Monday, January 18, 2010

Decreasing the Risk of Fraud and Embezzlement in ERP Systems

Written by Medi Karkashon-Mizrahi, ERP Security Division Manager

The gradual adoption of ERP systems has united all of an organization's business processes in one comprehensive system. On the one hand this improves integration; on the other it opens the opportunity to carry out fraud and embezzlement through the system itself. Factors such as overly broad authorizations, lack of segregation of duties, incorrect policies and procedures, and inadequate design and maintenance of sensitive master data are the gaps through which fraud and embezzlement are committed. Identifying and auditing these issues significantly decreases the risk of such an attack.

The words "fraud" and "embezzlement" are a concern for organizations and managers of every kind. The issue is raised repeatedly because of the variety of fraud and embezzlement cases that have recently been exposed across the globe.

Fraud and embezzlement are carried out when three elements coincide (the classic fraud triangle):

1. Pressure (a motive to carry out the act)

2. Attitude (the perpetrator's rationalization of the act)

3. Opportunity

The organization does not and cannot control the first two elements. Opportunity, however, is the element it can remove, and opportunities to commit fraud are abundant wherever information systems are poorly managed and suitable control mechanisms are not implemented.

Control mechanisms and correct system management are therefore critical issues in the implementation of an ERP system, because these systems store sensitive information on suppliers, clients, employees, sales, budgets and revenue, as well as other confidential business information. Furthermore, this working environment presents various opportunities for fraud, as described below.

When a system goes into production, a great deal of effort is invested in improving its functionality and in rolling it out successfully to users. As a direct result, many users (regular employees, consultants and implementers alike) receive wide system authorizations. Such wide authorizations are common in many organizations because they are believed to shorten the time to production.

ERP systems are extremely complex, and there are a number of ways in which a user can end up with wide authorizations across the entire system. In SAP systems, for example, user management is based on user master records, profiles, roles and authorization objects. A user can receive wide authorizations from a problematic profile, from an incorrectly assigned role, or from authorization objects whose field values are too broad (for example, a wildcard value that covers every transaction code).

Removing wide system authorizations is not a simple task: an organization must recognize the various ways they arise, repair each of them, and manage each separately. Failing to identify wide authorizations increases the organization's exposure to fraud and embezzlement.

ERP systems register business transactions in real time. This shortens the window both for preventing a fraud and for identifying it as soon as possible. For example, if a person stole inventory from a company and at the same time adjusted the inventory records in the ERP system to match, the embezzlement would be extremely difficult to discover. System audit trails, together with automated checks on such changes, make this kind of occurrence detectable.

Companies should identify the problematic focal points in the system and implement real-time audits of them to decrease the exposure.

ERP systems work on a single database. This improves the flow of information and process integration, but it also means that the majority of the company's processes are managed under one system. Where in the past procurement was carried out by a buyer in system X and payment was carried out in system Y, both actions now take place in a single ERP system. If the company has not implemented a user management scheme that preserves segregation of duties (the "role distribution principle"), there are most likely violations of it. Various embezzlements across the globe could have been avoided had the company enforced segregation of duties, which states that no process, from start to finish, is carried out by a single individual; at least one other person must be involved to review and authorize it.

Companies should identify violations of segregation of duties, repair them, and check for them regularly.
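As an added illustration (this code is not part of the original article and is not Comsec's methodology), the following Python checks a constructed SAP-style role model for the two issues discussed above: wide authorizations, here a wildcard value in the S_TCODE transaction-start object, and segregation-of-duties conflicts between business functions. The role names, the user list, the mapping of transaction codes to business functions and the conflict rules are all assumptions made up for the example. S_TCODE is a real SAP authorization object, but a real review would also have to evaluate the other authorization objects each transaction checks, profiles assigned directly to users, and composite roles.

```python
"""Authorization review for an SAP-style role model (constructed example).

Two checks from the article:
  1. 'wide' authorizations - a wildcard in the S_TCODE transaction-code object
  2. segregation-of-duties (SoD) conflicts - one user can execute both halves
     of a sensitive process end to end
"""
from fnmatch import fnmatchcase

# Constructed role model: role -> authorization object -> field -> values.
# S_TCODE/TCD is the real SAP object/field that grants transaction start; the
# roles, users and transaction-code assignments are assumptions for the example.
ROLES = {
    "Z_PURCHASER":   {"S_TCODE": {"TCD": ["ME21N", "ME22N"]}},
    "Z_AP_CLERK":    {"S_TCODE": {"TCD": ["FK01", "FK02", "MIRO"]}},
    "Z_PAYMENT_RUN": {"S_TCODE": {"TCD": ["F110"]}},
    "Z_IMPLEMENTER": {"S_TCODE": {"TCD": ["*"]}},   # wide authorization left over from go-live
}

# Constructed user-to-role assignments.
USERS = {
    "ALICE":    ["Z_PURCHASER"],
    "BOB":      ["Z_AP_CLERK", "Z_PAYMENT_RUN"],
    "CONSULT1": ["Z_IMPLEMENTER"],
}

# Business functions expressed as the transaction codes that realise them (assumed mapping).
FUNCTIONS = {
    "maintain_vendor_master": {"FK01", "FK02"},
    "create_purchase_order":  {"ME21N", "ME22N"},
    "post_vendor_invoice":    {"MIRO"},
    "run_vendor_payment":     {"F110"},
}

# SoD ruleset: pairs of functions that must never sit with one person (assumed rules).
SOD_RULES = [
    ("maintain_vendor_master", "run_vendor_payment"),
    ("create_purchase_order", "post_vendor_invoice"),
    ("post_vendor_invoice", "run_vendor_payment"),
]


def tcode_patterns(user):
    """All S_TCODE/TCD values a user holds, aggregated over the user's roles."""
    patterns = []
    for role in USERS[user]:
        patterns.extend(ROLES[role].get("S_TCODE", {}).get("TCD", []))
    return patterns


def can_start(user, tcode):
    """True if any of the user's TCD values matches the transaction code.
    '*' is treated as a wildcard, as in SAP authorization values."""
    return any(fnmatchcase(tcode, pattern) for pattern in tcode_patterns(user))


def wide_authorizations(users=USERS):
    """Users whose S_TCODE values contain a wildcard: the 'wide authorization' finding."""
    return sorted(u for u in users if any("*" in p for p in tcode_patterns(u)))


def functions_of(user):
    """Business functions the user can perform, derived from the transactions they can start."""
    return {f for f, tcodes in FUNCTIONS.items() if any(can_start(user, t) for t in tcodes)}


def sod_violations(users=USERS):
    """(user, function_a, function_b) for every SoD rule a single user violates."""
    findings = []
    for user in sorted(users):
        have = functions_of(user)
        for func_a, func_b in SOD_RULES:
            if func_a in have and func_b in have:
                findings.append((user, func_a, func_b))
    return findings


if __name__ == "__main__":
    print("Wide authorizations:", wide_authorizations())
    for user, a, b in sod_violations():
        print(f"SoD violation: {user} can both {a} and {b}")
```

In practice the input comes from the system's user and role tables rather than a dictionary, and the ruleset is far larger, but the structure of the check is the same: resolve each user's effective authorization values, map them to business functions, and test every function pair against the ruleset. Note that the wildcard user violates every rule, which is why the wide-authorization finding has to be cleared before the SoD report becomes readable.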

The implementation of an ERP system usually includes embedding sensitive procedures such as signatory authorization, procurement authorization and supplier payment authorization into the system. In the past these procedures were enforced by manual, paper-based controls; today many organizations have adopted automated mechanisms instead. If these procedures are embedded incorrectly, employees may be able to carry out faulty actions that the system cannot prevent.

Companies should implement a suitable audit framework that decreases the occurrence of such situations.

The move to an ERP environment is usually made from a variety of legacy systems that manage sensitive data such as employees' bank account numbers and customers' price terms. Afterwards, all of this data is managed in one system with one database. The conversion process is complex and usually requires exporting data from system X, cleansing it, and importing it into the ERP system. If the sensitive data is exposed to hostile parties during any of these three stages, it may be leaked to unauthorized parties or damaged intentionally. Moreover, correct and efficient management of processes in the system rests on a trustworthy base of master data: payment to a supplier is carried out according to the payment date, payment method and bank account, all of which are master data; collecting payment from a customer is carried out according to the payment method and customer discounts, both master data. Thus the maintenance of master data is a potential basis for fraudulent activity.

Companies should identify the sensitive data and carry out periodic examinations of its integrity and of how it is maintained by system users.
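As an added example (constructed for this page, not part of the original post or of any vendor's product), the following Python implements one such real-time audit over master data, of the kind the inventory example above also calls for: it scans change records for a vendor's bank account fields and flags any payment to that vendor released shortly after the change, rating the finding higher when the same user made both the change and the payment, or when the account was changed back afterwards (the change / pay / revert pattern). The record layouts, the field names BANKN, BANKL and IBAN, the vendor and user identifiers, the seven-day window and the severity rules are assumptions for the example; in SAP the equivalent sources would be the change documents kept for the vendor master and the payment-run output.

```python
"""Continuous-audit check over vendor master data changes (constructed example).

Flags a vendor bank-account change that is followed within a window by a
payment to that vendor. Record layouts and all data are constructed.
"""
from datetime import datetime, timedelta

# Constructed change-document records:
# (timestamp, user, vendor, field, old_value, new_value)
CHANGES = [
    ("2010-01-04 09:12", "BOB",   "V1001", "BANKN", "12345678", "99887766"),
    ("2010-01-04 16:40", "BOB",   "V1001", "BANKN", "99887766", "12345678"),  # reverted after payment
    ("2010-01-06 11:05", "CAROL", "V2002", "BANKN", "22223333", "22224444"),
    ("2010-01-07 08:30", "DAVE",  "V3003", "NAME1", "Old Name", "New Name"),  # not a bank field
]

# Constructed payment-run output:
# (timestamp, user who released the run, vendor, amount, bank account paid)
PAYMENTS = [
    ("2010-01-04 14:00", "BOB",  "V1001", 48000.00, "99887766"),
    ("2010-01-11 14:00", "ERIN", "V2002",  1200.00, "22224444"),
]

FMT = "%Y-%m-%d %H:%M"
# Vendor-master bank fields treated as sensitive (assumed names for this example).
SENSITIVE_FIELDS = {"BANKN", "BANKL", "IBAN"}


def _ts(text):
    return datetime.strptime(text, FMT)


def find_suspicious_bank_changes(changes=CHANGES, payments=PAYMENTS, window_days=7):
    """Return one finding per (bank change, payment to the same vendor inside the window).

    Severity rules (assumptions for this example):
      high   - the same user changed the account and released the payment, or
               the account was reverted after the payment (change / pay / revert)
      medium - any other payment to the vendor within the window after the change
    """
    findings = []
    bank_changes = [c for c in changes if c[3] in SENSITIVE_FIELDS]
    for ts, user, vendor, field, old, new in bank_changes:
        changed_at = _ts(ts)
        deadline = changed_at + timedelta(days=window_days)
        for pts, payer, pvendor, amount, paid_to in payments:
            paid_at = _ts(pts)
            if pvendor != vendor or not (changed_at <= paid_at <= deadline):
                continue
            # A later change of the same field back to the old value is a revert.
            reverted = any(
                c[2] == vendor and c[3] == field and c[5] == old and _ts(c[0]) > paid_at
                for c in bank_changes
            )
            severity = "high" if (payer == user or reverted) else "medium"
            findings.append({
                "vendor": vendor,
                "changed_by": user,
                "changed_at": ts,
                "paid_by": payer,
                "paid_at": pts,
                "amount": amount,
                "paid_to": paid_to,
                "reverted": reverted,
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_bank_changes():
        print(f"[{f['severity']}] vendor {f['vendor']}: account changed by {f['changed_by']} "
              f"at {f['changed_at']}, {f['amount']:.2f} paid to {f['paid_to']} by {f['paid_by']} "
              f"at {f['paid_at']}, reverted={f['reverted']}")
```

The same-user condition is the segregation-of-duties point from the previous section applied at transaction level rather than at role level: even where roles are clean, a change followed by a payment by one person is worth a look. The revert test is what catches the case where the master data looks correct again by the time a periodic review runs, which is why this check belongs in a continuous audit rather than only a quarterly one.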

The problematic focal points should be dealt with in two phases: first, identification of these focal points; second, establishment of a continuous auditing framework that prevents, or at least decreases, the chance of exposure.

ERP systems such as SAP and Oracle are large and complex in terms of the number of processes they implement, the huge amounts of data they store and the way they operate. Thus the identification and proper treatment of the problematic focal points requires skill and deep knowledge of the system.

Comsec Information Security has developed a proprietary methodology for conducting fraud and embezzlement assessments in ERP systems in general and SAP systems in particular. What makes this methodology unique is its work plans, which address the specific problematic focal points in each ERP system while emphasizing a continuous auditing framework.