Security Workshop presentation

ISACA Kampala Chapter
Annual Security Workshop
SECURITY DECISIONS: THE CHALLENGES FOR TODAY AND TOMORROW
Godffrey Mwika, CPA(K), CIA, CISA, CISM
Risk Consulting Division
KPMG East Africa
4/13/2015
Godffrey Mwika, Risk Consulting, KPMG East Africa
Information Insecurity
Real life cases of how businesses are losing cash without trace
Information insecurity
Failure to protect information assets from the following risks:
– Unauthorized access
– Unauthorized use
– Disclosure to unauthorized parties
– Disruption of the information
Information insecurity
Failure to protect information assets from the following risks:
– Modification
– Viewing, perusal, inspection
– Writing, recording or editing
– Deletion or other forms of destruction
Information insecurity
Generally, it is the failure to ensure that the 3 key components of information security are established and operational, i.e. CIA:
– Confidentiality (C)
– Integrity (I)
– Availability (A)
The order of importance is debatable.
Why information insecurity
Reasons why information will be insecure:
– Software weaknesses – when applications are made insecure at development
– When an organisation has not classified its information – restricted, confidential, protect, public, unclassified etc.
Why information insecurity
Reasons why information will be insecure:
– Lack of capacity – inadequate IT resources to assess and mitigate against security risks
– Poor or non-existent risk management framework for information security risks, hence no mitigating factors
Why information insecurity
Reasons why information will be insecure:
– Governance issues – tone at the top on IS risks is wrong or missing
– Wrong attitude – ‘Snakes are not dangerous till they bite me’
– Underestimating the people risk factor
Why information insecurity
Reasons why information will be insecure:
– Poorly defined business processes – this includes issues like lack of separation of duties and conflicting roles (labour cost)
– Fraudulent intentions – where fraudulent managers and staff prefer insecure systems
Why information insecurity
Reasons why information will be insecure:
– Resistance to change – security comes with responsibility, role definition and process designing/redesigning, and people may resist
– Ignorance and general lack of knowledge
Information Insecurity – Losses
When business information is insecure and the weaknesses are exploited, the result is either:
– Direct cash losses – direct benefits to the people exploiting the security gaps
– Indirect cash losses to an organisation as a result of the security gaps
Suppliers Master Data Insecurity
• Creation of non-prequalified suppliers and deletion after fraudulent payments have been made
• Amending suppliers' details for fraudulent payments
• Violation of separation of duties in systems
• Create, use and delete scheme
A company pays for poor quality work or no work at all.
POP and Goods Receipts Insecurity
• System holds on order matching are overridden to allow wrong or inadequate receipts to be delivered
• Exaggerated usage reports to reconcile ghost deliveries
• Un-reconciled production reports
• Accounting for cost of production based on actual usage only (end to end) and without stepwise business process WIP management
POP and Goods Receipts Insecurity
• Contract/order breakdown into small bits to skip certain levels of management approval
• Creation of orders for unwanted items in the mix of wanted ones
• Buying with a view to write off
• Generating GRN/SRN for non-existent technical and complicated services – when there is no control of services in the system – using heavy terminology to confuse accounts
Payments Insecurity
• Procure-to-payment manned by a single person (intentional or unknown): cutting labour costs and losing cash
• IT has unlimited and uncontrolled access to the business process modules
• No relationship between POP, suppliers master and payment system
• Manual payments captured in the system later
Payments Insecurity
• Down payments that are never recovered on final payment
• Access controls over the payment master
• Duplicate supplier payments undetected by the system
• Deliberate disputes created by suppliers to recover un-reconciled amounts in a company
• Approving many small immaterial payments and preparing a final single payment
Customers Master Insecurity
• Creating customers, trading on credit and deleting them from the database
• Varying credit limits, trading and reversing
• Posting ‘erroneously’, trading and reversing the posting
• Endless unexplained postings into a customer's account
• Inter-account transfers that are ‘due to error’
Customers Master Insecurity
• Deleting invoices from customers' accounts and describing it as an error
• Unapproved credit notes posted in customers' accounts without support
• Confused customers' accounts that take too long to reconcile while goods are shipped
• Customers switching between cash and credit terms temporarily
Sales Order Processing Insecurity
• Unprotected price master
• Big customer orders placed on the eve of a price increase to frustrate the increase and favor an individual
• Moving customers to price regimes they don’t deserve
• Hedging orders floated in the system to await a favorable price
• Fraudulent and unnecessary promotions
Inventories Insecurity
• Product master changes to accept wrong goods which are later written off as obsolete goods
• Changes of product usage to cover stock losses
• Deletion of missing/misappropriated inventories from the database
• Malicious issues and receipts
• Weighbridge fraud – ‘cheating the system’
Government Systems Insecurity
• Unrecorded receipts
• Parallel systems to beat IT based systems
• Ghost payments
• Deliberate system crashes
• Bureaucracy
• Resistance to ICT
• Most old government staff ignore IT
• Young government staff take advantage
Overtime and Payroll Insecurity
• Recording un-worked hours
• Varying the value of hours worked
• Paying twice for the same hours, even more than 24 hours a day
• Running parallel payroll systems for the bank and for accounting, and then creating reconciling differences that are never resolved
• Editing salaries and wages after computation but before transmission to increase net pay
Taming Insecurity
• Align ICT to business needs – A MUST DO.
• Define your data and classify it correctly. Various information has different levels of insecurity.
• Define all process level risks and implement controls for them.
• Use CAATs for continuous auditing procedures.
• Establish a Risk Management System that includes all business process owners.
Taming Insecurity
• Have a clear ICT security policy.
• Define security roles and separate duties between ICT & business and between business process owners.
• Develop and implement monitoring reports that can be reviewed by managers continuously.
• Conduct proper investigations and punish violations mercilessly as a deterrent.
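As an added example (not from the presentation or from KPMG), here is a small Python CAAT of the kind the "Use CAATs for continuous auditing" and "monitoring reports" bullets call for: it runs over a constructed supplier master audit trail and payment list and flags the create-use-delete scheme, separation-of-duties violations and duplicate supplier payments described on the supplier master and payments slides. The data layout, user names, supplier IDs and time windows are all hypothetical.

```python
from collections import defaultdict
from datetime import date
# Constructed sample data (hypothetical): supplier master audit trail and payments.
MASTER_LOG = [  # (day, user, action, supplier_id)
    (date(2015, 3, 1), "jdoe", "CREATE", "S-901"),
    (date(2015, 3, 2), "mkim", "CREATE", "S-902"),
    (date(2015, 3, 20), "jdoe", "DELETE", "S-901"),
]
PAYMENTS = [  # (payment_id, day, supplier_id, amount, prepared_by, approved_by)
    ("P1", date(2015, 3, 5), "S-901", 4800.00, "jdoe", "jdoe"),
    ("P2", date(2015, 3, 6), "S-902", 1250.00, "mkim", "asmith"),
    ("P3", date(2015, 3, 9), "S-902", 1250.00, "mkim", "asmith"),
    ("P4", date(2015, 3, 30), "S-902", 1250.00, "mkim", "asmith"),
]

def create_use_delete(master_log, payments, window_days=30):
    # Suppliers created, paid at least once, then deleted within the window.
    created = {s: d for d, _, a, s in master_log if a == "CREATE"}
    deleted = {s: d for d, _, a, s in master_log if a == "DELETE"}
    paid = {p[2] for p in payments}
    return sorted(s for s in created if s in deleted and s in paid
                  and (deleted[s] - created[s]).days <= window_days)

def sod_violations(master_log, payments):
    # Flag a payment when one person both prepared and approved it, or when
    # the approver also created/amended the supplier's master record.
    touched = defaultdict(set)
    for _, user, action, supplier in master_log:
        if action in ("CREATE", "AMEND"):
            touched[supplier].add(user)
    return [pid for pid, _, supplier, _, prep, appr in payments
            if prep == appr or appr in touched[supplier]]

def duplicate_payments(payments, window_days=7):
    # Same supplier and amount paid again within the window: possible duplicate.
    by_key = defaultdict(list)
    for pid, day, supplier, amount, _, _ in payments:
        by_key[(supplier, amount)].append((day, pid))
    pairs = []
    for entries in by_key.values():
        entries.sort()
        for (d0, p0), (d1, p1) in zip(entries, entries[1:]):
            if (d1 - d0).days <= window_days:
                pairs.append((p0, p1))
    return pairs
if __name__ == "__main__":
    print("create-use-delete:", create_use_delete(MASTER_LOG, PAYMENTS))
    print("SoD violations:", sod_violations(MASTER_LOG, PAYMENTS))
    print("possible duplicates:", duplicate_payments(PAYMENTS))
```

In a real deployment the three lists would be pulled from the ERP audit tables on a schedule and the flagged IDs written to the managers' monitoring report rather than printed.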
Questions?
Thank you very much ………..
Be Secure
Goodbye!