IT Fraud and the Finance Function - PowerPoint PPT Presentation
PowerPoint Slideshow about 'IT Fraud and the Finance Function' - Pat_Xavi

Presentation Transcript

IT Fraud and the Finance Function

In collaboration with

Vancouver, Toronto, Calgary, Winnipeg, Halifax and Montreal

November, 2005

SO-002


Defeat IT Fraud with Strategic Initiatives

Tony Dimnik

Queen’s School of Business

Botticelli’s Chart of Hell circa 1480

(also painted Birth of Venus)

Those who commit Violence

Those who commit Fraud

Traitors

Dante’s Inferno circa 1310

Circle 8 – The Fraudulent: Those guilty of deliberate, knowing evil
  • Worse than murderers
  • Slightly better than traitors if external
  • No better than traitors if internal
Agenda
  • Defeat IT Fraud with Strategic Initiatives
    • Definition and size-up of IT fraud
    • Start with Tone at the Top
    • Choice of cultures: fear or security
    • Establishing and evaluating culture with CoCo
    • Kidder Peabody example
  • Fighting Fraud Through Data Governance
  • People, Process and Technology
IT Fraud

A financial loss or malicious damage sustained by an organization that has been facilitated in some way by the use of IT

  • Theft of financial resources from organization, suppliers or customers
  • Theft of time and other resources
Extent of Fraud
  • 10% of organizations suffer serious IT fraud each year
  • North American IT fraud costs hundreds of billions of dollars each year
  • Damage to reputation due to IT fraud slices 8% to 13% off market value of public companies
  • Every survey shows IT fraud at or near the top of CFOs' concerns
IT Fraud Issues
  • Legislation (e.g. COSO and SOX) – reporting requirement and personal liability
  • Litigation – black hole in terms of time and money
  • Publicity of high profile frauds – damage to personal and corporate reputation
  • Increasing demands by insurance industry – onerous standards
  • External and global sourcing – magnifies risk
    • Insurance industry – ChoicePoint – compromised tens of thousands of clients
    • Credit cards – CardSystems Solutions – exposed information from 40 million customers
    • Business Schools – ApplyYourself – disgruntled Harvard applicant publicized breach on Internet
Key to IT Fraud Initiatives: Tone at the Top

Security Controls and Management Tone

T. Kizinian and W. R. Leese, Internal Auditing, March/April 2004

  • Standards and literature claim Tone at the Top is key to prevention of IT fraud
  • Study of IT audits showed that Tone at the Top is most important criterion in assessing IT security
  • Tone at the Top is more important than:
    • Software
    • Logical controls
    • Physical controls
  • Auditors assessed tone by asking about management’s emphasis on and support for security policies and procedures and resource commitments
Tone at the Top Options
  • Culture of fear
  • Culture of security
Culture of Fear
  • Responses triggered by events
  • Adopts a “fortress” strategy
  • Compliance is sufficient
  • CIO or CTO responsibility
  • Punishment oriented – requires monitoring and systems that may impede legitimate business
  • Motivated by fear
    • Vendors and consultants
    • Media
Problems with Culture of Fear
  • Fear is a short-term motivator
  • Responds to failures after the damage is done
  • Underestimates costs of failures and costs of prevention (e.g. time lost in dealing with security issues and systems)
  • Someone else’s problem
  • Lowers morale and creates “us vs. them” mindset
Culture of Security
  • Motivated by desire for excellence
  • Holistic understanding of security
  • Aims to prevent fraud
  • Compliance is necessary but not sufficient for security
  • Organizational responsibility
  • Conscious strategy for Tone at the Top and culture
Standards and Assessment Tools
  • COSO and SOX
  • Control Objectives for Information and Related Technology (COBIT) and Information Technology Control Guidelines (ITCG)
  • Need management and assessment tool specifically for Tone at the Top and Culture of Security
Criteria of Control Model of Control (CoCo)

[Figure: CoCo model diagram with the elements Purpose, Commitment, Capability, Action, and Monitoring & Learning]
Applying CoCo to Create a Culture of Security

[Figure: CoCo model diagram, each element labelled with the culture-of-security initiative listed below]

  • Purpose: Tone at the Top and Concrete, Comprehensive and Catholic Policy
  • Commitment: Democracy and Rewards
  • Monitoring & Learning: Doing the right thing and Doing it in the right way
  • Capability: Training and Resources (Systems and Technology)
Purpose
  • Develop a policy on IT fraud
    • Concrete - written
    • Comprehensive
      • Boundaries
      • Procedures
      • Vision (ethics)
    • Catholic - involves everyone in the organization (e.g. receptionists)
  • Set tone at the top
    • Follow policy – act as role model
    • Understand security issues and systems – communicate with CIO
    • Sell policy up, down and across organization
Commitment
  • Congruent rewards
    • Folly of rewarding A, while hoping for B
    • Fairness
  • Democratic principles – one of nine principles from OECD Guidelines for the Security of Information Systems and Networks

Capability
  • Regular training
    • Understanding of policy
    • Alertness and inoculation to potential problems
    • Specific responses (e.g. whom to call if the supervisor is the suspect)
    • Feedback
  • Current technology
Monitoring and Learning
  • Are we doing the right thing?
  • Are we doing it in the right way?
  • Discuss successes and failures (don’t build a firewall against bad news)
  • Apply monitoring tools to ensure that senior management has the opportunity to focus on the big picture
Kidder Peabody Fraud Case
  • Financial institution founded in 1824 and acquired by GE in 1986
  • Hired Joseph Jett in 1991 to trade US government bonds
  • Jett’s conversion of STRIPS to bonds and vice versa showed as profit on computer system even though there was no economic gain – like showing a profit on breaking a $20 bill
  • Kidder Peabody management and staff richly rewarded
  • Kidder Peabody announced a $350 million charge for false trading profits in 1994
  • GE sold company – more than 2,000 lost jobs
  • Principals received slaps on wrists but still struggling with legal issues 10 years later – Dante’s Purgatory
CoCo and Kidder Peabody

[Figure: CoCo model diagram annotated with the Kidder Peabody failures listed below]

  • Purpose: Management did not understand business or IT system; no clear fraud policy
  • Commitment: Hoping A, rewarding B; us vs. them mindset
  • Monitoring & Learning: No monitoring; acceptance of status quo
  • Capability: No training; poor technology and systems
Summary
  • Defeat IT Fraud with Strategic Initiatives
    • Start with Tone at the Top
    • Create a Culture of Security
    • Use CoCo to manage and evaluate culture
  • Fighting Fraud Through Data Governance
  • People, Process and Technology
References
  • OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. http://www.oecd.org/dataoecd/16/22/15582260.pdf
  • The Carnegie Mellon Software Engineering Institute: Governing for Enterprise Security. http://www.sei.cmu.edu/pub/documents/05.reports/pdf/05tn023.pdf