The most comprehensive Oracle applications & technology content under one roof
Fraud & its part in YOUR downfall
MIKE WARD, Managing Director
If your job was at stake... can you state with certainty that users of your Oracle ERP system are locked out of the areas they should not be able to see?
Agenda
• Q Software: Who are we?
• What are the Problems?
  – Fraud & Compliance
• Key Questions
• Summary & Questions
The Oracle Security & Compliance People
270+ Customers
Agenda
• Q Software: Who are we?
• What are the Problems?
  – Fraud & Compliance
• Key Questions
• Summary & Questions
Fraud will never happen to You
• 75% of fraud is due to ineffective internal controls, split between:
  – Lack of controls 38%
  – Overriding controls 19%
  – Lack of management review 18%
• 80% of businesses modify controls after fraud
Source: Association of Certified Fraud Examiners
It doesn't happen here.......
South Africa: 62% of companies suffered fraud; 59% experienced bribery & corruption
Source: PwC 2009 crime survey
Australia: 40% suffered economic crime
Source: PwC 2009 crime survey
Canada: 55% of companies suffered fraud
- Asset misappropriation most common (83%)
- 38% detected by chance or by tip-off
Source: PwC 2009 crime survey
UK: almost 50% admit to suffering fraud; almost 75% of larger companies (5,000+ employees)
- 33% of these suffered 100 incidents
Source: PwC 2009 fraud survey
Germany: 61% of large businesses suffered crime
- Average 8 incidents per business
- Average cost of crime 4.2 million Euros
Source: PwC 2009 fraud survey
USA: 35% of companies suffered "significant economic crime"
- Most likely cause is pressure due to the economy
- Increased opportunity is the primary driver
Source: PwC 2009 crime survey
New Zealand: 42% suffered economic crime
- Average cost $491,000
- Increasingly by middle / senior management
Source: PwC 2009 crime survey
Security Creep
• Ex-employees still have access
• Changes to business processes
• Organisational & process changes
• Upgrades.........
[Chart: access accumulating over time, Task 1 through Task 8 added but never removed; axes: Time (x), Risk (y)]
• VP in Finance Department
• July – December 2010
• Stole $19m
"Defendant bought a Maserati, 6 Properties, and a $½m entertainment system"
"Excessive Access Rights"
Segregation of Duties (SoD)
Jones & Jones Inc.: A Manager
• Sets up MB Inc. as a supplier
• Accepts Purchase Invoices from MB Inc.
• Approves Invoices
• Processes for Payment
• Transfers the funds
• Runs off with £1m
Deloitte – Auditor Survey
• 3 Most Common Frauds
  – Misappropriation of Assets – 31%
  – Improper Expenditures – 22%
  – Procurement Fraud – 16%
• 63% of companies say vulnerability has increased
• 83% of UK companies had suffered fraud
Agenda
• Q Software: Who are we?
• What are the Problems?
  – Fraud & Compliance
• Key Questions
• Summary & Questions
Effective control of SOD: What is it?
• "...no single individual should have control over two or more phases of a transaction or operation..." (University of Utah Department of Internal Audit, Identify the Duties)
• "...no one individual employee can complete a significant business transaction in its entirety..." (UCSD Audit & Management Advisory Services)
Effective control of SOD: What is it?
Examples include:
• Those responsible for physical receipt of goods should not be responsible for paying for the goods.
• Those responsible for custody of goods should not be responsible for maintaining the records of the assets.
• Those responsible for collection of receivables should not be responsible for entries in the book of accounts.
Source: Sawyer's Internal Auditing, 5th Edition, page 1198
Effective control of SOD: EBS (Application Layer)
• Monitoring Application Controls
  – e.g. Post Journal Approval
  – Journal Sources
• Lack of Audit All
  – Certain Forms without Audit Trail
• Inability to audit WHAT
• Data Growth
• Unintuitive info
  – Vendor ID, Cust ID
  – Same with Log-based solutions
Effective control of SOD: EBS (Application Layer and Database Layer)
• Sensitive Information
  – e.g. Employee Bank Info, NI #
  – Multiple Forms
• Different Views of Same Info
  – SQL Forms
  – Request Groups
  – External Reporting Solutions
  – Hiding/Masking impacts Applications
  – Segregation Policies difficult to enforce
Effective control of SOD: Principles
1. Least Privilege Rule
2. Access to fulfil a job function
3. Minimise Risks to Sensitive Functions
4. Segregate Roles in Critical Processes
5. Monitor known high risks
6. Use Tools
Effective control of SOD: What to do?
• But use the right tools!
  – Prevention
  – Detection
  – Approval Process
  – Mitigation Handling
  – False Positive Handling
• And look for lower TCO
  – Embedded into EBS
  – No additional Hardware
  – Rapid Implementation
  – Quick Installation
Effective control of SOD
Access Control Auditing
• Full audit trail
• Transaction Data
• Enquire & Report
Effective control of SOD
SoD Implementation
• Real-time SoD controls
• Approvals
• What-if Analysis
• Reporting
Effective control of SOD
Implement Complex Security
• Data Segregation
• Data Masking
• Dynamic Security Policies
Agenda
• Q Software: Who are we?
• What are the Problems?
  – Fraud & Compliance
• Case Studies
• Summary & Questions
Q Software Solution
• Detective SoD
• Preventive SoD
• Blanket Function Lockout
• Trend Information
• Integrated
• Rapid Implementation
• Pre-Seeded Content
Key audit questions:
• Who is in violation of SoD rules?
  – & how?
• What programs can a user access?
  – & with what authorities?
• Who can access a particular program?
  – & with what authorities?
• Who can access critical programs?
  – Such as Address Book Master Maintenance, Bank Payments and Credit Limits
• Who can access Master Data?
  – Such as Automatic Accounting Instructions, Bank Account details, Chart of Accounts
• What security settings does a particular user have?
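As an added example (not Q Software's product code), a function-level SoD check that answers the first four audit questions above for the Jones & Jones manager scenario from the earlier SoD slide; the users, responsibilities, function names and conflict rules are all constructed:

```python
"""Constructed, EBS-style model: a user holds responsibilities, and each
responsibility grants a set of form functions. SoD is checked at the
function level, because responsibility-level checks omit key risks."""

# user -> responsibility -> functions reachable through it (constructed data)
GRANTS = {
    "amanager": {
        "AP Supplier Admin": {"Supplier Maintenance"},
        "AP Invoice Entry": {"Invoice Entry", "Invoice Approval"},
        "AP Payments": {"Payment Processing", "Bank Transfer"},
    },
    "apclerk": {"AP Invoice Entry": {"Invoice Entry"}},
    "treasury": {"AP Payments": {"Payment Processing", "Bank Transfer"}},
}

# Unordered pairs of functions one person must not hold together
# (the phases of the Jones & Jones fraud, as constructed rules).
SOD_RULES = {
    frozenset({"Supplier Maintenance", "Invoice Entry"}),
    frozenset({"Invoice Entry", "Invoice Approval"}),
    frozenset({"Invoice Approval", "Payment Processing"}),
    frozenset({"Payment Processing", "Bank Transfer"}),
}

def user_functions(user):
    """'What programs can a user access, and with what authorities?':
    map every reachable function to the responsibilities granting it."""
    reach = {}
    for resp, funcs in GRANTS.get(user, {}).items():
        for func in funcs:
            reach.setdefault(func, set()).add(resp)
    return reach

def sod_violations(user):
    """'Who is in violation of SoD rules, and how?': every rule whose
    two functions the user can both reach, with the granting paths."""
    reach = user_functions(user)
    return [(rule, {f: reach[f] for f in rule})
            for rule in SOD_RULES if rule.issubset(reach)]

def violators():
    """All users with at least one violation, keyed by user."""
    return {u: sod_violations(u) for u in GRANTS if sod_violations(u)}

def who_can_access(function):
    """'Who can access a particular program, and with what authorities?'"""
    return {u: user_functions(u)[function]
            for u in GRANTS if function in user_functions(u)}
```

`amanager` breaks all four rules because the three responsibilities together cover the whole transaction, while `treasury` is flagged only on the pay/transfer pair.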
Solve Business Problems with Good Security
• Audit Security – KNOW your status
• Map Security to Business Processes
• Build in SoD
• Make Security more Manageable & Reduce Costs
• Consider Outsourcing Security Management
• Compliance Management & Reporting
Segregation of Duty Issues
• Spreadsheets – No Integrity
• Queries – No Accuracy
• Manual Review – Time consuming
• Responsibility level SoD – Omits key risks (needs to be at the Function level)
• Periodic Reviews – Risk between reviews
• External Solutions – High Cost
Effective control of SOD: Reduce Costs
• Tools reduce Cost of Correcting Errors....
  – Prevent Unwanted Access
  – Approval Process
  – Mitigation Handling
  – False Positive Handling
• Reduced Staff Time......
  – Embedded into EBS
  – No additional Hardware
  – Rapid Implementation of Complex Security
  – No impact on Upgrades
Questions?
Have pity on the homeland.....