In honor of throwback Thursday let me take you on a journey down memory lane to reminisce about Office Space, a light hearted and irreverent comedy starring Ron Livingston and Jennifer Aniston.
Spoiler alert! (Actually, if you haven’t seen the movie during the last 17 years I don’t feel bad.)
Peter, played by Ron Livingston, enlists the help of his coworkers Michael and Samir to embezzle money from their employer Initech. The trio manages to tamper with the accounting system using a computer virus and siphon (or salami slice) money into one of Peter’s personal bank account.
Their motivation? To retaliate against Initech after Peter learns Michael and Samir’s jobs are next on the company’s chopping block.
There is one minor (okay, major) hiccup. While developing the code, Michael puts the decimal point in the wrong place. Rather than skimming fractions of a cent per transaction into Peter's account, hundreds of thousands of dollars appear on the first day. Oops!
Let’s discuss a few of the cringe-worthy internal control failings. It’s lucky (or unlucky, depending on how you look at it) that Initech didn’t have to comply with Sarbanes-Oxley 404.
Fail #1: Initech exhibits poor segregation of duties.
One would hope that logical access to programs and data is restricted to authorized individuals. It’s safe to say it isn’t at Initech.
Here’s how we can tell. Peter’s job is to update code to prepare Initech for Y2K. He shouldn’t have access to upload a virus to infect the accounting system. What happened to segregation of duties? According to the ISACA Journal, auditors expect that the "person who puts an application into operation should be different from the programmers in IT who are responsible for the coding and testing."
However, it does appear neither Michael nor Samir have the same access as Peter since they have an epic floppy disk hand-off in the movie. That indicates some programmers and developers (excluding Peter) do not have access to production. We will give Initech some credit for that at least. Either way, it’s time for a user audit to restrict access privileges.
Fail #2: Initech has unclear logical access policies after employee termination.
Michael and Samir are walked off of the Intech property the day they are fired. Good news, we know Initech at least has a physical access termination policy! Yippee. It might be stretch, but let’s assume their logical system access was also revoked and they cut off system access immediately.
It’s a bit of a grey area since it is not explicitly discussed in the movie. As auditors, let’s hope so because that’s grounds for a notable control deficiency.
Fail #3: Initech is fostering a breeding ground for collusion.
Although collusion is technically not an internal control, it is definitely a control consideration.
Initech didn’t see the writing on the wall when it comes to collusion. Why on earth would the Bobs tell Peter that his friends were getting canned? That’s the perfect rationalization for fraudulent activities. Duh.
While you can’t stop a mob of angry people, establishing controls to deter and detect fraud is a good start. No single character in Office Space had the know-how or means to execute the scheme alone.
Alright, it’s your turn. What in Office Space drove you crazy? Do have a stapler obsession? We won’t judge… much.