By Chong Ee, CISA, CGEIT
It’s ironic that the act of fraud involves some form of circumvention around existing borders yet, all too often, we operate in silos when responding to fraud.
At a fraud risk management summit in May, I spoke about the need to think beyond technology in revisiting system access from an anti-fraud perspective. The level of integration between HR and IT in access provisioning comes to mind. Or, consider the availability of avenues in an organization for reporting and handling employee issues.
In “Adopting an Integrated Framework in Managing Fraud Risks” in ISACA Journal’s volume 4 issue, I explore how multiple risk factors can interact to create a perfect storm for fraudulent behavior. In assessing fraud risks, what matters is not so much a singular focus on any one suspect, such as password (re)use; rather, IT auditors need to appreciate the interplay among the various components.
Manual transactional controls that are part and parcel of getting the job done can, in part, compensate for excessive system access. Conversely, an excessive reliance on system monitoring may be akin to looking for a needle in a haystack. In a global survey released by the Association of Certified Fraud Examiners (ACFE) in June, members reported that the most common means of fraud detection was through insider tips.
An integrated approach to assessing fraud risks would surface potential issues with pervasive impact and, in turn, drive a more integrated enterprise response, one that marshals resources across functions.
What do you think? I would appreciate your comments.