Update on the PhD

Hmmm.  Well today was meant to be a really productive day in which I dealt with all the outstanding issues, wrote papers, read papers and set up my PC.

PC got in the way through a case of destruction of MX records, and so I got half an article read (Tversky & Kahneman 1974).  I also have to update the interview protocol for the ARC project.  There is a bit of fun going on at the moment in the context of exactly trying to define what an ‘IS audit’ is.  Grrr.

Still I am adamant that I will get somewhere with this – look out for a short paper on cognitive psychology and its relationship with user expertise.  Now I really should go and do some proper work.  It is my intention to use this blog a bit more to pick up this material around technology dominance and so on.  Let’s see how that goes.

ITGI Roundtable Conference article now available

I see that ITGI has posted the transcript of the roundtable we did back in September 2008 or so.  It covers off some of the leading lights in IT Governance in Brisbane – and then I’m there as well:

  • Tony Hayes, FCPA, Queensland Government, Australia
  • Micheal Axelsen, FCPA, Director, Applied Insight Pty Ltd., Australia (that would be me)
  • Ashley Goldsworthy, AO, OBE, FTSE, FCIE, FCPA, Professor, Australia
  • Duncan Martin, CISA, ACA, CIA, CPA, Chief Financial Officer, The Rock Building Society Ltd., Australia
  • Glen McMurtrie, CISA, CBM, CFE, Principal Internal Auditor, Department of Communities, Australia
  • Simon Middap, Group Manager, ICT and Projects, ENERGEX Ltd., Australia
  • John Thorp, CMC, I.S.P., The Thorp Network Inc., Canada

It reads fairly well – I do remember it as an interesting conversation. 

The transcript is available as a PDF on www.itgi.org.


Satyam: A warning to IT outsourcers everywhere

Well holidays are nearly over.  The beard lasted two weeks or so before I decided to go back to my good old cleanshaven self.  At least I know now that I’m about two weeks from a dreadful beard and three weeks from a really bad one.

First topic that catches my eye at the moment is the Satyam issue.  I nearly choked on my weet bix the other day reading about the absolute gall of the Satyam conglomerate in basically making up 90% of their cash reserves.  I think it may be a lesson for people that outsourcing to another country may seem good on paper (that is, cheaper), but when its entire governance regime is completely different there are going to be some hurdles that just can’t be met.

It will be interesting to see if this becomes a house of cards and all the other IT outsourcers out there are doing pretty much the same thing.  I noticed incidentally that the auditors, PWC, are suddenly distancing themselves from their Indian affiliate.  It will highlight the role of the auditors, once again, as watchdogs not bloodhounds, and further that it is virtually impossible for an auditor to find out something if a Director is looking to hide facts and lie.

Still I’ll not be surprised to discover that there is a major case to answer at PWC for an audit that clearly missed something. And of course Ernst & Young gave this bald-faced liar an award as entrepreneur of the year not all that long ago.  I have a theory that it is incompatible to have an audit and assurance role and to hold that role at the whim of the very people who can cause such an audit to be based upon a pack of lies – it isn’t going to be helpful to hide behind standards and process reviews when a bad outcome like this happens.

And still, I wouldn’t be an audit partner under the current regime for quids.

As for people who are IT outsourcing as well as offshoring, I’m sure they’ve got a bit of a tight knot where their stomach used to be hoping that their IT outsourcer is not doing the same thing (or, if they are with Satyam, how the hell they’re going to extract themselves from the mess).

Image from Flickr User jill – glossy veneer.  Some Rights Reserved.


Can employers tell us what we can do in our private, online social networking, lives?

If your employer tells you to ‘stop doing that, you’ll go blind’ online, do you have to stop doing it? 

Short answer:  yes, with a but. 

As I specialise in long answers though – see below.  Caveat – I’m not a lawyer.  This probably misses a ton of stuff cos I’ve shortened it from the original, much longer, draft.  This is just for discussion, comment, and thought provocation at the moment.  It also has far too many Battlestar Galactica references. 

At law it is generally well recognised that employees have several duties of care that they owe to their employer. There are three core duties of an employee to their employer that have a clear link to an employee’s online social networking activities:

  • to work with care and diligence,
  • to obey all lawful and reasonable orders, and
  • to act with good faith and fidelity.

There are essentially two types of employee: a standard employee (on a time-service contract) and a professional or staff employee (on a task-performance contract). Professional and staff employees, and especially those employees with client-facing roles, are generally held to a higher standard, particularly where their actions may tarnish the employer’s image.

The employee has a positive duty to be efficient, and to avoid negligence in carrying out the work. In the context of online social networking, an employee might breach this duty where their use of such tools affected their efficiency (for example, through cyberslacking) or where they used a social networking tool in an inappropriate way (for example, to store client material or to carry on client conversations).

An employee must also obey the ‘lawful and reasonable’ orders of their employer, taking all reasonable steps to carry out the tasks promised under the contract of employment. Criminal acts outside of the workplace may prevent the employee from carrying out their duties, and thus breach this duty. So if you joined an illegal OSN, or advocated criminal behaviour in an OSN (use your imagination but it probably involves terrorism, nazis, or pavlova) it might be difficult to keep doing your fracking job (sorry – Battlestar Galactica reference).

It is likely though that the activity would need to be very much at odds with the employee’s role for summary dismissal or discipline to be justified.

Employees do have a duty to act with good faith and fidelity (see especially Blyth Chemicals Ltd v Bushnell 1933). Employees must not act in a manner that is in conflict with the interests of their employer.

As part of this duty of good faith and fidelity, the employee must not disclose information where disclosure of such private information (for example, profits and losses, customers, methods and techniques, etc) might help a competitor. It is likely, for instance, that posting a blog topic about business strategy, or the file notes from an internal meeting, would breach the duty. The duty operates to limit the employee’s ability to comment upon the business of the employer.

I was flabbergasted to find though that in the Cockatoo Docks Case (1946) it was found that an employer was justified in summarily dismissing an employee who wrote an article in a Labor Party newspaper that was critical of his employer. Try that one on today! Although it is not likely that this decision would be followed today, there are clear parallels to be drawn with online social networking activities.

The biggest issue for bloggers and Facebookers everywhere? Tarnishing corporate image.

For this duty to be breached there generally needs to be a relevant link with the employer such as a uniform. In Rose v Telstra Corporation 1998 it was acknowledged that employers ‘do not have an unfettered right to sit in judgment on the out of work behaviour of their employees. An employee is entitled to a private life.’

In the context of online social networking, presumably this connection would exist where the employee discloses the name of their current employer, or where the individual is in a senior client-facing role so as to be likely to be identified from their profile by a customer or prospective customer.

Some employers use things such as AWAs to allow, for example, a mining company employer to stop an employee joining a group that is protesting the mining company’s actions.

As a general principle, employers seeking to rely upon this power of control must set out their expectations very clearly, and ensure that the employee has consented to such contractual terms and that the expectations have been brought to the employee’s notice. In particular, the duty that an employee owes to act in good faith and with fidelity operates so that the employee should not ‘tarnish the business’s image’. The business’s expectations of its employees however must be very clear if the employer seeks to control their employees’ actions in private.

Personally I’m coming to the view that if it’s your private blog or Facebook, keep your employer’s name out of it – it’ll be sweeter for all that way.

Image from Flickr User Akbar Simonse.  Some Rights Reserved.

Using email well

A couple of months ago, Jan Barned, our erstwhile policy advisor on the ITM CoE, sent around an email from Jane O’Connor, the new editor of InTheBlack, that talked of the virtues of having ‘email-free’ days in the office.

Most of us on the CoE had a slightly different view, particularly since what tends to happen is that if you have an email-free day, the next day is spent picking up the pieces of all the emails you missed the previous day.

Our mostly tongue-in-cheek responses ended up in the September ITB:

September 2008:  Downtime – a day away

In case you are wondering why there is a reference in Shauna’s and my email to a ‘Danish Rock band’, this is because, taking my own advice that I’m giving at the social networking workshop in October to use Google Alerts, I’d just received an email to alert me to the fact that my daughter may perhaps have joined a Danish rock band (it’s an occupational hazard, given the surname – I’m less Danish than Jock ‘Tag the Haggis’ McTavish).  This amused me somewhat, as she is only three and unlikely to join a rock band unless Dora the Explorer was the lead singer.

There are three types of email:  Email that is really a ‘for your action (fya)’, email that is really a ‘for your information (fyi)’ and email that is perhaps intended to amuse (‘ZOMG TMI’).

Such an email falls into the third category of email:  useless anecdotes intended to amuse.

I thought the article was genuinely amusing in its final form, not least because our emails came back to bite us in an unedited form :).