Companies fail to tackle internal IT fraud

Computer security is generally taken to mean protecting IT systems against hackers and viruses. However, systems are also vulnerable to employees using them to defraud the company.

By Neil Denslow. Published March 24, 2003

Computer security is generally taken to mean protecting IT systems against hackers and viruses. However, systems are also vulnerable to employees using them to defraud the company, by either changing payment details or recording false sales data, for instance.

“Computer fraud has always been happening, but the awareness has not been high. Essentially, what has been happening is that computer fraud is viewed as external fraud, primarily because that gets publicity. What people don’t really know is that you can have people in the organisation who could be perpetrating the same fraud,” says Ivan Rosario, senior manager, information security, PwC.

According to Ernst & Young, internal staff carry out 85% of fraud, with managers the main culprits as they have the most access to IT systems. Payment systems can be fraudulently used in a variety of ways. For instance, staff may be able to record sales they haven’t actually made, or change the details on a payment to re-route it into another account. With an insecure system, this can then be hidden by changing the details back again after the payment run.

“When the supplier rings up and says their cheque hasn’t arrived, the fraudster requests a copy [of the invoice], and they just put that through the normal system. We’ve seen that quite a lot,” says David Sherwin, Ernst & Young’s head of fraud investigation.

To try to prevent this kind of fraudulent activity, a company can implement a variety of systems that alert management to exceptional transactions, such as double invoicing. However, these types of systems are seen as offering little competitive advantage, so they are often overlooked.
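As an added illustration (not part of the original article and not any vendor's product), the sketch below shows the kind of exception report described above: it flags payments made while a supplier's bank account was temporarily swapped and then changed back, and invoices entered more than once. All record layouts, names and values are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. Audit trail: (changed_at, user, vendor, old_acct, new_acct)
CHANGES = [
    ("2003-03-10 09:02", "mgr_a", "V100", "ACC-111", "ACC-999"),
    ("2003-03-12 17:40", "mgr_a", "V100", "ACC-999", "ACC-111"),  # changed back
    ("2003-03-11 10:15", "clerk_b", "V200", "ACC-222", "ACC-333"),  # never reverted
]
# Payment run output: (paid_at, vendor, account_paid, amount)
PAYMENTS = [
    ("2003-03-11 23:00", "V100", "ACC-999", 18500.00),
    ("2003-03-11 23:00", "V200", "ACC-333", 4200.00),
]
# Invoice register: (invoice_no, vendor, amount, entered_on)
INVOICES = [
    ("INV-7001", "V100", 18500.00, "2003-03-01"),
    ("INV-7001", "V100", 18500.00, "2003-03-14"),  # "copy" put through again
    ("INV-8002", "V200", 4200.00, "2003-03-05"),
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def change_and_revert(changes, payments, window=timedelta(days=7)):
    """Payments sent to an account that was swapped in and then reverted."""
    by_vendor = defaultdict(list)
    for when, user, vendor, old, new in changes:
        by_vendor[vendor].append((_ts(when), user, old, new))
    hits = []
    for vendor, events in by_vendor.items():
        events.sort()
        for i, (t1, user, old, new) in enumerate(events):
            for t2, _user2, old2, new2 in events[i + 1:]:
                if (old2, new2) != (new, old) or t2 - t1 > window:
                    continue  # not a revert of this change, or too far apart
                for paid, p_vendor, account, amount in payments:
                    if p_vendor == vendor and account == new and t1 <= _ts(paid) <= t2:
                        hits.append((vendor, user, new, amount))
    return hits

def duplicate_invoices(invoices):
    """Same vendor, invoice number and amount entered more than once."""
    seen = defaultdict(list)
    for number, vendor, amount, entered in invoices:
        seen[(vendor, number, amount)].append(entered)
    return {key: dates for key, dates in seen.items() if len(dates) > 1}

if __name__ == "__main__":
    print(change_and_revert(CHANGES, PAYMENTS), duplicate_invoices(INVOICES))
```

The report only helps if the audit trail is written somewhere the people who can edit payment details cannot alter it, and if someone actually reviews the output.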

“Companies in the financial services sector are more willing to invest in the front office... on the IT side because they want to be faster than their competitors in giving prices and executing trades. What they are not very good at is putting in controls in the back office to control the front office because that’s seen as an overhead expense, and therefore not adding to the bottom line,” says Sherwin.

Even companies that do have systems to highlight exceptional transactions tend not to use them effectively. “What happens is that a lot of stuff is produced, but because it is done as a matter of routine, nobody ever bothers to look at it from an enquiry point of view, it’s just done as a procedure,” complains Sherwin.

If a fraud is uncovered, then the IT systems may contain the best evidence for establishing what happened and who did it. However, according to Ernst & Young, electronic evidence is not used in 95% of fraud investigations, mainly because of a lack of awareness and regulatory issues. “It’s not very widely used, it’s just used on an exception basis,” confirms Rosario.

However, electronic evidence is at times the only way to untangle a fraud. In one case investigated by Ernst & Young, for example, over a million deals at a currency desk in a bank needed to be examined in order to find fraudulent transactions. By using data mining tools, the IT fraud team were able to isolate 160 transactions and then pinpoint the fraud. “The number of transactions that are going through these systems is huge, and you can’t really look at it without using technology,” says Sherwin.

However, despite the usefulness of electronic evidence for investigating fraud, it cannot necessarily be used to secure a prosecution. “A lot of companies are keeping electronic records, but until recently those electronic records were not admissible in court,” notes Samer Qudah, legal consultant, Al Tamimi & Company.

This is beginning to change. For instance, Dubai and Jordan have already passed laws recognising electronic evidence, and Egypt and Saudi Arabia are working on draft laws. However, the majority of countries in the region have yet to reach this level.
