Below is a case study used in blog entry three.
"A small business owner on the Gold
Coast was crippled financially due to an employee siphoning money from the
business accounts into her own account. This continued undetected for six
months [The owner should have been aware of the fraud by analysing the fraudster's behaviour and attitude at work to identify fraudulent behaviour. Additionally, the owner could have performed checks on the individual to ensure there is no fraud in their past and to ensure their integrity to the organisation.] resulting in a loss of approximately $115,000 – a huge loss for a small
business. Ultimately, the business closed down after struggling to meet its
debts. The employee was able to perpetrate the fraud as another employee had
left the business and provided her with her password for accounting and
bookkeeping. [IT should have removed the past employee's access to ensure that the fraudster had no access to make payments to her account.] Other than passwords, there were no other control measures used by
the business to protect its data and systems. [The owner should have been aware of the risks of operating an online banking and accounting system, and that steps other than passwords needed to be taken to ensure the safety of data. Steps such as audit trails, separate user names and separation of duties could have protected the business.] Therefore, the fraudster had both
passwords required to gain access to various accounts and found it quite easy
to move monies into her own account. [Checks should have been in place to ensure the fraudster was not able to authorise payments to her own account, such as red flags and authorisation checks for unknown account transfers, and internal audits to track the flow of monies.]
Being only 18 years old, she used the
money to purchase a car, play the pokies at the casino, and buy gifts for her
friends and family and jewellery for herself. Once found, although the car was
repossessed and resold to regain some of the loss, no other monies were
recovered by the business.
When interviewed by local radio, the
business owner was asked if he was aware that there are IT Governance controls
that he could follow to help minimise this problem occurring again. The owner
replied that he had not been aware of the risks associated with online
accounting and banking, and regardless, was not a big enough business to take
on board IT Governance control measures – that they would be too costly."
Key:
Highlighted in yellow are areas of concern
Red are my recommendations
Highlighted in blue are her motives and pressures as to why she committed the fraud according to Cressey's fraud triangle
(AYB115, Tutorial 3, p4)