The document discusses fraud risk analysis and security management. It notes some disturbing statistics about occupational fraud from a global fraud study. It then outlines how fraud is typically detected, where tips come from, and common controls used. The presentation aims to help businesses manage risks of loss from fraud and inadequate security. It covers assessing fraud risks, reviewing internal controls, and managing information technology security through regular assessments, purchasing considerations, and effective use of controls.
How Secure is your Business? Fraud Risk Analysis and Security Management
1. Presented by:
William H. Brown, CPA, CFFA, CFE
GAIN CONTROL
www.berrydunn.com
2. What is the problem?
Some statistics from the “Report to the Nations on Occupational Fraud and Abuse – 2010 Global Fraud Study”, published by the Association of Certified Fraud Examiners:
[Chart values shown on the slide without their labels: 5.0%, $231,000; 37.8%; 30.8%, $155,000]
7. Objective
Provide you with information to help you manage the business risks of loss due to fraud and inadequate IT security…
…not to prevent, detect and prosecute all instances of fraud and stamp out all evil regardless of the cost.
8. What Can I Tell You That Will Help?
• Overview of Fraud
• Fraud Risk Analysis
• IT Security Management
9. What is Fraud?
• U.S. Alleges Poker Site Stacked Deck - Wall Street Journal, September 21, 2011
• Focus on Goldman Ex-Director - Wall Street Journal, September 21, 2011
• Maine Man Facing Charges of Securities Fraud - Portland Press Herald, February 18, 2011
10. What is Fraud?
• Financial statement fraud
• Asset misappropriation
• Corruption
11. Loss Prevention
• Fraud prevention
• Fraud monitoring
• Fraud detection
• Security
12. Fraud Risk Analysis
• Internal control review
• Fraud risk checkup
• Fraud risk assessment
14. Key Areas of Checkup
• Fraud risk oversight and ownership
• Fraud risk assessment
• Risk tolerance/policy
• Controls
– Process level
– Environment level
• Proactive detection
15. Fraud Risk Assessment
A series of questions to help an organization identify risk areas and respond to those risks.
16. Results of Assessment
• Results should allow the organization to:
– Identify potential inherent fraud risks
– Assess likelihood and significance of occurrence
– Evaluate people and departments most likely to commit fraud
– Identify and map preventative and detective controls
17. Results of Assessment
• Results should allow the organization to:
– Evaluate whether identified controls are working
– Identify fraud risks resulting from lack of control/ineffective controls
– Develop a response
18. Typical Assessment Areas
• Employees
• Physical controls
• Cash
• Purchasing and billing
• Proprietary information/intellectual property
• Corruption
19. Employee Assessment
• Are employees afraid to deliver bad news to management?
• Are employees required to take annual vacations?
• Are the duties related to authorization, custody of assets, and recording or reporting of transactions segregated?
20. Physical Control Assessment
• Does the organization conduct pre-employment background checks to identify previous dishonest or unethical behavior?
• Does the organization provide an anonymous way to report suspected violations of the ethics and anti-fraud policies?
• Does the organization restrict access to computer systems with sensitive documents?
21. Cash Receipts Assessment
• Does a person independent of the cash receipts and accounts receivable functions compare entries in the cash receipts journals with the bank deposit slips and bank deposit statements?
• Is an independent listing of cash receipts prepared before the receipts are submitted to the cashier or accounts receivable bookkeeper?
• Is job or assignment rotation mandatory for employees who handle cash receipts and accounting duties?
22. Purchasing Assessment
• Is the master vendor file periodically reviewed for unusual vendors and addresses?
• Are control methods in place to check for duplicate invoices and purchase order numbers?
• Do write-offs of accounts payable debit balances require approval of a designated manager?
23. Proprietary Info Assessment
• Are employees required to use screensaver and/or server passwords to protect unattended computer systems?
• Are employees who have access to proprietary information required to sign noncompete agreements to prevent them from working for competitors within a stated period of time and location?
• Are there policies and procedures addressing the identification, classification, and handling of proprietary information?
24. Corruption Assessment
• Is there a company policy that addresses the receipt of gifts, discounts, and services offered by a supplier or customer?
• Are contracts awarded based on predetermined criteria?
• Are purchasing account assignments rotated?
25. Information Technology Security Management
• Security assessment
• Purchasing
• Fraud prevention suggestions
26. IT Security Assessment
• A typical assessment includes the following areas:
– Organization/Management of IT
– Computer/Network Hardware
– Computer/Network Software
– Network Security Controls
– IT Security and Administration
– Backup and System Recovery
27. IT Security Assessment
• Includes review of documentation, observation and interviews
• Incorporates best-practice guidelines
• Risk ratings
• Recommendations
28. IT Security Assessment
• Examples of specific areas:
– Secure media disposal
– Patch management
– Network design
– Backup procedures
– Mobile devices
29. IT Fraud Prevention Tools
Utilize reporting and monitoring systems already in place.
30. Using IT Controls Effectively
• Assign individual employees their own system IDs.
– Disable usage of generic administrative IDs
– Change administrative passwords every 60 days
– Lock down system IDs
– ENFORCE!
31. Using IT Controls Effectively
• Ensure access to financial accounting systems is compartmentalized, i.e.:
– Users have no way to access the financial database
– IT cannot affect the non-technology reconciliation process
– Limit access to master vendor and customer files
32. Flags and Symptoms
• Missing checks, expense reports, registers
• Multiple and ongoing errors in the accounting system that are unexplained
• Access to the accounting system at odd hours and/or in an unusual way
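A defender-side illustration of the red flags on this slide and the system-ID controls on slide 30, added here as an example and not part of the presentation: it runs a simple rule over a few constructed accounting-system login records and flags generic/shared IDs, access outside business hours, and administrative passwords past the 60-day change cycle. The log format, the generic ID list and the business-hours window are assumptions, not anything the presentation specifies.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the presentation), one login per line:
# "YYYY-MM-DD HH:MM:SS,user_id,action"
SAMPLE_LOG = """\
2011-09-20 09:12:44,jsmith,login
2011-09-20 23:48:10,admin,login
2011-09-21 02:05:31,apayable,login
2011-09-21 10:30:02,mjones,login
2011-09-21 14:02:17,admin,login
"""

# Assumed: the shared/generic IDs slide 30 says to disable.
GENERIC_IDS = {"admin", "administrator", "root", "apayable"}
# Assumed business-hours window: 07:00-18:59 on weekdays.
BUSINESS_HOURS = range(7, 19)
ADMIN_PASSWORD_MAX_AGE_DAYS = 60  # slide 30: change admin passwords every 60 days


def parse_log(text):
    """Turn the CSV-style lines into (timestamp, user, action) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, action))
    return events


def flag_events(events):
    """Return one (timestamp, user, reason) entry per slide-32 style red flag."""
    flags = []
    for ts, user, _action in events:
        if user in GENERIC_IDS:
            flags.append((ts, user, "generic/shared ID in use"))
        if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
            flags.append((ts, user, "access outside business hours"))
    return flags


def password_overdue(last_changed, today, max_age_days=ADMIN_PASSWORD_MAX_AGE_DAYS):
    """True when an administrative password (dates as YYYY-MM-DD) is past its change cycle."""
    age = datetime.strptime(today, "%Y-%m-%d") - datetime.strptime(last_changed, "%Y-%m-%d")
    return age > timedelta(days=max_age_days)


if __name__ == "__main__":
    for ts, user, reason in flag_events(parse_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M}  {user:<10} {reason}")
    print("admin password overdue:", password_overdue("2011-07-01", "2011-09-21"))
```

In practice the same rule would be fed from the accounting system's own audit log, which is the "reporting and monitoring already in place" that slide 29 recommends using.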
33. IT Purchasing Considerations
• Software
– Be aware of privacy and confidentiality issues, laws and regulations
– What is the vendor’s stated commitment in the contract to remediation time after patches are released by operating system companies?
– What is the stated remediation time for security flaws?
34. IT Purchasing Considerations
• Outsourced services
– Does the contract ensure secure processes?
– For credit card payments: PCI compliant?
– Website management: CONFIDENTIALITY AND PRIVACY
35. Remember
• Fraud loss prevention includes preventative measures, monitoring activities and detection.
• Assessments provide a starting point for identifying and addressing the risk.
• Controls are only useful when they are implemented and enforced.
36. Thanks for Attending
Have a Pleasant Afternoon!
Photo from near the Yurt at the top of Pleasant Mountain – Shawnee Peak, sunset on August 20, 2011
37. Contact Information
Bill Brown
bbrown@berrydunn.com
207-541-2208
Eigen Heald
eheald@berrydunn.com
207-541-2311