BUSCA

Links Patrocinados

Destaques NetSaber:
- Apostilas para Concursos Públicos
- Resumo de O Mundo de Sofia
- Telecurso 2000
- Apostila para Concursos
- Apostilas de Direito
- Apostilas de Contabilidade
- Resumo de O Guarani
- Resumo de Iracema
- Resumo de Dom Quixote
- Apostilas de Inglês
- Resumo de Dom Casmurro
- Apostilas de Informática
- Resumo de A Moreninha
- Apostilas para Vestibular
- Resumo de A Arte da Guerra
- Receitas Culinárias
- Dicionário de Português
- Frases e Citações
- Interpretação dos Sonhos
- Fontes Grátis
- Notícias
- Artigos
- Artigos sobre Fisioterapia
- Livros de Machado de Assis
- Livros de Casimiro de Abreu
- Download de Livros
- Livros de Filosofia
- Livros de Administração
- Livros de Direito
- Livros de Agronomia

INTERNAL AUDITORS have always had to play detective to some
degree as they sort through data and piece together facts.
Today, with threats to computer systems coming from all
over the globe instead of from just within organizations,
many auditors have to think like federal law enforcement
and intelligence agents as well. Cyber-crime has moved
information security considerably higher on the priority
list for many organizations. Online fraud is one of the
criminal threats that businesses are increasingly finding a
need to protect against. For auditors, this trend means a
growing need to help the organization track down cyber-
criminals and to learn how to stop Internet-based fraud
before it happens. Auditors might not have famed Hollywood
spy James Bond's high-tech gadgets at their disposal, but
there are tools they can use in the battle. The first is
knowledge.
"Auditors need to understand that there has
been a change in the paradigm of how business is being
conducted and how information is being stored, and they
need to be aware of the cyber-threat," says Howard Cox,
acting deputy general counsel with the Office of Inspector
General, U.S. Postal Service, and part of a group that
conducts IT audits of postal computer systems. "If you
don't recognize that the threat is out there, you can't
protect yourself against it."
To recognize the threat,
auditors must have a firm grasp of the technology and risk
issues behind the problem, says Alan Oliphant, an
information security and audit consultant in Edinburgh,
Scotland. "The majority of auditors still lag behind the
fraudsters when it comes to understanding cyber-
fraud."
DEFINING THE PROBLEM
Cyber-fraud has been a
threat to organizations since the early 1990s, when
business networks began connecting to the Internet. It can
affect any organization that uses the Web, from the largest
corporation or government to the smallest mom-and-pop
business, says Bill Jennings, director of the Financial
Services Group for Kroll Risk Consulting's Central
Region.
Internet connections have been cited for the
fourth year in a row as the most frequent point of attack
for cyber-crime by the 2001 Computer Crime and Security
Survey conducted by the Computer Security Institute (CSI)
and the U.S. Federal Bureau of Investigation. The
proportion of survey respondents who reported this
vulnerability rose from 59 percent in 2000 to almost 70
percent in 2001. In addition, the financial toll from
computer crimes and security breaches is continuing to
escalate. In fact, 64 percent of the 538 computer security
professionals surveyed from public and private
organizations in the United States acknowledged financial
losses from computer breaches. A substantial proportion of
these losses was attributed to financial fraud.
Although
there are numerous potential sources of internet-related
fraud, the most common, according to Cox, are:
*
Internal employees who use the Internet to anonymously gain
access to data that is not related to their jobs and then
misuse it for personal gain, compromising the
organization's security. These people usually are about to
be fired or are unhappy in their jobs.
* Disgruntled
contractors whose computer systems are linked to the victim
organization's computer systems. These offenders generally
are unhappy with the contractor relationship and want to
steal sensitive data, possibly to sell to competitors.
*
External third parties, or hackers. These can range from an
organization's business competitors to foreign governments
to organized crime rings stealing sensitive data such as
customer credit card information.
The perpetrators of
these cyber-crimes have one thing in common: They want to
compromise systems, steal data, or divert data. The reasons
are diverse, says Cox, whose group conducts criminal
investigations into hacking and hackers, but there aree primary motivations for using the Internet to commit
fraud. One, the Web is tapped into so many potential
sources of money, as more and more financial transactions
are conducted online. Two, the Internet is the perfect
venue for criminals to act anonymously because there are so
many ways of covering up identity. And three, new laws have
made obsolete some internal controls auditors have relied
on in a traditional environment.
For example, suppose an
auditor is looking at a claim submitted to a company about
a document he or she thinks the company never received,
such as a receipt from a credit card transaction. In a
paper world, the auditor would follow the paperwork and
seek an original document with a signature. Today, U.S. law
allows organizations to accept signed documents over the
computer instead of in writing.
This scenario represents
one of the most important controls that is compromised by
use of the Internet, says Oliphant, a frequent industry
speaker on the subject of cyber-fraud. There is little or
no physical evidence of transactions, such as credit card
purchases, that take place on the Web.
"With a physical
transaction in a shop, some form of signature on paper will
be available for forensic examination should a transaction
be suspect," Oliphant says. "In cyberspace, there is a
stronger element of trust."
If a company's auditors
believe a claim is false and they want to pursue the case,
their challenge is to determine the identity of the person
who hit the transmit button on the computer that sent the
document. This situation poses four problems for many
organizations that are not equipped to handle it, Cox
says:
* No proof of who sent the document.