Top 5 Ways Your Procurement System Is Vulnerable to the Inside Threat
© Greenlight Technologies. All Rights Reserved.
Introduction
Did you hear about the insider threat at Microsoft? A former director of sports marketing and alliances at Microsoft was indicted for creating fake vendor invoices totaling $1.4 million and then changing the vendor’s bank account information so payments routed to his own personal account. This is no surprise as research shows that 60% of breaches are carried out by insiders and employee data continues to be a key target. So what are you doing to prevent the inside threat to your procurement system? Let’s take a look at the top 5 vulnerabilities you need to address and how to fix them now.
Internal Control Failures on the Rise
Source: SOX & Internal Controls Professionals Group, Moss Adams LLP, and Workiva
Per the State of the SOX/Internal Controls Market Survey, there was a 9% increase in the number of respondents that reported internal control failures compared to the previous year. The most cited cause was “Control not properly performed, enforced, or monitored” (increased by 6%).
Example #1: Fraudulent Checks
A former office manager at a Life Science Technology firm pleaded guilty today in U.S. District Court in Boston to embezzling over $1.3 million from her employer over a 10-year period.
Risk Vulnerability
• Fictitious vendor payments to real vendors used to cover up fraudulent checks
How Did it Happen?
• Responsible for handling the firm’s accounts payable
• Used her position to steal company checks, which she made payable to herself
• Removed copies of the negotiated checks when sent back by the bank, and then falsified entries to make it appear as if the checks had been used to pay legitimate vendors
https://www.justice.gov/usao-ma/pr/fitchburg-woman-pleads-guilty-embezzling-over-13-million-dollars-employer
Example #2: Fictitious Vendors
An Accounting Manager playing a lead role in transitioning ING onto a new ERP system embezzled nearly $8.5 million from his former employer over a 4 year and 3 month period.
Risk Vulnerability
• Create a fictitious vendor & approve purchases to this vendor
How Did it Happen?
• Knew everyone else’s system passwords in the accounting department and often logged on as someone else
• Logged in as someone else, requested a check, and then logged in as himself to approve his own request
• Started small, requesting checks to pay off credit cards that had a name similar to that of an approved vendor
• Then created a fake vendor, Ace Business Consulting, and began paying that vendor
https://www.journalofaccountancy.com/issues/2014/aug/fraud-20149862.html
Example #3: Inappropriate Funds Transfer
A former bottling company Controller embezzled $8.7 million from G&J Pepsi-Cola bottlers over an 11-year period.
Risk Vulnerability
• Enter a fraudulent vendor bank account, pay the vendor and then redirect payments to a personal bank account
How Did it Happen?
• Created a fake bank account for a vendor
• Transferred money into the unauthorized vendor account
• Transferred money from the fake vendor bank account to personal bank and brokerage accounts
https://www.reuters.com/article/us-ohio-crime-hiker/man-who-hid-on-appalachian-trail-sentenced-for-fraud-in-ohio-idUSKCN0Z816Q
Example #4: Fictitious Purchase Orders
The Treasurer and Head of Compliance for South Korea embezzled $31.31 million from Switzerland’s engineering group ABB across 73 transactions.
Risk Vulnerability
• Maintain purchase orders, post a fictitious goods receipt and work with third parties to cover up payments
How Did it Happen?
• Generate false purchase orders
• Post fictitious goods receipt
• Forge documentation and collude with third parties to cover up
https://www.reuters.com/article/us-abb-fraud-idUSKBN16114L
Example #5: Forged Orders
French technology consultancy Altran uncovered $10 million in false purchase orders at its recently acquired ($2B) US competitor Aricent; shares fell 30% to their lowest point in 3 years.
Risk Vulnerability
• Forged orders that had inflated reported revenue and profit
How Did it Happen?
• Fake purchase orders were issued to one U.S. client
https://www.reuters.com/article/us-altran-aricent-forgery/altran-shares-plunge-on-discovery-of-forged-orders-at-aricent-idUSKBN1K30LI
ERP Business Systems
Legacy & Custom
Cloud & SaaS
IT Systems, Servers & DB
Manage Privileged Access Risk with ResQ
Enable, automate, monitor & audit privileged user access
Streamline the access request & approval process
Automate super-user credentialing & time based revocations
Simplify audit preparation & reporting for exceptional access
Notify, alert, monitor & report on super-user usage & activity
Ensure all activity is monitored, reviewed & signed-off
Add Firefighting to SuccessFactors, Ariba, Workday, Salesforce and other cloud based or on-premise applications
Ensure Access is Consistent, Compliant & Secure with ResQ
Gain end-to-end access lifecycle management for super users including access request, approval, credentialing, and activity auditing for chosen business applications.
Customer Case Study
Company: Sharp Electronics Corporation
Headquarters (US): Montvale, New Jersey
Industry: Information Technology & Services
Products & Services: Home electronics, appliances, mobile devices, and business solutions
Number of Employees: 15,000+
Website: www.sharpusa.com
Objectives
• Leverage technology to streamline access governance across enterprise applications
• Use automation to standardize GRC processes for all financially relevant business applications
• Contextualize the segregation of duty risk in terms of financial exposure to the business
Solution
• Extend GRC and centralize access governance solution
• Automate SOD controls
• Provide insight into financial exposure of SOD violations
Benefits
• Reduction in manual efforts
• Reduction in external audit costs
• Reallocation of resources in the IT security team
80% Reduction in IT personnel time required to manage access governance and SOD controls
300 hours Reduction in time spent per month on SOD control monitoring
33% Increase in the number of systems managed by GRC
“The synergy frees companies to focus on core business functions. Leveraging innovative solutions like Greenlight allows Sharp to do more and maximize resources.”
- Wyatt MacManus, Associate Director, Information Security, Sharp
Business Value
CIO
• Empower Business & IT users
• Delegation of admin activities
• Enable efficient auditing
• Assurance
LOB
• Fast assignment of emergency access
• Data privacy & theft protection
AUDIT
• Proactive tracking of user activities
• Consistent & compliant approach
• Extends controls reach
CFO
• Improved visibility
• Minimize insider risk
• Reduce cost of compliance
Company Overview
Company: Greenlight Technologies https://greenlightcorp.com/
Partnerships
• SAP Solution Extension
• Oracle Platinum Partner
• CA Identity & Access Governance
• Cisco Security
Awards & Recognition
• Best Big Data Solution for SAP HANA
• Highest Possible Rating in Gartner Marketscope
View on-demand demos of ResQ and learn more at greenlightcorp.com/demos