Wednesday, 17 April 2013

Contractual arrangements...

As of 1 January 2011, the Trade Practices Amendment (Australian Consumer Law) Act (No.1) 2010 introduced new laws dealing largely with unfair terms in consumer contracts. This amendment provides additional protection to consumers by giving courts the power to find that a term is unfair and therefore void.

In February 2009 the social networking website Facebook made changes to its terms of use which went unnoticed until one user complained about them on a blog. The change in terms gave Facebook perpetual and irrevocable ownership of user information. It is difficult for me to comprehend how websites have gotten away with this for so long; this case is especially shocking as the website could have made economic gains from the sale or use of users' private content in advertising.

But just how much notice should websites be required to give their users? In the case of Joe Douglas vs. United States District Court it was held that simply posting a revised contract on a website suffices. Whilst it may not be practical to require a website operator with often thousands of users to personally alert each user to these changes, it is important to consider the rights of both parties. The practicality issues faced by website operators can be balanced against the needs of users through requirements such as a public notice on the website's home page, or perhaps a generic automated email sent to all users.

Download that...

MegaUpload, a company incorporated in Hong Kong with operations all over the world, allowed the public to share illegal copies of films, music and other content. US authorities have made a number of overseas arrests based on accusations of facilitating and profiting from copyright infringement under Californian/US law.

The digital age allows businesses to trade globally at a rapid rate, which generates a number of issues when applying traditional laws. Traditionally, jurisdiction laws have extended to activities that take place within a country; they have not encompassed illegal activities on foreign soil. The MegaUpload case has seen the United States moving to redefine the boundaries of state jurisdiction, where US laws apply simply because a transaction occurs on a server based in the United States.

The outcomes of this case can only cause confusion and stress for businesses using these facilities. The possible precedents set in the MegaUpload case are terrifying for major businesses and could have far-reaching consequences for international users of US-based cloud computing services. Businesses could stand to lose large amounts of company data, in turn causing significant economic loss.

Current laws need to catch up with the times in order to properly protect the data stored in these facilities. A new approach needs to be introduced which balances public demand against the interests of the owners of works. Mechanisms should be put in place to monitor what users are sharing. If this means a small flow-on cost to users, it is a small price to pay.

Risky business...

In the case of Boutique Technology the following aspects, with relevance to COBIT 4.1, resulted in fraudulent behavior:
1. Poor governance over processes:
    • Alan's (the CEO's) complete disregard for policy and procedure, which may filter down to staff and affect morale
    • No formal procedures for recruitment: no contracts stating pay rates, start and end dates etc.
    • Only three staff looking after the accounting, finance and human resource functions, so no segregation of duties
2. Lack of IT architecture and controls:
    • No direct supervisor for the software development team, which leaves the team largely to their own devices
    • The company uses software created by its own employees and trialed internally, so employees could manipulate the programs
3. Lack of monitoring and evaluation: no mention of monitoring of staff or processes or of internal audit, and a definite lack of supervisory positions.

This case reflects some issues relating to fraud present in a workplace I was involved in. Lack of governance, specifically policy and procedure relating to payroll, meant there was no approvals process, resulting in a lack of segregation of duties. Employees therefore had unlimited access to the system, and a number of 'ghost' employees were created, resulting in money being siphoned from the organization.

In smaller organizations there are limits on what processes can be utilized to overcome fraud. It is not necessarily practical for organizations of this size to have IT architecture boards or internal audit committees. I would recommend the following practical solutions to the CEO of Boutique Technology:
  • Governance:
    • Development of a clear business strategy
    • Formal recruitment procedures and approval processes for the accounting, finance and human resources functions
  • IT:
    • Align IT objectives with business strategy through the introduction of an IT governance framework
  • Monitoring/Evaluation:
    • Hire qualified IT executives and provide direct supervision for the software development team
    • Establish monitoring processes and an internal audit team to assess risk

No business too small....

WhizBiz Pty Ltd is a small online trading company which currently lacks an IT governance framework. The Director believes that, based on the size of the company, COBIT 4.1 is irrelevant to the organization.

COBIT 4.1 and other similar frameworks are, however, essential in an organization, as they help to bridge the gaps between business risks, technical issues, control needs and performance measurement requirements through the implementation of a solid IT structure. IT governance assists an organization through the domains of Planning & Organization, Acquisition & Implementation, Delivery & Support, and Monitoring.

It confuses me how a company that trades online and handles considerable amounts of IT data can consider the need for a CIO irrelevant to its business. Employing qualified staff is essential in achieving strategic objectives, especially where complex systems are involved. Given the nature of the organization and its reliance on IT facilities, it is essential that the organization has a CIO to oversee the IT function.

COBIT 4.1 is meant simply as a starting point for organizations and may be adapted to suit different business models. Whilst such frameworks can be costly to put in place, the benefits generally exceed the costs. It is essential that organizations put in place proper IT governance frameworks to support their businesses and provide security for their intellectual property. Without such guidelines businesses risk the occurrence of fraudulent activities and the potential loss of valuable business information.

WhizBiz should engage the services of consultants to put in place suitable IT guidelines based on COBIT 4.1 or a similar framework. WhizBiz also needs to employ suitable professionals whose expertise would help to support the proper functioning of the new IT guidelines.

The secrets behind an effective Corporate Plan..

To have an effective Corporate Plan, an organization relies on three key elements to assist in achieving its strategic objectives: the people, the IT system and finance.
  • People: It is integral that the people involved in an organization are educated in and support the Corporate Plan and the policies and procedures that underpin it.
  • IT System: The implementation of IT objectives that are aligned with business strategy and facilitated by the necessary controls is integral to the security of information.
  • Finance: It is important that organizations have the financing to put in place proper governance and controls and to employ qualified workers to support the organization in achieving its strategic objectives.
One example of where all three of these key elements were not working effectively is the Queensland Health debacle. The IT systems failed first with the payroll system, which caused a general feeling of disillusionment amongst employees. Then, taking advantage of the already poor morale and the lack of IT controls, the 'Tahitian Prince' siphoned millions from the organization.

The overall cause of these events, however, was the organization's lack of IT governance, such as the COBIT framework. The implementation of such a framework is integral to the success of an organization. Whilst COBIT may not be practical for every business, it is a starting point for organizations.