
An introduction to Continuous Controls Monitoring


FEATURE

Computer Fraud & Security, June 2010, page 16

But overcoming these issues is – just as it would have appeared to those in the White House in 2000 – too important to be simply left to the technologists. Finding the right answers is going to take both sides. Cloud providers and potential enterprise customers need to step forward together, road-testing services, developing new policies and practices, and demonstrating that promised returns on investment can be realised. Solving the outstanding security questions is in everyone’s interests, and that’s why 2010 could be the year the enterprise cloud opens for business.

About the author

Ray Stanton is the executive global head of BT’s Business Continuity, Security and Governance Practice (BCS&G). He has worked in information security for over 24 years, and is an experienced and recognised practitioner, particularly in the use and implementation of the BS7799 standard and incident management procedures. Stanton has worked for both government and commercial organisations in a variety of security-related roles including project management, security auditing, policy design, and the development of security management strategies.

Resources

things you wanted to know in 2010 but were afraid to ask’, go to: bt.com/globalservices


An introduction to Continuous Controls Monitoring

Richard Hunt and Marc Jackson, Turnkey Consulting

Today’s current economic climate has presented many major headaches for employers. One that is discussed less often than reduced sales and higher operating costs is the increased risk of employee fraud. The elevated risk of being made redundant, or the frustration of having salaries frozen (or even reduced) for the foreseeable future, can make previously loyal staff search for control gaps in a business process that can be exploited for their financial gain. In addition, poor security and inappropriate levels of system access can lead to increased opportunities for users to perform fraudulent activities that can ultimately result in inaccurate financial reporting, or even material misstatements.

In striving for compliance with regulatory requirements such as Sarbanes-Oxley, many enterprises have already made significant strides in mapping their financial processes. These include identifying risks to the accuracy of financial reporting, documenting the internal controls (both business process and IT) necessary to mitigate these risks, and operating these controls as required to ensure compliance. However, the path towards compliance has not been without cost. The extensive resources needed to design, develop, operate, test and assess compliance control points have resulted in significant financial burdens for most organisations.

The initial achievement of compliance is just the beginning. Compliance is a continuous journey and, having attained an acceptable level through the implementation of a compliance and control framework, significant ongoing resource costs are often required to maintain this and ensure that internal controls are operating effectively. Because they often lack the internal resources or skill set to undertake this, many companies must continue to rely on external facilities to support ongoing compliance activities, further increasing cost. However, it remains a necessary evil in order to meet regulatory requirements and prevent fraudulent activities from affecting the financial statements. The answer lies in finding a way to streamline this process.

Operating and monitoring controls – a manual burden

Organisations with a robust compliance and control framework will have a number of internal controls that they need to operate on a regular basis. For example, ‘detective’ reports run at the end of each monthly payroll will ensure there has been no duplication of payments.

Although companies have automated some of their controls, the majority of them remain manual and so need to be proactively operated by the control owners themselves. For example, controls that act as check points within a process (such as approval required for a user provisioning request) tend to be manual in nature and need to be performed on an ‘as required’ basis. In contrast, controls that are based on system parameter settings (eg, configuring a three-way match requirement between invoice, purchase order and goods receipt to prevent payment of potentially invalid invoices) are likely to be automated and so, once set up, will operate without further intervention. Despite this, the subsequent periodic review of reports highlighting unmatched invoices will need to be performed as a manual control in order to resolve and clear these items.

On top of manually operating these controls as required, manual checks also need to be performed in order to verify that they are working (rather than this being a non-tested assumption). This is the ‘controls monitoring’ element and helps to measure the potential gap between theory and reality. Without such monitoring activities, controls could be changed without the owner’s knowledge and compliance would no longer be achieved.

Despite their investment and dedication towards compliance initiatives, many organisations don’t have the necessary resources to evaluate the operational effectiveness of their internal controls on a frequent basis and therefore lack confidence in their ability to pass controls testing. It also means they rely on feedback from their external auditors to flag up any issues, which is clearly not a desired route. In addition, required corrective actions will not be timely enough to prevent issues being raised in the auditor’s internal control report.

What is CCM and why should you use it?

Asking five different organisations in the Governance, Risk and Compliance (GRC) market to define Continuous Controls Monitoring (CCM) will provoke five different responses. There is no single accepted definition and consequently it can cause confusion among organisations seeking further information when considering a CCM solution. However, despite this lack of uniformity, there are general concepts that remain constant and help provide clarity regarding the practical application of CCM and its undoubted benefits.

CCM is essentially a technology solution for continuous monitoring which provides users with real-time status assurances for all of their compliance control points. For example, a rule may be configured that triggers an automatic review of the payment run output and sends results to the manager responsible for monitoring duplicate payments. Any exceptions will be flagged in the control output and then reviewed by the control owner for relevant action. The automation of the control now means that the manager does not have to actively perform the review and is only alerted when required, with subsequent reviews based on exceptions only. This reduces the burden on the control owner and allows them to perform more value-add activities, and so can also help to deliver significant business process improvements.

In order for controls to be included in a CCM solution they need to be automated. Taking the example above, the formerly manual operation of running a report every month in the business application and reviewing it to identify duplicate payments, even if none actually exist, is converted to a purely automated control. This is achieved by the use of a rule linked to an executable program which says ‘go and test this’, and is scheduled to be run periodically (or as required). Therefore, manual process driven controls are assigned to a program within the business application system with relevant rules applied, and the control is scheduled as appropriate from within the CCM system, where the results and alerts are also recorded.
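The duplicate-payment rule described in the preceding paragraphs, as an added example that is not code from the article or from any CCM product: a Python check of the kind a scheduler would run over the payment run output, returning an alert only when exceptions exist so that the control owner is disturbed on an exception basis. The record fields, the control identifier AP-DUP-01, the 30-day window and the sample payments are all assumptions constructed for the example.

```python
# Added example (not from the article): a duplicate-payment rule of the kind a
# CCM scheduler would run over a payment run's output. Field names, the control
# id "AP-DUP-01" and the sample payments are all constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    doc_id: str        # payment document number
    vendor_id: str
    amount_pence: int  # integer minor units, so no floating-point rounding
    invoice_ref: str   # supplier invoice reference as keyed by accounts payable
    paid_on: date


def find_duplicate_payments(payments, window_days=30):
    """Return exceptions for two patterns: the same supplier invoice paid twice,
    and the same vendor paid the same amount twice within `window_days` under
    different invoice references (a re-keyed or slightly altered reference)."""
    exceptions = []

    # Pattern 1: identical vendor + invoice reference (case/whitespace normalised)
    by_invoice = defaultdict(list)
    for p in payments:
        by_invoice[(p.vendor_id, p.invoice_ref.strip().upper())].append(p)
    for (vendor, ref), group in by_invoice.items():
        if len(group) > 1:
            exceptions.append({
                "rule": "SAME_INVOICE",
                "vendor_id": vendor,
                "invoice_ref": ref,
                "docs": sorted(p.doc_id for p in group),
            })

    # Pattern 2: same vendor and amount, different reference, close in time
    by_amount = defaultdict(list)
    for p in payments:
        by_amount[(p.vendor_id, p.amount_pence)].append(p)
    for (vendor, amount), group in by_amount.items():
        group = sorted(group, key=lambda p: p.paid_on)
        for i, earlier in enumerate(group):
            for later in group[i + 1:]:
                same_ref = (earlier.invoice_ref.strip().upper()
                            == later.invoice_ref.strip().upper())
                if same_ref:
                    continue  # already reported by pattern 1
                if (later.paid_on - earlier.paid_on).days <= window_days:
                    exceptions.append({
                        "rule": "SAME_AMOUNT_IN_WINDOW",
                        "vendor_id": vendor,
                        "amount_pence": amount,
                        "docs": [earlier.doc_id, later.doc_id],
                    })
    return exceptions


def run_duplicate_payment_control(payments, owner="ap.manager", control_id="AP-DUP-01"):
    """Exception-only alerting: return None when the run is clean, otherwise an
    alert record for the control owner's queue."""
    exceptions = find_duplicate_payments(payments)
    if not exceptions:
        return None
    return {
        "control_id": control_id,
        "owner": owner,
        "exception_count": len(exceptions),
        "exceptions": exceptions,
    }


# Constructed payment-run extract for the example.
SAMPLE_PAYMENTS = [
    Payment("5000001", "V100", 1_250_000, "INV-1001", date(2010, 5, 3)),
    Payment("5000002", "V100", 1_250_000, "inv-1001 ", date(2010, 5, 28)),  # same invoice, re-keyed
    Payment("5000003", "V200", 800_000, "INV-77", date(2010, 5, 10)),
    Payment("5000004", "V200", 800_000, "INV-77A", date(2010, 5, 25)),      # altered reference, 15 days apart
    Payment("5000005", "V300", 50_000, "INV-9", date(2010, 5, 1)),
    Payment("5000006", "V300", 50_000, "INV-10", date(2010, 6, 15)),        # 45 days apart: outside the window
]

if __name__ == "__main__":
    print(run_duplicate_payment_control(SAMPLE_PAYMENTS))
```

Run against the constructed extract, the control raises two exceptions (the re-keyed invoice and the altered reference) and stays silent for the V300 pair, which falls outside the window; an empty or clean run returns None, which is the point of exception-only alerting.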

Controls based on system parameter settings are already automated and configured in the application. In this case, the related control to be implemented for a CCM solution would be to develop a program in the business application system that notifies the control owner in the CCM system if any of the parameter settings have been changed. This will enable them to ensure that the control is still operating as designed and hasn’t been changed unknowingly. This control would be event-driven and so the control owner would be alerted by exception only.

Return on investment

It is evident that CCM can have a significant Return On Investment (ROI) and so it should be straightforward to create a business case for its implementation. There are two main types of ROI for a CCM solution. The first is the significant saving in time and labour costs due to the automation of either the operation of controls and/or the testing of controls. By automating, people can be re-assigned to more productive operational tasks. Secondly, there are potentially huge returns by enabling the recovery of money, or preventing money being lost in the first place due to human error or fraudulent activities.

Figure 1: Integration between CCM and business application.

For example, a company may have a supplier who is billing two different divisions for the same goods or services. This may be due to a simple mistake by the supplier, or it could be intentional and therefore classified as fraud. Whatever the reason, if it happens where there is no CCM solution in place the organisation may have to rely on manual controls to detect these duplicate invoices, which can lead to undetected exceptions and result in a control failure. A CCM solution could detect this exception immediately and almost pay for itself in the process.

What is the scope for a CCM solution?

In the past, CCM has tended to be associated with a focus on transactions, and there are several software vendors that supply products to monitor all financial (and non-financial) transactions for compliance with internal controls. However, master data and application configuration (sometimes referred to as application controls) is also an integral part of CCM, as control weaknesses in these areas can lead to incorrect transactional data.

For example, transactions related to the payment of invoices are generated by a program within the business application. However, this program relies on input from both application configuration (eg, invoice tolerance thresholds) and master data (eg, vendor bank account details in the vendor master record), as they determine whether the invoice should be paid in the first place and the relevant account that should receive it.

Both application configuration and master data can be changed, but the objective is to ensure that they are being changed in an authorised manner using the appropriate procedures and control points, and not due to human error or fraudulent intent. For a business process to operate effectively, the process or data owner needs to validate that changes to the master data or system parameter settings (many of which will be documented as controls) are correct.
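The parameter-setting monitor described earlier and the master data validation just described come down to one mechanism: keep a baseline, detect that something changed, and check each change against an approved change record before alerting the owner. The following Python is an added example, not code from the article or from SAP GRC; the parameter names, vendor records, fingerprint trigger and change-ticket format are constructed assumptions.

```python
# Added example (not from the article): event-driven monitoring of parameter
# settings and vendor master data against a baseline, with an approved-change
# log deciding which differences are authorised. Every key, value and change
# ticket below is constructed; nothing maps to a real application's tables.
import hashlib
import json


def flatten(snapshot, prefix):
    """Turn a snapshot into {"prefix:object/field": value} so parameter settings
    and master data records can be compared by the same routine."""
    flat = {}
    for key, value in snapshot.items():
        if isinstance(value, dict):
            for field_name, v in value.items():
                flat[f"{prefix}:{key}/{field_name}"] = v
        else:
            flat[f"{prefix}:{key}"] = value
    return flat


def fingerprint(snapshot):
    """Canonical SHA-256 of a snapshot: the cheap trigger that tells the CCM
    system 'something changed' before the detailed diff is computed."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_snapshots(baseline, current):
    """List every added, removed or altered field between two flattened snapshots."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            changes.append({"object": key, "old": old, "new": new})
    return changes


def classify_changes(changes, approved_changes):
    """Mark a change authorised only if an approved record names the same
    object and the same new value; anything else is an exception."""
    approved = {(a["object"], a["new"]): a["ticket"] for a in approved_changes}
    for c in changes:
        ticket = approved.get((c["object"], c["new"]))
        c["status"] = "authorised" if ticket else "unauthorised"
        c["ticket"] = ticket
    return changes


def monitor(baseline_params, current_params, baseline_vendors, current_vendors, approved_changes):
    """Return only the unauthorised changes (exception-only alerting), or an
    empty list when the fingerprints match and nothing needs the owner's attention."""
    if (fingerprint(baseline_params) == fingerprint(current_params)
            and fingerprint(baseline_vendors) == fingerprint(current_vendors)):
        return []
    baseline = {**flatten(baseline_params, "param"), **flatten(baseline_vendors, "vendor")}
    current = {**flatten(current_params, "param"), **flatten(current_vendors, "vendor")}
    changes = classify_changes(diff_snapshots(baseline, current), approved_changes)
    return [c for c in changes if c["status"] == "unauthorised"]


# Constructed snapshots: a parameter switched off and a bank account altered
# without an approved change; one vendor name change that was approved.
BASELINE_PARAMS = {"THREE_WAY_MATCH": "X", "INVOICE_TOLERANCE_PCT": "2.0"}
CURRENT_PARAMS = {"THREE_WAY_MATCH": "", "INVOICE_TOLERANCE_PCT": "2.0"}
BASELINE_VENDORS = {
    "V100": {"name": "Acme Supplies", "iban": "GB00EXAM00000000000001"},
    "V200": {"name": "Beta Ltd", "iban": "GB00EXAM00000000000002"},
}
CURRENT_VENDORS = {
    "V100": {"name": "Acme Supplies", "iban": "GB00EXAM00000000009999"},
    "V200": {"name": "Beta Limited", "iban": "GB00EXAM00000000000002"},
}
APPROVED_CHANGES = [
    {"object": "vendor:V200/name", "new": "Beta Limited", "ticket": "CHG-0042"},
]

if __name__ == "__main__":
    for alert in monitor(BASELINE_PARAMS, CURRENT_PARAMS,
                         BASELINE_VENDORS, CURRENT_VENDORS, APPROVED_CHANGES):
        print(alert)
```

The fingerprint comparison is what makes the control event-driven rather than a scheduled report: when nothing has changed the owner hears nothing, and when something has, only the changes without a matching approved ticket (here the disabled three-way match switch and the altered bank account) reach the owner's queue.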

As well as CCM for transactions, manual process-driven controls, application configuration and master data, it can be used to support Segregation of Duties (SoD) processes. Organisations can harness SoD analysis technology such as SAP GRC Access Controls to automate the process of analysing and monitoring SoD and sensitive access exceptions, remediating exceptions, and analysing ongoing user access changes to prevent new risks. CCM tools such as the SAP GRC Process Controls tool can then be integrated to automate the documentation and review of mitigating controls where removal of access is not possible. The net result is reduced risk, fewer cases of human error, and less internal fraud.

Continuous auditing and control self-assessments

As well as the benefit of having controls that operate with minimal human effort required, apart from the review and remediation of exceptions, this automated control framework also facilitates a more effective and efficient way of testing the operating effectiveness of these controls. It is critical to the effective operation of a control, and the ongoing prevention and detection of fraudulent activities in the system, that the control owner periodically validates that the control is still operating as designed. This is known as control self-assessments. Because this task has previously been labour intensive, time-consuming and costly, the tests of operating effectiveness end up being performed solely by the internal and external auditors, rather than the control owners themselves.

Such audit reviews can also be time consuming for the control owners as they have to extract reports and evidence requested by the auditors as they select samples and test them for compliance and accuracy. In addition, sampling risk – the possibility that exceptions may exist in the untested part of the total population – is still an issue, and will continue to be if manual testing methods are used, as it is not possible to try all occurrences of a control over a given period. However, all of this can be done with relative ease by utilising the CCM functionality.

For example, while a manual control such as the approval of user provisioning requests would previously require an audit of 30 historical transactions, automated controls can be tested using a ‘black box’ positive-negative test approach with just two theoretical transactions to prove that the continuous monitoring control is working as it should. In addition, if the auditor wants to dig deeper then they can also review the audit trail retained in the CCM system, which lists all occurrences of that control, all exceptions encountered, and whether the control owner dealt with those exceptions in the appropriate manner (which is another typical audit concern).

Figure 2: Black box testing.
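The black-box positive-negative test and the audit trail described above, as an added Python example that is not code from the article or from any CCM tool. It applies the approach to the three-way match control mentioned earlier (invoice against purchase order and goods receipt): one theoretical transaction that must be flagged, one that must pass, and a trail that records every execution and the owner's disposition of each exception. The document structures, the 2% tolerance, the control identifier P2P-3WM-01 and the two test transactions are constructed assumptions.

```python
# Added example (not from the article): a three-way match control with a CCM-style
# audit trail, plus the 'black box' positive/negative test that proves the control
# fires on a bad transaction and stays quiet on a good one. All identifiers and
# documents are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    quantity: int
    amount_pence: int


@dataclass(frozen=True)
class GoodsReceipt:
    gr_id: str
    po_id: str
    quantity: int


@dataclass(frozen=True)
class Invoice:
    doc_id: str
    po_id: str
    quantity: int
    amount_pence: int


def three_way_match(invoice, orders, receipts, tolerance_pct=2.0):
    """Return (matched, reason). An invoice passes only if its PO exists, the
    invoiced quantity is covered by goods received, and the price is within tolerance."""
    po = orders.get(invoice.po_id)
    if po is None:
        return False, "no purchase order"
    received = sum(gr.quantity for gr in receipts if gr.po_id == invoice.po_id)
    if invoice.quantity > received:
        return False, f"invoiced {invoice.quantity}, received {received}"
    expected = po.amount_pence * invoice.quantity / po.quantity
    if abs(invoice.amount_pence - expected) > expected * tolerance_pct / 100:
        return False, "price variance beyond tolerance"
    return True, "matched"


class ControlAuditTrail:
    """Every execution of the control is recorded, not just the exceptions, so an
    auditor can see each occurrence and how the owner dealt with it."""

    def __init__(self):
        self.entries = []

    def record(self, control_id, subject, outcome, detail):
        self.entries.append({
            "control_id": control_id, "subject": subject, "outcome": outcome,
            "detail": detail, "run_at": datetime.now(timezone.utc).isoformat(),
            "resolved_by": None, "action": None,
        })
        return len(self.entries) - 1

    def resolve(self, index, owner, action):
        entry = self.entries[index]
        if entry["outcome"] != "exception":
            raise ValueError("only exceptions need a resolution")
        entry["resolved_by"], entry["action"] = owner, action

    def open_exceptions(self):
        return [e for e in self.entries
                if e["outcome"] == "exception" and e["resolved_by"] is None]


def run_three_way_match_control(invoices, orders, receipts, trail, control_id="P2P-3WM-01"):
    """Run the control over a batch; return the doc ids raised as exceptions."""
    exceptions = []
    for inv in invoices:
        ok, reason = three_way_match(inv, orders, receipts)
        trail.record(control_id, inv.doc_id, "pass" if ok else "exception", reason)
        if not ok:
            exceptions.append(inv.doc_id)
    return exceptions


def black_box_test():
    """Two theoretical transactions: one that must be flagged, one that must not."""
    orders = {"PO-1": PurchaseOrder("PO-1", quantity=10, amount_pence=100_000)}
    receipts = [GoodsReceipt("GR-1", "PO-1", quantity=10)]
    good = Invoice("INV-GOOD", "PO-1", quantity=10, amount_pence=101_000)  # 1% over, within tolerance
    bad = Invoice("INV-BAD", "PO-1", quantity=12, amount_pence=120_000)    # more than was received
    trail = ControlAuditTrail()
    flagged = run_three_way_match_control([good, bad], orders, receipts, trail)
    return {
        "negative_clean": "INV-GOOD" not in flagged,
        "positive_detected": "INV-BAD" in flagged,
        "passed": flagged == ["INV-BAD"],
        "trail_entries": len(trail.entries),
    }


if __name__ == "__main__":
    print(black_box_test())
```

The test passes only when both halves hold: a control that flags everything would fail the negative case and a control that flags nothing would fail the positive case, which is why two transactions are enough to prove the automated control rather than thirty historical samples. The trail keeps the "pass" entries as well as the exceptions, so the auditor's second question, whether each exception was resolved and by whom, is answered from the same record.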

Conclusion

A CCM solution can help to reduce compliance costs (through decreased manual controls and manual testing of those controls), strengthen the control environment and reduce the risk of unintentional errors and fraud. It can also improve business process operations. In the current regulatory environment, where management and stakeholders demand complete accuracy and integrity in financial reporting, non-compliance is not a feasible option. Continuous monitoring provides an efficient, cost-effective method of attaining this objective.

Automated continuous monitoring can provide a wealth of benefits to a control and compliance framework including: automating previously manual controls; eliminating excessive control testing; enabling organisations to make control self-assessments more accessible; sustaining compliance with one or more regulations; enabling test results to be reusable across multiple compliance frameworks; minimising the risk of business losses via unintentional errors or malicious fraudulent activities by reporting control breakdowns as they happen; and delivering a return on investment by improving business process operations. Other less obvious benefits include using the CCM system as a central repository for documenting, scheduling, executing and recording results of controls operation and testing.

Automating the internal control environment and moving towards a Continuous Control Monitoring system enables an organisation to break free of the burdens traditionally associated with control compliance. This represents a significant milestone in the risk, security and compliance landscape, offering businesses the opportunity to achieve a new level of internal control.

About the authors

Turnkey Consulting (www.turnkeyconsulting.com) is a specialist IT security company focused on combining business consulting with technical implementation to deliver information security solutions for SAP systems. The company was founded in 2004 by Richard Hunt and now has offices in the UK, Australia, Germany and the United States, servicing clients in Europe, the US and Asia. Hunt has worked in the IT security industry for more than a decade. He has been involved in more than 20 IT security projects working across a range of business processes and industry sectors in the UK, Asia and Australasia. Marc Jackson is a consultant at Turnkey Consulting. He has worked in the IT security and audit industry for the past decade. He has been involved in a number of security implementations and audit engagements working across a range of business processes and industry sectors in Europe and Asia.

...Continued from page 3

panel that supports one of the nation’s leading market research companies”. It claims to filter out personally identifiable data from the information collected by the spyware before passing on that information to its customers.

Growing malware menace for mobiles

At a recent event, Denis Maslennikov of Kaspersky Lab said that 35% of malware is now aimed at mobile devices and is distributed via the web. The company is seeing 30 new varieties or variants of mobile malware each month. And the malware is also more complex, with the capability to detect an existing Internet connection or make new connections, download additional malicious files, and perform URL redirection and phishing attacks.

“This threat will not go away, and the reason for the whole Internet-based malware appearance is that new technologies will be the future,” he said. “A mobile botnet will have the same impact as a simple PC botnet. They will be able to send SMS, MMS, Google spam and mask passwords and maybe provide telephone DDoS attacks.”

One recent exploit involved a doctored version of the game 3D Anti-Terrorist Action. A demo version was hacked to include the Terdial-A trojan, so that devices running it under Windows Mobile made secret calls to premium-rate numbers in the Antarctic, the Dominican Republic and Somalia. Sophos believes the game was modified by a Russian-speaker. Coincidentally, Sophos has also released its first iPhone app – Sophos Security Threat Monitor – which constantly updates iPhone users with information about potential threats. It’s free and available for download from the iTunes App Store.

Meanwhile, a new company, Mobile Active Defense, has launched its Enterprise Unified Threat Management system, which provides a centralised console for managing smartphones according to corporate security policies. Founder Winn Schwartau says the

Continued on back page ...