Fraud Awareness & Prevention: Access Control

May 29, 2015 | Authored by William Prohn CISSP, CISA, CGEIT, CRISC


Let’s consider the following scenario: Your organization enforces mandatory vacations in an effort to prevent occupational fraud. A current employee is perpetrating a fraud scheme involving a fictitious employee and must access your accounting system bi-weekly to continue the fraudulent activity. Unfortunately for you, employees are allowed to work from home and the fraudster in question simply logs in after-hours and performs the necessary steps to maintain his/her scheme.

This scenario highlights the importance of IT controls, as we see that the fraudster was able to circumvent the organization’s anti-fraud efforts by taking advantage of a weakness in the IT control environment.

Occupational Fraud

The Association of Certified Fraud Examiners (ACFE) defines Occupational Fraud as: “The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.” With a median fraud loss of $145,000, occupational fraud is not something that can be ignored. Information technology plays a critical role in an organization’s fraud prevention program, but what exactly is that role?

The Role of Information Technology

Information technology controls may be found throughout the three broad areas of a fraud prevention program:

  1. Prevention
  2. Detection
  3. Investigation/Response

While a novel could be written about each area, this blog series will focus on fraud prevention techniques, specifically the topics of Access Control, Administrators, and Logging/Monitoring.

Fraud Awareness & Prevention

Access Control

Segregating Incompatible Duties: All too often, traditional segregation of duties controls are not reinforced by information technology controls. Take, for example, this comment I received recently from a client’s employee: “I don’t think anyone realizes all the things I can do in the accounting system. I’ve never done anything bad…but I could.” It can be easy to get hung up on making sure your employees can perform their necessary job functions at the expense of security, but it’s crucial that you know exactly what your employees can, and can’t, do in financial applications.

Accumulating Unnecessary Access

Typically, organizations have strong controls in place to grant and revoke access when an employee is hired or terminated. However, employees who move throughout the company or perform temporary functions are much less controlled, often resulting in inappropriate or unnecessary access. For example, an employee in the accounting department takes a vacation; this employee is the administrator of the accounting system and is responsible for adding new users. During the vacation, a co-worker is temporarily given the administrator’s rights; that co-worker now possesses conflicting privileges and is able to add a new user, perform transactions, and then remove the user. When the administrator returns, no one remembers to revoke the inappropriate access.
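Both of the gaps described above (an account holding incompatible privileges, and a temporary grant that outlives the vacation it was meant to cover) can be caught by a periodic entitlement review that compares what the application actually grants against a list of incompatible privilege pairs. The script below is an added illustration, not code from the article or from any particular accounting package; the user names, privilege names, dates and the incompatibility matrix are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Optional

# Constructed sample data (not from the article): which privileges each account
# holds in a hypothetical accounting application, and whether a grant was meant
# to be temporary (e.g. covering for an absent colleague) with a planned end date.
@dataclass(frozen=True)
class Grant:
    user: str
    privilege: str
    temporary: bool = False
    expires: Optional[date] = None

GRANTS = [
    Grant("alice", "admin_create_user"),                            # the system administrator
    Grant("bob", "post_transaction"),
    Grant("bob", "admin_create_user", True, date(2015, 5, 15)),     # vacation cover, never revoked
    Grant("carol", "create_vendor"),
    Grant("carol", "approve_payment"),
    Grant("dave", "run_payroll"),
]

# Pairs of privileges one person should not hold at the same time.
# Constructed for illustration; a real matrix comes from the control owner.
INCOMPATIBLE = {
    frozenset({"admin_create_user", "post_transaction"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"admin_create_user", "run_payroll"}),
}

# Date of the review run, constructed to match the article's publication date.
REVIEW_DATE = date(2015, 5, 29)


def privileges_by_user(grants):
    """Collapse the grant list into {user: set(privileges)}."""
    by_user = {}
    for g in grants:
        by_user.setdefault(g.user, set()).add(g.privilege)
    return by_user


def find_sod_conflicts(grants, incompatible=INCOMPATIBLE):
    """Return sorted (user, priv_a, priv_b) triples where a single account holds
    both halves of an incompatible pair, regardless of how it obtained them."""
    hits = []
    for user, privs in privileges_by_user(grants).items():
        for a, b in combinations(sorted(privs), 2):
            if frozenset({a, b}) in incompatible:
                hits.append((user, a, b))
    return sorted(hits)


def find_stale_temporary_grants(grants, today):
    """Temporary grants whose planned end date has passed but that still exist."""
    return sorted(
        (g.user, g.privilege)
        for g in grants
        if g.temporary and g.expires is not None and g.expires < today
    )


if __name__ == "__main__":
    for user, a, b in find_sod_conflicts(GRANTS):
        print(f"SoD conflict: {user} holds both {a} and {b}")
    for user, priv in find_stale_temporary_grants(GRANTS, REVIEW_DATE):
        print(f"Stale temporary grant: {user} still has {priv}")
```

Run on the constructed data, the review flags bob twice: once because the vacation cover left him with both user-creation and transaction-posting rights, and once because that temporary grant is two weeks past its planned end. Carol is flagged for holding vendor creation and payment approval together, which the text's point about segregation of duties covers even though no temporary grant was involved. In practice the grant list is exported from the application's own user and role tables rather than typed in by hand.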

Passwords

A common practice when it comes to shared accounts (think bank accounts, social media, internal sites) is to utilize a password with familiar terms, such as: BusinessName_1. When a new account is created that will be shared by more than one employee, a new password will all-too-often contain a similar naming convention: BusinessName_2, BusinessName_3 etc. The use of easily guessable, recycled passwords can present significant fraud risks within an organization as an employee has a high likelihood of guessing the password based on their knowledge of the common naming convention.
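One mitigation for the naming-convention problem is a policy check on new shared-account passwords that rejects anything derived from the organization's name, even with separators, a counter suffix, or simple character substitutions, and a generator that produces an unrelated random secret instead. The code below is an added example, not from the article; the organization-name tokens, the minimum length, and the substitution table are assumptions chosen for illustration.

```python
import re
import secrets
import string

# Constructed (not from the article): the organization's name and an abbreviation,
# lower-cased, that a shared-account password must not be built from.
ORG_NAME_TOKENS = ("businessname", "bizname")

# Assumed policy minimum for a secret shared by several people.
MIN_LENGTH = 16

# Common character substitutions so that "Bu$ine$$N@me" is still recognised.
_DELEET = str.maketrans("0134$@57", "oieasast")


def normalize(password: str) -> str:
    """Lower-case and keep only letters and digits, so separators like '_' or '-' vanish."""
    return re.sub(r"[^a-z0-9]", "", password.lower())


def derived_from_org_name(password: str, tokens=ORG_NAME_TOKENS) -> bool:
    """True when the password contains an organization-name token, either literally
    or after undoing common substitutions: this is the recycled pattern
    (BusinessName_1, BusinessName_2, ...) the article warns about."""
    candidates = {normalize(password), normalize(password.lower().translate(_DELEET))}
    return any(token in candidate for token in tokens for candidate in candidates)


def check_shared_account_password(password: str, tokens=ORG_NAME_TOKENS):
    """Return the list of policy findings for a proposed password; empty means it passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if derived_from_org_name(password, tokens):
        findings.append("derived from the organization's name")
    return findings


def new_shared_secret(length: int = 20) -> str:
    """Generate a random secret with no relation to the organization or to
    previously issued secrets, so knowing one gives no hint about the next."""
    alphabet = string.ascii_letters + string.digits + "-_.!"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("BusinessName_1", "Bu$ine$$-Name_3!", "correct horse battery staple"):
        print(f"{candidate!r}: {check_shared_account_password(candidate) or 'ok'}")
    print("suggested replacement:", new_shared_secret())
```

The check is deliberately a substring match after normalisation rather than an exact comparison, so that appending a year, a department code, or punctuation does not get a name-based password past it. Shared secrets produced by the generator should still be stored in a password manager with per-person access, since a shared secret that is not rotated when someone leaves recreates the same exposure the article describes.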

I hope you’ll check back for the second part of this series where we will address the fraud risks associated with Administrators and privileged users. For more information on how Dopkins & Company can help your organization be more secure, please contact William Prohn at wprohn@dopkins.com.

About the Author

William Prohn CISSP, CISA, CGEIT, CRISC

Bill oversees all aspects of information technology for the firm, and provides consulting services to a wide spectrum of Dopkins’ clients. He has over 30 years of experience in accounting and business information systems. His specific interests include creating meaningful, practical management information using computer technologies, and the security of business information and systems.
