What processes or controls might the stadium and First Union have implemented to help reduce these risks?

What will be an ideal response?

---

One of the most crucial controls that both the stadium and First Union should have implemented
is thorough testing of all proposed system changes. Before any system change is implemented, both
the bank and stadium personnel most likely performed extensive testing and review of the system.
Testing of the entire sales capturing and downloading processes should have been performed with
realistic volumes of realistic data. Initial implementation of certain processes of the system (such as the
download to the bank) might have been done in parallel to old processes to be certain the system was
functioning before reliance was placed on that system. For example, reports could be printed for each
POS machine before downloading to the stadium computer. Those reports could then be reconciled to
printouts from the stadium computer. Similarly, reports could be printed from the stadium computer
before the download to the bank. Those reports could then be reconciled to printouts subsequently
generated by First Union. In addition, both the stadium and bank personnel most likely worked together
to design specific back-up contingency plans in the event of a disaster.
Stadium Specific Procedures
Stadium management should have implemented procedures to ensure that all POS machines are
regularly tested for accuracy. POS machines most likely were accompanied with battery backups that
would power the POS machines in the event the original power source fails. Perhaps the frequency
of downloads of data from POS machines to the stadium computers was set to occur periodically
throughout a game rather than just once at the end of a day’s sales. Or, perhaps the POS machines
regularly updated backup disks stored in the machines. In any event, backup copies of POS machine
data should have been created before the download to the stadium computer in case the download
process fails and the data was lost during the download process. The stadium computers could also have
been used to create backup copies of data files before downloading to the First Union computer. This
would have allowed stadium personnel to later cross-check information against First Union’s processed
reports. In addition, stringent check-out and check-in procedures should have been implemented to
establish effective controls over the POS equipment. All POS machines most likely were assigned a
unique serial number that would assist the check-in and check-out process. These controls would help
to ensure that all POS machines were downloaded to the stadium computer.
The software used to process individual transactions using the POS machines could have
been programmed to include reasonableness checks and other internal controls to verify the accuracy
of transactions. For example, the software might have included a control that rejects transactions
that exceed an usually large dollar amount. And, the software could have been designed to process
transactions only when a valid product number is entered.
Stadium management should have installed procedures that restrict the ability to update price
list master files that the POS machines use to process sales. Controls should have been in place to
regularly update master files and that restrict the ability to update those files.
Stadium management most likely made sure that all POS operators were suitably trained in
the operation of the POS machines. Personnel involved in both generating sales and downloading data
should have received thorough training on all aspects of those tasks.
First Union Specific Procedures
In addition to the system development contingency and backup controls noted above, First Union
most likely established effective backup contingency plans for the computer at its facilities. Given that
many customers would be relying on Spot Card technologies, numerous parties would be negatively
impacted by a malfunctioning computer at First Union. The bank should have invested sufficiently in
developing backup plans to be implemented in the event of a disaster.
In addition to failure of the bank’s computer, the bank would need controls to ensure that data
being transmitted from the stadium to the bank is not altered or deleted during transmission. The use
of batch control totals and the use of encryption techniques would reduce the potential for errors in
transmission.