This brief paper outlines how spreadsheets were used as one of the vehicles for John Rusnak's fraud and the revenue control lessons this case gives us.
If potential weaknesses or risks in a system are detected, they must be followed up.
The internal audit and risk managers in Allfirst were criticised for failing to follow up indications of risk - sometimes because of a lack of understanding of the business areas concerned and sometimes because they placed too much reliance on the (corrupted) key controls and failed to use the corroborative records available to them.
These failures were, it should be noted, symptoms of weak or non-existent management control and corporate governance.
EuSpRIG, July 2009