When you think of computer crime, you immediately think of Internet fraud, hacking, viruses or other external threats to an organization.
However, all too often, the internal threats are the silent, more sinister risks with a high price of failure to address them. Organizations must look closer to home to consider the full spectrum of risk and how their own computers may be used against them.
Consider the role of your computer as a potential accomplice, protector and informer.
PricewaterhouseCoopers' recent European Economic Crime survey suggests that around 60 per cent of fraud is perpetrated by an organization's own employees. Given that most businesses are dependent on computers, it is likely that much of the fraud perpetrated by employees involves the use of a computer in some form or another.
Typical examples include:
- Misappropriation of confidential information held electronically
- Manipulation of payment systems to divert payments
- Manipulation of finance or other systems to hide misappropriation of funds, inventory or other assets
- Creation of ghost employees and suppliers
- Creation of false invoices in collusion with suppliers or to support fraudulent expense claims.
So what can you do with your IT systems to minimize the risk of fraud? The two key areas are access controls and segregation of duties.
Every computer user should be well versed on the importance of restricting access to information and the use of passwords.
Access to sensitive information and systems should only be granted to specific employees who require access to perform specific duties. No user should have 'just in case' access. It is often the case that users who do not normally require access to sensitive systems are granted access 'just in case' another user is away on annual or sick leave. However, granting additional access compromises the effective segregation of duties between employees and may create opportunities for the potential fraudster to alter sensitive information. Temporary amendments to user profiles to provide additional access should only be made as and when required and these changes should be made as quickly as possible to minimize disruption.
Passwords are also of critical importance. All computer users should understand the importance of ensuring that passwords are secret, secure, are not obvious and are changed regularly to avoid being 'guessed' by a potential fraudster. However, password control procedures must also be flexible to ensure that there is no negative effect on computer security and a balance has to be struck between passwords that are difficult to crack, and those that are simple to remember.
To create strong and secure passwords leads to users having to remember an increasing number of different passwords, including a proliferation of passwords to access various work-related web sites. Users are also forced to change passwords regularly and must combine letters and numbers for many passwords.
The above scenario may result in users writing down passwords that are difficult to remember, and possibly creating an opportunity for the potential fraudster. Organizations should consider the likely effects on users of password control procedures.
Fortunately, user provisioning and access control technologies are now maturing; these enable organizations to reduce the number of different passwords a user has to remember, enabling users to choose (and remember) a single strong password rather than a multitude of weak ones.
Segregation of duties
For internal controls to work effectively and make fraud difficult to commit without collusion, there are certain duties that should not be performed by the same person. This segregation of duties is particularly important within the finance department. For example, an employee who is able to post purchase invoices to the finance system and also create supplier accounts may post a fraudulent invoice to a supplier account set up by him or herself. This invoice may then be processed for payment either through a bank transfer to an account held by the employee or by a check sent to his or her home or other address.
Or, an employee who is able to post purchase invoices and process the payments of these invoices may post a fraudulent invoice to an existing supplier account. The employee may then divert the payment of the invoice, either through altering the account number on a bank mandate authorizing the payment via a bank transfer, or by incepting the check payment before it is mailed out.
Simply assigning duties appropriately among staff is not sufficient. Appropriate access controls should be set up to prevent employees performing conflicting duties.
An important but regularly overlooked risk is the user profile of the finance director and senior accountants within the finance department. Senior members of the finance department should not have full access to the finance system. Their responsibilities are usually restricted to monitoring and authorizing the work of junior staff and their access to the finance system should reflect this. For example, the finance director would not ordinarily process invoices, so access to the system should prevent him or her from doing so.
The simple fact that a user ID allowing full access to the system may exist creates a risk that the user ID and password may fall into the wrong hands and create an opportunity for the potential fraudster. Similarly, no member of the finance department should have access to set up or amend user profiles on the finance system, as this should be done outside the finance department.
Increasingly, businesses are using enterprise resource planning (ERP) packages to handle their accounting records and purchase ledger. ERP packages normally have very complex and flexible rules for allowing and restricting access to activities. It is very important that businesses that use ERP software test during its implementation that their configuration does not create segregation issues, and periodically repeat the testing post-implementation. Automated audit tools exist that can identify potential segregation issues quickly and efficiently.
The fact that computers are used to facilitate fraud means that computer evidence may also be available to detect the crime.
Data analysis and interrogation techniques may be routinely applied to vast amounts of data to identify unusual patterns within the data or specific potentially suspicious transactions. For example, an analysis of purchase orders may identify a cluster of orders around a certain value. This cluster may correspond to an authorization limit, whereby orders above the limit require authorization but orders below the limit do not. The cluster can occur when a single purchase order is broken into many smaller orders, each just below the authorization limit, to avoid seeking authorization and facilitate procurement fraud.
Audit software may be used to obtain the optimum benefit from data analysis techniques, and is a powerful query tool for analyzing and cross-matching almost unlimited amounts of data from different sources and in different formats.
On discovery of a fraud or potential fraud, crucial evidence may be gathered from computers. However, care must be taken to ensure that the method of gathering evidence does not result in the evidence being successfully challenged or inadmissible in court. It is therefore important not to simply turn on a computer and browse through files looking for evidence. In fact, simply turning on the computer can compromise the integrity of any evidence subsequently gathered. Instead, an exact copy of a computer's hard drive should be taken using specialist disk imaging hardware and software. A fraud response plan that includes guidance on how to secure and gather electronic evidence, is therefore essential.
Disk imaging has more immediate benefits as significant evidence can be gathered from outside the conventional file structure to retrieve complete or fragments of deleted files that have yet to be overwritten from the free space and slack space of the hard drive.
The most common threat of economic crime against an organization comes from within. Measures to address external threats are important, but organizations must also focus their efforts on ensuring that internal controls and procedures are effective in countering the significant internal threat from their own computers.
Martin Dougall is a forensic accountant with PricewaterhouseCoopers, based in Edinburgh, Scotland. He is a specialist in dispute analysis, fraud and other financial investigations. Martin can be contacted at firstname.lastname@example.org