The numerous corporate and accounting scandals, the financial crisis, and similar events of the early 21st century have led to a wave of regulatory and investor-protection legislation intended to give individuals, investors, and the boards and management of organizations assurance about the financial and operational integrity of those companies.
Given the heightened awareness and requirements of the regulatory environment, many people hear the term ‘audit’ and immediately relate it to the ‘external audit’ teams of Certified Public Accountants tasked to review the accounting of organizations to assure the accuracy of the financial information.
An ‘internal audit’ can be critical to the successful operation and growth of any organization before the external audit team even begins to add their value. According to The Institute of Internal Auditors, “internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” …
Yet more evidence of the prevalence of financial fraud against organizations has emerged from a recent poll by Kyriba. The poll found that almost 80% of organizations had been victims of fraud. The very high proportion of victims is startling in itself, but it is consistent with information we have presented in previous posts that organizational fraud is a global problem, costing 5% of top line revenue annually.
Almost 30% of the respondents to the Kyriba poll reported suffering financial losses, but we think this is a conservative number in this context. Organizational fraud is a hidden crime that sometimes is difficult to detect, even long after the fact. When organizations do detect fraud, they may have incentives to minimize publicity about the crime, so underreporting is probable.
The poll includes some indications that the fraud was even more costly than reported. 5.6% of respondents reported that they had been targets of fraud but did not know if they had suffered losses, while almost 14% did not even know if they had been targets or not. In fact, a little less than 8% reported that they knew they had not been victims, and it’s a good bet that a few of these simply hadn’t found out yet. …
In general, compliance is conforming to particular expectations, standards, or behaviors, where risk is an exposure to potential loss or injury. When we think of compliance in the security arena, it often means that you are following prescribed standards, which could be regulatory, industry best practices, or standards that are otherwise customized or company specific.
While compliance and risk often follow the same path, a compliance audit or survey is often performed with a one-size-fits-all “compliance only” approach, as opposed to one that requires more complex reasoning.
Some may question the rationale of compliance if risk is not a constant consideration. Lack of experience, industry knowledge, or even simply lack of time can hinder the ability to take a more risk-based direction. After all, taking a compliance only approach simplifies the security audit process by allowing for uniform application, reduced subjectivity and error in assessment, and strong performance metrics capability.
The banking industry has undergone significant and historic change since the financial crisis of 2008. The Dodd-Frank Wall Street Reform and Consumer Protection Act created heightened expectations and new regulations for financial institutions.
This, in turn, has created the need for additional levels of oversight within the financial institution itself. However, it isn’t just financial institutions that are feeling the impact. Third party service providers of financial institutions, including armored carriers, are being impacted as well.
Historically, by outsourcing cash vault operations to cash-in-transit (CIT) companies, financial institutions were able to pass along many of their risks and cost burdens. Today, the Office of the Comptroller of the Currency (OCC) makes clear that banks are expected to practice effective risk management “whether the bank performs the activity internally or through a third party” and goes on to say that “A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner in compliance with applicable laws.”
Furthermore, the OCC has identified significant potential for gaps in risk mitigation and compliance, which has brought more focus on auditing procedures. …
Payroll fraud accounts for about 9.3% of occupational fraud at a cost of over $300 million per year across all types of organizations. One of the most common forms of payroll fraud is the use of “ghost employees” to divert money to fraudulent identities. Like all organizational frauds, this is a hidden crime that can best be prevented by controls designed to expose all payroll transactions.
The Ghost in the Payroll Machine
A “ghost employee” exists only as an identity in payroll records, although the ghost may be a real person who does not actually work for the company. The ghost employee scam is only successful if the perpetrator has unmonitored access to company systems, so it is typically an inside job. The scheme works if:
The ghost identity can be added to payroll records.
Payments to the ghost can be set up, either for false time and/or wages or for other types of payments, e.g., expense reimbursements.
Payments made to the ghost must be concealed, especially from existing controls.
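Each of the three conditions above leaves a trace that a reconciliation control can look for: a payee with no matching HR master record (or one whose HR status is not active), a payee who is paid with no recorded hours, and two employee IDs whose pay lands in the same direct-deposit account. The following is an added example of such a control, not code from the original post; the HR and payroll records, field names, and the name of the hypothetical `find_ghost_indicators` function are constructed for illustration.

```python
"""Payroll reconciliation checks aimed at ghost-employee schemes (added example).

Each check corresponds to one condition the scheme depends on:
  - no_hr_record / paid_while_<status>: an identity exists in payroll but not
    in the HR master file, or is still paid after termination
  - paid_with_zero_hours: pay was set up without any recorded work
  - shared_bank_account: more than one employee ID is paid into the same
    account, the usual way a perpetrator collects the ghost's pay
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    name: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class PayrollRecord:
    emp_id: str
    name: str
    bank_account: str
    gross_pay: float
    hours: float


# Constructed sample data (not real employees or accounts).
HR_MASTER = [
    HrRecord("E100", "Ada Lovelace", "active"),
    HrRecord("E101", "Alan Turing", "active"),
    HrRecord("E102", "Grace Hopper", "terminated"),
]

PAYROLL_RUN = [
    PayrollRecord("E100", "Ada Lovelace", "ACC-1111", 4200.00, 160),
    PayrollRecord("E101", "Alan Turing", "ACC-2222", 4100.00, 160),
    # Terminated in HR but still being paid.
    PayrollRecord("E102", "Grace Hopper", "ACC-3333", 3900.00, 160),
    # Not in HR, no hours, and paid into E101's account: a ghost.
    PayrollRecord("E999", "John Doe", "ACC-2222", 2500.00, 0),
]


def find_ghost_indicators(hr, payroll):
    """Return a sorted list of (emp_id, indicator) pairs for a payroll run."""
    hr_by_id = {r.emp_id: r for r in hr}

    # Map each bank account to the set of employee IDs paid into it.
    accounts = defaultdict(set)
    for p in payroll:
        accounts[p.bank_account].add(p.emp_id)

    findings = set()
    for p in payroll:
        h = hr_by_id.get(p.emp_id)
        if h is None:
            findings.add((p.emp_id, "no_hr_record"))
        elif h.status != "active":
            findings.add((p.emp_id, "paid_while_" + h.status))
        if p.gross_pay > 0 and p.hours <= 0:
            findings.add((p.emp_id, "paid_with_zero_hours"))
        if len(accounts[p.bank_account]) > 1:
            findings.add((p.emp_id, "shared_bank_account"))
    return sorted(findings)


if __name__ == "__main__":
    for emp_id, indicator in find_ghost_indicators(HR_MASTER, PAYROLL_RUN):
        print(f"{emp_id}: {indicator}")
```

Note that the shared-account check flags both parties, so the legitimate employee whose account receives the ghost's pay (E101 here) shows up alongside the ghost; that is deliberate, since the insider is usually one of the two. The zero-hours check assumes hourly staff; for salaried employees the equivalent control is a match against approved timesheets or manager attestations, and the HR master file itself must be maintained by someone other than the person who runs payroll, or the first check can be defeated by adding the ghost in both places.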