Post on 25-Dec-2015
SO-002
IT Fraud and the Finance Function
Vancouver, Toronto, Calgary, Winnipeg, Halifax and Montreal
November, 2005
In collaboration with
Defeat IT Fraud with Strategic Initiatives
Tony Dimnik, Queen’s School of Business
Botticelli’s Chart of Hell circa 1480 (also painted Birth of Venus)
Dante’s Inferno circa 1310
Those who commit Violence
Those who commit Fraud
Traitors
Circle 8 – The Fraudulent
Those guilty of deliberate, knowing evil
Worse than murderers
Slightly better than traitors if external
No better than traitors if internal
Gustave Doré 1867
Agenda
Defeat IT Fraud with Strategic Initiatives
Definition and size-up of IT fraud
Start with Tone at the Top
Choice of cultures: fear or security
Establishing and evaluating culture with CoCo
Kidder Peabody example
Fighting Fraud Through Data Governance
People, Process and Technology
IT Fraud
Where a financial loss or malicious damage has been sustained by an organization, which has been facilitated by the use of IT in some way
Theft of financial resources from organization, suppliers or customers
Theft of time and other resources
Extent of Fraud
10% of organizations suffer serious IT fraud each year
North American IT fraud costs hundreds of billions of dollars each year
Damage to reputation due to IT fraud slices 8% to 13% off market value of public companies
Every survey shows IT fraud at top or near the top of CFOs’ concerns
IT Fraud Issues
Legislation (e.g. COSO and SOX) – reporting requirement and personal liability
Litigation – black hole in terms of time and money
Publicity of high profile frauds – damage to personal and corporate reputation
Increasing demands by insurance industry – onerous standards
External and global sourcing – magnifies risk
Insurance industry – ChoicePoint – compromised tens of thousands of clients
Credit cards – CardSystems Solutions – exposed information from 40 million customers
Business Schools – ApplyYourself – disgruntled Harvard applicant publicized breach on Internet
Key to IT Fraud Initiatives: Tone at the Top
Standards and literature claim Tone at the Top is key to prevention of IT fraud
Study of IT audits showed that Tone at the Top is most important criterion in assessing IT security
Tone at the Top is more important than:
Software
Logical controls
Physical controls
Auditors assessed tone by asking about management’s emphasis on and support for security policies and procedures and resource commitments
Security Controls and Management Tone
T. Kizinian and W. R. Leese, Internal Auditing, March/April 2004
Tone at the Top Options
Culture of fear
Culture of security
Culture of Fear
Responses triggered by events
Adopts a “fortress” strategy
Compliance is sufficient
CIO or CTO responsibility
Punishment oriented – requires monitoring and systems that may impede legitimate business
Motivated by fear
Vendors and consultants
Media
Problems with Culture of Fear
Fear is a short-term motivator
Responds to failures after the damage is done
Underestimates costs of failures and costs of prevention (e.g. time lost in dealing with security issues and systems)
Someone else’s problem
Lowers morale and creates “us vs. them” mindset
Culture of Security
Motivated by desire for excellence
Holistic understanding of security
Aims to prevent fraud
Compliance is necessary but not sufficient for security
Organizational responsibility
Conscious strategy for Tone at the Top and culture
Standards and Assessment Tools
COSO and SOX
Control Objectives for Information and Related Technology (COBIT) and Information Technology Control Guidelines (ITCG)
Need management and assessment tool specifically for Tone at the Top and Culture of Security
Criteria of Control Model of Control (CoCo)
Purpose
Commitment
Capability
Action
Monitoring & Learning
CoCo is a good management and assessment tool for Tone at the Top and Culture of Security.
Applying CoCo to Create a Culture of Security
Tone at the Top and Concrete, Comprehensive and Catholic Policy
Democracy and Rewards
Training and Resources (Systems and Technology)
Doing the right thing and Doing it in the right way
Purpose
Develop a policy on IT fraud
Concrete - written
Comprehensive
Boundaries
Procedures
Vision (ethics)
Catholic - involves everyone in the organization (e.g. receptionists)
Set tone at the top
Follow policy – act as role model
Understand security issues and systems – communicate with CIO
Sell policy up, down and across organization
Commitment
Congruent rewards
Folly of rewarding A, while hoping for B
Fairness
Democratic principles – one of nine principles from OECD Guidelines for the Security of Information Systems and Networks
Capability
Regular training
Understanding of policy
Alertness and inoculation to potential problems
Specific responses (e.g. who to call if the supervisor is the suspect)
Feedback
Current technology
Monitoring and Learning
Are we doing the right thing?
Are we doing it in the right way?
Discuss successes and failures (don’t build a firewall against bad news)
Apply monitoring tools to ensure that senior management has the opportunity to focus on the big picture
Kidder Peabody Fraud Case
Financial institution founded in 1824 and acquired by GE in 1986
Hired Joseph Jett in 1991 to trade US government bonds
Jett’s conversion of STRIPS to bonds and vice versa showed as profit on computer system even though there was no economic gain – like showing a profit on breaking a $20 bill
Kidder Peabody management and staff richly rewarded
Kidder Peabody announced a $350 million charge for false trading profits in 1994
GE sold company – more than 2,000 lost jobs
Principals received slaps on wrists but still struggling with legal issues 10 years later – Dante’s Purgatory
CoCo and Kidder Peabody
Management did not understand business or IT system
No clear fraud policy
Hoping A, rewarding B
Us vs. them mindset
No training
Poor technology and systems
No monitoring
Acceptance of status quo
Summary
Defeat IT Fraud with Strategic Initiatives
Start with Tone at the Top
Create a Culture of Security
Use CoCo to manage and evaluate culture
Fighting Fraud Through Data Governance
People, Process and Technology
References
OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security http://www.oecd.org/dataoecd/16/22/15582260.pdf
The Carnegie Mellon Software Engineering Institute: Governing for Enterprise Security http://www.sei.cmu.edu/pub/documents/05.reports/pdf/05tn023.pdf