Friday, March 16, 2007
Keep Your Pants Up!
What really gets to me is when Management doesn’t give a rip about security until it’s too late – what idiots! The greatest danger comes from within, yet Management remains oblivious to it. Usually Management wants everything done NOW, and that applies to bringing new staff members up to speed on the applications they will be using. That can lead to disaster. Embezzlement can happen quicker than you ever thought possible!
Case in point: A new Assistant Controller is hired, and Management says, “Get him trained on the financials this week. He’s going to be managing the Payables section next week. Give him whatever access he needs to do the job.” The IT Department explains that “everything” means the ability to post invoices and payments and to add and modify the Vendor master file, and that combining those rights in one person is a security risk. Management responds, “We don’t care, just do it!” Oh, did I mention that these geniuses gave this individual check signing privileges as well?
The Assistant Controller they hired was a smart one. Within a week this individual had the A/P system figured out. He could modify an existing vendor name to his name, post a couple of false invoices, cut a check made out to himself, and change the master record back to the original vendor name. Of course, he picked a vendor with high activity, so it wasn’t questioned because the A/P system reported these payments under the original vendor name. Nobody was the wiser until the employee failed to show up for work after taking the company for thousands of dollars! Management got caught with their collective pants down, and they had no one to blame but themselves.
We need to protect ourselves from incidents such as these! We can’t do anything about Management. Stupid is, as stupid does. Ideally, we would separate the duties, so that staff who create the master records (vendors, customers, and employees) aren’t the same people that post checks or payments.
We also need to do something about Systems. Systems need a way of tracking additions, changes, and deletions to all records. Changes need to record a before and after image. Additionally, there needs to be a time-stamp and operator ID as part of this record. Most importantly, there needs to be a means to monitor and report this information, possibly with an alarm mechanism to an IT security person and/or to the Controller. At least this way it’s faster to discover and easier to prosecute!
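Here is an added example, not from the original post, of what that audit trail and monitoring might look like in code: every vendor-master change is logged with its before/after image, time-stamp and operator ID, and a query flags payments cut while a vendor name was temporarily changed and then changed back, marking whether the same operator did both. Table names, column names and the sample data are constructed for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE vendor (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE vendor_audit (vendor_id INTEGER, old_name TEXT, new_name TEXT,
                           changed_by TEXT, changed_at INTEGER);
CREATE TABLE payment (vendor_id INTEGER, payee TEXT, amount REAL,
                      posted_by TEXT, posted_at INTEGER);
"""

def rename_vendor(conn, vendor_id, new_name, operator, ts):
    """Change a vendor master record and log its before/after image in one transaction."""
    with conn:  # the master change never commits without its audit row
        old = conn.execute("SELECT name FROM vendor WHERE id=?", (vendor_id,)).fetchone()[0]
        conn.execute("UPDATE vendor SET name=? WHERE id=?", (new_name, vendor_id))
        conn.execute("INSERT INTO vendor_audit VALUES (?,?,?,?,?)",
                     (vendor_id, old, new_name, operator, ts))

def post_payment(conn, vendor_id, amount, operator, ts):
    """Cut a payment to whatever name the master record holds right now."""
    payee = conn.execute("SELECT name FROM vendor WHERE id=?", (vendor_id,)).fetchone()[0]
    conn.execute("INSERT INTO payment VALUES (?,?,?,?,?)",
                 (vendor_id, payee, amount, operator, ts))

# Payments posted between a name change and its later reversal; the last column is 1
# when the operator who altered the master record also posted the payment (no separation of duties).
SUSPICIOUS = """
SELECT a.vendor_id, a.new_name, p.amount, p.posted_by, a.changed_by = p.posted_by AS sod_violation
FROM vendor_audit a
JOIN vendor_audit r ON r.vendor_id = a.vendor_id AND r.old_name = a.new_name
                   AND r.new_name = a.old_name AND r.changed_at > a.changed_at
JOIN payment p ON p.vendor_id = a.vendor_id
              AND p.posted_at BETWEEN a.changed_at AND r.changed_at
ORDER BY p.posted_at
"""

def suspicious_payments(conn):
    return conn.execute(SUSPICIOUS).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO vendor VALUES (1, 'Acme Supply Co')")  # constructed sample data
    post_payment(conn, 1, 1200.00, "clerk", 50)            # legitimate payment, not flagged
    rename_vendor(conn, 1, "J. Doe", "jdoe", 100)           # master record altered
    post_payment(conn, 1, 4800.00, "jdoe", 101)             # two false invoices paid out
    post_payment(conn, 1, 5150.00, "jdoe", 102)
    rename_vendor(conn, 1, "Acme Supply Co", "jdoe", 103)   # name restored; A/P reports look normal
    return suspicious_payments(conn)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The query is the kind of report the Controller or IT security would run (or wire to an alarm); the audit rows are what makes the case provable afterwards.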
What’s your horror story?