My Turn - Achieving the American Dream
Page 6
Part of the requirements of the Security SOP instructs users to have their own accounts. It’s common practice and makes sense. As stated earlier, if users share accounts, it’s difficult to determine who is doing what. At Biokinz, it’s known that IT shares accounts. There are also a handful of privileged accounts where everyone knows the password. So, even if the password is changed, it’s the same people who receive it. Oftentimes, when Chris is talking to someone at their desk, they point to something on their computer, and he is able to see that they are using one of those shared accounts for daily activities.
But when he meets the auditors, he doesn’t disclose this information. They are here to check the SOP, and theoretically everyone has their own individual account. They just don’t know that there are other generic accounts that people use as well as having their own. If they checked the last time the network administer logged into the network using his own credentials and see that it was about a week ago, they would probably wonder how he’s working. So when asked who has the password to one of the domain admin accounts, Chris’s reply is “I think it’s Paul.” It’s true. Paul does have the password but he doesn’t supply the list of all the other people who also have it. One of these domain accounts’ passwords has apparently not been changed for several years and is shared even among contractors. It’s not the complete truth, but it’s not a lie either.
Chris’s instructions are to just answer the questions and to not elaborate. Don’t disclose anything that you’re not asked to. He has been coached on this and seems to be handling the audits relatively well. When asked about missing signatures on a security access request form, Chris says he thinks he had email approval and asks if that will work. They reply yes.
He has no idea, though, if they have email approval or not. It’s just the first thing that comes to his mind. After meeting with the auditors, Chris meets with Paul. They discuss the situation and come up with a plan. Here’s what they decide to do: They interrupt email service to the company. Since it will only be about a five-minute interruption, no one will know. Emails will just be delayed for this short period of time. Then they make some network and email server modifications. They roll back the clock on the email server and modify the names in the “To:” and “From:” email. As a result of these measures, they have a completely fabricated email which depicts approval.
During this process, Chris asks Paul who the email should come from. He says the Director of Drug Safety, Amy.
“But what if she doesn’t agree to this?”
“A couple of things, Chris. First she wants approval just as much as everyone. And second, you dated this email several months ago. She’s not going to remember if she really sent it or not. It can be worded in a vague way and the truth is most of us are not going to remember.”
“Well that’s true. With all the emails I get, I certainly can’t recall how I responded to all of them.”
“Plus if you are shown an email with your email address in the “From” address, it will be tough to dispute, and you can probably be convinced that you did indeed send the email.”
“Won’t she check her old ones?”
“She can but what we will do is place a copy of the email in her sent items. Preferably her archive folder if she has one. I’ll handle that piece. Just show the auditors the email.”
“Okay,” Chris replies a little hesitantly. He likes Amy and does not feel comfortable with what they are about to do. But if you look at it from a bigger picture, she’s one person standing in the way of several folks making a lot of money. In addition, she’s probably playing the game as well, just like all the other managers.
To make it look more official, he first shows the auditors the electronic copy in his email inbox. It’s the same email record that they placed in Amy’s sent folder. Then he asks if they want a printed copy or if looking at his screen is sufficient. Of course they ask for a printed copy, so he prints one.
It’s difficult to trace a manufactured email. And do they really want to? Sure they can go to tape backups but this can also be addressed. Everything can be traced but if a tape is missing or corrupt, what can you do? Throw a magnet on the tape and the problem’s solved. This type of thing happens in IT. There is one instance where Chris heard that they were asked to go to tape. But all the tapes that they went to weren’t valid. Nothing was on them. So if someone from IT makes a “mistake,” what can an auditor do? They wouldn’t be able to collaborate anything that they were searching for. In any case, it’s not a major violation. Signatures are missed on a form, so he doesn’t think the inquiry will go any further. Plus Paul is constantly working them.
Chris is being coached by a veteran. So even if he has an issue in fielding an inquiry, he can always check-in with his boss on how to recover or just pass the inquiry to him. It’s kind of comforting having the option to pass it to someone with more experience.
For most of the SOX controls related to IT, Finance is just going through the motions for sign-off. They don’t really understand what they’re signing. Chris can explain it a couple of times but, for the most part, it’s not grasped.
The bottom line is that they just need to pass the audits. It’s similar to drug approval in that way. Without it, none of them would be working. They’d all be looking for new jobs. Most importantly, the Board would lose millions of dollars as would upper management. And now that Chris has been given a chunk of shares, he also has several hundred thousand at stake.
Biokinz passes every audit. In the past, they were written up but only for minor infractions which were remediated fairly easy. Today, if they come across a major issue, it’ll be dealt with differently and, of course, Paul will step-in.