Copyright © 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.
A Wake Up Call to All Information
Security and Audit Executives:
Become Business-relevant
By Patrick Taylor
C
hief information security officers (CISOs) and chief
audit executives are feeling plenty of heat in today’s
corporate environment. Both are at the center of new,
highly visible US legislation that includes the Sarbanes-Oxley
Act, Patriot Act, Gramm-Leach-Bliley Act and Health
Insurance Portability and Accountability Act (HIPAA).
While preventing and detecting losses, both positions are
expected to protect the corporate officers from ending up in
jail. And finally, both are considered “overhead” cost and their
budgets tend to end up on the corporate cutting-room floor.
Talk about a no-glory, high-stress position with all risk and
no reward. Under these elements, most CISOs and chief audit
executives keep one eye on their job and the other on their
“career dissipation light.”
Most CISOs and chief audit executives have dreamt about
becoming “business-relevant” by finding a true and
measurable return on investment—to stand shoulder-to-
shoulder with business unit executives and claim a traceable
portion of the bottom line. That is what they want and that is
why they need to protect their budgets and, in some cases,
their careers.
In the midst of the increasing pressure from regulations,
CISOs and chief audit executives face new risks from
enterprise rollout of business software packages, such as SAP,
PeopleSoft and Oracle. While the built-in controls within these
business systems are designed to prevent fraud and errors, the
implementation of these controls is counterproductive and has
not been effective in combating fraud.
In this complex environment, business process integrity
monitoring offers the potential to identify fraud and payment
errors as they occur, to prevent financial leakage before money
leaves the enterprise. Finally, CISOs and audit executives
possess the means to deliver a hard return on investment and
measurable results to the bottom line.
New Systems Create Risk
The advent of enterprise resource planning (ERP)
applications, in addition to e-commerce-driven solutions, has
streamlined many business processes, reduced overhead and
created new productivity gains in the way business is
conducted. However, by eliminating a paper trail and
increasing the number of users accessing corporate systems,
the Information Age has opened the door for insider deceit,
theft and fraud.
While these efficiencies are too great to go back to the old
days of “approved” stamps and paper files, businesses and risk
managers must find a new means to replicate the function of
the long-replaced control department that once sifted through
invoices, purchase orders and payment vouchers to make sure
that all the numbers matched up.
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 6, 2004
Fraud—A Growing Problem
While Internet-related hacks make the headlines for
disrupting business and putting personal information at risk,
internal fraud remains the dirty little secret for many
businesses. For this reason, enterprises have historically
focused on perimeter defenses, such as network firewalls and
virtual private networks, to keep unauthorized outsiders from
accessing internal systems. However, industry reports
demonstrate the huge financial losses inflicted by fraud.
In its 2003 study of global economic crime,
PricewaterhouseCoopers surveyed 3,600 organizations and
found that the average company lost US $2.2 million to fraud.
According to the survey, all industries were affected, with
more than 30 percent of respondents reporting fraud.1 The
PricewaterhouseCoopers survey also cited fraud’s impact on
“reputation, brand image and staff morale” as more damaging
than the actual financial loss. In its 2004 Report to the Nation,
the Association of Certified Fraud Examiners reported that the
average company loses 6 percent of total revenue to fraud
every year.2
Unfortunately, automated business systems are frequently a
facilitator of fraud. As users become more familiar with a
system over time, they figure out the logic behind it and learn
how to beat the system for their benefit. These “business
hackers” are now able to game the system. Systems-based
fraudulent schemes can include:
• False (or “ghost”) vendors who invoice the organization
• Ghost employees on the payroll
• Accounts payable tampering to redirect payments
• Fabricated commissions
• Fictitious invoices, refunds or expense claims from valid
vendors, customers or employees
Most enterprises do not have to look far to find examples of
potential fraud in their business. Traditional fraud detection
looks for vendors with billing addresses similar to those of
employees. However, an employee can target a valid vendor by
changing the vendor’s mailing address just before the batch
print run of checks. After checks are printed, the employee
then goes back into the system to reenter the original valid
address. When dealing with employees who figure out that
they can go into the system to cover their tracks, the evidence
of fraud is now transient.
Authorized insiders often circumvent internal controls to
bypass inefficient processes. While this flexibility can boost
productivity, it also opens the door for fraud and errors by
overriding proper approvals and potentially creating duplicate
accounts or introducing systems-based errors.
Misuse and abuse of the system often create an opportunity
for other, less moral insiders to commit fraud. For example, if
an employee sees that an invoice is paid twice or a single
invoice is booked twice, he then recognizes the opportunity to
commit fraud by routing the second payment for personal benefit.
The opportunity to commit fraud has also increased. The
number of transactions per employee has increased
dramatically with automated systems. As businesses share
more information with vendors, suppliers and contractors by
linking their systems, fraud has the potential to pervade an
enterprise in unforeseen places. With the number of
transactions rising, internal auditors cannot keep pace by
relying upon sampling-based audits.
The June 2002 Gartner report, Moving to Transaction Incident
Monitoring for IS Security,” sums up the insider risk by stating:
Historically, hackers have not really been a problem. The
major threat comes from technology-minded insiders who
have knowledge about processes, business system
customizations and technologies. Insiders such as current
employees, recently terminated employees, subcontractors and
consultants are significantly more dangerous than outsiders.
Any individual familiar with internal business processes
represents a significant threat. Most instances of computer
crime involve insiders abusing processes and circumventing
control measures to take money or cause damage. In some
business environments, such as ERP or CRM, 95 percent of
fraud comes from insiders or internal users with access to
key data transactions.3
System Controls—The First Line of Defense
To identify and prevent fraud, enterprises are increasingly
reliant upon the built-in controls of their ERP applications. For
example, segregation of duties can protect a company by
enforcing a control rule that does not allow the same person to
approve an invoice and a related payment voucher.
While these control functions can be incredibly detailed,
maintaining and updating the control functions are often
overlooked, because they are considered a heavy burden for
which no one has time. Keeping up with new users,
eliminating old users and adding new roles for existing users
can be a daunting task. In many cases, these control functions
are never implemented properly due to their complexity and
need for understanding of all business processes.
While internal auditors often identify vulnerabilities within
a business system, their recommendations for more stringent
system controls are in many cases overruled because of direct
costs of implementing and maintaining those controls or
because they introduce unwelcome inefficiencies.
Business Process Integrity Monitoring—
From Concept to Implementation
While the Information Age has increased the opportunity
for fraud (and for deceitful employees to cover their tracks),
enterprises are now recognizing their need for an independent
review of individual business transactions. In essence,
businesses need an automated control department to audit
human judgment without adding overhead.
While the concepts of continuous audit have been around
for more than a decade, technological limitations stood in the
way of practical solutions. Recent advancements of enterprise
financial applications, networking technology and software
analysis create an opportunity to increase financial
transparency. Solutions for business process integrity
monitoring leverage these advances to focus on financial
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 6, 2004
systems that are most frequently the target or source of fraud
or errors—accounts payable and payroll.
However, the same technologies and applications are easily
extended to monitor the integrity of other business processes,
such as order to cash and financial reporting.
The accuracy, effectiveness and success of business process
integrity monitoring depend upon four main elements:
• Continually updated primary data from all relevant financial
systems
• A universal ontology for analysis of common information
across multiple financial systems
• Independent analysis that simulates the tests and knowledge
base of auditors and fraud examiners
• Alerts that allow auditors to track down precise instances of
financial leakage and reports that document transaction
integrity
Primary Data and Continuous Updates
Because business systems allow for information to be altered
with little documentation of what actually transpired, common
account payable schemes can involve the changing of a mailing
address or routing number just before payments are made and
then changing the information back shortly after. Business
process integrity monitoring must continually pull information
directly from the various financial applications, independent of
the financial systems, to detect the temporary changes.
Primary data are essential for business process integrity
monitoring to detect this elementary scheme. Primary data
refer to the lowest level of business activity—not bits and
bytes, but rather the underlying results.
While comprehensive data acquisition provides the
foundation, a business process integrity monitoring system is
irrelevant if the data acquisition process disrupts the accepted
business practices for appropriate transactions. Data acquisition
must be practical. It cannot introduce an extra load that
significantly degrades overall performance of the business
system. Furthermore, a business process integrity monitoring
system’s data acquisition must not lower the reliability of the
business system.
Universal Ontology
As business process integrity monitoring collects information,
it must organize that data into a useful format that can be
analyzed. The acquired data must be processed into a unified
schema or universal ontology, which allows heterogeneous data
from multiple data sources to be analyzed on a one-to-one basis.
This ontology is essential for business process integrity
monitoring to leverage its reasoning and analysis across
multiple business systems. Business process integrity
monitoring should be applied across all business systems,
including:
• Legacy software applications customized for the specific
enterprise
• Enterprise resource planning applications, such as SAP,
PeopleSoft, J.D. Edwards or Oracle
• Customer relationship management modules within the ERP
system or separate applications, such as Siebel, Goldmine or
Salesforce.com
A February 2004 survey from the Hackett Group, an
Atlanta-based research firm, highlighted the importance of a
universal ontology. The Hackett Group study concluded that
the average US $1 billion company operates 48 separate
financial systems and manages 2.7 ERP systems.4
 Independent Analysis
The analysis of business process integrity monitoring must
be based on a series of tests that auditors or fraud examiners
would apply if they were evaluating the integrity of the
transaction. Inherently, this process is nearly impossible with
simple, rules-based audit tools that test for threshold violations.
However, advanced computer analysis for business process
integrity monitoring can be tuned to:
• Make temporal comparisons—This is the ability to reason
about current and historical information, including the current
and previous states of a transaction, a vendor or an employee.
• Identify a level confidence—How likely is something to have
occurred? Some tests can increase or decrease the confidence
assigned by other tests.
• Determine an impact—Similar to confidence, analysis
should calculate and assign an impact to an event or
irregularity.
• Adjust alerts incrementally—With continual updates,
analysis should be incremental, whereby an irregularity that
initially looks moderately confident may later increase or
decrease in confidence (and impact) as additional
transactions are considered.
• Correlate multiple events and transactions—Trends and
patterns should be identified from individual events and
transactions, each of which individually might seem
innocuous.
Benefits of Business Process
Integrity Monitoring
CISOs and audit executives can achieve immediate value
from business process integrity monitoring by preventing
financial loss, easing the burden of internal controls and
empowering businesses to continually improve their operations.
Business process integrity monitoring identifies anomalies
that would have otherwise gone undetected in manual, sample-
based or retrospective audits. However, business process
integrity monitoring can also reduce financial leakage and
unnecessary losses from ever happening by quickly identifying
any anomaly and empowering businesses to act before assets
leave their possession. Businesses can then take action and
prevent the error or fraud from recurring. Business process
integrity monitoring identifies the root cause of the problem,
which then empowers a CISO or audit executive to correct the
underlying breakdown that allowed the anomaly to occur.
Business process integrity monitoring can also act as a
detective control that eliminates the need for excessive
restrictive controls. Enterprises can greatly reduce their overall
cost of maintaining controls while monitoring the effectiveness
of their documented controls for compliance requirements.
Automated monitoring and analysis reduces the time
required to identify anomalies among business processes.
Security personnel and auditors then have more time to focus
on analysis and long-term correction of the identified
anomalies, which empowers CISOs and audit executives to
contribute greater value to the business. With an increased
transparency and visibility into financial operations, business
process integrity monitoring provides the means for businesses
to identify inefficient and ineffective components within
business processes.
Conclusion
As technology continues to streamline internal business
processes, enterprises should continue to evaluate how these
efficiencies might create vulnerabilities and opportunities for
fraud and errors. Armed with business process integrity
monitoring, the CISO and chief audit executive can finally get
a seat at the big table—the one reserved for those linked to
positive fluctuations in the bottom line. Finally, “overhead
managers” have a reason to smile.
Endnotes
1
Economic Crime Survey 2003, PricewaterhouseCoopers,
2003, p. 3
2
2004 Report to the Nation on Occupational Fraud and Abuse,
Association of Certified Fraud Examiners, 2004, p. iii
3
Van Mien, A. Dang; J. Green-Armytage; Moving to
Transaction Incident Monitoring for IS Security, Gartner,
19 June 2002, p. 22
4
Enterprises Ignore IT in Compliance Efforts, The Hackett
Group, February 2004
Patrick Taylor
is a leader in the convergence of controls monitoring,
information security and the implementation of technology to
boost corporate governance. As CEO of Oversight Technologies,
he is responsible for understanding customer needs for business
process integrity monitoring and making sure those needs are
met in Oversight’s product development. As a respected
information security industry insider who served in various
product management and strategic marketing roles with Internet
Security Systems and Symantec, Taylor is a frequent speaker at
conferences. In addition to his previous experience with ISS and
Symantec, Taylor has worked in leading roles with ORACLE,
Red Brick Systems, GO, Air2Web and Fast-Talk.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit
and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal
does not attest to the originality of authors' content.

© Copyright 2003 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume,
and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the
association or the copyright owner is expressly prohibited.

www.isaca.org

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 6, 2004