security planning susan lincke combatting fraud. security planning: an applied approach | 9/5/2015 |...

Security Planning

Susan Lincke

Combatting Fraud

Security Planning: An Applied Approach | 04/19/23 | 2

Objectives:

The student shall be able to:What are the key elements of fraud, and what techniques can be used to counteract these key elements?What are the three categories of fraud and what crimes do they include?Define skimming, larceny, embezzlement, lapping, shell company, payroll manipulation, ghost employees.What are the legal considerations of fraud?Who commits fraud, and who commits the most expensive fraud?What are some red flags of potential fraud?How does social engineering occur, and how can it be prevented?Define the four roles of segregation of duties.Describe the purpose of the 3 stages of a fraud investigation.


The Problem

Organizations lose 5% of revenue annually due to internal fraud Average scheme lasts 18 months, costs $140,00020% costs exceed $1MSmaller companies suffer greater average $ losses due to inadequate controls

ACFE 2012, 2014 “Report to the Nations on Occupational Fraud and Abuse”

Amount recovered following an Incident of fraud


Internal or Occupational FraudDefinition

Violates the employee’s fiduciary responsibility to employer

Is done secretly and is concealed

Is done to achieve a direct or indirect benefit

Costs the organization assets, revenue, or opportunity


Fraud CategoriesCategories % of

Cases, $ Average

Examples

Asset Misap-propriation

85%

$130,000

Theft of checks, cash, money orders, inventory, equipment, supplies, info

Bribery & Corruption

37%

$200,000

Bribe to accept contractor bid or Kickback, Collusion, Bid rigging.

Extortion: threat of harm if demand not met;

False Billing: Providing lower quality, overcharging

Conflict of interest in power decision

Corporate espionage: Sell secrets

Financial Statement

Fraud

9%

$1 million

($4 million in 2010)

Revenue Overstatement: False sales

Understating Expenses: Delayed or capitalization of expenses

Overstating Assets: No write down of uncollectable accounts, obsolete inventory, …

Understating Liabilities: Not recording owed amounts

Misapplication of Accounting Rules, etc.


Legal Considerations of Fraud

Intentionally false representation

Not an error

Lying or concealing actions

Pattern of unethical behavior

Personal material benefit

Organizational or victim loss


Key Elements of Fraud

Motivation: Need or perceived needOpportunity: Access to assets, information, computers, peopleRationalization: Justification for action

Oppor-tunity

Rational-ization

Moti-vation

3 KeyElements


How Fraud is Discovered

ACFE “2014 Report to the Nations on Occupational Fraud and Abuse”

Tips provided by employees 49%, customers 21.6%, anon.14.6%, vendors 9.6%.


Collusion

Collusion: Two or more employees or employee & vendor defraud together

2012 Global Fraud StudyAssoc. of Fraud Examiners


Who Does Fraud?

Most $$$ internal frauds committed by longer-tenured, older, and more educated staffExecutives commit most expensive fraud: $500K • Median manager fraud: $130K• Median line employee fraud: $75KMost hit: Banks/financial industries: 16.7%• Government/public administration: 10.3• Manufacturing: 10.1%

95% have no criminal convictions related to fraudTo steal a lot of money, you must have a position of power and access: • highly degreed > HS grad• older > younger people

2012, 2014 Global Fraud StudyAssoc. of Fraud Examiners


Discussion Points

What types of fraud could computer programmers or system administrators commit?For each type of fraud, what methods may help to prevent such fraud?


Example 1:Financial Statement Fraud

Executives, Wall Street have high expectations: employees needed to meet the standards. To meet these standards, it may

be necessary to play the game, and financial statement fraud may be accepted.

Methods of such fraud may include: manual adjustments to accounts or improper accounting procedures


Example 2: Corruption

The Director of a subsidiary always purchases goods from 2 large organizations, who provide rebates for large purchase quantities. The director negotiated contracts and pocketed the rebates to an off-shore bank account. Local vendors are upset that their bids

are ignored.


Example 3: Asset Misappropriation

A manager took money from one account, and when payment was due, paid via another account. When that was due, she paid

via a third account, etc. This lapping went on for years and was finally caught when a

sickness resulted in her being absent from work for an extended period.


Asset MisappropriationVocabularySkimming: Taking funds before they are recorded into company recordsCash Larceny: Taking funds (e.g., check) that company recorded as going to someone elseEmbezzlement: Abusing a business privilege for personal gainLapping: Theft is covered with another person’s check (and so on)Check Tampering: Forged or altered check for gainShell Company: Payments made to fake companyPayroll Manipulation: Ghost employees, falsified hours, understated leave/vacation timeFalse Shipping Orders or Missing/Defective Receiving Record: Inventory theft

Detecting & Preventing Fraud

How to Recognize FraudHow to Prevent Fraud

Info. Systems Applications


Fraud & Audit

Audits are not designed to detect fraudGoal: Determine whether the financial statement is free from material misstatements.Auditors test only a small fraction of transactionsAuditors must: •Be aware of the potential of fraud• Discuss how fraud could occur• Delve into suspicious observations and report them


Red FlagsSignificant change in lifestyle: New wealth

Addiction:

Gambling, drug addiction, infidelity

Criminal background

Chronic legal problems

Dishonest behavior in general

Beat the system: Break rules commonly

Dissatisfaction with job

Report to the Nations on Occupational Fraud and Abuse: 2014 Global Fraud Study. ACFE.


Work Habits of Fraudsters

One or more:Justifying poor work habitsDesperately trying to meet performance goalsOver-protective of certain documents (poor sharing or avoids documentation)Refusal to swap job dutiesConsistently at work in off-time (early or late) or never absent

Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons


Potential Transaction Red Flags

Unusual transactions:Unusual timing, too frequent or infrequentUnusual amount: too much or too littleUnusual participant: involves unknown or closely-related partyVoided checks or receipts, with no explanationInsufficient supervisionPattern of adjustments to accountsDifferent addresses for same vendor, or vendors with similar names


Fraud Control TypesTime ofFraud

Detective Controls:Finding fraud when it occurs includes:Anonymous hotline*->Surprise audits*->Monitoring activities->Complaint or fraud investigationMandatory vacations

After Fraud Before Fraud:***BEST***

Preventive Controls**:Preventing fraud includes:Segregation of DutiesEthical CultureInternal controls: Physical & data security Authorization (Passwords, etc)Signed DocumentsFraud educationEmployee Support ProgramsBackground checks

CorrectiveControls:Punishment->Amend controlsFidelity InsuranceEmployee Bonding


Techniques to Discourage Fraud

Oppor-tunity

Rational-ization

Motivation

KeyElementsSegregation of duties

Checks and balancesJob rotationPhysical security of assetsBackground checksMandatory vacationsExamination of required documentation

Trained in policies and proceduresPolicy enforcementSr. Mgmt models ethical behavior to customers, vendors, employees, share holders

Realistic job expectationsAdequate payTraining in job duties


Segregation of Duties

Origination Verification

Authorization Distribution

Double-checks

Approves

Acts on


Compensating ControlsWhen Segregation of Duties not possible, use:Audit TrailsTransaction Logs: Record of all transactions in a batchReconciliation: Ensure transaction batches are not modified during processingException reporting: Track rejected and/or exceptional (non-standard) transactionsSupervisory or Independent ReviewsSeparation of duties: authorization, distribution, verification


Software to Detect Fraud

Provide reports for customer credits, adjustment accounts, inventory spoilage or loss, fixed-asset write-offs.Detect unusual anomalies such as unusual amounts or patternsCompare vendor addresses and phone numbers with employee dataUse Range or Limit Validation to detect fraudulent transactionsLogged computer activity, login or password attempts, data access attempts, and geographical location data access.


Red flags software can detect

Out-of-sequence checksLarge number of voids or refunds made by employee or customerManually prepared checks from large companyPayments sent to nonstandard (unofficial) addressUnexplained changes in vendor activityVendors with similar names or addressesUnapproved vendor or new vendor with high activity


Encourage Security in IT Departments

Physical securitySegregation of dutiesEmployee monitoringSurprise auditsJob rotation Examination of Documentation

Quality Assurance

ProgrammerAnalyst

BusinessAnalyst


Business Application Checks

Checks locked up; access restrictedPhysical inventory of checks at least every quarterNew accounts payable vendors’ existence and address double-checked by management Returned checks sent to PO Box and evaluated by someone independent of Accts Payable


Question

What is the MOST effective means of preventing fraud?

1. Effective internal controls

2. Fraud training program

3. Fraud hotline

4. Punishment when fraud is discovered


Question

A woman in the accounting department set up a vendor file with her own initials, and was able to steal more than $4 M after 3 years. The auditor should have found that:

1. The vendor was a phony company2. Purchases from the vendor did not result in inventory

received3. The initials for the vendor matched an employee in the

accounting dept.4. Management did not authorize new vendors with a separate

phone call


Question

What is: Origination, Authorization, Distribution, Verification?1. Four stages of software release2. Recommended authority allocations for access control3. Stages for development of a Biometric Identity Management

System (BIMS)4. Categories for Segregation of Duties

External Fraud

Social EngineeringCheck & Receipt Fraud

A Fraud Investigation


Red Flags Rule

Red Flag Category

Example Red Flag Cases

Suspicious Documents

Identification or application looks forged or altered. Info is inconsistent btwn ID, what client says, and their records. Picture or signature differs.

Personal Identifying Information

Info matches other clients Info. looks suspicious: phone number is answering service; SSN is on Death Master File;

info. inconsistent with credit report. Incomplete application and client fails to submit additional info Client cannot provide authenticating info beyond name address phone

Account Activity

A major change in spending or payment habits. A change in address, followed by unusual requests: e.g., multiple credit cards. Initial use of credit card shows unusual activity: first payment only; purchase of products

easily converted to cash: electronics, jewelry. Inactive accounts become suddenly active. Mail is undeliverable but transactions continue.

Warnings from a Credit Agency

Changes to a credit report, inconsistent with client’s history. Indication of fraud, credit freeze or other abuse. Changes in recent credit transactions: increase in inquiries or new accounts.

Other Sources Tip indicates an account has been opened inappropriately or used fraudulently.Red Flags Rule


Social Engineering I

Email:The first 500 people to register at our Web site will win free tickets to …Please provide company email address and choose a password

You received a message from Facebook. Follow this link … log in.

Social engineering: Getting people to do something they would not ordinarily do for a strangerSocial engineering is nearly 100% effective


Social Engineering II

Telephone call from ‘IT’:Some company computers have been infected with a virus that the anti-virus software cannot fix. Let me walk you through the fix…We need to test a new utility to change your password…


Social Engineering III

Phone call 1:“I had a great experience at your store. Can you tell me manager’s name, address?”Phone call 2:“This is John from X. I got a call from Alice at your site wanting me to fax a sig-card. She left a fax number but I can’t read it can you tell me? What is the code?“You should be telling me the code…”“That’s ok, it can wait. I am leaving but Alice won’t get her information…”“The code is … “Phone call or fax 3:“I need … Code is …”


Social Engineering Techniques

Learns insider vocabulary and/or personnel namesPretends legit insider: “I am <VP, IT, other branch, other dept>. Can you …?”Pretends real transaction:Helping: I am in trouble <or> you need help due to …• <My,Your> computer is <virused, broke, busy, don’t have one>.

Can you <do, tell me> …?Deception: Hides real question among others. Establishes relationship: Uses friendliness to gain trust for future tasks


Combating Social Engineering

Verification ProcedureVerify requester is who they claim to beVerify the requester is currently employed in the position claimed.Verify role is authorized for requestRecord transaction

Organization securityData classification defines treatmentPolicies define guidelines for employee behaviorEmployees trained in roles, need-to-know, and policies


Fraud Scams

Get a receipt from the trash, ‘return’ a productCopy gift certificate and cash in at multiple locationsMarkdown sale prices reimbursed with receipt – copied and collected at multiple locationsFake UPC numbers to pay low prices then return at higher price. If receipt total is sufficient, scam may work.


Preventing Scams

Receipts must have security marks on them (e.g., two-colored ink on special paper, or better: thermochromatic ink)Line-item detail on receipts and sales records in company databaseGarbage bins which may receive receipts should be protected from access (e.g., bank garbage bins)Register gift certificates – unique numbersShredders should be used for any sensitive informationProtect against shoulder surfing or device attachment for card readers


Check Fraud ExamplesAltered Checks: Chemicals are used to erase the payee or amount, then re-printed OR check is appended to. •An Argentinian modified a ticket-overpayment refund check from Miami, changing a $2 check to $1.45 MillionCounterfeit Checks or Identity Assumption•Someone in your checkout line views your check, or does yard work for you•Fishes in a business’s in-mailbox or home’s out-mail for a check•Checks can be purchased on-line or mail orderTelemarketing Fraud: •“You’ve won a prize” or “Would you like to open a VISA?” “Now give me your account information.”Hot Check: “Insufficient Funds”90% of ‘insufficient funds’ checks are numbered between 101 and 200Account opening year may be printed on check


Be Careful Printing Checks!

Paychecks & Accounts Payable should not be printed on blank check paperLaser printer is non-impact (ink does not go into paper but sits on top)• Easy to remove printing• ‘Laser Lock’ or ‘Toner Lock’ seals laser printing

Matrix printer puts ink into the paper• Chemical ‘washing’ removes the print

Good Practices• Use larger printing: 12 font • Reverse toner in software: white on black• Control check stock and guard checks• Check your bank statements – you have 30 days


Check Security Features

Watermark: Subtle design viewable at 45-degree angle toward light. Cannot be photo-copiedVoid Pantograph: Background pattern of checks. When photo-copied, the background patter disappears or prints ‘VOID’ Chemical Voids: When check is treated with eradicator chemical, the word VOID appearsMicroprinting: When magnified, the signature or check border appears to be written words. The resolution is too fine for a photo-copier3-Dim. Reflective Holostripe: Metallic stripe contains at least one hologram, similar to credit card.Security ink: React to eradication chemicals, distorting checkThermochromic Ink: Ink reacts to heat and moisture by fading and reappearing


Processing Money Orders

Money order information provides info on a ready checking account

Non-negotiable incoming wire account prevents out-going checks

I would like to send you a money order. What is your account number?THANK YOU SO MUCH!!!


A Fraud InvestigationStep 1: Initial InquiryInvestigate what is happening:•What is happening from a financial and/or operational aspect? •Do security controls exist and are they always practiced? •Does the employee show any of the red flags of fraud?

Data mining analyzes financial transactions to find suspicious patterns or transactions•e.g., match employee and accounts payable contact information.

Initial Inquiry:Investigate processes,suspicious transactions

Develop & ConfirmHypothesis:

Determine methods& personnel involved

Collect Evidence:Prepare for trial;

Answer all questions


A Fraud Investigation (Cont’d)Step 2: Develop and confirm hypothesis

Analyze the evidence. Hypothesize on possible methods of fraud and who is involved.

The goal is to develop an accurate story of what happened. Develop:

•timeline of what happened when,

•pictures of evidence,

•a diagram showing evidence relationships: which evidence is associated with which people and other evidence

Step 3: Collect evidence. Collect evidence for trial.

Prove the three requirements of fraud: evidence of organizational loss, personal gain, and deception.

Establish answers to full set of questions:

•Who decided to make the unethical or illicit changes?

•Did affected personnel know the correct methods?

•How far up the management chain did this knowledge go, and could auditors have been complicit?


Computer forensic tools can •uncovering secret files•decoding encrypted files•investigating external media and deleted and retained email•E.g., find images of checks in computer or printer memory.Look at different versions of documents, transactions or emails:•Analyze emails from both sender and receiver side; is there a difference in emails purged?•Fraudsters change dates, amounts and/or names of transactions or checks; when are changes introduced?These tools may also be used during earlier stages of the investigation.

Forensic Tools for Fraud


Fraud on average takes 5% of all income but can bankrupt organizations.

3 Key Elements: Motivation, Opportunity, Rationalization

Internal Fraud = Employee Fraud•Asset misappropriation, corruption, financial statement fraud•Controls: Preventive, Detective, Corrective•Key: Segregation of Duties

External Fraud = Outsider Fraud

Red Flags Rule applies to any organization that provides credit•Specifies suspicious transactions to be wary of

Social engineering fraud: fraudster pretends to be an insider•Multiple calls build information

Other frauds: Receipt scams, checks, money orders, etc.

Summary

security planning susan lincke combatting fraud. security planning: an applied approach | 9/5/2015 |...

Documents

categories of fraud

fraud examiners

fraud investigation

expensive fraud

incident of fraud slide

fraud categories categories

applied approach

occupational fraud definition