Posts Tagged ‘case study’

How To React To A Data Breach

Tuesday, August 2nd, 2016

Would you be able to effectively manage the fallout of a data breach? If you aren’t sure, keep reading.

It was 2013 when a medium-sized library in Ohio found itself in the midst of a data breach that would later serve as a powerful case study warning against the very real threat of electronic fraud. While originally developed by the Ohio Auditor of State’s office as a tool for government entities throughout the state, Cash Management 240: Financial Fraud – A Case Study has found usefulness beyond just the government sphere.

Leaders of not-for-profit organizations and for-profit business owners would also find value in this resource, which outlines:

  • the events that resulted in the occurrence of the data breach,
  • the reaction of entity officials during and after the breach was detected, and
  • the short- and long-term outcomes that resulted from the breach.

While I strongly recommend that you read the entire case study, I provide a brief overview of the story below.

How would you respond to a data breach?

Library officials were notified of the occurrence of fraudulent activity impacting the entity’s checking account in March of 2013. According to the bank, the fraudulent activity appeared to be limited to three transactions, totaling $144,743. Fortunately, bank officials were proactive in their efforts to recall the transactions.

In an effort to avoid further fraudulent activity, library officials decided to disconnect the accounting workstations from the entity’s network and proceeded to contact their technology vendor, who advised the library to reformat both accounting workstations immediately. Soon thereafter, library officials contacted the local police station to report the incident, closed the entity’s existing bank accounts and opened new ones, and notified employees and the board of directors of the data breach.

Due to the nature of the breach, it didn’t take long before the Ohio Auditor of State’s office and the FBI were notified of the incident as well. And, in an effort to reclaim some of the money that was stolen, a claim was filed with the entity’s insurance carrier. Finally, the library’s bank was able to recover $54,910 of the amount that was stolen. In 2014, when the case study was released, the library was still in the process of negotiating with the bank regarding $89,833 that was still missing.

So, what do you think? Would you say that the library officials were effective in their management of the data breach? What would you do if your company or nonprofit found itself in a similar situation?

Well, according to the FBI, the library could have handled the situation better. For example, the library should not have reformatted the workstations. The FBI and local police force should have been contacted immediately. And finally, the entity should have followed all instructions mandated by the bank to eliminate the possibility of such fraudulent activity.

Since its 2013 data breach, the library:

  • Is now required by the bank to follow the ACH Originator Agreement.
  • Has designated one stand-alone PC to be used for online banking.
  • Has requested online access from only one IP address.
  • Has purchased a cybercrime policy.
  • Has revisited its banking RFP to include a section regarding online banking security minimums.

Do you have a plan to help deter cybercrime?

The above scenario is just one of the countless cybercrimes that occur every day, and every type of business, entity and organization is being impacted. If you don’t have a plan in place to help prevent cybercriminals from infiltrating your network and stealing your data for financial gain, or a strategy to recover once a breach has been identified, you are in a very vulnerable position.

I believe that in order to protect against a cybercrime attack, it’s important to be armed with as much knowledge as possible. On Sept. 7, 2016, FBI Agent David Fine will be the featured presenter of part two of the Columbus Cybersecurity Series. During this portion of the presentation, attendees will hear real-life examples of attacks on businesses, including what schemes are prevalent today. Audience members will also discover the very real impact these attacks have on companies and what they can do to deter an attack from occurring in their own business or organization.

The Columbus Cybersecurity Series is free to attend, but registration is required. You can RSVP here.

By Joe Welker, CISA (New Philadelphia office)


Would You Know If Someone Was Stealing From Your Business?

Friday, May 20th, 2016

According to the 2016 Report to the Nations on Occupational Fraud & Abuse by the Association of Certified Fraud Examiners (ACFE), the typical organization loses 5 percent of its annual revenue to fraud. What are you doing to prevent fraud from occurring in your organization?

A 20-year employee at a city school charged with managing adult education programs was known as a hard worker who had secured her colleagues’ respect. But when external auditors came into the district to review the school’s financial records, it didn’t take long to realize that something just wasn’t adding up. Questions began to circulate and people started comparing notes. It wasn’t until her co-workers started questioning how she could afford the costly gifts during the holidays and lavish purchases made to redecorate her home that all the pieces began to fit together. After all, that type of money was certainly not in line with her position’s established pay scale.


Warning Signs

The funds this woman used to redecorate her home were not acquired honestly. They were obtained as part of an embezzlement scheme that lasted for at least two years. Because she attempted to cover her tracks by destroying the financial records, forensic accounting professionals were called in to reconstruct the activity using the school’s enrollment records.

The fraudster was thwarted in this instance … but this is certainly not an isolated incident. In fact, it happens more than you might think.

According to the 2016 Report to the Nations on Occupational Fraud & Abuse by the Association of Certified Fraud Examiners (ACFE), the typical organization loses 5 percent of its annual revenue to fraud. The group estimates that the potential financial loss to organizations worldwide due to fraud is at least $3.7 trillion. The median loss in this particular study, which compiled data from 2,410 cases of occupational fraud in 114 different countries, was $150,000. Nearly one-quarter of all frauds in this worldwide study resulted in losses of $1 million or more.

What Are You Doing To Prevent Fraud In Your Organization?

If you are looking to significantly decrease the fraud threat in your organization, you must have a strategy in place to prevent and detect it. And if a fraudster is in your midst, implementing anti-fraud controls is an effective way to shut fraud down faster. The Report to the Nations states that the presence of anti-fraud controls correlated to fewer losses and quicker detection.

Which Control Is The Right Control?

According to the report, the top five anti-fraud controls utilized by organizations today are:

  1. External Audit of Financial Statements
  2. Code of Conduct
  3. Internal Audit Departments
  4. Management Certification of Financial Statements
  5. External Audit of Internal Control over Financial Reporting

But are they the most effective?

Over the course of this study, researchers found that the five most effective controls when it comes to preventing and stopping fraud are:

  1. Tips
  2. Internal Audits
  3. Management Review
  4. By Accident
  5. Account Reconciliation

A key opportunity to guard against fraudulent behavior is still being missed. For example, while tips were the most common detection method regardless of whether a hotline was in place, fraud schemes were detected by tip in 47.3 percent of cases at organizations that had fraud hotlines. In contrast, only 28.2 percent of cases were detected by tips at organizations without hotlines. It’s clear that businesses and organizations should invest in a fraud prevention strategy that encourages anonymous tips if they aren’t doing so already.

Is your business or organization at risk? Do you want to learn more about which controls are most effective at preventing and detecting fraud? To learn more on this topic, email Rea & Associates.

By Annie Yoder, CPA, CFE, CFF (New Philadelphia office)
