
ISACA Kampala Chapter Annual Security Workshop. Godffrey Mwika, CPA(K), CIA, CISA, CISM, Risk Consulting Division, KPMG East Africa. SECURITY DECISIONS: THE CHALLENGES FOR TODAY AND TOMORROW.

Presentation transcript:

Slide 1: ISACA Kampala Chapter Annual Security Workshop
Godffrey Mwika, CPA(K), CIA, CISA, CISM, Risk Consulting Division, KPMG East Africa
SECURITY DECISIONS: THE CHALLENGES FOR TODAY AND TOMORROW
Godffrey Mwika, Risk Consulting, KPMG East Africa, 5/8/2015

Slide 2: Information Insecurity
Real-life cases of how businesses are losing cash without trace.

Slide 3: Information insecurity
Failure to protect information assets from the following risks:
– Unauthorized access
– Unauthorized use
– Disclosure to unauthorized parties
– Disruption of the information

Slide 4: Information insecurity
Failure to protect information assets from the following risks:
– Modification
– Viewing, perusal, inspection
– Writing, recording or editing
– Deletion or other forms of destruction

Slide 5: Information insecurity
Generally it is failure to ensure that the three key components of information security are established and operational, i.e. CIA:
– Confidentiality (C)
– Integrity (I)
– Availability (A)
The order of importance is debatable.

Slide 6: Why information insecurity
Reasons why information will be insecure:
– Software weaknesses – when applications are made insecure at development
– When an organisation has not classified its information – restricted, confidential, protected, public, unclassified, etc.

Slide 7: Why information insecurity
Reasons why information will be insecure:
– Lack of capacity – inadequate IT resources to assess and mitigate security risks
– Poor or non-existent risk management framework for information security risks, hence no mitigating factors

Slide 8: Why information insecurity
Reasons why information will be insecure:
– Governance issues – tone at the top on IS risks is wrong or missing
– Wrong attitude – ‘Snakes are not dangerous till they bite me’
– Underestimating the people risk factor

Slide 9: Why information insecurity
Reasons why information will be insecure:
– Poorly defined business processes – this includes issues like lack of separation of duties and conflicting roles (labour cost)
– Fraudulent intentions – where fraudulent managers and staff prefer insecure systems

Slide 10: Why information insecurity
Reasons why information will be insecure:
– Resistance to change – security comes with responsibility, role definition and process design/redesign, and people may resist
– Ignorance and general lack of knowledge

Slide 11: Information Insecurity – Losses
When business information is insecure and the weaknesses are exploited, the result is either:
– Direct cash losses – direct benefits to the people exploiting the security gaps
– Indirect cash losses to an organisation as a result of the security gaps

Slide 12: Suppliers Master Data Insecurity
– Creation of non-prequalified suppliers and deletion after fraudulent payments have been made
– Amending supplier details for fraudulent payments
– Violation of separation of duties in systems
– Create, use and delete scheme
– A company pays for poor-quality work or no work at all

Slide 13: POP and Goods Receipts Insecurity
– System holds on order matching are overridden to allow wrong or inadequate receipts to be delivered
– Exaggerated usage reports to reconcile ghost deliveries
– Un-reconciled production reports
– Accounting for cost of production based on actual usage only (end to end), without stepwise business-process WIP management

Slide 14: POP and Goods Receipts Insecurity
– Contract/order breakdown into small bits to skip certain levels of management approval
– Creation of orders for unwanted items in the mix of wanted ones
– Buying with a view to write off
– Generating GRN/SRN for non-existent technical and complicated services – when there is no control of services in the system – using heavy terminology to confuse accounts

Slide 15: Payments Insecurity
– Procure-to-payment manned by a single person (intentional or unknown) – cutting labour costs and losing cash
– IT with unlimited and uncontrolled access to the business process modules
– No relationship between POP, suppliers master and payment system
– Manual payments captured in the system later

Slide 16: Payments Insecurity
– Down payments that are never recovered on final payment
– Access controls over the payment master
– Duplicate supplier payments undetected by the system
– Deliberate disputes created by suppliers to recover un-reconciled amounts in a company
– Approving many small immaterial payments and preparing a final single payment

Slide 17: Customers Master Insecurity
– Creating customers, trading on credit and deleting them from the database
– Varying credit limits, trading and reversing
– Posting ‘erroneously’, trading and reversing the posting
– Endless unexplained postings into a customer’s account
– Inter-account transfers that are ‘due to error’

Slide 18: Customers Master Insecurity
– Deleting invoices from customers’ accounts and describing it as an error
– Unapproved credit notes posted in customers’ accounts without support
– Confused customers’ accounts that take too long to reconcile while goods are shipped
– Customers switching between cash and credit terms temporarily

Slide 19: Sales Order Processing Insecurity
– Unprotected price master
– Big customer orders placed on the eve of a price increase to frustrate the price increase and favour an individual
– Moving customers to price regimes they don’t deserve
– Hedging orders floated in the system to await a favourable price
– Fraudulent and unnecessary promotions

Slide 20: Inventories Insecurity
– Product master changes to accept wrong goods which are later written off as obsolete goods
– Changes of product usage to cover stock losses
– Deletion of missing/misappropriated inventories from the database
– Malicious issues and receipts
– Weighbridge fraud – ‘cheating the system’

Slide 21: Government Systems Insecurity
– Unrecorded receipts
– Parallel systems to beat IT-based systems
– Ghost payments
– Deliberate system crashes
– Bureaucracy
– Resistance to ICT
– Most old government staff ignore IT
– Young government staff take advantage

Slide 22: Overtime and Payroll Insecurity
– Recording un-worked hours
– Varying the value of hours worked
– Paying twice for the same hours, even more than 24 hours a day
– Running parallel payroll systems for the bank and for accounting, then creating reconciling differences that are never resolved
– Editing salaries and wages after computation but before transmission to increase net pay

Slide 23: Taming Insecurity
– Align ICT to business needs – a MUST DO
– Define your data and classify it correctly; different information has different levels of insecurity
– Define all process-level risks and implement controls for them
– Use CAATs for continuous auditing procedures
– Establish a risk management system that includes all business process owners

Slide 24: Taming Insecurity
– Have a clear ICT security policy
– Define security roles and separate duties between ICT and business, and between business process owners
– Develop and implement monitoring reports that managers can review continuously
– Conduct proper investigations and punish violations mercilessly as a deterrent
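The CAAT and monitoring-report points on slides 23 and 24 can be made concrete with a few continuous-auditing checks over ERP extracts, targeting the supplier create-use-delete scheme (slide 12), a single person preparing and approving a payment (slide 15) and duplicate supplier payments (slide 16). This Python is an added example, not code from the presentation or from KPMG; the supplier audit log and payment run are constructed sample data, and the record layout and the 30-day create-to-delete window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the presentation): a supplier-master
# audit trail and one payment run, as a CAAT would extract them from the ERP.
SUPPLIER_LOG = [  # (supplier, action, date, user)
    ("S100", "create", "2015-04-01", "jdoe"),
    ("S200", "create", "2015-04-02", "asmith"),
    ("S200", "delete", "2015-04-20", "asmith"),
]
PAYMENTS = [  # (payment_id, supplier, date, amount, invoice_ref, prepared_by, approved_by)
    ("P1", "S100", "2015-04-05", 4800.0, "INV-77", "jdoe", "mgr1"),
    ("P2", "S100", "2015-04-06", 4800.0, "INV-77", "jdoe", "mgr1"),
    ("P3", "S200", "2015-04-10", 9500.0, "INV-12", "asmith", "asmith"),
    ("P4", "S300", "2015-04-11", 1200.0, "INV-90", "bob", "mgr2"),
]

def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")

def duplicate_payments(payments):
    """Slide 16: same supplier, amount and invoice reference paid more than once."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p[1], p[3], p[4])].append(p[0])
    return [ids for ids in groups.values() if len(ids) > 1]

def self_approved(payments):
    """Slide 15: preparer and approver are the same user (no separation of duties)."""
    return [p[0] for p in payments if p[5] == p[6]]

def create_use_delete(supplier_log, payments, max_days=30):
    """Slide 12: supplier created, paid, then deleted within max_days (assumed window)."""
    created, deleted = {}, {}
    for sup, action, date, _user in supplier_log:
        (created if action == "create" else deleted)[sup] = _day(date)
    flagged = []
    for sup, born in created.items():
        gone = deleted.get(sup)
        if gone is None or gone - born > timedelta(days=max_days):
            continue  # still active, or lived long enough to look like a real supplier
        if any(p[1] == sup and born <= _day(p[2]) <= gone for p in payments):
            flagged.append(sup)
    return flagged

if __name__ == "__main__":
    print("duplicates:", duplicate_payments(PAYMENTS))                      # [['P1', 'P2']]
    print("self-approved:", self_approved(PAYMENTS))                        # ['P3']
    print("create-use-delete:", create_use_delete(SUPPLIER_LOG, PAYMENTS))  # ['S200']
```

Each function returns the record ids to put on a manager's exception report; in practice the extracts would come from the ERP's audit tables and the thresholds would be tuned to the business.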

Slide 25: Questions?

Slide 26: Thank you all very much (Ahsanteni Sana) ... Be Secure. Goodbye (Kwaheri)!

