issue:

social + environmental

(chapters 8 and 9)

Integrative issue:

earnings management +

frauds

(chapters 6 and 7)

Integrative issue:

independence

(chapter 10)

�

6 0

ETHICS OF THE GOVERNING BODY

The ethics of the governing body and its management concern the priorities given to theformulation of goals, mission and overall direction in the interests of the shareholders andstakeholders, thus implementing them into policies, procedures and control systems. Thegoverning body of an entity is typically represented by the board of directors, the seniormanagement and relevant board committees. The primary responsibility of the directors andmanagement is to provide and facilitate good corporate governance practices, and to satisfykey corporate drivers for both performance and conformance. Corporate governance is notonly about structures and processes, but also strategies for addressing stakeholder needs, inthe form of products, services and information. Governance is characterised by an entity’spriorities in values and leadership.

ETHICS OF THE WORKPLACE

The ethics of the workplace are influenced by the visibility of the values and leadershippractised by the governing body. Workplace ethics can be characterised by the transparencyof information and operation, open communication between levels, equitable treatmentamong and within subgroups and a generally supportive workplace environment. Work-place ethics concerns the implementation of governance polices and procedures, whilemonitoring the soft issues of ‘unwritten norms’ or cultures. The existence of a code of con-duct, for example, is an incomplete feature when there is a lack of constant review regardingits adequacy, or when there is no monitoring procedure (i.e. supporting mechanism whenan individual within an entity enforces the code or disciplinary measures when an indi-vidual breaches the code). Whistle-blowing programs, workplace conflicts, bribes or otherconflicts of interests are issues which must be addressed in order to provide the contexts forethical behaviour in a healthy workplace.

The ethics of the governing body and workplace ethics shape the entity’s culture throughtheir interactions and support. Culture in turn influences individuals.

INDIVIDUAL ETHICS

Individual ethical behaviour is influenced by four interrelated components, according toJames Rest. Individuals must be capable of identifying ethical problems (ethical sensi-tivity); appreciating the values and priorities through their understanding of principles,rules, norms and theories (ethical priorities); developing their individual sets of rea-soning and judgment (ethical judgment); and developing the strength of character to actupon such decisions (ethical courage). So when an individual employee encounters asituation, he or she (1) acknowledges the ethical dimensions of the problem; (2) assessesavailable principles, rules and norms; (3) evaluates the adequacy of existing policies, prac-tices and workplace standards; and (4) acts. All four components have to be present,according to James Rest, to result in ethical behaviour.

ETHICAL EXPECTATIONS OF THE MARKETSThe growth of Australia’s markets and financial services industry has been rapid andsustained. Statistics have shown that nearly one in two Australian adults now directlyown shares, which is the highest proportion in the world, ahead of the United States,United Kingdom, Canada, Germany and New Zealand, in both direct and indirect shareownership. Different from Europe, Australia’s market profile is also increasingly skewedtowards retail investors. Millions of Australian investors are eager to help fund their


retirement through some kind of equity ownership. Three out of four workingAustralians invest in superannuation, and over five million Australians use financialadvisers. This growth in market size and coverage inevitably means that many investorsare participating for the first time in financial markets, which they may not entirely oradequately understand. During the late 1990s, many inexperienced financial servicesconsumers bought a complicated range of products and services and were caught out,losing their life savings.

The market, including owners and investors, public stakeholders and the general public,has certain ethical expectations. The market’s support for an entity depends upon thecredibility of the entity’s corporate commitments and reputation, and the strength of itscompetitive advantage. Credibility depends on the trust that stakeholders place in theentity’s activities, and trust, in turn, depends upon the values underlying such corporateactivities. Stakeholders increasingly expect an entity’s activities to show respect for theirvalues and interests. This respect for stakeholder values and interests determines the ethicalstanding and success of a corporation. The Johnson & Johnson example shows the impor-tance of respect for stakeholder values and interests.

With an increasing amount of interest in corporate activities and accountability, thepublic expectations of businesses and the professions have become far more concernedwith stakeholder interests and ethical matters than has been the case in the past.Directors, executives and business managers, who serve the often conflicting interests of

Johnson & Johnson and others

Crisis may strike a company unexpectedly. A huge amount of blame can be placed on acompany if it fails to respond properly to a crisis. In 1982, Tylenol commanded 35 percent of America’s over-the-counter analgesic market, contributing about 15 per cent ofJohnson & Johnson’s profits. Unfortunately, an individual succeeded in lacing the drugwith cyanide and seven people died as a result. After that incident, there was panic aboutTylenol and the market value fell by $1 billion. When the same situation occurred in1986, the company acted quickly. It recalled all Tylenol products from every outlet, notjust the outlets where the products had been tampered with. The company also decidedthe product should not be re-established until something had been done to providebetter product protection. As a result, tamper-proof packaging was developed. The costwas high and the lost production and destroyed goods of the recall were considerable.However, the company won praise for its quick and appropriate action, and achieved thestatus of consumer champion. Within five months of the disaster, the company regained70 per cent of its market share for the drug. The company had succeeded in preservingthe long-term value of the brand and its loyalty.

Contrast that with the case of Bridgestone/Firestone in 2001. In Washington, it paidUS$41.5 million in settlement to fend off lawsuits by states over defective tyres thecompany recalled in late 2000. The United States investigators had documented 271deaths from thousands of accidents involving the tyres and the Attorneys-general raiseddoubts as to whether Bridgestone/Firestone and Ford were aware of the problems withthe tyres long before the recall was announced.

Can you think of any other real-life cases similar to these?

I N P R A C T I C E

6 2

shareholders directly, and the public indirectly, must be aware of the public’s ethical

expectations, and manage the related ethics risks accordingly. More than just to provide

financial outcomes, their awareness must be combined with traditional values and

incorporated into a framework for ethical decision making and action. Otherwise, just as

with Enron and Arthur Andersen, the credibility, reputation and, eventually, competitive

advantage of capital markets — as well as the organisation, management and the

profession — will suffer.

In the aftermath of the corporate failures in the early 2000s, the general community has

been caught up with extensive financial and other injuries. The collapse of HIH, one of

Australia’s largest home-building market insurers, left the building industry in turmoil.

Home owners were left without compulsory home warranty insurance, owners of residential

dwellings found that cover for defective building work had vanished, and builders were

unable to operate because they could not obtain builders’ warranty insurance. Thousands of

other individual cases of hardship also emerged. For example, about 200 permanently dis-

abled people no longer received their regular payments from HIH. A 50-year-old school

principal who had developed a brain tumour, and who had relied on an income protection

insurance policy, found his monthly cheque from HIH was dishonoured and his policy

worthless. Corporate collapses and the extensive damages to the community were a wake-

up call for ethics in business.

In summary, market participants have ethical expectations from both the entity and its

accounting and finance personnel.

Table 3.1 illustrates some of the ethical expectations of the market.

Table 3.1 The right angle of a triangle means nothing to me

EXAMPLES OF ETHICAL EXPECTATIONS BY THE MARKET

Market

participants

Ethical expectations of the

entity Accountants’ or executives’ roles

Owners,

shareholders

and fund

providers

• Ongoing viability

• Reputation and credibility

• Integrity of information

and returns

• Accountability.

• Effective governance and objective risk

management process

• Integrity in financial management

• Transparency, objectivity and disclosure.

Other public

stakeholders,

employees,

and individuals

etc.

• Product safety and product

quality

• Socially responsible

activities

• Fairness and equity

• Honesty and respect for

the public interest

• Professional and other

developments

• Open communications

• Fair compensation.

• Understand corporate social responsibility

and triple bottom line reporting

• Integrity in judgments for operations,

financial and other business dealings

• Ensure compliance with standards, legal

and regulatory matters

• Maintain integrity and the duty of care

• Undertake corrective actions in cases of

wrongdoings

• Implement and monitor codes and whistle-

blowing programs.

�


THE ACCOUNTANT IN THE ETHICS FRAMEWORKAccountants provide skilful services. These services have developed from a traditionalfinancial focus to a broad range of services including auditing, advisory, assurance andconsultative roles, on matters which have economic outcomes, in the short or longterm. Accountants therefore may assume responsibilities in any part of the ethicsframework, providing services either as an employee, a financial expert or an indepen-dent service provider.

Accountants as the moral agent

Accountants are also said to be the moral agents of organisations, and provide an objec-tive account of matters in a fiduciary relationship. They are relied upon because oftheir professional status and ethical standards. Hence, within an entity, accountants havea duty towards their employer, loyalty to the governing body and management, and theresponsibility to ensure such duties are performed with the objectivity, integrity andethics of a professional person. Accountants providing independent services, such as inauditing, have a duty to their own employers, while maintaining an independent butcordial relationship with their clients.

One complication of the accountant’s role in public accounting firms is the relation-ship between the accountant and the client. The cosy relationship, which oftendevelops as a result of an accountant’s increasing assistance to management in the formof consultancy and other services, may in turn jeopardise the perceived independenceof the accountant as an auditor. It has been reported that, over the period 1992–2002,the total audit fees paid by the Australian Stock Exchange (ASX) top 100 companiesgrew by 99 per cent, while the total non-audit fees paid by these companies to theiraudit firms grew by 501 per cent. The Australian Securities and Investments Com-mission (ASIC) also reported in 2002 that audit firms were earning substantial fees fornon-audit services and that most companies lacked robust processes for ensuring thatthe independence of audit was not prejudiced by the provision of non-audit services.The spate of audit and financial disclosure reforms in the Corporate Law EconomicReform Program (Audit Reform and Audit Disclosure) Act 2004 is partly the result of theextensive nature of auditor involvements in their audit clients, which has led to thealleged failure of objectivity and integrity in major corporate collapses. Although thereare historical and economic reasons in support of the broadening of services providedby accountants and auditors, the evidence presented after recent corporate collapses hasrendered stringent rules for audit independence inevitable.

On the other hand, accountants employed within an organisation can be challengedwith matters that are not necessarily financial in nature, but which have ethical impli-cations. For example, an operational disaster which leads to human injuries involvesfinancial compensation and the accountant may either be aware of the situation or partof the investigation. Or, an accountant may be involved in alerting a management tointernal fraudulent activities, which could expose the organisation to potential financiallosses. Outside the entity, accountants may be involved in providing professionalforecasts and analyses, or undertaking investigative projects to evaluate investmentproposals. Accountants representing the regulatory regime contribute to the under-standing, development and interpretation of the law, industry and professional

6 4

standards, with possible involvements in forensic issues. In sum, the roles of account-ants in the ethics framework are diverse and complex.

All accountants are expected to observe the standards of care, professionalism andethical behaviour as part of their primary professional duty to safeguard the publicinterest. This, of course, is an extremely simplistic description of the principles regardingaccountants’ roles in the ethics framework. The complex ethical positions of theaccountant are briefly discussed here.

The impact of competitive pressures andenvironmental concerns

The development of the global market has given rise to the free flow of capital, goodsand services throughout the world. Corporations try to combat competitive pressurethrough greater productivity and lower costs. Questionable behaviour, undertaken toincrease short-term profitability, such as in the case of Bridgestone/Firestone, does notoutweigh the risk of long-term reputation damage. There are also increasing concernsregarding environmental matters, excessive management compensation and bad businessjudgments. These issues, together with the corporate collapses and financial scandals,have led to the general public becoming less trusting of business executives and pro-fessionals, such as accountants and auditors. Some of these cases are illustrated in thefollowing section.

Ethical problems faced by accountants

Accountants are educated to possess the competence and skills to deliver their services inthe public interest. They are regarded as professionals who have a fiduciary relationshipwith those whom they service. Accounting bodies traditionally exercise a self-regulatorysystem in order to ensure that members safeguard the public interest by performing theirtasks professionally, competently, ethically, responsibly and with due care.

As shown in figure 3.1, accountants, like other individuals employed within anentity, be it commercial or professional in nature, are subject to the same complexframework of relationships and influences. Furthermore, the requirement of allegiancetowards professional standards and behaviour means that accountants must regard thepublic interest as their top priority. Any conflicts between the public interest and self-

interest, loyalty to the entity and its governing body, may result in ethical dilemmasand possibly lapses. A choice has to be made. The choice made may even have veryfar-reaching consequences.

In a professional environment, such as within an accounting firm, an accountant’s rolerequires performance under tight budget and timelines, maintaining relationships withclients and firm management, and applying strict accounting rules and professionalstandards. Hence, the ethics framework for an accountant working in a professionalentity can be both demanding and complex, resulting in ethical issues to be faced byindividual accountants.

The technology market bubble of the late 1990s and its puncturing in 2000 occurredalongside major collapses in corporate governance. Those who had contributed to theaccounting scandals also contributed to the loss of public confidence in the accountingprofession. High profile collapses such as Enron, WorldCom, Global Crossing, AdelphiaCommunications and Tyco in the United States, HIH, One.Tel and Harris Scarfe, in


Australia, were largely the result of a period of disguise, restatement of the financialstatements and a general disregard of ethics and integrity by business management, theboard and the accountants involved. Parallel to this was great concern regarding the fairnessof the operation of a market system where shareholders, employees in general, and pen-sioners lost large sums, while those running companies, exercising bad business and ethicaljudgments, had enriched themselves with massive compensation pay-outs.

Some argued that the catalyst for these events was the fierce battle by many managersand directors to meet investors’ expectations that the company in which they purchasedshares would report a steady stream of high and ever-increasing quarterly profits andrevenues. In the struggle to deliver results, management, as well as investment bankersand analysts, with lawyers working alongside, lost sight of their responsibility andaccountability. Some auditors also lost their autonomy and good judgment, and blurredthe line between right and wrong. On too many occasions professionals in our largestand most respected accounting firms yielded to management pressure, permittingmisleading financial information to be published.

To some extent, there have been some lapses in the way accounting firms have structuredcompensation policies and other incentives, rewarding those partners who generated thegreatest amount of new auditing or consulting assignments rather than those who deliveredthe best quality audit work.

The following examples show how accountants have been involved in ethical lapses.• A forensic audit by PricewaterhouseCoopers at HealthSouth, an Alabama-based rehabili-

tative clinic, reported a revised fraud of US$4.6 billion on 22 January 2004, representingfraudulent accounting entries from 1996 to 2002, incorrect accounting for goodwill andother aggressive accounting in that period to March 2003. Fifteen former executives,including five former chief financial officers, have pleaded guilty to charges related to thefraud. Former auditors at Ernst & Young, and former investment bankers at UBSWarburg, were said to have known about the fraud even as they signed off on financialstatements and sold HealthSouth securities to the public.

• Parmalat Finanziaria, the parent company of the Italian dairy group, has removed Deloitte& Touche SpA and Grant Thornton SpA as auditors following the discovery of a phoneyasset certificate in the Cayman Islands. Two accountants at GT SpA were arrested onsuspicion of falsely certifying Pamalat’s balance sheets. Both firms were cited in a classaction suit brought on behalf of United States investors.

• Former HIH Insurance financial executive Bill Howard was the first person convictedfor his role in the HIH collapse when he was sentenced in the New South WalesSupreme Court to a three-year suspended jail term in December 2003. He admittedhe received AUD$124 000 in bribes to organise payments to companies linked withBrad Cooper, including a $737 500 payment from HIH, which HIH was not obligedto make. It was alleged that when Cooper made an offer to ‘look after’ Howard, inreturn for retrieving funds from HIH, the HIH executives had their hands full tryingto keep the company afloat. They asked Howard to ‘deal’ with Cooper. When Howardwas asked at the HIH Royal Commission as to the reason for his action, he said, ‘Idon’t know. I think I just gave in to the incessant battering ... I have been punting allmy life’.

• Alan Hodgson, the CFO at Harris Scarfe, admitted that for about five years he had ineffect been keeping two sets of books. He had artificially increased the company’s profitsin the monthly financial reports, as well as the half-yearly and annual financial statementsfor the board and the Australian Stock Exchange (ASX). Hodgson stood to gain nothingfrom his actions other than the ‘approval’ of those around him. When the executive

6 6

chairman said he wanted to achieve a particular profit margin, Alan interpreted it as an

order to do whatever it took to get that margin. Hodgson was sentenced in 2001 to a six-

year jail sentence, with a non-parole period of three years.

These examples are just some of those appearing in the media about the corporate

collapses in recent years, other than Enron and WorldCom. Many of the cases had similar

features: a strong and dominating leader, a dysfunctional board, an aggressively results-

driven corporate culture, manipulation of accounts, and accounting personnel caught in the

middle, trying to balance the pressure to perform and to maintain their own position,

possibly within an ethics lapse situation.

THREATS TO ETHICS, CORPORATE

GOVERNANCE AND ACCOUNTABILITYIn light of the current environment of competition and drive for performance, accountants,

auditors and other finance executives face issues which pose threats to their ability to

maintain their ethical position and implement good governance practices. The sources of

threats can include:

• stakeholders — where one group of stakeholders has an unfair advantage over other groups

• products or services — where the poor quality of products or performance of service

compromises the standards (e.g. of safety and health)

• organisational culture, norm and objectives — where there is a lack of responsible

leadership, combined with a self-interested culture and objectives being defined by the

‘bottom-line’ and short-term financial benefits for individuals

• social status and reputation — professional and organisational misconduct where the

organisation or the industry acts in a way perceived to be detrimental to society, leading

to loss of credibility.

In describing the ‘bill our brains out’ culture of Arthur Andersen, Barbara Toffler

referred to the fact that, by the late 1990s, all of the firm’s employees were expected to

be ‘masters of creativity’ when it came to figuring out ways to sell more services —

auditing or consulting — to clients. There were regular meetings of SOAR teams (‘Sales

Opportunities and Resources’), ‘Crown Jewel’ teams and ‘Elephant Target’ teams. They

were there to exploit every possible void. Everyone from auditors, internal auditors, tax

specialists and consultants attended these meetings. Over the course of an hour or two,

the status of a client’s account would be reviewed, and then everyone would pitch in

with ideas about how to increase revenue. ‘It was all about cross-selling — offering the

soup, the nuts, and everything in between . . . the meetings also had the effect of

increasing the pressure.’ Such a culture of pressure on individual employees led to the

only way to get ahead, or to keep up, was to compromise quality. ‘So that’s what we did,’

wrote Toffler.

Ethics threats or risks can be defined as the risk of failure to achieve a certain

expected standard of behaviour. An ethics risk for the professional accountant is the risk

of failing to achieve the standards of behaviour expected of him or her. Such standards

of behaviour are assumed within a fiduciary relationship, a professional arrangement, an

accredited affiliation with a profession, or criteria established in a code of ethics or a set

of mission statements.


Some examples of ethics risks from different sources are described in table 3.2.

Table 3.2 shows that ethics risks can be embedded in a variety of relationships, hence thesources of ethics risks classifications include individuals, organisations, groups, productsand objectives. Some ethics risks originate from a self-interest motive, in which individualsand organisations attempt to maximise their own benefits or avoid losses.

Threats to accountability at Barings and NAB

In August 1994, Barings’ internal auditors had issued a report highlighting ‘significant

general risk’ that Nick Leeson could circumvent controls, as he had responsibility over

both trading and settlement activities. Although the warning has created tremendous

pressures, the management wrote, ‘Leeson should continue to take an active role in the

detailed operation of both the front desk and the back office’. Leeson’s ability to generate

large profits was emphasised. In February 1995, the 233-year-old British investment

bank collapsed.

A decade later, a similar case occurred in the National Australia Bank (NAB),

although it reacted swiftly to correct the situation. NAB lost AUD$360 million on

currency options trading, as a result of poor operational and monitoring controls.

PricewaterhouseCoopers (PwC), which conducted the investigation into the activities,

reported that there were inadequate or non-existent controls which allowed trading

losses to be concealed. Moreover, warnings signs were ignored. PwC reported that the

concealment of the true trading position began as early as 1998. The traders

‘smoothed’ profits and losses by shifting them from one day to the next. It was a

practice not dissimilar to Nick Leeson’s at Barings — a lack of internal checking,

concealing true transactions through the timing difference of recording, a lack of

reconciliations, and a disregard for breaches of trading limits by management —

practices that appeared to have been acceptable to NAB and Barings. Responsibility

was ‘passed on, rather than assumed’.

KPMG, which also reviewed the case, said that the NAB’s culture or ‘tone at the top’

was a key to understanding how the losses developed. The focus was on procedure

manuals (rather than the substance of the issues) and said that the board must accept

that it is ultimately responsible for the culture that kept it in the dark.

NAB announced the departure of its executive general manager of risk management,

alongside the earlier departure of its former chairman and chief executive — a casualty

list of 10 so far.

I N P R A C T I C E

6 8

Table 3.2

Ethics risks can also derive from incompetence. Here, competence includes both

technical competence and ethical competence. A failure to understand the nature of a trans-

action which results in a wrong judgment of accounting policies (e.g. capitalising expenses)

is an error caused by technical incompetence, leading to inappropriate financial statements

being furnished. An inability to withstand the influence and pressure of management to

manipulate the earnings figures is an example of ethical incompetence. Both cases would

result in an unethical conduct (i.e. misleading users of the financial statements). Although it

is difficult to distinguish between the two, and indeed they overlap sometimes, an ethical

problem often arises from an error of judgment. Worse still is when, in some cases, an inten-

tional error is committed to conceal an unintentional error. In terms of ethics, it is called a

‘slippery slope’, as seen in many corporate collapse cases — in HIH, One.Tel and Harris

Scarfe, or in the collapse of the Barings Bank in the early 1970s.

EXAMPLES OF ETHICS RISKS UNDER EACH SOURCE

Nature Stakeholders

Products/

services

Culture, norms

and objectives

Social status and

reputation

Self-interest Institutional

investors’

pressure for

earnings /

forecast targets

leading to

earnings

management

Concealing

prohibitive nature

of products

(e.g. ill effects of

drugs to protect

profit)

Maximising

bonus and

commission by

manipulating

accounts and

budgets by

senior staff

Building

monopolised

services (e.g.

anti-trust

practices, low-

balling by

accounting firms)

Incompetence

(technical or

ethical)

Failure to manage

staff disputes

leading to

employee fraud

Failure to

acknowledge

product safety

standards

resulting in

customer injuries

Wrong tone set

at the top, non-

compliance

culture leading to

staff tendency to

cut corners

Failure of

accountants or

auditor to apply

standards of

integrity and

objectivity in

financial

reporting

Conflict of

interests

Conflicts between

shareholders and

management

leading to

misleading

information

released to the

public

Extensive non-

audit services

rendered by

auditors leading

to compromised

audits being

performed

Inappropriate

handling of

complaints or

staff concerns

leading to

whistle-blowing

situations

Failure to

discharge

fiduciary duties

in an independent

and objective

manner by

accounting firms

�


CORPORATE COLLAPSES AND THE NEED TO RESTORE CREDIBILITY AND TRUSTRecent corporate collapses did not happen in a vacuum. Gittens (2002) argues that theprevalence of materialism in many developed countries is the key motivation of fraudsters.Motivations for material advantages and pursuits of self-interests are shown by economicand political agendas, the growth in compensation for executives and the apparent decliningethical standards among company directors and auditors. The chairman of the AustralianSecurities and Investments Commission (ASIC) also lamented the extent of managementgreed, the failure of boards to exercise good corporate governance practices such asremuneration payouts, and the record level fees and commissions earned by analysts andaccountants on advisory services.

In July 2003, the International Federation of Accountants (IFAC) released a researchreport entitled, Rebuilding public confidence in financial reporting — an international perspective.The report concluded that the financial scandals experienced in recent times were symp-toms of deeper problems and not the prime cause of the loss of credibility. The researchreported the following key findings:

• Methods of ensuring the effectiveness of corporate ethics codes and active monitoring areneeded.

• Financial management and controls are a prime concern for corporate management.

• Incentives and awareness of financial misstatements are required in order to reduce suchopportunities.

• Board oversight of management must be improved.

• Attention to potential threats to auditor independence and corporate governance issues isneeded.

• The effectiveness of audit quality processes should be monitored.

• Compliance with codes of conduct should be monitored.

• The regulatory, standard setting and financial reporting processes and practices should bestrengthened.

In sum, the findings concern ethics, adequacy of financial management, reportingmechanisms, audit quality and strengthening of governance regimes. As the IFAC researchreport quite rightly put it, there are ‘deeper problems’ faced by accountants and auditors.Such deeper problems are the impediments and threats which jeopardise the objectivity andintegrity of all parties in the supply chain of financial management and corporate governance.

As the bubble economy encouraged corporate management to adopt increasingly creative

accounting practices to deliver the kind of predictable and robust earnings and revenue growth

demanded by investors, governance fell by the wayside. All too often, those whose mandate

was to act as a gatekeeper were tempted by misguided compensation policies to forfeit their

autonomy and independence.

Source: The American Assembly (2003), The Future of the Acting Prof Report, 103rd American Assembly, Columbia University, New York.

Never in its history has the accounting profession been subject to such criticism and chal-lenges, which eroded public confidence and led to the sweeping changes in legislation andgovernment intervention. From the enactment of the Sarbanes–Oxley Act in 2002, as wellas the Public Company Accounting Oversight Board in the United States, we witnessed thepublication of numerous papers of reforms and research reports. In Australia, the morerecent developments are:

7 0

• CLERP Discussion Paper No. 9: CLERP (Audit Reform and Corporate Disclosure) Act 2004• the ASX Corporate Governance Principles and Best Practice Guidelines 2003• Standard Australia’s Australian Standards for Corporate Governance, which includes

Good Governance Principles, Fraud and Corruption Control, Organisational Codes ofConduct, Corporate Social Responsibility, and Whistleblower Protection Programs forEntities. These standards were issued in 2003 as AS8000 Standards.

• the HIH Royal Commission reports (three volumes), which detail the problems andrecommendations for parties such as the accounting profession, governments, auditors,corporate managers and board of directors.In an address in March 2004 to the Institute of Chartered Accountants in Australia, the

Acting Chairman of ASIC emphasised the priorities of ASIC in 2004. The address reiteratedthe increased responsibilities of ASIC, which are to maintain, facilitate and improve the per-formance of the financial system and the entities within it, which includes reducing businesscosts and improving the efficiency and development of the economy. The collapse of entitiessuch as HIH, Enron and WorldCom have moved regulatory reforms higher up the publicagenda, particularly as they relate to disclosure and audit.

An example of these is the regulation S1013D(1) of the Financial Services Reform Act 2001(FSRA), which requires the issuer of financial services products, including superannuationfunds, to disclose ‘the extent to which labour standards, or environmental, social or ethicalconsiderations are taken into account in the selection, retention or realisation of the invest-ment’. Another example is the CLERP (Audit Reform and Corporate Disclosure) Act 2004,which strengthens the obligations of auditors to report breaches of the law to ASIC. ASICregards the administration of the Financial Services Reform Act, CLERP (Audit Reform andCorporate Disclosure) Act 2004 and surveillance programs as its priorities. All three havemajor implications for the role of accountants and finance professionals.

The introduction of the financial services reform (FSR) regime set new standards, whichmeant that the entire financial sector was brought under a consistent set of regulations.There is a harmonised licensing system, disclosure and conduct framework and a singleregime for financial product disclosure. The CLERP (Audit Reform and Corporate Disclo-sure) Act 2004, on the other hand, is the government’s response to the series of corporategovernance and accounting failures.

Examples of the CLERP (Audit Reform and Corporate Disclosure) Act 2004 provisionsinclude:• expanding the role of the Financial Reporting Council, which is to be responsible also for

the oversight of the accounting and auditing standards-setting regime• providing legal underpinning for auditing standards• strengthening auditor independence, including requiring rotation of audit partners of

listed company clients after five years• providing greater protection for those who report breaches of the law to ASIC• enhancing disclosure and accountability to shareholders, including on executive and

director remuneration• introducing a new duty for financial services licensees to manage conflicts of interest.

As stressed by the acting chairman in his address, one of the foundations of good gover-nance is the provision of adequate, timely and reliable information about corporate perfor-mance. This is the responsibility of those who direct and control the corporation, its financepersonnel and the experts brought in under the law as independent judges — that is, theauditors. Auditors, in particular, have always faced the dilemma of trying to reconcile acommercial service provider-client relationship with the responsibility of a watchdog or a‘contracted regulator’ of corporate financial reporting. The two roles conflict and are not


equally supported. All the commercial incentives support the service provider role, and very

little, if anything, has supported the watchdog role. The CLERP (Audit Reform and Corpo-

rate Disclosure) Act 2004 tries to redress the balance, and supports the public responsibility

or ‘watchdog’ aspect of auditing. Not only that, in the opinion of the acting chairman, a

clear market expectation now is that auditors should be bloodhounds, not just watchdogs.

It expects auditors to take the initiative where they discern something amiss — to find and

reveal what is hidden.

To remain a profession, therefore, accounting must address issues ranging from the

underlying potential problems or conflicts created by the consolidation of the financial

industry to the need to restore its credibility by critically re-examining its fundamental

values and roles.

WHY LEARN ETHICS?The accounting profession has suffered a series of setbacks with the financial collapse of busi-

ness firms involved in financial fraud without detection from their auditors. Critics usually

cite a breakdown in the ethical standards and behaviour of accountants as a contributing

factor in such scandals. Consequently, a number of organisations recommend the inclusion of

ethics into business curriculums. For example, The National Commission on Fraudulent

Financial Reporting 1987 (Treadway Commission) recommends the inclusion of ethics edu-

cation in business curriculums to help prevent, detect, and deter fraudulent reporting. The

two major Australian accounting bodies (CPA Australia and the Institute of Chartered

Accountants Australia) and universities now include ethics in their educational programs.

The phrase ‘ethics education’ has a variety of connotations. For some, it means instruc-

tion toobey the law, while for others it is improving moral character. Critics of ethics

education argue that a student’s moral standards have been fully developed and firmly

entrenched by traditional institutions such as church and family by the time they reach

university. The university curriculum, therefore, is unlikely to influence students’ attitudes.

However, supporters of ethics education claim that changing students’ habits, beliefs and

values is not, and should not be, a primary function of a course in ethics. The primary

function should be to teach ethical systems of analysis, not moral standards of behaviour.

The goal of ethics education is not related to value-shaping, but to helping the fundamen-

tally dcent, well-intentioned student by introducing skills to deal effectively with ethical

challenges. Ethics education will not convert a ‘deviant’ to a ‘virtuous human being’, but stu-

dents with good instincts and a genuine concern for others will be able to detect issues more

perceptively, think about them more carefully and to understand more clearly the reasons

for acting morally. Therefore, one goal of this chapter is to provide you with a framework to

identify, analyse and resolve ethical problems. Whether or not you choose to utilise these

skills in your professional life is a separate issue.

NORMATIVE THEORIES OF ETHICSIn this section we identify and classify three approaches to ethical judgment, which will not

only help you to understand the language of normative ethics but also provide a framework

for moral discourse in later chapters. As you read through the following material you should

bear in mind that theories of ethics are not based on utopian notions of idealistic living —

they reflect the way people make decisions in their everyday lives.

7 2

A normative theory is represented by a value judgment on what ‘should’ or ‘ought’ to

happen, it is not concerned with what does happen. For example, fidelity as a normative

principle suggests that people should always be truthful even if deception is common or

usual practice. In ethics, a normative theory provides a principle, standard or value on how

we ought to behave toward others by considering the right and wrong of our actions. Ethics

is about doing good instead of harm and it does this by setting a standard of virtuous

conduct. Therefore, a normative ethical theory provides a principle on how we ought to

behave irrespective of current social norms and practices. Understanding principles of good

behaviour is important if we are to make ethical decisions and behave appropriately.

It is customary to divide normative ethical theories into two broad classifications, conse-

quential and non-consequential. Consequential theories define good in terms of its

consequences, thus giving rise to the term consequential. The best-known example of a

consequential theory is utilitarianism. In contrast to consequential theories we have non-

consequential theories, which define good not by its consequences, but by its intrinsic

value, regardless of whether its obedience produces undesirable outcomes. For a non-

consequentialist, an act or decision is right because it is the right thing to do. The best-

known examples of non-consequential theories are the rights and justice theories. Each of

these theories is discussed on the following pages.

Consequential theories of ethics

In ethical decision making, even the best intentions are of little value unless an ethical

outcome is achieved. Proponents of this view support the notion that consequences are

important for assessing the moral worth of an act or decision. In general terms, consequen-

tial theories determine right from wrong based on the results or consequences of the action

or decision, and if the good consequences outweigh the bad consequences, the decision or

action is morally correct. There are a variety of consequential theories; in this chapter we

examine the theory of utilitarianism.

The theory of utilitarianism

The theory of utilitarianism is concerned with making decisions that promote human

welfare. According to this theory, the ethical alternative is the one that maximises good

consequences over bad consequences. Expressed as a guiding principle, something is

morally good to the extent that it produces the greatest balance of good consequences over

bad consequences for the greatest number of people. The principle is commonly expressed

as ‘the greatest benefit for the greatest number’. This should not be confused with producing

the greatest total benefit, but the action that produces the greatest benefit after allowing for

total costs.

Jeremy Bentham (1784–1832), the father of utilitarian ethics, defined utilitarianism as the

greatest happiness principle. The greatest happiness principle measures good and bad conse-

quences in terms of happiness and pain. To this end, acts are right to the extent that they

promote happiness (which makes life more content) and avoid pain (which makes life

worse). The terms happiness and pain have broad meaning and encompass all aspects of

human welfare, including pleasure and sadness, health and sickness, satisfaction and

disappointment, positive and negative emotions, achievement and failure, and knowledge

and ignorance.


Applying the utilitarian principle is a procedural process involving five simple steps.They are:1. Define the problem.2. Identify the stakeholders affected by the problem.3. List the alternative courses of action for resolving the problem.4. Identify and calculate the short- and long-term costs and benefits (pain and happiness)

for each alternative course of action.5. Select the course of action that yields greatest sum of benefits over costs for the greatest

number of people.The theory of utilitarianism is attractive because it fits neatly into people’s intuitive criteria

for deciding moral problems. People make crude comparisons between their likes and dis-likes every day and are quick to point out the benefits and harms of proposed actions. Forexample, a proposal to introduce fees for education will immediately conjure up notions ofaffordability and accessibility. Utilitarianism is appealing to many people because it takes apragmatic, commonsense, and even unphilosophical, approach to ethics. Actions are rightto the extent that they benefit people. Alternatively, actions that produce more benefits thanharms are right, and those that do not, are wrong. Therefore, the advantage of utilitarianismlies in its simplicity and defensibility. This comparative cost–benefit approach to ethicaldecision making provides a straightforward method of analysing and resolving ethical prob-lems. Once resolved, decisions can be explained and justified with utilitarian reasoning.

LIMITATIONS OF UTILITARIANISM

The cognitive process required for utilitarian decision making appears similar to the cost–benefit analysis that is normally applied in business decisions. However, there are threeimportant distinctions between the application of the utility principle and the traditionalcost–benefit analysis: the nature of the consequences, the measurability of the consequencesand stakeholder analysis.

The nature of the consequencesIn analysing the consequences of the various alternative courses of action, we must becareful not to consider consequences in strict economic terms. As stated above, costs andbenefits are defined as pain and happiness, which encompass all aspects of human welfareand emotions. Consequences in utilitarian analysis are not restricted to financial matters.This does not mean that economic outcomes should be ignored, but should receive thesame consideration as non-economic outcomes. The problem for most accountants, andbusiness people generally, is that they are inclined to focus on the economic outcomes andignore other non-quantifiable variables. This typically occurs in business where cost–benefitanalyses are measured predominantly in economic terms and for their impact on the profitmotive. The comfort and objectivity associated with measurable outcomes tempts people tofavour quantifiable criteria and, in doing so, ignore non-quantifiable variables, even thoughthey may be sometimes more important. This kind of faulty analysis displays a quantitativebias that may exclude other more attractive courses of action that rely more heavily on non-quantifiable outcomes.

The measurability of consequencesThe utilitarian principle assumes that we can somehow measure and add the quantities ofhappiness produced by an action and subtract them from the quantities of measured pain,thereby enabling the selection of a course of action that produces the greatest net happiness.However, not all benefits and harms have an easily determined unitary or monetary value.How can sadness, pleasure or contentment be measured? Even when unitary measurement

7 4

is possible, the relative weighting given to outcomes will vary with different people. What isgood for one person may be harmful to another. It is likely that two people applying autilitarian analysis to the same problem will arrive at different conclusions simply because ofthe way in which outcomes are measured and weighted. Fortunately for accountants, they,more than many other professions, possess the skills for measuring and assigning values touncertain outcomes.

Stakeholder analysis

Proper application of the utility principle requires a deliberation of the consequences on allpeople affected (stakeholders) including, but not restricted to, the decision maker. Whereasthe typical cost–benefit analysis in business considers the impact of the consequencesprimarily in terms of the entity or person that is making the decision. Other stakeholdersare considered only in so far as it affects the business entity. A utilitarian analysis goesbeyond that of the decision maker and seeks to maximise net happiness to as many stake-holders as possible. An act that promotes self-interest at the expense of others is unethicalon utilitarian grounds.

Non-consequential theories of ethicsThe alternative to consequential theories such as utilitarianism are non-consequentialtheories. A non-consequentialist affirms that duties must be obeyed regardless of the out-comes, hence the term non-consequentialism. A non-consequentialist would argue that theend does not justify the means and the intention to do the right thing is more importantthan the result. The question here is what is the right thing? We examine two examples ofnon-consequential theories: the theory of rights and the theory of justice.

The theory of rightsThe rights principle stems from the belief that people have an inherent worth as humanbeings that must be respected. Therefore, according to the theory of rights, a good decisionis one that respects the rights of others. Conversely, a decision is wrong to the extent that itviolates another person’s rights. When confronted with a moral dilemma, considerationmust be given to the rights of the individuals involved and ensure that decisions respect therights of others.

Having rights or entitlements, such as freedom of speech, is worthless unless individualsare free to pursue their entitlements unhampered. For example, in Australia people have aright to speak freely on all matters of their choosing. This right imposes an ethical obligationon others to ensure that the right to speak freely is respected. Similarly, in education,lecturers have a right to be heard; in turn, this right imposes an obligation on students toensure that those who want to listen, can. Therefore, not only does the rights principle givedue recognition to individual rights, but it also imposes an obligation on individuals not tointerfere with others’ privilege to pursue and enjoy their rights.

NATURAL RIGHTS

In general, rights can be divided in two categories: rights that exist independently of anylegal structure and rights that are created by social agreement. The former are known asnatural rights, and these rights are commonly referred to as human rights or constitutionalrights. A detailed discussion of the various natural rights is beyond the scope of this book;however, a list of the rights that are commonly advocated in western societies includes:• freedom of choice — the right to be able to make decisions without fear of reprisal


• right to the truth — the right to be accurately informed of all matters that affect decisions

• right to privacy — the right to live life as one chooses

• freedom of speech — the right to speak freely and be heard

• right to life — the right to be protected from injury, including safety in the workplace

• right to due process — the right to a fair hearing

• right to what is agreed — the right to have promises and contracts honoured.

Drawing from this list, the right to the truth is central to the function of accounting. Thepublic, particularly users of financial statements, has a right to truthful and accurate financialinformation when making choices on alternative investment strategies. This right imposes amoral obligation on the accountant and the reporting entity to prepare and issue, true andfair financial reports. Upholding the integrity of the financial reports is critical if members ofthe accounting profession are to respect the users’ right to make fully informed choices.

LEGAL RIGHTS AND CONTRACTUAL RIGHTS

The second category of rights consists of rights created by agreement, which include legalrights and contractual rights. It is this type of right that is important in the accountant–employer and the accountant–client relationship. Accountants are employed by companies orcommissioned by clients for their expert knowledge and skills. In return for their professionalservices, accountants are financially rewarded with fees or a salary. The contractual relationshipbetween the parties means that clients and employers have a legal right to expect professionaland competent service. In turn, accountants have a corresponding legal duty to perform theirtasks to the best of their ability within the constraints of their expertise. If an accountant doesnot possess the requisite skill to perform the task properly, he or she has a professional andmoral obligation to seek specialist advice or, if necessary, decline the task. A list of the rightsand corresponding duties peculiar to the accounting profession are presented in table 3.3.

Table 3.3

Stakeholder rights and the accountant’s

corresponding duties

Value Stakeholder Stakeholder rights Accountant’s duties

Privacy Clients and employers

The right to expect that information regarding their activities will not be disclosed to a third party.

To ensure that all information discovered in the course of their work is not disclosed to a third party without the stakeholder’s express permission.

Competence Clients and employers

The right to receive a service that is expertly applied.

The duty to maintain expertise and apply their skills diligently.

Wellbeing Clients, employers and the public

The right to expect that the service provided by the accountant will advance the stakeholder’s best interests.

The duty to ensure that accountants subordinate their self-interest in favour of their client or employer and to avoid any relationship or event that may compromise objective judgment.

�

7 6

You will observe from your perusal of table 3.3 that a corresponding duty imposed by aright can fall on all members of a group as well as individuals. For example, the duty of aprofessional accountant to ‘respect peers’ imposes an obligation on all members of theaccounting profession. Accountants should be mindful that their responsibilities extend notonly to individual clients, employers and other accountants, but also to the public and thecommunity of accountants. The values discussed in table 3.3 are embedded in the JointCode of Professional Conduct.

LIMITATION OF THE RIGHTS PRINCIPLE

One problem associated with the rights principle is that it does not always provide satisfac-tory solutions to many problems. Difficulties arise when the dilemma involves a conflictamong two or more equally compelling rights. Take, for example, a situation involving aclient behaving illegally. Which right has priority: the client’s right to privacy or the public’sright to the truth? Unfortunately, the theory does not prioritise or give weight to the variousrights — it merely states that individuals have rights that must be respected. Therefore,there is no clear way to address problems of conflicting rights. This lack of hierarchy is amajor problem of the rights principle.

The theory of justiceUnderstanding the theory of justice is complicated by the various notions of justice. Ineveryday language, justice is often described as fairness, which refers to the correlationbetween contributions and rewards. However, fairness alone does not adequately define theconcept of justice as there is as much subjectivity in fairness as there is in justice. Forinstance, what one person may think is fair or just, another may not. Other forms of justiceinclude equality, which assumes that all people have equal worth, procedural justice,which is concerned with due process and compensatory justice, which aims to redress theloss from a wrongful act. A comprehensive theory incorporating the various domains ofjustice has yet to be developed. Until such time, the justice principle and its application willhave different meanings in different contexts. In this chapter, we focus our discussion on theprinciple of distributive justice.

Respect for

peers

Members of the

accounting

profession

The right to expect that their

reputation as competent and

trustworthy professionals is

not discredited by the

behaviour of their peers.

The duty to ensure that their

behaviour does not

adversely affect the good

reputation of the accounting

profession.

Truth Users of

accounting

information

The right to receive

complete, accurate and

truthful financial

information.

The duty to comply with

accounting standards in the

preparation of accounting

reports and to be prepared

to depart from accounting

standards if compliance will

produce misleading

statements.

Stakeholder rights and the accountant’s

corresponding duties

Value Stakeholder Stakeholder rights Accountant’s duties


DISTRIBUTIVE JUSTICE

Disputes between people often arise because one person accuses another of unfair treatment orfailing to accept a fair share of responsibilities. Resolving these types of disputes means that wemust compare, weigh up and strike a balance between the conflicting claims. This compara-tive approach to problem solving is based on the principle of distributive justice, which isprimarily concerned with the fair and equal distribution of benefits and burdens. The theoryof justice, based on the principle of distributive justice, focuses on how fairly our decisionsand actions distribute benefits and burdens among members of the group. An unfair distri-bution of benefits and burdens is an unjust act and an unjust act is a morally wrong act.

Applying the justice principle to the resolution of an ethical problem is a three-stepprocess. First, the decision maker identifies the benefits and burdens that are likely to resultfrom a proposed action and decision; second, the benefits and burdens are assigned to thestakeholders affected by the action or decision; and third, a judgment is made to determinewhether the distribution of benefits and burdens is fair and equal to the people affected.What constitutes a fair allocation will depend on the circumstances. A fair distribution ofbenefits and burdens does mean an equal distribution. The third step implies a reasonableallocation or sharing of both benefits and burdens among the stakeholders. Benefits andburdens that are singularly allocated to different stakeholders is unacceptable. For example,a decision that results in the allocation of benefits to one stakeholder and burdens to adifferent stakeholder is unjust.

You may have noticed the similarities between utilitarianism and justice. Both systems ofanalysis require a comparative approach to ethical decision making. While the two theorieshave parallel processes, it is a mistake to assume that utilitarianism and justice are similar.The difference lies in the respect afforded to people as individual beings. Justice is con-cerned with individual fairness and liberties, whereas utilitarianism is concerned with totalnet happiness. Utilitarianism supports the maximisation of utility but is indifferent to thedistribution of benefits to individuals, particularly the minority. By definition, a utilitarianact is one that maximises total net happiness to the majority. Therefore, harm to the min-ority can be justified on utilitarian grounds so long as there is a net benefit to the majority.In some cases, the rights and wellbeing of some individuals may be disadvantaged for thebenefit of the majority. There are many examples of racism and exploitation, such asdepriving Aboriginal people of their land rights, which have occurred because of the greaterhappiness rule.

LIMITATIONS OF JUSTICE PRINCIPLE

Applying the justice principle is as problematic as defining it, particularly when the decisionaffects the wellbeing of others. The difficulty in applying the justice principle becomesapparent when the rights of some may have to be sacrificed in order to ensure a more equi-table distribution of benefits. For example, in business many employers have institutedaffirmative action policies designed to reduce the effects of past discrimination on womenand minorities in employment. The ‘glass ceiling’ is a term that is commonly used todescribe the barriers that women face in reaching senior positions within organisations. Thepreferential treatment afforded to men means that women are under-represented in seniorranks. Under affirmative action, companies must establish policies to correct this deficiency.However, awarding jobs or promotions to women or minorities, based solely in the interestsof affirmative action is arguably another form of discrimination — reverse discrimination.More qualified people may be passed over for less qualified people. If discrimination iswrong in the first instance, it couldn’t possibly be right in the second instance.

7 8

In conclusion, we must be careful to distinguish just results from just procedures.

Procedural justice deals with rules or procedures that result in fair and just outcomes.

Procedures should be well defined and communicated and corresponding rules should

be administered fairly and impartially enforced. Doling out rewards in accordance with

procedures that have been unjustly determined is as morally wrong as an unfair distri-

bution of benefits.

Why three normative theories of ethics?

The theories described in this chapter represent well-accepted theories that can be

applied in the day-to-day decision making in every day life and the world of business

and accounting. Being aware of a broad range of ethical theories provides alternative

approaches to analysing a situation with moral implications. A range of theories provides

insights from a number of perspectives — this is generally not achievable from a single

theory. However, a range of theories provides different perspectives to the same problem

and, in doing so, is likely to improve the decision maker’s awareness and understanding

of the ethical issues involved in the dilemma. An overview of the theories described in

this chapter is presented in table 3.4.

Table 3.4

Applying the normative theories of ethics

Understanding ethical theories such as the ones presented in this chapter is beneficial for

two reasons. First, the principles derived from normative ethical theories serve as the

criteria for judging the moral rightness of an act or decision (after the event); and

second, ethical principles provide a structured approach for making ethical decisions

(before the event). At this point we provide you with an example demonstrating the

application of the normative ethical theories in an accounting related problem. See ‘In

practice: Cooking up a venture’.

Summary of the normative theories of ethics

Utilitarianism Rights Justice

TYPE Consequential Non-consequential Non-consequential

PRINCIPLE Maximising the

wellbeing of the

majority

Respecting individual

rights

Fair and equal

distribution of

benefits and burdens

DECISION RULE An ethical decision is

one that produces the

greatest benefit to the

greatest number of

people.

An ethical decision is

one that does not

impinge on the rights

of another.

An ethical decision is

one that produces the

fairest overall

distribution of

benefits and burdens.

�


Cooking up a venture

Vincent is desperate to secure an additional loan to fend off insistent creditors. Vincentbelieves he can secure a loan from the bank so long as he can support his claims with apositive financial report. Vincent asked his public accountant, Jane, to ‘cook the books’so that the financial statements appear more favourable than they really are. Vincentasked Jane to do whatever she could to make the reports appear as favourable as poss-ible. Vincent emphasised, ‘whatever it takes’. When Jane questioned his motives, Vin-cent became apprehensive and threatened to withdraw Jane’s services unless shecomplied with his request.

Jane was left contemplating her choices; she may either accept or reject Vincent’srequest. What should Jane do?

Utilitarianism

According to the utilitarian principle, the ethical solution is the course of action that pro-duces the greatest net benefit to the greatest number of stakeholders. We begin our utili-tarian analysis by listing the possible consequences and stakeholders affected for eachalternative course of action:

IF JANE COMPLIES WITH VINCENT’S DEMAND

POSITIVE CONSEQUENCES NEGATIVE CONSEQUENCES

• The probability of Vincent receiving aloan will be enhanced.

• Jane’s integrity as a professionalaccountant will suffer.

• Vincent and the bank will benefit finan-cially if the loan is used to improve theprofitability of the business.

• Based on the revised financial reports,the loan carries an unknown risk. Vin-cent and the bank will be financiallypoorer if Vincent defaults on the loan.

• Jane will retain Vincent as a client andher billings will not diminish.

IF JANE REJECTS VINCENT’S DEMAND

POSITIVE CONSEQUENCES NEGATIVE CONSEQUENCES

• Jane’s integrity and her reputationremain intact.

• Jane may lose Vincent as a client (thiscould also be a positive outcome) andreduce her billings.

• The bank is protected from an invest-ment that carries an unknown risk.

• Based on the existing financial reports,Vincent is unlikely to raise the loan. Hemust find alternative methods to fendoff the creditors.

• Vincent will avoid further financialstress from servicing an additional loan.

• Vincent may avoid additional financiallosses if the loan does not improve theprofitability of the business.

I N P R A C T I C E

8 0

Challenges to ethical behaviour

There are many reasons why good people make bad decisions. In this section, we briefly

examine three factors that challenge ethical behaviour. The first reason returns us to the

issue raised earlier in this chapter: why learn ethics? The traditional notions of accounting

education and practice possess a mechanistic perspective that focuses on techniques rather

than the broader questions of human values and morality. The lack of attention given to eth-

ical values means that accountants lack the skill or sensitivity to recognise and deal with

ethical issues when they arise. The implication for accountants is that ethical issues are inad-

vertently overlooked because they focus too much on technical issues. It may not be that

people in business are devoid of moral values, but that they are deficient in tools of ethical

analysis, which allow them to reconcile their responsibilities as professionals and indi-

viduals. People basically want to do the right thing, but who lack the intellectual back-

ground and the attendant moral courage to actively and forcefully defend their views. With

ethics education, accountants will be able to identify predicaments when they arise, deter-

mine how to resolve problems and, more importantly, provide them with the rationale and

vocabulary to take and defend their ethical positions.

Choosing an ethical alternative based on the consequences will often depend on the

probability of the outcomes occurring. Unfortunately, the uncertainty or the lack of

predicability of outcomes is a major problem with utilitarian analysis. In this dilemma,

we must consider the likelihood of the loan improving the profitably of the business. If

the subsequent outlay from obtaining the loan is successful, the majority of stakeholders

(Vincent, the bank, creditors, employees and Jane) will be better off. If the subsequent

outlay is unsuccessful, the majority of stakeholders will be financially poorer. The

success of the investment is difficult to determine from the facts stated above; however,

the probability of a successful return on investment must be questioned when the

acquisition of the loan relies on questionable financial reports. On the basis that an

adequate return on investment is unlikely, the majority of stakeholders will be worse off

if Jane complies with Vincent’s demand to ‘cook the books’. Therefore, Jane should

reject Vincent’s request.

Rights

Individuals have a right to the truth. In accounting, this means users of financial state-

ments have a right to receive true and accurate financial reports and accountants have a

corresponding duty to prepare the financial reports accordingly. To do otherwise is

unethical. Therefore, Jane should refuse Vincent’s request to cook the books as she has

an ethical obligation to prepare the financial statements in accordance with the appli-

cable accounting regulation to ensure as far as practicable the truthfulness of the

reports.

Justice

Jane must identify the benefits and burdens that are likely to result from her decision

and assess the fairness of the distribution of such benefits and burdens to the various

stakeholders. In this case, Vincent will benefit from the acquisition of the loan that he

may not have otherwise acquired. On the other hand, the bank must shoulder the burden

of an investment that is riskier than the financial reports indicate. This is clearly unfair,

as one party, Vincent, receives the benefits, and a different party, the bank, is shoul-

dering the burden. Jane must, once again, refuse Vincent’s request.


Contextual factors in the workplace are the second reason why people make bad decisions.

Professionals must often balance competing demands from superiors, peers and subordinates

while simultaneously pursuing organisational goals which can often temper the quality of

ethical decision making at work. The organisational context can influence the direction of

either higher or lower levels of ethical decision making. Workplace pressures, often driven by

the profit motive, can sometimes compromise personal and ethical values. Accountants will

make morally defendable decisions only if the business environment, particularly superiors,

supports that view. As employees, accountants will give the ‘official position’, rather than

their individual judgment. This sometimes explains why people make decisions at work that

are quite different from their personal decisions, which are unaffected by job concerns.

The third reason why people make questionable decisions is selfishness. Selfishness, also

known as psychological egoism, is a theory that describes human nature. In this context,

psychological egoism explains how people do behave rather than how they should behave.

According to this view, people in their natural state are selfish and motivated by self-preserva-

tion and self-gain. Egoists (selfish people) are driven by self-interest and their actions are motiv-

ated by the desire to achieve their own interests without concern for others. The problem with

the pursuit of self-interest is that it is sometimes at odds with the interests of other parties.

Questionable acts such as discrimination and dishonesty may be justified if they promote self-

interest.

When analysed further, acts of self-interest are not always self-serving acts. In many

instances, the egoist will consider others because ultimately their relationship will become

mutually advantageous. An egoist will seek to further the interests of others if it is believed

that reciprocity will advance the egoist’s self-interest. Advocates of egoism claim that if

everyone adopts a policy of pursuing self-interest, then eventually everyone is better off. If

societal interest is equal to the sum of individual interests, the promotion of self-interest

adds to the total value of societal interest.

ETHICAL DECISION MAKINGHaving classified some of the different models for analysing behaviour (the ethical models)

and the perspective that will be applied within each of these models (stages of moral

development), a framework is needed in which to apply them. Being aware of the ethical

perspectives is just one part of making an ethical decision. This section discusses the different

stages of ethical decision making and how the previously discussed ethical perspectives can

be applied to ethical decision-making scenarios. The stages to go through when making an

ethical decision are:

1. Identify the facts.

2. Define the issue(s).

3. Identify the principles that can be applied.

4. Identify possible actions and the stakeholders affected by these actions.

5. Compare steps 3 and 4.

6. Select a course of action.

7. Implement the selected course of action.

PART B: Ethics, fraud and computer crime

8 2

1. WHAT ARE THE FACTS?

The first step is to identify the main facts of the case you are dealing with. This can includethe identification of stakeholders who are involved in the decision, actions leading up to thedecision and any other information relevant to making an informed decision.

2. DEFINE THE ISSUE

Based on the facts of the case identified in step 1, what is the ethical issue you are dealingwith? Note that a case could have more than one ethical issue involved.

3. WHAT PRINCIPLES CAN BE USED TO SOLVE THE ISSUE?

Having identified the ethical issues, principles or sources of authority for solving the ethicalissue must be sought. It is at this point that the different perspectives discussed previouslywill come into the ethical decision-making model. The decision maker will identify thedifferent sources of authority and principles that are relevant to resolution of the ethicalissues identified in step 3.

4. WHAT ARE THE ALTERNATIVE COURSES OF ACTION AND THE

STAKEHOLDERS AFFECTED BY THESE ACTIONS?

The next step is to identify all the possible alternatives. At this point the best alternative isnot being selected. Rather, the aim of this stage is to be aware of what possibilities exist forresolving the ethical problem. Do not be restrictive at this point: all possible courses ofaction should be listed. How the different courses of action affect the different stakeholdersidentified in stage 1 of the decision-making process is also of interest. Therefore, each alter-native needs to be evaluated from the perspective of the different stakeholders. Does thealternative produce a desirable outcome for the stakeholder? Why?

5. HOW DO THE PRINCIPLES MATCH UP WITH THE ALTERNATIVE ACTIONS?

At the fifth stage, the interest lies in matching up the courses of action with the ethical prin-ciples. The fundamental question at this point is whether the alternatives are consistent withthe principles identified in step 4. The answer to this question will very much depend onthe ethical sources identified in step 4, because a deontological approach could yielddifferent results to a teleological approach.

6. SELECT THE MOST APPROPRIATE ACTION

With the alternatives to the ethical principle mapped, the best needs to be selected. Again,the selection of the ‘best’ alternative will very much depend on whether a deontological orteleological perspective is taken. Is the concern which alternative has the best course ofaction or which produces the best result? Will the best outcome be chased regardless of theactions required to achieve it? Again, the answers here will depend on the ethical perspec-tive of the individual.

7. IMPLEMENT THE DECISION

Having evaluated the alternatives, mapped them against ethical principles and selected themost desirable option, that option now needs to be implemented. Afterwards, the personand organisation may be interested in any feedback from the decision. For example, if thedecision was to restructure the production line and replace all workers with machines, wastheir negative feedback in the print media? Does this affect the likelihood of repeating thedecision in the future?


ETHICAL ISSUES FOR BUSINESSES WITH AN AISThink of some of the recent events you may have experienced as a customer — forexample visiting the doctor or consulting an accountant — that require you to divulgepersonal information. Implicit in this is the expectation that the doctor or accountantwill use the information ethically. For example, you would not expect your family doctorto discuss details of your ailments and problems at the next dinner party he or sheattends. Likewise, you would expect your accountant to keep details of your financialposition and wealth to himself or herself and not discuss it with other clients. In each ofthese cases there is an expectation that the professional acquiring the information fromthe client will use it only for the purpose for which it has been gathered. Commercialenterprises face similar ethical expectations when dealing with their customers. From anorganisation’s perspective, the issue of ethics is one that will not disappear. As we moveincreasingly to an electronic business environment, the issue becomes even moreprevalent.

Customer protection and privacyPrivacy and trust are two big issues for those people and organisations that interact withan organisation. Many people place great value on their privacy. Consider for examplethe controversy when in 1986 the Australian government proposed the introduction ofthe ‘Australia Card’: a national identity card that would see each Australian allotted aunique number that would be used in all dealings. Such cards are used throughout theworld for a variety of purposes including greater government efficiency, reducing socialsecurity fraud and improving border control. Their effectiveness in achieving these aimsis debatable. The primary argument for the Australia Card was a reduction in tax evasionand avoidance, along with the benefit of rationalised record keeping. The Australia Cardproposal raised many public concerns about the individual’s right to privacy. Potentially,such a system would allow a massive pooling of data about an individual. Data on thecard’s owner can also be stored in a smart card chip. Provisions were in place to protectthe use of the data associated with each person’s unique number but some questionedtheir effectiveness. Social concerns related to the card included that Australia could,given the correct combination of political and social factors, become an authoritarianstate with extensive tracking of individuals. Additionally, concerns emerged that ‘mergeddata’ — the data pooled from several databases — could be misinterpreted and that datamay not be secure. The Australia Card was never introduced, the proposal being twicerejected by the senate.

Privacy issues centre around the questions of:

• What happens to my personal information once I give it to you?

• Who can access my personal information?

• How secure is my personal information?

Consider Blockbuster Video in the United States. Blockbuster Video maintains an exten-sive database of borrowers and the videos that they hire. Profiling these data enables Block-buster to categorise its customers based on the types of movies that they hire. This gaveBlockbuster a profile on their customers that had many third-party marketers desperate for apiece of the action. Here, a set of simple transaction data can be sorted and filtered to yieldinsightful perspectives on customers that would be worth money to the organisation. This is

8 4

a quandary for those in the area of AIS: as technology develops, making data gathering andanalysis easier and more sophisticated, the issue of what is best for the company versus whatis best for the customers presents itself. This is discussed further in the section on managers.

Another example is that of Lotus Development Corporation, which planned to release aCD-ROM containing the names, addresses, demographic information and purchase behav-iour of 120 million consumers. The proposal caused unrest and was eventually scrappeddue to privacy issues.

A final example of privacy of information can be gleaned from a recent incident thatinvolved Telstra, the major telecommunications provider in Australia. In August 2002 theHerald Sun reported that Telstra had inadvertently published hundreds of silent numbers intheir paper and Web-based telephone directories. Outsourcing of directory production wasattributed as the cause of the error. This error was seen as concerning, since the articlestated that many professionals — for example lawyers, doctors, psychiatrists — have silentnumbers for professional reasons.

An AIS captures, verifies, stores, sorts, and reports data relating to an organisation’sactivities. Electronic AIS allow organisations to gather much more information aboutpeople than was possible in the more traditional environment. Indeed, the details ofany interaction with the AIS can be captured and this information can then be used inmany ways.

The person interacting with the AIS is not necessarily aware of what information is beingcaptured or how it will be used. This raises some ethical concerns for those who design anduse information systems. The organisation has both ethical and legal responsibilities torespect people’s right to privacy and this affects how they can capture and use information.

Consider organisations’ use of websites. Businesses are increasingly turning to the Webto advertise and sell their products. E-commerce offers efficient transactions, customerconvenience (the ability to shop whenever and from wherever they like) and thepotential to reach to a broader marketplace. A business can also capture extensive infor-mation about visitors to its website. When users visit a website they leave behindelectronic footprints, which enable the site owner to identify what site they came from,what they did while on the site and where they went after viewing the site. Based onthese data, viewers can be profiled and advertising targeted to meet user interests, needsand preferences.

A second issue stemming from e-commerce is what happens to the data aboutconsumers after they have been gathered. Organisations can do data mining andcustomer profiling and what troubles ethicists is that this can happen without the userbeing aware of it: there is often no explicit seeking of consent to the gathering and use ofthe data. Consumer advocates see this as an invasion of privacy that can lead to a lack oftrust on the part of the consumer. This lack of trust has big implications for the futuredevelopment of e-commerce. Additionally, the customer profiling may not necessarilygenerate an accurate picture of the customer.

One company that has been particularly successful in offering products that assistorganisations in monitoring and responding to usage of their website is DoubleClick.DoubleClick makes extensive use of cookies: small files stored on a computer’s harddrive that keep a record of websites viewed, viewing preferences, user profiles and so on.Developed ostensibly to allow websites to display in the most user-friendly format, basedon the operating system used, browser type and so on, cookies can also helporganisations to gather data about the people that access their websites. For example, acookie can:• ensure the browser does not display ads the user has already seen


• ensure ads are shown in a particular sequence

• track whether a user has visited the site before

• track the previous and next sites the user visits.

This information can, for example, allow advertisers to measure the effectiveness

of their ads by tracking which ones are bringing users to their website to purchase or

register.

Through the tracking of IP addresses, as well as gathering the details of users as they

log on and purchase from Web-based store interfaces, companies are able to build up

relatively comprehensive profiles of a customer, including interests, purchasing patterns

and viewing patterns on the Web. This information can then be used to target online

advertisements and banner displays that appear when the user accesses a particular page.

Through these technologies DoubleClick offers a way for organisations to target online

advertising to specific customers, thus increasing the relevance of banner advertising and

adding to revenue through increased sales.

It is clear that this raises some ethical issues, particularly privacy issues, that directly

affect customers of an organisation. If a consumer makes a purchase through an online

store or accesses a website, are they aware that information is being gathered about

them, a profile being developed that could be used in future marketing efforts? If not,

then is it right for the organisation to gather this information? These are very real issues

for information systems professionals that extend to the AIS domain, especially as the

development of electronic commerce sees the AIS playing a major role in supporting

online consumer activities. The controversy surrounding DoubleClick’s plan to merge

its extensive customer information, gathered by cookies, with a database maintained

by a marketing firm brought privacy and the use of information to the forefront of the

e-commerce debate.The central issues in the debate were the potential use of customer

data for purposes other than those they had originally been gathered for and the ability

to profile customers based on those data. Such was the concern that in January 2000

legal action was initiated against DoubleClick, becoming a class action in May 2000.

The action alleged breaches of various American statutes. In March 2001 a federal judge

dismissed the suit against DoubleClick.

Before moving on to look at security of data, read AIS Focus 3.1 (see page 86) which

describes how microchips have been implanted in animals, to allow lost animals to be

tracked and returned to their owners. It even describes how people have been ‘micro-

chipped’, allowing identification for entry into nightclubs, purchasing drinks and aiding

in the care of sufferers of diseases such as Alzheimer’s. This raises some interesting issues

for privacy. If people were to be microchipped, then their movements could be tracked

with extreme accuracy — even to the point of knowing the order aisles were walked

down in the supermarket. For businesses, such information about the habits of people

could prove extremely profitable. However, with this come the ethical issues of privacy

and freedom. Your answer to these issues will very much depend on how you perceive

the threat to privacy from technology. For the customers, incidences where personal data

are disclosed do the most damage to their image of a company. This can occur by acci-

dent or through hacking into the system (discussed later). Either way, it is these indirect

costs related to loss of customer trust that will effect an organisation in the largest way,

crippling market share and confidence.

8 6

A I S F O C U S 3 . 1

C h i p p i n g a w a y o u r p r i v a c y

G r a h a m P h i l l i p s

Wmicro-chipped.

Heywhy couldn’t mum, dad and the kids?

Well, laugh no more. Chip implants seem to be catching on. And the day mightn’away when you’ll be having yourself computerised.

Indeed the day mightn’t be far away when it becomes compulsory, to help in the fiagainst terrorism.

America’s powerful Food and Drug Administration has just apprnology in hospitals.

By implanting micrately identify the patient just by running a scanner over them.receive a readout of the person’s recent medical history. Now, no doubt, there are grbenefits in this for some people.Sufferers of Alzheimer’s disease who can’t rscanned and identified easily if found wandering.

And the chips might also be useful for people suffering cancerthrough quite complex chemotherapy and other treatment regimes.

procedures, making mix-ups less likely.But you have to wonder how long it will be before an implanting craze spr

the hospital — and what it will mean for individual privacy.Recently, for instance, nightclubbers in Spain had chips implanted in their left arms.Getting this hardwar

they just walked past a scanner at the entrance and straight to the bar. And the bionic barflies’ chip implants mean they can also buy a drink in a blink.

No precious imbibing time wasted pulling out cash and waiting round for change. Thebartender simply scans their chip and the drinks are automatically added to the bill.

In a morSolutions, is hoping gun owners will go for an insert in the hand.

That way personalised smart guns could be developed: weapons that would only firthe gun’s owner was the one pulling the trigger.

The system would work via a scanner in the gun interrogating the chip in the shooter’If the gun finds the wrong person is holding it, it simply doesn’t fire.Police officers and security guards could be fitted with the system.That way, no one could steal their weapons and use them against them.The big catch with having a chip implanted in your body is that you can’

when you leave work or the nightclub.And so you are effectively walking around with a permanent ID tag on you.Anyone with a scanner could point it at you and identify you.Shops fi

way work out better ways to sell you more stuff.


SECURITY

Data and the programs that maintain or use data must be kept secure. One reason, asdiscussed, is to respect the privacy rights of individuals. Measures need to be in place toensure that data cannot be accessed by unauthorised personnel or copied or used for illegit-imate purposes. Well-defined user access rights and user activity logs can be ways ofworking towards such aims.

Another aspect to consider is the protection of the quality of the data, that is, to makesure that the data are accurate. Customers generally have the right to view data that anorganisation holds about them to make sure that they are correct.

CONSENT

Information about users of an AIS can be gathered:• without the consent of the individual (though this may be illegal and/or unethical)• with the informed consent of the individual• with the implied consent of the individual.

There is a big difference among these three scenarios. A common concern is whether it isethical to gather data about someone without his or her knowledge or consent. Some wouldsay that such acts are tantamount to electronic espionage and constitute a violation of aperson’s basic right to privacy. Gathering information without the person’s consent wouldappear to be prohibited under Australia’s Privacy Act. Implied consent refers to the individualconsenting to the information gathering through their subsequent actions. For example, ifyou complete a page on a website that asks for your personal details and you click the ‘next’button to proceed to the next screen, your actions imply that you agree to forward thisinformation on to the website owner. At no stage were you asked for an express statementof consent. An express statement of consent would occur where the information is enteredinto the fields on the screen and then, as you click on the ‘next’ button, a box appearsasking if you wish to proceed and informing you that if you do proceed your details will begathered by the website owner.

So far, no one has suggested kids be chipped, but a school in Japan has recently intro-duced a wearable, rather than implantable, version of the chip.

These allow the teachers to better keep an eye on the children and work out who is andisn’t at school.

Legoland in Denmark has wearable chips too.They say they’re to prevent kids getting lost, but critics claim they’re used by Lego to

track the children and sell them more stuff.But the biggest question is, will a computer chip in the arm become compulsory for all of us?If the implants turn out to be safe, and society has begun to accept them for some pur-

poses, having everyone chipped would certainly have benefits.The entire population would essentially have super-ID cards implanted in them 24 hours

a day.Today it may sound like a far-fetched sci-fi plot.But so did the idea of compulsory fingerprinting and face scanning a few years ago.Yet, that now happens to anyone who wants to visit America — in the name of the fight

against terrorism.Compulsory chip implants would just be another step in the same direction.GRAHAM PHILLIPS is a science writer and reporter on ABC TV’s Catalyst.

Source: Herald Sun 2004, ‘Chipping away our privacy’, 21 October, p. 21.

8 8

There is a big difference between express and implied consent. Some may argue that byagreeing to use a website and entering information you are giving consent for that infor-mation to be gathered. Others would argue that the only form of true consent is that whichis expressly obtained from the subject of the information.

PRIVACY LAWS AND STANDARDS

There are laws that govern privacy in Australia. One such example is the Privacy Act 1988

(Cth), which is a piece of federal legislation enacted in order to create standards for thegathering, collection and use of personal information. Section 14 of the Privacy Act outlines11 principles of information privacy. Principle 1 states:

1. Personal information shall not be collected . . . for inclusion in a record or in a generally

available publication unless:

(a) the information is collected for a purpose that is a lawful purpose directly related to a

function or activity of the collector; and

(b) the collection of the information is necessary for or directly related to that purpose.

2. Personal information shall not be collected by a collector by unlawful or unfair means.

The privacy principles are summarised in figure 3.2.

Figure 3.2 Information privacy principles from the Privacy Act 1988 (Cth) s. 14

Source: Privacy Act 1988, s. 14.

Principle Description Explanation

1 Collection of information

Information can only be collected in lawful ways and for lawful purposes and the information gathered must relate to the lawful purpose.

2 Solicitation The person gathering information shall inform the subject of the purpose of the gathering of information, whether it is required by law and who the information may be legally forwarded to.

3 Solicitation The person gathering information should gather it in a nonintrusive manner and ensure that the information is complete and up to date.

4 Storage Information shall be stored in such a manner that it is protected from loss, damage, unauthorised access or general misuse.

5 Record keeping Records shall be kept detailing the nature, purpose and types of personal information being stored, including storage time and access rights.

6 Access An individual who is the subject of information records is, subject to legal limitations, allowed to view the information that is kept about them.

7 Alteration Record keepers shall ensure that personal records are kept accurate, relevant, up to date and not misleading.

8 Accuracy in use Where information is being used, the record keeper shall ensure the information being used is accurate for that purpose.

9 Relevant use Information that is kept shall only be used for the purpose that it was gathered.

10 Usage Relevant use must be followed unless there are extreme grounds for not doing so, such as subject consent for nonrelevant use, life-threatening circumstances, law enforcement or legal obligation.

11 Disclosure The information shall not be disclosed to a third party unless such disclosure was made known to the subject at the time the information was solicited, the subject consented to disclosure, or grounds such as those referred to in principle ten exist.

�


The principles apply to federal government agencies as well as to organisations, which are

defined to include individuals, body corporates, partnerships, other unincorporated associ-

ations and trusts.

The Internet Industry Association (IIA) is a registered company in Australia and acts as a

regulatory body for organisations involved in the Internet within Australia. The IIA believes

that industry must adhere to ethical privacy practices to create consumer confidence and

enable the long-term success of e-commerce. It also supports the adoption of an information

gathering approach based on informed consent, rather than the surreptitious gathering of

information about users. The IIA has set out to create standards for industry members to

protect users of the Internet, particularly children, increase the similarity of Australian and

European standards and provide a general industry best practice when dealing with issues

of electronic privacy. The code applies to IIA members, with membership of the IIA an

option for businesses that provide Internet services from Australia, operate an Internet-

related business or possess a direct or indirect interest in the Internet.

The IIA’s privacy principles correlate quite strongly with the sections of the Privacy Act

discussed previously so the IIA code is only summarily described here (see figure 3.3).

Figure 3.3 IIA code of practice privacy principles

Source: IIA 2001, Internet industry privacy code of practice, sec. 6.

Access to technology

An additional issue for customers is their ability to access technology, particularly as organ-

isations move towards the e-commerce environment. Access to computer technology can

vary depending on socioeconomic conditions and geographic location. An issues brief

prepared for the federal government cites findings that place Australia as the country with

the third-highest level of Internet access in the world, at 43.9 per cent, behind only the

United States (56 per cent) and Sweden (56 per cent). However, despite the wide adoption

of the technology by Australian households, there are factors that restrict access to Internet

technology. These are identified by Curtin as:

• Age. The research indicates that young people are more likely to have Internet access.

Principle Description

1 Collection of information

2 Use of information

3 Data quality

4 Data security

5 Openness

6 Access and correction

7 Identifiers

8 Anonymity

9 Transborder data flows

10 Sensitive information

�

9 0

• Family structure. The traditional nuclear family structure of two parents and children isthe most likely to have Internet access, followed by couples without children and single-parent households.

• Income. There is a clear delineation between those with and without home Internet accessbased on the level of income, with the wealthier people more likely to have access.

• Education. Higher education tends to be associated with Internet access.

• Geography. There is a constant gap between city and country residents having access to acomputer and also to the Internet. Farms in particular have a lower Internet access rate.

Other issues for those in rural areas include the degree of choice they have in choosing anInternet service provider and higher costs for access. As businesses move towards an e-com-merce environment, with 46 per cent of businesses using the Internet as a part of their busi-ness processes and a maximum of 48 per cent of users using the Internet for e-commercerelated activities (for example checking account balances, transferring funds and paying billsonline), issues of equitable access and costs could become a concern. Curtin concludes thatthe Internet in Australia, ‘has built upon, and may exacerbate, inequalities that already existin Australian society . . . a range of social, economic and technical barriers will have to beaddressed’.

ManagersManagers working with the AIS have a duty to ensure that the system is being usedappropriately. They need to ensure that their systems and organisations comply with federaland state laws relating to privacy and the usage of information. This includes monitoring thecreation of, access to and use and alteration of information. Managers also need to ensurecompliance with internal privacy policies and practices. Top management sets the tone andexample for ethical practice, which then carries through the rest of the organisation.Managers that set the example of ethical use of information and the ethical gathering ofinformation promote similar behaviour from their colleagues. Setting an example is thus animportant part of promoting ethical behaviour in the organisation.

As end-user computing has placed more power in the users’ hands and the use oforganisationwide databases has increased, managing the AIS resources properly has becomean increasingly important issue. Information systems managers in particular have responsi-bilities for ensuring that the data and programs within the organisation are adequatelyprotected. Straub & Collins identify three main issues confronting managers:

• the creation of workable systems that do not breach intellectual property rights (e.g.ensuring that all software is properly licensed)

• gaining information from external sources (such as external databases) without breachingcopyright

• gaining and distributing information on individuals without breaching their right to pri-vacy.

The establishment of internal controls can be a useful step in achieving these aims.Controls that could be relevant in meeting legislative requirements, as well as promoting theethical use of data, include password-restricted access, user logs for sensitive information,and thorough audit trails.

Passwords are a way of restricting access to authorised users and can also prevent white-collar crime, which is discussed later. Further to having passwords in place, policies on theformat and changing of passwords should exist, promoting regular changing of passwords.Logs should also be kept for unsuccessful access attempts. While some of these may belegitimate errors by authorised users, others could suggest unauthorised access attempts.


Control matrices should also be established that restrict what information different users areable to view and logs should be maintained on who views what information. The classicexample is the restriction on who can access payroll information within the organisation.Obviously, as a matter of respect to employees and their privacy, only a select group ofpeople should be privy to this information. Attempts to access or change these data shouldbe logged, to create an audit trail and promote ethical use of them.

Organisations such as credit providers also have the responsibility of ensuring that allinformation is correct. Failure in this regard can have severe consequences for the customer,especially if a credit report is released that says the customer is a risk when he or she is not.While there are also statutory provisions relating to obligations in this area, there is also anethical obligation to ensure that data about the customer are accurately recorded and prop-erly maintained.

Many organisations have also responded to concerns about privacy by creating a newposition within the organisation called the chief privacy officer (CPO). The position of CPOwill typically involve responsibility for drafting organisation privacy policies, enforce thepolicies and guidelines and create an organisational awareness of the issues associated withprivacy. They can also act as a mediator between legislators and the organisation, attemptingto convince them of their good corporate practices. Recall the DoubleClick case discussedpreviously in this chapter and how there were some concerns about perceptions of reducedindividual privacy through the data that DoubleClick gathered. Jules Polonetsky wasappointed as the CPO of DoubleClick. Polonetsky describes his role as ensuring that peopleare aware of DoubleClick policies and that it follows the policies that it tells people it does.

Some of the ways that the CPO can have an impact on an organisation include creatingprivacy manuals, developing an organisational awareness of privacy issues, developing pro-cedures for handling information and the establishment of policies and procedures thatmust be followed before sharing data with third parties. However, the reality is that manymanagers involved with the AIS and making decisions related to it are bound as members ofthe company. What they as individuals think is the right thing to do may be different fromwhat the corporate reality demands. This is a unique position in which managers will oftenfind themselves when confronted with ethical problems. Several theories have been pro-posed to help managers work through such scenarios. Each of these theories is describedbriefly, based on a paper by Smith & Hasnas.

Stockholder theory. This compels managers to act in the best interest of the owners of thecompany: the stockholders. This implies an emphasis on maximising profit and the corpor-ation acting within the confines of applicable laws and regulations.

Stakeholder theory. The focus shifts beyond the owners, taking under its wing all thoseparties that play a role in the company’s success or who are affected by the company’s oper-ations. This includes shareholders but can also include suppliers, customers, employees,residents of the local community and other such interested parties.

Social contract theory. This takes a broader view of the corporation, placing it within awider society. The corporation gains its authority to operate through society’s sanction; how-ever, this is theoretically only forthcoming if the actions of the corporation benefit society asa whole. The sanction for operations is not automatic and can be withdrawn if society isdisadvantaged by the corporation or the corporation deceives society.

These three theories have been suggested as perspectives that managers can take whenconfronted with ethical issues. Think back to Blockbuster Video’s plan to sell its database ofcustomer contact details and movie-watching preferences. An analysis of the proposal undereach of these perspectives would have provided different issues for resolution and poten-tially different courses of action.

9 2

EmployeesSome of the ethical issues that confront the employee within an organisation centre aroundprivacy and the use of organisational resources. The organisation is challenged with encour-aging ethical conduct by employees and treating employees ethically.

Is it ethical to use organisational resources for nonwork purposes and is it ethical fororganisations to monitor such usage? Research by Healy & Iles reveals that 72 per cent oforganisations allow their employees unrestricted use of the Internet for both work and per-sonal activities and that 24 per cent of employees use work Internet facilities for entertain-ment purposes. On the other hand organisations may be concerned about the misuse ofwork resources. Many organisations arrive at a compromise, allowing an amount of time forpersonal use of IT facilities such as email and Internet browsing. Many take steps to limit oreliminate nonwork usage. There is, however, a fine line between ensuring the productiveand efficient use of resources and intruding on an employee’s privacy.

Many organisations set up firewalls to restrict employee Web browsing to work-relatedsites. Alternatively, the organisation can maintain a log that tracks individual usage of theInternet, including user identification details, the sites visited and the time spent on sites.Some employees would argue that such monitoring of Internet usage is an invasion ofprivacy and a sign of a lack of trust on the part of the organisation. Another alternative is thescreening of employee emails, with organisations arguing that it is motivated by the need toaddress concerns over employee productivity and potential misbehaviour.

Another step that many organisations take in order to help ensure that staff use ITresources ethically is the prescription of a code of conduct. Healy & Iles observed that inresponse to the corporate use of the Internet, client–server technologies and end-user com-puting, organisations have broadened the scope of their codes of conduct that govern howIT resources are to be used. Some of the ethical issues are:

• confidentiality of information

• ownership and control of information

• nonwork-related use of resources (particularly the Web) at work

• surveillance of employees’ use of technology

• business’s objectives in connection with codes of conduct.

Data from the UK suggest the use of a code of conduct is common across most industriesas well as across organisations of varying size. Of course, the prescription of a code of con-duct is only effective if it is actually monitored and enforced. For example, simply stating ina code of conduct that IT resources are not to be used for nonwork-related purposes is notsufficient. The organisation also needs to have mechanisms to detect nonwork use and mustbe seen as enforcing these policies with appropriate sanctions when breaches are detected.This can be a challenge for many organisations, especially large ones.

Additionally, these policies need to relate to the key issues associated with employee useof the IT resources. One would be that employees are not to use personal data gathered andstored by the AIS in a manner that is inconsistent with its original purpose. Surprisingly,only one-third of UK companies that had an IT use policy included clauses relating to theuse of data within the system.

One factor that has been found to promote ethical behaviour among employees is that oforganisational self-esteem. This refers to how well a person identifies and fits with thefirm, its beliefs, culture, philosophy and operating style. An employee will form ideas abouthow well they fit in with the organisation and how competent and valuable they are to theorganisation. Hsu & Kuo cite examples of research that has found employees with a highlevel of organisational self-esteem are more likely to act ethically.


Deindividuation is another factor identified as influencing how employees act. Deindivid-uation refers to how anonymous a person perceives their actions to be. A high level of dein-dividuation would be expected for employees who use systems that do not require uniquelog ons or user identification, since their actions are not able to be traced. The greater thedegree of identification and tracing within a system the lower the degree of deindividuationand the higher the likelihood that employees will act ethically.

Employees who become aware of unethical behaviour within the organisation face adilemma whether to report the behaviour. Reporting unethical behaviour is known aswhistleblowing. It raises some interesting issues. While the person reporting the unethicalbehaviour is often doing so because they believe that what is happening is wrong andsomeone higher up in the organisation should be made aware of it so they can act on it,they are often confronted with several obstacles. As Cohan says, ‘subordinates who maywant to “blow the whistle” may be thwarted by an intimidating corporate culture, or simplybecause of the hierarchical structure that effectively forecloses adverse information from get-ting to senior management’. An example of these obstructions to whistleblowing activitiescan be seen in a case study of the demise of Enron, where it is documented that, ‘Enron hada corporate climate in which anyone who tried to challenge questionable practices ofEnron’s former chief financial officer ... faced the prospect of being reassigned or losing abonus’. Employees in such an environment can be intimidated into keeping silent about anyunethical behaviour that may be occurring, for fear of demotion, pay cuts, job loss orreprisal and alienation by colleagues.

Consider an employee who suspects that spare parts from an engine company’s storeroomare being stolen by the inventory manager and sold to customers for a cheaper price thanthe company would normally charge for such parts. If the staff member was to report this tothe manager above the inventory manager, there is a very real prospect that this report couldbe lost or watered down, thus never being investigated fully. Management’s inclination,largely as a result of the traditionally hierarchical structure employed in medium-to-largecorporations, is to report good news to their superiors and suppress or water down any badnews. This can occur for several reasons, including the fear on the part of the manager ofnegative reactions that may affect career progress and employment stability, as well asimpression management: wanting to look good in the eyes of a superior. This can lead to theignorance or dilution of whistleblowing actions and potentially create an environmentwhere whistleblowing is actively discouraged. These corporate cultures create great chal-lenges for employees contemplating whistleblowing.

It is discussed earlier how organisations can establish a code of conduct to promote theethical use of IT resources by staff. While this is an extremely common technique forencouraging ethical behaviour, it is interesting to note that employees do not see this as aneffective way of influencing how they use the IT resources of the business. This could berelated to how well the policies are actually enforced within the organisation. Simply havinga policy that sits in the filing cabinet and is never acted upon will obviously not have astrong influence on employee behaviour and the ethical use of IT resources.

Information systems staff

Information systems staff have several ethical responsibilities, including ensuring thesecurity and privacy of data held by the organisation. There have been cases recently whereorganisations have sold old computers and storage devices without properly removing datastored on them. The purchaser of the computer and hardware received a lot more than theybargained for and, in the process, people’s private details were at risk of disclosure beyond

9 4

their intended source. IT staff who are responsible for maintaining and upgrading ITresources must ensure that devices being disposed of — either by sale or rubbish dump —are properly cleaned of all data or destroyed, leaving them in an unreadable state.

Apart from the data themselves, the programs that maintain or use organisational dataneed to be protected from improper or unethical use. Many programs developed within anorganisation will represent proprietary knowledge and may contain business rules that are asource of competitive advantage. Organisations need to take measures to ensure this intel-lectual property (IP) is safely kept within the organisation and does not fall in to the handsof competitors.

Information systems staff should also take responsibility for the organisation’s adherenceto licensing agreements and the protection of IP that is contained within the various soft-ware packages used in the organisation. This can include making sure software is onlyinstalled on authorised machines and that the number of installations matches the numberof site licences held, as well as protecting both the programs and the data that reside withinthem from unauthorised copying.

COMPUTER CRIME AND FRAUDSome examples of computer crime and fraud are described in the following but the list is byno means an exhaustive one. This section concludes with some strategies for reducing theexposure to computer crime and fraud, with many of these relating back to the ethicsmaterial that was covered previously.

WHAT IS COMPUTER CRIME?We all have our own concept of computer crime and, if asked, could probably arrive atsome cogent definition. Take a moment to jot down a few points on what you thinkconstitutes computer crime. No doubt you thought of concepts such as fraud and theft: forexample credit card fraud, hacking into systems and manipulating payroll systems.Computer crime can appear in many guises. For example, each of the following could beclassified as computer crime:

• sending a virus to crash a computer system

• using a computer to acquire funds illegally

• using illegally obtained data files for self gain

• intercepting a message sent by a third party.

It is, therefore, difficult to define computer crime concisely. Generally, crimes committedthrough a computer or where a computer is the target would fall under the banner of com-puter crime.

SPAM Spam is the sending of unsolicited emails or junk email. Spam is a problem for severalreasons. From a user’s perspective, the spam mail can clog up valuable space in an emailaccount. Spam is a common technique for spreading viruses: it can contain attachmentsthat, when executed, are damaging to a system. The content of spam is also sometimesoffensive to those receiving it, for example invitations to purchase drugs and links to adult-oriented sites.


Spam is also potentially dangerous to organisations, through the damage it can cause totheir reputation and image. Typically, the creators of spam send their messages through theservers of well-known organisations. The receiver of the email will often be tricked by thistechnique, believing it to be a bona fide email from that organisation.

Organisations can also suffer from spam through the effects it has on their email serverand the computer system generally. Large volumes of spam can slow down a server, whilespam emails that contain viruses can damage an organisation’s computer resources.

As a result, spam is an issue of importance to the organisation and the individual.

The Spam Act 2003 (Cth) was introduced on 11 April 2004 in Australia to regulate the useof email. Under the Spam Act, the Australian Communications Authority (ACA) is vestedwith the responsibility of policing spam. The Spam Act also applies to SMS text messages onmobile phones. Because of the international nature of email and consequently spam,Australia has also entered into various agreements with other nations, in a bid to coopera-tively deal with the problem. These include:

• The bilateral memorandum of understanding between Australia and Korea

• Memorandum of understanding among Australia, the UK and the United States

• Australia–Thailand joint statement on telecommunications and IT.

PHISHING AND IDENTITY FRAUD

Phishing is a technique of online deception that has users go to a fraudulent website and leavepersonal details. The information is then used for identity theft and deception. In the UnitedStates more than US$2.4 billion has been stolen from users on the Internet, with 17 per cent ofthe theft attributed to identity theft, which includes phishing schemes. Banks are a commontarget, with the perpetrators setting up sites that resemble the URL of the genuine site. Forexample, if a bank had the URL www.bank1.com.au, the site created by the phishers might bewww.bank1.org.au. At first glance, especially to an uninitiated user, these site addresses seem tobe the same, so the user unwittingly clicks on the address ending in org.au: the phisher’s site.The fraudulent site will resemble the bank’s genuine site, so no suspicion is raised. Any detailssubmitted by the user will be sent to the creators of the phishing site.

This is a real threat for organisations. Websites are relatively easy to create and domainnames are easy to acquire. This leaves organisations vulnerable to phishing scams thatdamage customer trust in the organisation and e-commerce, as well as denting the organ-isation’s image. Organisations can overcome some of the risks involved through informationabout IT usage and policies and ensuring that customers are aware of the policies. Forexample, one could be that the organisation will never request personal details by email orwill not communicate at all with users by email. Users aware of this policy would hopefullybe alarmed by attempts at phishing.

Naturally, this relies on both the organisation having clear communication policies inplace, as well as the organisation’s customers being aware of such policies.

HACKING

Hacking is gaining unauthorised access to a system. There are many examples of hackersgaining access to high profile systems, e.g. NASA’s system. Hacking is a threat, particularlyfor large and prominent organisations that, by virtue of their position, become targets forhackers. The increased use of the Internet, combined with the higher levels of IT sophisti-cation in adolescents, has made hacking an increased threat. Recognising hacking as a riskto their system, many organisations are now hiring hackers to test the exposures of theirsystem. The term given to this activity is ‘penetration testing’, which, while familiar to the

9 6

large banks, is a new concept for other organisations just venturing into the world oftelecommunications.

The hacking issue is seen as being particularly real as businesses head towards integratedenvironments, with interorganisational network connections becoming increasinglycommon. In this integrated environment, companies must ensure their suppliers, partnersand other third parties are meeting security benchmarks. A company’s security is only asstrong as the weakest link in its network.

The challenge for organisations is to take reasonable measures to protect their systemsfrom unauthorised access. In Australia, guidance can be sought on how to do this fromAustralian standard 7799.2:2003 — information security management — specification forinformation security management systems. This standard provides a benchmark for assessingexposure to hacking. Certification of compliance with the Australian standards is available fororganisations. A list of officially certified organisations is available through the website of theInternational Information Security Management Systems User Group. Information aboutcomparable standards for information protection is available from this site. Alternative waysof gaining confidence in a website and its data transmission were also developed by Dun &Bradstreet and KPMG, who designed a digital certification product, while WebTrust and Ver-isign also offer online protection for organisations and their e-commerce customers.

The distinction that needs to be drawn in this section is that of ethical and unethicalhacking. Ethical hackers are employed by organisations to test systems for exposures andsecurity weaknesses, with the hacker generally working to instructions from the organ-isation. Unethical hacking is the sort that generally makes the headlines in the newspapers:it is the unauthorised and illegal access to a system.

IDENTITY THEFT

An example of identity theft reported recently in The Age involved a virus that steals theidentity details of users of the National Australia Bank (NAB) website. This article isreproduced in AIS Focus 3.2. In this example the details are being gained throughviruses that are planted on the user’s computer and triggered when certain conditions aremet or certain events occur. In this case, the user logging on to the NAB websitetriggered the capturing and sending of their personal details. The consequences of thisare that the user is potentially exposed to fraudulent use of their financial resourcesbecause others now have details that can gain access to their online accounts and theirpersonal details are now known by unauthorised persons. Additionally, such instanceshave a negative impact on the bank as well, with corporate image and reputation, as wellas the image of online banking, taking some damage.

A I S F O C U S 3 . 2

T r o j a n t a r g e t s N A B o n l i n e c u s t o m e r s

B y O n l i n e S t a f f

S e p t e m b e r 1 7 , 2 0 0 4 – 1 2 : 0 0 P M

A Trojan that attempts to steal online banking information frAustralia Bank has been reported by the anti-virus firm, Sophos.

Sophos’s tech lead in the Asia Pacific, Paul Ducklin, said it could be sprdirectly sent to PCs which have been already commandeered by malicious attackers.


MONEY LAUNDERING

The move towards a cashless society has come with the development of e-commerce. Credit

cards have become a common form of paying for online transactions. With this has come

the risk of identity theft and credit card fraud, through techniques such as phishing and

hacking, which have been discussed. Partly in response to these concerns, electronic cash

has developed as a means of funding electronic transactions. It is similar in concept to

physical cash: the customer buys electronic tokens, which function as cash in the electronic

world. These tokens can then be electronically exchanged for goods and services provided

by a vendor, who can then convert the tokens back in to cash. These can offer a form of

security to e-customers because they do not have to divulge details of credit cards over the

Web. Instead, the e-tokens can be purchased for cash and used in place of the credit card

when executing transactions. However, there have been concerns raised by the federal

government about improper uses of e-cash technology, with a paper issued by the Science,

Technology, Environment and Resources Group raising the prospect of e-cash being used as

a tool for money laundering and tax evasion.

What is fraud?

Fraud is an act of deception committed by someone against another entity, usually with the

intent of either causing damage to the victim or bringing benefit to the perpetrator. White-

collar crime can be described as deliberately misusing one’s employer’s resources or assets

for personal enrichment. Christensen & Byington identify 12 ways that white-collar crime

can be committed: fraud/conspiracy; bribery; kickbacks; price-fixing; embezzlement;

violations of securities laws (such as insider trading); illegal political contributions; tax

issues; bid-rigging; forgery; corporate theft and fraudulent financial reporting.

‘Troj/IBank-A is an internet banking trojan which attempts to steal confidential bankinginformation and send it to a remote location,’ the company said in an advisory on its web-site.

‘Once the Trojan has installed itself on a computer it lurks in the background waiting forthe right moment to pounce,’ said Graham Cluley, senior technology consultant for Sophos.

‘As soon as it sees the user is logging onto the National Australia Bank’s website it grabstheir account id and password and sends it to remote hackers.’

Sophos said when first run Troj/IBank-A copied itself to the Windows folder as audld.exeand to the Windows system folder as wmbem.exe.

It adds the following registry entries so that these executables are run whenever theinfected computer is started up:

HKLM\Softwear\Microsoft\Windows\CurrentVersion\Run\WinUpdate=

%SYSTEM\wmbem.exeHKCU\Software\Microsoft\Windows NT\Current Version\Windows\run=%WIN-DOWS%\audld.exe

Additionally, the pathname of audld.exe is added to a new run= line in the [Windows]section of %WINDOWS%\Win.ini, to run audld.exe on startup and a registry entryHKLM\SOFTWARE\Wmbem\may be created.

Source: The Age 2004, ‘Trojan targets NAB online customers’, 17 September, http://theage.com.aulartic1esl2004l09/17/1095320943628.html.

9 8

As the list demonstrates, white-collar crime can occur in many different forms. Similarly,fraud can occur within an organisation in many different ways. Table 3.5 is by no means anexhaustive list but is an indicator of some of the ways that fraud can occur.

Table 3.5 Examples of fraud

a. Kiting refers to the practice of inflating cash balances by exploiting the delay between a cheque being written

and being cleared. A cheque may be written from account A and deposited in account B. It will be recognised

immediately as a deposit in account B but not as a withdrawal in account A until it has cleared through the

bank. This will inflate the overall cash balance.

Source: Developed from Albrecht, WS & Albrecht, C 2004, Fraud examination and prevention, Thomson South Western,

Ohio; Singleton, T, King, B, Messina, FM & Turpen, RA 2003, ‘Pro-ethics activities: do they really

reduce fraud?’, The Journal of Corporate Accounting and Finance, vol. 14, no. 6, pp. 85–94.

There are several possible ways to act fraudulently in the world of information systems.Consider some of the following as a basis to work from:

• The payroll manager who places a nonexistent staff member on the payroll and collectshis or her salary in addition to his or her own

• The programmer who adjusts a payroll program so that one cent from every pay everyweek goes to an account he or she has created

Fraud type Business process affected Example

Asset theft Payment cycle

Revenue cycle

Revenue cycle

Paying fictitious vendors.

Misappropriation of incoming cash —

e.g. lapping — will affect accounts

receivable and cash and potentially

related accounts such as discounts.

Goods returned by customers are not

recorded.

Perquisites Payment cycle Personal items paid for by company.

Artificial revenue

inflation

Revenue cycle Creating fictitious invoices.

Inappropriate cutoffs or recognition

criteria applied to sales.

Asset valuation Revenue cycle Recognising asset revaluations as

revenue.

Creating nonexistent debtors.

Kiting.a

Valuation of inventory at wrong amount.

Capitalising inappropriate expenses.

Misclassifying work in process as

finished goods.

Payroll Payment cycle Paying nonexistent employees.

Siphoning money from employees’ pay.

Expense manipulation Payment cycle Capitalising expenses that should be

recognised immediately as expenses.

�


• The hacker who gains credit card numbers with the intent of using them for personal gain

• The person who creates a website purporting to be that of a large organisation and gainsprivate customer details (including bank account details) through the site.

Fraud is a real problem for organisations and the advent of e-commerce has heightenedconsumer and organisational awareness of the very real risk that fraud presents. Variousdiscussions of fraud refer to the notion of a ‘fraud triangle’, which says that for fraud tooccur three things are necessary: a reason, pressure and an opportunity.

• The reason is the way that the individual justifies their fraudulent activity, for examplethe bank teller who takes some cash home on a Friday night and bets it on a ‘surething’ at the races on Saturday may justify their activities on the basis that no one willget hurt and if the horse wins the original amount of money can be returned and noone will ever know the difference. In effect the teller was only borrowing, albeitslightly unethically.

• The pressure for fraud can come from various sources, including the individual’spersonal life and work environment. For example, pressure at home on the bankteller, with mortgage payments rapidly approaching and credit cards approachingtheir credit limit, may provide the financial pressure for the teller to take the cashand wager it on the ‘sure thing’ at Saturday’s races. Another example could be thecorporate accountant who is under pressure to achieve target results, so as not todisappoint the sharemarket. Consequently, he or she creates fictitious sales to boostrevenue and bolster the value of inventory and assets with some judicious revalu-ations. These are two examples of pressures that led to fraud: the first personal andthe second job-related pressure.

• The opportunity refers to the individual’s perceived ability to carry out the fraud and con-ceal the fraudulent activity. In the bank teller case, the opportunity was there because theteller could take the money on Friday night and return it on Monday and no one wouldbe any the wiser. After all sure things do not lose . . . do they?

Research studies have found that the incidence of fraud tends to be related to theethical environment of the organisation. This makes ethics and the promulgation ofethical values and practices important to the organisation. They can be promotedthrough, for example, codes of conduct and professional registration. Codes of conductor ethical standards provide guidelines for acceptable behaviour. For example, ethicalguidelines exist to guide auditors when making client acceptance decisions, whendetermining the level of nonaudit service fees and on what gifts from the client can beaccepted. Similarly, the Australian Computer Association has a code of conduct for itsmembers to follow.

Membership of a profession carries benefits, for example professions are typically in pos-session of a base of knowledge that is valued in society (for example doctors, accountants),their professional authority is recognised in the wider community that they serve, they havea professional culture and ethical codes that govern their actions. Codes of ethics can beboth formal and informal and enforced by the self and by the professional body. Forexample, the professional accounting bodies hold disciplinary meetings for allegations ofbreaches of the codes of conduct. For professionals who consider themselves a part of theprofessional group, as a CA or CPA would, the prospect of being disciplined and potentiallyexcluded from the group is generally a strong enough means of ensuring behaviour inaccordance with the professional code of ethics.

Organisations can therefore help induce ethical behaviour by having employees who aremembers of professional bodies that enforce a professional and ethical code of conduct, or

1 0 0

by creating and enforcing their own ethical code of conduct, to which the employee signsup when joining the organisation.

SALES FRAUD/E-COMMERCE

Some hypothetical examples of sales fraud/e-commerce fraud are discussed in this section.In the exercises at the end of the chapter you have the opportunity to develop some controlplans that could be applied to reduce the risk of these occurring.

Example 1: Paying nonexistent suppliers/false invoices

John MacIntosh, a payment clerk for Deep Water, creates a company called ABCEnterprises. ABC Enterprises then proceeds to issue invoices to Deep Water, where Johnis responsible for paying them. Several invoices, valued at several thousands of dollars,are processed and paid by Deep Water, with the money going to MacIntosh.

Example 2: Credit fraud

Susan Falmer purchases items on line, using credit card numbers that she has obtainedillegally through a phishing scheme she established a few years ago. She purchases the itemson credit and then sells them to customers over the Web at prices much less than retail.Because the credit card details were stolen, Susan never incurs any of the debts. Thecompany selling the goods to Susan never incurs any debt because credit transactions areguaranteed by credit card companies.

Example 3: Nonexistent sales

The end of the financial year is fast approaching and GHI Ltd is slightly below itsbudgeted forecasted sales, which were released to the stockmarket with mid-yearearnings figures. Recognising the poor signal that lower-than-expected earnings wouldsend to the market, the chief financial officer of GHI Ltd instructs the financialaccountant to push forward some sales, recognising them in the current period, eventhough the inventory is yet to be shipped. For GHI this has several benefits: it increasesits sales figures and its asset base also increases through the higher accounts receivable.The accountant responds by calling up some pending sales orders on the system andaltering their status, thus recognising them as sales.

Example 4: Nonexistent customers

Brad is the accounts receivable manager at Tee Up Ltd, a seller of golf-related accessories.A keen golfer himself, Brad would like to use the products of Tee Up but is unable toafford them. To overcome this difficulty Brad creates fictitious customers on the accountsreceivable master list, with addresses that correspond to those of his close friends. AsBrad orders goods through these customers the goods are shipped to the addresses,where Brad collects the goods. Payment is never received from Brad for the goods.Instead he either records the goods returned by the customer due to damage (damagedreturns do not go to inventory but are written off as an expense), writes the account offas a bad debt or clears the accounts receivable amount owing through noncash entriessuch as allowances and returns.

WHAT CAN ORGANISATIONS DO?There are several ways that organisations can manage their exposure to computer crimeand fraud. Establishing a sound corporate governance structure that pursues a strongcontrol environment and thoroughly designed general and application controls is a good

1 0 1C H A P T E R 3 | I N F O R M A T I O N S Y S T E M S E T H I C S

starting point. However, these formal controls are not the only tools available to the

organisation. Other mechanisms for reducing the risk of computer crime and fraud are

discussed in the following.

The emphasis for organisations wanting to reduce the threat of fraud appears to be to

have a strong ethical culture that starts at the top of the organisation, having appropriate

reporting and monitoring mechanisms that are followed up on, providing ethical

training and facilitating employee reporting of fraud (or whistleblowing).

One informal but effective approach is to know your employees. This means not simply

knowing their names when you meet them in the lunchroom for coffee. Rather, it means

being aware of who they are, their background and so on. This can help identify potential

instances of fraud. For example, seeing the employee who has typically ridden to work on a

20-year-old bicycle drive through the employee car park in a brand new shiny red Porsche

would hopefully lead you to ask some questions: how did you get the car? While changes in

lifestyle will not typically be as extravagant as the illustration given, monitoring employees

for changes in lifestyle and habits can be an effective red flag for detecting fraud in the

organisation.

Similarly, policies that force employees to take annual leave on a regular basis can be an

effective means of detecting fraud. Why? An employee carrying out fraudulent activities will

not want to leave their job for any period of time for fear that someone else will discover

their actions. As discussed, this can be a common technique that is effective for detecting

fraud in cash-handling areas of the organisation, where there is a risk of activities such as

lapping occurring.

Other potential red flags identified by Singleton et al. are listed in table 3.6. The factors

relate to either the employee or the company level.

Table 3.6 Fraud red flags

Source: Adapted from exhibit 2 in Singleton, T, King, B, Messina, FM & Turpen, RA 2003, ‘Pro-ethics activities:

do they really reduce fraud?’, The Journal of Corporate Accounting and Finance, vol. 14, no. 6, p. 89.

The role of the internal and external auditor can be critical in preventing and detecting

fraud and, somewhat ironically, one of the best tools available for both of these parties for

detecting fraud is the computer. The range of analytical techniques, searching power and

processing tools that a computer can possess make the analysis of a large volume of tran-

sactional data relatively simple to accomplish, especially when combined with modern

computer-assisted audit techniques.

Employee red flags Company red flags

Financial pressure

Vices

Extravagant lifestyle

Not happy with organisation

Internal performance pressure

Unexplained work hours

Lacking internal controls

No follow-up in internal and external audits

Falling employee morale

Changing lifestyle of employee

Unusual expenses

Unexplained losses

�

Documents

Information system ethics