TRANSCRIPT
IT GENERAL CONTROLS & THE PREVENTION OF FRAUD
Ed Tobias, CISA, CIA, CFE
May 11, 2011
AGENDA
What are IT General Controls?
5 Areas for Review
Case Study
What are IT General Controls (ITGC)?
What is a “control”?
• Process developed by management
• Provides reasonable assurance of:
  • Operations – effective & efficient
  • Reliable financial reporting
  • Compliance – laws & regulations
What are IT General Controls (ITGC)?
• Used to manage risks (“control someone’s behavior”)
• Examples:
  • Policies & procedures
  • Approvals
  • Reconciliations
  • SoD (Segregation of Duties)
What are IT General Controls (ITGC)?
• Process developed by management
• Provides reasonable assurance that:
  • Operations – effective & efficient
  • Reliable financial reporting
  • Compliance – laws & regulations
• Used to manage technology risks
What are IT General Controls (ITGC)?
What’s the difference???
What are IT General Controls (ITGC)?
• ITGC affect everything based on technology
  • Passwords
  • Program changes / system updates
  • Roles / SoD
  • Backups / recovery
  • 3rd-party providers
What are IT General Controls (ITGC)?
•ITGC are part of the entire system of internal control
What are IT General Controls (ITGC)?
3 main technology areas:
1. System (servers)
2. Network
3. Applications
What are IT General Controls (ITGC)?
• ITGC provide assurance that information systems are working as intended
  • Rely on the information
  • Legal / regulatory compliance
  • Effective / efficient operations
What are IT General Controls (ITGC)?
Center for Internet Security:
• Applying ITGC consistently protects against 85%+ of the top vulnerabilities reported by:
  • NIST
  • FBI
  • SANS Institute
  • Computer Security Institute
What are IT General Controls (ITGC)?
Without effective ITGC, where is the fraud …
• Financial statement schemes
• Asset misappropriation schemes
• Fraudulent disbursements
• Theft of assets / inventory
• Bribery / conflicts of interest
What are IT General Controls (ITGC)?
Without effective ITGC, where is the fraud …
• Theft of intellectual property
• Financial institution fraud
• Check & credit card fraud
• Insurance fraud
• Health care fraud
• Securities fraud
What are IT General Controls (ITGC)?
Without effective ITGC, where is the fraud …
• Consumer fraud – identity theft
• Computer / Internet fraud
• Public sector fraud
What are IT General Controls (ITGC)?
Without effective ITGC, where is the fraud …
Almost everywhere, since we use technology to:
• Store information
• Make decisions
5 Areas for Review
1. IT Entity-Level
2. Change Management
3. Information Security
4. Backup and Recovery
5. 3rd-party IT Providers
5 Areas for Review
Normally done by IT auditors
• Technology skills / background
• Can also be performed by:
  • Operational / financial auditors
  • IT Security / Compliance
5 Areas for Review
Need to determine the “key information technology risks”
• Framework (NIST, COBIT)
• IT Management
5 Areas for Review
What 3-5 things keep them awake at night?
5 Areas for Review
1. IT Entity-Level
• Need to understand IT involvement
• Assess IT complexity
  • Low – COTS, 1 server, 1-15 users
  • High – ERP and/or customized, 4+ servers, 30+ users
5 Areas for Review
1. IT Entity-Level
• Impact to the system?
• Mitigating controls?
5 Areas for Review
1. IT Entity-Level
• Policies & procedures
  • Acceptable Use
  • Found in Employee Manual
5 Areas for Review
What about …
• USB thumb drives
Your data has legs!
5 Areas for Review
What about …
• Smartphones
Your data has legs!
5 Areas for Review
What about …
• Rogue wireless access points
Your network is OPEN!
5 Areas for Review
• Acceptable Use
• Information Security responsibilities
YOU are responsible for your company’s data!
5 Areas for Review
1. IT Entity-Level
• Annual technology plan
• Annual budget
• Prioritization of IT projects
5 Areas for Review
2. Change Management
• All changes to the system:
  • Properly authorized
  • Securely implemented
• SoD is important!
5 Areas for Review
2. Change Management
• Vendor does changes
  • Access always on?
  • Logging access times?
  • Review key reports before/after changes?
5 Areas for Review
2. Change Management
• Key spreadsheets
  • Locked down?
  • Protected formulas?
  • Restricted access?
5 Areas for Review
Impact of Spreadsheet Errors
• Data entry error of $118,000
• $11M severance error
• $30M spreadsheet error
• $644M misstatement
Statistics from the 2006 ACL white paper on spreadsheets
5 Areas for Review
3. Information Security
• Physical security
• Passwords
• User IDs
• Roles in the system
• Administrators / super users
• Logging
• Encryption
5 Areas for Review
3. Information Security
• Wireless access
5 Areas for Review
3. Information Security
• Physical security
5 Areas for Review
3. Information Security
• Password best practices (NIST)
  • Password length – 8
  • Complex passwords – 2 of 4:
    • Upper / lower case
    • Numeric (0-9)
    • Special (!, @, #, $)
5 Areas for Review
3. Information Security
• Password best practices (NIST)
  • Password history – 90 days
  • Suspended after 3 tries
  • Change initial password
  • Password history – 8
5 Areas for Review
3. Information Security
• Password best practices (NIST)
  • Mitigating controls
  • No dictionary words
  • Regular training / awareness
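A password-policy checker that encodes the parameters on the three slides above (minimum length 8, at least 2 of 4 character classes, no dictionary words, no reuse of the last 8 passwords, suspension after 3 failed tries). This is an added example, not code from the presentation; the word list, user and passwords are constructed.

```python
"""Password-policy checker for the slide's parameters (added example, not from
the presentation). Word list, account name and passwords are constructed."""
import string

MIN_LENGTH = 8
MIN_CLASSES = 2          # "Complex passwords - 2/4"
HISTORY_DEPTH = 8        # "Password history - 8"
MAX_FAILED_ATTEMPTS = 3  # "Suspended after 3 tries"

# Constructed sample word list; a real deployment loads a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "company", "letmein"}


def char_classes(pw: str) -> int:
    """Count how many of the 4 classes (upper, lower, digit, special) appear."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def password_violations(pw: str, history: list) -> list:
    """Return every policy rule the candidate breaks (empty list = accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of 4 character classes")
    if any(word in pw.lower() for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if pw in history[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


class Account:
    """Minimal account record; a real system stores a salted password hash."""
    def __init__(self, user_id: str, secret: str):
        self.user_id, self.secret = user_id, secret
        self.failed_attempts, self.suspended = 0, False

    def attempt_login(self, candidate: str) -> bool:
        """The 3rd consecutive failure suspends the account until reset."""
        if self.suspended:
            return False
        if candidate == self.secret:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.suspended = True
        return False
```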
5 Areas for Review
3. Information Security
• User IDs
  • No sharing
  • No generic IDs (e.g. Clerk1)
  • No default IDs / passwords
  • CIRT.net – 444 vendors, 1800+ passwords
5 Areas for Review
3. Information Security
• Roles in the system
  • Simplify security administration
  • Regularly reviewed?
5 Areas for Review
3. Information Security
• Administrators / super users
“Keys to the Kingdom”
5 Areas for Review
3. Information Security
• Administrators / super users
  • Limited number
  • Required for job duties
  • Audit trail / logging
  • Use only when necessary
  • Periodic review
5 Areas for Review
3. Information Security
• Logging
  • Slows down the system
  • Critical changes / info
  • Protected from admins
  • Regularly reviewed
5 Areas for Review
3. Information Security
• Encryption
  • Data at rest
WHY?
• Hacked
• Internal theft
• Backups are compromised
5 Areas for Review
3. Information Security
• Encryption
  • Data in transit
WHY?
• Packet sniffing – wire theft
• War driving
5 Areas for Review
3. Information Security
• Wireless access
  • Wireless access policy
  • Encryption
  • MAC address filtering
5 Areas for Review
4. Backup and Recovery
• Encrypted?
• Limited access
5 Areas for Review
5. 3rd-party IT Providers
“Data in the Cloud”
5 Areas for Review
5. 3rd-party IT Providers
• Outsource anything:
  • Servers (data center)
  • Virtual servers on demand
  • Applications
  • Virus scanning
5 Areas for Review
5. 3rd-party IT Providers
• SAS 70
  • Replaced by SSAE 16 Type 2
  • Effective June 15, 2011
  • Financial reporting
5 Areas for Review
5. 3rd-party IT Providers
• SOC 2
  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy
• Risk-based control framework
Case Study
Profiled in the Nov/Dec 2010 and Jan/Feb 2011 issues of Fraud Magazine.
• Deputy treasurer/controller issued $236,000 in checks through authorized maker scheme
• Detected through manual reconciliation & computer exception report
Case Study
• A $7,148 check cleared the bank but was not an outstanding check
• An uncashed check for $7,148 to a vendor was found in his office
• A clerk noticed missing exception reports
• Looked at IT system changes for the days with missing reports
Case Study
• Staff cuts left him as the authorized person for changes
• IT discovered 2 inactive, unauthorized program changes:
  • $215,846
  • $13,930
Case Study
What went wrong?
Case Study
• Weak IT entity-level controls
• Improper SoD
• Poor change management
• Weak controls in the payment department
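The three detective steps in the case study, written as an audit routine: reconcile cleared bank items against the outstanding-check register by check number and amount (a check that cleared but is unknown to the register is the exception), find the days on which no exception report was produced, and review the program-change log for changes on those days and for changes where one person both implemented and authorized them. This is an added example, not code from the presentation; every record below is constructed.

```python
"""Reconciliation and change-log review mirroring the case study (added
example, not from the presentation). All data below is constructed."""
from datetime import date

# Constructed bank statement items: (check number, amount, cleared date)
BANK_CLEARED = [
    (1001, 2500.00, date(2010, 3, 2)),
    (1002, 7148.00, date(2010, 3, 3)),  # same amount as register check 1004
    (1003, 900.00, date(2010, 3, 4)),
]
# Constructed outstanding-check register from the accounting system
REGISTER = {1001: 2500.00, 1003: 900.00, 1004: 7148.00}
# Constructed set of days on which the exception report was actually produced
REPORT_DAYS = {date(2010, 3, 2), date(2010, 3, 4)}
# Constructed program-change log: (date, implemented by, authorized by)
CHANGE_LOG = [
    (date(2010, 3, 3), "controller", "controller"),
    (date(2010, 3, 4), "developer", "it_manager"),
]


def unmatched_cleared_checks(bank, register):
    """Cleared checks the register does not know about. Matching on check
    number and amount, not amount alone, is what catches a substituted check."""
    return [(num, amt) for num, amt, _ in bank if register.get(num) != amt]


def missing_report_days(bank, report_days):
    """Days with bank activity but no exception report for the clerk to review."""
    return sorted({d for _, _, d in bank} - set(report_days))


def suspicious_changes(change_log, gap_days):
    """Program changes made on report-gap days, plus segregation-of-duties
    failures where one person both implemented and authorized the change."""
    findings = []
    for day, implemented_by, authorized_by in change_log:
        reasons = []
        if day in gap_days:
            reasons.append("change on a day with no exception report")
        if implemented_by == authorized_by:
            reasons.append("implemented and authorized by the same person")
        if reasons:
            findings.append((day, implemented_by, reasons))
    return findings
```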
Questions
Contact Information
http://www.linkedin.com/in/ed3200