Ethics in IT — Week 1 · Ch. 2
Ethics for IT Professionals
What separates a worker from a professional — and what comes with that distinction.
13 slides · ~15 minutes · ETH-02 · The Factionless
By the end of this module, you will distinguish a worker from a professional, map the five professional relationships, compare four professional codes, identify the compliance laws that bind IT, and analyze the SAP FCPA case.
Slide 2 of 13
Worker vs. Professional
Same job description, different ethical position. The line is not legal — it is professional.
IT Worker
Primary obligation: employer.
Knowledge: adequate for assigned tasks.
Ethics: employer policy + applicable law.
Conflict resolution: follow employer direction.
Autonomy: limited, defined by job description.
IT Professional
Primary obligation: employer + client + profession + public + society.
Knowledge: ongoing competence obligation.
Ethics: professional codes in addition to law and policy.
Conflict resolution: codes take precedence when employer direction violates them.
Autonomy: greater — with corresponding responsibility.
Why it matters: a worker who is "just following orders" still bears legal liability but lower ethical liability. A professional who follows orders that violate professional codes carries the full ethical weight, even if the employer told them to do it.
Slide 3 of 13
Five Dimensions of Professional Difference
The gap widens at every dimension. Each one adds obligations a worker doesn't carry.
Slide 4 of 13
Five Professional Relationships
The IT professional sits at the center of five distinct obligations. Each carries its own duties and conflicts.
Employer
Day-to-day. Honest reporting, confidentiality.
Client
Whom you serve. Honesty when client & employer differ.
Supplier
Source ethically. No gifts that compromise.
User
Least power, most exposure. Don't deceive.
Society
Broadest. Last in priority daily, first in ethics.
Slide 5 of 13
When Relationships Conflict
In daily work, employer comes first. In ethical conflict, the priority inverts.
Slide 6 of 13
Professional Codes
Four codes shape IT ethics. They overlap on principles and diverge on enforcement.
ACM
Code of Ethics & Professional Conduct (2018). Broadest scope: public welfare, privacy, anti-discrimination, avoiding harm.
IEEE
Code of Ethics (2020). Engineering and systems focus: public safety paramount, competence, conflict of interest disclosure.
AITP
Code of Ethics & Standards of Conduct. IT management focus: obligations to management, colleagues, profession, society.
PMI
Code of Ethics & Professional Conduct (2006). Four values: Responsibility, Respect, Fairness, Honesty.
Common ground: all four require honesty, competence, avoiding harm to the public, declaring conflicts of interest, and refusing instructions that compromise the profession.
Slide 7 of 13
Enforcement Spectrum
All four codes use aspirational language. Only one has teeth.
Practical takeaway: the strength of a code's enforcement doesn't change the strength of its ethical claim. A weak-enforcement code that you've adopted still binds you ethically — the consequence is just different.
Slide 8 of 13
Compliance Laws That Govern IT
Four laws every IT professional should know — and recognize when they apply.
SOX (Sarbanes-Oxley, 2002)
Domain: financial reporting at public companies. IT implication: systems supporting financial reporting must be auditable. IT professionals involved in financial fraud face criminal liability.
HIPAA (1996)
Domain: healthcare data privacy and security. IT implication: covered entities must implement required safeguards; violations bring civil and criminal penalties.
FCPA (Foreign Corrupt Practices Act)
Domain: bribery of foreign government officials. IT implication: IT professionals who enable or conceal bribery through systems (accounting, approvals) are personally liable.
CFAA (Computer Fraud & Abuse Act)
Domain: unauthorized computer access. IT implication: governs what IT professionals can and cannot do with systems — including systems they administer for others.
Slide 9 of 13
Compliance ≠ Ethics
Compliance is the floor. Ethics is the ceiling. The gap between them is where professionalism lives.
The professional move: doing what the law allows but the code prohibits is satisfying compliance and failing ethics. The reverse — refusing what the law allows because the code prohibits it — is the professional standard.
Slide 10 of 13
Case Study: SAP FCPA Violation
$220M settlement in 2021. The IT systems were the deception infrastructure.
The facts: SAP SE, the German enterprise software company, paid $220 million in 2021 to resolve FCPA charges. SAP subsidiaries had paid bribes to government officials in South Africa and several other countries to secure government software contracts. The payment mechanism involved creating fake entities and falsely characterizing the payments in accounting systems.
The IT angle: IT professionals were directly involved in maintaining the systems that processed, classified, and concealed the payments. Some were aware of the nature of the transactions; others implemented systems without understanding what they were being used for. Either way: their work product was the deception infrastructure.
$220M
DOJ + SEC settlement (2021).
Multiple countries
South Africa primary; several others involved.
Slide 11 of 13
The Three IT Roles That Failed
No single villain. Three layers of professional obligation, missed at each layer.
IT Architects
What they did: built systems that could process payments to shell entities without adequate controls or audit trails.
Obligation failed: systems should be designed with controls that make fraud difficult, not easy.
IT Staff Processing Transactions
What they did: processed payments classified in ways they may have known were inaccurate.
Obligation failed: not to falsify records, and to refuse instructions that require falsification.
Compliance IT Staff
What they did: maintained reporting systems that did not flag the pattern.
Obligation failed: ensure compliance systems function effectively, not as theater.
The pattern: at each layer, an IT professional could have refused the instruction that compromised the integrity of the system. None did. The system worked because everyone individually decided not to be the one to break it.
Slide 12 of 13
What Would You Do?
A small anomaly. A clean career. A choice.
You are an IT professional at SAP maintaining the expense and payment approval system. You notice that a significant number of payments to a particular vendor in South Africa are being approved using an expedited override code that bypasses normal documentation requirements. The payments are coming from a business unit manager you have never interacted with. What professional obligation applies?
Investigate
Anomalous override use is a flag. The professional obligation includes ensuring the system functions as designed — investigating anomalies isn't optional.
Escalate
Internal escalation to compliance, audit, or legal — before deciding what action to take. Don't carry the dilemma alone.
Refuse
If asked to maintain or extend the override mechanism, the professional code obligation is to refuse, even at career cost. "I was told to" is not a defense.
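The slides on the three failed roles and on the override scenario both describe the same control gap: an expedited path that skips documentation, approved without an independent second person, and a compliance layer that never noticed the pattern. The block below is an added example, not SAP's system or the deck's own material, with every name, threshold and record constructed for illustration. It shows one hypothetical control (an override must carry a written justification and a different second approver, and every decision is written to an append-only audit log) beside one detection rule (flag vendor/approver pairs whose share of override approvals is unusually high), run over a small constructed set of approval records.

```python
"""Added example: a minimal payment-approval control and a detection rule.

Everything here is constructed for illustration: the record fields, the
vendor and approver names, and the thresholds are assumptions, not any
real company's configuration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Approval:
    payment_id: str
    vendor: str
    approver: str
    amount: float
    override: bool = False        # expedited path that skips normal documentation
    justification: str = ""       # required when override is used
    second_approver: str = ""     # must differ from approver when override is used


@dataclass
class Ledger:
    records: list = field(default_factory=list)    # approvals that passed the control
    audit_log: list = field(default_factory=list)  # append-only record of every decision

    def approve(self, a: Approval) -> bool:
        """Hypothetical control: an override may not waive documentation or
        independent review. Rejections are logged with the reason so the
        compliance layer can see refused attempts, not only successes."""
        if a.override:
            if not a.justification.strip():
                self.audit_log.append(f"REJECT {a.payment_id}: override without justification")
                return False
            if not a.second_approver or a.second_approver == a.approver:
                self.audit_log.append(f"REJECT {a.payment_id}: override lacks independent second approver")
                return False
        self.records.append(a)
        self.audit_log.append(
            f"APPROVE {a.payment_id} vendor={a.vendor} by={a.approver} override={a.override}")
        return True


def override_hotspots(records, min_count=3, max_rate=0.5):
    """Detection rule: return (vendor, approver, count, override_rate) for pairs
    with at least min_count approvals where more than max_rate used the
    override path. Even overrides that satisfied the control on paper
    still form a pattern worth investigating."""
    totals = defaultdict(int)
    overrides = defaultdict(int)
    for r in records:
        key = (r.vendor, r.approver)
        totals[key] += 1
        if r.override:
            overrides[key] += 1
    flagged = []
    for key, n in totals.items():
        rate = overrides[key] / n
        if n >= min_count and rate > max_rate:
            flagged.append((key[0], key[1], n, round(rate, 2)))
    return sorted(flagged)


def sample_ledger() -> Ledger:
    """Constructed input: routine approvals plus a cluster of overrides
    from one business-unit manager to one vendor."""
    ledger = Ledger()
    for i in range(4):
        ledger.approve(Approval(f"P{i}", "OfficeSupplies Ltd", "ap_clerk_2", 1200.0))
    for i in range(4, 8):
        ledger.approve(Approval(f"P{i}", "ZA-Consulting-Co", "bu_manager_7", 48000.0,
                                override=True, justification="urgent vendor deadline",
                                second_approver="bu_deputy_7"))
    ledger.approve(Approval("P8", "ZA-Consulting-Co", "bu_manager_7", 51000.0))
    # Override with no justification: the control rejects it and records why.
    ledger.approve(Approval("P9", "ZA-Consulting-Co", "bu_manager_7", 9000.0, override=True))
    return ledger


if __name__ == "__main__":
    ledger = sample_ledger()
    for line in ledger.audit_log:
        print(line)
    print("hotspots:", override_hotspots(ledger.records))
```

The two halves deliberately do different jobs. The control in `approve` is what the architect layer owes: a design in which the expedited path still leaves documentation and an independent approver behind. The rule in `override_hotspots` is what the compliance-IT layer owes: the four override approvals in the sample all passed the control, yet four of five payments to one vendor going through the override path is exactly the anomaly the scenario asks you to notice and escalate.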
Slide 13 of 13
Module 2 Summary
Ethics for IT Professionals — key takeaways.
1. Worker vs Professional — the line is not legal, it's ethical. Professionals carry obligations beyond the employment relationship.
2. Five professional relationships: employer, client, supplier, user, society. Five separate obligation streams that can conflict.
3. Daily priority inverts under conflict. Society comes last in daily practice but first in ethics when relationships collide.
4. Four codes (ACM, IEEE, AITP, PMI) — PMI is the only one with strong individual consequence (PMP revocation).
5. Four laws (SOX, HIPAA, FCPA, CFAA) — know which apply to your role, and recognize that personal liability follows the work product.
6. Compliance ≠ ethics. Compliance is the floor; ethics is the ceiling. The gap is where professional judgment lives.
7. SAP lesson: distributed responsibility = distributed failure. At every layer, a professional could have refused. None did. The system worked because each person decided not to break it.
8. "I was told to" is not a defense. The professional standard is: refuse the instruction that compromises the code, even at career cost.
Next up: Module 3 — Cyberattacks and Cybersecurity Ethics. Reasonable assurance, the four core security tradeoffs, and the Sony Pictures breach as a case study.