Page 1: SO-002 IT Fraud and the Finance Function
Vancouver, Toronto, Calgary, Winnipeg, Halifax and Montreal
November, 2005
In collaboration with

Page 2: Defeat IT Fraud with Strategic Initiatives
Tony Dimnik, Queen’s School of Business

Page 3: Botticelli’s Chart of Hell, circa 1480 (Botticelli also painted The Birth of Venus)

Page 4: Dante’s Inferno, circa 1310
Those who commit Violence
Those who commit Fraud
Traitors

Page 5: Circle 8 – The Fraudulent
Those guilty of deliberate, knowing evil
Worse than murderers
Slightly better than traitors if external
No better than traitors if internal

Page 6: Gustave Doré, 1867

Page 7: Agenda
Defeat IT Fraud with Strategic Initiatives
Definition and size-up of IT fraud
Start with Tone at the Top
Choice of cultures: fear or security
Establishing and evaluating culture with CoCo
Kidder Peabody example
Fighting Fraud Through Data Governance
People, Process and Technology

Page 8: IT Fraud
Where a financial loss or malicious damage has been sustained by an organization, and has been facilitated by the use of IT in some way
Theft of financial resources from the organization, its suppliers or its customers
Theft of time and other resources

Page 9: Extent of Fraud
10% of organizations suffer serious IT fraud each year
North American IT fraud costs hundreds of billions of dollars each year
Damage to reputation due to IT fraud slices 8% to 13% off the market value of public companies
Every survey shows IT fraud at or near the top of CFOs’ concerns

Page 10: IT Fraud Issues
Legislation and control frameworks (e.g. SOX and COSO) – reporting requirements and personal liability
Litigation – a black hole in terms of time and money
Publicity of high-profile frauds – damage to personal and corporate reputation
Increasing demands by the insurance industry – onerous standards
External and global sourcing – magnifies risk
Examples:
Insurance industry – ChoicePoint – compromised tens of thousands of clients
Credit cards – CardSystems Solutions – exposed information from 40 million customers
Business schools – ApplyYourself – a disgruntled Harvard applicant publicized the breach on the Internet

Page 11: Key to IT Fraud Initiatives: Tone at the Top
Standards and literature claim Tone at the Top is key to the prevention of IT fraud
A study of IT audits showed that Tone at the Top is the most important criterion in assessing IT security
Tone at the Top is more important than:
Software
Logical controls
Physical controls
Auditors assessed tone by asking about management’s emphasis on and support for security policies and procedures and on resource commitments
(Note that the study ranks the criteria auditors use to assess security; it does not say that tone substitutes for the logical and physical controls themselves.)
Source: Security Controls and Management Tone, T. Kizinian and W. R. Leese, Internal Auditing, March/April 2004

Page 12: Tone at the Top Options
Culture of fear
Culture of security

Page 13: Culture of Fear
Responses triggered by events
Adopts a “fortress” strategy
Compliance is sufficient
CIO or CTO responsibility
Punishment oriented – requires monitoring and systems that may impede legitimate business
Motivated by fear, fed by:
Vendors and consultants
Media

Page 15: Problems with a Culture of Fear
Fear is a short-term motivator
Responds to failures after the damage is done
Underestimates the costs of failures and the costs of prevention (e.g. time lost in dealing with security issues and systems)
Security becomes someone else’s problem
Lowers morale and creates an “us vs. them” mindset

Page 16: Culture of Security
Motivated by a desire for excellence
Holistic understanding of security
Aims to prevent fraud
Compliance is necessary but not sufficient for security
Organizational responsibility
Conscious strategy for Tone at the Top and culture

Page 17: Standards and Assessment Tools
COSO and SOX
Control Objectives for Information and Related Technology (COBIT) and Information Technology Control Guidelines (ITCG)
Need a management and assessment tool specifically for Tone at the Top and a Culture of Security

Page 18: Criteria of Control (CoCo) Model of Control
The model has five elements:
Purpose
Commitment
Capability
Action
Monitoring & Learning

Page 19: CoCo is a good management and assessment tool for Tone at the Top and Culture of Security.

Page 20: Applying CoCo to Create a Culture of Security
Purpose – Tone at the Top and a Concrete, Comprehensive and Catholic Policy
Commitment – Democracy and Rewards
Capability – Training and Resources (Systems and Technology)
Action and Monitoring & Learning – Doing the right thing and doing it in the right way

Page 21: Purpose
Develop a policy on IT fraud:
Concrete – written
Comprehensive – covers boundaries, procedures and vision (ethics)
Catholic – involves everyone in the organization (e.g. receptionists)
Set tone at the top:
Follow the policy – act as a role model
Understand security issues and systems – communicate with the CIO
Sell the policy up, down and across the organization

Page 22: Commitment
Congruent rewards – the folly of rewarding A while hoping for B (Steven Kerr, 1975)
Fairness
Democratic principles – democracy is one of the nine principles in the OECD Guidelines for the Security of Information Systems and Networks

Page 23: Capability
Regular training:
Understanding of the policy
Alertness and inoculation against potential problems
Specific responses (e.g. whom to call if the supervisor is the suspect)
Feedback
Current technology

Page 24: Monitoring and Learning
Are we doing the right thing?
Are we doing it in the right way?
Discuss successes and failures (don’t build a firewall against bad news)
Apply monitoring tools so that senior management has the opportunity to focus on the big picture

Page 25: Kidder Peabody Fraud Case
Financial institution founded in 1824 and acquired by GE in 1986
Hired Joseph Jett in 1991 to trade US government bonds
Jett’s conversion of STRIPS to bonds and vice versa showed as profit on the computer system even though there was no economic gain – like showing a profit on breaking a $20 bill
Kidder Peabody management and staff were richly rewarded
Kidder Peabody announced a $350 million charge for false trading profits in 1994
GE sold the company – more than 2,000 lost their jobs
Principals received slaps on the wrist but were still struggling with legal issues 10 years later – Dante’s Purgatory
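In control terms, the $20-bill point is booked profit with no economic substance behind it, and the monitoring the deck asks for is a reconciliation that would have surfaced it. The following is an added example, not code from the presentation or from any Kidder Peabody system: a small Python check that recomputes each trade's economic gain from what actually changed hands (cash plus securities valued at market) and flags any trade whose booked P&L differs from that figure. The trade record layout, the simplified settlement model, the trader IDs and all amounts are constructed assumptions for illustration.

```python
"""Added example: reconcile booked P&L against economic gain.

The booking model is a simplification built around the deck's "$20 bill"
analogy; the trades below are constructed sample data, not Kidder records.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    trade_id: str
    kind: str          # "CONVERT" (STRIPS <-> bond), "BUY" or "SELL"
    trader: str        # hypothetical trader identifier
    booked_pnl: float  # profit the trading system reports for this trade
    cash_in: float     # cash actually received from a counterparty
    cash_out: float    # cash actually paid to a counterparty
    value_in: float    # market value of securities received
    value_out: float   # market value of securities delivered


def economic_gain(t: Trade) -> float:
    """Gain measured by what changed hands, valued at market today.

    A conversion swaps a bond for its own coupon and principal pieces (or
    back again), so value_in == value_out, no cash moves, and the gain is
    zero: breaking a $20 bill into two tens is not a profit.
    """
    return (t.cash_in + t.value_in) - (t.cash_out + t.value_out)


def phantom_profit(t: Trade, tolerance: float = 0.01) -> float:
    """Booked profit that economic gain does not support (0.0 if none)."""
    gap = t.booked_pnl - economic_gain(t)
    return gap if abs(gap) > tolerance else 0.0


def flag_trades(trades, tolerance: float = 0.01):
    """(trade_id, unsupported profit) for every trade failing the reconciliation."""
    return [
        (t.trade_id, round(phantom_profit(t, tolerance), 2))
        for t in trades
        if phantom_profit(t, tolerance) != 0.0
    ]


def conversions_with_profit(trades):
    """Cheaper rule that needs no market values: a STRIPS/bond conversion
    should never book a non-zero profit on its own."""
    return [t.trade_id for t in trades
            if t.kind == "CONVERT" and abs(t.booked_pnl) > 0.01]


def phantom_by_trader(trades):
    """Accumulate unsupported profit per trader: a pattern, not one slip,
    is what should reach senior management (the deck's "big picture")."""
    totals: dict = {}
    for t in trades:
        totals[t.trader] = totals.get(t.trader, 0.0) + phantom_profit(t)
    return {trader: round(total, 2) for trader, total in totals.items()}


# Constructed sample trades (hypothetical IDs and amounts).
SAMPLE_TRADES = [
    # Genuine sale: bond worth 1,000,000 sold for 1,002,000 cash -> real 2,000 gain.
    Trade("T1", "SELL", "trader-A", 2_000.0, 1_002_000.0, 0.0, 0.0, 1_000_000.0),
    # Conversion booked as profit although nothing of value changed hands.
    Trade("T2", "CONVERT", "trader-B", 35_000.0, 0.0, 0.0, 10_000_000.0, 10_000_000.0),
    # Conversion booked correctly at zero.
    Trade("T3", "CONVERT", "trader-B", 0.0, 0.0, 0.0, 5_000_000.0, 5_000_000.0),
    # Genuine purchase at a small loss, booked correctly.
    Trade("T4", "BUY", "trader-A", -2_000.0, 0.0, 500_000.0, 498_000.0, 0.0),
]


if __name__ == "__main__":
    for trade_id, gap in flag_trades(SAMPLE_TRADES):
        print(f"{trade_id}: booked profit of {gap:,.2f} has no economic gain behind it")
    print("conversions booked with profit:", conversions_with_profit(SAMPLE_TRADES))
    print("unsupported profit by trader:", phantom_by_trader(SAMPLE_TRADES))
```

The two rules are deliberately independent: the reconciliation needs market values for both legs and catches any mismatch, while the conversion rule needs nothing but the trade type and catches the specific pattern the deck describes. Running both, and reporting per trader rather than per trade, is what turns a booking quirk into something management can see.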

Page 26: CoCo and Kidder Peabody
Purpose – Management did not understand the business or the IT system; no clear fraud policy
Commitment – Hoping for A, rewarding B; us vs. them mindset
Capability – No training; poor technology and systems
Action and Monitoring & Learning – No monitoring; acceptance of the status quo

Page 27: Summary
Defeat IT Fraud with Strategic Initiatives
Start with Tone at the Top
Create a Culture of Security
Use CoCo to manage and evaluate culture
Fighting Fraud Through Data Governance
People, Process and Technology

Page 28: References
OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, http://www.oecd.org/dataoecd/16/22/15582260.pdf
The Carnegie Mellon Software Engineering Institute: Governing for Enterprise Security, http://www.sei.cmu.edu/pub/documents/05.reports/pdf/05tn023.pdf