
IT Fraud and the Finance Function

IT Fraud and the Finance Function. In collaboration with. Vancouver, Toronto, Calgary, Winnipeg, Halifax and Montreal November, 2005. SO-002. Defeat IT Fraud with Strategic Initiatives. Tony Dimnik Queen’s School of Business. Botticelli’s Chart of Hell circa 1480



Presentation Transcript


  1. IT Fraud and the Finance Function In collaboration with Vancouver, Toronto, Calgary, Winnipeg, Halifax and Montreal November, 2005 SO-002

  2. Defeat IT Fraud with Strategic Initiatives Tony Dimnik Queen’s School of Business

  3. Botticelli’s Chart of Hell circa 1480 (also painted Birth of Venus)

  4. [Chart: Dante’s Inferno, circa 1310 – the lower circles: Those who commit Violence, Those who commit Fraud, Traitors]

  5. Circle 8 – The Fraudulent: Those guilty of deliberate, knowing evil • Worse than murderers • Slightly better than traitors if external • No better than traitors if internal

  6. Gustave Doré 1867

  7. Agenda • Defeat IT Fraud with Strategic Initiatives • Definition and size-up of IT fraud • Start with Tone at the Top • Choice of cultures: fear or security • Establishing and evaluating culture with CoCo • Kidder Peabody example • Fighting Fraud Through Data Governance • People, Process and Technology

  8. IT Fraud Where a financial loss or malicious damage has been sustained by an organization, which has been facilitated by the use of IT in some way • Theft of financial resources from organization, suppliers or customers • Theft of time and other resources

  9. Extent of Fraud • 10% of organizations suffer serious IT fraud each year • North American IT fraud costs hundreds of billions of dollars each year • Damage to reputation due to IT fraud slices 8% to 13% off the market value of public companies • Every survey shows IT fraud at or near the top of CFOs’ concerns

  10. IT Fraud Issues • Legislation (e.g. COSO and SOX) – reporting requirements and personal liability • Litigation – black hole in terms of time and money • Publicity of high-profile frauds – damage to personal and corporate reputation • Increasing demands by the insurance industry – onerous standards • External and global sourcing – magnifies risk • Insurance industry – ChoicePoint – compromised tens of thousands of clients • Credit cards – CardSystems Solutions – exposed information from 40 million customers • Business schools – ApplyYourself – disgruntled Harvard applicant publicized the breach on the Internet

  11. Key to IT Fraud Initiatives: Tone at the Top (“Security Controls and Management Tone”, T. Kizinian and W. R. Leese, Internal Auditing, March/April 2004) • Standards and literature claim Tone at the Top is key to prevention of IT fraud • Study of IT audits showed that Tone at the Top is the most important criterion in assessing IT security • Tone at the Top is more important than: software, logical controls, physical controls • Auditors assessed tone by asking about management’s emphasis on and support for security policies and procedures and resource commitments

  12. Tone at the Top Options • Culture of fear • Culture of security

  13. Culture of Fear • Responses triggered by events • Adopts a “fortress” strategy • Compliance is sufficient • CIO or CTO responsibility • Punishment oriented – requires monitoring and systems that may impede legitimate business • Motivated by fear • Vendors and consultants • Media

  14. Problems with Culture of Fear • Fear is a short-term motivator • Responds to failures after the damage is done • Underestimates costs of failures and costs of prevention (e.g. time lost in dealing with security issues and systems) • Someone else’s problem • Lowers morale and creates “us vs. them” mindset

  15. Culture of Security • Motivated by desire for excellence • Holistic understanding of security • Aims to prevent fraud • Compliance is necessary but not sufficient for security • Organizational responsibility • Conscious strategy for Tone at the Top and culture

  16. Standards and Assessment Tools • COSO and SOX • Control Objectives for Information and Related Technology (COBIT) and Information Technology Control Guidelines (ITCG) • Need management and assessment tool specifically for Tone at the Top and Culture of Security

  17. Criteria of Control (CoCo) model of control: Purpose • Commitment • Capability • Action • Monitoring & Learning

  18. CoCo is a good management and assessment tool for Tone at the Top and Culture of Security.

  19. Applying CoCo to Create a Culture of Security • Purpose – Tone at the Top and Concrete, Comprehensive and Catholic Policy • Commitment – Democracy and Rewards • Capability – Training and Resources (Systems and Technology) • Monitoring & Learning – Doing the right thing and Doing it in the right way

  20. Purpose
  • Develop a policy on IT fraud
    • Concrete – written
    • Comprehensive – boundaries, procedures, vision (ethics)
    • Catholic – involves everyone in the organization (e.g. receptionists)
  • Set tone at the top
    • Follow policy – act as role model
    • Understand security issues and systems – communicate with CIO
    • Sell policy up, down and across the organization

  21. Commitment
  • Congruent rewards
    • Folly of rewarding A, while hoping for B
    • Fairness
  • Democratic principles – one of nine principles from the OECD Guidelines for the Security of Information Systems and Networks

  22. Capability
  • Regular training
    • Understanding of policy
    • Alertness and inoculation to potential problems
    • Specific responses (e.g. who to call if a supervisor is suspect)
    • Feedback
  • Current technology

  23. Monitoring and Learning
  • Are we doing the right thing?
  • Are we doing it in the right way?
  • Discuss successes and failures (don’t build a firewall against bad news)
  • Apply monitoring tools to ensure that senior management has the opportunity to focus on the big picture

  24. Kidder Peabody Fraud Case • Financial institution founded in 1824 and acquired by GE in 1986 • Hired Joseph Jett in 1991 to trade US government bonds • Jett’s conversion of STRIPS to bonds and vice versa showed as profit on the computer system even though there was no economic gain – like showing a profit on breaking a $20 bill • Kidder Peabody management and staff richly rewarded • Kidder Peabody announced a $350 million charge for false trading profits in 1994 • GE sold the company – more than 2,000 jobs lost • Principals received slaps on the wrist but were still struggling with legal issues 10 years later – Dante’s Purgatory

  25. CoCo and Kidder Peabody
  • Purpose – Management did not understand the business or the IT system; No clear fraud policy
  • Commitment – Hoping for A, rewarding B; Us vs. them mindset
  • Capability – No training; Poor technology and systems
  • Monitoring & Learning – No monitoring; Acceptance of status quo

  26. Summary • Defeat IT Fraud with Strategic Initiatives • Start with Tone at the Top • Create a Culture of Security • Use CoCo to manage and evaluate culture • Fighting Fraud Through Data Governance • People, Process and Technology

  27. References • OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security – http://www.oecd.org/dataoecd/16/22/15582260.pdf • The Carnegie Mellon Software Engineering Institute: Governing for Enterprise Security – http://www.sei.cmu.edu/pub/documents/05.reports/pdf/05tn023.pdf
