Preventing vs. Responding to Computer Fraud
Many organizations understand that preventing computer fraud is an important technology initiative and have instituted programs to recognize and prevent fraudulent activity. However, when preventive measures fail and computer fraud does occur, very few organizations have a plan to address and respond to the fraud attempt.
The issue of preventing and responding to computer fraud is among the top ten technology initiatives, according to the AICPA's 2013 North America Top Technology Initiatives Survey, which ranks preventing and responding to computer fraud at number six out of ten for U.S. organizations and at number nine out of ten for Canadian organizations.
The Need for Fraud Risk Management
It's no secret that the growth of information technology has made fraud easier to perpetrate within organizations. The companies most vulnerable are those that do not know how to identify IT-related fraud, have no policies to prevent such fraud, and have no policies to prevent management override opportunities within financial-related systems.
If fraud does occur, these organizations may not have an appropriate plan in place to respond. Unfortunately, the “intangible” value associated with data can be significant. When data is stolen, its value is directly impacted and must be written down on the balance sheet – either when an event occurs or during the annual impairment analysis.
London-based Barclays Bank recently experienced computer fraud at the hands of a group of hackers. According to The Huffington Post, eight men were arrested in September and October for attempting to steal more than $2 million from the bank by taking control of one of its computer systems. They used a KVM (keyboard, video, mouse) device to commit cyber theft, employing spy tactics to gain access to employees' hardware and software. Barclays believes the device was installed by one of the men, who posed as an IT engineer to gain access to one of the bank's smaller branch offices.
So, how does Barclays address computer fraud issues as a whole? While the company could not discuss specifics of the recent fraud incidents for security reasons, it did provide some insight. According to Computer Weekly, Patrick Romain, head of information security at Barclays Bank, reluctantly shared the current efforts taken to mitigate the risk of subsequent fraud attacks:
“When we do a risk analysis on our Internet-facing applications, we think about issues such as application-to-application encryption. Part of that is if it's capable [of application-to-application encryption]. In some cases, where it isn't capable, there are decisions that need to be made about other mitigating controls that can be used, whether it's okay to permit the application to continue in the way it is, or if it's reasonable to rewrite the application.”
Although Barclays appears to be doing everything it can to address the issue, the bottom line is that computer fraud can be lucrative, and companies must have plans in place to monitor for it and detect it.
How Can You Manage Fraud Risk?
CPAs who are tasked with managing computer fraud risk should take into account the following considerations:
- Consider the fraud risks associated with information technology
- Design policies and internal controls to mitigate those risks
- Design and implement monitoring controls
- Establish policies to detect management override abuse
- Establish policies that govern the response when fraud is perpetrated
These considerations may also include daily flash reports and exception reporting that alert management to an error, anomaly or potential fraud. The key to an effective computer fraud monitoring control is twofold:
- A responsible party reviews the control in order to prevent the fraud, and
- An action plan is in place that allows for response, correction and remediation in the unlikely event that fraud occurs.
Need more help? The AICPA has created various tools and resources to assist organizations in addressing this year’s top technology initiatives. These tools, available to IMTA Division members, can be found in the 2013 U.S. Top Technology Initiatives Master Toolkit. Find even more IMTA benefits including the highly anticipated A CPA's Approach to Business Solution Implementations at aicpa.org/IMTA.
The free Top 5 Cybercrimes white paper, developed by the AICPA's Forensic & Valuation Services Section and IMTA Division, identifies and examines the cybercrimes that pose the greatest threats for CPAs. It also features expert remediation guidance, real-life examples, in-depth statistics and valuable resources that can help CPAs with their prevention, detection and recovery strategies.
Jocelyn M. Woodard, Manager IMTA, American Institute of CPAs. Jocelyn is a technology risk and assurance manager assisting AICPA committee and task force members with the planning and implementation of initiatives that will better aid CPAs in understanding and utilizing information management and technology assurance tools and concepts.