
RENELLE HABAC CBEA-01-902A

CASE 1 – UNION DIME SAVINGS BANK

The head teller at the Union Dime Savings Bank in New York took advantage of an error correction
routine built into the computer system to embezzle $1.5 million over a period of three years. The head
teller was responsible for training new tellers in the operation of the bank’s on-line system. Because
these trainees made numerous errors, the head teller explained his entries to several accounts each day
using the error-correction routine as necessary to correct the errors of these trainees. Toward the end
of the embezzlement period he was making upwards of fifty supervisory corrections per day to support
a $30,000 per day gambling addiction. The following controls were prescribed for the system:

a) A daily review of all supervisory transactions was made by a control clerk at the center.
Although the control clerk had been told to look for an unusual volume of corrections,
such a condition for this branch did not cause any alarm because the condition had
existed since the first day the clerk performed the review.
b) A report of all supervisory corrections sent to the branch manager each day was ignored
by that individual because he did not understand the purpose of the report.
c) The head teller was required to take a vacation each year, but problems that arose
during his absence because of the defalcation were saved for him to resolve upon his
return.
d) Exceptions turned up by the auditors when they confirmed account balances were taken
to the head teller for resolution. Blaming the errors on recently hired tellers, he would
correct the misposting with the error-correction routine.

Requirements:

1. Discuss the relevance of the controls that were prescribed.


2. Describe the reviews and tests of compliance that might have detected the fraud.

RELEVANCE OF THE CONTROLS:


1. The control clerk disregarded the unusual volume of corrections. A daily review of transactions
makes it possible to identify and correct problems such as mistakes made in transactions and
irregularities that may result in theft. Any unusual differences also need to be explained.
2. The branch manager was not performing his/her duties properly, because he/she is
supposed to direct and supervise the staff and day-to-day operations. However, he/she simply
ignored the unusual volume of corrections, which means he/she is not fit for the position.
3. Most financial crimes require constant attention, even diligence, on the part of the perpetrators.
A policy of mandatory vacation time can deter employees from even considering any
impropriety. Employees fear that any financial misdeeds will be detected during their absence.
However, in this case, when the head teller was on vacation, they were just giving him an opportunity
to embezzle more money, because they simply waited for him to return to resolve the
problems.
4. Blaming the newly hired tellers and giving the exceptions to the head teller shows that the
auditor is not practicing professional care, fairness and integrity.
REVIEWS AND TESTS OF COMPLIANCE:
• Implement a constant monitoring system to catch and prevent incidents of data
theft/breach.
• Conduct a thorough background check. Also check all personnel before giving copies of
the company’s documents.
• Make sure you turn on your network encryption and encrypt data when stored or sent
online. Encryption converts your data into a secret code before you send it over the
internet. This reduces the risk of theft, destruction or tampering.
• Reviewing the deficiencies identified and the organization’s investigation, resolution, and
remediation of those deficiencies.
• Require two signatures for checks written on bank and investment accounts. This
prevents unapproved withdrawals and payments.
• Testing transactions as appropriate.
• Sharing findings, concerns, and recommendations with senior management and/or the
board of directors.
• Determining that the company has taken corrective action on identified vulnerabilities
in a timely manner.
• Reviewing discoveries of fraud and violations of laws and regulations as raised by the
internal audit function.
• Adopting dual control, wherein the work of one (1) person is verified by a second
person to ensure that the transaction is properly authorized, recorded and settled.
• Restricting access to information assets by classifying information as to degree of
sensitivity and criticality and identifying information owners or personnel with authority
to access particular classifications based on job responsibilities and the necessity to
fulfill one’s duties.
• Reviews of operating performance and exception reports. For example, senior
management should regularly review reports showing financial results to date versus
budget amounts, and the loan department manager should review weekly reports on
delinquencies or documentation exceptions.
• An appropriate level of management should approve and authorize all transactions over a
specified limit, and authorization should require dual signatures.
• Segregating duties to reduce a person’s opportunity to commit and conceal fraud or
errors. For example, assets should not be in the custody of the person who authorizes or
records transactions.
• Requiring officers and employees in sensitive positions to be absent for two consecutive
weeks each year.
• Designing and using documents and records to help ensure that transactions and
events are recorded. For example, using pre-numbered documents facilitates
monitoring.
• Safeguarding the access to and use of assets and records. To safeguard data
processing areas, for example, a bank should secure facilities and control access to
computer programs and data files.
• Independent checking on whether jobs are getting done and recorded amounts are
accurate. Examples of independent checks include account reconciliation, computer-
programmed controls, management review of reports that summarize account
balances, and user review of computer-generated reports.
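
Control (a) failed because the clerk's only reference point was this branch's own history, which contained the high correction volume from the first day of review. As an added illustration (not part of the original case or answer), the Python sketch below runs a self-baseline check and a peer comparison over constructed daily correction counts; the branch and operator names, the counts and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed log of supervisory corrections: (day, branch, operator, count).
# Branch/operator names and counts are illustrative, not data from the case.
SAMPLE = [(d, b, op, n)
          for b, op, per_day in [("B1", "ht-1", [3, 5, 4, 2]),
                                 ("B2", "ht-2", [6, 4, 5, 7]),
                                 ("B3", "ht-3", [48, 52, 50, 51]),
                                 ("B4", "ht-4", [2, 3, 1, 4]),
                                 ("B5", "ht-5", [5, 6, 4, 5])]
          for d, n in enumerate(per_day, start=1)]


def daily_counts(rows):
    """Group correction counts per (branch, operator), ordered by day."""
    series = defaultdict(list)
    for _day, branch, op, n in sorted(rows):
        series[(branch, op)].append(n)
    return series


def self_baseline_alerts(rows, factor=2.0):
    """Weak check: alert only if the latest day exceeds factor x the
    operator's own earlier median. A volume that was high from day one
    never trips it, which is how the clerk's review behaved."""
    return sorted(k for k, s in daily_counts(rows).items()
                  if len(s) > 1 and s[-1] > factor * median(s[:-1]))


def peer_baseline_alerts(rows, threshold=3.5):
    """Stronger check: compare each operator's typical daily volume with
    all peers using a robust z-score (median and MAD), so one extreme
    operator cannot drag the baseline toward itself."""
    typical = {k: median(s) for k, s in daily_counts(rows).items()}
    centre = median(typical.values())
    # MAD of 0 (all peers identical) falls back to 1.0 to avoid dividing by zero.
    mad = median(abs(v - centre) for v in typical.values()) or 1.0
    return sorted(k for k, v in typical.items()
                  if 0.6745 * (v - centre) / mad > threshold)


if __name__ == "__main__":
    print("self-baseline alerts:", self_baseline_alerts(SAMPLE))
    print("peer-baseline alerts:", peer_baseline_alerts(SAMPLE))
```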
