
ISACA Kampala Chapter Annual Security Workshop

Godffrey Mwika, CPA(K), CIA, CISA, CISM

Risk Consulting Division

KPMG East Africa

SECURITY DECISIONS: THE CHALLENGES FOR TODAY AND TOMORROW

1 Godffrey Mwika, Risk Consulting, KPMG East Africa 04/18/23

Information Insecurity

Real life cases of how businesses are losing cash without trace

Information insecurity

Failure to protect information assets from the following risks:

– Unauthorized access
– Unauthorized use
– Disclosure to unauthorized parties
– Disruption of the information

Information insecurity

Failure to protect information assets from the following risks:

– Modification
– Viewing, perusal, inspection
– Writing, recording or editing
– Deletion or other forms of destruction

Information insecurity

Generally, it is a failure to ensure that the three key components of information security are established and operational, i.e. CIA:

– Confidentiality (C)
– Integrity (I)
– Availability (A)

The order of importance is debatable.

Why information insecurity

Reasons why information will be insecure:

– Software weaknesses – when applications are made insecure at development
– When an organisation has not classified its information – restricted, confidential, protected, public, unclassified etc.

Why information insecurity

Reasons why information will be insecure:

– Lack of capacity – inadequate IT resources to assess and mitigate security risks
– Poor or non-existent risk management framework for information security risks, hence no mitigating factors

Why information insecurity

Reasons why information will be insecure:

– Governance issues – tone at the top on IS risks is wrong or missing
– Wrong attitude – ‘Snakes are not dangerous till they bite me’
– Underestimating the people risk factor

Why information insecurity

Reasons why information will be insecure:

– Poorly defined business processes – this includes issues like lack of separation of duties and conflicting roles (labour cost)
– Fraudulent intentions – where fraudulent managers and staff prefer insecure systems

Why information insecurity

Reasons why information will be insecure:

– Resistance to change – security comes with responsibility, role definition, process designing/redesigning, and people may resist
– Ignorance and general lack of knowledge

Information Insecurity – Losses

When business information is insecure and the weaknesses are exploited, the result is either:

– Direct cash losses – direct benefits to the people exploiting the security gaps
– Indirect cash losses to an organisation as a result of the security gaps

Suppliers Master Data Insecurity

• Creation of non-prequalified suppliers and deletion after fraudulent payments have been made
• Amending supplier details for fraudulent payments
• Violation of separation of duties in systems
• Create, use and delete scheme

A company pays for poor quality work or no work at all.

POP and Goods Receipts Insecurity

• System holds on order matching are overridden to allow wrong or inadequate receipts to be delivered
• Exaggerated usage reports to reconcile ghost deliveries
• Un-reconciled production reports
• Accounting for cost of production based on actual usage only (end to end) and without stepwise business process WIP management

POP and Goods Receipts Insecurity

• Contract/order breakdown into small bits to skip certain levels of management approval
• Creation of orders for unwanted items in the mix of wanted ones
• Buying with a view to write off
• Generating GRN/SRN for non-existent technical and complicated services – when there is no control of services in the system – using heavy terminology to confuse accounts

Payments Insecurity

• Procure to payment manned by a single person (intentional or unknown). Cutting on labour costs and loss of cash
• IT unlimited and uncontrolled access to the business process modules
• No relationship between POP, suppliers master and payment system
• Manual payments to capture in the system later

Payments Insecurity

• Down payments that are never recovered on final payment
• Access controls over the payment master
• Duplicate supplier payments undetected by the system
• Deliberate disputes created by suppliers to recover un-reconciled amounts in a company
• Approving many small immaterial payments and preparing a final single payment
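The procure-to-pay schemes on the supplier master, order processing and payments slides are all detectable from ordinary ERP extracts. The script below is an added example written for this page, not code from the presentation or from KPMG; it runs the kind of continuous-auditing checks the deck later calls CAATs over constructed sample data (supplier master change log, purchase orders, a payment run and a prequalified list, all invented here, with an assumed single-approver limit of 50,000) and reports create-use-delete suppliers, payees that were never prequalified, the same invoice paid twice, a payment approved by the user who created the supplier, and orders split under the approval threshold.

```python
from collections import defaultdict
from datetime import date

# Constructed sample extracts (not from the presentation), shaped the way a CAAT
# would pull them from an ERP: supplier master change log, purchase orders,
# a payment run, the prequalified-supplier list and an assumed approval limit.
MASTER_LOG = [
    # (date, user, action, supplier_id)
    (date(2023, 3, 1), "jdoe", "CREATE", "S100"),
    (date(2023, 3, 2), "asmith", "CREATE", "S200"),
    (date(2023, 3, 4), "jdoe", "CREATE", "S300"),
    (date(2023, 3, 9), "asmith", "DELETE", "S200"),  # gone a week after creation
]
PURCHASE_ORDERS = [
    # (date, requester, supplier_id, amount)
    (date(2023, 3, 4), "jdoe", "S300", 30000.00),
    (date(2023, 3, 5), "jdoe", "S300", 25000.00),  # two orders, each under the limit
    (date(2023, 3, 6), "mjones", "S100", 12500.00),
]
PAYMENTS = [
    # (date, supplier_id, amount, invoice_ref, approved_by)
    (date(2023, 3, 3), "S100", 12500.00, "INV-0041", "mjones"),
    (date(2023, 3, 5), "S200", 48000.00, "INV-7781", "asmith"),
    (date(2023, 3, 6), "S300", 9300.00, "INV-0102", "mjones"),
    (date(2023, 3, 20), "S100", 12500.00, "INV-0041", "mjones"),  # same invoice paid again
    (date(2023, 3, 21), "S999", 7000.00, "INV-5500", "mjones"),  # never prequalified
]
PREQUALIFIED = {"S100", "S300"}
APPROVAL_THRESHOLD = 50000.00  # assumed single-approver limit


def create_use_delete(master_log, payments, window_days=30):
    """Suppliers created, paid at least once, then deleted within window_days."""
    created, deleted = {}, {}
    for when, _user, action, sid in master_log:
        if action == "CREATE":
            created[sid] = when
        elif action == "DELETE":
            deleted[sid] = when
    flagged = []
    for sid, gone in deleted.items():
        born = created.get(sid)
        if born is None or (gone - born).days > window_days:
            continue
        if any(p[1] == sid and born <= p[0] <= gone for p in payments):
            flagged.append(sid)
    return sorted(flagged)

def non_prequalified_payees(payments, prequalified):
    """Supplier ids that received money without ever being prequalified."""
    return sorted({sid for _w, sid, _amt, _ref, _by in payments if sid not in prequalified})

def duplicate_payments(payments):
    """Same supplier, amount and invoice reference paid more than once."""
    seen = defaultdict(int)
    for _w, sid, amount, ref, _by in payments:
        seen[(sid, round(amount, 2), ref)] += 1
    return sorted(key for key, n in seen.items() if n > 1)

def sod_violations(master_log, payments):
    """Payments approved by the very user who created the supplier record."""
    creator = {sid: user for _w, user, action, sid in master_log if action == "CREATE"}
    return sorted({(sid, by) for _w, sid, _amt, _ref, by in payments if creator.get(sid) == by})

def split_orders(orders, threshold, window_days=7):
    """Orders from one requester to one supplier, each below the approval limit,
    that together exceed it inside window_days (splitting to dodge approval)."""
    groups = defaultdict(list)
    for when, who, sid, amount in orders:
        groups[(who, sid)].append((when, amount))
    flagged = []
    for (who, sid), items in groups.items():
        items.sort()
        if len(items) < 2 or any(amt >= threshold for _, amt in items):
            continue
        total = sum(amt for _, amt in items)
        if total >= threshold and (items[-1][0] - items[0][0]).days <= window_days:
            flagged.append((who, sid, round(total, 2)))
    return sorted(flagged)

def run_caat():
    """Run every check and return the exceptions report as a dict."""
    return {
        "create_use_delete": create_use_delete(MASTER_LOG, PAYMENTS),
        "non_prequalified_payees": non_prequalified_payees(PAYMENTS, PREQUALIFIED),
        "duplicate_payments": duplicate_payments(PAYMENTS),
        "sod_violations": sod_violations(MASTER_LOG, PAYMENTS),
        "split_orders": split_orders(PURCHASE_ORDERS, APPROVAL_THRESHOLD),
    }

if __name__ == "__main__":
    for check, hits in run_caat().items():
        print(f"{check}: {hits}")
```

Each check joins two extracts that the deck says are often unrelated in practice (supplier master, POP and the payment system); when those links do not exist in the ERP itself, a scheduled script like this one is the compensating monitoring report managers can review.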

Customers Master Insecurity

• Creating customers, trading on credit and deleting from the database
• Varying credit limits, trading and reversing
• Posting ‘erroneously’, trading and reversing the posting
• Endless unexplained postings into a customer's account
• Inter-account transfers that are ‘due to error’

Customers Master Insecurity

• Deleting invoices from customers' accounts and describing it as an error
• Unapproved credit notes posted in customers' accounts without support
• Confused customers' accounts that take too long to reconcile while goods are shipped
• Customers switching between cash and credit terms temporarily

Sales Order Processing Insecurity

• Unprotected price master
• Big customer orders placed on the eve of a price increase to frustrate price increases and favour an individual
• Moving customers to price regimes they don't deserve
• Hedging orders floated in the system to await a favourable price
• Fraudulent and unnecessary promotions

Inventories Insecurity

• Product master changes to accept wrong goods which are later written off as obsolete goods
• Changes of product usage to cover stock losses
• Deletion of missing/misappropriated inventories from the database
• Malicious issues and receipts
• Weighbridge fraud – ‘cheating the system’

Government Systems Insecurity

• Unrecorded receipts
• Parallel systems to beat IT-based systems
• Ghost payments
• Deliberate system crashes
• Bureaucracy
• Resistance to ICT
• Most old government staff ignore IT
• Young government staff take advantage

Overtime and Payroll Insecurity

• Recording un-worked hours
• Varying the value of hours worked
• Paying twice for the same hours, even more than 24 hours a day
• Running parallel payroll systems for the bank and for accounting, then creating reconciling differences that are never resolved
• Editing salaries and wages after computation but before transmission to increase net pay
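The payroll schemes above leave the same kind of trail: duplicate time entries, more hours than a day holds, and a bank file that no longer matches what payroll computed. The script below is an added example written for this page, not code from the presentation or from KPMG; it runs those three checks over constructed sample data (time entries, computed net pay and a bank transmission file, all invented here) and also lists employees who appear in only one of the two payroll-side files, which is how ghost payees and unresolved reconciling differences surface.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the presentation): one period's time
# entries, the payroll system's computed net pay and the bank transmission file.
TIME_ENTRIES = [
    # (employee_id, work_date, shift, hours)
    ("E001", date(2023, 4, 3), "DAY", 8.0),
    ("E001", date(2023, 4, 3), "DAY", 8.0),    # same shift keyed in twice
    ("E002", date(2023, 4, 3), "DAY", 12.0),
    ("E002", date(2023, 4, 3), "NIGHT", 12.0),
    ("E002", date(2023, 4, 3), "OT", 6.0),     # 30 hours claimed in one day
    ("E003", date(2023, 4, 4), "DAY", 8.0),
]
COMPUTED_NET = {"E001": 1520.00, "E002": 2850.00, "E003": 760.00}
BANK_FILE = {"E001": 1520.00, "E002": 3850.00, "E003": 760.00, "E777": 900.00}


def double_paid_shifts(entries):
    """The same employee, day and shift recorded more than once."""
    seen = defaultdict(int)
    for emp, day, shift, _hours in entries:
        seen[(emp, day, shift)] += 1
    return sorted(key for key, n in seen.items() if n > 1)


def impossible_days(entries, max_hours=24.0):
    """Employee-days where the hours claimed exceed the hours in a day."""
    totals = defaultdict(float)
    for emp, day, _shift, hours in entries:
        totals[(emp, day)] += hours
    return sorted((emp, day, total) for (emp, day), total in totals.items() if total > max_hours)


def reconcile_bank_file(computed, bank_file, tolerance=0.005):
    """Compare what payroll computed with what is about to be transmitted."""
    edited = sorted(
        (emp, computed[emp], bank_file[emp])
        for emp in computed
        if emp in bank_file and abs(computed[emp] - bank_file[emp]) > tolerance
    )
    return {
        "edited_after_computation": edited,
        "in_bank_file_not_in_payroll": sorted(set(bank_file) - set(computed)),
        "in_payroll_not_in_bank_file": sorted(set(computed) - set(bank_file)),
    }


if __name__ == "__main__":
    print("double paid:", double_paid_shifts(TIME_ENTRIES))
    print("over 24h:", impossible_days(TIME_ENTRIES))
    print("bank file:", reconcile_bank_file(COMPUTED_NET, BANK_FILE))
```

The bank-file comparison is the control for the last bullet: it has to run on the file actually handed to the bank, after any manual editing window, or the edit is never seen.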

Taming Insecurity

• Align ICT to business needs – A MUST DO
• Define your data and classify it correctly. Various information has different levels of insecurity
• Define all process level risks and implement controls for them
• Use CAATs for continuous auditing procedures
• Establish a risk management system that includes all business process owners

Taming Insecurity

• Have a clear ICT security policy
• Define security roles and separate duties between ICT & business and between business process owners
• Develop and implement monitoring reports that can be reviewed by managers continuously
• Conduct proper investigations and punish violations mercilessly as a deterrent

Questions?

Thank you very much ………..

Be Secure. Goodbye!