Lack of security advice may aid financial fraud

Manipulation of financial management software is a leading cause of fraud, says accounting firm KPMG. The fact that IT security professionals have hardly any input to how this software is designed or deployed may be one reason, the firm suggests.

Corporate frauds “ .... involving the manipulation of accounting systems continued to be the biggest single fraud threat to organisations” in the June 2010 KPMG Fraud Barometer.

The twice-yearly study, this edition of which covers January to June 2010, draws its inferences by monitoring fraud matters before the courts and found that accounting fraud is the leading cause of such actions.

The Barometer says that these frauds “... generally involve a staff member (employee or management) overriding or manipulating accounting procedures to divert payment of funds for their own benefit. In many cases these frauds went undetected for many years, suggesting fundamental weaknesses in internal controls.”

Gary Gill, Head of KPMG Forensic, told SearchSecurity ANZ that incorrect use of security features in accounting software are often to blame for these frauds.

“A lot of accounting systems give you the ability to do things like segregation of duties,” the practise of ensuring that transactions go through a workflow process that sees different people initiate, perform, approve and archive transactions. “The question is whether people are using them or not. When people override the systems and somebody who does not have access to a payroll or accounts payable master file is given access to that information, that can help them perpetrate a fraud.”

Gill believes “it makes sense” for IT security professionals to be involved in the implementation of accounting software, so that their specialised insights into access control can be applied. He fears, however, that security professionals are often overlooked as it is not felt they have anything to contribute to a discussion about finance.

“Are they are sufficiently involved? They may not be. People see it as an accounting control,” not a security matter, he told SearchSecurity ANZ.

Possible roles for security professionals could, he said, include advising on user rights when roles change.

“When someone changes jobs inside an organisation it is important to turn off their old access rights and make sure they only have their new levels of access. In practise what happens is they get both.”

“The other area we find is audit logs. Most decent software has a built-in audit log. We have done a number of investigations where those logs have been deleted.”

Read more on Security policy and user awareness