how secure is your business? fraud risk analysis and security management

Presented by: William H. Brown, CPA, CFFA, CFE (BerryDunn, www.berrydunn.com)

Uploaded by whbrown5, posted on 22-Jan-2015


DESCRIPTION

Presented at BerryDunn's program, Emerging Issues: Tax, Business & Accounting, in Bangor, Maine, on September 22, 2011.

TRANSCRIPT

1. How Secure is your Business? Fraud Risk Analysis and Security Management
   Presented by: William H. Brown, CPA, CFFA, CFE
   GAIN CONTROL, www.berrydunn.com

2. What is the problem? Some statistics from the Report to the Nations on Occupational Fraud and Abuse, 2010 Global Fraud Study, published by the Association of Certified Fraud Examiners. Figures shown on the slide: 5.0%, $231,000, 37.8%, 30.8%, $155,000 (chart labels not in the transcript).

3. How is Fraud Detected? (chart)

4. Where do Tips Come From? (chart)

5. What Controls are Used? (chart)

6. Disturbing Statistic (chart)

7. Objective
   Provide you with information to help you manage the business risks of loss due to fraud and inadequate IT security ... not to prevent, detect and prosecute all instances of fraud and stamp out all evil regardless of the cost.

8. What Can I Tell You That Will Help?
   - Overview of Fraud
   - Fraud Risk Analysis
   - IT Security Management

9. What is Fraud?
   - "U.S. Alleges Poker Site Stacked Deck", Wall Street Journal, September 21, 2011
   - "Focus on Goldman Ex-Director", Wall Street Journal, September 21, 2011
   - "Maine Man Facing Charges of Securities Fraud", Portland Press Herald, February 18, 2011

10. What is Fraud?
   - Financial statement fraud
   - Asset misappropriation
   - Corruption

11. Loss Prevention
   - Fraud prevention
   - Fraud monitoring
   - Fraud detection
   - Security

12. Fraud Risk Analysis
   - Internal control review
   - Fraud risk checkup
   - Fraud risk assessment

13. Fraud Prevention Checkup
   Is it time to see a professional?

14. Key Areas of Checkup
   - Fraud risk oversight and ownership
   - Fraud risk assessment
   - Risk tolerance/policy
   - Controls: process level and environment level
   - Proactive detection

15. Fraud Risk Assessment
   A series of questions to help an organization identify risk areas and respond to those risks.

16. Results of Assessment
   Results should allow the organization to:
   - Identify potential inherent fraud risks
   - Assess likelihood and significance of occurrence
   - Evaluate the people and departments most likely to commit fraud
   - Identify and map preventative and detective controls

17. Results of Assessment (continued)
   Results should allow the organization to:
   - Evaluate whether identified controls are working
   - Identify fraud risks resulting from a lack of controls or ineffective controls
   - Develop a response

18. Typical Assessment Areas
   - Employees
   - Physical controls
   - Cash
   - Purchasing and billing
   - Proprietary information/intellectual property
   - Corruption

19. Employee Assessment
   - Are employees afraid to deliver bad news to management?
   - Are employees required to take annual vacations?
   - Are the duties related to authorization, custody of assets, and recording or reporting of transactions segregated?

20. Physical Control Assessment
   - Does the organization conduct pre-employment background checks to identify previous dishonest or unethical behavior?
   - Does the organization provide an anonymous way to report suspected violations of the ethics and anti-fraud policies?
   - Does the organization restrict access to computer systems holding sensitive documents?

21. Cash Receipts Assessment
   - Does a person independent of the cash receipts and accounts receivable functions compare entries in the cash receipts journal with the bank deposit slips and bank deposit statements?
   - Is an independent listing of cash receipts prepared before the receipts are submitted to the cashier or accounts receivable bookkeeper?
   - Is job or assignment rotation mandatory for employees who handle cash receipts and accounting duties?

22. Purchasing Assessment
   - Is the master vendor file periodically reviewed for unusual vendors and addresses?
   - Are control methods in place to check for duplicate invoices and purchase order numbers?
   - Do write-offs of accounts payable debit balances require approval of a designated manager?

23. Proprietary Information Assessment
   - Are employees required to use screensaver and/or server passwords to protect unattended computer systems?
   - Are employees who have access to proprietary information required to sign noncompete agreements to prevent them from working for competitors within a stated period of time and location?
   - Are there policies and procedures addressing the identification, classification, and handling of proprietary information?

24. Corruption Assessment
   - Is there a company policy that addresses the receipt of gifts, discounts, and services offered by a supplier or customer?
   - Are contracts awarded based on predetermined criteria?
   - Are purchasing account assignments rotated?

25. Information Technology Security Management
   - Security assessment
   - Purchasing
   - Fraud prevention suggestions

26. IT Security Assessment
   A typical assessment includes the following areas:
   - Organization/management of IT
   - Computer/network hardware
   - Computer/network software
   - Network security controls
   - IT security and administration
   - Backup and system recovery

27. IT Security Assessment
   - Includes review of documentation, observation and interviews
   - Incorporates best-practice guidelines
   - Risk ratings
   - Recommendations

28. IT Security Assessment
   Examples of specific areas:
   - Secure media disposal
   - Patch management
   - Network design
   - Backup procedures
   - Mobile devices

29. IT Fraud Prevention Tools
   Utilize the reporting and monitoring systems already in place.

30. Using IT Controls Effectively
   - Assign individual employees their own system IDs
   - Disable usage of generic administrative IDs
   - Change administrative passwords every 60 days (a rotation schedule for shared administrative credentials; current NIST SP 800-63B guidance discourages forced periodic changes of individual users' passwords and favors changing them on suspected compromise or staff turnover)
   - Lock down system IDs
   - ENFORCE!

31. Using IT Controls Effectively
   Ensure access to financial accounting systems is compartmentalized, i.e.:
   - Users have no way to reach the financial database except through the application
   - IT cannot affect the non-technology reconciliation process
   - Limit access to the master vendor and customer files

32. Flags and Symptoms
   - Missing checks, expense reports, registers
   - Multiple and ongoing errors in the accounting system that are unexplained
   - Access to the accounting system at odd hours and/or in an unusual way

33. IT Purchasing Considerations: Software
   - Be aware of privacy and confidentiality issues, laws and regulations
   - What is the vendor's stated commitment in the contract to remediation time after patches are released by operating system companies?
   - What is the stated remediation time for security flaws?

34. IT Purchasing Considerations: Outsourced Services
   - Does the contract ensure secure processes?
   - For credit card payments: PCI compliant?
   - Website management: CONFIDENTIALITY AND PRIVACY

35. Remember
   - Fraud loss prevention includes preventative measures, monitoring activities and detection.
   - Assessments provide a starting point for identifying and addressing the risk.
   - Controls are only useful when they are implemented and enforced.

36. Thanks for Attending. Have a Pleasant Afternoon!
   Photo from near the yurt at the top of Pleasant Mountain (Shawnee Peak), sunset on August 20, 2011.

37. Contact Information
   Bill Brown, [email protected]
   Heald, [email protected], 207-541-2311
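The cash receipts and purchasing questions on slides 21 and 22 describe checks that can be run against the books themselves rather than answered from memory. The following is an added example, not code from the presentation or from BerryDunn: a Python script that reconciles a cash receipts journal to bank deposit detail, finds re-keyed duplicate invoices and purchase orders billed more than once, and matches master vendor addresses against employee addresses. Every record, vendor ID, name and address in it is constructed for illustration.

```python
"""Record-level checks behind the cash-receipts and purchasing questions (added example)."""
import re
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the presentation): one day of receipts,
# the bank's per-item deposit detail, a batch of vendor invoices, the vendor
# master file and the employee address list.
RECEIPTS_JOURNAL = [
    {"date": date(2011, 9, 1), "customer": "Acme Co", "amount": 1200.00},
    {"date": date(2011, 9, 1), "customer": "Bayside LLC", "amount": 450.50},
    {"date": date(2011, 9, 1), "customer": "Coastal Inc", "amount": 980.00},
]
BANK_DEPOSITS = [  # the $980.00 receipt never reached the bank
    {"date": date(2011, 9, 1), "amount": 1200.00},
    {"date": date(2011, 9, 1), "amount": 450.50},
]
INVOICES = [
    {"vendor": "V100", "invoice_no": "INV-2041", "po": "PO-7781", "amount": 3200.00},
    {"vendor": "V100", "invoice_no": "inv 2041", "po": "PO-7781", "amount": 3200.00},  # re-keyed duplicate
    {"vendor": "V205", "invoice_no": "A-19", "po": "PO-7790", "amount": 515.00},
    {"vendor": "V205", "invoice_no": "A-20", "po": "PO-7790", "amount": 515.00},  # same PO billed twice
]
VENDORS = [
    {"id": "V100", "name": "Northern Supply", "address": "12 Mill St, Bangor, ME"},
    {"id": "V205", "name": "Pine Tree Office", "address": "88 Harlow St, Bangor, ME"},
    {"id": "V310", "name": "JS Consulting", "address": "45 Elm Street, Orono, ME"},
]
EMPLOYEES = [
    {"user": "jsmith", "address": "45 Elm St., Orono, ME"},
]


def reconcile_receipts(journal, deposits, tolerance=0.005):
    """Match each journal entry to one deposit on the same date and amount.
    Returns (journal entries with no deposit, deposits with no journal entry)."""
    unmatched = []
    remaining = list(deposits)
    for entry in journal:
        for i, dep in enumerate(remaining):
            if dep["date"] == entry["date"] and abs(dep["amount"] - entry["amount"]) <= tolerance:
                del remaining[i]  # each deposit may satisfy only one entry
                break
        else:
            unmatched.append(entry)
    return unmatched, remaining


def normalize_ref(ref):
    """Fold case and drop punctuation so 'INV-2041' and 'inv 2041' collide."""
    return re.sub(r"[^0-9a-z]", "", ref.lower())


def duplicate_invoices(invoices):
    """Group by (vendor, normalized invoice number); return groups with more than one invoice."""
    groups = defaultdict(list)
    for inv in invoices:
        groups[(inv["vendor"], normalize_ref(inv["invoice_no"]))].append(inv)
    return [g for g in groups.values() if len(g) > 1]


def repeated_po_numbers(invoices):
    """Return {po: invoices} for purchase orders that were billed more than once."""
    by_po = defaultdict(list)
    for inv in invoices:
        by_po[inv["po"]].append(inv)
    return {po: g for po, g in by_po.items() if len(g) > 1}


def normalize_address(addr):
    """Lower-case, strip punctuation, collapse 'street' to 'st' and squeeze spaces."""
    a = re.sub(r"[^0-9a-z ]", "", addr.lower())
    a = re.sub(r"\bstreet\b", "st", a)
    return re.sub(r"\s+", " ", a).strip()


def vendors_at_employee_addresses(vendors, employees):
    """Vendors whose address matches an employee's address, a common shell-vendor indicator."""
    by_addr = {normalize_address(e["address"]): e["user"] for e in employees}
    hits = []
    for v in vendors:
        key = normalize_address(v["address"])
        if key in by_addr:
            hits.append((v["id"], by_addr[key]))
    return hits


if __name__ == "__main__":
    missing, orphan = reconcile_receipts(RECEIPTS_JOURNAL, BANK_DEPOSITS)
    print("receipts never deposited:", [m["customer"] for m in missing])
    print("deposits with no journal entry:", orphan)
    print("duplicate invoices:", duplicate_invoices(INVOICES))
    print("POs billed more than once:", sorted(repeated_po_numbers(INVOICES)))
    print("vendors at employee addresses:", vendors_at_employee_addresses(VENDORS, EMPLOYEES))
```

The point of the normalization steps is that a second submission of the same invoice rarely arrives keyed identically; exact-match duplicate checks in an AP system miss "INV-2041" against "inv 2041", and a vendor set up at an employee's home address is only caught if both sides are normalized the same way. In practice the reconciliation should be run by someone independent of the receipts and receivables functions, as slide 21 asks.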
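Slides 29 through 32 ask for individual system IDs, no generic administrative accounts, compartmentalized access to the financial database, and attention to accounting-system access at odd hours. The following is an added example, not part of the presentation or BerryDunn's material, of using logs an organization already collects (slide 29) to surface those symptoms: a Python script that parses constructed accounting-application and database log lines in a key=value format and flags generic IDs, off-hours access, vendor master edits by unauthorized users, and direct database access that bypasses the application. The log format, the account names (admin, jsmith, tmiller, dba_svc, controller), the authorized-user sets and the 07:00 to 19:00 business-hours window are all assumptions made for the example.

```python
"""Monitoring checks for the IT-control slides (added example)."""
import re
from datetime import datetime, time

# Constructed sample log lines (not from the presentation): events from the
# general-ledger application (app=GL) and its database (db=GLDB).
SAMPLE_LOG = """\
2011-09-20T08:55:12 app=GL user=jsmith event=login src=10.1.4.22
2011-09-21T02:13:40 app=GL user=jsmith event=login src=10.1.4.22
2011-09-21T02:15:02 app=GL user=jsmith event=edit_vendor_master vendor=V310
2011-09-21T14:02:11 app=GL user=admin event=login src=10.1.4.50
2011-09-22T11:30:00 db=GLDB user=tmiller event=direct_sql src=10.1.9.7
2011-09-24T10:00:00 app=GL user=controller event=login src=10.1.4.31
"""

# Policy for the example (assumptions; tune these to the organization).
GENERIC_IDS = {"admin", "administrator", "sysadmin", "root", "sa"}
VENDOR_MASTER_EDITORS = {"apclerk", "controller"}  # the only users who may change the vendor master
DBA_ACCOUNTS = {"dba_svc"}                          # the only account allowed to run SQL directly
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn '2011-09-20T08:55:12 k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_text, _, rest = line.partition(" ")
    record = {"ts": datetime.fromisoformat(ts_text)}
    record.update(KV.findall(rest))
    return record


def is_off_hours(ts):
    """True outside Monday to Friday, 07:00 to 19:00."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def review(record):
    """Return the list of control violations a single record exhibits (empty if none)."""
    reasons = []
    user = record.get("user", "")
    if user in GENERIC_IDS:
        reasons.append("generic/shared administrative ID in use")
    if is_off_hours(record["ts"]):
        reasons.append("access outside business hours")
    if record.get("event") == "edit_vendor_master" and user not in VENDOR_MASTER_EDITORS:
        reasons.append("vendor master edited by unauthorized user")
    if "db" in record and record.get("event") == "direct_sql" and user not in DBA_ACCOUNTS:
        reasons.append("direct database access bypassing the application")
    return reasons


def flag_events(log_text):
    """Parse every non-empty line and keep those with at least one finding."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = review(rec)
        if reasons:
            findings.append((rec["ts"].isoformat(), rec.get("user"), reasons))
    return findings


if __name__ == "__main__":
    for ts, user, reasons in flag_events(SAMPLE_LOG):
        print(ts, user, "; ".join(reasons))
```

Two of the sample lines illustrate why the checks belong together: the 02:15 vendor master edit by jsmith is both off-hours and a segregation-of-duties breach, while the direct_sql record shows a user touching the financial database without going through the application, which is exactly what slide 31's compartmentalization is meant to rule out. Shared administrative IDs defeat all of this because the log cannot say which person was behind the keyboard, which is the reason slide 30 insists on individual IDs.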