Quote: Not Concerned about General Ledger Changes

Last week I was meeting with one of our company’s Accounts Payable clerks, who told me she was not concerned about some upcoming General Ledger changes.

2 changes that were submitted by developers on her behalf.

2 changes she didn’t know anything about, so she didn’t consider them her problem.

This post is a Quote of the Weak post. For more info on these types of posts, see the Quote of the Weak topic under About.

 

Background

Let me back up and give you some context.

I was at her desk to update her ACL desktop software. Years ago, I wrote some scripts for her that saved her several hours each time she had to load some data into General Ledger.

For those who may not know what the General Ledger (GL) is, it’s the main accounting record of a company or organization. All the money flows through the GL (or should) and it’s a critical system that much be kept under strict controls; it’s one of the reasons we do SOX auditing).

I had emailed her the day before that I would be updating her ACL software and asked her to move all of the previous ACL reports she had run to another folder. After the update, I wanted her to run the scripts I wrote for her to make sure everything still works, and didn’t want to overwrite any previous reports.

When I arrived, I asked her if she read my email and followed the instructions. She said no, she didn’t understand the 2 emails I sent her.

I told her I only sent 1 email and asked her to show me the emails she was talking about.

Strange Emails

She showed me 2 emails that were automatically generated by our change control system when someone enters a ticket to change a production system. As you guessed, the system involved was the GL.

The reason she received these emails is that she was tagged as the owner/requester of the ticket.

The emails said that 2 changes would be made to 2 different records in the GL. The system wasn’t being changed, but the data was (it wasn’t clear in the ticket what data was being changed).

I told I didn’t send those emails, and that those tickets looked strange, but she said she wasn’t concerned about them, and since she didn’t understand them, she was just going to delete them and forget about them. She didn’t remember requesting the changes.

I suggested that if she wasn’t going to call the developers who submitted the tickets and request an explanation (she refused), she should at least forward them to her manager and tell him that she never requested the tickets.

She replied, “Oh, that would be a waste of time, as my manager won’t understand them either.”

Even if that is true, I suggested she send them to her manager anyway, because…at the very least, she alerted her management, and it becomes his issue to deal with.

“The last thing you want to do is ignore them,” I said.

She shrugged her shoulders, and we proceeded to do the ACL update, which went fine.

The End

In the end, I doubt she did anything except delete the emails. She’s the type of person who likes to keep a low profile and not rock the boat.

She’s also the kind of person who can’t tell whether an email is sent from someone she knows (me) or from a system.

The kind of person who comes to work every day, puts blinders on, and focuses only on the tasks at hand, without giving any thought to the bigger picture, or how what she does, doesn’t do, or ignores might contribute to a major failure further down in the process.

Go figure.

 

 

 

 

 

4 Comments

Filed under Audit, Case Files, Quote of the Weak, Security, Security Scope

4 responses to “Quote: Not Concerned about General Ledger Changes

  1. Pingback: Software Components NOT Removed from Servers | ITauditSecurity

  2. Audit Monkey

    This is not an uncommon problem. There are too many people working in finance and accounting functions who do not understand double entry book keeping and the need for controls.

    Like

  3. Audit Monkey

    I should have added that usually Senior Management would have a handle on things. Hopefully.

    Like

    • Hey Monkey,
      It’s been a while. In this case, senior mgmt might have a handle on things, but if this person doesn’t speak up, this one might sneak by. Which could happen even with mgmt watching.

      Like

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.