Key Measures to Prevent Fraud on your ERP System
CIOs around the world have sleepless nights about hackers, ransomware, and the potential effect on their employment status. But how many of them recognize the fraud threat posed by the enemy within, particularly bearing in mind that statistics suggest over 50% of all IT crimes are committed by insiders?
Fraud on the ERP system is a growing danger, but it has largely been ignored at C-level. Considering that every company has around a 1-in-3 chance of experiencing internal fraud this year, and the average loss is $½m, this threat should be taken very seriously indeed.
Firstly, you need to understand what can go wrong. The biggest risk factor is allowing users to access parts of the system that they shouldn’t be able to see, thereby enabling them to commit fraud in a variety of ways.
The most common type is the dummy company fraud, where a user sets up a false supplier, processes fictitious orders and invoices, and pays for “goods” that are never received. This is surprisingly easy to perform for a user with a bit too much access. But there are many other frauds, such as inventory manipulation, supplier bank account changes, and unauthorized changes to payroll data.
Reliable access management controls can protect your business from these common frauds, as well as from other risks.
For example, users might attempt to manipulate financial reports to give an inaccurate view of the company’s performance. This is an area that external auditors are particularly concerned about, and they will expect to see evidence of controls that prevent this from happening.
There’s also the risk of damage resulting from accidental error. Users are not robots and they can easily make mistakes if they are able to update data from the wrong division, for example. Such problems can take a lot of effort to sort out and incur huge costs.
Crucial controls to help you reduce the risk of fraud
So, what can you do about it? Here are some key measures that you can easily put in place to help you prevent fraud on your ERP system:
Segregation of Duties (SoD)
Good SoD controls are essential. The dummy company fraud happens because a user can access all the stages involved in the process of setting up a supplier and processing false transactions. It is important to break down such processes, and make sure that no single individual can perform end-to-end tasks.
You need to identify the risky business processes, which is relatively easy, then work through them with the business to define the SoD rules, or policies, which is often not so easy. The final question is how to implement these rules on your ERP and to audit violations on a continuous basis. With the right tools, that can be easy too.
Regular access reviews, where business managers check and approve who has access to what, are important to help you avoid “security creep” and ensure that users’ access rights stay in line with the requirements of their jobs.
As responsibilities change, users are often granted additional access, as needed for their new roles, but the removal of redundant rights is easily overlooked. When people leave, managers should ensure that their ERP access is deactivated.
Periodic access reviews highlight such issues and help you to keep your system clean. Identifying exactly what ERP users can access can be problematic, but again, with the right tools, this should be easy.
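The SoD rules and the periodic access review described above can be expressed as a small check over the ERP's permission data. The following is example code added here to illustrate both measures; it is not from the article or any ERP product, and the role names, function names, SoD rule set and user records are all constructed for the example.

```python
"""Segregation-of-duties check and periodic access review.

Example code added to illustrate the measures described above; it is not
from any ERP product. Role names, function names, SoD rules and user data
are all constructed for the example."""
from dataclasses import dataclass

# Which ERP functions each job role legitimately needs (constructed).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"create_supplier", "enter_invoice"},
    "ap_manager": {"approve_invoice", "approve_payment"},
    "hr_admin": {"change_salary"},
    "payroll": {"run_payroll"},
}

# SoD rules: pairs of functions that one person must never hold together,
# each with the fraud it guards against (constructed rule set).
SOD_RULES = [
    ("create_supplier", "approve_payment", "dummy supplier: create and pay a vendor"),
    ("enter_invoice", "approve_invoice", "self-approved invoices"),
    ("change_salary", "run_payroll", "unauthorised payroll changes"),
]


@dataclass
class User:
    name: str
    role: str
    employed: bool          # False once HR records the leaver
    account_enabled: bool   # is the ERP login still active?
    rights: set[str]        # functions the ERP actually grants


def sod_violations(user: User) -> list[str]:
    """Return the description of every SoD rule this user's rights break."""
    return sorted(desc for a, b, desc in SOD_RULES
                  if a in user.rights and b in user.rights)


def excess_rights(user: User) -> set[str]:
    """Rights beyond the role's entitlement, e.g. left over from a previous job."""
    return user.rights - ROLE_ENTITLEMENTS.get(user.role, set())


def access_review(users: list[User]) -> dict[str, list[str]]:
    """One review pass: findings per user for a manager to approve or revoke."""
    findings: dict[str, list[str]] = {}
    for u in users:
        items = [f"SOD: {d}" for d in sod_violations(u)]
        items += [f"EXCESS: {r}" for r in sorted(excess_rights(u))]
        if not u.employed and u.account_enabled:
            items.append("LEAVER: account still enabled")
        if items:
            findings[u.name] = items
    return findings


# Constructed users: bob was promoted from clerk to manager and kept his old
# rights; carol was given payroll access "temporarily"; dave has left.
USERS = [
    User("alice", "ap_clerk", True, True, {"create_supplier", "enter_invoice"}),
    User("bob", "ap_manager", True, True,
         {"create_supplier", "approve_invoice", "approve_payment"}),
    User("carol", "hr_admin", True, True, {"change_salary", "run_payroll"}),
    User("dave", "ap_clerk", False, True, {"enter_invoice"}),
]

if __name__ == "__main__":
    for name, items in access_review(USERS).items():
        print(name)
        for item in items:
            print("  ", item)
```

Running it reports bob's dummy-supplier SoD conflict together with the `create_supplier` right he no longer needs, carol's payroll conflict, and dave's still-enabled leaver account, while alice is clean. In practice the `USERS` list would be fed from an export of the ERP's user and authorisation tables, and the findings would go to each user's line manager for sign-off.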
However stringent your controls may be, it’s wise to implement detective controls to pick up any dubious activity that falls through the cracks.
Some users, particularly in IT, need to have wide-ranging access, but this introduces risk which must be mitigated. Put audit controls in place to track the activities of privileged users and make sure they are aware that they are being monitored, which should be enough to deter them.
Audit all changes to critical data, and notify appropriate managers when such changes occur. For example, make sure that key personnel are alerted if a supplier’s bank details are changed, or if a salary is increased by more than 5%. And maintain audit trails on key transactions if you feel that is warranted, but bear in mind that this area can be very time consuming to monitor without good rules and automation.
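The detective controls just described, including the two alert conditions the article gives as examples, can be implemented as rules run over the ERP's change log. The following is example code added here, not from the article or any ERP product; the log record format, table and field names, the privileged-user list and the sample records are all constructed for the example.

```python
"""Detective controls over an ERP change log.

Example code added to illustrate the audit measures described above; the
log format, table and field names, privileged-user list and sample records
are constructed for the example and are not from any specific ERP."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    """One row of a change-audit table (constructed layout)."""
    ts: str
    user: str
    table: str
    record: str
    field: str
    old: str
    new: str


SUPPLIER_BANK_FIELDS = {"bank_account", "sort_code", "iban"}
SALARY_INCREASE_LIMIT = 0.05       # the article's example threshold: more than 5%
PRIVILEGED_USERS = {"it_admin"}    # wide-ranging access, so every change is tracked (constructed)


def check_change(c: Change) -> list[str]:
    """Return the alert codes raised by a single change record."""
    alerts = []
    if c.table == "supplier" and c.field in SUPPLIER_BANK_FIELDS:
        alerts.append("SUPPLIER_BANK_CHANGE")
    if c.table == "employee" and c.field == "salary":
        try:
            old, new = float(c.old), float(c.new)
        except ValueError:
            alerts.append("SALARY_UNPARSEABLE")   # never silently skip a bad record
        else:
            # A salary set from zero is flagged as well as a rise over the limit.
            if old <= 0 or (new - old) / old > SALARY_INCREASE_LIMIT:
                alerts.append("SALARY_INCREASE_OVER_LIMIT")
    if c.user in PRIVILEGED_USERS:
        alerts.append("PRIVILEGED_USER_CHANGE")
    return alerts


def run_detection(log: list[Change]) -> list[tuple[str, str, str, str]]:
    """(alert, timestamp, user, table/record) for every alert, in log order."""
    out = []
    for c in log:
        for a in check_change(c):
            out.append((a, c.ts, c.user, f"{c.table}/{c.record}"))
    return out


# Constructed sample log: one bank-detail change, a 3.75% rise, a 15% rise,
# an address change by a privileged user, and a harmless phone-number edit.
CHANGE_LOG = [
    Change("2024-03-01T09:12:00", "jsmith", "supplier", "S-1042", "bank_account", "11122233", "99887766"),
    Change("2024-03-01T09:30:00", "hr_clerk", "employee", "E-0077", "salary", "40000", "41500"),
    Change("2024-03-01T10:05:00", "hr_clerk", "employee", "E-0078", "salary", "40000", "46000"),
    Change("2024-03-01T11:00:00", "it_admin", "employee", "E-0079", "address", "1 High St", "2 Low Rd"),
    Change("2024-03-01T11:20:00", "jsmith", "supplier", "S-1042", "phone", "0123", "0456"),
]

if __name__ == "__main__":
    for alert, ts, user, rec in run_detection(CHANGE_LOG):
        print(f"{ts} {alert:28} {user:10} {rec}")
```

Three alerts come out of the sample log: the supplier bank-account change, the 15% salary rise, and the privileged user's edit; the 3.75% rise and the phone-number change pass quietly. Each alert tuple carries the user and record so it can be routed to the responsible manager, which is the part of the control that keeps monitoring from becoming the time sink the article warns about.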
It’s easier than you think to protect your company (and your job!)
So why don’t all companies take proactive steps to prevent fraud?
With so many pressing business projects competing for attention and resources, many C-level executives underestimate the very real nature of the insider threat, and don’t buy into the need to implement preventive measures. It often takes a scare, such as an actual fraud incident or the threat of a qualified audit, to make a CFO commit to spend in this area.
But historically the main reason has been the cost of implementing fraud controls; manual systems are time-consuming and notoriously unreliable, and automated systems were complex and expensive.
Nowadays there are solutions that can be up and running within weeks and it can cost as little as $1 per month per user to mitigate a potential loss of $½m or more.