SOPHIA GABUAT CBEA-01-902A

CASE 1 – UNION DIME SAVINGS BANK

The head teller at the Union Dime Savings Bank in New York took advantage of an error correction
routine built into the computer system to embezzle $1.5 million over a period of three years. The head
teller was responsible for training new tellers in the operation of the bank’s on-line system. Because
these trainees made numerous errors, the head teller explained his entries to several accounts each day
using the error-correction routine as necessary to correct the errors of these trainees. Toward the end
of the embezzlement period he was making upwards of fifty supervisory corrections per day to support
a $30,000 per day gambling addiction. The following controls were prescribed for the system:

A. A daily review of all supervisory transactions was made by a control clerk at the center.
Although the control clerk had been told to look for an unusual volume of corrections,
such a condition for this branch did not cause any alarm because the condition had
existed since the first day the clerk performed the review.
B. A report of all supervisory corrections sent to the branch manager each day was ignored
by that individual because he did not understand the purpose of the report.
C. The head teller was required to take a vacation each year, but problems that arose
during his absence because of the defalcation were saved for him to resolve upon his
return.
D. Exceptions turned up by the auditors when they confirmed account balances were taken
to the head teller for resolution. Blaming the errors on recently hired tellers, he would
correct the misposting with the error-correction routine.

Requirements:

1. Discuss the relevance of the controls that were prescribed.

2. Describe the reviews and tests of compliance that might have detected the fraud.
SOPHIA GABUAT CBEA-01-902A
RELEVANCE OF THE CONTROLS:

1. The person in-charge for reviewing all the transactions is not properly doing his job. A
daily reviewing of transactions is used to correct all the mistakes and help to identify any
unusual transactions that might be caused by fraud or accounting errors. The Control
clerk should ask about the unusual volume of errors in the first place and seek
explanation of it to the head teller because if it is done earlier, it will prevent or avoid
theft or defalcation of cash.
2. A Branch Manager is responsible for overseeing and coordinating all operations of a
branch. Their duties include hiring staff and  providing training, coaching, development
and motivation for bank personnel. They also oversee the security and cash-handling. A
branch manager must also show strong attention to detail and seeing that they ignored
the unusual supervisory correction makes him/her unfit or not capable of the position.
He/she must take note also that tolerating or ignoring this problem will give courage to
the head teller or other employees to continuously do irregularities or misappropriation
of cash. If the branch manager knows his/her duties and has concern for his/her branch,
he/she should question the report made by the control clerk and must do some
investigation.
3. Mandatory vacation gives the company a chance to evaluate different positions and
usually this vacation is unannounced so that they don’t have time to prepare to fix their
wrong doings. A problem may also surface while the person is gone such as improperly
cash handling and theft. However, in the case of the head teller, they give him a chance
to embezzle more money because they need to wait for him to return before they can
resolve the problem.
4. The auditors that examine the balances and give exceptions to the head teller and
blame the newly hired tellers for the voluminous corrections are not exercising due
professional care and have no independent mental attitude. An auditor must have a
questioning mind or approach the audit with heightened level of professional
skepticism.
5. Another cause of the problem is the lack of employees who have knowledge in
troubleshooting or correcting the errors. If there is only one person in-charge in trouble
shooting or correcting the errors there is a big opportunity to embezzle or to easily
circumvent the internal control by manipulation. Perceived opportunities to commit
fraud exist when there is no segregation of duties among employees

REVIEWS AND TESTS OF COMPLIANCE THAT MIGHT HAVE DETECTED THE FRAUD:

1. Reviews of Bank’s Organizational Control

SOPHIA GABUAT CBEA-01-902A
 Reviewing of key employee’s job description
 Review of Employee Performance and make sure they follow procedures. This will help
ensure that they are following the correct procedures and meeting the organization's
expectations. Also, inquiring of key employees in the internal control structure as to
their understanding of roles and responsibilities.
 Determine if all the access of users of system (user ID) is approved by head of user
department and branch manager. The auditor should obtain the list of user IDs that it
must be kept in a register in user departments and branches in details including
employee name, designation, employee number, date of joining, user ID allotted, date
of creation of user ID, date of deletion of user ID, signature of the user, and the auditor
has to determine for each user what the permissions and privileges to the different
department they have.
 Reviewing organization operating and accounting manuals and other means of
disseminating internal control objectives
 Reviewing deficiencies identified, and organization’s investigation, resolution, and
remediation of identified deficiencies.
 Determine if the security features have been enabled and parameters have been set to
values consistent with the security policy of the organization such as availability of
original license of operating system, operating system media and related manuals and
user guidance issued and provided through EDP department or vendor in user
departments and branches.
 The auditor shall observe if the computer operator's room is organized, inspect
cleanliness, and ensure to keep the server room visibility low and make sure that the
program or files are safe from being lost.
 Observe the operators to verify if they adhere to the Procedures (SOP) during the
equipment operation
 Review design specifications schedules, look for the written evidence of approval, and
determine if the design specifications comply with the standards.
 By assessing the operations, the auditor can pinpoint if the procedures are being done
correctly. It also assures the quality of process and limits the opportunity for errors, and
prohibited use of programs and files.

2. Reviews of Bank’s Standard Operating Procedures (SOP)

SOPHIA GABUAT CBEA-01-902A
 Ensure that you communicate your SOPs to all parties involved to ensure compliance.
This will help to avoid any confusion or ambiguity. It also ensure they are well
documented and readily available; both digitally and physically.
 Determine the extent of the responsibilities of the management internal audit user’s
quality assurance, and data processing during the system design development and
maintenance.
 Reviewing procedures (SOP), Management has established to identify if it is being
followed and know its effectiveness.
 Review system development work papers to determine if the appropriate levels of
authorization were obtained for each phase.
 Examine the selected flowchart, decision tables, costing sheets to verify that standards
programming, conventions and procedures are being followed.
 Interview representatives of the users and accounting departments for evidence of the
level of their participation in the system development process.
 Review appropriate documents and related approvals for evidence that the user and
accounting departments have an adequate understanding of systems inputs, processing
procedures, control, and system outputs.
 For selected applications development during the accounting period, review technical
and output documentation for written evidence of approval by technical supervisors,
management and users.
 Review the selection of the system development standards manual that covers review
and approval Requirements.
 For selected applications development during the accounting period, review technical
and output documentation for written evidence of approval by technical supervisors,
management and users
 Examine discrepancy report for evidence of appropriate correction of errors.
 Test the conversion by tracing record data form the original files to the new files and
also form the new files to the original files.
 Verify that all emergency changes with the associated root cause are reviewed by senior
management on a timely basis.
 Review corrective controls to prevent reoccurrence of change.
-Review controls over the execution of the emergency program.
 Assess the operations of the system, and procedural controls and manual to establish
the fairness and appropriateness of the standards.
 Review and evaluate the procedure for maintenance of existing applications.