In the case of Boutique Technology, the following aspects, with relevance to COBIT 4.1, resulted in fraudulent behavior:
1. Poor governance over processes:
- Alan’s (CEO) complete disregard for policy and procedure – may filter down to staff and affect morale
- No formal procedures for recruitment – no contracts to state pay rates, start and end dates, etc.
- Only three staff looking after accounting, finance and human resource functions – lack of segregation of duties
2. Lack of IT architecture and controls:
- No direct supervisor for the software development team – leaves the team largely to their own devices
- The company uses software created by its employees, and software it produces is trialed internally – employees could manipulate the programs
3. Lack of monitoring and evaluation:
- No mention of monitoring of staff/processes or internal audit, and a definite lack of supervisory positions
This case reflects some issues relating to fraud present in a workplace I was involved in. Lack of governance, specifically policy and procedure relating to payroll, meant there was no approvals process, resulting in a lack of segregation of duties. Employees therefore had unlimited access to the system and a number of ‘ghost’ employees were created, resulting in money being siphoned from the organization.
In smaller organizations there are limits on what processes can be utilized to overcome fraud. It is not necessarily practical for organizations of this size to have IT architecture boards or internal audit committees. I would recommend the following practical solutions to the CEO of Boutique Technology:
- Governance:
  - Development of a clear business strategy
  - Formal recruitment procedures and approval processes for accounting, finance and human resources functions
- IT:
  - Align IT objectives with business strategy through the introduction of an IT governance framework
- Monitoring/Evaluation:
  - Hire qualified IT executives and provide direct supervision for the software development team
  - Monitoring processes and internal audit team to assess risk