IT Fraud and the Finance Function
In collaboration with
Toronto, November 15, 2005
SO-002

Defeat IT Fraud with Strategic Initiatives
Tony Dimnik, Queen’s School of Business

Botticelli’s Chart of Hell, circa 1480 (Botticelli also painted Birth of Venus)
Dante’s Inferno, circa 1310: Those who commit Violence; Those who commit Fraud; Traitors

Circle 8 – The Fraudulent
Those guilty of deliberate, knowing evil
• Worse than murderers
• Slightly better than traitors if external
• No better than traitors if internal
Agenda
• Defeat IT Fraud with Strategic Initiatives
• Definition and size-up of IT fraud
• Start with Tone at the Top
• Choice of cultures: fear or security
• Establishing and evaluating culture with CoCo
• Kidder Peabody example
• Fighting Fraud Through Data Governance
• People, Process and Technology

IT Fraud
Where a financial loss or malicious damage has been sustained by an organization, and has been facilitated by the use of IT in some way
• Theft of financial resources from the organization, its suppliers or its customers
• Theft of time and other resources

Extent of Fraud
• 10% of organizations suffer serious IT fraud each year
• North American IT fraud costs hundreds of billions of dollars each year
• Damage to reputation due to IT fraud slices 8% to 13% off the market value of public companies
• Every survey shows IT fraud at or near the top of CFOs’ concerns

IT Fraud Issues
• Legislation (e.g. COSO and SOX) – reporting requirements and personal liability
• Litigation – a black hole in terms of time and money
• Publicity of high-profile frauds – damage to personal and corporate reputation
• Increasing demands by the insurance industry – onerous standards
• External and global sourcing – magnifies risk
• Insurance industry – ChoicePoint – compromised tens of thousands of clients
• Credit cards – CardSystems Solutions – exposed information from 40 million customers
• Business schools – ApplyYourself – a disgruntled Harvard applicant publicized the breach on the Internet
Key to IT Fraud Initiatives: Tone at the Top
Security Controls and Management Tone, T. Kizinian and W. R. Leese, Internal Auditing, March/April 2004
• Standards and literature claim Tone at the Top is key to prevention of IT fraud
• A study of IT audits showed that Tone at the Top is the most important criterion in assessing IT security
• Tone at the Top is more important than:
  • Software
  • Logical controls
  • Physical controls
• Auditors assessed tone by asking about management’s emphasis on and support for security policies and procedures, and about resource commitments

Tone at the Top Options
• Culture of fear
• Culture of security

Culture of Fear
• Responses triggered by events
• Adopts a “fortress” strategy
• Compliance is sufficient
• CIO or CTO responsibility
• Punishment oriented – requires monitoring and systems that may impede legitimate business
• Motivated by fear
  • Vendors and consultants
  • Media

Problems with Culture of Fear
• Fear is a short-term motivator
• Responds to failures after the damage is done
• Underestimates costs of failures and costs of prevention (e.g. time lost in dealing with security issues and systems)
• Someone else’s problem
• Lowers morale and creates an “us vs. them” mindset

Culture of Security
• Motivated by desire for excellence
• Holistic understanding of security
• Aims to prevent fraud
• Compliance is necessary but not sufficient for security
• Organizational responsibility
• Conscious strategy for Tone at the Top and culture

Standards and Assessment Tools
• COSO and SOX
• Control Objectives for Information and Related Technology (COBIT) and Information Technology Control Guidelines (ITCG)
• Need a management and assessment tool specifically for Tone at the Top and Culture of Security
Criteria of Control Model (CoCo)
[Diagram: the four CoCo components – Purpose, Commitment, Capability, Monitoring & Learning – arranged around Action]

CoCo is a good management and assessment tool for Tone at the Top and Culture of Security.

Applying CoCo to Create a Culture of Security
• Purpose – Tone at the Top and Concrete, Comprehensive and Catholic Policy
• Commitment – Democracy and Rewards
• Capability – Training and Resources (Systems and Technology)
• Monitoring & Learning – Doing the right thing and doing it in the right way

Purpose
• Develop a policy on IT fraud
  • Concrete – written
  • Comprehensive
    • Boundaries
    • Procedures
    • Vision (ethics)
  • Catholic – involves everyone in the organization (e.g. receptionists)
• Set tone at the top
  • Follow policy – act as a role model
  • Understand security issues and systems – communicate with the CIO
  • Sell policy up, down and across the organization

Commitment
• Congruent rewards
  • Folly of rewarding A, while hoping for B
• Fairness
• Democratic principles – one of nine principles from the OECD Guidelines for the Security of Information Systems and Networks

Capability
• Regular training
  • Understanding of policy
  • Alertness and inoculation to potential problems
  • Specific responses (e.g. who to call if the supervisor is the suspect)
• Feedback
• Current technology

Monitoring and Learning
• Are we doing the right thing?
• Are we doing it in the right way?
• Discuss successes and failures (don’t build a firewall against bad news)
• Apply monitoring tools to ensure that senior management has the opportunity to focus on the big picture
Kidder Peabody Fraud Case
• Financial institution founded in 1824 and acquired by GE in 1986
• Hired Joseph Jett in 1991 to trade US government bonds
• Jett’s conversion of STRIPS to bonds and vice versa showed as profit on the computer system even though there was no economic gain – like showing a profit on breaking a $20 bill
• Kidder Peabody management and staff richly rewarded
• Kidder Peabody announced a $350 million charge for false trading profits in 1994
• GE sold the company – more than 2,000 lost jobs
• Principals received slaps on the wrist but were still struggling with legal issues 10 years later – Dante’s Purgatory

CoCo and Kidder Peabody
• Purpose – Management did not understand the business or the IT system; no clear fraud policy
• Commitment – Hoping for A, rewarding B; us vs. them mindset
• Capability – No training; poor technology and systems
• Monitoring & Learning – No monitoring; acceptance of the status quo

Agenda
• Defeat IT Fraud with Strategic Initiatives
  • Start with Tone at the Top
  • Create a Culture of Security
  • Use CoCo to manage and evaluate culture
• Fighting Fraud Through Data Governance
• People, Process and Technology

Summary
• Tony Dimnik
  • Create a Culture of Security – start with Tone at the Top
  • Use CoCo as a management and assessment tool
• John Weigelt
  • Leverage compliance to enhance security
  • Build security with partnerships
• Andy Papadopoulos
  • Apply existing technologies
  • Implement new tools for monitoring IT security

References
• OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, http://www.oecd.org/dataoecd/16/22/15582260.pdf