Define Segregation of Duties

A bank clerk extracts customers' personal and account information from a database and then sells that data. A production manager for a manufacturer improperly accesses the system to enter recurring service fees for a nonexistent vendor. Monthly disbursements are then made, with payments sent via electronic fund transfer to a bank account opened by the production manager.

Technology presents many opportunities for fraud to occur. Fortunately, technology also provides many opportunities to combat fraud. In a preventive role, technology enforces defined segregations of duties, a crucial fraud prevention concept; IT access restrictions need to align with the segregated work roles and responsibilities given to individuals. That alignment enables an organization to deploy application controls and other automated, preventive measures in the most effective manner.

User provisions provide the foundation for establishing and enforcing segregation of duties within an organization's IT systems. The user provision defines what IT elements an individual needs to access for completing assigned work responsibilities. The user provision incorporates the concept of least privilege, which restricts IT access rights to only those components required to fulfill defined, segregated duties.

IT directories maintain employee groupings and the levels of IT access granted to each individual. When someone logs on to a server, application or other element, access is granted or denied, based on the login, password, and the user provision information contained in the IT directories.

In conjunction with the IT directories, user provisions provide an automated means of ensuring that segregation of duties remains in place for all processes requiring IT access. Segregation of duties and corresponding IT access restrictions need to be applied to all financial, operational and IT tasks that present significant potential for fraudulent activity.

Application controls keep individuals from accessing all of the modules or functions needed to carry out a fraudulent transaction. Those controls keep a building material supplier's employee from authorizing, entering, and issuing a refund or credit for goods that were never returned. For all internal processes, application controls help organizations maintain segregations of duties to protect data.

Within a particular module, application controls block someone from viewing information not needed to complete an assigned duty. For an accounts receivable function, a work screen might only show truncated versions of customer credit card numbers.

Application controls also enforce boundaries that keep employees from exceeding granted levels of authority. An organizational policy may restrict an equipment leasing company's employees from writing off overdue accounts above a specified balance without supervisory permission. When someone attempts to exceed that balance, the application automatically rejects that data entry.

Even with the best preventive measures, individuals may still find a way to commit fraud. Detective measures are very important to deploy because IT controls cannot fully protect against collusion.

Various methods can be used to detect inappropriate or unexpected activity. Exception reports are often created to identify data anomalies or changes to protected data. Data analysis is also commonly used: data sets are compared against defined rules to identify transactions that are incongruent or inappropriate.
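The two halves of this approach, the preventive check on user provisions described earlier and the rule-based comparison of an audit trail described here, can share a single conflict matrix. The following example is added here and is not code from the original article; the duty names, the user provisions and the audit-trail extract are all constructed for illustration.

```python
from collections import defaultdict

# Constructed conflict matrix: pairs of duties that no single person may
# hold (preventive check) or perform on one transaction (detective check).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_refund", "authorize_refund"}),
    frozenset({"authorize_refund", "issue_refund"}),
}

def find_toxic_combinations(user_duties):
    """Preventive: {user: [conflicting duty pairs]} from provisioned duties."""
    findings = {}
    for user, duties in user_duties.items():
        granted = set(duties)
        hits = sorted(tuple(sorted(p)) for p in SOD_CONFLICTS if p <= granted)
        if hits:
            findings[user] = hits
    return findings

def find_sod_violations_in_log(events):
    """Detective: sorted (txn_id, user, pair) where one login did both halves."""
    actions = defaultdict(lambda: defaultdict(set))
    for ev in events:
        actions[ev["txn_id"]][ev["user"]].add(ev["action"])
    violations = []
    for txn_id, by_user in actions.items():
        for user, done in by_user.items():
            for pair in SOD_CONFLICTS:
                if pair <= done:
                    violations.append((txn_id, user, tuple(sorted(pair))))
    return sorted(violations)

# Constructed provisions: "pmanager" holds both halves of the vendor pair.
USER_DUTIES = {
    "pmanager": ["create_vendor", "approve_payment", "view_purchase_orders"],
    "arclerk": ["enter_refund", "view_customer"],
    "arsuper": ["authorize_refund"],
    "cashier": ["issue_refund"],
}

# Constructed audit-trail extract: R-1001 is split three ways; on R-1002
# the "arclerk" login both entered and authorized the same refund.
EVENTS = [
    {"txn_id": "R-1001", "user": "arclerk", "action": "enter_refund"},
    {"txn_id": "R-1001", "user": "arsuper", "action": "authorize_refund"},
    {"txn_id": "R-1001", "user": "cashier", "action": "issue_refund"},
    {"txn_id": "R-1002", "user": "arclerk", "action": "enter_refund"},
    {"txn_id": "R-1002", "user": "arclerk", "action": "authorize_refund"},
]
```

The preventive check flags the manager's provisioning before any payment is made, while the detective check catches the R-1002 refund even though the clerk's provision alone would not have permitted it, which is the gap that exception reports exist to close.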

Security Information and Event Management (SIEM) systems can be deployed to automatically send notifications of possible infractions. SIEM systems issue alerts whenever unusual transactions, security infractions or other suspicious activities occur. That SIEM oversight may cover a lone application or numerous programs, as well as databases, servers, and other IT components. An alert may occur when someone spends too much time viewing a read-only file containing customer account numbers, for instance, or when an individual attempts to save a crucial file to a USB drive.

Screenshot files capture what someone was viewing when such actions were executed, and audit trail features document each entry made by the individual in question. Some SIEM systems also immediately suspend user activity whenever suspicious actions unfold.

Such immediate detection eliminates the costly time lags and potentially inconsistent review practices associated with manually evaluating various IT logs to detect anomalies or exceptions.
