Many of the problems computer auditors deal with are ethical in nature. Post-contract and post-implementation problems are cases in point. Unfortunately, we are unaware or ignorant of this aspect of many problems. Consequently, we can reach only a partial solution at best. Such a solution will eventually blow up; then the professional’s future and company’s reputation and prosperity may be ruined.
Ideally, the solutions sought are not only technically efficient, financially viable and legally admissible, but also ethically acceptable, socially desirable and ecologically sustainable. To this end, we need the technical know-how (auditing and IT knowledge and skills) and a deep understanding of the common ethical principles (called requisite competence). We also need a shift in the conception of risk and a new tool for decision analysis (called additive), because of the so-called misinterpretation of risk and the flawed education across science and technology.
Take the following example and solution to see how ethics affect the role of the auditor. Chuck is a senior manager at A1 Computer Audit, assigned to take charge of the project contracted to provide a total system audit for Modern Clothing Boutique. His team discovered some errors in the inventory control function. Knowing that these errors, though unlikely to occur, could lead to serious damage, Chuck faces a dilemma: keep quiet or blow the whistle.
Keeping quiet saves him the trouble of facing a furious boss and an unhappy client. Relativism permits that course of action. But a sense of duty as an employee and as a professional worries him. Then the extra cost for rectifying the erroneous specification before implementation becomes the problem.
Chuck argued to his boss that, on utilitarian grounds, the extra cost will be far exceeded by the potential damage to A1’s reputation, the cost of potential lawsuits, the ruin to the relationship with Modern Clothing or loss of its business, possible morale issues, loss of customer trust (including that of Modern Clothing), and damage to the brand name. On deontological grounds, knowingly implementing a project with an inherent weakness is an act of dishonesty, a violation of the company’s code of conduct and a deviation from fair trade practices. After Chuck approached the issue with his manager using this explanation, the boss’s attitude seemed to soften.
To the worried client, Chuck argued on deontological grounds: Modern Clothing should bear equal responsibility because the contract was signed by both Modern Clothing and A1. In relativistic terms, A1 does not have to reveal the problem, but has gone the altruistic extra mile by being honest and ethical. In consequentialist terms, the extra cost is negligible compared to the potential loss of business and the potential interruption to operations. If the hidden errors materialize, their consequences will have to be added to the cost of amending and repairing the system in the future.
Both A1 and Modern Clothing agree to amend the design and the contract and equally share the extra cost.
Read Wanbil Lee’s recent Journal article:
“Risk and Ethics in Cyberspace,” ISACA Journal, volume 6, 2015.