Filip Van Hallewijn, CISA, CISM, AMBCI
As organisations have become increasingly automated, their IT has become business critical. IT-related risk, if not properly managed, can keep an enterprise from achieving its business goals. The same automation also drives a continuous evolution in computer fraud.1
In computer fraud, the computer (hardware, software or data) is either the instrument used to commit the fraud or the target itself. Unfortunately, computer fraud and, more broadly, cybercrime have become business as usual.
The importance of mitigating fraud is stressed by the fact that according to the Report to the Nations on Occupational Fraud and Abuse the typical organisation loses about 5 percent of its annual revenue to fraud.2 Belgian newspapers revealed in 2012 that cybercrime in Belgium costs €1–3 billion annually, but it is still not a top concern of many.3
Other reports describe the typical fraudster as an internal employee, but the number of external frauds is rising rapidly, as the large volume of hacking-related material published recently shows.4 Hacking-related news reaches the headlines almost every week, and no organisation is immune: banks (e.g., payment card fraud), interim agencies (e.g., private data of prospective employees), schools (e.g., stolen exam questions) and hospitals (e.g., interference with scanners) have all been hit.
The fraud triangle5 describes the three factors that are present in every fraud situation: motivation, rationalization and opportunity.
Fraud occurs only when all three elements are present. Of the three, opportunity is the leg over which organisations have the most control. According to the Report to the Nations on Occupational Fraud and Abuse, occupational frauds6 are far more likely to be detected through tips (whistle-blowing) than by any other means. The report indicates that only 0.8 percent of occupational fraud cases were initially detected by IT controls.7 That figure argues for IT controls that remove the opportunity in the first place rather than ones that only detect the fraud after the fact.
To reduce computer crime, information security should focus on proactively safeguarding the confidentiality, integrity and availability (CIA) of the enterprise’s information systems. ISACA’s COBIT framework assists the information risk manager, among other things, in establishing an IT-related risk analysis and proposing a computer fraud mitigation response. COBIT also provides guidance, in the form of control design tests and control practices, for evaluating the effectiveness of the implemented computer fraud mitigation solutions.
To obtain a cost-balanced guideline for discovering, measuring and mitigating computer fraud schemes on the enterprise’s key information systems, a well-executed information risk management process is indispensable. Its main goal should be to strengthen security so that weaknesses in the enterprise’s core systems cannot be exploited by individuals with bad intentions. At a minimum, a risk management process helps the enterprise identify its key information systems and their current security weaknesses.
The following steps are necessary to implement a risk management process:
This first process step is ideally executed by information and communications technology (ICT) management in collaboration with the key business departments involved. The resulting interviews and/or workshops should be challenged by an independent person acting as the second line of defence.
Companies often have difficulty inventorying their IT asset landscape and the business-critical data that would be affected if computer fraud occurred. Moreover, business data are frequently stored in several databases and on servers physically located inside and/or outside the country (where other legislation and regulation apply). Because many copies of the data exist (for immediate and customised reporting), protecting all relevant business data is a real challenge. For example, if data are stored on servers in multiple jurisdictions, how sure is the enterprise that the data have actually been deleted when deletion is required?
Next, to ensure that everyone in the enterprise speaks a common language and applies the same risk appetite and tolerance, risk footprints (figure 1) must be developed. This exercise must be completed before the next process step. The risk appetite, defined by senior management, is the amount of risk the enterprise or other (business) entity is willing to accept in pursuit of its mission.
Risk is calculated by multiplying likelihood by impact. Likelihood is based on the number of times a risk event is expected to occur in a given period. The business impact (rating) can be expressed as financial (quantitative) and non-financial (qualitative) loss, such as reputational damage, personal harm and regulatory penalties. The financial impact ratings must be adapted when the enterprise changes (e.g., after a merger), since a loss that was major for the smaller entity may be minor for the merged one. As described previously, the security of information systems is expressed in terms of the data’s CIA. Companies can, therefore, opt for a more detailed business impact rating by scoring the impact on each of these three security areas separately.
A good computer fraudster, inside or outside the enterprise, first gathers information about the target from whatever sources are available; after all, the fraudster does not want to get caught. One should therefore promote out-of-the-box thinking when defining risk scenarios and try to imagine which scenarios could be used to circumvent internal controls. For example, a firewall cannot prevent someone from infecting a computer with malware introduced from a USB stick. People are often the weakest link in the overall risk mitigation process. An enterprise can be made as robust as possible, but if (internal) people’s behaviour conflicts with the internal code of conduct (e.g., social media use, USB sticks, phishing mails, password/badge sharing, installing personal programs on enterprise equipment), controls can be circumvented by those with bad intentions. Remote access, e.g., from home, also introduces potential weaknesses in the enterprise’s internal controls.
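The scoring described above (likelihood times impact, with confidentiality, integrity and availability rated separately and the result compared against the risk appetite and tolerance from the risk footprint) can be made concrete in a small risk register. The following Python is an added example, not code from the article or from COBIT; the ordinal scales, the appetite and tolerance thresholds, and the four scenarios are constructed for illustration. The annualised loss function at the end goes one step beyond the article's ordinal scale and shows the same product expressed in money (annual rate of occurrence times single loss expectancy), which is how the financial impact rating is usually quantified.

```python
"""Added example: ordinal risk scoring with separate C/I/A impact ratings,
checked against an assumed risk appetite and tolerance. Scales, thresholds
and scenarios are constructed for illustration, not taken from the article."""

from dataclasses import dataclass

# Ordinal likelihood scale: expected frequency of the risk event (constructed).
LIKELIHOOD = {
    "rare": 1,       # less than once in 10 years
    "unlikely": 2,   # once in 3-10 years
    "possible": 3,   # once in 1-3 years
    "likely": 4,     # about once a year
    "frequent": 5,   # several times a year
}

# Ordinal impact scale shared by the financial and the three CIA ratings (constructed).
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: str
    confidentiality: str
    integrity: str
    availability: str
    financial: str


def impact_score(s: Scenario) -> int:
    """Detailed business impact: rate C, I, A and financial loss separately and
    take the worst of them, so a pure confidentiality breach is not diluted by
    a 'negligible' availability rating when the ratings are combined."""
    return max(IMPACT[s.confidentiality], IMPACT[s.integrity],
               IMPACT[s.availability], IMPACT[s.financial])


def risk_score(s: Scenario) -> int:
    """Risk = likelihood x impact, giving a 1..25 score on these scales."""
    return LIKELIHOOD[s.likelihood] * impact_score(s)


def rate(score: int, appetite: int = 8, tolerance: int = 15) -> str:
    """Map a score onto the risk footprint. 'appetite' is the level management
    accepts without further action; 'tolerance' is the ceiling above which the
    risk must be treated immediately. Both thresholds are assumed values."""
    if score > tolerance:
        return "unacceptable"
    if score > appetite:
        return "treat"
    return "accept"


def prioritise(scenarios, appetite: int = 8, tolerance: int = 15):
    """Return (name, score, rating) tuples sorted from highest to lowest risk."""
    rows = [(s.name, risk_score(s), rate(risk_score(s), appetite, tolerance))
            for s in scenarios]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def annualised_loss(frequency_per_year: float, single_loss_eur: float) -> float:
    """Quantitative form of the same product: annualised loss expectancy (ALE)
    = annual rate of occurrence x single loss expectancy, in euro."""
    return frequency_per_year * single_loss_eur


# Constructed risk register for the demonstration (not from the article).
REGISTER = [
    Scenario("Malware via USB stick on a payroll workstation",
             "likely", "major", "major", "moderate", "moderate"),
    Scenario("Shared badge used to enter the server room",
             "possible", "moderate", "moderate", "minor", "minor"),
    Scenario("Customer data copy not deleted on foreign reporting server",
             "unlikely", "severe", "negligible", "negligible", "major"),
    Scenario("Phishing mail harvests a finance user's password",
             "frequent", "major", "severe", "minor", "major"),
]

if __name__ == "__main__":
    for name, score, rating in prioritise(REGISTER):
        print(f"{score:>2}  {rating:<12} {name}")
    # ALE for an event expected every two years costing EUR 200,000 each time.
    print(f"ALE: EUR {annualised_loss(0.5, 200_000):,.0f}")
```

Taking the maximum over the three CIA ratings is one defensible aggregation; an enterprise that wants availability to weigh more for its core systems can replace `max` with a weighted sum, but should then adjust the appetite and tolerance thresholds on its risk footprint accordingly so that the bands keep the same meaning.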
At this point, the business impact analysis (BIA) (figure 2) and risk and control assessment (RCA) (figure 3) can be executed.
The Three Lines of Defence model (i.e., the business [line 1], risk management [line 2] and audit [line 3]), combined with the COBIT framework, provides a solid foundation for an embedded IT risk management culture within the organisation.9
The Three Lines of Defence model is an approach to safeguarding the internal control framework. It is used to structure and demonstrate roles, responsibilities and accountabilities for decision making, risk and control in order to achieve effective governance, risk management and assurance. The model builds on a resilient compliance risk management framework comprising three key elements: risk identification and assessment, risk management, and risk monitoring. It can be enriched by adopting the COBIT framework.
Information risk managers should take the following factors into account and/or ensure that they are well embedded into the enterprise (a non-exhaustive list):
As always in security, there is no guarantee, but the proposed best practices will at least better prepare enterprises for computer crime. A properly applied information risk management process protects information systems according to the security level they require. This principle reduces the enterprise’s exposure to vulnerabilities and the number of (un)intentional incidents, and increases network stability and the degree to which business expectations are met.
1 This article represents a summary of the author’s thesis, submitted and publicly defended in October 2012 for the Master Class Forensic Auditing course led by Professor Michel J. De Samblanx at the Antwerp Management School (Belgium). The full reference list can be consulted in: Antwerp Management School, ‘Interne audit en forensische audit: Bijdragen aan een maatschappelijk debat’ (‘Internal audit and forensic audit: Contributions to a public debate’), Thesis 2012, p. 345, Filip Van Hallewijn, ‘Best Practice in Mitigating Computer Fraud’. The thesis aimed to present a best practice guideline for discovering, measuring and mitigating computer fraud.
2 Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse, 2012, p. 8, www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2012-report-to-nations.pdf
3 Het Laatste Nieuws, ‘Cybercriminaliteit kost België jaarlijks 1 tot 3 miljard euro’ (‘Cybercrime costs Belgium 1 to 3 billion euro a year’), 7 June 2012, www.hln.be/hln/nl/4125/Internet/article/detail/1450258/2012/06/07/Cybercriminaliteit-kost-Belgie-jaarlijks-1-tot-3-miljard-euro.dhtml
4 KPMG International Cooperative, Who Is the Typical Fraudster?, 2011, p. 1, www.kpmg.com/IS/is/utgefidefni/greinar-og-utgefid/Documents/Who_is_the_typical_fraudster.pdf
5 Lammers, Evert-Jan; ‘Interne fraude’ (‘Internal fraud’), Werkgroep Fraudemechanismen, 13 February 2012, p. 1-6 (fraud triangle)
6 Op cit., Association of Certified Fraud Examiners. Occupational fraud is the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organisation’s resources or assets.
7 Op cit., Association of Certified Fraud Examiners
8 Verizon, 2012 Data Breach Investigations Report, 2012, www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
9 Oyemade, Ronke; ‘Effective IT Governance Through the Three Lines of Defense, Risk IT and COBIT’, ISACA Journal, vol. 1, 2012, www.isaca.org/archives
Filip Van Hallewijn, CISA, CISM, AMBCI, is a senior consultant of ICT audit, risk and security at delITad NV (Cronos Group). Van Hallewijn assists customers in IT audits (general IT and application controls, IT fraud, security and business continuity planning/disaster recovery planning), regulatory and compliance services (Sarbanes-Oxley 404, SAS 70, ISO 27001, ISO 9001 and ISO 14001), IT risk advisory (data classification, business impact analysis, and risk and compliance assessment), and IT governance (COBIT, ITIL and COSO). He can be contacted at [email protected].
The ISACA Journal is published by ISACA.
© 2013 ISACA. All rights reserved.