“A small business owner on the Gold Coast was crippled financially due to an
employee siphoning money from the business accounts into her own account. This
continued undetected for six months resulting in a loss of approximately
$115,000 – a huge loss for a small business. Ultimately, the business closed
down after struggling to meet its debts. The employee was able to perpetrate
the fraud as another employee had left the business and provided her with her
password for accounting and bookkeeping. Other than passwords, there were no
other control measures used by the business to protect its data and systems.
Therefore, the fraudster had both passwords required to gain access to various
accounts and found it quite easy to move monies into her own account.
Being only 18 years old, she used the money to purchase a car, play the pokies at the
casino, and buy gifts for her friends and family and jewellery for herself.
Once found, although the car was repossessed and resold to regain some of the
loss, no other monies were recovered by the business.
When interviewed by local radio, the business owner was asked if he was aware that
there are IT Governance controls that he could follow to help minimise this
problem occurring again. The owner replied that he had not been aware of the
risks associated with online accounting and banking, and regardless, was not a
big enough business to take on board IT Governance control measures – that they
would be too costly.”
I don’t agree with the business owner’s view, as any IT Governance
framework would have benefited his business: it would have made any fraudulent activity
stand out and, ultimately, made it more difficult for it to occur in the first
place.
Small businesses often assume that ITG
frameworks, such as COBIT 4.1, are not relevant to them because of their size.
This scenario shows that such frameworks are as important to them as
to a medium or large organisation, because without the appropriate systems in
place a fraud like this can result in the closure of the business.
I recommend that all small businesses adopt some type of IT
Governance within their organisation, for example COBIT 4.1. COBIT 4.1 has four
domains: Plan and Organise, Acquire and Implement, Deliver and Support, and
Monitor and Evaluate.
Governance ensures that the management practices in use
align IT with the objectives of the business. The organisation needs to
ask itself which risks are relevant to it, and which systems it can implement
to address those risks.
Cressey's fraud triangle, below, accurately demonstrates
what has happened in this particular scenario: the owner of this
small business took no action to stop fraud from occurring and also took no
notice of, or care with, the financial statements and the various transactions that
were occurring.
A perfect example of poor IT Governance is the case involving Clive Peeters vs Sonya Causer, a $20m fraud case over a two-year period from 2007 to 2009, resulting in massive losses for the company. According to the charges, Ms Causer took between $64,941 and $572,000 at a time, often in multiple transactions, to a total of $19.4 million. But after getting payments approved, she allegedly changed the account details so the money was siphoned into her own accounts.
The fraud was detected when senior staff were reconciling ledgers at the end of the 2008-09 financial year, but not before the company began a $38 million cost-cutting restructure to stem a cash-flow problem caused by the fraud. The company hopes to recover $16.4 million of the stolen money, after paying legal and land transfer fees, and expects to make a profit this financial year after last year's $9 million after-tax loss (Battersby, L. 2009). Read more: http://www.theage.com.au/national/electrical-store-20m-fraud-case-in-court-20091218-l5vh.html#ixzz1rzLJ851D
This case shows specific areas of poor IT governance and overall management within the organisation, which could have been avoided using the appropriate measures.