The case study focused on one of the biggest losses the financial world has ever seen. It surfaced in February 2002, when Allied Irish and Allfirst suffered a 670 million dollar foreign exchange trading loss at the hands of a thirty-seven-year-old foreign exchange trader by the name of John Rusnak, who had been employed by Allfirst for 7 years. During 2001, Rusnak made bad trading decisions with regard to the increase in the value of the Japanese Yen, and instead of confessing his problem to management, he tried to cover it up by fraudulent means, which consisted of falsified option trades and fake confirmations, and acting as a proprietary trader. He took advantage of weak and inexperienced employees in the Treasury groups, and when his losses became too high, he tried to make up for them by selling deep currency options to raise quick cash. But this did not work out because the company had to pay the client when the options matured. In the end, it was confirmed that the losses may have been directly Rusnak's responsibility, but it was Allied's fault because if the proper controls had been in place, a situation of this magnitude would never have taken place.
Concepts: There was a variety of concepts used in this case. Security refers to the policies and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information systems. Controls are all methods, policies and procedures that ensure protection of the organization's assets, accuracy and reliability of its records, and operational adherence to management standards. General controls are overall controls that establish a framework for controlling the design, security and use of computer programs throughout an organization. Application controls are those which are unique to each computerized application. Data security controls are those which ensure that data files on either disk or tape are not subject to unauthorized access, change or destruction. Administrative controls are formalized standards, rules, procedures and disciplines to ensure that the organization's controls are properly executed and enforced. Online transaction processing is a transaction processing mode in which transactions entered online are immediately processed by the computer. Authentication gives each party in the transaction the ability to identify the other party. Message integrity is the ability to ascertain that a transmitted message has not been copied or altered. A digital signature is a digital code that can be attached to an electronically transmitted message to uniquely identify its contents and sender. A digital certificate is an attachment to an electronic message to verify the identity of the sender and to provide the receiver with the means to encode a reply. Risk assessment is determining the potential frequency of the occurrence of a problem and the potential damage if the problem were to occur. It is also used to determine the cost/benefit of a control. A data quality audit is a survey or sample of files to determine the accuracy and completeness of data in an information system.
Data cleansing corrects errors and inconsistencies in data to increase accuracy so that they can be used in a standard company-wide format. An MIS audit identifies all the controls that govern individual information systems and assesses their effectiveness. A walkthrough is a review of a specification or design document by a small group of people carefully selected based on the skills needed for the particular objectives being tested. Debugging is the process of discovering and eliminating the errors and defects in the program code.
Discussion: In February 2002, due to a lack of proper security measures and controls, Allied Irish and Allfirst suffered a 670 million dollar foreign exchange trading loss at the hands of a thirty-seven-year-old foreign exchange trader by the name of John Rusnak, who had been employed by Allfirst for 7 years. During 2001, Rusnak made bad trading decisions with regard to the increase in the value of the Japanese Yen, and instead of confessing his problem to management, he tried to cover it up by fraudulent means, which consisted of falsified option trades and fake confirmations, and acting as a proprietary trader. He then tried to make up for his losses by selling deep currency options to raise quick cash. But this did not work out because the company had to pay the client when the options matured. In the end, it was confirmed that the losses may have been directly Rusnak's responsibility, but it was Allied's fault because if the proper controls had been in place, a situation of this magnitude would never have taken place.
There were major weaknesses at Allfirst and Allied Irish. Firstly, their employees in the Treasury department were inexperienced, lacked the proper training and had poor supervision, which in any case would lead to laziness. In addition, Rusnak was allowed to trade while on vacation, which in itself is a direct violation of company policy. According to industry standards, when a trade is made it should always be accompanied by a hedge to guard against losses; however, there were no controls in place that ensured that these hedges were ever purchased. Thirdly, all traders have limits as to the amount of trades they can do at a given time, yet Rusnak was allowed to perform trades although he was well above his limit. Fourthly, there was no segregation of duties between the front office, trading desk and back office. According to the case, there were many management, organization and technology factors that contributed to these weaknesses.
For example, AIB had installed Opics in the back office at Allfirst, but did not install its sister software, called Tropics, at its front office. AIB was fully aware that these systems work hand in hand and that, in order for them to work effectively, both systems had to be in place. Also, AIB used Crossmar Matching Service, which automatically and electronically confirms both sides of a trade in two minutes, but did not implement the system at Allfirst; as a result, staff there had to call to validate a trade. This had a negative effect on them because if they had a trade with a bank in Japan, they would have to call at either midnight or 1 am in order to speak with someone in that bank's back office.
Management is responsible for developing the control structure and quality standards for the organization. When they chose to look the other way instead of dealing with Rusnak when they were warned by Smith and others, they contributed indirectly to his fraudulent behavior. Also, when Rusnak realized that the Monte Carlo was inadequate, he told management, but they turned him down for budgetary reasons. As with management, the characteristics of the organization play a large role in determining its approach to quality assurance and control issues. As it was the duty of the organization to create high levels of security and quality in information systems, it too contributed to these weaknesses: the proper systems were put in place at AIB, but the organization did not feel the need to properly implement the same at Allfirst.
There are a number of technologies for promoting system quality and security. With technologies such as data security software, they should have been able to detect any unusual events occurring, but as these were not in place at that time, this also contributed to the weaknesses of AIB and Allfirst.
Undoubtedly, the person responsible for the Rusnak trading losses was Rusnak himself. However, he did not work alone. Every person who allowed him to shortcut control measures so that he could cover up the losses is responsible too. For example, the person who was persuaded to go home and not call Japan to confirm the trade cost the company millions through their negligence. Also, those persons who allowed him to give them information that he compiled on his own computer, instead of compiling it themselves, contributed to his fraudulent behavior and are also liable. Management also played a huge role in this situation because they knew that he was trading over his limit and that he had a position in Yen of more than one billion dollars, but didn't question anything because, according to them, they were making money, so there wasn't a problem if some rules had to be broken in order to achieve profits. Lastly, AIB and Allfirst are also liable because AIB knew that it had not implemented the proper control measures to protect its organization against fraud. They are also at fault because when Rusnak was trying to make money with what were called synthetic loans, AIB executives had to approve them, which meant that they had to know that something was wrong with what Rusnak was doing.
It is evident that the proper information systems were not in place. As this is the age of technology, there are many computerized systems that were created to ensure that proper control measures are carried out. If the proper general and application controls had been in place, then Rusnak's scheme would have been caught from its inception. General controls are essential for a company because they not only establish a framework for controlling design and security, but also regulate the use of computer programs throughout the organization.
Application controls are equally important, as they comprise specific controls unique to each computerized application. Firstly, software and hardware controls could have been implemented to monitor the use of the system software and prevent unauthorized access to software programs, system software, and computer programs. In addition, they would have ensured that the computer hardware was physically secure and checked for equipment malfunction. Secondly, they could have implemented computer operations controls and data security controls that would assist the company's control system by overseeing the work of the computer department to ensure that programmed procedures are consistently and correctly applied to the storage and processing of data. These would also have ensured that valuable business data files on either disk or tape are not subject to unauthorized access, change, or destruction while they are in use or in storage. Thirdly, there are implementation and administrative controls that could have been implemented to audit the systems development process at various points to ensure that the process is properly controlled and managed. In addition, they would have formalized standards, rules, procedures, and control disciplines to ensure that the organization's general and application controls are properly executed and enforced. There are also other systems, such as data security controls and administrative controls, that would have ensured that unauthorized users had no access to certain files and that proper procedures were in place to ensure that the organization's controls are properly executed. In that way, when those fake confirmations were put into the system, they would have been automatically kicked out.
Online transaction processing could also have prevented this type of situation by processing transactions as soon as they are entered into the system.
If this had been in place, then they would not have had to stay late to call Japan to confirm the trades because the system would have automatically confirmed them. They could have implemented authentication, which would have helped them establish the identity of the other party on the confirmation. There are also other security measures, such as a message integrity system, that could have alerted them to what was going on years earlier. In addition, they could have created a digital certificate that would not only have identified the person with whom the transaction was being conducted, but also allowed them to reply to the sender. If these information systems had been implemented, Rusnak's scheme could have been prevented. If these information systems had been put in place, Rusnak would have been either prevented or caught earlier on, because these systems were created to minimize the risk of errors or fraudulent manipulation of the organization's assets.
If I were responsible for designing new information systems for AIB and Allfirst, I would first determine which controls are required by identifying all of the control points and control weaknesses and performing a risk assessment. Then, I would perform a data quality audit and MIS audit to determine how to effectively safeguard systems without making them unusable. When this part of my strategy is complete, I would then begin part (2) by implementing the proper controls to ensure that this type of situation never occurs again. These controls would include all methods, policies, and procedures that ensure protection of the organization's assets, the accuracy and reliability of accounting records, and adherence to management and industry standards. In order to do this, I would implement general controls to handle the overall design, security, and use of computers, programs and files for their information technology infrastructure.
This would include physical hardware controls, system software controls, data file security controls, computer operations controls, controls over the implementation process and administrative disciplines. In addition to the general controls, I would also implement application controls because they focus on the completeness and accuracy of input, updating and maintenance, and the validity of the information in the system. Before I complete the new systems, I would perform a data cleansing and debugging process to eliminate any errors, and lastly I would conduct a walkthrough with qualified professionals so that the systems could be tested. Once these measures have been put into place, Allfirst and AIB's control problems would be solved.
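The automated confirmation, message integrity and trading-limit controls discussed above can be sketched as a back-office check; this is an added example, not code from the case study or from any bank's system. HMAC-SHA256 stands in for the digital signature the essay mentions, and every name, key, limit and trade below is constructed for illustration.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed sample data: keys, limits, trades and confirmations are invented.
COUNTERPARTY_KEYS = {"BANK-TOKYO": b"demo-key-tokyo"}  # assumed shared out of band
TRADER_LIMIT_USD = {"trader-17": 2_500_000}
TERMS = ("trade_id", "counterparty", "pair", "notional_usd")

def mac(key, terms):
    """HMAC-SHA256 over a deterministic encoding of the trade terms."""
    body = json.dumps(terms, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def review(trades, confirmations):
    """Return {trade_id: [reasons]} for bookings that must not settle."""
    findings, exposure = defaultdict(list), defaultdict(int)
    for t in trades:
        terms = {k: t[k] for k in TERMS}
        conf = confirmations.get(t["trade_id"])
        key = COUNTERPARTY_KEYS.get(t["counterparty"])
        if conf is None:
            findings[t["trade_id"]].append("no confirmation received")
        elif conf["terms"] != terms:
            findings[t["trade_id"]].append("confirmation terms differ from booking")
        elif key is None or not hmac.compare_digest(conf["mac"], mac(key, terms)):
            findings[t["trade_id"]].append("confirmation failed integrity check")
        # Running notional per trader, checked against the assigned limit.
        exposure[t["trader"]] += t["notional_usd"]
        if exposure[t["trader"]] > TRADER_LIMIT_USD.get(t["trader"], 0):
            findings[t["trade_id"]].append("trader over position limit")
    return dict(findings)

def booking(trade_id, notional):
    return {"trade_id": trade_id, "counterparty": "BANK-TOKYO", "pair": "USD/JPY",
            "notional_usd": notional, "trader": "trader-17"}

def sample_run():
    trades = [booking("T1", 1_000_000), booking("T2", 1_000_000), booking("T3", 1_000_000)]
    t1 = {k: trades[0][k] for k in TERMS}
    t3 = {k: trades[2][k] for k in TERMS}
    confirmations = {
        "T1": {"terms": t1, "mac": mac(COUNTERPARTY_KEYS["BANK-TOKYO"], t1)},
        # T2 has no confirmation; T3's was produced without the counterparty key.
        "T3": {"terms": t3, "mac": mac(b"made-on-a-desk-pc", t3)},
    }
    return review(trades, confirmations)

if __name__ == "__main__":
    print(sample_run())
```

Because the check runs on every booking rather than relying on a late-night phone call, a confirmation that did not originate from the counterparty is rejected at entry, and the limit breach is reported on the trade that causes it.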
Tuesday, February 10, 2009
Allied Banks