Magazine article Security Management

Auditing for Anomalies: New Software Tools Are Available to Help Companies Scan Transactions for Anomalies That May Signal Internal Fraud

Article excerpt

Working as a lender in a financial institution's private banking operations, which caters to affluent clients, is a plum assignment, bestowing cachet on the person holding that job. But it also exposes that person to opportunities for committing insider fraud. An employee at National Penn Bancshares recently abused that position and defrauded the bank of $6.7 million, according to papers filed by the company with the Securities and Exchange Commission.

It worked like this: The employee misappropriated customer identities, making it appear as if those customers had obtained loans from the bank, then apparently shifted loan obligations around, in what the company called "a very sophisticated pyramid-style fraud scheme," to mask the crimes. The scheme, according to the February 2005 filing, "was specifically designed to avoid detection by ongoing bank controls and audits." The fraud, which began at least as far back as 2002, was discovered when irregularities in loan and deposit accounts were uncovered during control audit procedures conducted in the first week of 2005. No customer lost money, but the bank itself was fleeced of $6.7 million. In response, National Penn Bancshares has announced that it is considering new internal control measures, such as limiting worker access to the computer system used to maintain deposit accounts, reviewing activity in employee accounts, and changing paper-flow procedures and confirmation processes.

While computerization of information has made companies more efficient, it has also, as this example shows, made it easier for financial criminals to commit insider fraud.

At the same time that technology is making fraud easier, new federal antifraud mandates are raising the stakes for companies that fail to secure their systems. But software-based solutions do exist. Let's look first at the typical schemes and then at the possible ways to prevent or detect them.

System-based schemes. Hack attacks against businesses make the headlines, but internal fraud remains the biggest threat for many businesses. Industry experts agree that 60 to 70 percent of the financial losses suffered by an organization result from insider fraud, and the Association of Certified Fraud Examiners estimates that fraud consumes six percent of an enterprise's revenue.

A June 2002 Gartner report entitled Moving to Transaction Incident Monitoring for IS Security summed up the insider risk by stating, "The major threat comes from technology-minded insiders who have knowledge about processes, business system customizations and technologies. Insiders such as current employees, recently terminated employees, subcontractors, and consultants are significantly more dangerous than outsiders.... In some business environments, such as ERP (enterprise resource planning) or CRM (customer relationship management), 95 percent of fraud comes from insiders or internal users with access to key data transactions."

Systems-based fraudulent schemes by insiders can fall into a number of categories. The main types include the following:

False ("ghost") vendors. A ghost, or bogus, vendor can be created and added into the system by an accounts-payable clerk, who can then use the account to process checks made out to that ghost account, essentially funneling money to himself or herself.

The clerk simply creates a bank account in the fictitious vendor's name, then grants himself authorization to deposit or cash checks made out to the company. Some banks don't require even that much. A fake business card stating that the person is a high-level officer of the fictitious company can be enough to get account privileges.

The dishonest clerk can either hope that the payment is lost amid hundreds of other payments on the corporate system, or he can delete invoice and payment records. Doing so requires database access and some sophistication, however. …
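The ghost-vendor pattern described above leaves traces that transaction-scanning software can test for. The following is an added example, not part of the original article: it flags vendors paid by the same user who created them, payments whose invoice record is gone, and gaps in the check sequence. All record layouts, field names and values are constructed for illustration, and it assumes checks are numbered sequentially.

```python
from collections import defaultdict

# Constructed sample records; every field name and value here is hypothetical.
VENDORS = {
    "V100": {"name": "Acme Supply", "created_by": "mlee"},
    "V101": {"name": "Northside Consulting", "created_by": "jdoe"},
}
INVOICES = {"A-17", "A-18", "N-01"}  # invoice numbers still on file
PAYMENTS = [
    {"check_no": 5001, "vendor": "V100", "invoice": "A-17", "processed_by": "jdoe", "amount": 1200},
    {"check_no": 5002, "vendor": "V101", "invoice": "N-01", "processed_by": "jdoe", "amount": 4800},
    {"check_no": 5004, "vendor": "V101", "invoice": "N-02", "processed_by": "jdoe", "amount": 5100},
    {"check_no": 5005, "vendor": "V100", "invoice": "A-18", "processed_by": "asmith", "amount": 900},
]

def self_dealt_vendors(vendors, payments):
    """Vendors paid by the same user who added them to the vendor file."""
    totals = defaultdict(lambda: {"count": 0, "amount": 0})
    for p in payments:
        vendor = vendors.get(p["vendor"])
        if vendor and vendor["created_by"] == p["processed_by"]:
            key = (p["vendor"], p["processed_by"])
            totals[key]["count"] += 1
            totals[key]["amount"] += p["amount"]
    return dict(totals)

def payments_without_invoice(payments, invoices):
    """Check numbers whose supporting invoice record is no longer on file."""
    return [p["check_no"] for p in payments if p["invoice"] not in invoices]

def missing_check_numbers(payments):
    """Gaps in the check sequence, a possible sign of deleted payment records."""
    seen = {p["check_no"] for p in payments}
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]

if __name__ == "__main__":
    print("Created and paid by same user:", self_dealt_vendors(VENDORS, PAYMENTS))
    print("Payments lacking an invoice:", payments_without_invoice(PAYMENTS, INVOICES))
    print("Missing check numbers:", missing_check_numbers(PAYMENTS))
```

A hit on any one test is a lead for an auditor to review, not proof of fraud; voided checks and late-filed invoices produce the same signals.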
