Case Scenario:
Greg Schwartz, an internal auditor for Ajax Products Company, is pursuing a graduate degree on a part-time basis. Greg and another graduate student, Linda Stephens, have been given an assignment to produce a database for an accounting information systems class. Greg's company has a site license for a relational database management system on a local area network (LAN). Linda is a full-time student with no access to the needed database management system.
Greg invites Linda to work at his office after hours to complete the project. He greets her at the security desk, cosigns her identification card, and leads her to his office. Linda has studied data communications and is eager to gain some experience. Greg describes to Linda how to access the database management systems on the LAN. He first enters his user ID and password to gain access to the LAN, and then he lets Linda enter the commands to start the database management system. Linda misunderstands Greg's instructions and mistakenly types a transposed set of characters. The computer responds with the message, "Access Code?" Greg comments that he's never had to do that before and leans over and types his password.
The computer screen flickers, and then a colorful display of the company's logo appears above the words "Welcome to Ajax Company's Executive Information System." Instinctively, Linda presses the enter key and the computer screen presents a menu listing of ten files and programs available, including such entries as "Budgets," "Plans," and "Benefits." Greg comments that he's unfamiliar with that menu and asks Linda if she remembers what she typed when she signed on. "What ever you told me to type," she replies. Curious, Greg selects "Benefits" and, after a moment, a list of the top company officers appears on the screen along with a summary of their salary and benefits packages, plus an entry for the projected bonus for the current year. Greg is somewhat shocked to see substantial bonuses. By quickly paging down, he discovers that the total in the bonus category for 12 executives is in the high six figures.
Because Ajax is a privately held company, none of the data would be released to the public. What is shocking and disturbing to Greg is that the company recently announced a workforce reduction plan that will reduce the workforce by 6 percent in the coming weeks. Greg says to Linda, "This is the company that parades its Code of Ethics in public, with the CEO constantly talking of honesty, integrity, and fairness." Greg recovers his poise in a moment and remarks, "I don't think this is the system we want." He types "BYE" and exits the executive information system. Once back at the LAN system prompt, he types the commands he had described to Linda and gets access to the LAN version of the database management system they needed. They work for several hours to develop the database. Greg and Linda then save the file, sign off the system, and go home.
Later that night, Greg muses about what he had seen and the fact that Linda, an outsider to the firm, had also seen the information. If he reports the breach in the computer security system, it will be suspected that he has seen confidential information. If he doesn't report the breach, someone else may get access to the sensitive data and take advantage of the information. Greg also knows that the LAN operating system audit log will show that he gained access to the executive information system. He is responsible for reviewing the log and reporting unauthorized accesses and access attempts. He is also uncertain as to whether his access to the executive information system is actually a security breach. Internal audit has routinely been given access to all applications and data due to its job function. He also knows at least two long-term employees whose jobs will be terminated due to the workforce reduction.
Greg also wonders how the Institute of Internal Auditors' Code of Ethics applies in this case. He recalls that, in Standard of Conduct II, the Code suggests that internal auditors should be loyal to their employer. However, internal auditors should avoid actions that violate the law. In addition, as it says in Standard of Conduct VIII, he knows that the internal auditor should refrain from disclosing information for personal benefit or in a way that will damage the employer.