Money Mover (MM) is a public electronic funds transfer network with its head office and major computer switch based in Melbourne. The company has computer switches in each capital city throughout Australia that are linked into a national communications network. Approximately 150 financial institutions-banks, building societies, credit unions-use the network to provide automatic teller machine and point-of-sale services to their customers.

MM has been in operation for only a few years, but during this time it has been very successful. It has used cutting-edge technology, high-quality innovative services, and aggressive pricing to attract customers away from other electronic funds transfer networks. Moreover, any new financial institutions that have entered the Australian market have inevitably selected MM to provide their electronic funds transfer services in preference to other network vendors.

As a consultant specializing in computer controls and audit, you have been hired by the managing director of MM to examine the state of controls within the electronic funds transfer system. She explains to you that an increasing number of potential customers are requesting some type of independent assurance that controls within the system are reliable. Accordingly, the board of directors of MM has decided to initiate a controls review of the entire system so that a third-party "letter of comfort" can be provided to potential customers.

The initial part of your controls review focuses on the main switch in Melbourne. As part of your review of physical access controls, you note one day during a visit that one of MM's system programmers has a card key that provides him with access to the computer room. You interview the supervising operator, and he informs you that all system programmers have similar keys.
As a result of this finding, you interview the managing director to find out why systems programmers have access to the computer room. She argues that they need this access because they are often called in at any hour of the day or night to correct problems "on the fly" that customers are experiencing with the system. For example, customers might be having problems with a communications line, and the system programmer has to diagnose the problem and correct it as soon as possible so that continuous service can be maintained.
You explain to the managing director that you are concerned about the possibility of system programmers undertaking unauthorized activities, particularly if they come in during the middle of the night when no one else is present in the computer room. She laughs and says that system programmers can carry out unauthorized activities any time they want because of their in-depth knowledge of the system. Accordingly, she says that it is useless to exercise any type of physical access controls over them. Besides, she argues there are certain compensating controls over system programmers. First, she has pointed out to the system programmers their responsibility for preserving system security and that they will be fired immediately if any breach of security is discovered. Second, because MM employs only four system programmers, it will not be hard to pinpoint responsibility if any type of irregularity occurs.
Required. In light of the managing director's responses, how will you now proceed with your investigation? What will be the likely implications, if any, of your current findings for the report you will present to the board of directors?