E-Business Suite 2 _ Mike Ward _ Fraud and its part in your downfall.pdf

  1. Fraud & its part in YOUR downfall. MIKE WARD, Managing Director. The most comprehensive Oracle applications & technology content under one roof
  2. If your job was at stake..... Can you state with certainty that users of your Oracle ERP system are locked out of the areas they should not be able to see?
  3. (image only, no slide text)
  4. Agenda • Q Software: Who are we? • What are the Problems? – Fraud & Compliance • Key Questions? • Summary & Questions
  5. The Oracle Security & Compliance People. 270+ Customers
  6. Agenda (section divider, same items as slide 4) • Q Software: Who are we? • What are the Problems? – Fraud & Compliance • Key Questions • Summary & Questions
  7. Fraud will never happen to You • 75% of fraud is due to ineffective internal controls, split between – Lack of controls 38% – Overriding controls 19% – Lack of management review 18% • 80% of businesses modify controls after Fraud. Source: Association of Certified Fraud Examiners
  8. It doesn't happen here....... (world map of per-country fraud statistics for the UK, USA, Canada, Germany, Australia, New Zealand and South Africa; the figures are not recoverable from the extracted text. Source: PwC 2009 crime survey)
  9. Security Creep • Ex-employees still have access • Changes to business processes • Organisational & process changes • Upgrades......... (chart: Risk against Time, with tasks accumulating)
  10. • VP in Finance Department • July – December 2010 • Stole $19m. “Defendant bought a Maserati, 6 Properties, and a $½m entertainment system” “Excessive Access Rights”
  11. Segregation of Duties (SoD). Jones & Jones Inc. A Manager: Sets up MB Inc. as a supplier → Accepts Purchase Invoices from MB Inc. → Approves Invoices → Processes for Payment → Transfers the funds → Runs off with £1m
  12. Deloitte – Auditor Survey • 3 Most Common Frauds – Misappropriation of Assets – 31% – Improper Expenditures – 22% – Procurement Fraud – 16% • 63% of companies say vulnerability has increased • 83% of UK companies had suffered fraud
  13. Agenda (section divider, same items as slide 4)
  14. Effective control of SOD: What is it? • “…no single individual should have control over two or more phases of a transaction or operation…” (University of Utah Department of Internal Audit, Identify the Duties) • “…no one individual employee can complete a significant business transaction in its entirety…” (UCSD Audit & Management Advisory Services)
  15. Effective control of SOD: What is it? Examples include ….. § Those responsible for physical receipt of goods should not be responsible for paying for the goods. § Those responsible for custody of goods should not be responsible for maintaining the records of the assets. § Those responsible for collection of receivables should not be responsible for entries in the book of accounts. Source: Sawyer’s Internal Auditing, 5th Edition, page 1198
  16. Effective control of SOD: EBS (diagram: Application Layer / Sources) • Monitoring Application Controls – e.g. Post Journal Approval – Journal • Lack of Audit All – Certain Forms without Audit Trail • Inability to audit WHAT • Data Growth • Unintuitive info – Vendor ID, Cust ID – Same with Log based solutions
  17. Effective control of SOD: EBS (diagram: Application Layer / Database Layer) • Sensitive Information – e.g. Employee Bank Info, NI # – Multiple Forms • Different Views of Same Info – SQL Forms – Request Groups – External Reporting Solutions – Hiding/Masking impacts Applications – Segregation Policies difficult to enforce
  18. Effective control of SOD: Principles 1. Least Privilege Rule 2. Access to fulfil a job function 3. Minimise Risks to Sensitive Functions 4. Segregate Roles in Critical Processes 5. Monitor known high risks 6. Use Tools
  19. Effective control of SOD: What to do? • But use the right tools! – Prevention – Detection – Approval Process – Mitigation Handling – False Positive Handling • And look for lower TCO – Embedded into EBS – No additional Hardware – Rapid Implementation – Quick Installation
  20. Effective control of SOD: Access Control Auditing Ø Full audit trail Ø Transaction Data Ø Enquire & Report
  21. Effective control of SOD: SoD Implementation Ø Real time SoD controls Ø Approvals Ø What if Analysis Ø Reporting
  22. Effective control of SOD: Implement Complex Security Ø Data Segregation Ø Data Masking Ø Dynamic Security Policies
  23. Agenda • Q Software: Who are we? • What are the Problems? – Fraud & Compliance • Case Studies • Summary & Questions
  24. Qsoftware Solution • Detective SoD • Preventive SoD • Blanket Function Lockout • Trend Information • Integrated • Rapid Implementation • Pre-Seeded Content
  25. Key audit questions: • Who is in violation of SoD rules? – & how? • What programs can a user access? – & with what authorities? • Who can access a particular program? – & with what authorities? • Who can access critical programs? – Such as Address Book Master Maintenance, Bank Payments and Credit Limits • Who can access Master Data? – Such as Automatic Accounting Instructions, Bank Account details, Chart of Accounts • What security settings does a particular user have?
  26. Solve Business Problems with Good Security • Audit Security – KNOW your status • Map Security to Business Processes • Build in SoD • Make Security more Manageable & Reduce Costs • Consider Outsourcing Security Management • Compliance Management & Reporting
  27. Segregation of Duty Issues (approach – issue) • Spreadsheets – No Integrity • Queries – No Accuracy • Manual Review – Time consuming • Responsibility level SoD – Omits key risks (needs to be at the Function level) • Periodic Reviews – Risk between reviews • External Solutions – High Cost
  28. Effective control of SOD: Reduce Costs • Tools reduce Cost of Correcting Errors…. – Prevent Unwanted Access – Approval Process – Mitigation Handling – False Positive Handling • Reduced Staff Time…… – Embedded into EBS – No additional Hardware – Rapid Implementation of Complex Security – No impact on Upgrades
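The Jones & Jones chain on slide 11, the "who is in violation, and how?" question on slide 25, and the slide 27 warning that responsibility-level SoD omits key risks can all be worked through with a small function-level SoD check. This is an added illustration, not code from the deck or from Q Software; the responsibility names, function names, users and rule pairs are constructed for the example.

```python
# Constructed sample data (not from the deck): the functions each EBS-style
# responsibility grants, and the responsibilities each user holds.
RESP_FUNCTIONS = {
    "AP Supplier Admin": {"Supplier Setup"},
    "AP Invoice Entry": {"Invoice Entry", "Invoice Approval"},
    "AP Payments": {"Payment Processing", "Funds Transfer"},
    "GL Inquiry": {"Journal Inquiry"},
}
USER_RESPS = {
    "jones": {"AP Supplier Admin", "AP Invoice Entry", "AP Payments"},
    "smith": {"AP Invoice Entry", "GL Inquiry"},
    "patel": {"AP Payments"},
}
# Function-level conflicts taken from the Jones & Jones chain on slide 11.
SOD_RULES = [
    ("Supplier Setup", "Invoice Approval"),
    ("Invoice Approval", "Payment Processing"),
    ("Supplier Setup", "Payment Processing"),
    ("Payment Processing", "Funds Transfer"),
]
# A responsibility-level rule set, as a spreadsheet review would hold it.
RESP_RULES = [("AP Supplier Admin", "AP Payments"), ("AP Invoice Entry", "AP Payments")]


def user_functions(user):
    """Map each function the user can reach to the responsibilities granting it."""
    granted = {}
    for resp in USER_RESPS.get(user, ()):
        for fn in RESP_FUNCTIONS.get(resp, ()):
            granted.setdefault(fn, set()).add(resp)
    return granted


def function_level_violations(user):
    """'Who is in violation of SoD rules, and how?' at function granularity."""
    granted = user_functions(user)
    return [(a, sorted(granted[a]), b, sorted(granted[b]))
            for a, b in SOD_RULES if a in granted and b in granted]


def responsibility_level_violations(user):
    """The coarser check: flags only users holding both named responsibilities."""
    resps = USER_RESPS.get(user, set())
    return [(a, b) for a, b in RESP_RULES if a in resps and b in resps]


def who_can_access(fn):
    """'Who can access a particular program?' with the granting responsibilities."""
    return {u: sorted(user_functions(u)[fn]) for u in USER_RESPS if fn in user_functions(u)}


def violators(check=function_level_violations):
    return sorted(u for u in USER_RESPS if check(u))
```

The responsibility-level check reports only jones; the function-level check also catches patel, whose single "AP Payments" responsibility bundles payment processing with funds transfer.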
  29. Segregation of Duties (SoD): the Jones & Jones Inc. chain from slide 11, repeated (build slide)
  30. Segregation of Duties (SoD): the Jones & Jones Inc. chain from slide 11, repeated (build slide)
  31. Questions?
  32. Have pity on the homeland.....