If you haven’t noticed yet, the current crisis has created a wealth of opportunity for fraudsters and other ne’er-do-wells.
Every finance, shared services and GBS executive I have talked to since the start of the crisis has reported a much higher rate of fraud attempts, and over the past several weeks reports of cyberattacks have been running at three to five times the pre-Covid rate.
The business continuity plans that we all managed to implement have, in the main, been a great success. But global processes have been interrupted by policy changes and work-arounds, exposing us to greater risk than we anticipated, and that risk has a direct effect on cashflow at the very time cashflow is most critical. The determination to keep the engine of business running in a crisis has also bred an attitude of “OK, these are not normal times” towards unusual ways of getting transactions through. The changes in human behaviour are everywhere; our risk management approach, policies and controls have not moved nearly as fast.
We know from our practice that, pre-Covid-19, many global organisations had up to 20% of the access credentials and user IDs on their core financially relevant systems that were redundant or outdated and so presented a clear threat. Across a large enterprise that amounts to THOUSANDS of wrongly authorised access points into corporate applications. Whilst most firms had a reasonable handle on their direct employees, governance over the access rights of temporary workers, service providers, outsourcers, suppliers, business partners, consultants et al. tends to be much weaker.
There are countless examples of former employees (in the broadest sense above) having inappropriate access to their former employers’ purchasing, inventory, HR, payroll and financial systems.
Even before this crisis, Big 4 audit firms have commented: “The sudden rise in focus on attestation over user access is linked to the fact that PCAOB Audit Firm Inspections last year were very hot on this issue, and so external audit firms have been taking a firm line on this with their clients, which in turn means the clients are getting audit issues raised where they might not have done before.”
Now in 2020, it is still surprising to learn that the majority of global businesses do not have an effective Joiners, Movers, Leavers (JML) process for both permanent and temporary staff.
The current lockdown situation adds an extra “dynamic” to the JML challenge, with wholesale working from home and massive organisational change underway, not least the digitisation initiatives that have become essential for a post-Covid world. Working from home on personal devices, with systems and processes never designed for working in seclusion, and possibly with the fear of losing a job and its benefits and a dwindling retirement portfolio, creates exactly the pressure, rationalisation and opportunity that lead to fraud, waste and error.
The move from the age of the “ERP behemoth” to the post-modern “hub and spoke” ERP centric architecture is further challenging the status quo.
Addressing the risks from imperfect JML processes is becoming more relevant by the day. Now is the time to use the growing user access risk profile as the trigger for tackling the JML conundrum proactively.
Strategic, multi-year, technology-based initiatives can be contemplated, but there are quicker, sharper and more effective ways to address the issue in the near term.
Knowing the scale of the risk is the starting point for a much needed systemic control. Consider a one-off user access review and attestation cycle: showing the size and severity of the problem in your own organisation could open the eyes of everyone across the “Lines of Defence” and be the catalyst for enhancing your risk management processes ahead of the “Great Recovery”.
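To make the one-off review concrete, the following is an added example (written for this page, not a tool from the author's practice or any vendor) of the core reconciliation such a review performs: the application's exported user list is matched against the HR roster, and every enabled account is flagged if its owner has left, if it has no HR identity behind it (typical of third-party or service accounts), or if it has gone dormant. Severity is driven by the roles held, so the output gives both the size and the severity the paragraph above calls for. The HR roster, user export, role names and review date are all constructed sample data, and the field names are assumptions; a real run would read the same fields from your HR feed and ERP/payroll user export.

```python
"""Added example: a one-off user access review reconciling an application's
user export against the HR roster. All records below are constructed.
"""
from datetime import date

AS_OF = date(2020, 6, 30)  # review date (constructed)

# Constructed HR roster keyed by person id. "end_date" is the last working day,
# or None for someone still on the books. Contractors are carried on the same
# roster so that expired engagements are treated exactly like leavers.
HR_ROSTER = {
    "P001": {"type": "employee",   "end_date": None},
    "P002": {"type": "employee",   "end_date": date(2020, 3, 31)},   # leaver
    "P003": {"type": "contractor", "end_date": date(2020, 5, 15)},   # contract ended
    "P004": {"type": "contractor", "end_date": date(2020, 12, 31)},  # still engaged
}

# Constructed export from a finance application's user administration screen.
# "person_id" is the link back to HR; None means nobody in HR owns the account.
APP_USERS = [
    {"userid": "jsmith",     "person_id": "P001", "enabled": True,  "last_login": date(2020, 6, 29), "roles": ["AP_CLERK"]},
    {"userid": "mjones",     "person_id": "P002", "enabled": True,  "last_login": date(2020, 4, 2),  "roles": ["AP_APPROVER"]},
    {"userid": "ext_acme1",  "person_id": "P003", "enabled": True,  "last_login": date(2020, 5, 14), "roles": ["VENDOR_MASTER"]},
    {"userid": "ext_acme2",  "person_id": "P004", "enabled": True,  "last_login": date(2020, 1, 10), "roles": ["REPORT_VIEWER"]},
    {"userid": "svc_legacy", "person_id": None,   "enabled": True,  "last_login": None,              "roles": ["SYSADMIN"]},
    {"userid": "old_temp",   "person_id": "P999", "enabled": False, "last_login": date(2019, 8, 1),  "roles": ["HR_PAYROLL"]},
]

# Roles that can move money or change master data (constructed list; in practice
# taken from the application's SoD/role catalogue).
PRIVILEGED_ROLES = {"SYSADMIN", "VENDOR_MASTER", "AP_APPROVER", "HR_PAYROLL"}


def severity(roles):
    """High if the account holds any privileged role, otherwise low."""
    return "high" if PRIVILEGED_ROLES.intersection(roles) else "low"


def review_access(app_users, hr_roster, as_of, dormant_days=90):
    """Return one finding dict per enabled account that needs attestation.

    Checks, in priority order:
      no_owner             - enabled account with no HR identity behind it
      leaver_still_enabled - owner's end_date is before the review date
      dormant              - never logged in, or not within dormant_days
    """
    findings = []
    for u in app_users:
        if not u["enabled"]:
            continue  # a disabled account is not a live access path
        person = hr_roster.get(u["person_id"]) if u["person_id"] else None
        issue = detail = None
        if person is None:
            issue, detail = "no_owner", "enabled account with no HR identity"
        elif person["end_date"] is not None and person["end_date"] < as_of:
            issue = "leaver_still_enabled"
            detail = f"{person['type']} left on {person['end_date'].isoformat()}"
        else:
            last = u["last_login"]
            if last is None or (as_of - last).days > dormant_days:
                issue = "dormant"
                detail = "never logged in" if last is None else f"last login {last.isoformat()}"
        if issue:
            findings.append({"userid": u["userid"], "issue": issue,
                             "severity": severity(u["roles"]), "detail": detail})
    return findings


def summarise(findings, app_users):
    """Size of the problem: how many live accounts were flagged, and for what."""
    enabled = sum(1 for u in app_users if u["enabled"])
    by_issue = {}
    for f in findings:
        by_issue[f["issue"]] = by_issue.get(f["issue"], 0) + 1
    flagged = len({f["userid"] for f in findings})
    return {
        "enabled_accounts": enabled,
        "flagged_accounts": flagged,
        "flagged_pct": round(100.0 * flagged / enabled, 1) if enabled else 0.0,
        "by_issue": by_issue,
    }


if __name__ == "__main__":
    results = review_access(APP_USERS, HR_ROSTER, AS_OF)
    for f in sorted(results, key=lambda f: (f["severity"] != "high", f["userid"])):
        print(f"{f['severity']:4}  {f['userid']:11} {f['issue']:22} {f['detail']}")
    print(summarise(results, APP_USERS))
```

On the constructed data four of the five enabled accounts are flagged: two leavers still enabled (one of them a contractor whose engagement ended), one service account nobody in HR owns, and one dormant reporting user. Running the same reconciliation per system is what turns the "up to 20%" figure from an anecdote into a number your own Lines of Defence can attest against; the `dormant_days` threshold and the privileged role list are the two parameters a review board would normally tune.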
To give you more insight into the why, what and how of this issue, we will shortly be running a webcast titled “Addressing User Access Risk – From Probable Threat to Effective Control”. Keep your eyes peeled for it as we share the experiences of your peers around the world.
Thanks for reading!