Using Internal Controls to Prevent Fraud and Cyberattacks
Key Takeaways
News headlines are riddled with mentions of suspected fraud or cyber breaches. Either of these instances can be extremely costly for an organization to withstand. You can better protect yourself from fraud and cyberattacks by understanding where your vulnerabilities exist in your internal controls.
Types of Fraud Schemes
There are numerous types of fraud schemes that can occur within a business, and more than one can occur at a time:
- Payroll Fraud
- Expense Reimbursement Fraud
- Billing Fraud
- Unauthorized Bonuses
- Financial Statement Fraud
- Collusion
- Embezzlement
The AICPA released a Fraud Risk Framework in which each role (board, management, vendors, customers, etc.) has a number of identified risks. To lower your fraud risk, it’s critical to have strong internal controls in place, along with steps to quickly detect and mitigate fraud.
Fraud Statistics: The Association of Certified Fraud Examiners issues a report every two years. In that global report, it demonstrates that organizations lose five percent of their revenue to fraud each year – a typical fraud scheme goes undetected for 14 months with the organization losing approximately $8,300 per month. Can your company withstand that every year? Do you have a budget line item for that? Probably not, nor should you.
There are seven key warning signs of fraud when working with employees. But keep in mind that having just one or two warning signs present may not indicate fraud. Questions to consider that may raise a red flag for whether an employee is committing fraud: Are they living beyond their means? Are you aware that they have financial difficulties? Are they unusually close with a vendor/customer? Are they going through a divorce or having family problems? These situations can supply the three ingredients of fraud: the financial pressure, the opportunity, and the ability to rationalize committing it.
Segregation of duties is a key risk management tool for combating fraud: responsibilities and duties are distributed among employees to ensure proper checks and balances, authorization and approval. One person shouldn’t be able to approve an invoice and then initiate a check, print the check and sign it.
Strong internal controls customized to each role will be key in preventing and detecting the array of frauds.
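The following is an added example, not code from the original article, showing how the segregation-of-duties rule above can be checked both preventively (from role assignments) and detectively (from an accounts-payable action log). The action names, the log and role formats, the conflicting-duty pairs and the sample records are all assumptions constructed for this demonstration; a real policy would cover more duties than the article's single invoice-to-check example.

```python
"""Segregation-of-duties (SoD) conflict check for an accounts-payable workflow.

Added example, not from the original article. It encodes the article's rule
that one person should not approve an invoice and then initiate, print and sign
the check for it. Action names, log format and sample data are assumptions.
"""
from collections import defaultdict

# Pairs of duties the same person must not perform for the same invoice.
# Constructed from the article's example; extend for a real policy.
CONFLICTING_DUTIES = {
    ("approve_invoice", "initiate_check"),
    ("approve_invoice", "sign_check"),
    ("initiate_check", "sign_check"),
    ("print_check", "sign_check"),
}


def find_sod_conflicts(log):
    """Detective control: return a sorted list of
    (invoice_id, user, duty_a, duty_b) where `user` performed both duties on
    the same invoice. `log` is an iterable of (invoice_id, user, action).
    """
    duties = defaultdict(set)  # (invoice_id, user) -> actions performed
    for invoice_id, user, action in log:
        duties[(invoice_id, user)].add(action)

    conflicts = []
    for (invoice_id, user), actions in duties.items():
        for duty_a, duty_b in CONFLICTING_DUTIES:
            if duty_a in actions and duty_b in actions:
                conflicts.append((invoice_id, user, duty_a, duty_b))
    return sorted(conflicts)


def users_with_conflicting_rights(role_assignments):
    """Preventive control: given {user: set(permitted actions)}, return
    {user: [conflicting pairs]} for users whose rights alone would let them
    complete a conflicting pair, before any invoice is touched."""
    flagged = {}
    for user, allowed in role_assignments.items():
        pairs = sorted(p for p in CONFLICTING_DUTIES
                       if p[0] in allowed and p[1] in allowed)
        if pairs:
            flagged[user] = pairs
    return flagged


# Constructed sample log: (invoice_id, user, action).
# INV-1001 is processed by three people; INV-1002 by one person end to end.
SAMPLE_LOG = [
    ("INV-1001", "alice", "approve_invoice"),
    ("INV-1001", "bob", "initiate_check"),
    ("INV-1001", "bob", "print_check"),
    ("INV-1001", "carol", "sign_check"),
    ("INV-1002", "dave", "approve_invoice"),
    ("INV-1002", "dave", "initiate_check"),
    ("INV-1002", "dave", "print_check"),
    ("INV-1002", "dave", "sign_check"),
]

# Constructed sample role assignments: who is permitted to do what.
SAMPLE_ROLES = {
    "alice": {"approve_invoice"},
    "bob": {"initiate_check", "print_check"},
    "carol": {"sign_check"},
    "dave": {"approve_invoice", "initiate_check", "print_check", "sign_check"},
}

if __name__ == "__main__":
    for conflict in find_sod_conflicts(SAMPLE_LOG):
        print("detective finding:", conflict)
    for user, pairs in users_with_conflicting_rights(SAMPLE_ROLES).items():
        print("preventive finding:", user, pairs)
```

The preventive check is the one to run first, against the access rights in the accounting system: a user who holds conflicting rights is a control gap even before any transaction is posted. The detective check over the action log catches cases where rights were later widened or where a reviewer was bypassed.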
What is cybersecurity?
Overall, cybersecurity is about managing risk, establishing processes and procedures, controls and technology to protect our assets. It’s about ensuring that only the people who should have access, have access, when and where they need it. Some key components within managing a company or organization’s cybersecurity:
People
Employees can be our greatest risk, but if trained they’re also the greatest asset and the first line of defense.
Processes
This layer of cybersecurity ensures that businesses have strategies in place to proactively prevent and to respond effectively to cybersecurity incidents.
Technology
Technology must be deployed to prevent or reduce the impact of cyber risks.
Managing Business Risk
Compliance
Compliance is about documenting and demonstrating what you do to meet regulatory requirements. A business can be compliant without being secure. Compliance helps you ensure controls are performed consistently and that you can demonstrate what you do.
Security
Security is about doing the right things to protect your business and your customers.
What are threat actors?
Threat actors are groups or individuals with malicious intent who take advantage of cybersecurity vulnerabilities for their own gain. They include nation-states, industrial spies, organized crime groups, hacktivists and terrorists.
How are we attacked?
There are vulnerabilities in software through which someone can take advantage of you. For example, something as simple as delaying software updates on a computer can leave your data vulnerable.
Forms of Attack Through Social Engineering
Social engineering, the most common form of cyberattack, is when someone tries to take advantage of you by deceiving you into taking action. Being cognizant of messages in the varieties of inboxes will be incredibly important for blocking cyberattacks. Exercise general skepticism about messages to remain vigilant.
Phishing, Vishing, Smishing
- Phishing happens via email. There are many clues that give these fraudulent emails away:
  - The subject line has a generic, yet urgent or scary title.
  - The sender is a foreign email address.
  - The timestamp is well outside of business hours.
  - The email content has poor grammar.
  - The hyperlinks aren’t real (the visible link text does not match where the link actually goes).
- Vishing is a phishing phone call that tries to take advantage of a need your business may have.
- Smishing is usually a text message with a link, from what seems like a trusted source.
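As an added example that is not part of the original article, the phishing clues listed above can be turned into a simple mail-triage scorer that a security team might run over inbound messages. The message record format, the trusted-domain list, the business-hours window, the urgency and grammar word lists and the two sample messages are all assumptions constructed here; the score is a triage aid for deciding what to look at, not a verdict.

```python
"""Score an inbound email against the phishing clues from the article.

Added example, not from the article. Record format, trusted domains,
business hours, word lists and sample messages are constructed assumptions.
"""
import re
from datetime import datetime

TRUSTED_DOMAINS = {"example.com"}      # assumed: the organization's own domain
BUSINESS_HOURS = range(8, 18)          # assumed: 08:00 to 17:59 local time
URGENT_WORDS = ("urgent", "immediately", "action required",
                "account suspended", "final notice")
# Assumed: phrasing common in mass phishing, used as a cheap grammar heuristic.
GRAMMAR_MARKERS = ("kindly", "do the needful", "dear customer")


def _host(url):
    """Return the lowercase host part of a URL or bare 'www.' string."""
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()


def display_text_mismatches(html):
    """Return [(visible_text, href)] for anchors whose visible text looks like
    a URL but whose href points at a different host: the article's
    'hyperlinks aren't real' clue."""
    mismatches = []
    pattern = r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>'
    for href, text in re.findall(pattern, html, re.I | re.S):
        text = text.strip()
        if re.match(r"https?://|www\.", text, re.I) and _host(text) != _host(href):
            mismatches.append((text, href))
    return mismatches


def score_email(msg):
    """Return (score, reasons) for a message dict with keys
    subject, sender, received (datetime) and body_html."""
    reasons = []
    if any(w in msg["subject"].lower() for w in URGENT_WORDS):
        reasons.append("urgent or scary subject line")
    sender_domain = msg["sender"].rsplit("@", 1)[-1].lower()
    if sender_domain not in TRUSTED_DOMAINS:
        reasons.append(f"external sender domain: {sender_domain}")
    received = msg["received"]
    if received.hour not in BUSINESS_HOURS or received.weekday() >= 5:
        reasons.append("received outside business hours")
    if any(m in msg["body_html"].lower() for m in GRAMMAR_MARKERS):
        reasons.append("wording typical of mass phishing")
    for text, href in display_text_mismatches(msg["body_html"]):
        reasons.append(f"link text {text!r} points to {href!r}")
    return len(reasons), reasons


# Constructed sample messages (not real mail).
SUSPICIOUS = {
    "subject": "URGENT: account suspended",
    "sender": "billing@mail-example-support.biz",
    "received": datetime(2024, 3, 10, 2, 17),   # a Sunday at 02:17
    "body_html": ('Dear customer, kindly confirm at '
                  '<a href="http://login.mail-example-support.biz/x">'
                  'https://portal.example.com</a>'),
}
BENIGN = {
    "subject": "Q2 budget review notes",
    "sender": "cfo@example.com",
    "received": datetime(2024, 3, 12, 10, 5),   # a Tuesday at 10:05
    "body_html": ('Notes attached. Agenda: '
                  '<a href="https://intranet.example.com/agenda">'
                  'https://intranet.example.com/agenda</a>'),
}

if __name__ == "__main__":
    for name, msg in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        score, reasons = score_email(msg)
        print(f"{name}: score {score}")
        for r in reasons:
            print("  -", r)
```

Each clue contributes one point, so the score simply counts how many of the article's clues fire; in practice the link-mismatch and external-sender checks deserve more weight than timestamps, since legitimate mail does arrive at odd hours.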
Types of Cyberattacks and Fraud Committed
Ultimately, cyberattacks, regardless of the method used, are a form of fraud. Fraud and cyberattacks both occur through holes in software or holes in internal controls.
- Data breaches
- Ransomware
- Insider Threat
- Business Email and Fraud Scams
- DDoS Attack
Data Breach Costs
“There are two types of companies—those that have been hacked and those that don’t know they’ve been hacked.”
Robert Herjavec, 2017
The average cost of a data breach globally is $4.24 million each year. The main indicator of how much a breach will cost your company is how long it takes to identify it. It can take nearly a year to realize someone breached your system, remediate it and fix the damage.
If you can identify and contain the breach in under 200 days, you’ll save $1.12M in a year.
How to Prevent Cyberattacks
At a bare minimum, focus on your cyber hygiene to strengthen your defenses. The biggest advantage you have is having a plan. Cybersecurity training for employees needs to keep the threat top of mind throughout the year. However, annual training on its own is not effective at changing employee behavior, so you’ll want to focus on adding these key cybersecurity controls:
- Implement multifactor authentication
- Create security policies
- Establish anti-virus/anti-malware defenses
- Limit the number of privileged accounts
- Require anti-malware software, data encryption and strong password security features on mobile devices
- Keep VPN appliances up-to-date and only allow VPN access from managed devices
- Encrypt data and WiFi networks
- Use managed and encrypted file transfer portals
- Implement data loss prevention (DLP) software
- Configure, maintain and monitor firewalls
- Log, monitor and review security events
- Establish comprehensive policies and procedures
- Implement internal and external vulnerability and penetration testing
- Use automated patch utilities
- Develop business continuity (BC) and disaster recovery (DR) incident response plans
- Obtain adequate cyber insurance
- Maintain off-network backups
- Use an asset discovery tool to build and maintain an inventory
- Develop change management protocols
- Have a risk assessment and gap analysis performed
Internal Control Best Practices
The COVID-19 pandemic has effectively increased fraud for a variety of reasons: people are facing financial pressure and hardship, remote employees have less oversight and reduced controls, and employees have an increased ability to rationalize fraud as justified if, for example, the company reduced their pay.
The use of targeted anti-fraud controls has decreased over the last decade. A lack of internal controls contributes to nearly 1/3 of all fraud. The presence of controls is associated with lower fraud losses and quicker detection.
Focus on these areas first to implement internal controls:
- Proper Segregation of Duties
- Accounts Payable
- Accounts Receivable
- Credit Card Usage
- Payroll and Expense Reimbursement
- Access to Information Systems
- Physical Access
Having the right internal controls in place can help reduce instances of occupational fraud and can help strengthen cybersecurity controls. Review your current policies and consider the changes that need to take place to help protect your company. For questions, reach out to Dean Flores.