Detecting Fraud in the Information Age
Internal auditors who understand the growing risk of systems-based fraud also recognize their role in meeting the accompanying audit challenges and regulatory requirements. In conjunction with their company's risk management process, internal auditors in progressive organizations are deploying solutions for continuous transaction monitoring, empowering the auditors to reduce their dependence on sampling-based audits and dedicate more of their time to investigating suspicious transactions flagged by the system.
Fraud From the Inside
While Internet-related hackers make news headlines for disrupting business, stealing intellectual assets, and putting personal information at risk, internal computer fraud remains a dirty little secret of many businesses. Industry experts agree that 60 percent to 70 percent of the financial losses suffered as a result of computer crime come at the hands of authorized insiders, draining from 1 percent to 6 percent of an enterprise's total revenue.
Organizations have historically focused on perimeter defenses, such as network firewalls and virtual private networks, to keep unauthorized outsiders from accessing internal systems. However, reports from Gartner, Yankee Group, and other national research organizations continually point toward authorized insiders as the biggest threat to real financial loss in businesses and government organizations.
Most enterprises don't have to look far to find examples of potential fraud in their business. Systems-based fraudulent schemes can include:
When reviewing purchasing transactions, for example, traditional fraud detection involves looking for vendors with similar billing addresses to those of employees. However, an employee with authorized system access can create a ghost vendor account with an unsuspicious address and then, just before the check-print batch run is processed, go into the system to alter the billing address. After the checks are printed, the employee goes back into the system and re-enters the original credible address.
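A detection check for the address-swap scheme just described, written as an added example for this article rather than code from any monitoring product. It assumes the ERP keeps a change log for the vendor remit-to address and that the check-run timestamp is known; the vendor records, user names and the 48-hour/72-hour windows are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample data: a change log for the vendor master remit-to
# address field, plus the timestamp of one check-print batch run.
CHECK_RUN = datetime(2024, 3, 15, 18, 0)

# (vendor_id, changed_by, timestamp, old_address, new_address)
ADDRESS_CHANGES = [
    ("V100", "jdoe", datetime(2024, 3, 15, 16, 30), "12 Mill Rd, Dayton", "PO Box 771, Reno"),
    ("V100", "jdoe", datetime(2024, 3, 16, 8, 5), "PO Box 771, Reno", "12 Mill Rd, Dayton"),
    ("V200", "asmith", datetime(2024, 3, 1, 9, 0), "5 Oak St, Austin", "9 Elm St, Austin"),
    ("V300", "jdoe", datetime(2024, 3, 15, 17, 10), "1 Pine Ave, Boise", "44 Lake Dr, Boise"),
]

def flag_address_flips(changes, check_run, before=timedelta(hours=48), after=timedelta(hours=72)):
    """Return (flips, unreverted): vendors whose remit-to address was changed
    shortly before a check run and then restored to the prior value shortly
    after it, plus vendors changed before the run but never restored, which an
    auditor should still review."""
    flips, unreverted = [], []
    by_vendor = {}
    for vendor, user, ts, old, new in sorted(changes, key=lambda c: c[2]):
        by_vendor.setdefault(vendor, []).append((user, ts, old, new))
    for vendor, events in by_vendor.items():
        for i, (user, ts, old, new) in enumerate(events):
            # Only changes inside the pre-run window are of interest here.
            if not (check_run - before <= ts < check_run):
                continue
            # Look for a later change that puts the original address back.
            revert = next(
                ((u, t) for u, t, o, n in events[i + 1:]
                 if n == old and check_run <= t <= check_run + after),
                None,
            )
            if revert:
                flips.append({"vendor": vendor, "changed_by": user, "reverted_by": revert[0],
                              "paid_to": new, "original": old})
            else:
                unreverted.append({"vendor": vendor, "changed_by": user, "paid_to": new})
    return flips, unreverted
```

The flagged record carries both the address the check was mailed to and the address that was restored, which is the evidence trail an auditor needs to follow up.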
Finding evidence of fraud with employees who know how to cover their tracks is often difficult. As users become familiar with a system, they figure out the logic behind it and learn how to beat the system — known in the business hackers' world as "gaming the system." Authorized insiders also often circumvent internal controls to bypass inefficient processes. Although this flexibility may be good for boosting productivity, it opens the door for misuse by overriding approvals, creating duplicate accounts, or introducing systems-based errors.
Misuse and abuse of the system often create an opportunity for other less-moral insiders to commit fraud. For example, if an employee sees that an invoice is paid twice or that a single invoice is booked twice without detection or correction, he or she may capitalize on the opportunity to commit fraud by routing the second payment for personal benefit.
As the number of transactions has increased dramatically with automated systems and businesses link more system information with vendors, suppliers, and contractors, fraud has the potential to pervade an enterprise in unforeseen places.
To identify and prevent fraud, organizations are increasingly reliant upon the built-in controls of their ERP applications. However, these controls often come with a lot of baggage. Built-in segregation of duties controls, for example, can protect a company by enforcing a procedure that does not allow the same person to approve an invoice and its related payment voucher. These control functions can be incredibly detailed; maintaining and updating them is often overlooked and viewed as a heavy burden that few organizations are willing to undertake. Keeping up with new users, eliminating old users, and adding new roles for existing users can be a daunting task.
Any individual familiar with internal business processes represents a significant threat. Because a large percentage of computer crimes involve insiders with access to key data transactions, internal auditors are tasked with identifying vulnerabilities within the business systems. Unfortunately, management often overrules resulting audit recommendations for more stringent system controls because the direct costs of implementing and maintaining those controls outweigh the benefits or because the controls introduce unwelcome inefficiencies.
Benefits of Continuous Transaction Monitoring
Continuous transaction monitoring can help assess the effectiveness of system-based controls and complement existing system-generated exception reports. Typical assessments involve examining 100 percent of selected types of transactions to determine whether or not they comply with defined controls. The assessments can also determine if transactions exist for which no controls have been implemented. Internal auditors, empowered with more comprehensive ammunition regarding anomalies, errors, and exceptions can help determine the related control weaknesses and can provide management with more meaningful audit recommendations.
Recently enacted federal legislation introduces requirements related to the financial losses from systems-based fraud. In particular, the U.S. Sarbanes-Oxley Act of 2002 requires many businesses to rethink their internal controls. Section 302 of Sarbanes-Oxley requires public companies to disclose significant internal control deficiencies, whereas Section 404 outlines specific requirements for managers to document the effectiveness of internal controls on financial reporting. Although most organizations are working to meet these requirements, they must also provide a process to continually assess the effectiveness of these documented controls. Continuous transaction monitoring, one solution to this need, suggests four key requirements to effective oversight:
With vigilance over all transactions within a business system, continuous transaction monitoring can be used to recognize the context of a transaction and cross-reference outside data sources. By flagging the transaction — for example, a mailing address that is altered just before payment — and comparing information from various systems, such as Dun & Bradstreet vendor numbers and human resource applications, continuous transaction monitoring builds a case of evidence for internal auditors to pursue.
Continuous transaction monitoring can also help businesses identify transaction errors. For example, a telecommunications company was contacted by one of its vendors to report that the company sent duplicate payments for a single $500,000 invoice. Transaction monitoring allows an enterprise to understand holes in its system and eliminate costly errors.
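A duplicate-payment check of the kind the telecommunications example and the earlier double-booked invoice scenario call for, added here as illustration rather than taken from the article or any product. It assumes a payment ledger with vendor, invoice number, amount and pay date; the ledger rows and the 30-day window are constructed sample values. Beyond the exact case in the text it also catches re-keyed invoice numbers ("INV-1001" vs "inv1001") and same-amount payments under a fresh number.

```python
import re
from datetime import date, timedelta
from itertools import combinations

# Constructed sample payment ledger (not from the article).
# (payment_id, vendor_id, invoice_no, amount, pay_date)
PAYMENTS = [
    ("P1", "V100", "INV-1001", 500000.00, date(2024, 3, 15)),
    ("P2", "V100", "inv1001",  500000.00, date(2024, 3, 29)),   # same invoice, re-keyed
    ("P3", "V200", "A-77",     1250.00,   date(2024, 3, 2)),
    ("P4", "V200", "A-78",     1250.00,   date(2024, 3, 20)),   # same amount, new number
    ("P5", "V200", "A-79",     1250.00,   date(2024, 6, 1)),    # recurring charge, outside window
    ("P6", "V300", "Z-1",      80.00,     date(2024, 3, 3)),
]

def normalize_invoice(no):
    """Collapse formatting differences (case, dashes, spaces, leading zeros)
    so 'INV-1001', 'inv1001' and 'INV 001001' compare equal."""
    compact = re.sub(r"[^A-Z0-9]", "", no.upper())
    return re.sub(r"(?<=[A-Z])0+(?=\d)", "", compact)

def find_duplicate_payments(payments, window=timedelta(days=30)):
    """Return (exact, probable) pairs of payment ids for the same vendor.
    exact: identical normalized invoice number (a true duplicate payment).
    probable: identical amount within `window` under a different invoice
    number, which an auditor should review rather than auto-reject."""
    exact, probable = [], []
    for a, b in combinations(sorted(payments, key=lambda p: p[4]), 2):
        if a[1] != b[1]:            # different vendors: not comparable
            continue
        if normalize_invoice(a[2]) == normalize_invoice(b[2]):
            exact.append((a[0], b[0]))
        elif a[3] == b[3] and b[4] - a[4] <= window:
            probable.append((a[0], b[0]))
    return exact, probable
```

Because the check runs over every payment rather than a sample, the $500,000 duplicate in the example above would be flagged by the enterprise before the vendor had to report it.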
Benefits Versus Costs
In most cases, continuous transaction monitoring directly benefits the bottom line. For every instance of fraud or error that is identified, transaction oversight proves its value. Through diligent maintenance and documentation, it can also reduce the time and costs of implementing the requirements of regulatory compliance.
As technology continues to streamline internal business processes, enterprises should evaluate how these efficiencies might create vulnerabilities that insiders can exploit. Continuous transaction monitoring can easily identify systems-based fraud and help organizations comply with regulations.
Patrick Taylor has more than 15 years' experience in companies such as Internet Security Systems, ORACLE, and Symantec in sales, product management, marketing communications, and channel marketing activities for information security and wireless Internet platforms.
The Institute of Internal Auditors - 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 U.S.A.
+1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org