E-Business Suite 2 _ Mike Ward _ Fraud and its part in your downfall.pdf

Fraud
&
it’s
part
in
YOUR
downfall

MIKE
WARD

Managing
Director

The most comprehensive Oracle applications & technology content under one roof

If
your
job
was
at
stake.....

Can
you
with
certainty
state
that
users

of
your
Oracle
erp
system
are
locked

out
of
the
areas
they
should
not
be

able
to
see?


Agenda

•  Q
SoEware:
Who
are
we?

•  What
are
the
Problems?

–  Fraud
&
Compliance

•  Key
QuesKons?

•  Summary
&
QuesKons


The
Oracle
Security
&
Compliance
People

270+ Customers


Agenda

•  Q
SoEware:
Who
are
we?

•  What
are
the
Problems?

–  Fraud
&
Compliance

•  Key
QuesKons

•  Summary
&
QuesKons


Fraud
will
never
happen
to
You

•  75%
of
fraud
is
due
to
ineﬀecKve
internal

controls,
split
between

–  Lack
of
controls
38%

–  Over
riding
controls
19%

–  Lack
of
management
review
18%

•  80%
of
businesses
modify
controls
aEer
Fraud

AssociaKon
of
CerKﬁed
Fraud
Examiners


It
doesn’t
happen
here.......

UK: Canada:61% admit businesses suffered crime
NewSouth 50% largesuffered “significant fraud
Germany: 55% companieseconomicfraud
USA:almost Africa: 62%persuffering fraud
35% companies to business suffered
companies
Zealand: 42% suffered suffered crime
almost83%incidents experiencedmost common
-  Average 8 - average cost $491,000
economic crime”asset misappropriation bribery &
- 75% of 59% (5,000+ employees)
- larger
- Average cost 40% suffered economic crime
Australia: of sufferedchancemilliontip-off
-
-most 38% detected by 100 incidentsEuros
crime cost 4.2
increasingly corruption or by
-33% of these by middle / senior management
- likely cause is pressure due to economy
Source: PwC 2009 fraud survey Crime survey
Source: PwCopportunitySource: PwC driver survey
2009
- increased 2009Source: PwCPwC 2009 crime survey
fraud Source: 2009 Crimecrime
Source: PwC 2009 survey
survey
is primary
Source: PwC 2009 crime survey


Security
Creep

•  Ex-‐employees
sKll
have
access

•  Changes
to
business
processes

•  OrganisaKonal
&
process
changes

•  Upgrades.........
Task 8

Risk Task 7

Task 6 Task 6

Task 5 Task 5

Task 4 Task 4
Task 4
Task 3 Task 3
Task 3

Task 2 Task 2 2
Task Task 2

Task 1 Task 1 1
Task Task 1
Task 1

Time

•  VP
in
Finance
Department

•  July
–
December
2010

•  Stole
$19m

“Defendant
bought
a
Masera3,
6
Proper3es,

and
a
$½m
entertainment
system”

“Excessive
Access
Rights”


SegregaKon
of
DuKes
(SoD)

Jones & Jones Inc.

A Manager
Sets up MB Inc. as a supplier

Accepts Purchase Invoices from MB Inc.
Approves Invoices
Processes for Payment
Transfers the funds
Runs
oﬀ
with
£1m


Deloiee
–
Auditor
Survey

•  3
Most
Common
Frauds

–  MisappropriaKon
of
Assets
–
31%

–  Improper
Expenditures
–
22%

–  Procurement
Fraud
–
16%

•  63%
companies
say
vulnerability
has
increased

•  83%
UK
companies
had
suﬀered
fraud


EﬀecKve
control
of
SOD:
What
is
it?

• 
…no
single
individual
should
have
control

over
two
or
more
phases
of
a
transacKon
or

operaKon…

(University
of
Utah
Department
of
Internal
Audit
IdenKfy
the
DuKes)

•  …no
one
individual
employee
can
complete

a
signiﬁcant
business
transacKon
in
its

enKrety…

(UCSD
Audit
&
Management
Advisory
Services)


EﬀecKve
control
of
SOD:
What
is
it?

Examples
Include
…..

§  Those
responsible
for
physical
receipt
of
goods
should

not
be
responsible
for
paying
for
the
goods.

§  Those
responsible
for
custody
of
goods

§  should
not
be
responsible
for
maintaining
the
records
of

the
assets.

§  Those
responsible
for
collecEon
of
receivables
should

not
be
responsible
for
entries
in
the
book
of
accounts.

Source:

Sawyer’s
Internal
AudiEng

5th
EdiEon,
page
1198


EﬀecKve
control
of
SOD:
EBS

•  Monitoring
ApplicaKon
Controls

–  e.g.
Post
Journal
Approval
–
Journal

Application Layer

Sources

•  Lack
of
Audit
All

–  Certain
Forms
without
Audit
Trail

•  Inability
to
audit
WHAT

•  Data
Growth

•  UnintuiKve
info

–  Vendor
ID,
Cust
ID

–  Same
with
Log
based
soluKons


EffecKve
control
of
SOD:
EBS

•  SensiKve
InformaKon

Application Layer
–  e.g.
Employee
Bank
Info,
NI
#

Database Layer –  MulKple
Forms

•  Different
Views
of
Same
Info

–  SQL
Forms

–  Request
Groups

–  External
ReporKng
SoluKons

–  Hiding/Masking
impacts

ApplicaKons

–  SegregaKon
Policies
difficult
to

enforce


EﬀecKve
control
of
SOD:
Principles

1.  Least
Privilege
Rule

2.  Access
to
fulﬁll
a
job
funcKon

3.  Minimise
Risks
to
SensiKve
FuncKons

4.  Segregate
Roles
in
CriKcal
Processes

5.  Monitor
known
high
risks

6.  Use
Tools


EﬀecKve
control
of
SOD:
What
to
do?

•  But
use
the
right
tools!

–  PrevenKon

–  DetecKon

–  Approval
Process

–  MiKgaKon
Handling

–  False
PosiKve
Handling

•  And
look
for
lower
TCO

–  Embedded
into
EBS

–  No
addiKonal
Hardware

–  Rapid
ImplementaKon

–  Quick
InstallaKon


EﬀecKve
control
of
SOD

Access
Control
AudiEng

Ø 

Full
audit
trail

Ø 

TransacKon
Data

Ø 

Enquire
&
Report


EﬀecKve
control
of
SOD

SoD
ImplementaEon

Ø 

Real
Kme
SoD
controls

Ø 

Approvals

Ø 

What
if
Analysis

Ø 

ReporKng


EﬀecKve
control
of
SOD

Implement
Complex
Security

Ø 

Data
SegregaKon

Ø 

Data
Masking

Ø 

Dynamic
Security
Policies


Agenda

•  Q
SoEware:
Who
are
we?

•  What
are
the
Problems?

–  Fraud
&
Compliance

•  Case
Studies

•  Summary
&
QuesKons


QsoEware
SoluKon

•  DetecKve
SoD

•  PrevenKve
SoD

•  Blanket
FuncKon
Lockout

•  Trend
InformaKon

•  Integrated

•  Rapid
ImplementaKon

•  Pre-‐Seeded
Content


Key
audit
quesKons:

•  Who
is
in
violaKon
of
SoD
rules?

–  &
how?

•  What
programs
can
a
user
access?

–  &
with
what
authoriKes?

•  Who
can
access
a
parKcular
program?

–  &
with
what
authoriKes?

•  Who
can
access
criKcal
programs?

–  Such
as
Address
Book
Master
Maintenance,
Bank

Payments
and
Credit
Limits

•  Who
can
access
Master
Data?

–  Such
as
AutomaKc
AccounKng
InstrucKons,
Bank

Account
details,
Chart
of
Accounts

•  What
security
sesngs
does
a
parKcular
user
have?


Solve
Business
Problems
with
Good
Security

•  Audit
Security
–
KNOW
your
status

•  Map
Security
to
Business
Processes

•  Build
in
SoD

•  Make
Security
more
Manageable

&
Reduce
Costs

•  Consider
Outsourcing

Security
Management

•  Compliance
Management

&
ReporKng


SegregaKon
of
Duty
Issues

•  Spread-‐sheets
No
Integrity

•  Queries
No
Accuracy

•  Manual
Review
Time
consuming

•  Responsibility
level
SoD
Omits
key
risks
(needs
to
be
at

the
FuncKon
level)

•  Periodic
Reviews
Risk
between
reviews

•  External
SoluKons
High
Cost


EﬀecKve
control
of
SOD:
Reduce
Costs

•  Tools
reduce
Cost
of
CorrecKng
Errors….

–  Prevent
Unwanted
Access

–  Approval
Process

–  MiKgaKon
Handling

–  False
PosiKve
Handling

•  Reduced
Staﬀ
Time……

–  Embedded
into
EBS

–  No
addiKonal
Hardware

–  Rapid
ImplementaKon
of
Complex
Security

–  No
impact
on
Upgrades


QuesKons?


Have
pity
on
the
homeland.....


E-Business Suite 2 _ Mike Ward _ Fraud and its part in your downfall.pdf

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a E-Business Suite 2 _ Mike Ward _ Fraud and its part in your downfall.pdf

Semelhante a E-Business Suite 2 _ Mike Ward _ Fraud and its part in your downfall.pdf (20)

Mais de InSync2011

Mais de InSync2011 (20)

E-Business Suite 2 _ Mike Ward _ Fraud and its part in your downfall.pdf