Good morning!
> This is where transformative allowances come in as well, if not logically because no crime can be committed without any evidence.
I really don't share that particular view. Crimes definitely can occur without evidence; there are plenty of examples. The fact that nobody gets convicted, that possibly the crime goes completely undetected, does not mean that no crime occurred.
Let me give you one example of how this could happen: I was in charge of the audit of the 'RSB', a system that controlled a few hundred billion guilders, way back in the day when mainframes were in, the PC/AT was two years old, ran at a whopping 8 MHz and cost as much as a really good second-hand car, and Madonna had just released 'True Blue'. The bank I worked for had, for compliance reasons, two physically separate entities: one to produce the code and the data, and another to keep track of it.
Initially I worked on the side that did the daily audits to make sure that everything was good. The process was specified thus: you will receive about 1/8th of a cubic meter of large-format (132-column) printout at 7:30 AM. You have 30 minutes to manually review this (feel free to use a pocket calculator that can handle 13-digit numbers if you can find one, and be sure to let us know where you found it) and release it; you'd better have a bloody good reason not to release it, because if that should happen there is technically no opening balance for the day. Clearly this is impossible; good luck.
On the first day of my new job, at 7:45, I realized that this was completely impossible, so I went to see my boss. He told me that in practice the only known way to make sure that the most horrific of errors are caught is to go to the last page of the report first, check the two numbers all the way at the bottom of that page and see if they match up; this can be done in less than a minute. And if they match - which they always do - you can safely release the system; it's never been wrong.
So much for the oversight department. About a year later I got accepted as a junior programmer on the other side, and guess what: while there was a formal division between the personal side and the business side of the bank, you had access to everything. This was well before ISO 27001; security was something someone may once have read something about, but we mostly focused on physical security. Once you were 'behind the red rope' you could do just about anything. Sure, we had logins and passwords. Three-letter logins and three-letter passwords were pretty common. The three-letter logins were typically just the initials of the employee, because there wasn't room for much more, so those were trivial to guess, and there was no upper limit on the number of tries on a password. So you could access pretty much all of the code, and while there was a test environment, there was no code review worth mentioning. And frankly, with very few exceptions, most of the programmers weren't all that good. So it would have been trivial to:
- use someone else's account in the right group
- make a bunch of changes to the RSB system
- ensure that the report that went out to the audit department had matching numbers on the last row of the report
- and finally, trigger all this, say, a year after leaving the bank
This likely would never have been discovered, because their whole idea of threat modeling did not for one second stop and look at the 'rogue employee' angle; it was strictly a single line of defense: to get on to the 'floor' you had to have a badge that allowed access. The badges were an older Motorola system, brown plastic casing with a sticker on the front with your picture on it. Inside was a beefy pickup coil all the way around the case and a board with a little computer on it that would respond to being powered up by sending out a serial stream identifying the badge. That was it. No encryption, no challenge/response. And the ID? It could be set with a nice 8-position DIP switch. Guess what ID #001 did?
So all of the requirements for an absolutely perfect crime were there, there would be no evidence and yet a crime would have been committed. There were many other such opportunities, that bank really relied way too much on trust and I would not have been surprised to find out that they had been hacked horribly from the inside without being able to point at the culprit.
The bank was founded in 1918, well before the age of computers, and it processed a small mountain of paper every day. On that front their procedures were pretty good. But on the digital side they were - frankly - absolutely hopeless. The gear they used then was old enough that some of it was still labelled 'Sperry Rand', a name the company had not been fielding for about a decade at that time. IT was a cost, security was non-existent, and any half-competent coder would have seen 1001 possibilities to defraud that bank and get away with it cleanly. Maybe some even did.
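The release check described in the post (look at the last page, see whether the two totals agree) is worth seeing in code, because it makes obvious why it has no power against an insider who also produces the report. The example below is an added illustration, not code from the post or from the bank's systems; the ledger, account numbers and amounts are constructed, and the entry layout (one debit and one credit column per line) is an assumption. It shows that a tampered batch in which a credit is simply re-pointed to another account leaves both footer totals unchanged, so the last-page check passes, while a line-by-line reconciliation against an independently held copy of the batch catches it immediately.

```python
from dataclasses import dataclass
from decimal import Decimal
from itertools import zip_longest
from typing import Dict, List, Optional, Tuple

# Constructed sample data: hypothetical account numbers and amounts.
# Nothing here is taken from the bank or the RSB system in the post.


@dataclass(frozen=True)
class Entry:
    account: str
    debit: Decimal
    credit: Decimal


def opening_ledger() -> List[Entry]:
    # A few balanced postings: every debit is matched by a credit elsewhere.
    return [
        Entry("1001", Decimal("250000.00"), Decimal("0.00")),
        Entry("2002", Decimal("0.00"), Decimal("250000.00")),
        Entry("3003", Decimal("9950.50"), Decimal("0.00")),
        Entry("4004", Decimal("0.00"), Decimal("9950.50")),
    ]


def footer_totals(entries: List[Entry]) -> Tuple[Decimal, Decimal]:
    # The "two numbers at the bottom of the last page": total debits, total credits.
    total_debit = sum((e.debit for e in entries), Decimal("0"))
    total_credit = sum((e.credit for e in entries), Decimal("0"))
    return total_debit, total_credit


def release_check_last_page(entries: List[Entry]) -> bool:
    # What the daily audit amounted to in practice: do the two totals agree?
    total_debit, total_credit = footer_totals(entries)
    return total_debit == total_credit


def redirect_credit(entries: List[Entry], from_account: str, to_account: str) -> List[Entry]:
    # Insider tampering: re-point every credit on from_account to to_account.
    # No amount changes, so both footer totals are identical to the honest
    # report and the last-page check cannot distinguish the two.
    return [
        Entry(to_account, e.debit, e.credit)
        if e.account == from_account and e.credit > 0
        else e
        for e in entries
    ]


def per_account_balances(entries: List[Entry]) -> Dict[str, Decimal]:
    # Net movement per account (credit minus debit); this is where the
    # redirected money shows up even though the grand totals do not move.
    balances: Dict[str, Decimal] = {}
    for e in entries:
        balances[e.account] = balances.get(e.account, Decimal("0")) + e.credit - e.debit
    return balances


def reconcile(
    expected: List[Entry], actual: List[Entry]
) -> List[Tuple[int, Optional[Entry], Optional[Entry]]]:
    # Line-by-line comparison of the released report against a copy of the
    # input batch that the oversight side holds independently of the
    # programmers. Returns (line_number, expected, actual) for every line
    # that differs; a missing side is reported as None.
    return [
        (line_no, a, b)
        for line_no, (a, b) in enumerate(zip_longest(expected, actual), start=1)
        if a != b
    ]


if __name__ == "__main__":
    honest = opening_ledger()
    tampered = redirect_credit(honest, from_account="2002", to_account="9999")
    print("last-page check, honest  :", release_check_last_page(honest))
    print("last-page check, tampered:", release_check_last_page(tampered))
    print("footer totals identical  :", footer_totals(honest) == footer_totals(tampered))
    print("account 9999 now holds   :", per_account_balances(tampered).get("9999"))
    for line_no, exp, act in reconcile(honest, tampered):
        print(f"line {line_no}: expected {exp}, report shows {act}")
```

The design point is independence, not arithmetic: the check only means something if the auditor's reference numbers come from a source the person producing the report cannot write to. Comparing two totals that were both printed by the same batch job, as in the post, verifies only that the job's own addition is internally consistent.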