Friday, April 06, 2007

Ethics: The Tone at the Top...

Have you had your annual check-up? Is the health of your organization improving or on the way to a potential loss of reputation?

Boards of Directors are consistently talking about how they can create the correct "Tone at the Top" when it comes to ethics and compliance. Global corporations realize the importance of these issues in order to create a focus on competitive advantage and other new "Carrots" rather than the old motivators of fear, uncertainty and doubt (the FUD factor). Employees who are "Beaten with a Stick" in order to comply with federal laws and state rules of conduct are looking for new vision and new methods to improve the health of organizational ethics. An interview with Perry Minnis, Alcoa's Director of Ethics and Compliance, highlights this point:

Organizations have always confronted ethics problems, but it seems that only in the last 25 years or so that ethics has grown from an academic discipline into a mandatory department at most corporations. How has this happened?

I believe the heightened awareness can be attributed to several factors: the defense contracting scandals during the Reagan Administration; the issuance, in the early 1990s, of the Federal Sentencing Guidelines, which established criteria for assessing the completeness of ethics and compliance programs; the emergence of high profile scandals - Enron, Tyco, WorldCom, etc.; and the passage of the U.S. Sarbanes-Oxley Act and the associated provisions of the New York Stock Exchange and SEC requirements. Plus companies now have a general sense that a reputation for ethical behavior is a competitive advantage. It engenders customer loyalty and employee allegiance.

Mr. Minnis and other officers like him who are charged with creating the right "Tone at the Top" must cooperate with a multitude of players within the enterprise to address this cultural awareness. Part of this strategy should include the check-up for fraud and the signs that it may be present in certain business units or processes within the organization.

In this Fraud Prevention Check-up tool we are especially pleased to see question number 7:

To what extent has the entity established a process to detect, investigate and resolve potentially significant fraud? Such a process should typically include proactive fraud detection tests that are specifically designed to detect the significant potential frauds identified in the entity’s fraud risk assessment. Other measures can include audit “hooks” embedded in the entity’s transaction processing systems that can flag suspicious transactions for investigation and/or approval prior to completion of processing. Leading edge fraud detection methods include computerized e-mail monitoring (where legally permitted) to identify use of certain phrases that might indicate planned or ongoing wrongdoing.
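The audit "hook" that question 7 describes can be sketched in code: a pre-completion check on each payment that either lets it complete or holds it for investigation. This is an added illustration, not part of the check-up tool or the original post; the approval limit, the seven-day split window, the vendor list and the sample payments are all assumed or constructed here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

APPROVAL_LIMIT = 10_000           # assumed policy: single payment needing second approval
SPLIT_WINDOW = timedelta(days=7)  # assumed window for spotting split payments

@dataclass
class Payment:
    payee: str
    amount: float
    when: datetime
    requester: str
    approver: str

@dataclass
class AuditHook:
    """Runs inside transaction processing, before a payment is completed."""
    approved_vendors: set
    history: list = field(default_factory=list)

    def review(self, p: Payment) -> list:
        """Return the reasons to hold the payment; an empty list means let it complete."""
        reasons = []
        if p.payee not in self.approved_vendors:
            reasons.append("payee not on approved vendor master")
        if p.amount >= APPROVAL_LIMIT:
            reasons.append("amount at or above single-approval limit")
        if p.requester == p.approver:
            reasons.append("requester approved own payment")
        # Structuring: several sub-limit payments to one payee inside a short window
        recent = [h for h in self.history
                  if h.payee == p.payee and p.when - h.when <= SPLIT_WINDOW]
        if p.amount < APPROVAL_LIMIT and sum(h.amount for h in recent) + p.amount >= APPROVAL_LIMIT:
            reasons.append("cumulative payments to payee exceed limit within window")
        return reasons

    def process(self, p: Payment) -> str:
        reasons = self.review(p)
        self.history.append(p)  # record every payment so later splits stay visible
        return "HOLD: " + "; ".join(reasons) if reasons else "COMPLETED"

# Constructed sample data: three split payments to one vendor, then a self-approved one
VENDORS = {"Acme Supply", "Northwind Traders"}
T0 = datetime(2007, 4, 2)
SAMPLE = [
    Payment("Acme Supply", 4_000, T0, "jsmith", "rlee"),
    Payment("Acme Supply", 3_500, T0 + timedelta(days=1), "jsmith", "rlee"),
    Payment("Acme Supply", 3_000, T0 + timedelta(days=2), "jsmith", "rlee"),
    Payment("Shell Co LLC", 900, T0 + timedelta(days=3), "jsmith", "jsmith"),
]

def run_sample() -> list:
    hook = AuditHook(approved_vendors=set(VENDORS))
    return [hook.process(p) for p in SAMPLE]
```

Each payment is cheap to check on its own; the third one is only caught because the hook keeps history, which is why such checks belong inside the processing path rather than in a later batch review.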

The use of automated tools to help prevent fraud from occurring will continue to be just that: a tool. It is imperative that anyone utilizing such mechanisms for early warning remember the taxonomy for an "Incident":

"Attackers use tools to exploit vulnerabilities to create an action on a target that produces an unauthorized result to obtain their objective."

While the ethics and compliance department teams up with the IT and Security departments to create the policies and implement the tools to deter, detect and defend against fraud, the opposing force is also gaining ground. Hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs are using their own tools to test and to exploit your vulnerabilities.

The three areas that you need to focus on continue to be:

  • Design
  • Implementation
  • Configuration

Whether it is through physical attack, information exchange, user commands, scripts, programs, autonomous agents, toolkits or data taps, you can be assured that these tools are being utilized to exploit you. They are being directed at the design, implementation or configuration of your "Controls" in order to achieve the action they desire:

  • Probe
  • Scan
  • Flood
  • Authenticate
  • Bypass
  • Spoof
  • Read
  • Copy
  • Steal
  • Modify
  • Delete

All of these actions are directed at a target: accounts, people, processes, data, components, computers, networks or internetworks. They are looking for an unauthorized result:

  • Increased Access
  • Disclosure of Information
  • Corruption of Information
  • Denial of Service
  • Theft of Resources

And sadly, when you boil it down to the reasons or objectives they seek to achieve, it usually falls into one of four categories:

  • Challenge, Status, Thrill
  • Political Gain
  • Financial Gain
  • Damage

Once you understand the entire taxonomy of an "Incident" you are far better equipped to prevent and preempt attacks on your valuable corporate assets. Equally as important is the "Tone at the Top" to set the foundation for an environment that employees embrace and will protect at all costs.