E-Business Suite 2 _ Mike Ward _ Fraud and its part in your downfall.pdf
1. Fraud & its part in YOUR downfall
MIKE WARD, Managing Director
The most comprehensive Oracle applications & technology content under one roof
2. If your job was at stake.....
Can you with certainty state that users of your Oracle ERP system are locked out of the areas they should not be able to see?
4. Agenda
• Q Software: Who are we?
• What are the Problems? – Fraud & Compliance
• Key Questions?
• Summary & Questions
5. The Oracle Security & Compliance People
270+ Customers
6. Agenda
• Q Software: Who are we?
• What are the Problems? – Fraud & Compliance
• Key Questions
• Summary & Questions
7. Fraud will never happen to You
• 75% of fraud is due to ineffective internal controls, split between
– Lack of controls 38%
– Overriding controls 19%
– Lack of management review 18%
• 80% of businesses modify controls after Fraud
Association of Certified Fraud Examiners
8. It doesn't happen here.......
[World map with callouts of national fraud statistics from the PwC 2009 economic crime survey for the UK, Canada, New Zealand, Germany, the USA, South Africa and Australia; the extracted callout text is interleaved and the country-to-figure pairings are not recoverable. Legible fragments: "average cost $491,000", "33% of these by middle / senior management", "likely cause is pressure due to economy".]
Source: PwC 2009 crime survey
9. Security Creep
• Ex-employees still have access
• Changes to business processes
• Organisational & process changes
• Upgrades.........
[Chart: Risk on the vertical axis rising against Time on the horizontal axis as tasks accumulate, Task 1 through Task 8.]
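The "ex-employees still have access" point on the Security Creep slide is a reconciliation problem: the HR leaver list and the application user list drift apart. The following is an added example, not code from the deck or from Q Software, showing the check an auditor would run. The user records, the field names (`user`, `employee_id`, `end_date`, `last_login`), the leaver list and the as-of date are all constructed for illustration and are not Oracle EBS table or column names.

```python
"""Leaver and dormant-account reconciliation over constructed user data.

Flags three classes of creep that a periodic review should catch:
  1. people HR says have left but whose application account is still open,
  2. accounts nobody has used for a long time (dormant),
  3. accounts with no employee behind them at all (orphans / shared logins).
All data below is constructed; field names are hypothetical, not Oracle's.
"""
from datetime import date

AS_OF = date(2011, 3, 5)  # constructed review date

# Constructed application user records
APP_USERS = [
    {"user": "jsmith",    "employee_id": 1001, "end_date": None,              "last_login": date(2011, 3, 2)},
    {"user": "bjones",    "employee_id": 1002, "end_date": date(2011, 1, 31), "last_login": date(2011, 1, 20)},
    {"user": "rpatel",    "employee_id": 1003, "end_date": None,              "last_login": date(2010, 9, 1)},
    {"user": "svc_batch", "employee_id": None, "end_date": None,              "last_login": date(2011, 3, 1)},
]

# Constructed HR leaver list: employee_id -> termination date
HR_LEAVERS = {1001: date(2011, 2, 15), 1002: date(2011, 1, 31)}


def ex_employees_with_access(users, leavers, as_of):
    """Users whose employee has left (on or before as_of) but whose account
    was never end-dated, or was end-dated later than the termination date."""
    findings = []
    for u in users:
        left = leavers.get(u["employee_id"])
        if left is None or left > as_of:
            continue  # still employed, or leaving in the future
        if u["end_date"] is None or u["end_date"] > left:
            findings.append({"user": u["user"], "left": left, "end_date": u["end_date"]})
    return findings


def dormant_accounts(users, as_of, max_idle_days=90):
    """Open accounts not used within max_idle_days of as_of."""
    return [u["user"] for u in users
            if (u["end_date"] is None or u["end_date"] > as_of)
            and (as_of - u["last_login"]).days > max_idle_days]


def orphan_accounts(users):
    """Accounts with no employee behind them; review ownership and purpose."""
    return [u["user"] for u in users if u["employee_id"] is None]


if __name__ == "__main__":
    for f in ex_employees_with_access(APP_USERS, HR_LEAVERS, AS_OF):
        print(f"LEAVER STILL ACTIVE: {f['user']} left {f['left']}, account end date {f['end_date']}")
    print("dormant:", dormant_accounts(APP_USERS, AS_OF))
    print("orphans:", orphan_accounts(APP_USERS))
```

Run as-is, it reports jsmith as a leaver with an open account (bjones was end-dated on the day of leaving and is clean), rpatel as dormant, and svc_batch as an account with no owner. Feeding the same functions a real HR export and user extract is the only change needed to make this a recurring control.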
10. • VP in Finance Department
• July – December 2010
• Stole $19m
"Defendant bought a Maserati, 6 Properties, and a $½m entertainment system"
"Excessive Access Rights"
11. Segregation of Duties (SoD)
Jones & Jones Inc.
A Manager
Sets up MB Inc. as a supplier
Accepts Purchase Invoices from MB Inc.
Approves Invoices
Processes for Payment
Transfers the funds
Runs off with £1m
12. Deloitte – Auditor Survey
• 3 Most Common Frauds
– Misappropriation of Assets – 31%
– Improper Expenditures – 22%
– Procurement Fraud – 16%
• 63% companies say vulnerability has increased
• 83% UK companies had suffered fraud
13. Agenda
• Q Software: Who are we?
• What are the Problems? – Fraud & Compliance
• Key Questions
• Summary & Questions
14. Effective control of SOD: What is it?
• …no single individual should have control over two or more phases of a transaction or operation… (University of Utah Department of Internal Audit, Identify the Duties)
• …no one individual employee can complete a significant business transaction in its entirety… (UCSD Audit & Management Advisory Services)
15. Effective control of SOD: What is it?
Examples Include …..
§ Those responsible for physical receipt of goods should not be responsible for paying for the goods.
§ Those responsible for custody of goods should not be responsible for maintaining the records of the assets.
§ Those responsible for collection of receivables should not be responsible for entries in the book of accounts.
Source: Sawyer's Internal Auditing 5th Edition, page 1198
16. Effective control of SOD: EBS
• Monitoring Application Controls
– e.g. Post Journal Approval – Journal Sources
• Lack of Audit All
– Certain Forms without Audit Trail
• Inability to audit WHAT
• Data Growth
• Unintuitive info
– Vendor ID, Cust ID
– Same with Log based solutions
[Diagram: Application Layer]
17. Effective control of SOD: EBS
• Sensitive Information
– e.g. Employee Bank Info, NI #
– Multiple Forms
• Different Views of Same Info
– SQL Forms
– Request Groups
– External Reporting Solutions
– Hiding/Masking impacts Applications
– Segregation Policies difficult to enforce
[Diagram: Application Layer / Database Layer]
18. Effective control of SOD: Principles
1. Least Privilege Rule
2. Access to fulfill a job function
3. Minimise Risks to Sensitive Functions
4. Segregate Roles in Critical Processes
5. Monitor known high risks
6. Use Tools
19. Effective control of SOD: What to do?
• But use the right tools!
– Prevention
– Detection
– Approval Process
– Mitigation Handling
– False Positive Handling
• And look for lower TCO
– Embedded into EBS
– No additional Hardware
– Rapid Implementation
– Quick Installation
20. Effective control of SOD
Access Control Auditing
• Full audit trail
• Transaction Data
• Enquire & Report
21. Effective control of SOD
SoD Implementation
• Real time SoD controls
• Approvals
• What if Analysis
• Reporting
22. Effective control of SOD
Implement Complex Security
• Data Segregation
• Data Masking
• Dynamic Security Policies
23. Agenda
• Q Software: Who are we?
• What are the Problems? – Fraud & Compliance
• Case Studies
• Summary & Questions
24. Q Software Solution
• Detective SoD
• Preventive SoD
• Blanket Function Lockout
• Trend Information
• Integrated
• Rapid Implementation
• Pre-Seeded Content
25. Key audit questions:
• Who is in violation of SoD rules?
– & how?
• What programs can a user access?
– & with what authorities?
• Who can access a particular program?
– & with what authorities?
• Who can access critical programs?
– Such as Address Book Master Maintenance, Bank Payments and Credit Limits
• Who can access Master Data?
– Such as Automatic Accounting Instructions, Bank Account details, Chart of Accounts
• What security settings does a particular user have?
26. Solve Business Problems with Good Security
• Audit Security – KNOW your status
• Map Security to Business Processes
• Build in SoD
• Make Security more Manageable & Reduce Costs
• Consider Outsourcing Security Management
• Compliance Management & Reporting
27. Segregation of Duty Issues
• Spread-sheets – No Integrity
• Queries – No Accuracy
• Manual Review – Time consuming
• Responsibility level SoD – Omits key risks (needs to be at the Function level)
• Periodic Reviews – Risk between reviews
• External Solutions – High Cost
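The Jones & Jones Inc. example (slide 11), the key audit questions (slide 25) and the point that responsibility-level SoD omits risks that only show up at function level (slide 27) all come down to one computation: expand each user's responsibilities into the functions they reach, then test the resulting set against conflict rules. The block below is an added example written for this page, not the deck's or Q Software's code, and it generalises the single manager in the slide to a small population of users. All user names, responsibility names, function names and SoD rules are constructed for illustration; they are not Oracle EBS seed data, and the access model (user → responsibility → function) is a simplification of the real menu tree.

```python
"""Function-level Segregation of Duties check over constructed access data.

Answers the audit questions from the deck:
  - who is in violation of SoD rules, and how (which responsibilities)?
  - what functions can a user access?
  - who can access a particular (critical) function?
It also shows why a responsibility-level rule can miss a conflict that
lives entirely inside one responsibility. All names below are constructed.
"""

# user -> responsibilities held (constructed)
USER_RESPS = {
    "amanager":  {"AP Supervisor", "Purchasing Buyer"},   # the slide-11 manager
    "clerk1":    {"AP Clerk"},
    "treasury1": {"Cash Manager"},
}

# responsibility -> functions reachable through its menus (constructed)
RESP_FUNCTIONS = {
    "Purchasing Buyer": {"Enter Supplier", "Enter Purchase Order"},
    "AP Supervisor":    {"Enter Invoice", "Approve Invoice", "Create Payment", "Transfer Funds"},
    "AP Clerk":         {"Enter Invoice"},
    "Cash Manager":     {"Transfer Funds"},
}

# SoD rules: two functions no single person should hold, plus the risk they create
SOD_RULES = [
    ("Enter Supplier",  "Enter Invoice",   "Fictitious supplier with invoices"),
    ("Enter Invoice",   "Approve Invoice", "Self-approved invoices"),
    ("Approve Invoice", "Create Payment",  "Approve and pay the same invoice"),
    ("Create Payment",  "Transfer Funds",  "Pay and move the cash"),
]


def user_functions(user):
    """Every function a user can reach -> the responsibilities that grant it.
    Answers 'what programs can a user access, and with what authorities?'."""
    grants = {}
    for resp in USER_RESPS.get(user, ()):
        for fn in RESP_FUNCTIONS.get(resp, ()):
            grants.setdefault(fn, set()).add(resp)
    return grants


def sod_violations(user):
    """Function-level rule hits for one user. Each hit names both functions
    and the responsibilities granting them, so the '& how?' is answered."""
    grants = user_functions(user)
    hits = []
    for a, b, risk in SOD_RULES:
        if a in grants and b in grants:
            hits.append({"risk": risk, "functions": (a, b),
                         "via": (sorted(grants[a]), sorted(grants[b]))})
    return hits


def users_in_violation():
    """Who is in violation of any SoD rule?"""
    return sorted(u for u in USER_RESPS if sod_violations(u))


def who_can_access(function):
    """Who can reach a particular function, and through which responsibility."""
    result = {}
    for user, resps in USER_RESPS.items():
        via = sorted(r for r in resps if function in RESP_FUNCTIONS.get(r, ()))
        if via:
            result[user] = via
    return result


def responsibility_level_violations(user, conflicting_resp_pairs):
    """The coarser check many spreadsheets do: flag only when a user holds
    both named responsibilities. A conflict inside ONE responsibility, such
    as Enter Invoice + Approve Invoice both sitting under AP Supervisor, is
    invisible here, which is the slide-27 point about function level."""
    held = USER_RESPS.get(user, set())
    return [pair for pair in conflicting_resp_pairs if set(pair) <= held]


if __name__ == "__main__":
    for user in users_in_violation():
        for hit in sod_violations(user):
            print(f"{user}: {hit['risk']} via {hit['via']}")
    print("Transfer Funds reachable by:", who_can_access("Transfer Funds"))
    print("Responsibility-level check on amanager:",
          responsibility_level_violations("amanager", [("AP Clerk", "AP Supervisor")]))
```

Run stand-alone, the function-level check reports four conflicts for the manager (three of them entirely within AP Supervisor), while the responsibility-level rule "AP Clerk must not be combined with AP Supervisor" reports nothing for the same person. Pointing `USER_RESPS` and `RESP_FUNCTIONS` at a real extract of user assignments and compiled menu functions is what turns this into a usable detective control; a preventive control would run `sod_violations` against the proposed assignment before it is saved.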
28. Effective control of SOD: Reduce Costs
• Tools reduce Cost of Correcting Errors….
– Prevent Unwanted Access
– Approval Process
– Mitigation Handling
– False Positive Handling
• Reduced Staff Time……
– Embedded into EBS
– No additional Hardware
– Rapid Implementation of Complex Security
– No impact on Upgrades
31. Questions?
32. Have pity on the homeland.....