Fraud Basics

Poorly governed financial systems and fraud: It all starts with access

A facilities manager who created shell companies and submitted fake invoices for them stole nearly $1.2 million from his employer in a scheme that spanned about seven years. Quest Diagnostics employed David Alan Smith in its Tampa, Florida-based laboratory, and one might wonder who at Quest was rubber-stamping his fake invoices for fake companies for all those years? The answer would be Smith himself, as he was the one in charge of approving vendor invoices and sending them to the corporate office for payment. After being caught, Smith pleaded guilty to numerous fraud charges and was sentenced to five years in prison. (See “Ex-manager to plead guilty in theft of $1.2M,” Tampa Bay Times, Archive, updated Feb. 26, 2008, and “Fraudulent lab manager handed five-year prison stint,” by Joseph Harvey, Citeline, June 6, 2008.)

In another fraud case, a man working in IKEA’s phone and mail-order business made a tidy profit by giving himself refunds on purchases made by customers. By the time he was caught, Suraj S. Samaroo had stolen nearly $400,000 in less than a year from IKEA Direct’s Rosedale, Maryland, location.

According to a news article, it wasn’t IKEA that discovered his fraud — Samaroo was caught after his bank noticed unusual deposits to his account and informed police of the suspicious activity. After making a full confession and admitting “pure greed,” Samaroo pleaded guilty and was convicted of a felony theft scheme. (See “IKEA worker pleads guilty to stealing $400K,” Maryland Daily Record, Nov. 20, 2008.)

When access is a vulnerability

As a CFE, I’ve seen the evolution of access/identity control — from testing my client’s password security, reviewing their protection policies and procedures, and performing segregation-of-duties studies, to the current proliferation of both on-premises and cloud-based identity auditing programs.

And yet, we’re still experiencing an explosion of both internal and external fraud in organizations that appear to share a common thread: They lack controls over access, or they don’t properly use IT resources that are supposed to be in place to govern these identities and practices. This is especially true when it comes to the intentional misrepresentation of financial statements or the misappropriation of an organization’s assets.

As in the introductory cases, financial statement fraud and embezzlement are white-collar crimes usually perpetrated by insiders to misrepresent an organization’s financial position or cover up misappropriations of funds. Fraudsters may be motivated by personal gain, such as performance-based compensation. They might seek to enhance the company’s reputation by misleading potential investors. Or they may simply be using the fraud as a delaying tactic until financial mistakes and losses can be properly corrected.

Financial statement fraud and embezzlement are crimes of opportunity. Companies with lax internal controls, manual accounting systems or dishonest and overly aggressive leaders are more likely to fall prey. The key to combating financial statement fraud is to prevent it from ever happening. On-premises and cloud-based identity auditing programs help reduce fraud by controlling the privileges of insiders, such as clients, staff and consultants, and by keeping outsiders out of your systems through eliminating or managing all of the key identity exploits described below.

Key identity exploits

First, let’s look at an outline of the insider identity exploits that will play a key role in many CFEs’ investigations of financial reporting fraud. They demonstrate why user-access reviews are so important in stopping the progress of a fraudster’s attack before they can move around an organization’s network.

  • Ghost accounts: The accounts of users who are no longer with the enterprise but still have active accounts in it. Hackers, internal and external, love these accounts because they tend to escape the review process, and the attacker can manipulate these ignored accounts at will.
  • Privilege creep: This often occurs when an employee changes job responsibilities within an organization and is granted new privileges. While employees may need to retain their former privileges during a period of transition, those privileges are rarely revoked and result in an unnecessary accumulation of access privileges.
  • Unauthorized access: A user account or service has logical or physical access to resources that are inappropriate. This violates the principle of least privilege — a security best practice (as defined by the National Institute of Standards and Technology) that says a user shouldn’t have access to data and resources beyond what’s necessary to perform the task assigned to them. Such accounts must be identified and removed. The best practice for identifying unauthorized access is an access review of rights combined with a review of logs and other controls.
  • Privilege escalation: A user is escalated to rights that are reserved for a higher level of access, such as admin privileges, but that are inappropriate for the user. Privilege escalation is both an internal and external threat. External hackers will often create or commandeer an existing internal account and then escalate its privileges for nefarious purposes.
  • Lateral movement: A tactic used to move laterally within a network to gain access to additional resources and potentially sensitive data. It’s usually enacted after the attacker takes over an internal account and escalates the privileges of the account. Understanding lateral movement is a key part of what’s called the cyber kill chain, the process that traces the various stages of a cyberattack to help combat these kinds of threats. Lockheed Martin developed the cyber kill chain in 2011 to help identify the common steps a hacker takes to investigate, penetrate and exfiltrate data from a cyber victim. This is why user-access review of user accounts is so important in stopping the progress of the attack before the account can move around the network.

Now, let’s examine external identity exploits. The following are key aspects of how attackers begin and complete their outside hacker journey into compromised enterprises.

  • Recon: An external hacker’s first step in compromising a system. It’s known as the reconnaissance step in the cyber kill chain. The hacker is trying to identify system, web and application types and versions to then map what are known as CVEs, or common vulnerabilities and exposures, to attack these systems and begin the exploitation process.
  • Exfiltration: Once the hacker is in, their goal will be to get the sensitive information back out. They may ransom it or sell it to the highest bidder. No matter what they do, once they can get it out the data will be out of the control of the organization. Preventing this is one of the prime goals of cybersecurity. Through understanding the cyber kill chain, organizations can understand how hackers carry out a cyberattack. Vulnerabilities at these points should be eliminated to stop hackers in their tracks before they can cause serious damage.
  • Denial of service: An attack on a resource through either an internal or external mechanism. External attacks usually involve bots sent to consume network, web and application resources to overwhelm the system. It’s usually done through a coordinated effort of a massive number of bots pointed at the target at a coordinated time, known as a distributed denial-of-service (DDoS) attack.
  • Anti-forensics: The concept of “covering your tracks.” Hackers will do all they can to remove from data logs any evidence of their efforts. That’s why logs cannot be the only way of looking at status changes in a system. A “state-in-time” comparison between roles done on a regular basis will help alert a security team of privilege changes and privilege escalation.

Technology background

Financial reporting technology isn’t new, and in some cases goes back to the original drivers of the IT industry. Far too many companies still use spreadsheets and their derivatives in their accounting practices. Many other organizations, however, have matured to more scalable and extendable IT financial services. These tools are now mostly cloud based, allowing enterprises to account for all financial aspects of the business, including accounts receivable, accounts payable, owner’s equity, expenses and others.

These software tools don’t govern themselves. An enterprise needs to set up checks and balances of users, permissions and rights to ensure that fraud isn’t built into the system.

Current state of practices

Enterprises are normally good at establishing users’ roles and setting up systems to ensure users get basic functionality out of these tools. But this is often where the implementation stops. The system works, inasmuch as users can input information with a minimal amount of reporting. But what about governance? Who’s checking whether the same people involved with expenditures are also creating reports on who gets paid?

It’s important to note that governance, especially role-based governance, isn’t built into these tools. Before using them, the best practices and procedures should be established by a professional who helps decision-makers understand the function of these tools and then maps them to enforceable identity roles.

Improvements in technology/practices

As with many endeavors, it’s best to look at outside practices and procedures to solve the problem of governance that plagues the financial application arena. There are tools specifically designed for what’s called identity governance and administration (IGA). These tools integrate in various ways with the existing identity resources at the enterprise. (The identity tools are called identity and access management, or IAM.) Historically, most IAM products stood alone and had little to no built-in governance. They provided access but did little to test the access.

To this end, the cyberworld created a whole suite of software to address the governance on the identities and access granted by the IAM systems. Firms should employ these IGA programs, and the practices and procedures around them, to protect their financial systems. IGA, when used correctly, flushes out all the entitlement information on the users who have access to these tools. That includes the users, roles, permissions and attributes. The business-line manager needs to review this information and determine if each user should have access.

Getting started

The following recommendations provide a straightforward guide for any entity to begin securing their access/identity control. First, the enterprise should quantify the applications that have access to financial information, as well as the data sources and which account(s) have access to these resources. Then, the enterprise should use modern IGA tools to:

  • Immediately review the access to these resources.
  • Clear out ghost accounts.
  • Clear out unauthorized access.
  • Rinse and repeat on a regular basis.
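As an added example (not code from the article or from YouAttest's products), the following Python script carries out the review that the exploit list and the steps above describe, over constructed sample data: it flags ghost accounts, privilege creep beyond a role's least-privilege baseline and segregation-of-duties conflicts, and it performs the state-in-time comparison of two entitlement snapshots recommended in the anti-forensics bullet, so an escalation is visible even if the audit log was scrubbed. All roles, entitlement names and accounts are invented.

```python
# Constructed data. ROLE_BASELINE is the entitlement set each role legitimately needs.
ROLE_BASELINE = {
    "ap_clerk": {"ap.enter_invoice"},
    "ap_manager": {"ap.enter_invoice", "ap.approve_invoice"},
    "facilities": {"vendor.create"},
}
# Entitlement pairs that must never sit on one account (segregation of duties).
SOD_CONFLICTS = [({"vendor.create"}, {"ap.approve_invoice"})]
# HR roster of people still employed, with their current role.
HR_ACTIVE = {"alice": "ap_clerk", "bob": "ap_manager", "dsmith": "facilities"}

# Two point-in-time snapshots of the finance application's accounts:
# user -> (account enabled?, assigned role, granted entitlements).
PREVIOUS = {
    "alice": (True, "ap_clerk", {"ap.enter_invoice"}),
    "bob": (True, "ap_manager", {"ap.enter_invoice", "ap.approve_invoice"}),
    "carol": (True, "ap_clerk", {"ap.enter_invoice"}),
    "dsmith": (True, "facilities", {"vendor.create"}),
}
CURRENT = {
    "alice": (True, "ap_clerk", {"ap.enter_invoice", "ap.approve_invoice"}),
    "bob": (True, "ap_manager", {"ap.enter_invoice", "ap.approve_invoice"}),
    "carol": (True, "ap_clerk", {"ap.enter_invoice"}),
    "dsmith": (True, "facilities", {"vendor.create", "ap.approve_invoice", "sys.admin"}),
}

def review_snapshot(snapshot, hr_active, baseline, sod_conflicts):
    """One access review: ghost accounts, privilege creep, SoD conflicts."""
    findings = []
    for user, (enabled, role, ents) in sorted(snapshot.items()):
        if enabled and user not in hr_active:
            findings.append(("ghost_account", user, "enabled but not on HR roster"))
            continue
        excess = ents - baseline.get(role, set())   # beyond least privilege
        if excess:
            findings.append(("privilege_creep", user, ", ".join(sorted(excess))))
        for a, b in sod_conflicts:
            if a <= ents and b <= ents:             # holds both halves of a toxic pair
                findings.append(("sod_conflict", user, ", ".join(sorted(a | b))))
    return findings

def diff_snapshots(previous, current):
    """State-in-time comparison: entitlements gained since the last review,
    computed from the snapshots themselves rather than from the audit log."""
    changes = []
    for user, (_, _, ents) in sorted(current.items()):
        gained = ents - previous.get(user, (False, None, set()))[2]
        if gained:
            changes.append((user, sorted(gained)))
    return changes
```

Each finding goes to the business-line manager for a keep-or-revoke decision; the diff output is the list of escalations that a tampered log could not be trusted to show.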

It’s important to note that regulations like Sarbanes-Oxley mandate that you review these resources annually. But this is ludicrously out of date. The roles should be reviewed at least on a quarterly, if not on a monthly, basis. That should be a top priority, especially given how many organizations still rely on manual processes in their governance, risk and compliance programs. Enterprises must step up their game by either directly employing a user-access review tool or demanding that their managed services deploy a tool that makes these reviews simple and repeatable.

Jeffrey Tilton, CFE, is chief fraud advisor at YouAttest, a company that offers cloud-based solutions and management. Contact him at jmtilton@jmtconsultingllc.com.

Garret Grajek is CEO of YouAttest. Contact him at ggrajek@youattest.com.
