Case analysis question

Section B – TWO questions ONLY to be attempted

Shop Reviewers Online (SRO) was founded in 2010 by Amy Needham. She felt that many customers buying from online stores were misled by advertising and that too often, purchased products turned out to be unreliable, faulty or failed to meet the customers’ expectations. Amy believed that the online retail industry was increasingly acting unethically, caring only for profits at the expense of the needs and expectations of customers.

Consequently, she set up SRO to ‘provide an unbiased review of online stores to ensure the customer has all available information’. The company offers reviews of current online stores and provides direct links for customers to shop at the stores featured on its site. The reviews include price comparisons, provided by SRO, as well as general reviews provided by registered users of the site. The company has two main revenue streams. The first is advertising revenue from online stores who place advertisements on the SRO site. The second revenue stream is commission from sales by online stores to customers who have clicked on the sponsored links provided on the SRO website. This commission is only paid by stores who have entered into such a commission arrangement with SRO.

SRO relies upon its website being available online 24 hours a day, 7 days a week. For this reason it has backup servers running concurrently with the main servers on which data is processed and stored. The servers are directly linked so that any update to the main servers automatically occurs on the backup. The servers are all housed in the same computer centre in the company head office. The computer centre has enhanced its security by implementing a fingerprint recognition system for controlling access to the site. However, as the majority of staff at headquarters are IT personnel, and often temporary staff are hired to cover absentees, the fingerprint recognition system is not comprehensive and, to save time, is often bypassed. Similarly, to save time needed to set up new permanent staff with passwords to access the company’s systems, a general ‘administrator’ user has been created, with the password ‘password’. Many temporary staff access the system in this way.

SRO has an intelligent software application which constantly searches the internet for product price changes, uploading these into the reviews of the online store in question. Sometimes, however, there have been problems. Usually this is when the application has not recognised an outdated page and has replaced the correct latest price with an old price found on the outdated page. Furthermore, this intelligent software application needs permanent continual access to the internet, and SRO has identified a problem with its firewall which has prevented the software application from sometimes updating the internal systems. For this reason, it has removed the firewall protection to help ensure that the correct up-to-date prices of all online stores are shown on the website.

SRO rarely generates other elements of reviews (such as product experience), leaving this to registered users of the site. However, it will, occasionally, submit its own review to help boost a store which pays a higher commission rate than its competitors. SRO is always honest in its reviews, but the more reviews a store has, the higher up the search list it appears, when a customer searches for a specific product.

Registered users can submit as many reviews as they wish. Unregistered users may also submit reviews, which will be published under the name ‘anonymous’, but these reviewers will be unable to comment on the reviews of others. SRO checks reviews for appropriate content, but does not contact the store to verify the accuracy of the review.

SRO is about to undertake an audit of the adequacy of its general and application IT controls. In addition, SRO is currently undertaking an internal ethical governance audit, which has identified two main areas of concern:

(1) Commercial conflicts of interest

As mentioned earlier, SRO’s business objective is to ‘provide an unbiased review of online stores to ensure the customer has all available information’. However, the audit has revealed that both SRO’s revenue streams may cause an ethical dilemma with regards to this objective.

(2) Company offices

SRO has little need for traditional offices, as it does not have a direct customer-facing role. It mainly requires IT technicians to support its automated services. The company has carried out research which suggests that the IT skills it requires could be sourced at a much lower rate overseas. It is considering relocation to one such country. This country has low rates of corporation tax and cheaper labour costs. However, the country itself is poorly regulated and does not have legislation concerning the quality of information systems or the security of data contained within them, particularly relating to personal data. The culture of the country is such that accepting unauthorised payments for services is also not unusual. Whilst SRO does not condone this in its code of conduct, it is aware that such issues exist in the country under consideration.

Required:

Short-answer question

Evaluate the adequacy of the general and application controls in place within SRO, with respect to its information technology and information systems. Suggest any improvements you consider to be necessary.

【Model answer】

SRO has recognised the importance of the need for functioning systems at all times, and so has ensured that a backup is available. This is key, as any loss of functionality will affect its ability to operate, given that its entire operations are carried out online. However, there are some problems with its general controls, which could severely disrupt business.

General controls

These are controls which relate to the computer environment and, hence, could affect any or all applications in use. These may be policies with regards to the treatment of hardware or procurement, for example, or could be specific security procedures which are in place. SRO appears to recognise the need for general controls by having a separate computer centre, with secure access, a firewall and a password system to protect against unauthorised access. However, despite this recognition, there are a number of areas where the general controls are inadequate.

The computer centre is not secured despite the capability to do so. The reason given does not justify bypassing the security controls. Although the ‘majority of staff’ at headquarters are IT support personnel, there are still some staff who should not have access to the computer centre. Indeed, not all IT staff need access to the main servers. Temporary staff should not fulfil roles which are strategically important and so, by risking the entire operation through providing them with unrestricted access, SRO is not showing adequate control. Similarly, the use of a general user id and simple password means that they have access not just to the hardware, but to the entire system too. The user id and password would be simple to guess should anyone be attempting to hack into the system. SRO must immediately revert to the fingerprint access system, and must ensure that all staff are aware of the importance of preventing unauthorised access. The ‘administrator’ user should be removed immediately, and only those who genuinely need administrator rights should be granted them, in conjunction with their own unique user id. Temporary staff should be issued with unique user ids so that SRO can ascertain who has carried out any transactions on the system. In addition, users should be reminded of the necessity of changing passwords regularly and not writing them down anywhere. This could be enforced in training and by the provision of a procedures document.

The firewall has been turned off to allow the intelligent software to upload its findings onto SRO’s system. Unfortunately, turning off the firewall not only allows this to happen, it also opens the systems to the threat of hackers. The firewall should be reinstated immediately. If the firewall is blocking the application, that may itself indicate a security risk in the application. This should be thoroughly investigated and corrected.

SRO has taken precautions to have a backup system in place as a contingency against disasters. However, the backup should be in a remote location, rather than in the same location as the main servers. If there were a fire, for example, both the main servers and the backup servers would be affected. Similarly, by having a direct link between the servers, any data corruption or unauthorised access would affect both the servers and their backups. There should be a slight time delay in the connection to prevent this from happening, so that as soon as a problem is detected the link can be terminated, leaving the backup unaffected.

The controls mentioned above would affect all systems. There are some controls which affect only specific applications used by the organisation. These are known as application controls and help ensure that transactions are authorised, and are completely and accurately recorded, processed and reported.

Application controls

There are some issues with the application controls on the review system, which form a threat to the accuracy and reliability of the information provided on the system.

The intelligent software itself appears to provide out-of-date information and there is, currently, no way of assessing whether this is the case. A verification check may be necessary to ascertain the date of the initial posting of information and whether this is earlier or later than the date of information already held.

The reviews posted by users may, or may not, be a fair representation of the service offered. SRO does not verify that the information is correct, nor does it verify whether the users are who they claim to be. Indeed, the ability for users to post anonymously means that they could post whatever they like. There is a possibility that the users may be employed by the stores being reviewed, and giving positive reviews in order to benefit from them. Alternatively, they may be posting negative reviews about their competitors, again compromising the reliability and independence of the reviews. If this were happening, and were to be discovered, it could threaten the entire existence of SRO. It may be that a control needs to be included whereby reviewers can only submit a review if there has been an actual transaction with the store. Similarly, the stores should have the opportunity to respond to a review, made simpler if there is a transaction identifier available.
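The two application controls proposed above, the source-date check on crawled prices and the transaction-gated review submission, as an added example in Python. This is illustrative code written for this page, not SRO's software or anything from the original answer; the store names, products, prices, user ids and transaction ids are constructed, and the transaction feed is assumed to be available from the commission arrangement the stores already have with SRO.

```python
"""Added example (not SRO's code): two application controls for a review site.

1. Stale-data check for an automatic price crawler: a candidate price is only
   applied if the page it came from is dated later than the page that supplied
   the price currently held, so an outdated cached page cannot overwrite a
   newer price.
2. Transaction-gated review submission: a review is accepted only when it
   quotes a transaction identifier that exists, belongs to the store being
   reviewed and the submitting user, and has not already been used.

All store names, products, prices, user ids and transaction ids are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PriceRecord:
    store: str
    product: str
    price: float
    source_date: date  # publication date of the page the price was read from


class PriceStore:
    """Latest price per (store, product), guarded by a source-date check."""

    def __init__(self):
        self._records = {}
        self.rejected = []  # (candidate, reason) kept for later audit review

    def apply_update(self, candidate):
        key = (candidate.store, candidate.product)
        held = self._records.get(key)
        # Reject anything not strictly newer than what is held: an equal date
        # may be a re-crawl of the same page, which cannot improve on it.
        if held is not None and candidate.source_date <= held.source_date:
            reason = (f"source dated {candidate.source_date} is not newer "
                      f"than held record dated {held.source_date}")
            self.rejected.append((candidate, reason))
            return False
        self._records[key] = candidate
        return True

    def current_price(self, store, product):
        held = self._records.get((store, product))
        return None if held is None else held.price


class ReviewGate:
    """Accept a review only against a real, unused transaction with the store."""

    def __init__(self, transactions):
        # transactions: txn_id -> (store, user_id); assumed to come from the
        # commission feed the stores already send SRO (constructed here)
        self._transactions = dict(transactions)
        self._used = set()
        self.accepted = []

    def submit(self, txn_id, store, user_id, text):
        txn = self._transactions.get(txn_id)
        if txn is None:
            return (False, "unknown transaction")
        txn_store, txn_user = txn
        if txn_store != store:
            return (False, "transaction is with a different store")
        if txn_user != user_id:
            return (False, "transaction belongs to another user")
        if txn_id in self._used:
            return (False, "transaction already reviewed")
        self._used.add(txn_id)
        self.accepted.append((txn_id, store, user_id, text))
        return (True, "accepted")


def run_demo():
    """Constructed sample data exercising both controls; returns the outcomes."""
    prices = PriceStore()
    r1 = prices.apply_update(PriceRecord("ShopA", "kettle", 24.99, date(2013, 3, 1)))
    # An old cached page found later carries an earlier date and must not win.
    r2 = prices.apply_update(PriceRecord("ShopA", "kettle", 29.99, date(2012, 11, 5)))
    r3 = prices.apply_update(PriceRecord("ShopA", "kettle", 22.50, date(2013, 4, 2)))

    gate = ReviewGate({"T1001": ("ShopA", "u42"), "T1002": ("ShopB", "u42")})
    g1 = gate.submit("T1001", "ShopA", "u42", "Arrived on time, works well.")
    g2 = gate.submit("T1001", "ShopA", "u42", "Second review on the same order.")
    g3 = gate.submit("T1002", "ShopA", "u42", "Review aimed at the wrong store.")
    g4 = gate.submit("T9999", "ShopA", "u7", "No purchase at all.")

    return {
        "price_updates": (r1, r2, r3),
        "kettle_price": prices.current_price("ShopA", "kettle"),
        "rejected_prices": len(prices.rejected),
        "reviews": (g1[0], g2[0], g3[0], g4[0]),
        "accepted_reviews": len(gate.accepted),
    }


if __name__ == "__main__":
    print(run_demo())
```

The rejected list in `PriceStore` is what an auditor would want to sample: every update the date check refused, with the reason, so the crawler's handling of outdated pages can be reviewed rather than silently discarded. Treating an equal source date as stale is a deliberate conservative choice; a site that wants same-day corrections would need a finer-grained timestamp than a date.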

Overall, it appears that, despite having many of the tools in place, SRO is not using them adequately. Procedures should be clearly defined and adhered to in order to protect from such risks.

【Answer explanation】
Short-answer question

Assess the corporate governance and ethical dilemmas identified by SRO in its possible relocation to the foreign country and discuss the implications of these on organisational mission, purpose and strategy.

【Model answer】

There are two areas of concern identified by SRO:

Commercial conflicts of interest

SRO’s business objective is to ‘provide an unbiased review of online stores to ensure the customer has all available information’. So, to meet this objective they should focus on both the terms ‘unbiased’ and ‘all available information’. The fact that SRO provides some reviews itself, which, although honest, seek to show certain stores in a positive light, goes against this objective.

The dilemma for SRO is that the online stores themselves provide both of SRO’s revenue streams. It is in SRO’s interest that the reviews are accurate, otherwise it will lose the users who rely on SRO for an honest and truthful review. Should those users turn to another comparison site, or shop around themselves, SRO will no longer gain commission or advertising revenue. However, if the reviews are negative, it is also unlikely that the store in question will advertise in future on SRO’s site, and commission sales will also fall, as users of SRO’s site will not follow links to a store with negative reviews.

SRO either needs to change its business objective to remove the terms ‘unbiased’ and ‘all available information’, or it needs to consider how to meet that objective whilst maintaining its revenue streams. Ideally, the provision of honest reviews should encourage the stores to provide a good service at all times, and then this would no longer be an issue.

Relocating company operations

SRO is considering moving its operations to an overseas country with tax and cost benefits. Whilst this may seem to be an attractive option from a financial perspective, there are other elements which should be considered.

The dilemma is that the benefits obtained financially may be counteracted by operational problems. The country it is considering relocating to is poorly regulated and does not have legislative controls with regards to the quality of information systems or the security of data contained within them, even for personal data. This could lead to the risk of loss of personal data of the registered users, which could cause great reputational damage, should it occur. SRO has already recognised some control issues with its systems and it is likely that these would be worsened in a poorly regulated country.

It is mentioned that the country’s culture is such that accepting unauthorised payments is considered acceptable, even if it is not publicly acknowledged. SRO would have the dilemma of whether to behave within the culture of the country, even though such business behaviour may be seen as illegal or considered unethical in its home nation, or whether to take a stance against it, and thus put itself at a competitive disadvantage. The latter would be in line with its current code of conduct, but it may be difficult to convince locally sourced staff of this.

Given that Amy created the company quite recently, in 2010, with the aim of overcoming the unethical behaviour she perceived to exist in the online retail industry, it would appear that both of the dilemmas considered above would risk the entire paradigm of the company, its reason for existence.

【Answer explanation】