Fraud in the New Pandemic World – IT Controls
In part one of this series on fraud, I discussed how the COVID-19 pandemic forced organizations to quickly adapt to the new digital and remote world, opening the door to different types of frauds and, in some cases, making fraud a little easier. Now I’m going to discuss how you can protect your employees and your organization by implementing IT controls.
There are many security challenges associated with a remote workforce: access to applications, workarounds that bypass security, increased exposure to hacker activity, and data security, to name a few. You have to have effective IT controls, and they can’t stop at the exit to your building. They need to cover not just your office, but your employees’ homes, the park, or the airport bar. You need a virtual private network and complex passwords to extend your protection to the new definition of “office”.
You can address some of these concerns by strengthening your security technology. Establishing a virtual private network (VPN), paired with two-factor authentication, will significantly improve your security. But your security technology is only as good as the people using it. That’s why you should require all employees to complete frequent security training and enforce password rules.
The pandemic not only raised awareness of the need for advanced security but also gave organizations an opportunity to review and enhance their IT controls. With this increased need, however, has come an increased demand on, and dependency upon, your IT personnel and IT infrastructure. If the network goes down, your VPN goes down, and then the 80% of your workforce who are working remotely can’t get into the system to complete their work. So one way to keep your infrastructure sound is to ensure that your IT staff are available.
With employees working at undefined hours, you’ll need to expand your IT coverage beyond Monday through Friday. Not all organizations have the budget for a full-blown IT staff; in that situation, you’ll need to perform a cost-benefit analysis and an IT risk assessment to determine the best course of action. One option could be cross-training.
Cross-training happens naturally in most organizations. When it comes to paying vendors or collecting cash receipts, you have to have team members cross-trained in case of emergencies, or in case someone can’t perform their duties. The same applies to your IT team, which is why you should design contingency plans for IT personnel. What if your IT person or team gets sick or is unable to perform their duties? Do you have a backup plan for keeping your IT infrastructure running? One solution, which has become increasingly popular, is a password vault: a secured location for storing administrative passwords that makes them available to cross-trained IT individuals with the appropriate rights, and that records who retrieved which credential and when, so that emergency access remains reviewable.
Speaking of appropriate rights, you can never forget about segregation of duties. When we evaluate an organization’s risk structure, information technology, or internal control structure, segregation of duties is always a concern. While you need to ensure that operations continue when IT staff are out, you don’t want to create a new problem by overloading certain individuals with duties that could expose your organization to even greater risk of fraud or error.
So how do you determine who gets these rights? Through your change management controls. Change management is the process that governs changes to access rights or user accounts within your systems. Your organization should review its current procedures to ensure that appropriate monitoring controls exist and that only appropriate individuals have the right to make changes within the system.
It all starts with training. You need to train your users, especially in the IT area, to understand what an appropriate change request is. You also need to empower your IT department to challenge requests. They need to understand that they have a responsibility to be the gatekeeper on these requests and that they can deny an inappropriate one. If your IT team is trained to recognize and stop unnecessary requests, the volume of requests will drop. If the volume of requests is increasing, for whatever reason, you need to make sure that your monitoring controls not only exist on paper but are actually being performed.
When the pandemic came, organizations had to react quickly and many organizations were not aware of the risks they were exposed to through all of the changes to working conditions and new technology. The things I’ve discussed today may seem like challenges, especially to those of you who are responsible for adapting your controls or performing a lot of these duties. However, I choose to look at these as opportunities for your organization to place a higher emphasis on IT controls and to increase their effectiveness.
Watch my full presentation to learn more about controls, concerns, and responses for payroll, human resources, disbursements, and management review on the Brown Edwards YouTube channel.