Just like you, I would really love to know as much as possible about the Bermuda triangle. I mean the 500,000 square mile body of water bordered by Puerto Rico, Florida, and Bermuda. Many scientists are still baffled by the strange occurrences reported around this triangle; it is still a mystery. Like these scientists, I do not have an explanation yet for why ships and aircraft tend to disappear in this region. I guess I just like the sound of the name Bermuda, yeah! Just kidding!
There is still good news for us though. While we might not have an explanation or any useful application of theories behind the phenomena surrounding the mysteries of the Bermuda triangle, some decades ago, Donald R. Cressey, a well-known criminologist, developed a very useful triangle called the Fraud Triangle. While this triangle is not as mystical as the Bermuda triangle, it holds a lot of answers for preventing fraud in an organization.
Cressey studied the circumstances that led embezzlers to temptation and he came up with this hypothesis: “Trusted persons become trust violators when they conceive of themselves as having a financial problem which is non-sharable, are aware this problem can be secretly resolved by violation of the position of financial trust, and are able to apply to their own conduct in that situation verbalizations which enable them to adjust their conceptions of themselves as trusted persons with their conceptions of themselves as users of the entrusted funds or property.” Cressey then came up with the elements of the fraud triangle which are: Opportunity, Pressure (incentive or motivation) and Rationalization (sometimes called justification or attitude).
While the fraud triangle can easily be applied to the different processes involving direct access to or custody of financial assets, I wish to consider the value of the triangle in the information technology environment, focusing on IT general controls (ITGC), especially for employees at the center of applying controls in the IT environment. I would like to highlight two of the IT general controls and the importance of evaluating the opportunity, pressure, and rationalization which could encourage fraud in an IT environment (directly or indirectly, as seen when IT personnel collude with other employees who have direct access to financial resources).
Access controls:
These controls are for preventing unauthorized access to an IT environment. However, in terms of business objectives, these controls directly or indirectly prevent fraud. It is harder to modify or delete data from a system you cannot access. On the other hand, a trusted person (which could be someone with authorized access) could become a trust violator if the other elements of the fraud triangle are present along with the opportunity to commit fraud. For instance, pressure due to financial challenges or some form of rationalization could encourage a system administrator to grant more access than necessary to a fraud perpetrator. An administrator colluding with someone in the purchasing department who could make unauthorized purchases or create a fictitious employee account is a good example. This could happen in an IT environment with limited audit trails, as well as one where employees who perform incompatible duties are left unsupervised with a lot of freedom within the access control environment.
Possible solutions:
- Segregation of incompatible duties is really important in the access control environment. If this is too costly to achieve, then activities log review by someone like a supervisor of employees performing incompatible duties could help reduce the opportunity element of the fraud triangle.
- It is key to include in the risk assessment matrix the elements of the fraud triangle which could be relevant to the people applying the access controls in an IT environment. This would be part of the control environment component of the COSO framework.
- It is paramount to monitor hiring and compensation practices that could create undue pressure or serve as incentives to allow fraud.
- Although it is not a good idea to poke into the personal affairs of employees, it is beneficial to provide support programs for employees with financial difficulties, or other forms of support such as counselling to help manage mental or emotional issues which could lead to some of the rationalizations common to fraud perpetrators.
Change Management Controls:
These controls are meant to ensure that changes are authorized, tested before implementation, and are approved before being migrated to the production environment. The change management controls also assist in preventing the opportunity element of the fraud triangle from existing in an IT environment (although this seems like a secondary purpose).
Most of the possible solutions mentioned for access controls also apply to change management controls.
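To make the supervisor log review concrete for both sections above (the access control collusion scenario and unapproved production changes), here is an added example that is not part of the original post. It assumes a constructed activity log and an assumed segregation-of-duties matrix; the action names, ticket ids and users are all made up for illustration.

```python
from collections import defaultdict

# Assumed segregation-of-duties matrix: action pairs one person should not hold.
INCOMPATIBLE_DUTIES = [
    {"create_vendor", "approve_payment"},          # purchasing side
    {"develop_change", "deploy_to_production"},    # change management side
]
# Actions that must reference an approved request/change ticket.
NEEDS_APPROVAL = {"grant_access", "deploy_to_production"}
# Purchasing-side actions relevant to the admin/purchasing collusion scenario.
PURCHASING = {"create_vendor", "create_purchase_order", "approve_payment"}

# Constructed sample log: (timestamp, actor, action, target, approval ticket or None).
LOG = [
    ("2024-03-01T09:00", "adm_kate", "grant_access", "bob", "REQ-101"),
    ("2024-03-01T09:05", "adm_kate", "grant_access", "bob", None),
    ("2024-03-02T10:00", "bob", "create_vendor", "VND-9", None),
    ("2024-03-02T10:30", "bob", "approve_payment", "VND-9", None),
    ("2024-03-03T11:00", "dev_sam", "develop_change", "CHG-200", "CHG-200"),
    ("2024-03-03T12:00", "dev_sam", "deploy_to_production", "CHG-200", None),
]


def review(log):
    """Return (finding_type, actor, detail) tuples for a supervisor to follow up."""
    findings = []
    actions_by_actor = defaultdict(set)
    grants = {}  # grantee -> set of admins who granted them access
    for ts, actor, action, target, ticket in log:
        actions_by_actor[actor].add(action)
        # Control 1: access grants and production deployments without an approved ticket.
        if action in NEEDS_APPROVAL and ticket is None:
            findings.append(("unapproved_action", actor, f"{action} on {target} at {ts}"))
        if action == "grant_access":
            grants.setdefault(target, set()).add(actor)
    for actor, actions in actions_by_actor.items():
        # Control 2: one person holding an incompatible pair of duties.
        for pair in INCOMPATIBLE_DUTIES:
            if pair <= actions:
                findings.append(("incompatible_duties", actor, "+".join(sorted(pair))))
        # Control 3: a grantee who went on to perform purchasing actions; the
        # grant-and-use pair is surfaced so the admin/grantee link gets reviewed.
        if actor in grants and actions & PURCHASING:
            for admin in sorted(grants[actor]):
                used = sorted(actions & PURCHASING)
                findings.append(("grant_then_purchasing", admin,
                                 f"granted access to {actor}, who then ran {used}"))
    return findings
```

Running `review(LOG)` on the constructed log yields two unapproved actions, two incompatible-duty holders and one grant-then-purchasing pair, each of which is a review item rather than proof of fraud.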
In conclusion, if you are looking for a way to add more value to your audit process, preventing fraud by assessing the existence of the three elements of the fraud triangle within an IT environment will be a good move.
While the Bermuda triangle seems mystical and scary, there is a useful triangle that is not as mystical which could help your organization in the journey of preventing or mitigating risks around fraud: the fraud triangle.