Yep, agreed. I worked in IT related departments and the only way to change data, other than a prescribed auditable process, was to change the raw data field on the system. This could only be done with a lot of blood letting and management control.
Much is to do with whoever audited the system. It was suggested in the hearing today that it had been audited several times - I find that amazing. Auditors need naming and shaming.
I worked in IT for many years, specifying and system testing fairly major computer systems for a major financial institution. Testing was really rigorous and covered every eventuality and it would never go into production until it had been signed off to death.
I suspect that it wasn’t properly...