Comment by refulgentis
2 days ago
I respect the spirit, but I can't think of a system of controls, or a matryoshka doll of sign-offs, that ends up with the small bank CEO not being able to give orders, at least, without the bank being O(1000s) of employees as opposed to... 10s, optimistically.
> The general mechanism to prevent abuse is that the person giving the order is distinct from the person performing the action. This ensures that a second set of eyes inspects the order and notes any inconsistencies. Such a control was lacking in this case.
I understand the general concept of a two-person sign-off system.
However, I'm absolutely unconvinced the CEO of a small bank wouldn't be able to convince a subordinate in an office of 20, max, to "verify it has no inconsistencies" rather than "gee this sure does seem stupid"
The CEO can give orders, but there should be literally no way for a single person to transfer that much money without approval.
Even our accounting system is integrated with a vendor management platform that first verifies the recipient is a known vendor, and tied to the banking part that actually issues an ACH/wire transfer such that it can't happen until approved.
The fact that there's essentially zero governance at a bank is unacceptable.
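The control described in the comment above, a recipient allowlist tied to a wire leg that refuses to send until someone other than the initiator has approved, as an added example that is not code from the thread or from any bank's real system. The class and function names (`WireQueue`, `initiate`, `approve`, `release`), the vendor records, the approver roles and the dual-control threshold are all hypothetical, constructed for illustration.

```python
"""Dual-control (maker/checker) wire release with a recipient allowlist.

Added example; not code from the thread or any real banking system. All
names, vendor records, roles and thresholds below are hypothetical.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Constructed sample data: the only recipients vendor management knows about.
KNOWN_VENDORS = {
    "ACME-001": {"name": "Acme Supplies", "account": "12345678", "routing": "021000021"},
    "CLOUD-007": {"name": "Cloud Hosting Co", "account": "87654321", "routing": "021000021"},
}

# Hypothetical threshold: above this a second approver is required no matter who initiated.
DUAL_CONTROL_THRESHOLD = Decimal("10000")


class ControlViolation(Exception):
    """Raised when a transfer would bypass one of the controls."""


@dataclass
class Transfer:
    transfer_id: int
    vendor_id: str
    amount: Decimal
    initiated_by: str
    approved_by: Optional[str] = None
    released: bool = False


class WireQueue:
    def __init__(self, vendors, approvers):
        self._vendors = vendors
        self._approvers = set(approvers)  # users holding the approver role
        self._transfers = {}
        self._next_id = 1

    def initiate(self, user, vendor_id, amount):
        # Control 1: the recipient must already exist in vendor management.
        # An account number typed fresh into the wire screen is rejected.
        if vendor_id not in self._vendors:
            raise ControlViolation(f"unknown recipient {vendor_id!r}")
        amount = Decimal(amount)
        if amount <= 0:
            raise ControlViolation("amount must be positive")
        t = Transfer(self._next_id, vendor_id, amount, initiated_by=user)
        self._transfers[t.transfer_id] = t
        self._next_id += 1
        return t.transfer_id

    def approve(self, user, transfer_id):
        t = self._transfers[transfer_id]
        # Control 2: separation of duties. Whoever entered the order cannot be
        # the second pair of eyes, regardless of title.
        if user == t.initiated_by:
            raise ControlViolation("initiator cannot approve own transfer")
        if user not in self._approvers:
            raise ControlViolation(f"{user!r} lacks approver role")
        t.approved_by = user
        return t

    def release(self, transfer_id):
        t = self._transfers[transfer_id]
        # Control 3: the wire leg refuses to send a large transfer until an
        # approval is recorded; there is no single-user path around this.
        if t.amount > DUAL_CONTROL_THRESHOLD and t.approved_by is None:
            raise ControlViolation("dual control required above threshold")
        t.released = True
        return t


def demo():
    """Walk a CEO-sized order through each control and record what happened."""
    q = WireQueue(KNOWN_VENDORS, approvers={"cfo", "controller"})
    results = {}
    # An order to an account nobody has vetted never gets past vendor management.
    try:
        q.initiate("ceo", "UNKNOWN-999", "47000000")
        results["unknown_recipient"] = "accepted"
    except ControlViolation as e:
        results["unknown_recipient"] = str(e)
    # A large order to a known vendor: the initiator cannot sign it off alone.
    tid = q.initiate("ceo", "ACME-001", "47000000")
    try:
        q.approve("ceo", tid)
        results["self_approve"] = "allowed"
    except ControlViolation as e:
        results["self_approve"] = str(e)
    try:
        q.release(tid)
        results["release_unapproved"] = "released"
    except ControlViolation as e:
        results["release_unapproved"] = str(e)
    # A distinct approver signs off; only then does the wire go out.
    q.approve("controller", tid)
    results["release_approved"] = q.release(tid).released
    # Small routine payments below the threshold still flow without a second signer.
    small = q.initiate("clerk", "CLOUD-007", "250")
    results["small_release"] = q.release(small).released
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the three checks is that no one of them relies on a subordinate's judgment: the recipient check is a lookup the CEO cannot talk past, the approver check is a hard inequality on user identity, and the release check is enforced at the wire leg rather than in whoever happens to be sitting at the desk.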
> but I can't think of a system of controls that ends up with the CEO not being able to give orders unilaterally most of the time
The primary system of control for small shops is going out of business when you're dumb enough to lose $47M and getting replaced by more competent people running the competition.
And there are no murderers, because they are sent to prison.