What is a segregation of duties matrix?

Segregation of duties (SoD) is a central issue for enterprises to ensure compliance with laws and regulations. The importance of SoD arises from the consideration that giving a single individual complete control of a process or an asset can expose an organization to risk. Enforcing SoD is, thus, an important control element to support the achievement of an effective risk management strategy.1, 2, 3

This article, which contains conclusions derived from real-world SoD experience, is divided into two parts: applied methodology and implementation issues.

Applied Methodology

The traditional approach to SoD mandates separation between individuals performing different duties. Duties, in this context, may be seen as classes, or types, of operations.

The basic concept underlying segregation of duties is that no employee or group should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. In general, the principal incompatible duties to be segregated are:

  • Authorization or approval of related transactions affecting those assets
  • Custody of assets
  • Recording or reporting of related transactions4

In IT Control Objectives for Sarbanes-Oxley, 3rd Edition, a fourth duty, the verification or control duty, is listed as potentially incompatible with the remaining three duties. This fourth duty encompasses operations that verify and review the correctness of operations made by other individuals, whether they are custody, recording or authorization operations.5 Some of the core SoD elements are actors, duties, risk, scope, activities, roles, systems and applications, and user profiles.

Actors
When proper SoD is applied, actors performing incompatible duties are different entities. Such entities may be single individuals or groups. Requiring segregation to be applied between individuals or between collective entities gives rise to the following different levels of segregation, depending on the organizational constraints that are required for SoD to be recognized as such:

  • SoD by individuals (individual-level SoD)—This is the traditional and most basic level of segregation. In this case, SoD is accomplished by having different duties performed by different individuals, such as clerks being authorized by their manager to make a payment.
  • SoD by functions or organizational units (unit-level SoD)—At this level, different functions perform the separated duties. For example, the sales department might prepare an offering, which is then signed off by the operations department or the risk management function.
  • SoD by companies (company-level SoD)—At this level, operations must be performed by different legal entities. For example, investments made by a subsidiary might require authorization by the controlling company. Third-party audits may be viewed as an example of company-level SoD as well.

Incompatibilities
In the relevant literature about SoD,6 duties and their incompatibilities have (unsurprisingly) been extensively analyzed. The most widely adopted SoD model requires separation between authorization (AUT), custody (CUS), recording (REC) and verification (VER).

Given the lack of consensus about best practices related to SoD, another viewpoint proposes a simplified approach.7 It divides custody and recording duties from authorization duties and introduces a third category of duties: the authorization of access grants. In this model, agents may perform operations related to different duties on the same assets as long as they are authorized by a second person. This model embraces some common practices, e.g., a clerk receiving cash payments and entering related data in a computer application.

In addition to the aforementioned duties from the traditional model and from the simplified approach, a consistent framework should also encompass management duties (e.g., granting or revoking the proper rights to the appointed people, reporting and managing any exception to the procedures) and governance duties (evaluating, directing and monitoring SoD rules and practices in accordance with corporate governance). This alternate model encompasses some management duties within the authorization of access grant and segregates them from the other duties. The resulting model is depicted in figure 1.

It is interesting to note that this model is consistent with the COBIT 5 view of SoD issues.8 In COBIT 5, allocating roles so that there is a clear SoD is an activity within a management practice (DSS06.03), which takes direction from a governance practice (EDM04.02). Roles, responsibilities and levels of authority are established, agreed upon and communicated through a second management practice (APO01.02).

From those considerations, it can be assumed that, for efficiency and for economic reasons, an effective SoD may be achieved by relaxing the requirements for separation between operational duties, such as custody and recording, as long as they are subject to independent authorization or verification.9 Note that, in some cases, such segregation is simply impossible to achieve, e.g., when a recording operation creates an automatic payment (thus giving rise to a custody duty). In some cases, separation may not be required between control duties such as authorization and verification, which are often delegated to the same authority.

Whenever such simplifications are introduced, some may be concerned that SoD is weakened to the point that it becomes ineffective. To address such concerns, compensating controls can be introduced after thorough risk analysis10 to reduce the vulnerabilities in ineffectively segregated functions, which include the risk of errors, omissions, irregularities and deficiencies in process quality. For example, if recording and custody are combined, independent authorization and verification (e.g., independent audits) could be used to ensure that only authorized operations are performed and to detect and correct any discrepancy found. When proper SoD cannot be enforced, the need for compensating controls is widely recognized in current practice among enterprises and institutions.11, 12

Risk and Risk Scenarios
To properly assess SoD risk derived from conflicting duties, a sound risk assessment process is needed.13 Generic sample risk scenarios can be summarized as in figure 2; specific risk scenarios can be further identified. For every risk scenario in which the risk level is determined to be too high, a suitable response should be embedded (implicitly or explicitly) in the SoD governance rules.


Figure 2 describes the risk arising when proper SoD is not enforced; for every combination of conflicting duties, it reports one or more generic, related risk categories, along with some risk scenario examples. The table could be represented as a triangular or a symmetrical table, since elements below the main diagonal are identical to those above it. This derives from the observation that if c(X,Y) denotes duty X conflicting with duty Y, then c(X,Y) is equivalent to c(Y,X), while c(X,X) never holds, because a duty cannot conflict with itself. The first observation means that, for example, given that custody is incompatible with authorization due to the risk of embezzlement, then, for the same reason, authorization is incompatible with custody: the cell at row CUS, column AUT and the cell at row AUT, column CUS should be identical. The second observation means that, for example, custody is always compatible with custody, so c(CUS, CUS) cannot be true and the corresponding cell can be safely omitted from the matrix.

Governance is not included in figure 2 since risk factors due to lack of governance are less specific and more difficult to match with single duties (nonetheless, they may have high impacts on businesses). Lack of governance may result in general inconsistencies or a possibly fraudulent attribution of conflicting duties to the same actor.

An effective SoD mitigates all risk deriving from the risk scenarios presented in figure 2. Still, SoD governance may benefit from introducing further controls to reduce risk to acceptable levels. For example, third-party audits by a separate function (e.g., internal audit) or an external entity (e.g., external audit) may be beneficial. In this case, a function-level or company-level SoD may be used, for example, to assess effectiveness of individual-level SoD. This is a secondary level of controls that provides assurance about the effectiveness of existing SoD controls.

Scope
In the literature about SoD, there is not much discussion about scoping SoD requirements. But scoping is a central topic for the correct assessment of SoD within an organization. In fact, checking SoD among all actors against all activities in a complex enterprise, aside from being impractical, would be meaningless.

Assets as Scoping Boundaries
The first scoping considerations involve assets. Duties that are related to an asset should be segregated.14 An individual may be in charge of different duties as long as they do not involve the same asset. This kind of SoD is allowed in some SoD models.15

Again, SoD may be accomplished on different levels. In some cases, segregation is effective even when some conflict is apparently in place. For example, two employees may be in charge of recording and authorizing transactions on the same set of assets, provided that, for every single asset, one employee records the transaction’s data and the other employee authorizes the operation.

In this case, if assets are, for instance, accounts receivable, two employees can both record the account receivable data and authorize transactions. For every single account receivable, one employee records the data and the other employee authorizes the related transaction; roles can be inverted between the two employees when a second account receivable is processed. The traditional form of segregation leaves all authorizations to an individual (e.g., the department manager) and custody or recording operations to a second individual.16

Therefore, the first scoping rule is that duties must be segregated for every single asset to avoid conflicts (as in the first example in which two employees exchange their duties). More commonly, particularly in medium or large enterprises, duties are segregated with respect to a set of assets (as in the second example, in which authorization for paying accounts receivable is performed by the department manager).

Processes as Scoping Boundaries
A second boundary may be created by the processes that transform the assets or their status. Again, such boundaries must be assessed to determine if they introduce any residual risk. “Considering processes and [risk factors] outside of the system are just as important as those inside the system, if one wants to look at fraud risk holistically.”17 For example, a manager may authorize payments for accounts receivable; the same manager might use the same data coming from accounts receivable to draft a report to be shared with the company’s executives.

In the first case, there are two assets involved: the accounts receivable and the related amount of money. The manager performs an authorization duty. In the second case, there are still two assets: the accounts receivable and the report. But in this scenario, the manager performs a recording duty. Processes are separate, but they are related to an asset they have in common. The second process carries some risk related to SoD due to conflicting activities on the same asset. Duties can be seen, then, as properly separated if there is a set of controls on each process so that the risk is properly mitigated (e.g., authorizations are independently verified and reconciled and reports are independently checked against accounts receivable).

Thus, it can be said that in SoD, the scope may be limited to a process or a set of processes that creates an asset or transforms it, bringing the asset itself from one stable state to another stable state.

In summary, the scope in which to look for SoD conflicts can be defined by the assets that are involved and by a set of processes that operates on them.

Applying scoping rules to demarcate the playing field can provide numerous advantages during the implementation phase. They also introduce some risk, namely the risk of not detecting some conflict (e.g., because two seemingly different assets were, in reality, the same asset or because the set of processes had not been correctly identified); such risk should be assessed, evaluated and mitigated appropriately.18

Implementation Issues

In enterprises, process activities are often described by means of a procedure or in a diagram in some standard notation, such as Business Process Model and Notation (BPMN). Often, these descriptions are at a level of detail that does not immediately match the duties as previously defined. This may generate confusion when checking whether there has been some kind of conflict in the attribution of duties. For example, figure 3 shows a schematic example of a fictitious accounts receivable process. It is only a part of the process and is grossly simplified, but it helps to illustrate this point.

In such a process description, one can easily attribute duties to the three actors involved: the accountant, who performs a custody duty or possibly a recording duty; the manager, who authorizes payment, which is an authorization duty; and the person in charge of payments, who performs a custody duty. There are no individuals performing two different duties; there are two individuals performing the same duty (a custody duty). There are no conflicts.

In enterprises, processes may be described at a finer level of detail. The previously discussed process is depicted in figure 4.


In this case, duties cannot be matched directly to activities. Each of the actors in the process executes activities, which apparently relate to different duties. For example, the accountant who receives a payment performs a series of checks against order details before sending the invoice to the manager for approval, possibly suspending the invoice until any discrepancy has been fixed. Such checking activity may be viewed as an authorization duty or a verification/control duty. Similarly, the person in charge of payments performs some checks before fulfilling the payment request.

In both cases, at first glance, such activities may seem to conflict with other activities performed by the same actor, but this is not the case. Such conflicts can be seen as purely formal, since they are caused by the form that a procedure has taken (i.e., the level of detail) and not by the very essence of the activities themselves. Preliminary activities requiring verifications from every actor involved are the very reason to invoke SoD: They provide a consistent set of checks and balances that ensures that operations abide by rules and procedures.

Mapping Activities With Duties
A visual depiction of processes can be used as the basis to build a matrix of activities, which are then checked for incompatibilities.19 Those who evaluate SoD on processes written at this high level of detail should consider doing the following:

  1. Alter the process description by grouping or removing activities in order to hide details that are not relevant to SoD.
  2. Keep all the activities in the matrices, but label any formal conflict as such; do not raise any exception to the rules of SoD in case of formal conflicts.

The first choice has the advantage in that it reduces the size of the matrices. On the downside, it is detached from the approved representation of processes, requires some preliminary effort, and may introduce errors or oversimplifications. The second alternative generates huge matrices, but keeps them aligned with the existing representation of processes and to their practical implementation.

Both of these methods were tested, and it was found that the first one was more effective. Matrices were more manageable. Since the number of activities was reduced, this approach led to a more effective and focused examination of possible SoD conflicts when validating results with the process owners. Not all false conflicts were eliminated, though. In some cases, conflicting activities remained, but the conflict was on only a purely formal level.

Managing Conflicts
Detected conflicts can be managed by modifying processes, e.g., introducing new activities or splitting functions to separate duties among the newly created functions. Eliminating some conflicts may be impractical or too expensive sometimes; in such cases, risk should be assessed and properly managed.20, 21

The SoD implementation tested for this article listed more than 80 potential SoD conflicts, along with the compensating controls that had been applied to reduce risk to acceptable levels.

Roles and Role Engineering
In the model discussed in this article, actors are defined as entities playing a role. Roles may be generic (e.g., requester) or specific (e.g., purchasing department manager). Either way, they are associated with one or more process activities.

Role engineering is a discipline in itself, aimed at defining a common set of roles that can be used to assign grants and privileges on applications to users in a consistent and repeatable way.22 Role-based access control (RBAC) follows some common models, as described by the American National Standards Institute (ANSI) standard 359-2004.23

Role-engineering processes may follow two main approaches: a top-down approach (i.e., a business-driven approach in which roles are defined based on the users’ job descriptions) or a bottom-up approach (i.e., roles are inferred by examining existing grants and permissions on systems and applications). The latter technique is often known as role mining. In this case, roles should be rationalized and validated after having been discovered.

Top-down and bottom-up approaches may be used simultaneously to complement each other, giving rise to the third common alternative, the hybrid approach, which is often claimed to be the most valid approach.24, 25 The implementation examined in this article used a hybrid-like approach to match the business view of user activities with the actual permissions granted on systems and applications. On the top-down side of the approach, the organization was analyzed to determine what the roles were for every department, function or office involved. Then, roles were matched with actors described in process-flow diagrams and procedures. This resulted in the ability to match individuals in the process flow with a specific job description within the organization.

Systems and Applications
The access rights granted to individuals were assessed to gather information about systems and applications. This is a (bottom-up) role-mining activity, which was performed by leveraging the identity management product chosen for the implementation of the identity management system.

There was also a second source of information about applications and systems. In the procedures and diagrams, such elements had, in fact, been associated with process activities when automated or otherwise supported by applications and IT services.

For example, for all employees in a given office, role mining produced a list of the permissions they had been granted on the applications that support the enterprise architecture of the company. Then, the actual permissions granted to users on applications and systems (from role mining) were compared with the intended use of IT services (from procedures and diagrams). In cases of mismatch, it was possible to check whether excessive grants had been provided to users or whether process and activity descriptions were inaccurate and needed to be updated.

Roles can be composed hierarchically; in this case, simpler roles act as building blocks that must be combined to form a single role. For example, an accountant may have a role built as a composition of generic building blocks, such as employee; less-generic blocks, such as member of the financial department; and specific blocks that are closely related to the accountant role.

Profiles
The term “user profile” is used throughout technical literature with different meanings. In this article, a user profile is defined as a set of permissions granted on a single application or system. Profiles are related to roles, which means that from the perspective of applications and systems, a role can be thought of as a collection of user profiles.

The hybrid approach provides some clear benefits:

  • Grants on the applications can be matched with roles, leading to optimal and consistent attribution of grants to the users.
  • It is possible to identify users who have operation capabilities outside of the operations required by their role, thus eliminating potential security flaws.
  • Unnecessary and redundant roles can be detected and eliminated.
  • User profiles can be designed more effectively based on role-mining results.

In implementing roles with the support of an identity management system, a balance has to be achieved when legacy systems are involved. The choice is between keeping all profile details and the grants associated with systems and applications in the identity management system on one side, and leaving the complete user profile on the applications and systems themselves on the other. In this second case, identity management determines only whether users have access to certain applications. (Such profiles are called “Yes/No” profiles, meaning that a user is either authorized or not authorized to access an application.)

Detecting Conflicts on the Rise
Conflicts originate from the attribution of conflicting duties to the same actor. This may happen because activities related to two conflicting duties have been associated with the same role (e.g., custody, authorization). In this case, conflicts are introduced while designing processes, procedures and roles. In practice, conflicts arise more frequently because two conflicting roles are attributed to the same individual while creating or modifying the individual’s account. Moreover, in the case of a profile change, an individual may be asked to temporarily play two roles in order to guarantee a smooth transition from the previous role to the next.

In such cases, SoD rules may be enforced by a proper configuration of rules within identity management tools. Such rules can detect a conflicting assignment in the creation or modification phase and report such violations. A more complex and flexible set of rules is needed if dynamic RBAC is to be applied.
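To tie the figure 2 conflict matrix and the per-asset scoping rules to the identity management check just described, here is an added example (not code from the article or from the identity management product it used): a small Python checker in which the matrix is symmetric by construction, conflicts are evaluated per asset, formal conflicts are labelled rather than raised, and accepted conflicts carry their compensating control. Role, user and asset names are constructed, and the risk labels other than the embezzlement example are my own wording.

```python
"""SoD checker: conflict matrix, asset-level scoping and the identity-management
assignment rule. Added example, not the article's code. Duty labels follow the
article (AUT, CUS, REC, VER); roles, users, assets and all risk wording except
the embezzlement example are constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Tuple

AUT, CUS, REC, VER = "AUT", "CUS", "REC", "VER"

# c(X, Y) is stored once per unordered pair: c(X,Y) == c(Y,X) and c(X,X) never
# holds, so only the cells above the main diagonal of the matrix are needed.
CONFLICT_MATRIX: Dict[FrozenSet[str], str] = {
    frozenset({AUT, CUS}): "embezzlement",
    frozenset({AUT, REC}): "unauthorized transaction recorded as approved",
    frozenset({CUS, REC}): "misappropriation concealed by falsified records",
    frozenset({AUT, VER}): "approval never independently checked",
    frozenset({CUS, VER}): "custodian reviews own handling of the asset",
    frozenset({REC, VER}): "recorder reviews own entries",
}
# The article notes that separation between the two control duties is often not
# required when one authority holds both: a relaxed matrix drops that cell.
RELAXED_MATRIX = {k: v for k, v in CONFLICT_MATRIX.items()
                  if k != frozenset({AUT, VER})}

def conflict(x: str, y: str, matrix=CONFLICT_MATRIX) -> Optional[str]:
    """Risk category for c(x, y), or None when the two duties are compatible."""
    return None if x == y else matrix.get(frozenset({x, y}))

@dataclass(frozen=True)
class Activity:
    name: str
    duty: str
    asset: str            # asset (or asset set) that scopes the duty
    formal: bool = False  # a check that only looks like a control duty

@dataclass(frozen=True)
class Role:
    name: str
    activities: Tuple[Activity, ...]

@dataclass(frozen=True)
class Finding:
    actor: str
    asset: str
    duties: FrozenSet[str]
    activities: Tuple[str, str]
    risk: str
    compensating_control: Optional[str] = None  # set when the conflict is accepted

def find_conflicts(actor: str, roles: List[Role], matrix=CONFLICT_MATRIX,
                   accepted: Optional[dict] = None) -> List[Finding]:
    """Two non-formal activities reachable through the actor's roles conflict when
    both touch the same asset and their duty pair is in the matrix. `accepted`
    maps (actor, asset, duty pair) to the compensating control that justifies
    leaving the conflict in place; such findings are returned flagged, not raised."""
    accepted = accepted or {}
    acts = {a for r in roles for a in r.activities if not a.formal}
    found = set()
    for a, b in combinations(sorted(acts, key=lambda x: x.name), 2):
        if a.asset != b.asset:
            continue  # scoping rule: duties are segregated per asset
        risk = conflict(a.duty, b.duty, matrix)
        if risk is None:
            continue
        pair = frozenset({a.duty, b.duty})
        found.add(Finding(actor, a.asset, pair, (a.name, b.name), risk,
                          accepted.get((actor, a.asset, pair))))
    return sorted(found, key=lambda f: (f.asset, f.activities))

def check_assignment(actor: str, current: List[Role], new_role: Role,
                     matrix=CONFLICT_MATRIX, accepted=None) -> List[Finding]:
    """Identity-management rule: report only the conflicts the new role introduces."""
    before = set(find_conflicts(actor, current, matrix, accepted))
    after = find_conflicts(actor, list(current) + [new_role], matrix, accepted)
    return [f for f in after if f not in before]

# Constructed sample: the simplified accounts receivable process of the article.
ACCOUNTANT = Role("accountant", (
    Activity("record invoice", REC, "accounts receivable"),
    Activity("check order details", VER, "accounts receivable", formal=True),
))
AR_MANAGER = Role("ar manager", (Activity("approve payment", AUT, "accounts receivable"),))
PETTY_CASH = Role("petty cash custodian", (Activity("hold petty cash", CUS, "petty cash"),))
CASHIER = Role("cashier", (  # the common practice the simplified model tolerates
    Activity("receive cash", CUS, "cash receipts"),
    Activity("enter receipt", REC, "cash receipts"),
))
ACCEPTED = {("u.bianchi", "cash receipts", frozenset({CUS, REC})):
            "daily independent reconciliation of cash receipts"}

def demo() -> dict:
    """The checks a reviewer would script; results are returned for inspection."""
    return {
        "accountant_alone": find_conflicts("m.rossi", [ACCOUNTANT]),
        "accountant_plus_manager": check_assignment("m.rossi", [ACCOUNTANT], AR_MANAGER),
        "cashier_with_control": find_conflicts("u.bianchi", [CASHIER], accepted=ACCEPTED),
        "different_assets": find_conflicts("g.verdi", [AR_MANAGER, PETTY_CASH]),
    }
```

Calling `demo()` returns the four cases: a clean accountant, the AUT/REC conflict that adding the manager role would introduce, the cashier's CUS/REC conflict returned with its compensating control, and no finding when the two duties touch different assets.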

Conclusion

SoD is a control and, as such, should be viewed within the frame of risk management activities. This key element must be kept in mind when assessing potential conflicts and designing rules.

Processes must be thoroughly analyzed and some choices have to be made to detect and resolve potential conflicts. If any conflicts are left, some compensating control must be put in place to properly manage the associated risk.

Role engineering plays a significant role in supporting SoD rules within an identity management system, as it enforces access rights and detects conflicts as they happen. Finally, and most important, SoD requires a clear understanding of actors, roles and potential conflicts. As Kurt Lewin said, “There’s nothing more practical than a good theory.”26

Endnotes

1 Singleton, T.; “What Every IT Auditor Should Know About Proper Segregation of Incompatible IT Activities,” ISACA Journal, vol. 6, 2012
2 Ghosn, A.; “Segregation of Duties,” American Institute of Certified Public Accountants, 2014, https://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Auditing/InternalControl/Pages/value-strategy-through-segregation-of-duties.aspx
3 Ernst & Young, “A Risk-based Approach to Segregation of Duties,” Insights on Governance, Risk and Compliance, May 2010, www.ey.com/Publication/vwLUAssets/EY_Segregation_of_duties/$FILE/EY_Segregation_of_duties.pdf
4 ISACA, IT Control Objectives for Sarbanes-Oxley: Using COBIT 5 in the Design and Implementation of Internal Controls Over Financial Reporting, 3rd Edition, USA, 2014
5 Ibid.
6 Kobelsky, K.; “A Conceptual Model for Segregation of Duties: Integrating Theory and Practice for Manual and IT-supported Processes,” International Journal of Accounting Information Systems, 15(4), 2014a, p. 304-322
7 ISACA, COBIT 5: Enabling Processes, USA, 2012
8 Kobelsky, K.; “Enhancing IT Governance With a Simplified Approach to Segregation of Duties,” ISACA Journal, vol. 4, 2014
9 Hare, J.; “Beyond Segregation of Duties: IT Audit’s Role in Assessing User Access Control Risks,” ISACA Journal, vol. 5, 2009
10 Yale University, “Segregation of Duties,” 17 November 2008, www.yale.edu/auditing/balancing/segregation_duties.html
11 Office of Risk and Internal Controls Service, Control Awareness Bulletin—The Use of Compensating Controls, Dartmouth College, 17 February 2012, www.dartmouth.edu/~rmi/documentsunprotect/theuseofcompensatingcontrols.pdf
12 Op cit, Hare
13 Op cit, ISACA, 2014
14 Op cit, Kobelsky, 2014
15 ISACA, IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition, USA, 2006
16 Op cit, Hare
17 Ibid.
18 Op cit, ISACA, 2006
19 Op cit, Singleton
20 Op cit, Ernst & Young
21 Vanamali, S.; “Role Engineering: The Cornerstone of RBAC,” ISACA Journal, vol. 3, 2008
22 ANSI-INCITS, “ANSI/INCITS 359-2004,” Information Technology—Role-Based Access Control, American National Standards Institute (ANSI) and InterNational Committee for Information Technology Standards (INCITS), 2004
23 Ibid.
24 Colantonio, A.; Role Mining Techniques To Improve RBAC Administration, Rome, Italy, 2011
25 Kern, A.; M. Kuhlmann; A. Schaad; J. Moffett; Proceedings of the 7th ACM Symposium on Access Control Models and Technologies, SACMAT '02, p. 43-51, Monterey, California, USA, 2002
26 Kurt Lewin, 1890-1947, was a German-born American social psychologist known for his theory that human behavior is a function of an individual’s psychological environment. Encyclopaedia Britannica, www.britannica.com/biography/kurt-lewin

Stefano Ferroni, CISM, ISO 27001 LA, ITIL Expert
Is a senior consultant and trainer in the information and communications technology services and solutions business unit at Beta 80 Group (Italy). He concentrates on the telecommunications and finance industries. His areas of expertise include IT governance and compliance, information security, and service management. He has contributed to and guided many ISACA white papers. He can be reached at .


We face moral questions in four “spheres,” or roles: as a person, as an economic agent, as a company leader and beyond a firm’s boundaries.1 Although the world of work has existed for a long period of time, perhaps since the beginning of human existence, the idea of a business as a separate sphere was crystallized only as the work roles became more apparent and structured, as in the agricultural society, then in the industrial age and, more recently, in the knowledge economy. Moral dialogue on the role of a firm within and beyond its boundaries is more recent than dialogue on the role of a person in private life. As the economy keeps evolving, nuances, if not the character of ethical dilemma, take on new colors. The purpose of this column is to explore moral questions in the new, technology-dominant economy.

In dealing with the ethics of business firms, we are often guided by Freeman’s separation thesis,2 which says that people tend to treat an issue as a business decision distinctly separate from the same issue as a moral decision. Perhaps the comfort level of the decision maker is high when the two are dealt with separately. However, inasmuch as this makes the exercise less messy, the discreteness both simplifies and marginalizes the uncertainty and fuzziness of ethics.3 A natural order of treatment here should be a joint, concurrent, integrated debate on both the business and ethical issues.

Perhaps it was easier in the distant past to separate a business decision from its ethical side. But this is not feasible in most situations anymore. A decision has ethical consequences and, in turn, dealing with such ethical consequences could result in a reconsideration of the business decision. As if this is not complicated enough, the decision scenario becomes even more challenging as we bring the societal implications into consideration. If a hypothetical organization were an entity isolated from society, ethical considerations would probably have a well-defined boundary. However, the inevitable presence of the society in the background weighs in, often heavily, on the moral grounds. In the past, a business’s impact on society was probably not as vivid, but in recent decades, the recognition that the ethics of a business entity could widely impact the society is evident. Businesses should—and most of them probably do—project ethical consciousness to bring society into its consequential decisions. From environmental pollution to lead-contaminated potable water,4 an economic entity can no longer disregard the societal threads in its moral fabric.

Business, Society and Technology

In the distant past, technology was often visualized in the form of an artifact, an idea, a product or a process. The invention of the wheel or the printing press was likely driven in the absence of an explicit consideration of its moral consequences to society. There was the separation of technology from its potential use in the consideration of ethics. Even the economywide considerations of ethical consequences of an artifact were neutral or socially controlled. From this perspective, one tends to think of technology or its artifact as value neutral. For example, one might argue that a printing press is value neutral and its value in use depends on its user.

In reality, however, technological innovations influence society and often shape the behavior of humanity over time. Thus, “the assumption that artifacts [of technology] are separate and either outside the influence of humans or completely within the purview of human wishes misses the intersection of society and technology where the two are not separate.”5 In fact, technological innovations of recent decades have been heavily value laden for the society and, as a consequence, the intersection of society and technology has become a critical component of ethical analysis. The most graphic example of this is the scrimmage between privacy rights and the desire to bring people together on a given platform such as Facebook.

The interconnectedness of society and technology is often incubated in businesses, where research and development of technology—especially applied research—produces avenues for future cash flows.

The motivations for enterprises such as Facebook, Twitter and LinkedIn are sourced in specific business applications of technology, although the broader technology may have its birthplace somewhere else (e.g., Stanford University [California, USA] or the Massachusetts Institute of Technology [MIT], USA). One could presume that it is the business that should weigh in on the powers of the technology (it is “playing with”) on society as a whole as far into the future as possible. In this manner, the triad of business, society and technology is often driven by what a business or an industry does in the technology space.

Putting the corporate world in charge of assessing ethical dilemmas is not without risk. Ogburn’s cultural lag thesis helps explain the puzzle. According to Ogburn, material culture advances more rapidly than nonmaterial culture.6 Advances in technology belong to the material culture, while the technology’s ethical consequences reside in the nonmaterial culture. So the application of technology through products happens much faster in the material culture than the moral dialogue on the use of technology in the nonmaterial culture (figure 1). In an examination of whether technology has introduced new ethical problems, Marshall asserts, and I agree, that the cultural lag now appears to have greatly accelerated.7

Marshall puts forth three reasons why ethical systems lag behind technology development. The material world moves fast for these reasons:

  1. Concentration of equipment, resources and information on the single-minded research and development efficiency (for the sake of economic goals)
  2. The race to seek patents and get products to markets first
  3. The discovery and application of natural laws of the physical world, which can be engineered in controlled, experimental environments (devoid of moral questions)

And the development of ethical systems is slower because:

  1. The development of ethical guidelines does not take place in a controlled environment.
  2. There may not be any direct financial rewards for the introduction of a dominant ethical perspective.
  3. The social forces that an ethical system would seek to influence are not as controllable as physical aspects of the world.8

A balanced view would also suggest that corporate leaders cannot necessarily anticipate well in advance the societal influence and consequent moral questions related to the technology “genie” they let out of the bottle at a rapid pace. Compounding the issue is that the problems surrounding the use—or misuse—of technology lie in a lack of understanding of technology’s inherently social and moral dimensions.9

Rethinking the Moral Dilemma

Clearly, there are technology forces afoot that make technology more than just a sleeping partner on the ethics landscape. Here is how this is happening. While some innovations in information technology come from software and hardware, the most visible contributor these days is electronic communication. Ever since the launch of the Internet, much has changed because of the innumerable options to do things remotely. This includes innovations in the categories of offshore outsourcing, cloud computing, social networking, mobile devices, near-field communications, and the Internet of Things. Global connectivity and access from anywhere, anytime provide the high-octane energy to not just surpass brick-and-mortar businesses, but to perform even more impressively. Online banks with no physical branch presence; Uberization; gaming and animation; YouTube, WhatsApp and other friends-and-family networks; supply chains reshaped by drone delivery systems; and driverless cars—these are just a few examples of how business models are being turned upside down. The material world dominates the scene and imposes a sense of urgency.

Everything that is hung on the Internet—a loosely connected network of networks—brings the virtual presence of information resources, global access, massive scaling, real-time transaction capabilities, and huge amounts of structured and unstructured data. While the opportunities are massive, so are the ethical challenges.

Who Is in Charge?

So, the loaded questions are these: Who is in charge? Who will guard and guide the moral frontiers? Or, can we expect the moral issues to get sorted out organically over time? Looking at lawmakers and regulators for proactive solutions seems somewhat fruitless for two reasons. Like corporate leaders, they also do not know what will emerge around the corner. Additionally, law making—even translating current law to include technology in its fold—has been difficult and slow. The regulators are struggling to put their arms around drone use while the industry is chugging along with its experiments to get ready for tomorrow.

Another viable candidate would be the corporate leaders, to the extent they can anticipate and are willing to take on the nonmaterial culture relevant to their mission. But their firm’s economic goals may keep them from giving priority to expanding into the nonmaterial consequences of their actions beyond the threshold requirements of the current laws and regulations. And yet, there are hopeful signs; for example, it is reported that Facebook has adopted the practice of deleting those accounts suspected in a crime so that further damage to society may not occur. For research use, Yahoo has committed to the release of the largest-ever cache of data of some 20 million anonymous users so that we can learn how large numbers of people behave online.10 And Alphabet will expand how it applies Europe’s right-to-be-forgotten rule for search engines to comply with the stricter privacy requirements of the European Union (EU).11

The picture is even more complex when you consider the fact that, as illustrated by Sony’s case, the corporate existence can be closely connected to cyberwars among nations (North Korea and the US in Sony’s case). The ownership of a nonmaterial cultural issue thus becomes cloudy. Should the US government act on Sony’s hack, or should Sony autonomously respond to the compromise inflicted upon it by a foreign government? On worldwide societal issues of ethics, drawing the boundary around a firm, a community, a nation or even a continent fails to yield any meaningful control. The case of net neutrality illustrates this point well. Net neutrality refers to equal access rights to all users of the Internet, regardless of the user, the access mode or nature of use. The idea behind net neutrality is similar to the expectations of common carriers, such as the utilities that control infrastructures. The only, and yet the most impactful, difference is that net neutrality refers to the virtual world that lives on the Internet and affects almost all human beings and organizations around the globe.

In the past, the moral dialogue on the physical equivalent of net neutrality was vividly present in the regulation of utilities. Marshall referred to the overarching issue as control of essential facilities. He hinted that technological advances may “affect the meaning of dominance and the role of free market forces,” and questioned if there is a point at which dominance of a market becomes so much a part of our essential culture that it would shift the status of a pervasive resource to that of a public trust.12 It appears that only the government could control issues of net neutrality through regulation; however, there are too many governments around the globe to control a seamless global resource, and differences in their attitudes and behavior are problematic. The Facebook initiative to provide access to basic Internet resources (through its Free Basics app) to the disadvantaged has been rejected by the Indian courts, suggesting the initiative compromises net neutrality.13 So the jury is out on how we as a one-world community will deal with net neutrality issues. If this is any indication of what lies in the future, we are destined to face greater challenges and difficult, almost unsolvable, ethical puzzles.

Endnotes

1 Badaracco, J. L., Jr.; “Business Ethics: Four Spheres of Executive Responsibility,” California Management Review, Spring 1992, p. 64-79
2 Freeman, R. D. E.; “The Politics of Stakeholder Theory,” Business Ethics Quarterly, vol. 4, 1994, p. 409-422
3 Martin, K. E.; R. E. Freeman; “The Separation of Technology and Ethics in Business Ethics,” Journal of Business Ethics, vol. 53, 2004, p. 353-364
4 The city of Flint, Michigan, USA, is currently enmeshed in this dilemma, which borders on a major crisis.
5 Op cit, Martin and Freeman, p. 354
6 Ogburn, W. F.; Social Change with Regard to Cultural and Original Nature, B. W. Huebsch, Inc., USA, 1966
7 Marshall, K. P.; “Has Technology Introduced New Ethical Problems?,” Journal of Business Ethics, vol. 19, 1999, p. 81-90
8 Ibid, p. 84
9 Buchholz, R. A.; S. B. Rosenthal; “Technology and Business: Rethinking the Moral Dilemma,” Journal of Business Ethics, vol. 41, p. 45-50
10 Dwoskin, E.; “Yahoo Releases Largest-ever Cache of Internet Data,” The Wall Street Journal, 14 January 2016, www.wsj.com/articles/yahoo-releases-largest-ever-cache-of-internet-data-1452819412
11 Barr, A.; S. Schechner; “Google Bends to European Pressure on Right to be Forgotten Rule,” The Wall Street Journal, 11 February 2016, www.wsj.com/articles/google-bends-to-european-pressure-on-right-to-be-forgotten-rule-1455231966
12 Op cit, Marshall, p. 88
13 Soni, A.; “India Deals Blow to Facebook in People-powered ‘Net Neutrality’ Row,” The Guardian, 8 February 2016, www.theguardian.com/technology/2016/feb/08/india-facebook-free-basics-net-neutrality-row

Vasant Raval, DBA, CISA, ACMA
Is a professor of accountancy at Creighton University (Omaha, Nebraska, USA). The coauthor of two books on information systems and security, his areas of teaching and research interest include information security and corporate governance. Opinions expressed in this column are his own and not those of Creighton University. He can be reached at .