The importance of combating internal financial fraud, by breaking the cycle of motive, opportunity and rationalisation, is widely accepted by CFOs. But concerns are growing over the lack of progress in hardening corporate resilience against financial fraud perpetrated by outsiders. With cybercrime on the rise and capable of moving markets, customers and perceptions, is it time for finance directors to rethink internal controls and forge a much closer working relationship with the chief information officer (CIO)?
For decades, the greatest threat of fraud to a company came from within, with companies most at risk of suffering fraud from one of their own employees. The reason was simple. To commit fraud on a company you needed to have both the motivation and the opportunity and, more often than not, it was employees who would find themselves in this position.
Trust was not a control. In many cases it was the longstanding employee who was guilty: the individual who worked long hours, never took a holiday and knew the company inside out. He or she did not always set out to defraud the company, but a change in personal circumstances, such as debt, addiction or infidelity, often created a previously non-existent motivation which, when coupled with the opportunity, proved a temptation too big to resist. To reduce the risk of fraud from within, corporates spent considerable time and money building safeguards around their assets, often by preventing individuals with the motivation to defraud the company from entering the organisation in the first place. At the vanguard of this strategy were robust recruitment policies, incorporating detailed employee screening, background questionnaires, reference checking and psychometric testing, all designed to filter out high-risk individuals.
Companies have also been directing significant resources to create robust internal control environments. Typically overseen by finance directors and compliance officers, the internal control structures were built around the fundamental concepts of segregation of duties and reconciliations.
In the wake of numerous high profile frauds in the 1990s and 2000s, increased regulation, such as the Sarbanes-Oxley Act, forced companies to take their obligations to create sound internal control environments more seriously. Their efforts have been under close scrutiny from shareholders, audit committees and non-executive directors, with controls and procedures regularly reviewed and tested.
Now, however, those responsible for internal financial controls have been thrown a curveball. Cyber criminals have created scenarios that could render many of the existing internal controls, designed for a different era, redundant.
Cybercrime represents a new threat, typified by determined fraudsters who have the potential to take control of systems from the outside and bypass conventional fraud prevention measures, such as segregation of duties or sign-offs. To minimise such risks, companies must take steps to connect their internal and external financial fraud and security strategies, by bringing existing internal financial controls closer to system-led controls and analytics.
However, the threat from within has not diminished and organisations cannot be complacent. In reality, cyber threats have only added to the existing risk management workload. As a result, corporates have no option but to continue to manage and review existing internal control policies and procedures as robustly as before, while also addressing emerging cyber challenges. In effect, they are fighting a dual battle.
As with the rogue employee, the first line of defence against the cyber criminal is minimising the opportunity to get into corporate systems. The task of preventing unauthorised access often falls to the head of IT, CIO or, in some organisations, the chief information security officer (CISO). He or she is to the cyber criminal what human resources are to the rogue employee: their job is to try to stop the criminal getting into the company in the first place. However, in this day and age, even the best security measures sometimes fail.
Therefore, the finance director and his or her team need to work on the basis that, eventually, those with the right skills and motivation will succeed in accessing the company’s systems. As a result, every organisation should have systems in place to prevent fraud from happening, even if a hacker accesses the system. At the very least, corporates must put in place controls to identify a rogue transaction as it takes place. In particular, this should include the review of the company’s key transaction processes and the identification of those transactions that may be vulnerable to abuse from the outside.
Take for example the classic controls relating to stock and inventory. In theory, if a cyber-criminal took control of a company’s accounting system, within the system he could remotely set up a new supplier; create a purchase order ID; process a goods received note number; and authorise a payment. It would only be when a physical stock count took place that the missing stock would come to light. Whereas the company would typically have relied on segregation of duties in the purchasing process, in the cyber era, such controls may be meaningless. In response, companies must develop additional risk mitigation strategies. These are likely to include the implementation of transaction monitoring, or the use of data analytics to identify unusual patterns in the accounting system. This may include financial analytics on transactions that are processed through the ledgers or analysis of the actual ledgers, investigating elements such as the timing of postings, updates to master files and the originator of such activity.
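As an added illustration of the transaction monitoring described above (example code written for this article, not code from the author or from Stroz Friedberg), the script below runs a few constructed ledger and master-file audit records through three simple checks: one originator across the whole supplier-setup to payment chain, a payment approved shortly after the supplier was created, and postings outside an assumed working day. Event names, fields and the 07:00 to 19:00 window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 19)  # assumed working day, 24h clock; weekends treated as out of hours

# Constructed audit records: (timestamp, event, reference, originator, details).
# SUP-9001 is a supplier-to-payment chain driven end to end by one login at night.
EVENTS = [
    ("2024-03-04 02:12", "supplier_created", "SUP-9001", "jdoe", {}),
    ("2024-03-04 02:15", "purchase_order", "PO-55021", "jdoe", {"supplier": "SUP-9001"}),
    ("2024-03-04 02:20", "goods_received", "GRN-7732", "jdoe", {"po": "PO-55021"}),
    ("2024-03-04 02:31", "payment_approved", "PAY-3310", "jdoe", {"supplier": "SUP-9001"}),
    ("2024-03-05 10:05", "supplier_created", "SUP-9002", "asmith", {}),
    ("2024-03-12 11:40", "purchase_order", "PO-55040", "bjones", {"supplier": "SUP-9002"}),
    ("2024-03-14 09:15", "goods_received", "GRN-7750", "cwhite", {"po": "PO-55040"}),
    ("2024-03-20 14:00", "payment_approved", "PAY-3325", "dgreen", {"supplier": "SUP-9002"}),
]

def chains_by_supplier(events):
    """Link master-file changes and ledger postings into one chain per supplier."""
    po_supplier, chains = {}, defaultdict(list)
    for ts, kind, ref, who, d in events:
        if kind == "purchase_order":
            po_supplier[ref] = d["supplier"]
        sup = ref if kind == "supplier_created" else d.get("supplier") or po_supplier.get(d.get("po"))
        if sup:
            chains[sup].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), kind, who))
    return chains

def out_of_hours(t):
    return t.weekday() >= 5 or not BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]

def flag_suspicious(events, max_days=7):
    """Return {supplier: [reasons]} for chains that break the expected pattern."""
    findings = {}
    for sup, chain in chains_by_supplier(events).items():
        reasons = []
        when = {kind: t for t, kind, _ in chain}
        if len({who for _, _, who in chain}) < len(chain):
            reasons.append("segregation of duties: one originator on more than one step")
        if "supplier_created" in when and "payment_approved" in when:
            age = when["payment_approved"] - when["supplier_created"]
            if age <= timedelta(days=max_days):
                reasons.append(f"payment approved {age.days} day(s) after supplier was created")
        if any(out_of_hours(t) for t, _, _ in chain):
            reasons.append("posting outside business hours")
        if reasons:
            findings[sup] = reasons
    return findings
```

Running `flag_suspicious(EVENTS)` reports SUP-9001 on all three checks and nothing for SUP-9002, whose chain passes through four different people over two weeks in office hours.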
Internal controls and measures required to address emerging risks will require a switch from the traditional process-driven approach, to a more technology-led, analytical approach. As a result, finance directors will need to have a much closer working relationship with the CIO, CISO or IT team than in the past. This process must also ensure that the FD plays a key role in cyber threat planning and the response working group. Only through the active involvement in this process and the design and implementation of adequate analytics and controls, can organisations heighten their resilience to complex external and internal risks.
Richard Abbey is a managing director in the London office of Stroz Friedberg, an investigations, intelligence and risk management company, and oversees its global forensic accounting practice.