Fraud Awareness & Prevention: Access Control
May 29, 2015 | Authored by William Prohn CISSP, CISA, CGEIT, CRISC
This scenario highlights the importance of IT controls, as we see that the fraudster was able to circumvent the organization’s anti-fraud efforts by taking advantage of a weakness in the IT control environment.
Occupational Fraud
The Association of Certified Fraud Examiners (ACFE) defines Occupational Fraud as: “The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.” With a median fraud loss of $145,000, occupational fraud is not something that can be ignored. Information technology plays a critical role in an organization’s fraud prevention program, but what exactly is that role?
The Role of Information Technology
Information technology controls may be found throughout the three broad areas of a fraud prevention program:
- Prevention
- Detection
- Investigation/Response
Fraud Awareness & Prevention
Access Control
Segregating Incompatible Duties: All too often, traditional segregation of duties controls are not reinforced by information technology controls: the policy says one person enters invoices and another approves payments, but the application's role assignments let a single account do both. Take, for example, this comment I received recently from a client’s employee: “I don’t think anyone realizes all the things I can do in the accounting system. I’ve never done anything bad…but I could.” It is easy to focus on making sure employees can perform their job functions and to treat the access that grants as an afterthought, but you must know exactly what each employee can, and cannot, do in your financial applications, and that means reviewing effective permissions, not job titles.
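The kind of review the paragraph above calls for can be automated against an entitlement export from the accounting system. The following is an added example, not code from the original article or from any particular accounting package: the role names, permissions, users and the incompatible-duty pairs are all constructed for illustration. It flattens each user's roles into effective permissions, checks them against a conflict matrix, and separately flags roles whose own definition already bundles both sides of a conflict (so no assignment of that role can ever be clean).

```python
"""Segregation-of-duties (SoD) review over an application's entitlement export.

Added example, not from the original article. Every name below (permissions,
roles, users, conflict pairs) is constructed; substitute the real export and
the SoD policy of the system you are reviewing.
"""

# Constructed: incompatible-duty pairs. A single person holding both sides of a
# pair can initiate and conceal a transaction without a second person involved.
SOD_CONFLICTS = {
    frozenset({"VENDOR_CREATE", "AP_PAYMENT_APPROVE"}),
    frozenset({"AP_INVOICE_ENTER", "AP_PAYMENT_APPROVE"}),
    frozenset({"JE_POST", "BANK_RECONCILE"}),
    frozenset({"PAYROLL_EMPLOYEE_EDIT", "PAYROLL_RUN"}),
}

# Constructed: role -> permissions, as an accounting package might export them.
ROLE_PERMISSIONS = {
    "AP_CLERK": {"AP_INVOICE_ENTER", "VENDOR_CREATE"},
    "AP_MANAGER": {"AP_PAYMENT_APPROVE", "AP_REPORT_VIEW"},
    "GL_ACCOUNTANT": {"JE_POST", "GL_REPORT_VIEW"},
    "TREASURY": {"BANK_RECONCILE"},
    # A catch-all admin role: conflicting by construction.
    "SYSADMIN": {"USER_ADMIN", "AP_PAYMENT_APPROVE", "JE_POST",
                 "BANK_RECONCILE", "VENDOR_CREATE"},
}

# Constructed: user -> roles. Roles accumulated across job changes are where
# conflicts usually hide; "carol" kept AP_CLERK after becoming a manager.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_MANAGER"},
    "carol": {"AP_CLERK", "AP_MANAGER"},
    "dave": {"GL_ACCOUNTANT", "TREASURY"},
    "erin": {"SYSADMIN"},
}


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Flatten a user's roles into the set of actions the account can actually perform."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_permissions.get(role, set())
    return perms


def conflicts_in(perms, conflicts=SOD_CONFLICTS):
    """Return the sorted list of (perm_a, perm_b) conflict pairs fully contained in perms."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= perms)


def sod_violations(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS,
                   conflicts=SOD_CONFLICTS):
    """Conflict pairs a single user holds both sides of, via any combination of roles."""
    return conflicts_in(effective_permissions(user, user_roles, role_permissions), conflicts)


def review_users(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS,
                 conflicts=SOD_CONFLICTS):
    """Map each user with at least one SoD violation to the list of violated pairs."""
    report = {}
    for user in sorted(user_roles):
        hits = sod_violations(user, user_roles, role_permissions, conflicts)
        if hits:
            report[user] = hits
    return report


def conflicting_roles(role_permissions=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Roles that bundle both sides of a conflict; these are a role-design defect,
    not an assignment mistake, and must be split before assignments can be clean."""
    return {role: conflicts_in(perms, conflicts)
            for role, perms in sorted(role_permissions.items())
            if conflicts_in(perms, conflicts)}


def who_can(permission, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Answer the auditor's question 'who can do X?' from effective permissions."""
    return sorted(u for u in user_roles
                  if permission in effective_permissions(u, user_roles, role_permissions))


if __name__ == "__main__":
    for user, hits in review_users().items():
        print(f"{user}: {', '.join(' + '.join(pair) for pair in hits)}")
    for role, hits in conflicting_roles().items():
        print(f"role {role} is conflicting by design: {hits}")
    print("can approve AP payments:", who_can("AP_PAYMENT_APPROVE"))
```

Run against a real export, the two outputs to act on are different: user-level violations are fixed by removing a role, while role-level conflicts (the `SYSADMIN` pattern here) are fixed by redesigning the role, since every holder of it is in violation regardless of what else they have. Re-running the review on a schedule, rather than once at go-live, is what catches access that accumulates after promotions and transfers.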
Accumulating Unnecessary Access
Passwords
About the Author
William Prohn CISSP, CISA, CGEIT, CRISC
Bill oversees all aspects of information technology for the firm, and provides consulting services to a wide spectrum of Dopkins’ clients. He has over 30 years of experience in accounting and business information systems. His specific interests include creating meaningful, practical management information using computer technologies, and the security of business information and systems.