Top 5 Ways Your Procurement System Is Vulnerable to the Inside Threat © Greenlight Technologies. All Rights Reserved.


Introduction

Did you hear about the insider threat at Microsoft? A former director of sports marketing and alliances at Microsoft was indicted for creating fake vendor invoices totaling $1.4 million and then changing the vendor’s bank account information so payments routed to his own personal account. This is no surprise, as research shows that 60% of breaches are carried out by insiders and employee data continues to be a key target. So what are you doing to prevent the inside threat to your procurement system? Let’s take a look at the top 5 vulnerabilities you need to address and how to fix them now.


Internal Control Failures on the Rise

Source: SOX & Internal Controls Professionals Group, Moss Adams LLP, and Workiva

Per the State of the SOX/Internal Controls Market Survey, there was a 9% increase in the number of respondents who reported internal control failures compared to the previous year. The most cited cause was “Control not properly performed, enforced, or monitored” (increased by 6%).


Example #1: Fraudulent Checks

A former office manager at a Life Science Technology firm pleaded guilty today in U.S. District Court in Boston to embezzling over $1.3 million from her employer over a 10-year period.

Risk Vulnerability
• Fictitious vendor payments to real vendors used to cover up fraudulent checks

How Did it Happen?
• Responsible for handling the firm’s accounts payable
• Used her position to steal company checks, which she made payable to herself
• Removed copies of the negotiated checks when sent back by the bank, and then falsified entries to make it appear as if the checks had been used to pay legitimate vendors

https://www.justice.gov/usao-ma/pr/fitchburg-woman-pleads-guilty-embezzling-over-13-million-dollars-employer


Example #2: Fictitious Vendors

An Accounting Manager playing a lead role in transitioning ING onto a new ERP system embezzled nearly $8.5 million from his former employer over a period of 4 years and 3 months.

Risk Vulnerability
• Create a fictitious vendor & approve purchases to this vendor

How Did it Happen?
• Knew everyone else’s system passwords in the accounting department and often logged on as someone else
• Logged in as someone else, requested a check, and then logged in as themselves to approve their own request
• Started small, requesting checks to pay off credit cards that had a name similar to an approved vendor
• Then created a fake vendor, Ace Business Consulting, and began paying that vendor

https://www.journalofaccountancy.com/issues/2014/aug/fraud-20149862.html


Example #3: Inappropriate Funds Transfer

A former bottling company Controller embezzled $8.7 million from G&J Pepsi-Cola bottlers over an 11-year period.

Risk Vulnerability
• Enter a fraudulent vendor bank account, pay the vendor and then redirect payments to a personal bank account

How Did it Happen?
• Created a fake bank account for a vendor
• Transferred money into the unauthorized vendor account
• Transferred money from the fake vendor bank account to personal bank and brokerage accounts

https://www.reuters.com/article/us-ohio-crime-hiker/man-who-hid-on-appalachian-trail-sentenced-for-fraud-in-ohio-idUSKCN0Z816Q


Example #4: Fictitious Purchase Orders

The Treasurer and Head of Compliance for South Korea embezzled $31.31 million from Switzerland’s engineering group ABB across 73 transactions.

Risk Vulnerability
• Maintain purchase orders, post a fictitious goods receipt and work with third parties to cover up payments

How Did it Happen?
• Generate false purchase orders
• Post fictitious goods receipt
• Forge documentation and collude with third parties to cover up

https://www.reuters.com/article/us-abb-fraud-idUSKBN16114L


Example #5: Forged Orders

French technology consultancy Altran uncovered $10 million in false purchase orders at its recently acquired ($2B) US competitor Aricent; shares fell 30% to their lowest point in 3 years.

Risk Vulnerability
• Forged orders that had inflated reported revenue and profit

How Did it Happen?
• Fake purchase orders were issued to one U.S. client

https://www.reuters.com/article/us-altran-aricent-forgery/altran-shares-plunge-on-discovery-of-forged-orders-at-aricent-idUSKBN1K30LI
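A minimal segregation-of-duties check over an activity log, added here as an illustration (not Greenlight's code and not part of the original deck): it flags any user who performed both halves of the conflicting duty pairs listed under "Risk Vulnerability" in Examples #2 to #4. The action names, users and log records are constructed for the example.

```python
from collections import defaultdict

# Conflicting duty pairs from the "Risk Vulnerability" bullets of Examples #2-#4.
# Action names are hypothetical labels, not fields of any real ERP system.
SOD_CONFLICTS = {
    ("create_vendor", "approve_purchase"): "Example #2: fictitious vendor",
    ("change_vendor_bank", "pay_vendor"): "Example #3: funds redirected",
    ("maintain_po", "post_goods_receipt"): "Example #4: fictitious purchase order",
}

# Constructed activity log: (user, action, object the action touched).
SAMPLE_LOG = [
    ("alice", "create_vendor", "V100"),
    ("bob", "approve_purchase", "V100"),      # clean: two different people
    ("carol", "create_vendor", "V200"),
    ("carol", "approve_purchase", "V200"),    # both duties on the same vendor
    ("dave", "change_vendor_bank", "V300"),
    ("dave", "pay_vendor", "V300"),           # both duties on the same vendor
    ("erin", "maintain_po", "PO-7"),
    ("frank", "post_goods_receipt", "PO-7"),  # clean
    ("erin", "maintain_po", "PO-8"),
    ("erin", "post_goods_receipt", "PO-9"),   # same user, different POs
]

def find_sod_violations(log, conflicts=SOD_CONFLICTS):
    """Return (user, object, severity, reason) for every conflict a user triggers."""
    touched = defaultdict(set)  # (user, action) -> objects acted on
    for user, action, obj in log:
        touched[(user, action)].add(obj)
    users = sorted({user for user, _, _ in log})
    findings = []
    for (first, second), reason in conflicts.items():
        for user in users:
            a = touched.get((user, first), set())
            b = touched.get((user, second), set())
            if not a or not b:
                continue  # user performed at most one half of the pair
            shared = sorted(a & b)
            if shared:  # both halves on the same vendor or PO: review first
                findings += [(user, obj, "executed", reason) for obj in shared]
            else:       # user can do both halves: an access risk to remediate
                findings.append((user, None, "holds both duties", reason))
    return findings

if __name__ == "__main__":
    for finding in find_sod_violations(SAMPLE_LOG):
        print(finding)
```

The check trusts the user field in each record. With the shared passwords described in Example #2, requester and approver would appear as different people, so it is only meaningful where credentials are individual.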


Manage Privileged Access Risk with ResQ

Enable, automate, monitor & audit privileged user access

ERP Business Systems

Legacy & Custom

Cloud & SaaS

IT Systems, Servers & DB

Streamline the access request & approval process

Automate super-user credentialing & time-based revocations

Simplify audit preparation & reporting for exceptional access

Notify, alert, monitor & report on super-user usage & activity

Ensure all activity is monitored, reviewed & signed-off

Add Firefighting to SuccessFactors, Ariba, Workday, Salesforce and other cloud-based or on-premise applications


Ensure Access is Consistent, Compliant & Secure with ResQ

Gain end-to-end access lifecycle management for super users including access request, approval, credentialing, and activity auditing for chosen business applications.


Customer Case Study

Company: Sharp Electronics Corporation

Headquarters (US): Montvale, New Jersey

Industry: Information Technology & Services

Products & Services: Home electronics, appliances, mobile devices, and business solutions

Number of Employees: 15,000+

Website: www.sharpusa.com

Objectives
• Leverage technology to streamline access governance across enterprise applications
• Use automation to standardize GRC processes for all financially relevant business applications
• Contextualize the segregation of duty risk in terms of financial exposure to the business

Solution
• Extend GRC and centralize access governance solution
• Automate SOD controls
• Provide insight into financial exposure of SOD violations

Benefits
• Reduction in manual efforts
• Reduction in external audit costs
• Reallocation of resources in the IT security team

80% Reduction in IT personnel time required to manage access governance and SOD controls

300 hours Reduction in time spent per month on SOD control monitoring

33% Increase in the number of systems managed by GRC

“The synergy frees companies to focus on core business functions. Leveraging innovative solutions like Greenlight allows Sharp to do more and maximize resources.”

- Wyatt MacManus, Associate Director, Information Security, Sharp


Business Value

CIO
• Empower Business & IT users
• Delegation of admin activities
• Enable efficient auditing
• Assurance

LOB
• Fast assignment of emergency access
• Data privacy & theft protection

AUDIT
• Proactive tracking of user activities
• Consistent & compliant approach
• Extends controls reach

CFO
• Improved visibility
• Minimize insider risk
• Reduce cost of compliance


Company Overview

Company: Greenlight Technologies https://greenlightcorp.com/

Partnerships

SAP Solution Extension

Oracle Platinum Partner

CA Identity & Access Governance

Cisco Security

Awards & Recognition

Best Big Data Solution for SAP HANA

Highest Possible Rating in Gartner Marketscope


View on-demand demos of ResQ and learn more at greenlightcorp.com/demos
