Fraud & its part in YOUR downfall
MIKE WARD, Managing Director
InSync2011; posted Dec 05, 2014 (E-Business Suite 2 _ Mike Ward _ Fraud and its part in your downfall.pdf, 32 pages)

Transcript
Page 1

The most comprehensive Oracle applications & technology content under one roof

Fraud & its part in YOUR downfall

MIKE WARD, Managing Director

Page 2

If your job was at stake..... Can you with certainty state that users of your Oracle ERP system are locked out of the areas they should not be able to see?

Page 3

Page 4

Agenda
• Q Software: Who are we?
• What are the Problems?
  – Fraud & Compliance
• Key Questions?
• Summary & Questions

Page 5

The Oracle Security & Compliance People

270+ Customers

Page 6

Agenda
• Q Software: Who are we?
• What are the Problems?
  – Fraud & Compliance
• Key Questions
• Summary & Questions

Page 7

Fraud will never happen to You

• 75% of fraud is due to ineffective internal controls, split between
  – Lack of controls 38%
  – Overriding controls 19%
  – Lack of management review 18%
• 80% of businesses modify controls after Fraud

Source: Association of Certified Fraud Examiners

Page 8

It doesn't happen here.......

South Africa: 62% companies suffered fraud; 59% experienced bribery & corruption
(Source: PwC 2009 crime survey)

Australia: 40% suffered economic crime
(Source: PwC 2009 Crime survey)

Canada: 55% companies suffered fraud
- 83% – asset misappropriation most common
- 38% detected by chance or by tip-off
(Source: PwC 2009 crime survey)

UK: almost 50% admit to suffering fraud; almost 75% of larger (5,000+ employees)
- 33% of these suffered 100 incidents
(Source: PwC 2009 fraud survey)

Germany: 61% large businesses suffered crime
- Average 8 incidents per business
- Average cost of crime 4.2 million Euros
(Source: PwC 2009 fraud survey)

USA: 35% companies suffered "significant economic crime"
- most likely cause is pressure due to economy
- increased opportunity is primary driver
(Source: PwC 2009 crime survey)

New Zealand: 42% suffered economic crime
- average cost $491,000
- increasingly by middle / senior management
(Source: PwC 2009 Crime survey)

Page 9

Security Creep

• Ex-employees still have access
• Changes to business processes
• Organisational & process changes
• Upgrades.........

[Figure: chart of Risk against Time; the tasks held by a user accumulate from Task 1 through Task 8 as time passes]
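One way to make security creep visible is a periodic access review that reconciles the ERP's live responsibility assignments against HR's view of who still works for the company and what their current job needs. The Python below is an added example, not code from the presentation or from Q Software; the users, roles, responsibility names and dates are constructed for illustration, and in a real Oracle EBS review the assignments would be pulled from the application's user and responsibility tables rather than hard-coded.

```python
"""Access review for 'security creep': leavers who still hold live responsibilities,
and current staff who have accumulated responsibilities beyond their present role."""
from datetime import date

# Constructed sample data for the example (hypothetical user, role and responsibility names).
# In practice this would be extracted from the HR system and the ERP's security tables.
HR_RECORDS = {
    "amanager": {"status": "active", "role": "AP Manager"},
    "bclerk":   {"status": "active", "role": "AP Clerk"},   # transferred from Purchasing to AP
    "eleaver":  {"status": "left",   "role": "AP Clerk"},   # left the company in November 2010
}

# What each job role is approved to hold: the baseline the review compares against.
ROLE_BASELINE = {
    "AP Manager": {"AP_INVOICE_APPROVER", "AP_REPORTING"},
    "AP Clerk":   {"AP_INVOICE_ENTRY", "AP_REPORTING"},
    "Buyer":      {"PO_BUYER"},
}

# Assignments as (user, responsibility, end_date as ISO string); None means open-ended.
ASSIGNMENTS = [
    ("amanager", "AP_INVOICE_APPROVER", None),
    ("amanager", "AP_REPORTING", None),
    ("bclerk", "AP_INVOICE_ENTRY", None),
    ("bclerk", "AP_REPORTING", None),
    ("bclerk", "PO_BUYER", None),                 # never removed after the transfer: creep
    ("eleaver", "AP_INVOICE_ENTRY", None),        # never end-dated when the employee left
    ("eleaver", "AP_REPORTING", "2010-11-30"),
]


def active_assignments(as_of):
    """Responsibilities each user can still use on the given ISO date (end-dated ones are ignored)."""
    cutoff = date.fromisoformat(as_of)
    active = {}
    for user, resp, end_date in ASSIGNMENTS:
        if end_date is None or date.fromisoformat(end_date) > cutoff:
            active.setdefault(user, set()).add(resp)
    return active


def leavers_with_access(as_of):
    """Ex-employees who still have at least one live responsibility."""
    active = active_assignments(as_of)
    return {
        user: sorted(active[user])
        for user, rec in HR_RECORDS.items()
        if rec["status"] == "left" and user in active
    }


def access_creep(as_of):
    """Current staff holding responsibilities outside the baseline for their present role."""
    active = active_assignments(as_of)
    findings = {}
    for user, rec in HR_RECORDS.items():
        if rec["status"] != "active":
            continue
        extra = active.get(user, set()) - ROLE_BASELINE[rec["role"]]
        if extra:
            findings[user] = sorted(extra)
    return findings


if __name__ == "__main__":
    review_date = "2011-01-31"
    print("Leavers with live access:", leavers_with_access(review_date))
    print("Responsibilities beyond role baseline:", access_creep(review_date))
```

The two findings are the two halves of the slide: the leaver whose account was never end-dated, and the clerk who kept a Purchasing responsibility after moving to Payables. Both are missed by a check that looks only at who is assigned what today without a baseline to compare against.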

Page 10

• VP in Finance Department
• July – December 2010
• Stole $19m

"Defendant bought a Maserati, 6 Properties, and a $½m entertainment system"

"Excessive Access Rights"

Page 11

Segregation of Duties (SoD)

Jones & Jones Inc.

A Manager:
- Sets up MB Inc. as a supplier
- Accepts Purchase Invoices from MB Inc.
- Approves Invoices
- Processes for Payment
- Transfers the funds
- Runs off with £1m

Page 12

Deloitte – Auditor Survey

• 3 Most Common Frauds
  – Misappropriation of Assets – 31%
  – Improper Expenditures – 22%
  – Procurement Fraud – 16%
• 63% companies say vulnerability has increased
• 83% UK companies had suffered fraud

Page 13

Agenda
• Q Software: Who are we?
• What are the Problems?
  – Fraud & Compliance
• Key Questions
• Summary & Questions

Page 14

Effective control of SOD: What is it?

• …no single individual should have control over two or more phases of a transaction or operation… (University of Utah Department of Internal Audit, Identify the Duties)

• …no one individual employee can complete a significant business transaction in its entirety… (UCSD Audit & Management Advisory Services)

Page 15

Effective control of SOD: What is it?

Examples Include …..

• Those responsible for physical receipt of goods should not be responsible for paying for the goods.
• Those responsible for custody of goods should not be responsible for maintaining the records of the assets.
• Those responsible for collection of receivables should not be responsible for entries in the book of accounts.

Source: Sawyer's Internal Auditing, 5th Edition, page 1198

Page 16

Effective control of SOD: EBS

[Application Layer]

• Monitoring Application Controls
  – e.g. Post Journal Approval – Journal Sources
• Lack of Audit All – Certain Forms without Audit Trail
• Inability to audit WHAT
• Data Growth
• Unintuitive info
  – Vendor ID, Cust ID
  – Same with Log based solutions

Page 17

Effective control of SOD: EBS

[Application Layer / Database Layer]

• Sensitive Information
  – e.g. Employee Bank Info, NI #
  – Multiple Forms
• Different Views of Same Info
  – SQL Forms
  – Request Groups
  – External Reporting Solutions
  – Hiding/Masking impacts Applications
  – Segregation Policies difficult to enforce

Page 18

Effective control of SOD: Principles

1. Least Privilege Rule
2. Access to fulfill a job function
3. Minimise Risks to Sensitive Functions
4. Segregate Roles in Critical Processes
5. Monitor known high risks
6. Use Tools

Page 19

Effective control of SOD: What to do?

• But use the right tools!
  – Prevention
  – Detection
  – Approval Process
  – Mitigation Handling
  – False Positive Handling
• And look for lower TCO
  – Embedded into EBS
  – No additional Hardware
  – Rapid Implementation
  – Quick Installation

Page 20

Effective control of SOD

Access Control Auditing
• Full audit trail
• Transaction Data
• Enquire & Report

Page 21

Effective control of SOD

SoD Implementation
• Real time SoD controls
• Approvals
• What if Analysis
• Reporting

Page 22

Effective control of SOD

Implement Complex Security
• Data Segregation
• Data Masking
• Dynamic Security Policies

Page 23

Agenda
• Q Software: Who are we?
• What are the Problems?
  – Fraud & Compliance
• Case Studies
• Summary & Questions

Page 24

Q Software Solution

• Detective SoD
• Preventive SoD
• Blanket Function Lockout
• Trend Information
• Integrated
• Rapid Implementation
• Pre-Seeded Content

Page 25

Key audit questions:

• Who is in violation of SoD rules?
  – & how?
• What programs can a user access?
  – & with what authorities?
• Who can access a particular program?
  – & with what authorities?
• Who can access critical programs?
  – Such as Address Book Master Maintenance, Bank Payments and Credit Limits
• Who can access Master Data?
  – Such as Automatic Accounting Instructions, Bank Account details, Chart of Accounts
• What security settings does a particular user have?
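The audit questions above ("who is in violation of SoD rules, and how?", "who can access a particular program?") can be answered mechanically once each user's access is expanded down to the function level. The Python below is an added example, not code from the presentation or from Q Software; the user names, responsibility names, function names and conflict pairs are constructed for illustration and follow the Jones & Jones scenario (supplier set-up, invoice entry, invoice approval, payment processing). It goes one step beyond the slide by also running the responsibility-level check that the deck warns omits key risks: a single responsibility that bundles both halves of a conflict passes a responsibility-pair comparison but fails the function-level one.

```python
"""Function-level Segregation of Duties (SoD) analysis answering the key audit questions:
who is in violation of SoD rules and how, and who can access a particular program."""
from itertools import combinations

# Constructed sample data (hypothetical responsibility, function and user names; not from a real system).
# In Oracle EBS terms a responsibility reaches functions through its menu; here that expansion is pre-computed.
RESPONSIBILITY_FUNCTIONS = {
    "AP_SUPPLIER_ADMIN":   {"Supplier Maintenance"},
    "AP_INVOICE_ENTRY":    {"Invoice Entry"},
    "AP_INVOICE_APPROVER": {"Invoice Approval"},
    "AP_PAYMENTS":         {"Payment Processing", "Bank Account Maintenance"},
    # One bundled responsibility that covers the whole purchase-to-pay cycle on its own.
    "AP_SUPER_USER":       {"Supplier Maintenance", "Invoice Entry", "Invoice Approval", "Payment Processing"},
}

USER_RESPONSIBILITIES = {
    "amanager":  ["AP_SUPPLIER_ADMIN", "AP_INVOICE_ENTRY", "AP_INVOICE_APPROVER", "AP_PAYMENTS"],
    "bclerk":    ["AP_INVOICE_ENTRY"],
    "csuper":    ["AP_SUPER_USER"],
    "dapprover": ["AP_INVOICE_APPROVER"],
}

# SoD rules: pairs of functions that are two phases of the same transaction, with the control objective.
SOD_RULES = [
    ("Supplier Maintenance", "Invoice Entry",      "supplier set-up separate from invoicing"),
    ("Invoice Entry",        "Invoice Approval",   "no self-approval of invoices"),
    ("Invoice Approval",     "Payment Processing", "independent check before payment"),
    ("Supplier Maintenance", "Payment Processing", "supplier set-up separate from payment"),
]


def user_functions(user):
    """Expand a user's responsibilities to the functions they can reach, recording which
    responsibility granted each function (that record is the 'how' behind a violation)."""
    granted = {}
    for resp in USER_RESPONSIBILITIES.get(user, []):
        for func in RESPONSIBILITY_FUNCTIONS[resp]:
            granted.setdefault(func, set()).add(resp)
    return granted


def function_level_violations(user):
    """SoD conflicts for one user, evaluated on the functions actually reachable."""
    granted = user_functions(user)
    violations = []
    for func_a, func_b, objective in SOD_RULES:
        if func_a in granted and func_b in granted:
            violations.append({
                "conflict": (func_a, func_b),
                "objective": objective,
                "via": {func_a: sorted(granted[func_a]), func_b: sorted(granted[func_b])},
            })
    return violations


def responsibility_level_violations(user):
    """The weaker check: only pairs of *different* responsibilities are compared, so a
    conflict packaged inside one responsibility is never seen."""
    violations = []
    for resp_a, resp_b in combinations(USER_RESPONSIBILITIES.get(user, []), 2):
        funcs_a, funcs_b = RESPONSIBILITY_FUNCTIONS[resp_a], RESPONSIBILITY_FUNCTIONS[resp_b]
        for func_a, func_b, _objective in SOD_RULES:
            if (func_a in funcs_a and func_b in funcs_b) or (func_b in funcs_a and func_a in funcs_b):
                violations.append({"conflict": (func_a, func_b), "via": (resp_a, resp_b)})
    return violations


def sod_report():
    """Who is in violation of SoD rules, and how? Users with no conflict are omitted."""
    report = {}
    for user in USER_RESPONSIBILITIES:
        violations = function_level_violations(user)
        if violations:
            report[user] = violations
    return report


def who_can_access(function):
    """Who can access a particular program, and through which responsibilities?"""
    access = {}
    for user in USER_RESPONSIBILITIES:
        granted = user_functions(user)
        if function in granted:
            access[user] = sorted(granted[function])
    return access


if __name__ == "__main__":
    for user, violations in sod_report().items():
        for v in violations:
            print(f"{user}: {v['conflict'][0]} + {v['conflict'][1]} via {v['via']}")
    print("Payment Processing reachable by:", who_can_access("Payment Processing"))
    # The responsibility-level review misses the bundled super-user entirely:
    print("csuper at responsibility level:", responsibility_level_violations("csuper"))
```

In the sample data the manager holds four separate responsibilities and is caught by both checks, while the super-user account holds one bundled responsibility and is caught only at the function level. The "via" detail in each finding is what an auditor needs to remediate: it names the responsibility to remove or split rather than just the user.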

Page 26

Solve Business Problems with Good Security

• Audit Security – KNOW your status
• Map Security to Business Processes
• Build in SoD
• Make Security more Manageable & Reduce Costs
• Consider Outsourcing Security Management
• Compliance Management & Reporting

Page 27

Segregation of Duty Issues

• Spread-sheets – No Integrity
• Queries – No Accuracy
• Manual Review – Time consuming
• Responsibility level SoD – Omits key risks (needs to be at the Function level)
• Periodic Reviews – Risk between reviews
• External Solutions – High Cost

Page 28

Effective control of SOD: Reduce Costs

• Tools reduce Cost of Correcting Errors….
  – Prevent Unwanted Access
  – Approval Process
  – Mitigation Handling
  – False Positive Handling
• Reduced Staff Time……
  – Embedded into EBS
  – No additional Hardware
  – Rapid Implementation of Complex Security
  – No impact on Upgrades

Page 29

Segregation of Duties (SoD)

Page 30

Segregation of Duties (SoD)

Page 31

Questions?

Page 32

Have pity on the homeland.....