Thursday, February 9, 2012

Are SOX Auditors focused on the wrong things?

The Security Catalyst had an interesting post last week, The
Psychology of Fraud -Revisited.
In the post, Sarbanes-Oxley auditors are criticized for focusing on
minutia that is costing corporations millions, while the real cause of
fraud is corrupted humans.
In developing this argument, the author draws upon a model developed
in the early 1950's by Dr. Donald Cressey, a criminologist whose
research focused on embezzlers, called the fraud triangle. Where Dr.
Cressey's triangle consisted of pressure, rationalization, and
opportunity, the Security Catalyst altered the points of the triangle
for IT fraud to include the following definitions:
- Access. Physical or logical ability to enter, touch, or reach a
resource. In computers, this is often controlled by network rules and
a user id and password.
- Knowledge. To be familiar or have experience with an object or
resource. This means having the concepts and the ability to know what
to do after you have accessed the resource.
- Intent. The purpose or an anticipated outcome that guides a person's
planned actions. Knowingly causing damage to the resource.
These make a great deal of sense, but the rest of the argument is lost
on me. The author tries to make the case that access rights should not
be scrutinized to the degree they are currently in SOX audits because
it is only a portion of the fraud triangle. Improper access doesn't
necessarily mean that someone has knowledge or intent.
The post even states "You can't audit against knowledge and intent."
Well, if you can't audit knowledge and intent, don't you have to audit
access? In the absence of a way to detect someone with the knowledge
and intent to perpetrate fraud, don't you have to ensure access is
being provided on an as needed basis?
In my opinion, the author's own statements actually justify why
auditors give access rights the demanding scrutiny they do today. If
access rights are poorly documented and managed, the odds are that
much greater that a person who already has the knowledge and intent
will get the golden key that completes their fraud triangle.
SOX does not prevent or reduce corporate fraud. Its requirements exist so
that a prosecuting attorney can presumptively use a corporation's records as
legal evidence against the corporation's management. Viewed in that light,
the requirements make perfect sense.
Geoff N. Hiten
Senior SQL Infrastructure Consultant
Microsoft SQL Server MVP
<jmichaud@.ecora.com> wrote in message
news:1185212726.689666.6170@.n2g2000hse.googlegroups.com...
