Presented by: William H. Brown, CPA, CFFA, CFE

GAIN CONTROL
How Secure is your Business?
Fraud Risk Analysis and Security Management




www.berrydunn.com
What is the problem?
Some statistics…
From the “Report to the Nations on Occupational Fraud and Abuse – 2010 Global Fraud Study”, published by the Association for Certified Fraud Examiners

[Chart: values shown on the slide are 5.0%, 37.8%, 30.8%, $231,000 and $155,000; the chart labels are not recoverable]

How is Fraud Detected?

Where do Tips Come From?

What Controls are Used?

Disturbing Statistic

Objective


Provide you with information to help you manage the business risks of loss due to fraud and inadequate IT security…
…not to prevent, detect and prosecute all instances of fraud and stamp out all evil regardless of the cost

What Can I Tell You… That Will Help?

• Overview of Fraud

• Fraud Risk Analysis

• IT Security Management

What is Fraud?

• U.S. Alleges Poker Site Stacked Deck
    - Wall Street Journal, September 21, 2011
• Focus on Goldman Ex-Director
    - Wall Street Journal, September 21, 2011


• Maine Man Facing Charges of Securities Fraud
    - Portland Press Herald, February 18, 2011

What is Fraud?


• Financial statement fraud

• Asset misappropriation

• Corruption

Loss Prevention


• Fraud prevention

• Fraud monitoring

• Fraud detection

• Security

Fraud Risk Analysis


• Internal control review

• Fraud risk checkup

• Fraud risk assessment

Fraud Prevention Checkup


               Is it time to see a professional?

Key Areas of Checkup


•   Fraud risk oversight and ownership
•   Fraud risk assessment
•   Risk tolerance/policy
•   Controls
    – Process level
    – Environment level
• Proactive detection

Fraud Risk Assessment


A series of questions to help an organization identify risk areas and respond to those risks.

Results of Assessment


• Results should allow the organization to:
    – Identify potential inherent fraud risks
    – Assess likelihood and significance of occurrence
    – Evaluate people and departments most likely to
      commit fraud
    – Identify and map preventative and detective
      controls

Results of Assessment


• Results should allow the organization to:
    – Evaluate whether identified controls are working
    – Identify fraud risks resulting from lack of
      control/ineffective controls
    – Develop response

Typical Assessment Areas


•   Employees
•   Physical controls
•   Cash
•   Purchasing and billing
•   Proprietary information/intellectual property
•   Corruption

Employee Assessment


• Are employees afraid to deliver bad news
  to management?
• Are employees required to take annual
  vacations?
• Are the duties related to authorization,
  custody of assets, and recording or reporting
  of transactions segregated?

Physical Control Assessment

• Does the organization conduct pre-employment
  background checks to identify previous dishonest
  or unethical behavior?
• Does the organization provide an anonymous way
  to report suspected violations of the ethics and
  anti-fraud policies?
• Does the organization restrict access to computer
  systems with sensitive documents?

Cash Receipts Assessment


• Does a person independent of the cash receipts and
  accounts receivable functions compare entries to the cash
  receipts journals with the bank deposit slips and bank
  deposit statements?
• Is an independent listing of cash receipts prepared
  before the receipts are submitted to the cashier or accounts
  receivable bookkeeper?
• Is job or assignment rotation mandatory for employees
  who handle cash receipts and accounting duties?

Purchasing Assessment


• Is the master vendor file periodically reviewed for
  unusual vendors and addresses?
• Are control methods in place to check for
  duplicate invoices and purchase order numbers?
• Do write-offs of accounts payable debit balances
  require approval of a designated manager?

Proprietary Info Assessment


• Are employees required to use screensaver and/or server
  passwords to protect unattended computer systems?
• Are employees who have access to proprietary information
  required to sign noncompete agreements to prevent them
  from working for competitors within a stated period of time
  and location?
• Are there policies and procedures addressing the
  identification, classification, and handling of proprietary
  information?

Corruption Assessment


• Is there a company policy that addresses the
  receipt of gifts, discounts, and services
  offered by a supplier or customer?
• Are contracts awarded based on
  predetermined criteria?
• Are purchasing account assignments
  rotated?

Information Technology Security Management

• Security assessment

• Purchasing

• Fraud prevention suggestions

IT Security Assessment


• Typical assessment includes following areas:
    – Organization/Management of IT
    – Computer/Network Hardware
    – Computer/Network Software
    – Network Security Controls
    – IT Security and Administration
    – Backup and System Recovery

IT Security Assessment


• Includes review of documentation,
  observation and interviews.
• Incorporates best practices guidelines
• Risk ratings
• Recommendations

IT Security Assessment


• Examples of specific areas:
    – Secure media disposal
    – Patch management
    – Network design
    – Backup procedures
    – Mobile devices

IT Fraud Prevention Tools



Utilize reporting and monitoring systems already in place

Using IT Controls Effectively


• Assign individual employees their own
  system IDs.
    – Disable usage of generic administrative IDs
    – Change administrative passwords every 60 days
    – Lock down system IDs
    – ENFORCE!

Using IT Controls Effectively


• Ensure access to financial accounting
  systems is compartmentalized, i.e.:
    – Users have no way to access the financial
      database
    – IT cannot affect non-technology reconciliation
      process
    – Limit access to master vendor and customer files

Flags and Symptoms


• Missing checks, expense reports, registers
• Multiple & ongoing errors in accounting
  system that are unexplained
• Access to the accounting system at odd
  hours and/or in an unusual way
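As an added illustration (not part of the presentation), the following Python script applies the "Using IT Controls Effectively" points and the "Flags and Symptoms" above to a constructed accounting-system access log: it reports logins under generic administrative IDs, access outside business hours or from an unexpected source, and administrative passwords older than 60 days. The log format, user names, business-hours window and list of expected sources are all assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): timestamp, user id, source, action
SAMPLE_LOG = """\
2011-09-20T09:12:04 jsmith   office-lan  login
2011-09-20T13:45:10 admin    office-lan  login
2011-09-21T02:17:33 rjones   vpn         login
2011-09-21T10:02:51 mwhite   office-lan  login
2011-09-21T23:55:02 jsmith   vpn         login
2011-09-22T11:30:00 sysadmin office-lan  login
"""

# Constructed account records: administrative ID -> date of last password change
ADMIN_PASSWORD_CHANGED = {
    "admin": datetime(2011, 6, 1),
    "sysadmin": datetime(2011, 9, 1),
}

GENERIC_ADMIN_IDS = {"admin", "sysadmin", "root", "administrator"}  # should be disabled
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time (assumed window)
EXPECTED_SOURCES = {"office-lan"}      # anything else counts as an "unusual way" in
MAX_ADMIN_PASSWORD_AGE = timedelta(days=60)
REVIEW_DATE = datetime(2011, 9, 22)    # "today" for the password-age check

Finding = namedtuple("Finding", "timestamp user reason")

def parse_line(line):
    """Split one log line into (timestamp, user, source, action)."""
    ts, user, source, action = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), user, source, action

def review_access_log(log_text, now):
    """Return a list of Findings: generic admin IDs in use, odd-hours access,
    access from an unexpected source, and overdue admin password changes."""
    findings = []
    seen_admins = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, source, action = parse_line(line)
        if user in GENERIC_ADMIN_IDS:
            findings.append(Finding(ts, user, "generic administrative ID in use"))
            seen_admins.add(user)
        if ts.hour not in BUSINESS_HOURS:
            findings.append(Finding(ts, user, "access outside business hours"))
        if source not in EXPECTED_SOURCES:
            findings.append(Finding(ts, user, f"access from unexpected source {source}"))
    # Password-age check only for the administrative IDs actually observed in the log
    for user in sorted(seen_admins):
        changed = ADMIN_PASSWORD_CHANGED.get(user)
        if changed is None or now - changed > MAX_ADMIN_PASSWORD_AGE:
            findings.append(Finding(now, user, "administrative password older than 60 days"))
    return findings

if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG, REVIEW_DATE):
        print(f.timestamp.isoformat(), f.user, "-", f.reason)
```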

IT Purchasing Considerations


• Software
    – Be aware of privacy and confidentiality issues,
      laws and regulations
    – What is the vendor’s stated contractual commitment
      to remediation time after patches are released by
      operating system companies?
    – What is the stated remediation time for security
      flaws?

IT Purchasing Considerations


• Outsourced services
    – Does contract ensure secure processes?
    – For credit card payments – PCI compliant?
    – Website management – CONFIDENTIALITY
      AND PRIVACY

Remember


• Fraud loss prevention includes preventative
  measures, monitoring activities and detection.
• Assessments provide a starting point for
  identifying and addressing the risk.
• Controls are only useful when they are
  implemented and enforced.

Thanks for Attending




Have a Pleasant Afternoon!
Photo from near the yurt at the top of Pleasant Mountain – Shawnee Peak, sunset on August 20, 2011

Contact Information


Bill Brown
bbrown@berrydunn.com
207-541-2208

Eigen Heald
eheald@berrydunn.com
207-541-2311