a sample of transactions and tracing them through a process, while giving
special attention to the checkpoints, and looking for evidence that staff had
reviewed reports.
Without automation, which covers so many more transactions in a shorter
period, auditors are limited as to how many tests they can perform within
their given review time. They take the results of their sample test and project
them to the entire population of transactions processed by the system.
Because of the gap between the testing methods and the processing methods,
samples are not always representative of the total population.
As traffic cops, automated internal controls have the power to apply the
same method of testing on an ongoing basis. All transactions can be tested
and exceptions are more easily highlighted. Management can then address —
and report on — any exceptions.
130 Part II: Diving into GRC
A lack of internal controls: The trading scandal at Societe Generale in Paris
A rogue trader at the French bank Societe Generale somehow lost close to
$7.1 billion by engaging in secret, unauthorized derivatives trades.
According to a January 29, 2008, article in the New York Times, the trader
in question, 31-year-old Jérôme Kerviel, admitted to French officials that
he had placed the unauthorized trades, which were actually worth around
$70 billion — more than the worth of the bank itself — before many of them
were reversed.
Apparently, according to the same New York
Times article, once these trades were detected,
the bank was able to move quickly to stop many
of them, hence the loss of (just!) $7.1 billion.
And in a February 6, 2008, Washington Post article, French Finance Minister
Christine Lagarde was quoted as saying that the internal controls that
Societe Generale had in place didn’t function and that when they did they
weren’t properly followed up.
Kerviel, for his part, also admitted to officials that he had hacked his
fellow employee’s computers at the bank and penned fake emails to cover his
tracks. In one press report, a colleague of Kerviel’s described him as a
“computer genius.”
Kerviel had apparently taken only four vacation days in 2007, which he
himself told police was an obvious sign that a trader doesn’t want his
actions reviewed by supervisors or fellow employees. If, for example, the
human resources department at the bank had a control in place to warn them
when an employee isn’t taking his or her vacation days, a query to that
person’s supervisor could be sent asking them to check into the matter.
The case is far from settled as this book goes to press, but Lagarde has
already issued an 11-page report, which suggests that banks generally focus
more on internal fraud, involve managers and committees in supervising risk
controls, reinforce internal controls over how much money traders can risk,
and raise the fines that France’s banking commission can levy on banks that
violate regulations.