JOnline: Dealing With Computer Fraud 


Best Practices in Internal and External Computer Fraud Mitigation


As organisations have become increasingly automated, their IT has become critical. IT-related risk, if not properly managed, can prevent an enterprise from achieving its business goals. This increased automation also drives a continuous evolution in computer fraud.1

In computer fraud, the computer (hardware, software or data) is either the instrument used to commit the fraud or the target of it. Unfortunately, computer fraud and, more broadly, cybercrime have become business as usual.

The importance of mitigating fraud is underlined by the finding of the Report to the Nations on Occupational Fraud and Abuse that the typical organisation loses about 5 percent of its annual revenue to fraud.2 Belgian newspapers revealed in 2012 that cybercrime in Belgium costs €1–3 billion annually, yet it is still not a top concern for many enterprises.3

Other reports profile the typical fraudster as an internal employee, but the number of external frauds is rising rapidly, judging by the volume of hacking-related material published recently.4 Hacking-related news reaches the headlines almost every week; no organisation is immune—from banks (e.g., payment card fraud) and temporary employment agencies (e.g., private data of job candidates) to schools (e.g., hacking exam questions) and hospitals (e.g., interfering with scanners).

Control the Opportunity

The fraud triangle5 describes the three factors that are present in every fraud situation: motivation, rationalisation and opportunity.

Fraud occurs only if all three elements are present. Of the three, opportunity is the leg over which organisations have the most control. According to the Report to the Nations on Occupational Fraud and Abuse, occupational frauds6 are far more likely to be detected through a tip (whistle-blowing) than by any other means; only 0.8 percent of the occupational fraud cases were initially detected by IT controls.7 The practical consequence is that IT controls earn their keep by narrowing the opportunity rather than by catching the fraud afterwards, so they should be designed first as preventive controls and second as a reliable source of evidence once a tip arrives.

Safeguard the Enterprise Information Systems

To reduce computer crime, information security should focus on proactively safeguarding the confidentiality, integrity and availability (CIA) of the enterprise’s information systems. ISACA’s COBIT framework assists the information risk manager, among other things, in carrying out a sound IT-related risk analysis and proposing a computer fraud mitigation response. COBIT also provides the necessary guidance, in the form of control design tests and control practices, to evaluate the effectiveness of the implemented computer fraud mitigation solutions.

Implement the Information Risk Management Process

To obtain a cost-balanced guideline for discovering, measuring and mitigating computer fraud schemes against the enterprise’s key information systems, a sound information risk management process is indispensable. The main goal of this process should be to strengthen security so that weaknesses in the enterprise’s core systems cannot be exploited by individuals with malicious intent. At a minimum, a risk management process helps the enterprise identify its key information systems and the security weaknesses currently affecting them.

The following steps are necessary to implement a risk management process:

  1. Understand the enterprise—Prior to developing and implementing any kind of computer fraud or information risk mitigation plan, one must understand the business. It is essential to define the business activities that are vital for the enterprise. Basic questions that need to be answered are:
    • What are the objectives of the enterprise?
    • How will those objectives be realised?
    • What kinds of products and/or services are offered by the enterprise?
    • Who is involved in the realisation of these objectives (internal as well as external participants)?

    This first process step is ideally executed by the information and communications technology (ICT) management in collaboration with the involved key business departments. The interviews and/or workshops should be challenged by an independent person as the second line of defence.

    Companies often find it difficult to inventory their IT asset landscape and the related business-critical data that could be affected by computer fraud. On top of that, business data are frequently stored in several databases and on servers physically located inside and/or outside the country (where other legislation and regulation apply). Because many copies of the data exist (for immediate and customised reporting purposes), protecting all relevant business data is quite a challenge. For example, if data are stored on servers in multiple jurisdictions, how sure is the enterprise that the data have actually been deleted when deletion is required?

    Subsequently, to ensure that everyone in the enterprise speaks a common language and applies the same risk appetite and tolerance, risk footprints (figure 1) must be developed. This exercise must be completed before the next process step. The risk appetite defined by senior management is the amount of risk the enterprise or other (business) entity is willing to accept in pursuit of its mission.

    Figure 1

    Risk is calculated by multiplying likelihood by impact. Likelihood is based on the expected frequency of the risk event. The business impact (rating) can be expressed as financial (quantitative) and nonfinancial (qualitative) loss such as reputational damage, personal harm and regulatory penalties. The financial impact ratings must be revised when circumstances change (e.g., after a merger). As described earlier, the security of an information system is expressed in terms of the CIA of its data; companies can, therefore, opt for a more detailed business impact rating by rating the impact separately for each of these three security properties.

    In the next phase, the IT fraud risk scenarios are determined. IT fraud can appear under any category of the occupational fraud and abuse classification:
    • Fraudulent statements, e.g., override of user access management, leading to fraudulent adjustment of confidential data in reports
    • Asset misappropriation, e.g., theft of physical assets
    • Corruption, e.g., abuse of confidential customer or personnel data

    IT risk scenario analysis is a technique for making IT risk more concrete and tangible so that it can be properly analysed and assessed. It is a core approach for bringing realism, insight, organisational engagement, improved analysis and structure to the complex matter of IT risk. To define the computer fraud risk scenarios, the aforementioned report advises that the following questions be asked during the fraud risk assessment:
    • How can a fraudster exploit weak elements in the internal (IT) control system?
    • How can a fraudster circumvent (IT) controls? Is management override feasible?
    • How can a fraudster hide the computer fraud?

    Figure 2

    A good computer fraudster, inside or outside the enterprise, gathers information about the target from many sources; after all, the fraudster wants to avoid getting caught. One should therefore promote out-of-the-box thinking while defining the risk scenarios and try to imagine which scenarios could be used to circumvent internal controls. For example, a firewall cannot stop a malicious person from infecting computers with malware delivered on a USB stick. People are often the weakest link in the overall risk mitigation process. An enterprise can be made as robust as possible, but if the behaviour of (internal) people conflicts with the enterprise’s code of conduct (e.g., social media use, USB sticks, phishing mails, password/badge sharing, installing personal software on enterprise equipment), controls can be circumvented by those with bad intentions. Remote access, e.g., from home, also introduces potential weaknesses in the enterprise’s internal controls.

    At this point, the business impact analysis (BIA) (figure 2) and risk and control assessment (RCA) (figure 3) can be executed.

    Figure 3

  2. Determine the risk response and strategy—Determining the risk response and strategy is an important element of risk management. It builds on the risk assessment and control analysis of the previous phase, with the purpose of choosing appropriate continuity strategies that meet the business impact targets and the application’s CIA rating. The strategy should sustain the objectives, obligations and legal duties of the enterprise in a cost-balanced fashion. For each process step for which a risk and control assessment was carried out, a separate, conscious management decision (strategy) must be taken:
    • Mitigate—Reduce the risk by implementing or improving appropriate countermeasures (people, technology and policy), such as the user access management process, segregation of duties, virus scanning or the (data) backup process
    • Accept—Accept the risk; consequently, no additional mitigation solutions are implemented
    • Transfer—Transfer certain (financial) risk by taking out (additional) insurance
    • Change, suspend or terminate—Adapt or terminate the systems or processes that carry the risk
  3. Develop and implement the response—If mitigation has been chosen in the previous process phase, the implementation of COBIT processes is an option. The business objective must be taken into account when selecting the appropriate COBIT processes (figure 4). The objective may be reducing the business impact and/or (IT) risk likelihood (figure 5).

    Figure 4
    Figure 5


    The 2012 Data Breach Investigations Report revealed that most external attacks continue to circumvent authentication by using stolen or easily guessed credentials.8 When selecting countermeasures, mitigating this type of issue should be a quick-win priority: a sound password policy, account lockout and, above all, monitoring of failed and unusual logins, because a credential-based intrusion leaves its trace in the authentication logs rather than in the network perimeter.
  4. Exercise, maintain and review the response—To guarantee the appropriateness, effectiveness and efficiency of the implemented COBIT risk mitigation processes, it is critical to test and maintain them regularly. Testing ensures that IT-risk-related gaps are identified and all stakeholders are aware of the plans, their responsibility in the areas of business continuity and IT security, and their specific role when the plan is implemented. The implemented mitigation processes should be tested at least annually, or more frequently in cases of:
    • Changes of personnel
    • Changes in enterprise strategy
    • Changes in enterprise location, facilities and means
    • Changes in laws and regulations
    • Changes in external employees, providers and critical partners
    • New processes or termination of existing ones
    • New risk factors, both operational and financial

    A test can be performed on two different levels:
    • Test of design (ToD)—Determines if the control is capable, if properly executed, of preventing or detecting an error and/or misstatement
    • Test of operating effectiveness (ToE)—Determines if the control is functioning as designed. The test determines the extent to which the controls were performed, the consistency of their performance and who performed them.

    Only the ToE demonstrates whether a control actually functions as designed. There may be a discrepancy between what the auditee believes or states and how the control works in practice. For example, a (security) procedure/policy may be well written and in place (ToD result is acceptable), but unknown to, or wrongly interpreted and applied by, the users involved (ToE result is not acceptable).
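    The DBIR finding cited under step 3, that most external attacks simply use stolen or easily guessed credentials, is easiest to act on if failed logins are actually watched. The following Python script is an added example and is not code from the article or from any of the frameworks it cites. It scans constructed, syslog-style sshd lines (the addresses, user names and timestamps are invented) for three patterns: repeated failures against one account from one source (brute force), failures spread across many accounts from one source (password spraying), and a success from a source that was failing moments before, which is the signature of a guessed or stolen password actually working. The thresholds and the ten-minute window are assumptions to be tuned per environment.

```python
"""Detect credential-guessing patterns in authentication logs.

Added example (not from the original article). Assumed input format:
syslog-like OpenSSH lines with an ISO 8601 timestamp. Thresholds are
assumptions to tune per environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). 203.0.113.5 guesses alice's
# password until it works, 198.51.100.7 sprays one guess across many
# accounts, and 192.0.2.10 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2012-06-07T08:00:01 sshd[101]: Failed password for alice from 203.0.113.5 port 51000
2012-06-07T08:00:03 sshd[102]: Failed password for alice from 203.0.113.5 port 51001
2012-06-07T08:00:05 sshd[103]: Failed password for alice from 203.0.113.5 port 51002
2012-06-07T08:00:07 sshd[104]: Failed password for alice from 203.0.113.5 port 51003
2012-06-07T08:00:09 sshd[105]: Failed password for alice from 203.0.113.5 port 51004
2012-06-07T08:00:11 sshd[106]: Accepted password for alice from 203.0.113.5 port 51005
2012-06-07T08:01:00 sshd[107]: Failed password for bob from 198.51.100.7 port 40000
2012-06-07T08:01:02 sshd[108]: Failed password for carol from 198.51.100.7 port 40001
2012-06-07T08:01:04 sshd[109]: Failed password for invalid user dave from 198.51.100.7 port 40002
2012-06-07T08:01:06 sshd[110]: Failed password for erin from 198.51.100.7 port 40003
2012-06-07T08:01:08 sshd[111]: Failed password for frank from 198.51.100.7 port 40004
2012-06-07T08:02:00 sshd[112]: Failed password for bob from 192.0.2.10 port 52000
2012-06-07T08:02:04 sshd[113]: Accepted password for bob from 192.0.2.10 port 52001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse(text):
    """Return parsed auth events sorted by timestamp; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ok": m["result"] == "Accepted",
                "user": m["user"],
                "src": m["src"],
            })
    return sorted(events, key=lambda e: e["ts"])


def _prune(dq, now, window):
    """Drop failures that fell out of the sliding window."""
    while dq and now - dq[0][0] > window:
        dq.popleft()


def detect(text, fail_threshold=5, spray_threshold=5, success_after=3,
           window=timedelta(minutes=10)):
    """Return a list of (alert_type, src, user) tuples; each alert is raised once."""
    recent_fails = defaultdict(deque)  # src -> deque of (ts, user) inside the window
    alerts, seen = [], set()

    def emit(kind, src, user):
        key = (kind, src, user)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for e in parse(text):
        dq = recent_fails[e["src"]]
        _prune(dq, e["ts"], window)
        if not e["ok"]:
            dq.append((e["ts"], e["user"]))
            # Brute force: one source hammering one account.
            if sum(1 for _, u in dq if u == e["user"]) >= fail_threshold:
                emit("brute_force", e["src"], e["user"])
            # Password spraying: one source trying many accounts, few attempts each.
            if len({u for _, u in dq}) >= spray_threshold:
                emit("password_spray", e["src"], "*")
        elif len(dq) >= success_after:
            # A success right after a run of failures from the same source is the
            # tell-tale sign that a guessed or stolen credential has worked.
            emit("success_after_failures", e["src"], e["user"])
    return alerts


if __name__ == "__main__":
    for kind, src, user in detect(SAMPLE_LOG):
        print(f"{kind:24s} src={src:15s} user={user}")
```

    On the sample log this raises a brute_force and a success_after_failures alert for 203.0.113.5/alice and a password_spray alert for 198.51.100.7, while the single typo from 192.0.2.10 raises nothing. In practice the same logic belongs behind the log collector, and feeding it a known test pattern is a cheap ToE for step 4: an alert that never fires on the pattern it was built for is a control that is not operating.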

Embed the IT Risk Management Culture by the Three Lines of Defence

The Three Lines of Defence model (i.e., business [line 1], risk management [line 2] and audit [line 3]) combined with the COBIT framework certainly provide a solid foundation for an embedded IT risk management culture within the organisation.9

The Three Lines of Defence model is an approach to safeguarding the internal control framework. It can be used to demonstrate and structure roles, responsibilities and accountabilities for decision making, risk and control, in order to achieve effective governance, risk management and assurance. The model rests on a resilient compliance risk management framework that comprises three key elements: risk identification and assessment, risk management, and risk monitoring. The Three Lines of Defence model can be enriched by adopting the COBIT framework.

Information risk managers should take the following factors into account and/or ensure that they are well embedded into the enterprise (a non-exhaustive list):

  • Avoid duplication of work—The business is often asked (by different risk management and compliance teams) to provide evidence of risk mitigation actions. This leads to duplicate efforts, inefficiency and decreased motivation of the line 1 employees.
  • Speak the same language—The three lines of defence should serve the same enterprise interests and should, therefore, speak the same language. It can happen that line 1 defines a management response (i.e., describing the risk mitigation solution) that is not fully aligned with the line 3 recommendation, while risk management defends only the line 3 recommendation during evidence validation.
  • Establish a common risk framework—The disparate relationship between risk teams can lead to the failure to recognise potential correlations amongst various risk factors. A well-established and common framework for reporting risk is advisable.
  • Find skilled team members—Risk and compliance teams are often understaffed. (Information) risk people are hard to find.
  • Safeguard independence—Risk management and audit should remain independent and should not assist operations during the implementation of mitigating controls. The consultancy roles of line 2 and line 3 are a frequent subject of discussion.
  • Lead by example—Business management should lead by example. Enterprises often struggle at the point where the appropriate risk response and action plan must be decided.
  • Establish a well-elaborated plan and respect deadlines—Driven by their objectives and approaching deadlines, some people within the business focus on rapid risk closure instead of providing quality evidence.
  • Execute risk reassessments only when useful—When risk issues cannot be mitigated in time, some business people are inclined to launch a risk reassessment (even without valuable evidence) in the hope that the particular issue will drop off specific radars (e.g., the critical and high-risk issue lists).
  • Align the evaluation criteria between the second and third lines of defence—To avoid the audit department reopening closed risk issues, it is essential that the second and third lines of defence apply the same evaluation mind-set and techniques. The better risk management is performing its job, the smaller the chance that audit will reopen recently closed issues.
  • Provide evidence in time—Because risk management staff need enough time for evidence validation, the first line of defence should deliver that evidence on time. This avoids a risk issue becoming overdue when, for example, risk management demands additional clarification and/or evidence during closure.

Conclusion

As always in security, there is no guarantee, but the proposed best practices will at least better prepare enterprises for computer crime. A properly applied information risk management process protects each information system according to the security level it requires. This principle reduces the enterprise’s vulnerability exposure and the number of (un)intentional incidents, and improves network stability and the fulfilment of business expectations.

Endnotes

1 This article represents a summary of the author’s thesis submitted and publicly defended in October 2012 for the accomplishment of the Master Class Forensic Auditing course, led by Professor Michel J. De Samblanx at the Antwerp Management School (Belgium). The entire detailed reference list can be consulted at: Antwerp Management School, Book ‘Interne audit en forensische audit: Bijdragen aan een maatschappelijk debat’, Thesis 2012, p. 345, Filip Van Hallewijn, ‘Best Practice in Mitigating Computer Fraud’. The thesis aimed to present a best practice guideline for discovering, measuring and mitigating computer fraud.
2 Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse, 2012, p. 8, www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2012-report-to-nations.pdf
3 Het Laatste Nieuws, ‘Cybercriminaliteit kost België jaarlijks 1 tot 3 miljard euro’, www.hln.be/hln/nl/4125/Internet/article/detail/1450258/2012/06/07/Cybercriminaliteit-kost-Belgie-jaarlijks-1-tot-3-miljard-euro.dhtml
4 KPMG International Cooperative, Who Is the Typical Fraudster?, 2011, p. 1, www.kpmg.com/IS/is/utgefidefni/greinar-og-utgefid/Documents/Who_is_the_typical_fraudster.pdf
5 Fraud triangle, Werkgroep Fraudemechanismen, Interne fraude, Evert-Jan Lammers, 13 February 2012, p. 1-6
6 Op cit, Association of Certified Fraud Examiners. Occupational fraud is the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.
7 Op cit, Association of Certified Fraud Examiners
8 Verizon, 2012 Data Breach Investigations Report, 2012, www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
9 Oyemade, Ronke; ‘Effective IT Governance Through the Three Lines of Defense, Risk IT and COBIT’, ISACA Journal, vol. 1, 2012, www.isaca.org/archives

Filip Van Hallewijn, CISA, CISM, AMBCI, is a senior consultant of ICT audit, risk and security at delITad NV (Cronos Group). Van Hallewijn assists customers in IT audits (general IT and application controls, IT fraud, security and business continuity planning/disaster recovery planning), regulatory and compliance services (Sarbanes-Oxley 404, SAS 70, ISO 27001, ISO 9001 and ISO 14001), IT risk advisory (data classification, business impact analysis, and risk and compliance assessment), and IT governance (COBIT, ITIL and COSO). He can be contacted at [email protected].



The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2013 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.