How to catch the fraudsters@ work
The Hindu Business Line
Partner, Fraud Investigation and Dispute Services, Ernst & Young
Information technology has become indispensable in our lives, and its use is expected to increase as most transactions rely on technology.
According to a recent EY India Survey (Technology frauds: A changing world), 85 per cent of respondents confirmed that more than half of their data is in electronic format, and more than 25 per cent revealed that their organisation experienced technology-related fraud.
While technology has helped businesses scale up and streamline operations, it has also made it easier for fraud perpetrators. With the rapid growth in automation, fraudsters are able to perpetrate frauds without raising suspicion. Furthermore, fraudsters always seem to be ahead of the curve, and organisations are caught completely off-guard.
Consider the following real-life situations:
Company A was in the middle of a highly sensitive transaction. Except for three senior management personnel, no one in the company was aware of the details. Yet, the management found out that critical information had been leaked to outsiders.
Forensic investigation revealed an employee in the technology function configured the CFO’s email access on the server in such a way that emails delivered to the CFO’s system and handheld device were additionally delivered to another handheld device. The employee in question was accessing and leaking the information to a competitor.
Many non-technical personnel, including auditors, are often unaware of these simple flaws in the IT systems — and are thus unprepared for the lurking danger.
Bypassing system controls
Company B implemented a control within the payables process whereby the system would not process payments against duplicate vendor invoice numbers. In order to bypass this, an employee in the purchase function replaced “0” (zero) with “O” (letter O) in vendor invoice numbers and processed duplicate payments.
Lack of basic controls
Company C implemented controls on vendor master access, wherein a new vendor code could be created only by authorised personnel. However, the access right to modify the beneficiary bank account at the time of payment processing (uploading payment details on the bank Web site) was not controlled, thereby permitting alteration of beneficiary details at the time of payment processing.
Vulnerabilities in IT systems, lack of understanding and awareness, and blind reliance on ‘maker-checker’ concept are among key reasons for the increase in IT frauds.
In several cases, during the automation process, organisations unknowingly leave loopholes, which are subsequently misused by fraudsters.
Preventing IT frauds
Companies can adopt the following measures to detect and protect against IT fraud:
- Periodic fraud vulnerability review of IT systems to identify loopholes.
- Adequate segregation of duties.
- Periodic review of access controls to ensure changes on account of separation or role changes are adequately addressed.
- Compliance with password confidentiality policy should be reviewed periodically.
- Establish protocols for review of logs — logs which are important (physical and digital); exact checks to be carried out; process of escalating exceptions.
- Undertake timely review of IT security violation/ exception reports.
- Review of data security should be continuous and not a one-time exercise.