Protecting reputation and asset value from the onslaught of cybercrime
Forensic audit services such as forensic accounting, investigative and legal services are often swathed in an air of mystery. Even the most senior officers in an organisation do not necessarily understand forensic involvement and may have only limited insight into its essential role in securing good governance, reputation and asset value.
However, as the risk of fraud and corruption becomes greater and ever more complex, forensic audit services are an essential arrow in the quiver of risk management protocols. That applies to both sides of the issue: identifying and preventing risk on the one hand, and investigating and prosecuting fraud on the other.
In previous decades, the focus was mainly on the latter function. Forensic audit services were essentially reactive in nature and were used mainly to investigate and gather evidence of fraud for presentation in a disciplinary forum or court of law. More recently, this aspect of the broader auditing function has come to include a range of disciplines and technologies aimed at detecting and preventing fraud. Investigations now include a wide spectrum of forensic methodologies which are used to investigate criminal irregularities ranging from computer-based fraud to fraud-related financial statement misconduct – and just about everything in between.
Especially within the framework of King III, forensic audit services have taken on a broader role in both business and government than before. Fraud has become more complex as technology has evolved, and fraudsters have become more organised too. Just as a group of like-minded professionals would organise themselves into a firm to provide a range of specialist services, criminals now also organise into syndicates to pool their various skills.
Local and international syndicates are, however, not the only cause for concern. Other cases are perpetrated by individuals or small groups working from within the organisation or gaining access through its information or computer system.
The problem is that the proliferation of technology has actually made businesses and organisations potentially more vulnerable to fraud. For instance, an executive might receive highly confidential e-mails on his or her smartphone and might store passwords or other critical information on that device. Should this be stolen, a knowledgeable thief could gain access to confidential personal and business information, as well as to the entire business system.
Historically, both business and government have been slow to recognise the fact that information is a commodity and is in fact a contemporary organisation’s most valuable asset. Fraud and corruption involving cash amounts have therefore become less of a risk than they once were, as money is mostly handled and transferred electronically. A real risk to an organisation may therefore be that of perpetrators gaining access to its computer system, banking details and/or confidential records.
Recently, MTN was defrauded of millions of rands in air time by a Russian hacker, which highlighted the issue of managing IT-related fraud. As more and more transactions take place online, and a new generation of computer-savvy fraudsters becomes more sophisticated, the risk of IT fraud is increasing exponentially.
Businesses all over the world find themselves in a continuously changing operating environment and oversight functions therefore need to evolve accordingly to stay relevant in the face of potential fraud risk.
The alleged fraud at MTN demonstrates how vulnerable even large companies can be to incidents like these. It is therefore crucial, from both a management and stakeholder point of view, to mitigate these risks in key areas by having a proper fraud risk management plan in place, supported by effective policies and procedures.
In part, this means clearly defining the processes that should be followed in the case of a material breach of any IT system. It also means putting effective system controls in place to detect and prevent the occurrence of fraud, and so mitigate risk.
If fraudulent activity has been perpetrated, the role of the forensic audit team is to minimise the extent of the fraud and to identify and bring the perpetrator or perpetrators to justice. Early warning systems are invaluable, as are specialised investigative services.
The stakes for companies are high, not only in terms of revenue loss, but in terms of customer trust and reputation in the marketplace. This may be one of the greatest unrecognised threats when it comes to IT-related fraud. After the initial loss of monetary value to the company, there is the less tangible cost of loss of reputation and business.
South Africa has some of the best corporate governance and risk management guidelines in the world, but to become meaningful these need to be translated into actively enforced policies and procedures by alert managements.
Author: McComb Taylor, BCom, LLB, MCom, Dip (Insolvency Law), is an Admitted Attorney and Head of Forensic Audit Services, SekelaXabiso.