Fraud Prevention – Application Security is a Great Place to Start


Fraud prevention policies and procedures can seem overwhelming to organizations that have grown and developed without giving those areas much forethought. So, where do they start? Unfortunately, there is no exact answer on where an organization should start a risk assessment to determine its potential fraud risks. A great place to start is the accounting application, because it is the heart of most organizations and often holds more data than just accounting. By analyzing its accounting application, an organization will quickly realize which accounting areas need more investigation and controls.

Let's first talk about a few of the potential liabilities an insecure accounting package creates for an organization.

- No matter what segregation of duties policy you have in place, an insecure accounting package nullifies that control.

- An insecure accounting package allows for potential identity theft of employees, customers and vendors.

- Depending on what makes the accounting package insecure (users sharing passwords, for example), logging may not be reliable, which makes fraud investigations tougher.

- Ghost employees can be added to payroll.

- Fraudulent checks can be written.

- Inventory can be disposed of and stolen by employees.

- Confidential financial data can be given to competitors.

The liabilities caused by an insecure accounting program can be solved by writing proper policies and procedures and applying them to the accounting application. I have seen organization after organization with well-written application security policies that do not match the actual security policies in their accounting program. Most of the time it is what I call security creep. Generally, some type of unplanned, hurried event causes this:

- A vendor is at the back door and a check needs to be written, so security is adjusted because the employees with authorization are out to lunch.

- An employee is on vacation and the boss needs something done (a report, a journal entry, etc.), so security adjustments are made.

- Data migration from the old system means more users are needed for input, and security is never adjusted after the project.

It can also be caused by an employee changing positions and the employee's security not being correctly set for the new position. For example, if a user has check writing privileges and then moves to the Accounts Receivable department, their rights to write checks in the accounting application need to be removed. Security creep will happen, and that is why you need to look at this area annually.
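One way to run the annual check described above, as an added example that is not part of the original article: compare an export of each user's actual permissions against the written policy, and flag both excess rights and segregation-of-duties conflicts. The role names, permission names, conflict pairs and sample export are all constructed assumptions; a real review would use the accounting package's own security report.

```python
# Added example: entitlement review for an accounting application.
# All roles, permissions, users and conflict pairs below are constructed.

# Written policy: the permissions each job role is supposed to hold.
POLICY = {
    "accounts_payable": {"enter_invoice", "write_check"},
    "accounts_receivable": {"post_receipt", "create_customer"},
    "payroll": {"run_payroll"},
    "controller": {"approve_payment", "post_journal_entry", "run_report"},
}

# Pairs that defeat segregation of duties when one user holds both (assumed).
SOD_CONFLICTS = [
    ("write_check", "approve_payment"),
    ("add_employee", "run_payroll"),
]

# Constructed export of what the application actually grants today.
ACTUAL = [
    {"user": "asmith", "role": "accounts_receivable",  # moved from AP, never cleaned up
     "permissions": {"post_receipt", "create_customer", "write_check"}},
    {"user": "bjones", "role": "accounts_payable",
     "permissions": {"enter_invoice", "write_check"}},
    {"user": "cdoe", "role": "payroll",  # extra right granted during a data migration
     "permissions": {"run_payroll", "add_employee"}},
    {"user": "boss", "role": "controller",  # "temporary" right added while staff were out
     "permissions": {"approve_payment", "post_journal_entry", "run_report", "write_check"}},
]

def review(policy, actual, conflicts):
    """Return (user, finding_type, detail) tuples for every deviation from policy."""
    findings = []
    for rec in actual:
        if rec["role"] not in policy:
            findings.append((rec["user"], "unknown_role", rec["role"]))
        allowed = policy.get(rec["role"], set())
        # Anything granted beyond the written policy is security creep.
        for perm in sorted(rec["permissions"] - allowed):
            findings.append((rec["user"], "excess_permission", perm))
        # Conflicting pairs are checked against what the user really holds.
        for a, b in conflicts:
            if a in rec["permissions"] and b in rec["permissions"]:
                findings.append((rec["user"], "sod_conflict", f"{a}+{b}"))
    return findings

if __name__ == "__main__":
    for user, kind, detail in review(POLICY, ACTUAL, SOD_CONFLICTS):
        print(f"{user:8} {kind:18} {detail}")
```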

Most accounting applications today provide adequate user security, but it is rarely used to its potential for the sake of efficiency. What level of efficiency is your organization willing to gamble? A check writing fraud scheme could cost your organization six figures or more. Is the ability to quickly write a check worth that much?

If your organization would like to continue a discussion on this topic, or other fraud-related topics, please email me at [email protected].

