ISACA Kampala Chapter Annual Security Workshop
Godffrey Mwika, CPA(K), CIA, CISA, CISM
Risk Consulting Division
KPMG East Africa

SECURITY DECISIONS: THE CHALLENGES FOR TODAY AND TOMORROW

Godffrey Mwika, Risk Consulting, KPMG East Africa, 04/18/23
Information Insecurity

Real life cases of how businesses are losing cash without trace
Information insecurity

Failure to protect information assets from the following risks:
– Unauthorized access
– Unauthorized use
– Disclosure to unauthorized parties
– Disruption of the information
Information insecurity

Failure to protect information assets from the following risks:
– Modification
– Viewing, perusal, inspection
– Writing, recording or editing
– Deletion or other forms of destruction
Information insecurity

Generally it is the failure to ensure that the 3 key components of information security are established and operational, i.e. CIA:
– Confidentiality (C)
– Integrity (I)
– Availability (A)
The order of importance is debatable.
Why information insecurity

Reasons why information will be insecure:
– Software weaknesses – when applications are made insecure at development
– When an organisation has not classified its information – restricted, confidential, protected, public, unclassified etc.
Why information insecurity

Reasons why information will be insecure:
– Lack of capacity – inadequate IT resources to assess and mitigate against security risks
– Poor or non-existent Risk Management Framework for information security risks, hence no mitigating factors
Why information insecurity

Reasons why information will be insecure:
– Governance issues – tone at the top on IS risks is wrong or missing
– Wrong attitude – ‘Snakes are not dangerous till they bite me’
– Underestimating the people risk factor
Why information insecurity

Reasons why information will be insecure:
– Poorly defined business processes – this includes issues like lack of separation of duties and conflicting roles (labour cost)
– Fraudulent intentions – where fraudulent managers and staff prefer insecure systems
Why information insecurity

Reasons why information will be insecure:
– Resistance to change – security comes with responsibility, roles definition, process designing/redesigning, and people may resist
– Ignorance and general lack of knowledge
Information Insecurity – Losses

When business information is insecure and the weaknesses are exploited, the result is either:
– Direct cash losses – direct benefits to the people exploiting the security gaps
– Indirect cash losses to an organisation as a result of the security gaps
Suppliers Master Data Insecurity

• Creation of non-prequalified suppliers and deletion after fraud payments have been made
• Amending supplier details for fraudulent payments
• Violation of separation of duties in systems
• Create, use and delete scheme

A company pays for poor quality work or no work at all.
POP and Goods Receipts Insecurity

• System holds on order matching are overridden to allow wrong or inadequate receipts to be delivered
• Exaggerated usage reports to reconcile ghost deliveries
• Un-reconciled production reports
• Accounting for cost of production based on actual usage only (end to end) and without stepwise business process WIP management
POP and Goods Receipts Insecurity

• Contract/order breakdown into small bits to skip certain levels of management approval
• Creation of orders for unwanted items in the mix of wanted ones
• Buying with a view to write off
• Generating GRN/SRN for non-existent technical and complicated services – when there is no control of services in the system – using heavy terminology to confuse accounts
Payments Insecurity

• Procure to payment manned by a single person (intentional or unknown) – cutting on labour costs and loss of cash
• IT unlimited and uncontrolled access to the business process modules
• No relationship between POP, suppliers master and payment system
• Manual payments to capture in the system later
Payments Insecurity

• Down payments that are never recovered on final payment
• Access controls over the payment master
• Duplicate supplier payments undetected by the system
• Deliberate disputes created by suppliers to recover un-reconciled amounts in a company
• Approving many small immaterial payments and preparing a final single payment
Customers Master Insecurity

• Creating customers, trading on credit and deleting from database
• Varying credit limits, trading and reversing
• Posting ‘erroneously’, trading and reversing the posting
• Endless unexplained postings into a customer's account
• Inter-account transfers that are ‘due to error’
Customers Master Insecurity

• Deleting invoices from a customer's account and describing it as an error
• Unapproved credit notes posted in customers' accounts without support
• Confused customers' accounts that take too long to reconcile while goods are shipped
• Customers switching between cash and credit terms temporarily
Sales Order Processing Insecurity

• Unprotected price master
• Big customer orders placed on the eve of a price increase to frustrate price increases and favour an individual
• Moving customers to price regimes they don’t deserve
• Hedging orders floated in the system to await a favourable price
• Fraudulent and unnecessary promotions
Inventories Insecurity

• Product master changes to accept wrong goods which are later written off as obsolete goods
• Changes of product usage to cover stock losses
• Deletion of missing/misappropriated inventories from the database
• Malicious issues and receipts
• Weighbridge fraud – ‘cheating the system’
Government Systems Insecurity

• Unrecorded receipts
• Parallel systems to beat IT based systems
• Ghost payments
• Deliberate system crashes
• Bureaucracy
• Resistance to ICT
• Most old government staff ignore IT
• Young government staff take advantage
Overtime and Payroll Insecurity

• Recording un-worked hours
• Varying the value of hours worked
• Paying twice for the same hours, even more than 24 hours a day
• Running parallel payroll systems for bank and for accounting and then creating reconciling differences that are never resolved
• Editing salaries and wages after computation but before transmission to increase net pay
Taming Insecurity

• Align ICT to business needs – A MUST DO
• Define your data and classify it correctly; various information has different levels of insecurity
• Define all process level risks and implement controls for them
• Use CAATs for continuous auditing procedures
• Establish a Risk Management System that includes all business process owners
Taming Insecurity

• Have a clear ICT security policy
• Define security roles and separate duties between ICT and Business and between business process owners
• Develop and implement monitoring reports that can be reviewed by managers continuously
• Conduct proper investigations and punish violations mercilessly as a deterrent
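The two "Taming Insecurity" slides recommend CAATs for continuous auditing, monitoring reports for managers, and separation of duties. The script below is an added example, not part of the presentation or of KPMG's tooling, showing what such a CAAT check looks like in practice for four of the schemes described on the earlier slides: duplicate supplier payments, a payment approved by the same user who created the supplier (a separation-of-duties breach), the create-use-delete supplier scheme, and an order split into sub-threshold pieces to skip an approval level. All transactions, user names, the 5,000 approval threshold and the 3-day split window are constructed for the illustration; a real run would read the same fields from the ERP's supplier master, payment and purchase order tables.

```python
"""Added example: CAAT-style continuous-auditing checks over constructed data.

Not from the presentation. Every record, user, threshold and field name below
is constructed; the point is the shape of the query, not the data.
"""
from collections import defaultdict
from datetime import date

# Constructed supplier master audit trail: (supplier_id, action, user, date)
SUPPLIER_LOG = [
    ("S100", "create", "alice", date(2023, 3, 1)),
    ("S200", "create", "bob",   date(2023, 3, 2)),
    ("S200", "delete", "bob",   date(2023, 3, 9)),   # deleted a week after creation
]

# Constructed payments: (payment_id, supplier_id, amount, invoice_ref, approver, date)
PAYMENTS = [
    ("P1", "S100", 4200.00, "INV-17", "carol", date(2023, 3, 5)),
    ("P2", "S100", 4200.00, "INV-17", "carol", date(2023, 3, 6)),   # same invoice paid twice
    ("P3", "S200", 9800.00, "INV-42", "bob",   date(2023, 3, 5)),   # bob also created S200
    ("P4", "S300", 1500.00, "INV-51", "dave",  date(2023, 3, 7)),
]

# Constructed purchase orders: (po_id, supplier_id, amount, requester, date)
PURCHASE_ORDERS = [
    ("PO1", "S300", 4900.00, "erin",  date(2023, 3, 10)),
    ("PO2", "S300", 4900.00, "erin",  date(2023, 3, 10)),
    ("PO3", "S300", 4900.00, "erin",  date(2023, 3, 11)),
    ("PO4", "S100", 2000.00, "frank", date(2023, 3, 11)),
]

APPROVAL_THRESHOLD = 5000.00   # constructed: orders at/above this need senior approval
SPLIT_WINDOW_DAYS = 3          # constructed: how close together split orders must be


def duplicate_payments(payments):
    """Same supplier, amount and invoice reference paid more than once."""
    seen = defaultdict(list)
    for pid, sup, amt, inv, _, _ in payments:
        seen[(sup, round(amt, 2), inv)].append(pid)
    return sorted(ids for ids in seen.values() if len(ids) > 1)


def sod_violations(supplier_log, payments):
    """Payments approved by the user who created the supplier record."""
    creators = {sup: user for sup, action, user, _ in supplier_log if action == "create"}
    return sorted(pid for pid, sup, _, _, approver, _ in payments
                  if creators.get(sup) == approver)


def create_use_delete(supplier_log, payments):
    """Suppliers that were created, paid, and then deleted from the master."""
    created = {s for s, a, _, _ in supplier_log if a == "create"}
    deleted = {s for s, a, _, _ in supplier_log if a == "delete"}
    paid = {sup for _, sup, _, _, _, _ in payments}
    return sorted(created & deleted & paid)


def split_orders(orders, threshold, window_days):
    """Several sub-threshold orders to one supplier by one requester, placed
    within a short window, whose combined value crosses the approval threshold."""
    groups = defaultdict(list)
    for po, sup, amt, req, d in orders:
        if amt < threshold:                      # only orders that dodged the check
            groups[(sup, req)].append((d, po, amt))
    flagged = []
    for (sup, req), items in groups.items():
        items.sort()                             # chronological
        for i in range(len(items)):
            window = [it for it in items[i:] if (it[0] - items[i][0]).days <= window_days]
            if len(window) > 1 and sum(it[2] for it in window) >= threshold:
                flagged.append((sup, req, sorted(po for _, po, _ in window)))
                break                            # one finding per supplier/requester pair
    return sorted(flagged)


def run_all():
    """Collect every finding into one report a manager could review."""
    return {
        "duplicate_payments": duplicate_payments(PAYMENTS),
        "sod_violations": sod_violations(SUPPLIER_LOG, PAYMENTS),
        "create_use_delete": create_use_delete(SUPPLIER_LOG, PAYMENTS),
        "split_orders": split_orders(PURCHASE_ORDERS, APPROVAL_THRESHOLD, SPLIT_WINDOW_DAYS),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

Each check keys on fields that an ERP already records (supplier audit trail, approver, invoice reference, requester), so the same logic can be scheduled against daily extracts and the output routed to the monitoring reports the slides call for. The split-order check is the one most worth tuning: the threshold and window are business parameters, and a legitimate repeat order will trip it, so its findings are a review queue rather than proof of fraud.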