Wednesday, June 10, 2009

Now Why Would You Do That?

Yesterday, at the request of a user, one of our developers put together a simple program to update the table that stores accounts receivable (A/R) for each customer. The program deleted A/R data for a single account. A request to run the program was forwarded to a Team Lead for approval. The request is supposed to list the types of updates being made to each table. I assume this one did as well. It was approved and sent on through channels to be executed.

The A/R data for this one account was deleted from the system. My team - the Finance Team - found out about it this morning when the total system A/R on the table in question did not match the general ledger totals. Our controls allowed us to easily identify the account in question (A/R change with no associated G/L updates). The account was also missing A/R in the test regions. An email goes out and the developer figuratively raises her hand. We get the story above. The users created a charge on this account that they didn't like, that they apparently couldn't get rid of, and the charge kept showing up on a report. They wanted it off the report so they requested the table update.

We jump through so many Sarbanes-Oxley hoops each day that P.T. Barnum would be awestruck. Yet, when it really matters, when actual $$$ is on the line, the users make a stupid request, the developer goes along with it, and a Team Lead approves the update.

FAIL.

1 Comment:

Blogger Miss Healthypants said...

Big time FAIL!!

:)

8:57 PM  
