In a world where we are constantly reminded to check everything, look out for anything unusual and where phishing emails seem to be the norm, it is risky to assume that people are actually doing what you expect them to do as part of the control environment within an organisation. That applies to basic, obvious internal controls that we assume people are performing as part of their role...but sometimes they are not. There may be a number of reasons: a new job where someone is blissfully unaware of what is expected of them due to a lack of training or information; forgetfulness; complacency; a belief that the control is a waste of time and unnecessary; or a working life so busy that people cut corners to meet deadlines. The reason for not undertaking a vital control activity can be innocent but ultimately very costly.
A few things to think about:
Communication – Are employees encouraged and reminded to check anything out of the ordinary? One of our team recently received a text from a friend indicating they had been sent something which they needed to retrieve by following a link. It looked genuine. However, this was not the normal form of communication by this particular friend who only usually texted for short messages. Photos, videos and links were always communicated via WhatsApp so they knew this did not look right. A quick telephone call confirmed the friend had not sent them anything and it was duly deleted.
Phishing emails – How often does your organisation have an email phishing test exercise? This reminds people to be vigilant but also highlights those that are not and brings it to their attention. Educating people on what to watch out for can make the difference between being hacked or being secure! One organisation we know asked every employee to change their passwords as a precautionary measure. If this was not done by a specific time they would be locked out of the system and have to reset the password with the IT department. Imagine the inconvenience and time wasted - more importantly imagine if the system was compromised and the impact that would have.
For example, French film production and cinema chain Pathé fell victim to a business email compromise scheme, also known as CEO fraud, losing €19 million ($21 million) at its Amsterdam-based Pathé Theaters BV subsidiary in the Netherlands. Such schemes involve attackers pretending to be a senior executive, then instructing others to send money urgently to a designated location, typically via wire transfer.
The Securities and Exchange Commission (SEC) also issued a report indicating several public companies each lost millions of dollars as a result of cyber-related frauds. In each case, company employees received spoofed or otherwise compromised electronic communications purporting to be from a company executive or vendor, tricking the employees into initiating wire transfers or paying invoices to accounts controlled by fraudsters rather than legitimate counterparties.
Master file data – Do your staff independently verify any changes to master file data? Is this part of the organisational procedures? We came across a case recently where supplier bank details were amended because an employee noticed that an invoice received from a supplier showed different bank details to those on the system. Well spotted, but unfortunately the master file data was changed without a request from the supplier to change it, and without the employee telephoning the number they already held for the supplier to confirm the change was genuine. It is easy to create a legitimate-looking invoice with today's technology. In this case there was no process in place for changes to master file data or the controls that should be applied to them. Therefore, there was an assumption that people would undertake reasonable checks.
System access controls – How often do the documented processes indicate good segregation of duties, while system access is not restricted to mirror that segregation? We are never surprised to hear someone say they had no idea they had access to system areas where they could undertake activities unrelated to their job role, or that they could access a process that negates any segregation of duties people think is in place. It is a common issue and more prevalent where there is a small finance team.
Most people think about access for starters and leavers, but not always for a change in job role or for administrator access rights. Where there are limited members in the finance or IT team and business needs to carry on as usual if one person is absent, this can lead to a lack of segregation in system access. If this is the case, consider mitigating controls, e.g. independent review of exception reports or some form of divisional review or control. Segregation controls are essential. Where they break down, the opportunity for fraud and theft is considerable.
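As an added illustration (not from the original article), the following hypothetical Python check compares the permissions each user actually holds across all their roles against a list of permission combinations that defeat segregation of duties; the roles, permission names and the entitlement export are all constructed.

```python
# Added example: flag entitlement combinations that defeat segregation of duties.
# All roles, permission names and users below are hypothetical, constructed data.
from collections import defaultdict

# Pairs of permissions one person should not hold together (hypothetical matrix).
TOXIC_PAIRS = [
    ("supplier.bank_details.change", "payment.approve"),
    ("supplier.bank_details.change", "invoice.post"),
    ("user.admin", "payment.approve"),
]

# Constructed export of role assignments: one "user,role" row per line.
ENTITLEMENTS = """alice,ap_clerk
bob,ap_reviewer
bob,payment_approver
carol,sysadmin
carol,payment_approver
dave,ap_clerk
dave,payment_approver"""

# What each role grants. Note ap_clerk bundles a toxic pair in a single role,
# the typical small-team shortcut the article describes.
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice.post", "supplier.bank_details.change"},
    "ap_reviewer": {"invoice.review"},
    "payment_approver": {"payment.approve"},
    "sysadmin": {"user.admin"},
}


def effective_permissions(entitlements: str) -> dict:
    """Collapse role assignments into the set of permissions each user really holds."""
    perms = defaultdict(set)
    for line in entitlements.strip().splitlines():
        user, role = (part.strip() for part in line.split(","))
        perms[user] |= ROLE_PERMISSIONS.get(role, set())
    return dict(perms)


def sod_conflicts(entitlements: str) -> dict:
    """Return {user: [(perm_a, perm_b), ...]} for every toxic pair a user holds."""
    conflicts = {}
    for user, perms in effective_permissions(entitlements).items():
        hits = [pair for pair in TOXIC_PAIRS if pair[0] in perms and pair[1] in perms]
        if hits:
            conflicts[user] = hits
    return conflicts


if __name__ == "__main__":
    for user, hits in sod_conflicts(ENTITLEMENTS).items():
        print(f"{user}: {hits}")
```

Users that appear in the output are candidates for either an access change or a documented mitigating control such as independent review of their transactions.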
For example, during a routine year-end procedures review, Dundee City Council highlighted an invoice for £7,337 for which supporting information could not be found. The payment for this invoice was made in May 2016 into the bank account of one of the Council's IT officers, which resulted in an internal investigation and a Police Scotland investigation. The reviews highlighted fundamental weaknesses in the Council's internal financial control systems. Investigations identified fraudulent payments to the employee totalling £1,065,085 during the period from August 2009 to May 2016.
In another recent case, an employee at Santander bank took details, including security information, from clients. He later created new accounts for two of them. Money was then transferred from the clients' accounts to the new accounts.
This article highlights just a few examples of basic things we need to make sure we are considering so that the business remains on its guard. You cannot eliminate human error, but you can reduce the likelihood of an error occurring, whether it be accidental or deliberate.