Fraudsters are cunning individuals who manipulate systems and processes to their advantage. They find and exploit control weaknesses, using loopholes to obtain valuables fraudulently. Many are trusted insiders (often managers with good career records) and, as such, are largely above suspicion. This combination of cunning and trust makes it practically impossible to stop fraud completely, but a lot can be done to reduce the risks.
In order to specify appropriate controls, we would normally start with a risk assessment that specifically considers potential fraud scenarios. Working with a group of managers, IsecT consultants facilitate creative thinking along the lines of “If we were so inclined, how might we defraud our systems?”. Our real-world experience of information security breaches and frauds gives us plenty of ideas about the technical and procedural vulnerabilities that may be exploited. We also lead the group through a discussion of how fraudsters might get away with the loot: breaching system access controls is not enough unless the fraudsters can also move and conceal the proceeds (for example by money laundering), so the scenarios need to cover the whole chain from initial access to cashing out.
Moving on, we help clients design controls to prevent, detect and/or correct frauds. Typical examples are improved access controls for sensitive data and transactions, silent alarms, discrepancy and exception reports, audit trails, fraud contingency plans and so on. HR procedures for identifying and monitoring individuals with above-average fraud potential may be appropriate, as fraudsters sometimes give themselves away through indicators such as an excessively lavish lifestyle (‘living beyond their visible means’). A “whistleblowers’ charter” and a mechanism for reporting potential frauds anonymously may be useful too. Contingency plans for other disasters can often be adapted to fraud situations (e.g. forming a small crisis management team to initiate an immediate response, protect forensic evidence and manage the full resolution). Do your contingency/business continuity plans cover major information security breaches such as fraud?
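To make “discrepancy and exception reports” and “audit trails” concrete, here is an added example (not IsecT’s code, nor part of the original page) of a small exception report run over a constructed payment audit trail. It flags the classic insider indicators: the same person creating and approving a payment (a segregation-of-duties breach), approvals outside business hours, payees not on the approved vendor list, amounts sitting just under an approval threshold (structuring), records whose details changed between creation and approval, and approvals with no matching creation record. The log format, field names, rule names, the 10,000 threshold, the 08:00–18:00 business day and every sample record are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit trail (not real data):
# timestamp, user, action, payment id, payee, amount
SAMPLE_AUDIT_TRAIL = """
2024-03-01T09:12:00,alice,CREATE,P1001,Acme Ltd,4200.00
2024-03-01T10:05:00,bob,APPROVE,P1001,Acme Ltd,4200.00
2024-03-02T17:40:00,carol,CREATE,P1002,Zenith Supplies,9950.00
2024-03-02T17:41:30,carol,APPROVE,P1002,Zenith Supplies,9950.00
2024-03-03T22:15:00,dave,CREATE,P1003,Orion Consulting,7200.00
2024-03-03T22:16:00,erin,APPROVE,P1003,Orion Consulting,7200.00
2024-03-04T11:00:00,alice,CREATE,P1004,Acme Ltd,15000.00
2024-03-04T14:30:00,bob,APPROVE,P1004,Acme Ltd,15000.00
2024-03-05T09:30:00,alice,CREATE,P1005,Acme Ltd,3100.00
2024-03-05T09:45:00,bob,APPROVE,P1005,Acme Ltd,31000.00
2024-03-06T16:00:00,dave,APPROVE,P1006,Orion Consulting,2500.00
"""

# Assumed approved-vendor list for the example.
APPROVED_PAYEES = {"Acme Ltd", "Orion Consulting"}


@dataclass
class Event:
    ts: datetime
    user: str
    action: str        # "CREATE" or "APPROVE"
    payment_id: str
    payee: str
    amount: float


def parse_audit_trail(text):
    """Parse the comma-separated audit lines into Event records, skipping blanks/comments."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, pid, payee, amount = [f.strip() for f in line.split(",")]
        events.append(Event(datetime.fromisoformat(ts), user, action.upper(), pid, payee, float(amount)))
    return events


def exception_report(events, approved_payees, approval_limit=10000.0, business_hours=(8, 18)):
    """Return a list of {payment_id, rule, detail} findings, one per triggered rule."""
    by_payment = defaultdict(dict)
    for e in events:
        by_payment[e.payment_id][e.action] = e   # one CREATE and one APPROVE expected per payment

    findings = []
    start_hour, end_hour = business_hours
    for pid, acts in sorted(by_payment.items()):
        created, approved = acts.get("CREATE"), acts.get("APPROVE")
        if created is None or approved is None:
            # An approval with no creation record (or vice versa) means the trail was bypassed or tampered with.
            missing = "CREATE" if created is None else "APPROVE"
            findings.append({"payment_id": pid, "rule": "INCOMPLETE_TRAIL", "detail": f"no {missing} event"})
            continue
        if created.user == approved.user:
            findings.append({"payment_id": pid, "rule": "SEGREGATION_OF_DUTIES",
                             "detail": f"{created.user} both created and approved"})
        if created.payee not in approved_payees:
            findings.append({"payment_id": pid, "rule": "UNAPPROVED_PAYEE", "detail": created.payee})
        # Amounts within 5% below the limit are a structuring indicator (splitting to dodge a second signature).
        if 0.95 * approval_limit <= created.amount < approval_limit:
            findings.append({"payment_id": pid, "rule": "JUST_UNDER_LIMIT",
                             "detail": f"{created.amount:.2f} vs limit {approval_limit:.2f}"})
        if not (start_hour <= approved.ts.hour < end_hour):
            findings.append({"payment_id": pid, "rule": "OUT_OF_HOURS_APPROVAL",
                             "detail": approved.ts.isoformat()})
        if created.payee != approved.payee or created.amount != approved.amount:
            # Details changed between creation and approval: the record was edited after review.
            findings.append({"payment_id": pid, "rule": "RECORD_MISMATCH",
                             "detail": f"created {created.payee}/{created.amount:.2f}, "
                                       f"approved {approved.payee}/{approved.amount:.2f}"})
    return findings


def rules_by_payment(findings):
    """Collapse the findings into {payment_id: set(rule names)} for quick review."""
    summary = defaultdict(set)
    for f in findings:
        summary[f["payment_id"]].add(f["rule"])
    return dict(summary)


if __name__ == "__main__":
    report = exception_report(parse_audit_trail(SAMPLE_AUDIT_TRAIL), APPROVED_PAYEES)
    for f in report:
        print(f"{f['payment_id']}  {f['rule']:<24} {f['detail']}")
```

In the constructed data, P1002 trips three rules at once (self-approval, unknown payee, amount just under the limit), P1003 is approved late at night, P1005’s amount was altered after creation, and P1006 has an approval with no creation record; P1001 and P1004 pass clean. A real report would run on the system’s genuine audit log, be generated by someone independent of the people who raise and approve payments, and be reviewed on a schedule so that a single suspicious line is followed up rather than buried.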
As with other governance controls, anti-fraud controls have to be tested, implemented and maintained properly to stay effective. Our independence and experience give us a particular advantage over most internal staff when testing controls, and we can help clients design and implement appropriate processes for maintaining and managing their controls (e.g. regular and ad hoc reviews by independent auditors).
Finally, IsecT can assist in the event of a potential fraud being uncovered. Taking full account of the need to preserve evidence in case of future prosecution, we can investigate and document the situation and, in parallel, apply additional lock-down controls to stop the fraud in its tracks. We would normally expect to coordinate with other third-party specialists (e.g. the police and IT forensics specialists) as well as your own managers and staff as appropriate (e.g. Legal and HR) during an investigation, using your fraud contingency plans where available (you do have fraud contingency plans, don’t you ... ?).