If the boss said "put that we pen tested" couldn't op argue that he was answering to the best of his knowledge given the information the director gave him. As long as he had the email receipts, or would there be an argument that he should have known differently and shouldn't have replied on the other directors assertion that it had been pen tested.
> If the boss said "put that we pen tested" couldn't op argue that he was answering to the best of his knowledge given the information the director gave him.
No.
If the OP was not in a position yo know if they had pen tested, and the director said that they had, maybe, but in this case AFAICT the OP was in a position to know, the director was not except through the OP, and the director dictated a statement that was “more political”, not a correction of fact, that the OP knew to be inaccurate, and the OP dutifully put it into the document intended for the customer and while in parallel repeating concerns about its truthfulness to the director.
I think this is the way to go as well. He might have simply said he wasn't at the firm when the pentesting was carried out and he would search for the documentation. He should have sent emails to his managers about where he could obtain the initial pentesting documentation.
