COMPUTER SECURITY AND CORPORATE FRAUD IN DEVELOPING COUNTRIES ------------------------------------------------------------- Adebola Olatunji When in the past few years, ministers and governors in West African countries and a host of chief executives from major companies have fallen from power as a result of fraud, no one could argue that the bells have not been rung. Fraud is a grey subject surrounded by mystique and apathy. Whereas society seems outraged, and mightyly so, at overt acts of violence and terrorism and is prepare to devote attention and resources to their solution, covert and possibly more damaging losses through fraud, escape attension and succeed by default. Fraud may be defined as any behaviour by which one person intends to gain a dishonest advantage over another. This is not a legal definition but is not intended to be. It is adequate to embrace the subject matter of this paper and to include such diverse acts as embezzlement, unfair competition, commercial espionage and other white and blue collar crimes. COMPUTER RELATED RISKS ---------------------- We are told that putting the cart before the horse is wrong. But something about the cart - defensive techniques should be mentioned here, so that risks can be seen in proper perspective. Later, I shall discuss a multidisciplined approach to computer security, involving the formation of a project team. With this defence approach in mind, detailed discussion of computer technology and operations is not necessary: such knowledge should be provided by the teams computer specialist. The point in mentioning defences here is this; Computer proffessionals, acting alone can seldom provide the complete answer to computer security, and security and audit people acting alone are equally doomed. The best and perhaps the only effective approach is the formation and ongoing review of a project team consisting of security, computer, user and audit representatives. In such a team, there should be sufficient depth and knowledge to tackle risks to computer operations. Many computers are owned by security bureau who let out time to more than one user. Although it is not possible, therefore, to accurately assess the grasp that computers have on modern commerce. It is fair to say that it is enormous in excess of 150,000 major companies in Africa depend upon computers in their day to day business. This is the minimum potential number of computer fraud and espionage victims. It is necessary to examine the way in which computers process commercial records. Computer processing of Commercial records ----------------------------------------- It is axiomatic that a computer can only manipulate those transactions, records and accounts it processes. Computer frauds involving payroll inflation are obviously impossible if the payroll is prepared manually. In a similar vein, financial frauds can only be achieved in financial records. It is impossible for a thief to generate a false credit in a computer application processing market research or logistics data, although such records may be vulnerable to espionage. Most commercial organisations maintain and prepare their financial records by one or more of three basic methods. 1. Batch Processing 2. Real time processing 3. On line processing. Batch processing:- ------------------ Source data -- Purchase or sales invoices, for example are batched together (hence the term batch processing) and input into the computer for processing. Each application has its own set of computer files (data sets) and programmes and these are used to produce output. Source data is usually assembled by the user department and sent to the data preparation unit for conversion into computer readable form - magnetic disc or magnetic tape. This computer readable input is read by and processed by the computer. Hard copy output may be delivered to the user department while magnetic tape files and discs will normally be retained within the computer centre. Real time processing :- ----------------------- In real time systems, data is introduced into the central processing unit and is automatically converted into computer readable form. Semi- instantaneous processing takes place in the central processing unit (CPU) and a response is given on a visual display screen (VDU) or printer. The immediate response is the distinguishing feature of realtime processing. Real time system are not frequently used for mainstream financial accounting but such things as airline reservations, stock and statistical data are common applications. Source informations (sales data) is introduced into the system via one of the remote terminals and its accuracy is verified automatically by various internal checks. Individual transactions are recorded and balances are established in the input transaction journal and then processed in the CPU, which calls up the necessary master and other informations from the On-line database, invoices, customer debits and stock files are produced and updated. >From an operation and accuracy point of view, realtime systems with integrated databases have significant advantages. Perhaps the main one is the consistency of master file information. In batch systems, where seperate data files are held for each application, process of informations are introduced and held in master files and transaction tapes which may be duplicated, sometimes incorrectly, in other data files for other applications. At the centre of databases is the concept that information should be introduced only once and should be available for all applications. It is introduced just once, consistency between applications is guaranteed. The third major type of computer processing is that called 'on line' (a term derived from the direct interplay between the CPU and files and periherals which are on direct line). On line processing:- -------------------- On line processing consists of features common to both batch and real time systems and may or may not operate through remote terminals and teleprocessing links. The customer, product and other files are linked 'On line' to the central processing unit (CPU). The partial 'running' of batch processing does not apply to 'on line' systems where the various files are in direct two-way connection with the CPU normally, on a random access basis. All of us try to assess what might happen in the future by examining what has happened in the past. This approach is useful in risk assessment, provided the limitation on published figures and reports are borne in mind. Perfect crime - by definition escapes detection. Against this background, the report on computer security produced by the Stanford Research Institute (SRI) can be used to illustrate computer risks under the headings. 1. Fraud 2. Epsionage 3. Violence 4. Privacy. In using the SRI report as a starting point, two facts should be kept in mind. The first is that the report does not claim to be comprehensive. Secondly, once a computer is introduced conventional risks do not disappear. For example, it is not known for companies to install complex pass and lockward protection for computer files at the same time as allowing sensitive hard copy output to lie on desk tops, insecure and unattended. It is important to put computer risks into a corporate perspective. They are part of business risks and not in a watertight or exclusive compartment. The most important intention of this paper is to draw attention to relevant technical informations on computer security and to suggest a practical approach to computer security. Now I shall focus on fraud defences and computer security under the following plans:- APPOINTMENT OF A COMPUTER SECURITY PROJECT TEAM ------------------------------------------------ It would be an exceptional person who would claim that he could solve all computer security problems by himself. In most companies, computer security is a compromise , either security and audit people struggling with computer technology or computer people trying to learn accounting and security as they go along. Which route is more difficult is hard to say; that neither one is effective is often all too obvious. Yet within most companies, there is adequate skill available -it is simply a question of organising it. One way of concentrating and making the best use of available resources is to appoint a project team which can be held accountable for reviewing the security of the company's computer installations- main frame, 'minis', processing and control machinery. Ideally, the project team should consist of (i) The Chief Accountant or Controller (ii) The Data Processing Manager (iii) The Chief Progrrammer (iv) The System Manager (v) The Audit Manager (vi) The Security Adviser (vii) User department representatives and it should have direct access to a board member. Precise terms of reference should be prepared for the project team and its authority written down and approved by senior mangement. Whenever possible, deadlines should be set and the team held acountable for meeting them. It is important that realistic target dates are set , otherwise matters can be drawn out from month to month and year to year without positive or even noticeable results. How and how often the project team meets will depend on the size and complexity of the company concerned, but meetings should not be too frequent or or too long. The meetings should be sufficient to allocate specific risks and responsibilities to each of the members and to review progress. Whenever possible, tasks should be allocated according to the skills and resonsibilities of the members. The chief accountant or controller might be concerned with the overall co-ordination, the security adviser with physical security and fraud detection and the audit manager with documentation and billing programmes. Whenever possible, responsibilities should be identified in writing. The checklist approach can be used to gurantee accountability and continuty. The first task of the team is to identify risks. The risks evaluation phase is essential and the need for accuracy cannot be over-emphasised. RISKS EVALUATION ---------------- The risks to main frame computers and to computer system were discussed to be under the following headings, espionage, fraud, violence and privacy. The project team should also be concerned with mini computers and computer controlled machinery. Its expertise should be used to gain the maximum economy of effort. Each operating or user department should be asked to supply details of any computer controlled or computer related processing. The applications should be analysed in details and their sensitivity and vulnerability established. As a result of this exercise, the project team will have statements- in user departments, in order of the assets at risk and posssible theft concealment and comversion courses. From these user statements further analysis is posssible. For example, where an asset appears vulnerable to fraud, concealment and manipulation possibilities within the computer center, it can be identified and added to the charts. This approach will ensure that defensive measures are related to assets at risk, and that controlls- either before or after the fact - are concetrated on the vital issues. EXISTING AVAILABLE AND OPTIMUM DEFENCES. ---------------------------------------- An accurate identification of risks and risk elements will allow existing defences to be tested. These test can be conducted by analysis or by threat assesment. The first method calls for an objective measurement of the contols - physical, procedural, back up and detection - that already exist both within and outside the computer centre. In the second, delibrate efforts are made to violate controls to test thier efficiency. The chances are that existing controls will be arranged before the fact - aimed at reducing opportunities and preventing errors. It is axiomatic that frauds and other criminal violation carry an impact outside the computer centre - a fact that sometimes is overlooked. In short, the technical aspect of computing can be seen as the risks. The complexity of the technology blinds people to this basic fact. Fraud is about stealing assets and although manipulation is possible within the computer centre, it is related to real life events, facts and people and it leaves clues that can be traced and identified. Thus in examiming existing defences, the team should take a broad view and not try to solve all fraud and security problems by what happens within computing. It should examine external controls, movements of goods, conversion possbilities and most important, the impact that these real life acts will have on accounting records. The corporate view of existing defences will demonstrate how controls within computing fit into the integrated defensive plan. There is an abundance of literature already available on computer security. The project team should research possible methods of combating known vulnerabilities and should select appropriate counter measures, either before or after the fact. Some risks may be countered by controls in user or operational departments and others within computing. Often the best way of analysing possible defensive controls is to work from a comprehensive checklist. Most lists concentrate on security within the computer and usually cover the subjects below. LEGAL DEFENCES:- ---------------- Under this heading the checklists would refer to copyright and records protection systems. They might also deal with contracts with suppliers and other third parties. PLANNING AND CONSENT: --------------------- The items under this heading would be designed to ensure that all new computer installations are properly and securely planned and that builders and other workmen are adequately supervised during the construction period. It could cover (i) location of computer centres (ii) location of back up stores (iii) building security. INTERIOR DESIGN:- ------------------ Checkpoints draw attention to the need for proper physical security in computer centres and back up stores. Environmental features may also be referred to as well as the standards for air conditioning and other utilities. SECURITY SYSTEMS:- ----------------- The standards necessary for controlling access into the computer centre would be spelled out and guidelines for dealing with emergencies such as bombs and bomb threats, fires, floods, sabotage and power failures would be referred to. ACCOUNTING SYSTEMS AND PROCESSING CONTROLS:- ---------------------------------------------- Accounting and other controls form the major part of most checklists and may be decided as follows:- (a) Systems Development Controls - ---------------------------- These cover the development and approval of new applications, documentation, audit criteria, programme and systems testing etc. (b) Organisation and Administrative control: --------------------------------------- These controls cover segregation of duties (by function and transaction), data preparation and user department controls, document transfer controls, batch and processing blances, input controls, media handling standards, data and quantity controls, file controls, reconstruction procedures, operating procedures, and internal audit. (c) Procedural Controls: ------------------- These cover protection and integrity of master files, proccesing controls (within computing) controls over output. (d) Data Transmission: ----------------- These set out standards, operational and security, for real time data transmission, security of remote terminals, access levels etc. INSURANCE AND MISCELLENOUS CONTROLS: ------------------------------------ Under this heading might come insurance of hardware against loss or damage. Fraud, espionage or consequential losses are rarely fully covered. Also under the miscellenous heading, staff selection, identification and pre-employment screening might be listed. AMMENDMENTS TO CHECKLISTS: ------------------------- Published checklists can be amended or added to by the project team so that a list suitable for the needs and wishes of the company concerned can be compiled. The lists can be divided into accountable tasks for each project team member. The security adviser, for example, could be made responsible for all the security points on the checklist and would be required to report his progress at meetings of the team. However, before any item is included on the company's checklist, its appropriateness to an existing risk should be confirmed. Controls' for controls sake are a waste of time and effort and will unnecesarily restrict commerrical operations. Further, defences should be related to risk, - risks should not be twisted or misrepresented to fit a preconceived defensive plan. OTHER DEEFENSIVE POSSIBILITIES ------------------------------ There are two additional lines of defence:- (i) Event and resources used log (referred to here as SMF: systems management facility). (ii) Computer surveillance of records to detect fraud. Both operate after the fact but can be used on most main frame computers to serve a preventive purpose. That is to say, their known use and efficiency can deter as well as detect fraud. S M F ----- Most computer hardware suppliers produce utility programmes of the SMF type. They may be adapted and added to, to retrieve, analyse and print out operating statistics, compile user billing records and generally record what processing has taken place. SMF type programme extension have the ability - either by conventional listings or exception reporting - to detect. (i) Unscheduled processing and testing. (ii) Unauthorised access to data. (iii) Unauthorised user identification. They can be adapted to detect frauds involving programme patches, espionage and misuse of computer time. It has been said that at least half of all known computer frauds would have been prevented or detected more quickly had the victims used efficient SMF controls. Within the SMF heading, there is a vast variety of programme formats. Sifficient to say that it is possible to buy or develop an SMF programme to monitor any main frame system. A sophisticated SMF programme could seldom be justified on security grounds alone. But, since for operational reasons a billing programme needs to be detailed and accurate, the project team maybe able to suggest slight additions or modifications that will increase its security value. The procedure to follow is set out below:- (1) The SMF/billing programmes should be as accurate as possible. They should be afforded the highest levels of security. (2) The CPU meter should be secured against interference. (3) Bills should be charged back to the smallest possible operating units. For example, seperate bills should be prepared for branch A, B and C rather than for deparrtment of which they are constituents. This way the effects of fraud will have the highest and must noticeable impact. (4) Standards should be developed for each computer application and comparisom made between the standards and operational programmes and processing 'runs'. (5) Deviations from the standards should be listed on exception reports and investigated. Other operational logs and print-outs may be used to supplement SMF reports. It is essential that the project team ensures that a member of management is held accountable for following up deviations and exceptions and that the results of verifications are recorded. The investigation and resolution of exceptions is obviously an area that internal auditors should concentrate upon. COMPUTER SURVEILLANCE OF RECORDS TO DETECT FRAUD ------------------------------------------------ Many frauds, whether computer related or manual, leave glaring symptoms: account inventory/discrepancies, falsely created and converted credits or distortions in proportional, historical or reasonableness trends and ratios. Frauds manipulated inside the computer centre have impacts outside, in customer or suppliers accounts, stock or goods movement records. The computer tasks that any company might conduct to detect fraud symptoms will depend on three things. First, the risks, second the available records and third, the efficiency of manual methods of detection and prevention (critical point auditing, for example). The technical factors involved in setting up programmes to detect fraud symptoms by computer are nearly always simple sorting or comparison functions and need no detailed explanation. The highest level of security should be applied to the preparation and use of computer surveillance programmes. Documentation should be prepared and rigorous tests carried out. Preliminary risks should be manually investigated and validated against basic documents and known physical facts so that proper exception levels can be set. For the surveillance programme to have the greatest deterrent value, the exact nature of the tasks it conducts and the results it produces should be discussed and released on a strict need to know basis. Further, such progrrammes should be run during the day under supervision and the reports and files from which they are produced should be removed from the centre immediately after procesing has finished. They should not be left in operational libraries. The exception point-outs should be examined by a person held accountable for the task. The results of his follow up work should be recorded. INTERRELATIONSHIP OF DEFENCES ----------------------------- The defences that are available to prevent computer frauds and other violations are almost limitless. The project team should make sure that all real risks are countered but should be just as careful not to over react or 'overkill'. It should strive for an integrated defence consisting of before and after the fact controls: creation of a climate of honesty, back-up and detection. IMPLEMENTATION OF PROJECT TEAM'S RECOMMENDATIONS ------------------------------------------------- Some of the recommended defences will involve expenditure on physical barriers, locks, closed circuit television and alarms and, subject to funds, should present no difficulty in implementation. Other defences may call for revisions to existing accounting, computer operations, or security procedures. These should be drafted by the team, discussed with the staff who will have to operate or enforce them and then incorporated into existing manuals. It is seldom wise to compile seperate references on computer security; security consideration should be included in operations or systems manuals. Few security problems can be solved with a once off burst of attention and this is particularly true in the case of computers. Although there are things that a company can do immediately to improve the security of its computer systems, only a continuing programme of interest and concern can provide a lasting solution. Members of the team should be made responsible for ensuring that controls do not degenerate. Auditors also have an ongoing need to monitor and review the system. CONCLUSION ---------- This paper has been deliberately kept brief. (laugh). There is no point in delving deeply into the technicalities of computers and computer security. It is not impossible that one reason is because I'm not a computer scientist but a medical student with a brief knowledge but much interest in computer. Be that as it may, many of the defensive principles for computer systems are not different from those that would apply in manual accounting. Investigation of computer related fraud - once the symptoms have been detected in the theft act, concealment, or conversion elements - is no different from any other investigation. Computers in most circumstances are glorified book keepers, after all. They are an inconvinience to thieves who wish to steal assets and an unreliable ally to spies. They are merely part of a business and their defence should form part of a corporate plan.