Is your reporting strategy a fraud risk?
When it comes to security, it’s easy to focus on the high-profile threats – particularly cyber crime and data theft. But you should also be monitoring other aspects of your business communication strategy for signs that might indicate security problems.
In many cases, for example, inadequate management reporting strategies are unwittingly enabling internal and opportunistic fraud – and IT systems and networks could be the weak link when it comes to spotting a potential threat. Erratic, incomplete or excuse-laden reporting could all be warning signs that something is wrong. IT failures and compatibility issues between different company systems will be used to explain away gaps and delays.
An automated, integrated data network that underpins a company-wide strategy should enable up-to-date, on-demand reporting that reveals anomalies in real time rather than waiting for suppliers, contractors or customers to raise alerts that can’t be properly addressed due to broken links in the audit trail.
Make sure data audits are treated with respect and that they are completed on time. If there are delays, you should make it a priority to understand why they occurred and make sure there are no sinister reasons behind them.
Your data security policy should make sure files are protected from deletion. Always be wary if a request for information is met with the news that those particular data files have been dumped. You might even want to make unauthorised file deletion a disciplinary matter. Increased automation also makes it easy to forget that paper records should be managed just as closely as their digital equivalents.
Process laziness – the assumption that everybody in the communications chain is playing by the book – could be another weakness. Control processes, and anything that focuses on the purchase-to-invoice and customer control cycle, should be tightly managed and frequently reviewed. Look out for data inconsistencies. Factual mismatches will always happen due to human error, and rogue staff could use this to explain away discrepancies.
Don’t forget the human element. If staff are working on systems unsupervised and outside office hours, are they being monitored by your IT security manager? It’s an uncomfortable truth, but these are situations in which company data is often at risk of theft or corruption by disgruntled users. A full IT asset register and IT audit system are essential elements of any anti-fraud programme.
The solution to this complex challenge is to have a comprehensive anti-fraud strategy, enabled by the company’s ICT systems and driven from the top of the business. Of course, it must embrace high-profile cyber crime issues, but it should also alert management to the early warning signs of possible fraud and data anomalies in routine business processes.