
Controls

Article 12.8.2020 Dean Dorton

Over the course of the past nine months, many of our clients’ business processes were shaken up, employees shifted to working in isolation, and internal controls were pulled apart.

Monitoring an organization’s pulse can be a challenge, but during these unprecedented times it can feel almost impossible. Unfortunately, sitting back and just hoping for the best is not the right response; there are serious money and reputational issues at play, no matter the size of your organization.

Although we live in an ever-changing world, there are three concrete things you can do to protect your organization from potential fraud:

1. Internally communicate

Remote work has the potential to make our teams feel disconnected and isolated. This can lead to various motivations and opportunities for fraud, especially if conditions persist for an extended period of time.

Now is the right time to establish an ongoing culture of communication within your organization. Start with planning out weekly team meetings with time for open conversations about what is and isn’t working well. The more receptive you can be to honest responses, the more trust you will build inside your company.

2. Re-establish internal control processes

Many of our business functions have permanently changed and responsibilities have shifted around. Now is the perfect time to map out your current control processes in writing (this exercise is sometimes easier said than done). Then, assess each process to see if proper segregation of duties, approvals, and information access are in place for each function.

3. Launch a whistleblower hotline

No matter the size or structure of your organization, implementing an ethics or whistleblower hotline can be one of the best investments you can make to protect your organization against fraud.

The Association of Certified Fraud Examiners found that 43% of detected fraud was uncovered due to a tip. Additionally, fraud losses at companies with a hotline were nearly half the amount of losses experienced by companies without a hotline: a $100,000 median loss compared to $198,000.

Tip hotlines have also had a positive impact on reducing the length of frauds, helping organizations detect fraud an average of six months faster.

In this unpredictable landscape, organizations should make it easy for their employees to report suspected fraudulent activity/theft, misconduct, or unethical behavior, and to remain completely anonymous throughout the entire reporting process. This is one of the most effective and inexpensive improvements you can make to your company.

The Dean Dorton team has streamlined our Whistleblower Hotline service to be an affordable plug and play option for a wide range of organizations. If you haven’t implemented a hotline yet, we would love to talk with you about your options.

Learn More about Dean Dorton’s Whistleblower Hotline

Dean Dorton is here for you as your organization navigates through these unprecedented times. Contact us if you have questions about adapting and changing to this new landscape.

Nick Lynch, CPA/CFF, CFE
Consulting Associate Director
nlynch@deandorton.com • 859.425.7635

Filed Under: Forensic Accounting, Risk Management, Services Tagged With: communication, Controls, fraud, hotline, prevention, whistle blower

Article 06.24.2020 Dean Dorton

I never cease to be amazed at the creativity and effort of cyber criminals. Any time I think I’ve seen it all, our team runs across a new tactic that has caused significant harm to a business. This week we assisted a client that fell victim to a complex, yet simple cyber-scheme, leading to the compromise of bank accounts and the possible loss of millions of dollars. Please share this article with anyone in your organization who is involved in the banking and finance area. You do not want this happening to your organization.

Just when we get comfortable with the assumption that our controls are protecting us, cyber criminals find a new way to bypass security measures. This industry is ever-changing. We spend a lot of time preaching about multi-factor authentication (MFA), and for years banks have provided customers with comfort in this control. This week we saw that control fail, further reinforcing the importance of layered security measures and continual risk assessment and control improvement.

It all started with a user in our client’s accounting department who had elevated administrative access to the corporate online banking platform. This user searched for their banking login page through a normal Google search. She clicked the search result and navigated to the bank login website (or so she thought). She entered her user ID, her password, and her rotating MFA token code to log in as normal. Little did she know, the top result was not the site that she expected. The website into which she entered her sensitive information, including the MFA token, was a fake site, mocked up to look identical to her real banking login site. The cyber criminals instantaneously initiated a login to the real banking site using her credentials and MFA token to gain access to the bank account. Think about the sophistication here—on average, MFA codes change about every 30 seconds.

Upon gaining access to the real account, the cyber criminals quickly moved to create additional user accounts. These accounts were used to initiate multiple wire requests for hundreds of thousands of dollars each (close to $2 million in total). They then used the compromised account to approve the wires they had initiated with the fake user accounts. During this same time, they initiated attacks on the compromised user’s email to flood the inbox and distract the user from seeing any banking communication. Later they initiated a distributed denial of service (DDoS) attack against the user’s internet connection. This rendered the user’s internet connection basically useless. The cyber criminals attempted to limit the user’s ability to access the real bank account or any other online resources, thus helping to cover their tracks.

At the time of this article, the user is still working with the bank to recover a large portion of the funds that were not stopped before they were fully processed.

What are the critical lessons learned and how do we improve our controls to protect your organization?

  • Be sure you have a robust and continual user awareness training program.
    • Users should be cautious of search results.
    • Users should be cautious about clicking links in emails and never click on links regarding banking.
  • Review your online banking platform security and controls.
    • Be sure all users’ logins have multi-factor authentication
    • Be sure you are using all of the latest security controls offered by your bank
    • Think through segregation of duties. First, an approver should not be able to create/initiate transactions. Second, a user who can approve/release funds should not have the ability to create users and manage user security.
    • Your bank should provide controls that prevent any one single person from making changes to user security. Any security changes should require secondary approval and the secondary approver should not have any transaction approval authority.
    • Many people ignore segregation of duties in smaller organizations, likely due to physical personnel limitations. This should not be an excuse. Leverage trusted advisors like your CPA or attorney to give you the secondary approval, if needed.
  • Continually evaluate your cyber risks and improve your controls. As we have seen here, very reliable controls like MFA can potentially now have vulnerabilities under certain targeted campaigns. Layer controls whenever possible.
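The segregation-of-duties and MFA points in the list above can be checked mechanically against an entitlement export from the banking platform. The following Python script is an added example written for this page; it is not code from Dean Dorton or from any bank. The CSV layout, the entitlement names (INITIATE_WIRE, APPROVE_WIRE, CREATE_USER, MANAGE_USER_SECURITY, APPROVE_SECURITY_CHANGE) and the sample users are all constructed assumptions that would have to be mapped to a real platform's export. It flags logins without MFA, the toxic combinations the article describes (approver who can initiate, approver who can manage users, security approver who can approve wires), and any security administrator who has no independent secondary approver.

```python
"""Segregation-of-duties audit of an online banking entitlement export.

Added example. The CSV format, entitlement names and users below are
constructed assumptions, not any real bank's export.
"""
import csv
import io

# Entitlement pairs that one login should never hold together, with the
# reason to report. Each pair maps to a point in the article's control list.
TOXIC_PAIRS = {
    frozenset({"INITIATE_WIRE", "APPROVE_WIRE"}): "approver can also initiate wires",
    frozenset({"APPROVE_WIRE", "CREATE_USER"}): "wire approver can create users",
    frozenset({"APPROVE_WIRE", "MANAGE_USER_SECURITY"}): "wire approver can change user security",
    frozenset({"APPROVE_SECURITY_CHANGE", "APPROVE_WIRE"}): "security-change approver also approves wires",
}

# Constructed sample export: one row per login, entitlements separated by ';'.
SAMPLE_EXPORT = """\
user_id,mfa_enabled,entitlements
alice,true,INITIATE_WIRE
bob,true,APPROVE_WIRE;CREATE_USER;MANAGE_USER_SECURITY
carol,false,INITIATE_WIRE
dave,true,MANAGE_USER_SECURITY
erin,true,APPROVE_SECURITY_CHANGE
"""


def parse_export(text):
    """Return {user_id: {"mfa": bool, "entitlements": set}} from CSV text."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        ents = {e.strip() for e in row["entitlements"].split(";") if e.strip()}
        users[row["user_id"].strip()] = {
            "mfa": row["mfa_enabled"].strip().lower() == "true",
            "entitlements": ents,
        }
    return users


def find_violations(users):
    """Return a list of (user_id, finding) tuples for every control gap found."""
    findings = []
    for uid, info in sorted(users.items()):
        if not info["mfa"]:
            findings.append((uid, "login without MFA"))
        for pair, reason in TOXIC_PAIRS.items():
            if pair <= info["entitlements"]:
                findings.append((uid, reason))

    # Dual control on user-security changes: every login that can change user
    # security needs a *different* login that can approve those changes and
    # that holds no wire-approval authority itself.
    admins = [u for u, i in users.items() if "MANAGE_USER_SECURITY" in i["entitlements"]]
    independent_approvers = [
        u for u, i in users.items()
        if "APPROVE_SECURITY_CHANGE" in i["entitlements"]
        and "APPROVE_WIRE" not in i["entitlements"]
    ]
    for uid in sorted(admins):
        if not [a for a in independent_approvers if a != uid]:
            findings.append((uid, "no independent approver for security changes"))
    return findings


def audit(export_text):
    """Parse an export and return its findings; convenience wrapper for callers."""
    return find_violations(parse_export(export_text))


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_EXPORT):
        print(f"{user}: {finding}")
```

In the sample, `bob` is flagged twice (a wire approver who can also create users and change security, exactly the position the attackers exploited in the case above) and `carol` is flagged for having no MFA; `dave` passes because `erin` can independently approve his security changes. Re-running the audit after every user or entitlement change on the platform turns the article's "think through segregation of duties" into a repeatable control rather than a one-off review.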

Contact us to evaluate your cyber risks and improve controls before your organization becomes the next victim.

Cybersecurity Assessment Information

Filed Under: Cybersecurity, Services, Technology Tagged With: Banking fraud, case study, Controls, cyber criminals, Cybersecurity, fraud, protections
