ISACA Kampala Chapter Annual Security Workshop
Godffrey Mwika, CPA(K), CIA, CISA, CISM
Risk Consulting Division
KPMG East Africa
SECURITY DECISIONS: THE CHALLENGES FOR TODAY AND TOMORROW
Godffrey Mwika, Risk Consulting, KPMG East Africa, 04/18/23
Information Insecurity
Real life cases of how businesses are losing cash without trace
Information insecurity
Failure to protect information assets from the following risks:
– Unauthorized access
– Unauthorized use
– Disclosure to unauthorized parties
– Disruption of the information
Information insecurity
Failure to protect information assets from the following risks:
– Modification
– Viewing, perusal, inspection
– Writing, recording or editing
– Deletion or other forms of destruction
Information insecurity
Generally, it is the failure to ensure that the 3 key components of information security are established and operational, i.e. CIA:
– Confidentiality (C)
– Integrity (I)
– Availability (A)
The order of importance is debatable.
Why information insecurity
Reasons why information will be insecure:
– Software weaknesses – when applications are made insecure at development
– When an organisation has not classified its information – restricted, confidential, protect, public, unclassified etc.
Why information insecurity
Reasons why information will be insecure:
– Lack of capacity – inadequate IT resources to assess and mitigate against security risks
– Poor or non-existent Risk Management Framework for information security risks, hence no mitigating factors
Why information insecurity
Reasons why information will be insecure:
– Governance issues – tone at the top on IS risks is wrong or missing
– Wrong attitude – ‘Snakes are not dangerous till they bite me’
– Underestimating the people risk factor
Why information insecurity
Reasons why information will be insecure:
– Poorly defined business processes – this includes issues like lack of separation of duties and conflicting roles (labour cost)
– Fraudulent intentions – where fraudulent managers and staff prefer insecure systems
Why information insecurity
Reasons why information will be insecure:
– Resistance to change – security comes with responsibility, roles definition, process designing/redesigning, and people may resist
– Ignorance and general lack of knowledge
Information Insecurity – Losses
When business information is insecure and the weaknesses are exploited, the result is either:
– Direct cash losses – direct benefits to the people exploiting the security gaps
– Indirect cash losses to an organisation as a result of the security gaps
Suppliers Master Data Insecurity
• Creation of non-prequalified suppliers and deletion after fraud payments have been made
• Amending supplier details for fraudulent payments
• Violation of separation of duties in systems
• Create, use and delete scheme
A company pays for poor quality work or no work at all.
POP and Goods Receipts Insecurity
• System holds on order matching are overridden to allow wrong or inadequate receipts to be delivered
• Exaggerated usage reports to reconcile ghost deliveries
• Un-reconciled production reports
• Accounting for cost of production based on actual usage only (end to end) and without stepwise business process WIP management
POP and Goods Receipts Insecurity
• Contract/order breakdown into small bits to skip certain levels of management approval
• Creation of orders for unwanted items in the mix of wanted ones
• Buying with a view to write off
• Generating GRN/SRN for non-existent technical and complicated services – when there is no control of services in the system – using heavy terminology to confuse accounts
Payments Insecurity
• Procure to payment manned by a single person (intentional or unknown) – cutting on labor costs and loss of cash
• IT has unlimited and uncontrolled access to the business process modules
• No relationship between POP, suppliers master and payment system
• Manual payments, to be captured in the system later
Payments Insecurity
• Down payments that are never recovered on final payment
• Access controls over the payment master
• Duplicate supplier payments undetected by the system
• Deliberate disputes created by suppliers to recover un-reconciled amounts in a company
• Approving many small immaterial payments and preparing a final single payment
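The supplier-master, POP and payments schemes on the preceding slides are the kind of pattern a CAAT can test for continuously. The block below is an added example, not material from the workshop or from KPMG: three Python tests run over constructed ERP extracts (every record layout, field name, threshold and sample row is an assumption made for the example) for the create-use-delete supplier scheme, duplicate supplier payments, and orders split so that each stays under an approval threshold.

```python
"""CAAT-style tests over constructed ERP extracts (added example, not from the talk).

Three patterns from the supplier-master, POP and payments slides:
  1. create-use-delete: a supplier record created, paid, then deleted within a short window
  2. duplicate payments: same supplier, same invoice reference, same amount paid more than once
  3. order splitting: several orders to one supplier by one requester, each below the
     approval threshold, whose total within a few days exceeds it
All record layouts, field names, thresholds and sample rows are assumptions constructed here.
"""
from collections import defaultdict
from datetime import date

# Constructed supplier-master audit trail: (supplier_id, action, user, date)
SUPPLIER_LOG = [
    ("S100", "CREATE", "jdoe", date(2023, 3, 1)),
    ("S100", "DELETE", "jdoe", date(2023, 3, 9)),
    ("S200", "CREATE", "abc", date(2022, 6, 1)),
]

# Constructed payments: (payment_id, supplier_id, invoice_ref, amount, date)
PAYMENTS = [
    ("P1", "S100", "INV-7", 48_000.0, date(2023, 3, 5)),
    ("P2", "S200", "INV-1", 1_200.0, date(2023, 3, 6)),
    ("P3", "S200", "INV-1", 1_200.0, date(2023, 3, 20)),
    ("P4", "S200", "INV-2", 900.0, date(2023, 3, 21)),
]

# Constructed purchase orders: (po_id, supplier_id, requester, amount, date)
ORDERS = [
    ("PO1", "S200", "kmw", 9_500.0, date(2023, 4, 3)),
    ("PO2", "S200", "kmw", 9_800.0, date(2023, 4, 4)),
    ("PO3", "S200", "kmw", 9_900.0, date(2023, 4, 5)),
    ("PO4", "S300", "kmw", 9_900.0, date(2023, 4, 5)),
]


def create_use_delete(supplier_log, payments, max_days=30):
    """Suppliers created and deleted within max_days that received a payment in between."""
    created, deleted = {}, {}
    for sid, action, _user, when in supplier_log:
        if action == "CREATE":
            created[sid] = when
        elif action == "DELETE":
            deleted[sid] = when
    hits = []
    for sid, d_del in deleted.items():
        d_cre = created.get(sid)
        if d_cre is None or (d_del - d_cre).days > max_days:
            continue
        paid = [p[0] for p in payments if p[1] == sid and d_cre <= p[4] <= d_del]
        if paid:
            hits.append((sid, paid))
    return hits


def duplicate_payments(payments):
    """Groups of payment ids sharing supplier, invoice reference and amount."""
    groups = defaultdict(list)
    for pid, sid, inv, amount, _when in payments:
        groups[(sid, inv, round(amount, 2))].append(pid)
    return [pids for pids in groups.values() if len(pids) > 1]


def split_orders(orders, threshold, window_days=7):
    """(supplier, requester) pairs whose sub-threshold orders within window_days sum above threshold."""
    by_pair = defaultdict(list)
    for po_id, sid, req, amount, when in orders:
        if amount < threshold:  # orders already above the threshold went through approval anyway
            by_pair[(sid, req)].append((when, po_id, amount))
    hits = []
    for key, rows in by_pair.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            window = [r for r in rows[i:] if (r[0] - start).days <= window_days]
            total = sum(r[2] for r in window)
            if len(window) > 1 and total >= threshold:
                hits.append((key, [r[1] for r in window], total))
                break  # one finding per pair is enough for the exception report
    return hits


if __name__ == "__main__":
    print("create-use-delete:", create_use_delete(SUPPLIER_LOG, PAYMENTS))
    print("duplicate payments:", duplicate_payments(PAYMENTS))
    print("split orders:", split_orders(ORDERS, threshold=10_000.0))
```

Each function returns an exception list rather than printing, so the same tests can feed a scheduled monitoring report; the approval threshold and time windows are parameters because they differ between organisations.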
Customers Master Insecurity
• Creating customers, trading on credit and deleting from the database
• Varying credit limits, trading and reversing
• Posting ‘erroneously’, trading and reversing the posting
• Endless unexplained postings into a customer's account
• Inter-account transfers that are ‘due to error’
Customers Master Insecurity
• Deleting invoices from a customer's account and describing it as an error
• Unapproved credit notes posted in customers' accounts without support
• Confused customers' accounts that take too long to reconcile while goods are shipped
• Customers switching between cash and credit terms temporarily
Sales Order Processing Insecurity
• Unprotected price master
• Big customer orders placed on the eve of a price increase to frustrate price increases and favor an individual
• Moving customers to price regimes they don't deserve
• Hedging orders floated in the system to await a favorable price
• Fraudulent and unnecessary promotions
Inventories Insecurity
• Product master changes to accept wrong goods which are later written off as obsolete goods
• Changes of product usage to cover stock losses
• Deletion of missing/misappropriated inventories from the database
• Malicious issues and receipts
• Weighbridge fraud – ‘cheating the system’
Government Systems Insecurity
• Unrecorded receipts
• Parallel systems to beat IT-based systems
• Ghost payments
• Deliberate system crashes
• Bureaucracy
• Resistance to ICT
• Most old government staff ignore IT
• Young government staff take advantage
Overtime and Payroll Insecurity
• Recording un-worked hours
• Varying the value of hours worked
• Paying twice for the same hours, even more than 24 hours a day
• Running parallel payroll systems for bank and for accounting, and then creating reconciling differences that are never resolved
• Editing salaries and wages after computation but before transmission to increase net pay
Taming Insecurity
• Align ICT to business needs – a MUST DO
• Define your data and classify it correctly; various information has different levels of insecurity
• Define all process level risks and implement controls for them
• Use CAATs for continuous auditing procedures
• Establish a Risk Management System that includes all business process owners
Taming Insecurity
• Have a clear ICT security policy
• Define security roles and separate duties between ICT & Business and between business process owners
• Develop and implement monitoring reports that can be reviewed by managers continuously
• Conduct proper investigations and punish violations mercilessly as a deterrent
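The closing slides call for separated duties between ICT and business and for monitoring reports that managers review continuously; the payments slide names procure-to-pay run by a single person and IT holding business-module access, and the payroll slide names more than 24 paid hours in a day and net pay edited after computation. The following is an added example, not material from the workshop or from KPMG, of the checks such a monitoring report could run: Python over constructed activity-log, role-assignment and payroll rows (the step names, role names, conflict pairs and sample rows are all assumptions made for the example).

```python
"""Monitoring-report checks over constructed ERP logs (added example, not from the talk).

  1. procure-to-pay by a single actor: one user performed most of supplier creation, purchase
     order, goods receipt and payment approval for the same transaction chain
  2. conflicting role assignments: a user holding both sides of a defined SoD conflict pair,
     including IT staff holding a business-module role
  3. payroll: more than 24 hours paid to one employee on one day, and net pay that differs
     between the computed run and the figure transmitted to the bank
Step names, role names, conflict pairs and sample rows are assumptions constructed here.
"""
from collections import defaultdict

# Constructed activity log: (user, step, chain_id); chain_id ties one P2P transaction together
P2P_LOG = [
    ("mike", "CREATE_SUPPLIER", "C1"),
    ("mike", "CREATE_PO", "C1"),
    ("mike", "POST_GRN", "C1"),
    ("mike", "APPROVE_PAYMENT", "C1"),
    ("anna", "CREATE_PO", "C2"),
    ("ben", "POST_GRN", "C2"),
    ("chloe", "APPROVE_PAYMENT", "C2"),
]
P2P_STEPS = {"CREATE_SUPPLIER", "CREATE_PO", "POST_GRN", "APPROVE_PAYMENT"}

# Constructed role assignments and the conflict pairs the business has defined
ROLES = {
    "mike": {"AP_CLERK", "SUPPLIER_MAINT"},
    "anna": {"BUYER"},
    "itadmin": {"SYSADMIN", "AP_CLERK"},
}
CONFLICTS = [
    ("SUPPLIER_MAINT", "AP_CLERK"),  # maintains the payee record and pays it
    ("BUYER", "GOODS_RECEIPT"),       # orders goods and confirms their receipt
    ("SYSADMIN", "AP_CLERK"),         # IT access inside a business process module
]

# Constructed payroll rows: paid hours per (employee, day), and net pay computed vs. transmitted
HOURS = [
    ("E1", "2023-04-10", 8),
    ("E1", "2023-04-10", 9),
    ("E1", "2023-04-10", 9),
    ("E2", "2023-04-10", 8),
]
NET_PAY = {"E1": (1_000.0, 1_000.0), "E2": (950.0, 1_450.0)}  # employee -> (computed, transmitted)


def single_actor_chains(log, min_steps=3):
    """(chain, user) pairs where one user performed min_steps or more distinct P2P steps."""
    steps = defaultdict(set)
    for user, step, chain in log:
        if step in P2P_STEPS:
            steps[(chain, user)].add(step)
    return sorted((chain, user) for (chain, user), s in steps.items() if len(s) >= min_steps)


def sod_conflicts(roles, conflicts):
    """(user, role_a, role_b) for every conflict pair fully held by one user."""
    return sorted(
        (user, a, b)
        for user, held in roles.items()
        for a, b in conflicts
        if a in held and b in held
    )


def over_24_hours(hours):
    """((employee, day), total) where more than 24 hours were paid for one day."""
    totals = defaultdict(int)
    for emp, day, h in hours:
        totals[(emp, day)] += h
    return sorted((key, total) for key, total in totals.items() if total > 24)


def pay_edited_after_computation(net_pay):
    """Employees whose transmitted net pay differs from the computed figure."""
    return sorted(emp for emp, (computed, sent) in net_pay.items() if abs(computed - sent) > 0.005)


if __name__ == "__main__":
    print("single-actor P2P chains:", single_actor_chains(P2P_LOG))
    print("SoD conflicts:", sod_conflicts(ROLES, CONFLICTS))
    print("over 24h/day:", over_24_hours(HOURS))
    print("net pay edited:", pay_edited_after_computation(NET_PAY))
```

The role-based check catches the standing exposure (who could do both halves), while the activity-log check catches it actually happening; a monitoring report needs both, because a user with clean role assignments can still end up performing every step through delegations or shared accounts.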