Opportunity for Fraud

Potential fraudsters are using new business technologies to fish for company information.​


From point-of-sale and credit card processing to how customer information is stored and quarterly reports are generated, technology is rapidly changing the backbone of business. With businesses on the verge of going entirely paperless, almost all proprietary and financial information is now stored digitally so it can be accessed from anywhere in the world.

But as technology continues to make things easier and more efficient for business users, it also is helping those looking to perpetrate fraud, which, in the past, was committed by obtaining access to physical papers or devices. The Internet, mobile devices such as laptops and smartphones, and conducting business via the cloud allow people to commit fraud from almost anywhere. As organizations continue to move toward the virtual office, they're going to have to take extra measures to prevent fraud.

Auditors will play a growing role in the war against fraud, and some of their most valuable tools will be continuing education, effective data analytics, and an understanding of IT security.​

Increased Vulnerability

Information theft remains one of the most widespread frauds facing organizations and is the second most common fraud, according to the 2012-2013 Kroll Global Fraud Report, which surveyed 839 senior executives from a broad range of industries and functions. Thirty percent of the respondents say they are most vulnerable to information theft, and they cite IT complexity as the leading cause of increased exposure to fraud risk.

The report also notes that IT fraud continues to increase in variety, frequency, and sophistication. Common security breaches include undetected malware, hacking, and misplaced mobile devices, which make financial data, customer data, and trade secrets more vulnerable to attacks. Whether intentionally or due to carelessness, employees are more to blame for information loss and fraud than hackers, the report adds.

Steve Mar, director of IT audit for a major retailer in Seattle, says almost all frauds are rooted in opportunity and vulnerability. Fraud opportunity has increased with technology growth because thieves can now steal information and funds from anywhere in the world. Twenty-five years ago, the threats may have come from employees or insiders using confidential information and documents. Now, a 23-year-old with a laptop in Russia can steal millions from a business in New York or Atlanta.

High-speed Internet, computers, laptops, tablets, and smartphones have made committing fraud easier than ever. "It's not that fraud has changed, it's that technology has made it [easier]," Mar says. "The impact, velocity, and volume all have increased."

David Coderre is president of Ottawa-based CAATS (Computer Assisted Analysis Techniques and Solutions) and author of Computer-Aided Fraud Prevention and Detection: A Step-by-Step Guide (John Wiley & Sons Inc.). He says as organizations continue to digitize, they will face increased vulnerabilities in the areas of data security and recovery.

A growing problem, Coderre says, is that organizations are relying on applications and systems that are not under their direct control. Cloud-based solutions and software-as-a-service (SaaS) systems mean sensitive information is hosted in cyberspace under the control of third-party vendors. While that itself is not a problem, it means the information is leaving the security umbrella of the organization and relying on the protection and security measures of another. Because many companies use multiple cloud-based solutions, this reliance can leave large vulnerabilities. "There needs to be additional emphasis on the importance of developing adequate service-level agreements, which will ensure data security, availability, and recovery," Coderre says.

He predicts cloud-based areas will be a hotspot for fraud in the coming years. Auditors will have to pay specific attention to the risks around unauthorized access, alteration, and destruction of data. Coderre says technology will simply lead to new and different methods for committing frauds. New vulnerabilities in the data mean auditors must look for the symptoms of fraud and prevent future attacks. "[Auditors] will have to look harder at the data because it's easier to conceal," he says.​

Security Issues 

Paul Zikmund, director of global ethics and compliance for Bunge Ltd. in White Plains, N.Y., says while technology and digitization provide tremendous benefits to organizations, password access can easily open the door to major fraud. In one recent example, he discovered embezzlement where bookkeepers used their boss' password to create a phantom vendor account and defrauded the company of US $130,000 over three years.

The fraud was enabled by the growing use of technology to improve efficiency, Zikmund says. Under the old system, bookkeepers had to submit a form to a manager for vendor approval. But new automation of the process allowed them to create the vendor online themselves and wait for one-click approval. With a manager's password, it was easy to approve the phony vendor.

In another example, Zikmund says it's becoming easier to falsify expense reports because more companies are accepting scanned digital receipts for efficiency and archival purposes. While the benefits are profound, there's an added risk for fraud because scanned receipts are easy to alter. As opposed to trying to change an original receipt, anyone with an imaging program easily can change a digital copy. It's also harder to judge authenticity when reviewing electronic files, Zikmund says.

Greg Grocholski, business finance director and former chief audit executive at Dow Chemical Co. in Midland, Mich., says the loss of relationships, combined with technology, also has made it easier to commit fraud. Twenty years ago, businesses had merchant accounts with credit card processing companies that were heavily vetted. Now, anyone with a smartphone and a bank account can process credit card payments by use of third-party apps or software.​

Social Media Risks 

There also are growing risks from social media, says Samir Hans, principal at Deloitte Financial Advisory Services in Washington, D.C. Blurring the lines of private and public, people are sharing more information over the Web. While much of it is personal, certain pieces related to their employment or employer can leak into the digital world. A casual post on Facebook about a new promotion, a new product, or a change in a department could potentially reveal sensitive information to a hacker. Hans says the growing use of mobile devices to post updates or take photos from work also can increase the vulnerabilities. All of that is further complicated when employers implement bring your own device programs or employees use company machines for personal use.

"People are more willing to share things with the public," Hans says. "Fraudsters can find out information about employees without even hacking into the system. That can eventually lead back to the company."

Identity theft also is an increasing problem in social media. While it causes personal problems for an employee, it also can become an organizational problem. A fraudster could obtain personal information on social media to hack a personal email account and use that to access a work email account where there could be confidential or corporate financial information. "Identity theft has become a huge problem as a result of mobile access and continuous posting of private information," Hans says.

The 2012 Identity Fraud Industry Report by Javelin Strategy & Research notes that more than 11.6 million adults became victims of identity fraud in 2011, up 16 percent over the previous year. One of the key findings was that social behaviors and smartphones are putting consumers at greater risk. Sixty-eight percent of social media users share their birthday information, 63 percent share their high school name, and 30 percent share their phone number or pet's name — all commonly used by companies to verify identity. The report also found that 7 percent of smartphone owners became victims of identity fraud at least once, a 33 percent higher incidence rate than the general public, because 32 percent do not update their operating system when it's available, 62 percent do not use a password on their home screen, and another 32 percent save login information on their device.​

Prevention and Detection 

The technology and digitization that enables fraudsters also can help auditors and security analysts fight the battle against fraud. Computerized systems and programs can help auditors analyze data and spot red flags or anomalies in transactions. Grocholski says he is a big proponent of data analytics and that organizations now have access to technology that allows unparalleled data testing. "Today's computing power enables better data mining, better analysis, and 100 percent data attribute testing that can be done in almost real-time," he says.

Coderre says auditors can help prevent fraud by ensuring the IT strategies and plans are consistent with the organization's goals. This includes assessing service-level agreements in SaaS and cloud computing arrangements and actively considering risks when adopting new strategies.

Despite what seems like a high-tech, complex world of shadowy figures hacking into systems, Mar says most breaches are relatively simple. Most attacks occur when a fraudster obtains a password to a system. Whether it's a lost smartphone containing passwords in a spreadsheet or an employee email with login information, any of that can open the door to potential fraud. He says no matter how technology changes, fraud prevention ultimately will be rooted in simple techniques of password security. "It's really up to the organization and how it practices security relative to things such as card information, bank information, and passwords," Mar says.

Zikmund says evidence of fraud can become more deeply buried in numbers as the data available to auditors continues to grow. The basics of looking for fraud remain the same, but auditors may have to trace more payments and scrutinize more relationships, he says. Popular frauds still consist of things such as billing schemes and fictitious vendors, so auditors should look at dollar amounts, different payments to the same vendor, and below-the-threshold payments made the same day. "A lot of it goes back to the same [foundations], but I'm finding at many conferences that auditors aren't using data analytics as much as they should," Zikmund says. "While they are getting more comfortable with it, there is still room for improvement."
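The same-day, below-the-threshold test described above can be run over an entire payments ledger in a few lines. The Python sketch below is an added example, not code from the article or from anyone quoted in it; the approval threshold, vendor names, and ledger rows are constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

APPROVAL_THRESHOLD = Decimal("5000.00")  # assumed approval limit, not from the article

# Constructed sample ledger rows: (payment_id, vendor, pay_date, amount)
PAYMENTS = [
    ("P-1001", "Acme Supply",   date(2013, 3, 4), Decimal("4800.00")),
    ("P-1002", "Acme Supply",   date(2013, 3, 4), Decimal("4750.00")),
    ("P-1003", "Acme Supply",   date(2013, 3, 4), Decimal("4900.00")),
    ("P-1004", "Birch Freight", date(2013, 3, 4), Decimal("1200.00")),
    ("P-1005", "Birch Freight", date(2013, 3, 5), Decimal("1300.00")),
    ("P-1006", "Cedar Office",  date(2013, 3, 6), Decimal("7200.00")),
    ("P-1007", "Delta Temps",   date(2013, 3, 7), Decimal("2600.00")),
    ("P-1008", "Delta Temps",   date(2013, 3, 7), Decimal("2400.00")),
]

def find_split_payments(payments, threshold=APPROVAL_THRESHOLD):
    """Return flagged (vendor, day) groups, largest total first."""
    groups = defaultdict(list)
    for pay_id, vendor, day, amount in payments:
        # Only payments that individually stayed under the approval limit matter here.
        if amount < threshold:
            groups[(vendor, day)].append((pay_id, amount))

    findings = []
    for (vendor, day), items in groups.items():
        total = sum(amount for _, amount in items)
        # Two or more sub-threshold payments that together reach the limit.
        if len(items) >= 2 and total >= threshold:
            findings.append({
                "vendor": vendor,
                "date": day,
                "payment_ids": sorted(pid for pid, _ in items),
                "total": total,
            })
    return sorted(findings, key=lambda f: f["total"], reverse=True)

if __name__ == "__main__":
    for f in find_split_payments(PAYMENTS):
        print(f"{f['date']} {f['vendor']}: {len(f['payment_ids'])} payments, "
              f"total {f['total']} -> {', '.join(f['payment_ids'])}")
```

A flagged group is a lead for follow-up, not proof of fraud; legitimate installment or recurring payments will also appear and need to be cleared against supporting documents.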

Another issue that concerns Zikmund is word that auditors are spending more time in the office and less time in the field in an effort to be more efficient. While technology is making some information more available, auditors shouldn't downplay the importance of field time. Nothing can match the value of talking to people in person, observing, and doing walk-throughs. If auditors let digitization tempt them to veer away from the field, it could open the door to more fraud.

"The analytics should be done on the front end and can help you identify any anomalies, variables in the data, or red flags," he says. "But technology cannot replace time in the field. That is mandatory to help increase effectiveness and efficiency."​

Education and Collaboration

Because many audit departments are running leaner, Zikmund says budget cuts are putting advanced training on the back burner. While auditors may be trained to spot current risks, he says they're unlikely to spot new vulnerabilities as they appear, so they will need ongoing training and education in IT.

Hans says auditors will need to take a more holistic view of their organizations and the areas that have a direct or indirect relationship with the general ledger. Instead of focusing on journal entry testing, they'll have to consider the fraud detection systems that often are individually set up for credit cards, deposits, wire transfers, and other payments.

The audit department at Mar's company treats the war between auditors and fraudsters as an arms race. The endless game of cat and mouse means that by the time auditors are onto the latest techniques to commit fraud, the criminals have moved on to new methods.​

Bigger companies could have new vulnerabilities virtually anywhere, he says. A thief could even gain access to general ledger information through a shipping and supply department. Anything that touches payments or receivables could be vulnerable, and that vulnerability increases with the use of technology. To keep them fresh on the latest fraud tactics and IT vulnerabilities, Mar recommends organizations have their auditors occasionally shadow those who work in security. "They really learn by seeing things," Mar says. "By seeing what IT security personnel are doing, they learn more about the vulnerabilities and where to look."​

 

 
