May 29, 2015 – Let’s consider the following scenario: Your organization enforces mandatory vacations in an effort to prevent occupational fraud. A current employee is perpetrating a fraud scheme involving a fictitious employee and must access your accounting system bi-weekly to continue the fraudulent activity. Unfortunately for you, employees are allowed to work from home and the fraudster in question simply logs in after-hours and performs the necessary steps to maintain his/her scheme.
This scenario highlights the importance of IT controls: the fraudster circumvented the organization’s anti-fraud efforts by exploiting a weakness in the IT control environment.
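One way to detect the scenario above is to cross-check accounting-system logins against the mandatory-vacation calendar. This is an added example, not part of the original article; the log format, user names, dates and function names are all constructed assumptions.

```python
from datetime import date, datetime

# Constructed sample data (assumption, not from the article).
# HR leave calendar: user -> list of (first_day, last_day), both inclusive.
MANDATORY_LEAVE = {
    "jdoe": [(date(2015, 5, 18), date(2015, 5, 29))],
    "asmith": [(date(2015, 6, 1), date(2015, 6, 5))],
}

# Constructed accounting-system auth log: "ISO timestamp,user,source,result".
SAMPLE_LOG = """\
2015-05-15T09:02:11,jdoe,office-lan,SUCCESS
2015-05-22T23:41:07,jdoe,vpn,SUCCESS
2015-05-22T23:40:55,jdoe,vpn,FAILURE
2015-05-29T22:15:30,jdoe,vpn,SUCCESS
2015-06-01T08:00:00,jdoe,office-lan,SUCCESS
2015-06-03T10:12:45,asmith,office-lan,SUCCESS
2015-06-03T10:30:00,bwong,vpn,SUCCESS
malformed line
"""

def on_leave(user, day, calendar):
    """True if `day` falls inside any of the user's leave windows."""
    return any(start <= day <= end for start, end in calendar.get(user, []))

def parse_events(log_text):
    """Yield (timestamp, user, source, result); skip lines that do not parse."""
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1].lower(), parts[2], parts[3].upper()

def access_during_leave(log_text, calendar):
    """Events where a user on mandatory leave touched the system.
    Failed attempts are kept: an attempt during leave also merits review."""
    return [e for e in parse_events(log_text) if on_leave(e[1], e[0].date(), calendar)]

def leave_violations_by_user(log_text, calendar):
    """Group flagged events per user for the reviewer."""
    summary = {}
    for ts, user, source, result in access_during_leave(log_text, calendar):
        summary.setdefault(user, []).append((ts.isoformat(), source, result))
    return summary
```

This is a detective control; the preventive counterpart is to suspend the employee's application and remote access for the duration of the mandatory vacation.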
The Association of Certified Fraud Examiners (ACFE) defines Occupational Fraud as: “The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.” With a median fraud loss of $145,000, occupational fraud is not something that can be ignored. Information technology plays a critical role in an organization’s fraud prevention program, but what exactly is that role?
The Role of Information Technology
Information technology controls may be found throughout the three broad areas of a fraud prevention program:
Fraud Awareness & Prevention
Segregating Incompatible Duties: All too often, traditional segregation of duties controls are not reinforced by information technology controls. Take, for example, this comment I received recently from a client’s employee: “I don’t think anyone realizes all the things I can do in the accounting system. I’ve never done anything bad…but I could.” It can be easy to get hung up on making sure your employees can perform their necessary job functions at the expense of security, but it’s crucial that you know exactly what your employees can, and can’t, do in financial applications.
Accumulating Unnecessary Access
About the Author
William Prohn CISSP, CISA, CGEIT, CRISC, CMMC-AB RP
Bill oversees all aspects of information technology for the firm, and provides consulting services to a wide spectrum of Dopkins’ clients. He has over 30 years of experience in accounting and business information systems. His specific interests include creating meaningful, practical management information using computer technologies, and the security of business information and systems.