Highlighted Cases Flashcards
(1) Do you accept the explanation for the emission scandal at VW, based on normalization of deviance? Why or why not?
Yes: I accept this explanation because the culture at VW, as described, promoted aggressive, result-oriented behavior while discouraging dissent or failure. This kind of environment can indeed lead to normalization of deviance, where employees may feel compelled to bend or break rules to meet unrealistic targets without fear of immediate repercussion because such behavior has gradually become accepted or overlooked. This explanation aligns with the testimonies of many employees and industry experts about VW’s high-pressure, top-down management style.
No: I do not accept this explanation entirely because while normalization of deviance may explain why the engineers felt pressured to cheat, it does not absolve the responsibility of the senior management. Leaders set the tone and culture of an organization, and a decade-long deception of this magnitude would be difficult to sustain without some level of tacit approval or willful ignorance from higher management. The systemic nature of the cheating suggests a broader issue than just a few deviant engineers.
(1) Identify three specific actions that the new CEO and key board member must take to begin to change the corporate culture at VW.
- Implement Transparent Ethical Standards: The new leadership should introduce and enforce a clear and transparent code of ethics that promotes integrity, accountability, and ethical behavior across all levels of the organization. Regular ethics training and a whistle-blower protection program should be established to encourage employees to report unethical behavior without fear of retaliation.
- Foster Open Communication: Encourage a culture of open communication where employees at all levels feel safe to voice their concerns, challenges, and failures. This can be achieved through regular town hall meetings, anonymous feedback channels, and ensuring that management is approachable and receptive to feedback.
- Promote Diverse Leadership: To avoid the perpetuation of a narrow-minded and aggressive culture, the new leadership should promote diversity in hiring and leadership positions. This includes bringing in leaders and managers with diverse backgrounds, experiences, and perspectives who value collaboration, inclusivity, and ethical decision-making.
(1) Do you believe that Bosch should also be sanctioned and/or fined for their role in aiding VW in this deception? Why or why not?
Yes: Bosch should be sanctioned and/or fined if it is proven that they knowingly supplied VW with the engine control units designed to cheat emissions tests. Suppliers have a responsibility to ensure their products are used ethically and legally. If Bosch was aware of VW’s intentions and still provided the components, they are complicit in the fraud and should be held accountable to prevent future misconduct.
No: Bosch claims that it is not responsible for how its components are integrated into vehicles by customers. If Bosch provided standard engine control units without specific knowledge or involvement in VW’s cheating scheme, then it would be unjust to sanction or fine them. The responsibility would lie solely with VW for misusing the components. However, thorough investigations are necessary to determine Bosch’s level of involvement and knowledge before any actions are taken.
(1) Discuss Bosch’s involvement with knowledge of misuse, and the warning to VW.
If Bosch knew about VW’s illegal use of their software and failed to take adequate measures to prevent it, this indicates a level of complicity.
Bosch did warn VW against using the software illegally. However, whether Bosch took any steps beyond issuing a warning remains crucial to determining their liability.
(1) Should investigation of the scandal at Toshiba continue until all involved parties are outed and punished? What are the pros and cons of such an action?
Pros:
Accountability: Continuing the investigation ensures that all individuals involved in the scandal, regardless of their level in the company, are held accountable for their actions. This could help deter future misconduct.
Restoration of Trust: Thoroughly addressing all involved parties can help restore investor and public trust in Toshiba and other Japanese corporations by demonstrating a commitment to transparency and ethical behavior.
Corporate Culture Change: Identifying and punishing all responsible parties can drive a significant change in corporate culture, emphasizing ethical behavior and compliance with laws and regulations.
Cons:
Resource Intensive: Prolonged investigations can be resource-intensive, both in terms of time and money. This can divert attention and resources away from the company’s recovery and future growth.
Impact on Morale: Continuous investigation and punishment could negatively impact employee morale and productivity, particularly if employees feel they are working in an environment of constant scrutiny.
Reputation Damage: Extended media coverage of the scandal and ongoing investigations can continue to damage the company’s reputation, potentially causing long-term harm to its brand and market value.
(1) Do you think that the practice of appointing outside panels to perform investigations should continue, or can you develop a better solution to enforce corporate compliance with laws and generally accepted accounting principles?
Continue with Reforms:
The practice of appointing outside panels can continue but with significant reforms to address current shortcomings:
Independent Oversight: Ensure that panels are truly independent and not subject to the influence of the company’s board of directors. This could involve appointing panel members from a pool of experts vetted by an independent regulatory body.
Expanded Scope: Allow panels to define their scope of investigation without interference from the company’s board, ensuring that no area is off-limits.
Fiduciary Duty: Impose a fiduciary duty on panel members to shareholders, similar to the duty of company directors, to ensure they act in the best interests of the company and its investors.
Legal Authority: Provide panels with the legal authority to compel the production of documents and testimony from company employees.
Alternative Solutions:
Strengthening Internal Audit Functions: Enhance the role and independence of internal audit departments to identify and address issues before they escalate.
Regulatory Oversight: Increase the role of regulatory bodies in overseeing corporate compliance, including regular audits and inspections.
Whistleblower Protections: Strengthen protections and incentives for whistleblowers to encourage reporting of misconduct without fear of retaliation.
Mandatory External Audits: Require regular external audits by reputable third-party firms with no prior affiliations with the company to ensure unbiased assessments.
(1) What measures do you think should be considered at the national level to improve transparency and gain the trust of foreign investors in Japan?
Enhancing Corporate Governance:
Board Independence: Mandate a higher proportion of independent directors on corporate boards to ensure unbiased oversight and decision-making.
Diverse Representation: Encourage diversity in board composition, including gender, international experience, and industry expertise, to bring a broader range of perspectives.
Regular Training: Implement mandatory corporate governance and ethics training for all board members and senior executives.
Improving Regulatory Framework:
Stricter Compliance Laws: Enforce stricter compliance laws and regulations with significant penalties for violations to deter unethical behavior.
Regular Reporting: Require more frequent and detailed financial reporting and disclosures to enhance transparency and allow investors to make informed decisions.
Enhanced Oversight: Strengthen the role of regulatory bodies such as the Financial Services Agency (FSA) in monitoring corporate practices and enforcing compliance.
Encouraging Ethical Business Practices:
Whistleblower Protections: Implement robust protections for whistleblowers, including anonymous reporting channels and legal safeguards against retaliation.
Corporate Social Responsibility (CSR): Promote CSR initiatives that emphasize ethical business practices, environmental sustainability, and social responsibility as core components of corporate strategy.
Public Accountability: Establish public forums and channels for investors and stakeholders to hold companies accountable, including regular town hall meetings and investor relations sessions.
International Standards:
Adoption of Global Best Practices: Encourage Japanese companies to adopt global best practices in corporate governance and transparency, such as those outlined by the International Corporate Governance Network (ICGN) and the OECD Principles of Corporate Governance.
International Collaboration: Foster collaboration between Japanese regulatory bodies and international organizations to share knowledge and implement best practices for corporate governance and transparency.
(2) With 20-20 hindsight, what could each side have done differently to improve the outcome of this major project?
Bridgestone:
Ensure Consistent Leadership: Maintaining stable leadership, particularly in the CIO position, could have provided consistent direction and oversight for the project.
Adequate Project Staffing: Bridgestone should have staffed the project with employees who had a thorough understanding of its legacy systems and business processes to facilitate better communication and decision-making.
Staged Implementation: Insisting on a high-risk flash cutover was not advisable. Bridgestone should have considered a phased implementation to mitigate risks and address issues incrementally.
Thorough Testing: Conducting extensive testing prior to the system going live could have identified and resolved many of the issues that arose post-launch.
Clear Communication: Improved communication with IBM regarding expectations, requirements, and concerns could have led to better alignment and problem-solving.
IBM:
Realistic Scheduling and Budgeting: Providing a more realistic project timeline and budget could have set more achievable expectations and reduced pressure on both sides.
Qualified Personnel: Assigning personnel with the necessary skills and experience to the project could have improved the quality of the implementation.
Risk Management: Adhering to its recommendations against a high-risk flash cutover and ensuring all known bugs were resolved before the system went live could have prevented many issues.
Transparent Communication: Being transparent about the project status and potential issues throughout the process could have built trust and facilitated better decision-making.
(2) Which company’s reputation was harmed more by the publicity surrounding this project? What might have been done to better protect this company’s reputation?
Bridgestone:
Reputation Impact: As the client, Bridgestone’s reputation was likely harmed more due to the public perception of mismanagement and failure to implement a critical system that directly affected its operations and customer service.
Protecting Reputation: Bridgestone could have protected its reputation by ensuring better project management, maintaining consistent leadership, and avoiding public disputes. Additionally, they could have proactively communicated their efforts to resolve the issues and their commitment to customer satisfaction.
IBM:
Reputation Impact: IBM, as the service provider, also faced reputational damage due to allegations of incompetence, fraud, and failure to deliver on contractual obligations.
Protecting Reputation: IBM could have protected its reputation by adhering to best practices in project management, ensuring qualified personnel were assigned to the project, and being transparent about project challenges and their efforts to address them. They could have also worked more collaboratively with Bridgestone to resolve issues before they escalated into a public legal battle.
(2) At the time of this writing, the case has not been decided. Do research online to find out how things turned out.
Outcome: As of the latest available information, Bridgestone and IBM reached a confidential settlement agreement in December 2015. The terms of the settlement were not publicly disclosed, but the settlement allowed both companies to avoid a prolonged and costly legal battle.
Implications: The settlement indicates that both parties likely recognized the mutual benefit of resolving the dispute outside of court to avoid further reputational damage and financial costs. It also suggests that they may have found common ground or a compromise to address the issues raised in the lawsuit.
(2) Do you think that the penalty for violation of the internal control provision and the books and records provision of the FCPA is stiff enough to motivate companies to implement systems capable of detecting bribes? Is it possible that some organizations tolerate lax internal control so managers have as much freedom as possible in running their business? What changes, if any, would you suggest to the FCPA?
Penalty Effectiveness:
The penalty of $3.9 million, while significant, may not be enough to deter large companies like SAP with billions in revenue from tolerating lax internal controls. The potential profits from such schemes can far outweigh the penalties imposed.
To increase deterrence, penalties could be proportional to the company’s annual revenue, ensuring that they are substantial enough to motivate compliance regardless of company size.
Tolerance of Lax Controls:
Some organizations may indeed tolerate lax internal controls to give managers more freedom, particularly if they prioritize short-term gains over long-term compliance and ethical behavior.
This tolerance can create a culture where unethical practices are overlooked, leading to significant risks and legal issues.
Suggested Changes to FCPA:
Increase Penalties: Implement penalties that are proportional to the company’s revenue or profits to ensure they are substantial enough to act as a deterrent.
Mandatory Audits: Require regular, independent audits of internal controls and financial records to ensure compliance with FCPA.
Whistleblower Incentives: Strengthen protections and incentives for whistleblowers to report unethical practices without fear of retaliation.
Executive Accountability: Hold senior executives personally accountable for lapses in internal controls and compliance, potentially including fines and prison sentences for willful negligence.
(2) When an organization implements a major accounting software package, it also inherits the system of internal control that is built into the software—good, bad, or indifferent. What can be done if it is discovered, months after the software has been purchased and installed, that the software is lacking in good internal control?
Conduct a Thorough Audit:
Perform a comprehensive audit of the software’s internal controls to identify specific weaknesses and vulnerabilities.
Engage external auditors or consultants with expertise in internal controls and compliance to provide an unbiased assessment.
Implement Manual Controls:
Until the software’s internal controls can be improved, implement additional manual controls to mitigate risks. This could include additional reviews, approvals, and reconciliations.
Enhance Software Controls:
Work with the software vendor or a third-party developer to customize and enhance the internal control features of the software. This could include adding validation checks, segregation of duties, and approval workflows.
Training and Awareness:
Train employees on the importance of internal controls and the specific manual controls being implemented. Raise awareness about the risks of weak controls and the role of each employee in mitigating these risks.
Regular Monitoring and Updates:
Establish a process for regular monitoring and updating of internal controls to ensure they remain effective as the organization and its environment evolve.
(2) IT workers have a key role in designing and implementing the internal controls associated with systems that automate the processing of business transactions, such as the payment of suppliers, employees, and business partners and the receipt of payments from customers. What can IT workers do to prepare themselves for this responsibility? Who should the IT workers collaborate with when evaluating or designing the automated internal controls of a computer-based information system?
Preparation for IT Workers:
Education and Training:
Obtain certifications such as Certified Information Systems Auditor (CISA) or Certified Internal Auditor (CIA) to gain expertise in internal controls and auditing.
Attend training sessions and workshops on internal controls, compliance, and risk management.
Stay Informed:
Keep up-to-date with the latest developments in internal controls, cybersecurity, and regulatory compliance through continuous learning and professional development.
Practical Experience:
Gain hands-on experience by working on projects that involve the design and implementation of internal controls in various business systems.
Collaboration:
Internal Audit and Compliance Teams:
Collaborate closely with internal audit and compliance teams to understand the specific control requirements and ensure they are adequately addressed in the system.
Finance and Accounting Departments:
Work with finance and accounting departments to understand the financial processes and risks, ensuring that the controls align with the organization’s financial policies and procedures.
External Auditors:
Engage with external auditors to gain insights into best practices and to ensure that the controls meet industry standards and regulatory requirements.
Business Process Owners:
Collaborate with business process owners to understand the day-to-day operations and identify areas where controls are most needed.
Legal and Regulatory Teams:
Work with legal and regulatory teams to ensure that the controls comply with all applicable laws and regulations.
(3) What advantages does the use of an MSSP offer a small retailer such as Fairplay? Can you think of any potential drawbacks of this approach? Is there a danger in placing too much trust in an MSSP? Explain.
Advantages:
Expertise: MSSPs provide access to certified security experts with specialized knowledge and experience that a small retailer like Fairplay might not be able to afford or attract.
Cost-Effective: Outsourcing to an MSSP can be more cost-effective than maintaining an in-house IT security team, as it avoids the costs associated with hiring, training, and retaining skilled IT professionals.
Advanced Technology: MSSPs offer advanced, cloud-based security technologies and services, such as next-generation firewalls and ongoing security monitoring, that enhance the overall security posture of the retailer.
Compliance: MSSPs can help ensure compliance with industry standards such as PCI DSS by conducting gap analyses and providing recommendations for achieving compliance.
Scalability: MSSPs can scale their services according to the retailer’s needs, accommodating growth and changes in the business environment.
Drawbacks:
Dependency: Relying heavily on an MSSP can lead to dependency, where the retailer may lack internal expertise and capabilities to manage security independently.
Security Risks: If the MSSP itself is compromised, it can pose significant security risks to the retailer, as the MSSP has access to sensitive information and critical systems.
Lack of Control: The retailer may have less control over its security policies and practices, which could lead to misalignment with its specific needs and priorities.
Communication Issues: There may be communication challenges between the retailer and the MSSP, leading to potential misunderstandings and delays in addressing security incidents.
Trust Considerations:
While MSSPs offer valuable services, placing too much trust in them can be dangerous. Retailers should maintain a level of oversight and regularly audit the MSSP’s performance and security practices. Establishing clear contracts, service level agreements (SLAs), and regular communication can help mitigate the risks of over-reliance on an MSSP.
(3) Data breaches at major retailers, such as Neiman Marcus, Target, and others, in recent years have shown that compliance with the PCI DSS is no guarantee against an intrusion. If you were a member of Fairplay’s management team, what additional actions would you take to protect your customers’ credit card data?
Beyond Compliance: While PCI DSS compliance is important, Fairplay should go beyond compliance to implement a robust security strategy.
Encryption: Ensure that all credit card data is encrypted both in transit and at rest to protect it from unauthorized access.
Tokenization: Use tokenization to replace sensitive credit card information with unique identification symbols that retain essential information without compromising security.
Continuous Monitoring: Implement continuous monitoring and real-time threat detection to identify and respond to security incidents promptly.
Employee Training: Conduct regular security awareness training for all employees to ensure they understand security policies, recognize potential threats, and follow best practices.
Regular Audits: Perform regular security audits and vulnerability assessments to identify and address potential weaknesses in the systems and processes.
Multi-Factor Authentication (MFA): Implement MFA for accessing critical systems and data to add an extra layer of security.
Incident Response Plan: Develop and maintain a comprehensive incident response plan to quickly and effectively respond to data breaches and security incidents.
Vendor Management: Ensure that all third-party vendors and partners follow stringent security practices and conduct regular audits of their compliance.