Last week I was meeting with one of our company’s Accounts Payable clerks, who told me she was not concerned about some upcoming General Ledger changes.
2 changes that were submitted by developers on her behalf.
2 changes she didn’t know anything about, so she didn’t consider them her problem.
This post is a Quote of the Weak post. For more info on these types of posts, see the Quote of the Weak topic under About.
Background
Let me back up and give you some context.
I was at her desk to update her ACL desktop software. Years ago, I wrote some scripts for her that saved her several hours each time she had to load some data into General Ledger.
For those who may not know what the General Ledger (GL) is, it’s the main accounting record of a company or organization. All the money flows through the GL (or should), and it’s a critical system that must be kept under strict controls; it’s one of the reasons we do SOX auditing.
I had emailed her the day before that I would be updating her ACL software and asked her to move all of the previous ACL reports she had run to another folder. After the update, I wanted her to run the scripts I wrote for her to make sure everything still works, and didn’t want to overwrite any previous reports.
When I arrived, I asked her if she read my email and followed the instructions. She said no, she didn’t understand the 2 emails I sent her.
I told her I only sent 1 email and asked her to show me the emails she was talking about.
Strange Emails
She showed me 2 emails that were automatically generated by our change control system when someone enters a ticket to change a production system. As you guessed, the system involved was the GL.
The reason she received these emails is that she was tagged as the owner/requester of the ticket.
The emails said that 2 changes would be made to 2 different records in the GL. The system wasn’t being changed, but the data was (it wasn’t clear in the ticket what data was being changed).
I told her I didn’t send those emails, and that those tickets looked strange, but she said she wasn’t concerned about them, and since she didn’t understand them, she was just going to delete them and forget about them. She didn’t remember requesting the changes.
I suggested that if she wasn’t going to call the developers who submitted the tickets and request an explanation (she refused), she should at least forward them to her manager and tell him that she never requested the tickets.
She replied, “Oh, that would be a waste of time, as my manager won’t understand them either.”
Even if that is true, I suggested she send them to her manager anyway, because, at the very least, she would have alerted her management, and it would become his issue to deal with.
“The last thing you want to do is ignore them,” I said.
She shrugged her shoulders, and we proceeded to do the ACL update, which went fine.
The End
In the end, I doubt she did anything except delete the emails. She’s the type of person who likes to keep a low profile and not rock the boat.
She’s also the kind of person who can’t tell whether an email is sent from someone she knows (me) or from a system.
The kind of person who comes to work every day, puts blinders on, and focuses only on the tasks at hand, without giving any thought to the bigger picture, or how what she does, doesn’t do, or ignores might contribute to a major failure further down in the process.
Go figure.
This is not an uncommon problem. There are too many people working in finance and accounting functions who do not understand double-entry bookkeeping and the need for controls.
I should have added that usually Senior Management would have a handle on things. Hopefully.
Hey Monkey,
It’s been a while. In this case, senior mgmt might have a handle on things, but if this person doesn’t speak up, this one might sneak by. Which could happen even with mgmt watching.