
> If you refuse and it's an actual emergency with the real CFO, it might be a career limiting move, if you don't get fired.

This is really the crux of it: senior management needs to take the lead setting up policies which are efficient enough not to encourage people to try to bypass them and the culture that everyone in the company should feel comfortable telling the CEO “I’m not allowed to do that”. This is possible but it has to be actively cultivated.




> tell the CEO

Good luck with that.

I've had a CFO that didn't talk to tech people except through proxy have a "tell your mom to pass the potatoes" style meeting with his secretary as medium. Yes, I stood there; he talked to his secretary and repeated what each of us said 5 feet away from each other. This was a large bank.

I've had a general counsel yell with spittle at me because I suggested that it was probably a bad thing that the IT Dept was effectively acting as power of attorney for the company by doing digital signing for him and he should probably learn how to do it himself for legal reasons.


When you get to choose a potentially career limiting move by speaking to a CFO or a freedom limiting move by doing a potentially illegal thing they say... It may be a good idea to do the first one unless you're in a really bad situation with work availability.

If they can throw you under a bus because you raise a valid issue, what are the chances they'll protect you when some fraud paperwork gets signed by the IT dept (so you)?


I'm just saying the problem is basically systemic. Powerful people in charge are going to do what they are going to do. Very few will voluntarily place restrictions upon themselves even for their own good. The person that sent the money probably did it because the CFO had a history of acting like a child/irrationally/short fuse.

Very few CEOs are going to make people feel comfortable telling them no.

My anecdotes were to illustrate it's widespread if I've personally encountered it multiple times. Also just to entertain.


Also if they throw you under the bus because you refused to break company policy, you can sue them for wrongful termination.


Yes, that’s why I described it as a management responsibility. That kind of dominance culture is very common and it basically ensures this kind of stuff will keep happening, similar to how all of the phishing training in the world is largely cancelled out by not requiring partners and vendors to have better email practices. It might take that CFO featuring in a crime like this one to get their attitude to change.


Just as every major company now sends out fake phishing emails, we'll need to normalise sending out fake emergency emails from your boss saying that you need to transfer money somewhere.


It might not matter in the extreme case as there could always be a sufficiently serious emergency that will force their hand to bypass every policy. e.g. if they get a National Security Letter.


That’s not Joe CPA’s problem, though, beyond verifying that the men in black have valid government ID. If the FBI raids your office, you’re not the one in trouble for it.

Let’s not ascribe too much power to those, either: NSLs can compel release of certain types of information but they can’t force you to do things like transfer money or even disclose the contents of private messages.



