Robert Onions Researcher - Information Systems Security Research Group, The University of Salford, England.
Enron, Xerox, Maxwell, WorldCom, BCCI, Parmalat. Large-company frauds are prevalent; we don't hear from small and medium companies.
SMEs: 3.8m in the UK, 30m+ in the USA, 40m in the EU. In the EU they employ circa 156 million people.
European Union definition of SME: a company is small if any two of the following apply:
DTI-funded research questionnaire: control group of 20 SMEs. 4 A4 pages, a total of 161 questions. Posted to 2000 random SMEs in late 2002 (a truly random sample permits inference; census/sample). Letter from DTI/Salford explaining the research; pre-paid return envelope. Response from 107 companies (5.4%).
Hypotheses:
1. Most SMEs receive limited systems auditing attention, with auditors paying inadequate attention to aspects of Information Technology and Security.
2. Unreported fraud may be widespread within SMEs and may be growing.
3. Directors are keenly interested in reducing fraud if they can.
4. SMEs might favour an alternative, low-cost, automated auditing technology such as a Continuous Auditing software package if such a technology were available to them.
1. Most SMEs receive limited systems auditing attention, with auditors paying inadequate attention to aspects of Information Technology and Security. In 2002, 80% of SMEs were not mandated to an annual audit; using the revised 5.6m threshold in 2004 it is 88%. 8% would not undergo a voluntary audit; 24% would take a voluntary audit; 68% undecided.
1. Most SMEs receive limited systems auditing attention, with auditors paying inadequate attention to aspects of Information Technology and Security. 64% of auditors do not audit company systems. 78% of auditors do not bring in specialist technical expertise to audit the systems. 60% of auditors have no specialist knowledge of the application systems. 75% do not report on any aspect of Information Technology. 62% of auditors do not use specialised auditing software. Only 6% of auditors attempt penetration testing. Hypothesis 1.
Corollary to Hypothesis 1, analysing all respondents defrauded in the last 5 years: 40% did not have an annual audit. Where audited: 54% had no systems auditing; 61% of auditors had no specialist IT knowledge; 55% of auditors did not report on any aspect of IT.
2. Unreported fraud may be widespread within SMEs and may be growing. Very difficult to measure: how does one measure an intangible?
45% of respondents had been defrauded in the last 5 years, and they all completed the questionnaire.
However, only 31% of that 45% gave details of the frauds. Reasons for non-reporting? Hypothesis 2.
3. Directors are keenly interested in reducing fraud if they can. A total of 84% of directors completed the arduous questionnaire. The letter stated best practice. Hypothesis 3.
4. SMEs might favour an alternative, low-cost, automated auditing technology such as a Continuous Auditing software package if such a technology were available to them.
55% of respondents thought that there should be a simple methodology for systems auditing.
53% favoured some form of automatic auditing; this rises to 60% in defrauded companies, and to 88% where fraud values were given. 15.8% would pay up to 2,000 for a package; 14.3% would pay up to 2,500/year to maintain the system. Hypothesis 4.
Some examples, if the research findings are accepted as inferential and extrapolated across the UK SME base (3.8 million companies). 100% of group-owned companies whose computer networks were accessed remotely by their Group had no idea what functions the Group was carrying out; this equates to some 328,000 UK companies. Around 3.5 million SMEs use anti-virus software; 3.34 million have Internet access and 2.93 million use e-mail. Some 3.68 million companies send data over the Internet without any protection such as encryption.
Some 2.69 million companies are at risk from virus attacks by not updating their virus definition software on a daily basis. Over 543,000 companies NEVER update their virus definition software and around 445,000 only update once a year.
Some 1.71 million companies have all employees knowing the system administrator password. Some 1.44 million UK companies do not screen their new or temporary staff.
1.78 million UK companies have suffered instances of fraud in the last five years! Of this number, 1.44 million were defrauded by employees.
2.28 million companies have auditors who have no specialist knowledge of the company software systems and a staggering 2.85 million companies have auditors who do not report on any aspect of Information Technology. 2.43 million companies have auditors who do not audit the company software systems and 3 million companies have auditors who do not bring in specialist technical expertise to audit systems. Some 2.1 million companies favour some form of automatic, on-line auditing capability. In 1.68 million companies staff members know each others passwords.
Continuous Auditing
"The world we have created today as a result of our thinking thus far has problems which cannot be solved by thinking the way we thought when we created them." (Einstein)
Definition of Continuous Auditing:
Analysis of endogenous and exogenous transactions and keystrokes, virtually simultaneously with, or a short period of time after the processing.
Continuous Auditing
[Architecture diagram, reconstructed from the slide text]
Local Workstation / Remote Workstation: Transaction Flow; Operating System Security & Application Systems; Basic Editing; Transactions Mapped to XCAL Format.
Secure Partitioned Processor or External System: Forensic Data Capture; Ephemeral Editing; Expert Systems Technology; Rules-Based Accounting Standards; Forensic Knowledge.
ALERTS sent over Secure VPNs to either an On-Line Systems Audit Centre or an Internal Audit Department.
Verification Agencies (Web Services), reached over a Secure VPN: Companies House; Criminal Records; Credit Checking Bureaux.
Legend of Mnemonics
Severe: high possibility of problems. Medium: chance of problems. Low: mundane levels of activity.
VPN: Virtual Private Network. XCAL: Extensible Continuous Audit Language.
Continuous Auditing
DBMS requirements: audit records should be computer generated and capture all database changes, including the time, the workstation and the signed-on name of the user that generated the transaction. They need to be immediately encrypted and exported to a secure area. The audit trail must be tamper proof, and any attempt to tamper with it needs to be logged.
Continuous Auditing
DBMS requirements: all keystrokes need to be stored, and all endogenous and exogenous data must be captured.
One such package is DataMirror (http://www.datamirror.com/resourcecenter/liveaudit.aspx) which can function in conjunction with several database systems and multiple operating systems. It also contains a mapping tool which outputs XML.
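The requirements above (every change captured with time, workstation and user; exported to a secure area; tamper proof, with tamper attempts logged) can be met with a hash-chained, MAC-protected audit trail. The following Python is an added example written for this page, not code from the research or from any product named here; the key, the record layout and the sample changes are constructed assumptions. Each entry carries the MAC of the previous entry, so altering, dropping or reordering an entry without the key is detected by verify(), and every detection is itself written to a tamper log.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed example key. In the architecture on the slide it would be held by the
# secure partitioned processor / audit centre, never by the application host.
AUDIT_KEY = b"constructed-example-key-do-not-reuse"
GENESIS = "0" * 64   # chain anchor for the first entry


def _canonical(record: dict) -> bytes:
    """Stable byte encoding so the MAC covers exactly one serialisation."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    """Append-only, hash-chained, MAC-protected trail of database changes.

    Every entry records time, workstation and signed-on user together with the
    change itself, the MAC of the previous entry (chaining) and an HMAC over the
    whole entry. Without the key an entry cannot be altered, removed or
    reordered without verify() noticing, and each detection is logged.
    """

    def __init__(self, key: bytes = AUDIT_KEY):
        self._key = key
        self._entries: list[dict] = []   # stands in for the secure export area
        self.tamper_log: list[str] = []  # attempts to tamper are logged here

    def record(self, workstation: str, user: str, change: dict,
               when: Optional[datetime] = None) -> dict:
        """Generate one audit entry for a database change and export it."""
        prev = self._entries[-1]["mac"] if self._entries else GENESIS
        body = {
            "seq": len(self._entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "workstation": workstation,
            "user": user,
            "change": change,
            "prev": prev,
        }
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        entry = {**body, "mac": mac}
        self._entries.append(entry)
        return entry

    def export(self) -> list[dict]:
        """Deep copy, so a reader holding the export cannot mutate the trail."""
        return copy.deepcopy(self._entries)

    def verify(self, entries: list[dict]) -> list[int]:
        """Return the positions whose sequence number, chain link or MAC fails."""
        bad: list[int] = []
        prev = GENESIS
        for i, e in enumerate(entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            ok = (e.get("seq") == i
                  and body.get("prev") == prev
                  and hmac.compare_digest(expected, e.get("mac", "")))
            if not ok:
                bad.append(i)
                self.tamper_log.append(
                    f"tamper suspected at position {i} "
                    f"(claims user={e.get('user')} workstation={e.get('workstation')})")
            prev = e.get("mac", "")
        return bad


def demo() -> tuple[list[int], list[int]]:
    """Constructed walk-through: a clean export verifies; an altered copy does not."""
    trail = AuditTrail()
    t0 = datetime(2004, 11, 5, 23, 0, tzinfo=timezone.utc)
    trail.record("WS-REMOTE-01", "sysadmin",
                 {"table": "supplier", "key": "S1001", "field": "address", "new": "PO Box 99"}, t0)
    trail.record("WS-REMOTE-01", "sysadmin",
                 {"table": "invoice", "key": "INV-7781", "amount": 1200.00}, t0)
    trail.record("WS-REMOTE-01", "sysadmin",
                 {"table": "supplier", "key": "S1001", "field": "address", "new": "1 Mill Lane"}, t0)
    clean = trail.export()
    altered = trail.export()
    altered[1]["change"]["amount"] = 12.00   # the invoice amount is shrunk after the fact
    return trail.verify(clean), trail.verify(altered)
```

Encryption of the exported records is left to the transport to the secure area (the VPN on the slide); the MAC is what makes the trail tamper evident, and the key must not be reachable from the host whose changes are being recorded, otherwise an administrator there could recompute it.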
Continuous Auditing
XCAL defines a generic transaction and generic master files. It is needed because of the plethora of software packages. Similar to XBRL, which defines a generic GL chart of accounts and is now a world standard (Cisco, Reuters, Evergreen statements).
Continuous Auditing
Ephemeral editing rules require meta-rules:
Benford's law across all relevant fields.
Is the user authorised to the transaction?
Time of transaction.
Weekend transaction? Remote transaction? Is the total transaction cost acceptable (e.g. stock adjustments)?
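The meta-rules listed above, applied to transactions already mapped to a generic XCAL-style record, as an added Python example that is not part of the original presentation. The Txn field set, the authorisation matrix, the business-hours window and the stock-adjustment limit are constructed assumptions standing in for whatever a real site would configure; the Benford test uses mean absolute deviation of first-digit proportions with a 0.015 cut-off (Nigrini's first-digit nonconformity level, used here only as an illustrative threshold). Alerts carry the Severe/Medium/Low levels from the legend on the architecture slide.

```python
import math
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# Severity levels taken from the legend of the architecture slide.
SEVERE, MEDIUM, LOW = "Severe", "Medium", "Low"
_RANK = {SEVERE: 3, MEDIUM: 2, LOW: 1}


@dataclass
class Txn:
    """Minimal XCAL-style generic transaction (constructed field set, not the XCAL schema)."""
    txn_id: str
    user: str
    kind: str          # e.g. invoice_post, stock_adjust, supplier_update
    amount: float
    when: datetime
    remote: bool


# Constructed authorisation matrix: which transaction kinds each user may run.
AUTHORISED = {
    "alice": {"invoice_post", "supplier_update"},
    "bob": {"stock_adjust"},
    "sysadmin": {"user_admin"},
}
BUSINESS_HOURS = (8, 18)        # assumption: 08:00-18:00 local time is "normal"
STOCK_ADJUST_LIMIT = 5000.00    # assumption: larger stock adjustments need review


def check_txn(t: Txn) -> list[tuple[str, str]]:
    """Apply the per-transaction meta-rules; returns (severity, reason) pairs."""
    alerts = []
    if t.kind not in AUTHORISED.get(t.user, set()):
        alerts.append((SEVERE, f"{t.user} is not authorised for {t.kind}"))
    if not BUSINESS_HOURS[0] <= t.when.hour < BUSINESS_HOURS[1]:
        alerts.append((MEDIUM, f"outside business hours ({t.when:%H:%M})"))
    if t.when.weekday() >= 5:
        alerts.append((MEDIUM, "weekend transaction"))
    if t.remote:
        alerts.append((LOW, "remote transaction"))
    if t.kind == "stock_adjust" and abs(t.amount) > STOCK_ADJUST_LIMIT:
        alerts.append((SEVERE, f"stock adjustment {t.amount:.2f} exceeds {STOCK_ADJUST_LIMIT:.2f}"))
    return alerts


def overall_severity(alerts) -> Optional[str]:
    """Highest level among the alerts, or None when the transaction is clean."""
    return max((s for s, _ in alerts), key=_RANK.get, default=None)


def first_digit(amount: float) -> Optional[int]:
    """Leading non-zero digit of an amount; None for zero."""
    for ch in f"{abs(amount):.15f}":
        if ch in "123456789":
            return int(ch)
    return None


def benford_check(amounts: Iterable[float], threshold: float = 0.015) -> tuple[float, bool]:
    """Mean absolute deviation of observed first-digit proportions from Benford's law.

    Returns (mad, conforms). Run over a batch of one field (e.g. invoice amounts),
    not over a single transaction: Benford is a population test.
    """
    counts = [0] * 10
    n = 0
    for a in amounts:
        d = first_digit(a)
        if d:
            counts[d] += 1
            n += 1
    if n == 0:
        return 0.0, True
    mad = sum(abs(counts[d] / n - math.log10(1 + 1 / d)) for d in range(1, 10)) / 9
    return mad, mad <= threshold


# Constructed batch whose first digits follow Benford closely (30,18,12,10,8,7,6,5,4 of 100).
CONFORMING_BATCH = [d * 100 + i
                    for d, c in zip(range(1, 10), (30, 18, 12, 10, 8, 7, 6, 5, 4))
                    for i in range(c)]
# Constructed batch of invented invoices all sitting just under a 10,000 approval limit.
FABRICATED_BATCH = [9_900.0 + i for i in range(20)]
```

A practical point the rules make visible: the authorisation and time-of-day checks fire on a single transaction, while the Benford check only says something about a batch, so the two kinds of rule need different scheduling in the secure partitioned processor.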
Continuous Auditing
Aggregated transactions:
Action (Acceptable to System?)
1. System Administrator (SA) signs on remotely at 11.00 pm. (Yes)
2. SA goes to master file maintenance routines. (Yes)
3. SA opens supplier master file, searches for supplier. (Yes)
4. SA changes mailing address of supplier. (Yes)
5. SA selects supplier invoice post routines. (Yes)
6. SA posts invoice for supplier just amended. (Yes)
7. SA selects payment run and cheques are produced. (Yes)
8. SA selects mail label run for suppliers with cheques. (Yes)
9. SA goes back to master file maintenance. (Yes)
10. SA changes supplier mailing address back to original. (Yes)
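Every step in that sequence is acceptable to the application on its own; only the aggregate is alarming. The following Python correlator is an added example, not part of the presentation, showing one way to detect the change-then-invoice-then-pay-then-revert pattern: it keys master-file changes by user and supplier, recognises a later change that restores the earlier value, and grades the alert by what happened to that supplier in between. The Event field set, the four-hour window and the ten constructed events are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SEVERE, MEDIUM, LOW = "Severe", "Medium", "Low"   # legend levels from the slide


@dataclass
class Event:
    """One captured action from the transaction flow (constructed field set)."""
    when: datetime
    user: str
    action: str                       # logon, supplier_address_change, invoice_post, payment_run, ...
    supplier: Optional[str] = None    # supplier record affected, where applicable
    old: Optional[str] = None         # previous value for master-file changes
    new: Optional[str] = None         # new value for master-file changes
    remote: bool = False


class AggregateCorrelator:
    """Flags the change -> invoice -> pay -> revert pattern that no single-step check sees.

    Each action is individually acceptable to the application; the rule fires
    only on the combination, for the same user and supplier, inside a window
    (assumed to be four hours here).
    """

    def __init__(self, window: timedelta = timedelta(hours=4)):
        self.window = window
        self.alerts: list[tuple[str, str]] = []
        self._changes: dict[tuple[str, str], list[Event]] = {}
        self._invoices: dict[str, list[datetime]] = {}
        self._payment_runs: list[datetime] = []

    def ingest(self, ev: Event) -> list[tuple[str, str]]:
        """Feed one event in processing order; returns alerts raised by this event."""
        raised: list[tuple[str, str]] = []
        if ev.action == "invoice_post" and ev.supplier:
            self._invoices.setdefault(ev.supplier, []).append(ev.when)
        elif ev.action == "payment_run":
            self._payment_runs.append(ev.when)
        elif ev.action == "supplier_address_change" and ev.supplier:
            key = (ev.user, ev.supplier)
            for earlier in self._changes.get(key, []):
                # A change that restores the value an earlier change replaced is a round trip.
                if ev.new == earlier.old and timedelta(0) <= ev.when - earlier.when <= self.window:
                    def between(times):
                        return any(earlier.when <= t <= ev.when for t in times)
                    invoiced = between(self._invoices.get(ev.supplier, []))
                    paid = between(self._payment_runs)
                    level = SEVERE if (invoiced and paid) else MEDIUM if invoiced else LOW
                    raised.append((level,
                                   f"{ev.user} changed and reverted the address of {ev.supplier} "
                                   f"within {ev.when - earlier.when}; invoiced={invoiced}, paid={paid}"))
            self._changes.setdefault(key, []).append(ev)
        # Navigation actions (menus, searches, label runs) carry no rule of their own.
        self.alerts.extend(raised)
        return raised


def evaluate(events: list[Event]) -> list[tuple[str, str]]:
    """Run a whole event stream through a fresh correlator and return all alerts."""
    c = AggregateCorrelator()
    for ev in events:
        c.ingest(ev)
    return c.alerts


def scenario_from_slide() -> list[Event]:
    """The ten-step system-administrator sequence from the slide, as constructed events."""
    t = datetime(2004, 11, 6, 23, 0)

    def step(minute: int, action: str, **kw) -> Event:
        return Event(t + timedelta(minutes=minute), "sysadmin", action, **kw)

    return [
        step(0, "logon", remote=True),
        step(1, "menu_master_file"),
        step(2, "supplier_search", supplier="S1001"),
        step(3, "supplier_address_change", supplier="S1001", old="1 Mill Lane", new="PO Box 99"),
        step(4, "menu_invoice_post"),
        step(5, "invoice_post", supplier="S1001"),
        step(6, "payment_run"),
        step(7, "label_run"),
        step(8, "menu_master_file"),
        step(9, "supplier_address_change", supplier="S1001", old="PO Box 99", new="1 Mill Lane"),
    ]
```

The grading matters for the audit centre's workload: a genuine typo fixed five minutes later is a round trip too, but with no invoice in between it is only a Low alert, whereas the slide's sequence, with both an invoice and a payment run between the two address changes, comes out Severe.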
Future
"The future is like heaven, everyone exalts it but no one wants to go there right now." (Baldwin, 1961)
Future # 1. Eighth World Continuous Auditing and Reporting Symposium. Web address: http://raw.rutgers.edu/8wcas. Rutgers Business School, 190 University Avenue, Engelhard Hall, Bove Auditorium, 1st floor, Newark, NJ 07102. November 5, 2004 (8:30AM-5:00PM); November 6, 2004 (8:30AM-4:30PM).
Future # 2. Ninth World Continuous Auditing and Reporting Symposium The University of Malta. May 20th & 21st 2005. E-Mail: roberton@maltanet.net