Access Management

The Identification and Control of Fraudulent Behavior

September 6, 2011
/ Print / Reprints /
ShareMore
/ Text Size+

The Association of Certified Fraud Examiner’s (ACFE) 2010 Report to the Nations on Occupational Fraud and Abusecompiled 1,843 cases of occupational fraud worldwide between January 2008 and December 2009. The survey estimated that a typical organization lost 5 percent of its annual revenue to fraud with a median loss of $160,000; nearly one-quarter of the frauds involved losses of at least $1 million. Applied to the 2009 Gross World Product, this figure translates to fraud losses of more than $2.9 trillion. The ACFE study provides data that helps in the prevention of fraud. The study showed that small organizations are disproportionately victimized by fraud and typically lack controls compared to larger organizations, and that more than 80 percent of fraud was committed by individuals working in one of six departments: accounting, operations, sales, executive/upper management, customer service or purchasing.

To combat cases of fraud, many companies have hired teams of auditors, physical and virtual security experts, compliance personnel, lawyers and even fraud investigators. However, in the majority of cases, utilizing these measures has only minimized the amount of fraud that has occurred. Clearly, the hiring of these individuals is not the total solution to the fraud problem. Some of the larger Fortune 500 companies have gone farther and hired a corporate security officer to coordinate the activities of all of the areas mentioned. The creation and implementation of a CSO, in some cases, has successfully reduced the amount of fraud within the corporation. Yet, for many companies the hiring of a CSO is not always possible, and in many situations it is the lack of this type of coordination that allows for fraud to occur. The lack of coordination makes any strategic program implementation very difficult. Whether the coordination of efforts is through a single voice like a CSO or with the unified efforts of several departments working together, a planned, coordinated approach to fraud reduction is an effective reduction strategy.    

This coordinated approach should focus on specific characteristics of fraud prevention. The ACFE report indicated that fraud is more likely to be detected by tip than any other means. Surprise audits are another strategy that has shown to be effective in the fight against fraud. Less than 30 percent of victim organizations in the study conducted surprise audits; however, the study showed that organizations that utilized surprise audits tended to have lower fraud losses or detected frauds more quickly.

In developing a unified strategy that coordinates organizational efforts to reduce fraud, the unified approach should include aspect of identification and access control, specifically, a single credential to identify employees and control access into all levels of the organization and within all organizational systems. This includes access to all buildings, IT infrastructures, inventory and financial systems, along with debt services. Single credential means one product and process that works with all systems to authorize and track all persons gaining access into the corporate structure.

A unified credential approach to identification and access control means a process in which an employee, visitor, client or whoever is given access into corporate systems uses one identification process in order to access any and all of the systems they are granted access to. The process can be a simple password or access card. However, the best approach is the combination of both. The idea behind this concept is two-fold. First, a single credential makes it easier for the user, eliminating their desire to circumvent the system. Second, a single credential makes the identification of a user easier for the corporate entity to track. This allows for the auditing not only in individual systems but, most importantly, across all of the organizational systems.

As indicated in the ACFE report, auditing is one of the most under utilized tools to thwart fraud. Auditing should be used on a surprise or regulated basis and the audit should track exceptional behaviors within the workings of all the corporate systems together. Exceptions or abnormal patterns of behavior within the working structures of the day-to-day operations of any single or group of users can determine the start of or existence of fraudulent behavior. It is this single method of monitoring that can dramatically reduce fraud. By monitoring access to systems and use within these systems unusual behavior can be recognized.

The idea of exception reporting is not new. The idea is to look at those patterns of behavior that have strayed from conformity or the majority. This data is the most important in determining and monitoring adverse behaviors. It is the ability to obtain this type of data not just from the access control system but also from all of the organization’s systems. Computer log-on into desktop computers, procurement systems, payroll systems and client records together produces a clearer picture of behaviors. The goal to reducing fraud is the collection of behaviors that can determine patterns of unusual or abnormal behaviors. Whether collecting data from a study conducted by ACFE or from the coordinated direction of the CSO, auditing of adverse behaviors is a solid method of deterrence in the fight against occupational fraud.   

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Bernard Scaglione

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

THE MAGAZINE

Security Magazine

April 2014

2014 April

In the April issue of Security magazine, read about integration partnerships and their growing success. The Boston Marathon bombing has changed the way integrators look at security for sporting events, see where they are one year after the tragic incident. Read about the 2014 RSA conference and this year's theme of "Threat Intelligence. Also, read about the latest products and news in the security industry.

Table Of Contents Subscribe

Background Checks

Who conducts background checks on new employees and contractors in your enterprise?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13