We have the potential in our professions to encounter unethical and illegal uses of technology and data. In this column, Eileen Strider describes a situation in which you suspect a dishonest use of information in a system you're testing. What do you do?
Many information technology trade journals are publishing articles about the recent corporate accounting shenanigans. They are asking interesting questions about the role of IT executives, managers, and professionals in these matters. Some write that Chief Information Officers (CIOs) should be held accountable for how financial information is recorded and reported. I think this could get you fired, especially if the CIO reports to the Chief Financial Officer, who may order you in not-so-nice words to keep your nose out of his job. Having the word "information" in your title doesn't appoint you the "information police." On the other hand, what is an IT professional's responsibility when it comes to the use of technologies? I'm sure others' opinions will differ widely from my own. I do, however, consider this an important topic for us to debate as quality assurance and testing professionals.
Here's a hypothetical scenario. You are regression testing the next release of your company's general ledger system when you discover a change in how the system handles special journal entries. The previous release required the comments field to be completed explaining the reason for the journal entry—this is standard accounting practice. The previous release also logged the user ID of the person submitting the journal entry. But the new version you are testing allows you to complete a journal entry with no explanation in the comment field and the logging function seems to have been disabled. You probably are not a CPA; however, you've tested this system enough in the past to recognize that this is not the way journal entries are typically processed. Your suspicion is raised by the results of your testing. What do you do?
You could pretend you didn't notice and do nothing. You could record this as a bug as you do any other bug. You could bring it to your manager's attention. You could talk to an auditor about it. You could ask the finance manager responsible for the general ledger about this change in the handling of journal entries. You could bring it to the controller's attention or the CFO's attention. You could decide that your company is behaving unethically and quit before they end up on the front page of the newspaper.
In keeping with my own values, I would feel obligated to talk to someone in management about this. I would start with the generous interpretation that this change was an unintended mistake. I would try to find out if this is the case. If I find out otherwise or am stonewalled, then I have to make another decision about whether to escalate my concerns and, if so, to whom. I think it's not only fair but also important to assess the impact on myself of escalating my concern. If I escalate the issue and after all good faith attempts, I am convinced that this was an intentional change to provide a way to move funds around while hiding the reasons and obscuring the audit trail, I would have a really big decision to make about staying with the company or leaving.I once encountered a similar situation. A technology I inherited had been configured in a way that people outside the company could access the technology for criminal use. If this happened, the company could incur a substantial financial liability. The technical staff discovered this situation while replacing the hardware with newer technology. They reported it to me as their manager. I suspected that it was originally set up so that some employees could use the technology as a personal benefit with no record of the benefit being reported. But I had no hard evidence of this. I was very nervous about bringing the issue to my boss. How a company handles raising these issues tells you a lot about the values and integrity of a company's executives. I recommended to my boss that we reconfigure the hardware to prevent access from outside the company. Fortunately for me, he agreed and the matter was settled with integrity. This boss taught me what he called "The Newspaper Test." It goes like this: "If your mother were to pick up tomorrow's paper and read about your handling of this situation, would she be proud of you?"
We have the potential in our professions to encounter unethical and illegal uses of technology and data. We don't have to go looking for them; sometimes they just fall into our laps in the normal course of our work. The question is then, "What do I do next?" The answer may be simple or complex. But even if the answer is plain, it may not be easy to do.