Fraud Incident Response Planning Essentials

21
6/20/2014 1 Copyright © FraudResourceNet LLC Fraud Incident Response Planning Essentials June 11, 2014 Richard Cascarino, CFE Richard Cascarino & Associates Copyright © FraudResourceNet LLC President and Founder of White Collar Crime 101 • Publisher of White-Collar Crime Fighter • Developer of FraudAware ® Anti-Fraud Training • Monthly Columnist, The Fraud Examiner, ACFE Newsletter Member of Editorial Advisory Board, ACFE Author of “Fraud in the Markets” Explains how fraud fueled the financial crisis. About Peter Goldmann, MSc., CFE

description

FRN combines the high quality, authoritative anti-fraud and audit content from the leading providers, AuditNet ® LLC and White-Collar Crime 101 LLC/FraudAware. The two entities designed FRN as the “go-to”, easy-to-use source of “how-to” fraud prevention, detection, audit and investigation templates, guidelines, policies, training programs (recorded no CPE and live with CPE) and articles from leading subject matter experts. FRN is a continuously expanding and improving resource, offering auditors, fraud examiners, controllers, investigators and accountants a content-rich source of cutting-edge anti-fraud tools and techniques they will want to refer to again and again. White-Collar Crime Fighter Newsletter Subscribe Now at No Cost! FraudResourceNet has made the premier Anti-Fraud newsletter, White-Collar Crime Fighter freely available to all. All this is required is to complete the registration form with your work email address! The widely read newsletter, White-Collar Crime Fighter brings you expert strategies and actionable advice from the most prominent experts in the fraud-fighting business. Every two months you'll learn about the latest frauds, scams and schemes... and the newest and most effective fraud-fighting tools, techniques and technologies to put to work immediately to protect your organization. When it comes to fraud, knowledge of the countless schemes, how they work and red flags to look for will help keep you, your organization and your clients safe. At FraudResourceNet we understand this and take great pride in providing our FREE White Collar Crime Fighter newsletter -- filled with exclusive articles and tips to provide the knowledge you need. Make sure you stay informed. Sign up for White Collar Crime Fighter newsletter and we’ll keep you up-to-date on special promos, training opportunities, and other news and offers from FraudResourceNet! Signing up is easy and FREE. If you have not already subscribed to our newsletter, please sign up to get started! Sign up for the White Collar Crime Fighter Newsletter (a $99 value ... now completely FREE)

Transcript of Fraud Incident Response Planning Essentials

  • 1. 6/20/2014 1 CopyrightFraudResourceNet LLC Fraud Incident Response Planning Essentials June11,2014 RichardCascarino,CFE RichardCascarino&Associates CopyrightFraudResourceNet LLC President and Founder of White Collar Crime 101 Publisher of White-Collar Crime Fighter Developer of FraudAware Anti-Fraud Training Monthly Columnist, The Fraud Examiner, ACFE Newsletter Member of Editorial Advisory Board, ACFE Author of Fraud in the Markets Explains how fraud fueled the financial crisis. About Peter Goldmann, MSc., CFE

2. 6/20/2014 2 CopyrightFraudResourceNet LLC AboutRichardCascarino,MBA,CIA,CISM, CFE,CRSA Principal of Richard Cascarino & Associates based in Colorado USA Over 30 years experience in IT audit training and consultancy Past President of the Institute of Internal Auditors in South Africa Member of ISACA Member of ACFE Board of Regents (Higher Education) CopyrightFraudResourceNet LLC This webinar and its material are the property of FraudResourceNet LLC. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. We are recording the webinar and you will be provided with a link access to that recording as detailed below. Downloading or otherwise duplicating the webinar recording is expressly prohibited. Webinar recording link will be sent via email within 5-7 business days. NASBA rules require us to ask polling questions during the Webinar and CPE certificates will be sent via email to those who answer ALL the polling questions The CPE certificates and link to the recording will be sent to the email address you registered with in GTW. We are not responsible for delivery problems due to spam filters, attachment restrictions or other controls in place for your email client. Submit questions via the chat box on your screen and we will answer them either during or at the conclusion. After the Webinar is over you will have an opportunity to provide feedback. Please complete the feedback questionnaire to help us continuously improve our Webinars If GTW stops working you may need to close and restart. You can always dial in and listen and follow along with the handout. Webinar Housekeeping 3. 6/20/2014 3 CopyrightFraudResourceNet LLC Theviewsexpressedbythepresentersdonotnecessarilyrepresenttheviews, positions,oropinionsofFraudResourceNetLLC(FRN)orthepresenters respectiveorganizations.Thesematerials,andtheoralpresentation accompanyingthem,areforeducationalpurposesonlyanddonotconstitute accountingorlegaladviceorcreateanaccountantclientrelationship. WhileFRNmakeseveryefforttoensureinformationisaccurateandcomplete, FRNmakesnorepresentations,guarantees,orwarrantiesastotheaccuracyor completenessoftheinformationprovidedviathispresentation.FRN specificallydisclaimsallliabilityforanyclaimsordamagesthatmayresultfrom theinformationcontainedinthispresentation,includinganywebsites maintainedbythirdpartiesandlinkedtotheFRNwebsite Anymentionofcommercialproductsisforinformationonly;itdoesnotimply recommendationorendorsementbyFraudResourceNetLLC 5 Disclaimers CopyrightFraudResourceNet LLC TodaysAgenda IntroductionStatisticsontheFraudProblem IncidentResponsePlan IncidentResponseTeam WhyConductanInvestigation? PlanningtheInvestigation InvestigativeTeamsandResources Collecting&PreservingEvidence WitnessInterviews ForensicProcedures FindingsoftheInvestigation ConclusionsandQuestions6 4. 6/20/2014 4 CopyrightFraudResourceNet LLC Fraud: The Big Picture According to major accounting firms, professional fraud examiners and law enforcement: Fraud costs the world $1 TRILLION per year. (5%) (ACFE) Business losses due to fraud increased 20% in last 12 months, from $1.4 million to $1.7 million per billion dollars of sales. (Kroll 2010/2011 Global Fraud Report) 75% of the companies surveyed experienced at least one incident of fraud in the last 12 months (KPMG) Average cost for each incident of fraud is $160K (ACFE) Approximately 67% of corporate fraud committed by insiders (Kroll) CopyrightFraudResourceNet LLC TheWorstCanHappen "Don't look at the past and assume that's the future. Look at the enemy's strengths and your vulnerability. You've got to realize that the worst case does sometimes happen." --Richard Clarke Former Special Advisor for Cybersecurity 5. 6/20/2014 5 CopyrightFraudResourceNet LLC Fraud 3KeyElements 9 CopyrightFraudResourceNet LLC Fraud ItsNotAQuestionof If 10 Itisnotamatterofif,butwhen. Havinganincidentresponseplanputs youinthebestpositiontorespond quicklyandeffectively. Preincidentplanning Ongoingincidentmanagement Postincidentremediation 6. 6/20/2014 6 CopyrightFraudResourceNet LLC Polling Question 1 TheThreeElementsofFraudare: a) Incentive,RationalizationandOpportunity b)Opportunity,MeansandMethod c)RationalizationMeansandOpportunity d)Opportunity,IncentiveandMeans CopyrightFraudResourceNet LLC GoalsofIncidentResponse Confirmordispelincident Promoteaccurateinfoaccumulation Establishcontrolsforevidence Protectsprivacyrights Minimizedisruptiontooperations Allowforlegal/civilrecriminations Provideaccuratereports/recommendations 7. 6/20/2014 7 CopyrightFraudResourceNet LLC IncidentResponseTeam Leader Seniorinternalauditor Legalcounsel Investigationdepartmenthead Sr.auditcommitteemember Riskmanagementdirector Corporatesecuritydirector Externalauditor? Externalinvestigativefirm? 13 CopyrightFraudResourceNet LLC FraudIncidentResponse Team Legalresources:Inhouse& outsidecounsel Regularvs.indep.externalcounsel HR Internalaudit Externalaudit Internalorexternalinvestigator(s) Auditcommitteerepresentative 14 8. 6/20/2014 8 CopyrightFraudResourceNet LLC IncidentResponseMethodology Preincidentpreparation Detection InitialResponse Strategyformulation Duplication Investigation UTSA IS 6353 Security Incident Response Security measure implementation Network monitoring Recovery Reporting Follow-up CopyrightFraudResourceNet LLC IncidentResponsePlan PreincidentPlanning Createateam&aplan Defineroles&responsibilities Trainstaffonplandetailsand responsibilities Processforescalation: allegation>incident> investigation Documentretentionpolicies Internalvs.external legal/investigative professionals Fraudriskassessment: Prioritizerisksanddevelop responseplansforeach Standardizeevidencecollection protocols Restrictaccesstoincident detailstoneedtoknowbasis Formalizeregulatory complianceproceduresfor responseandnotification 16 9. 6/20/2014 9 CopyrightFraudResourceNet LLC Polling Question 2 PreincidentPreparationincludes: a)Identifyingthescopeofsuspectedfraud b)Determiningtimeframesforlegalexperts c)Definingrolesandresponsibilities d)Identifyingfailedbusinessprocesses CopyrightFraudResourceNet LLC IncidentResponsePlan After ItHasOccurred Identifyscopeofsuspected fraud(individualorcollusion?) Seekexpertadvice(external auditor,counsel,etc) Secure&preservefinancial andnonfinancialinformation Determinetimeframeforwho (LE/regulators)needstoknow what/when Adheretorelevant legal/regulatory notificationmandates& timeframes Ongoing&appropriate communication Considernotifyinglaw enforcementifsuspect criminalactivity Identifyweak/failedICs& businessprocesses 18 10. 6/20/2014 10 CopyrightFraudResourceNet LLC IncidentResponsePlan After ItHasOccurred Alertyourfraudincidentmanager thatanallegationorsuspicionexists Documentdate,timeanddetailsof initialtip/discovery Takenotesonallobservationsand actions ifsomethingisworth takingamentalnote,itiswortha writtennote) Maintainconfidentiality(enforce need toknowruleaboutthe suspectedact).Unwarranted disclosurecanseriouslydamage potentialsuccessfulinvestigations. Donotimmediatelyconfrontthe suspect. Writeoutinfullthesuspectedact orwrongdoingincluding: Whatisallegedtohave occurred Whoisallegedtohave committedtheact Istheactivitycontinuing Wherediditoccur Whatisthevalueoftheloss orpotentialloss Whoknowsoftheactivity (Continued) 19 CopyrightFraudResourceNet LLC IncidentResponsePlan After ItHasOccurred Identifyalldocumentaryandother evidenceconnectedtotheincident: Invoices Contracts Purchaseorders Checks Computers/mobiledevices (Email) Credit/Pcardstatements Obtainevidenceandplaceina securearea.(Wheneverpossible withoutalertinganysuspects) Protectevidencefromdamageor contamination Listeachitemindividuallytaking noteofacquisition(incl.time,date andlocation)andwheretheitem wassecurelystored Identifyallpotentialwitnesses Unlesselectronicevidenceisinthe processofbeingdestroyeddonot gointothesuspect/target computersystems Ifpossible,secureand/orremove suspectsaccesstorelevant computers/systems.Donotallow ITdepartmenttoexamine computer(s) Considerotherpotentialsuspects 20 Source:Deloitte 11. 6/20/2014 11 CopyrightFraudResourceNet LLC Polling Question 3 Responseafteranincidentincludes: a)Standardizingevidencecollectionprocedures b)Protectingevidencefromdamageorcontamination c)Formalizingregulatorycomplianceproceduresfor responseandnotification d)Prioritizingrisksanddevelopresponseplansforeach CopyrightFraudResourceNet LLC WhatPromptsanInvestigation? Internalevents Accountingirregularity Employeeallegation/whistleblower Companycomplianceaudit Externalevents Governmentaudit,investigation, subpoena,searchwarrant Competitorcomplaint Informationsecuritybreach 22 12. 6/20/2014 12 CopyrightFraudResourceNet LLC WhyConductanInvestigation? Partofaneffectivecompliance program Limitsharmtothecompany Formulateadefensetopossible allegations Mayhaveanobligationunder certainlaws(SOX)andregulations toinvestigateorselfdisclose Creditforcooperationfromgovt. (FCPA) 23 CopyrightFraudResourceNet LLC Polling Question 4 Reasonsforconductinganinvestigationinclude: a)Itcanlimitharmtothecompany b)Fraudriskassessmentmaysuggestonebecarried out c)Restrictaccesstoincidentdetailstoneedto knowbasis d)Youcanstandardizeevidencecollectionprotocols 13. 6/20/2014 13 CopyrightFraudResourceNet LLC PlanningtheInvestigation Stopsuspectconductimmediately Whataretheimmediate concerns/uncertainty? Assetprotection/evidencepreservation(Image suspectsharddriveIMMEDIATELYorwait?) Whatinformation/evidencedoyouneedto collect? Aretherelegalconstraintsconcerningthe collectionoftherequiredinformation/evidence? 25 CopyrightFraudResourceNet LLC PlanningtheInvestigation Whatistheappropriatescopeofthe investigation? Considerationsshouldinclude: Whatis.are theultimateobjective(s)of theinvestigation? Whatlevelofdiscretionisrequired? Whatarethetimeconstraints,ifany? Whataretheresourceconstraints,ifany? Doyouwanttheinvestigationtobe privileged? Avoidartificiallynarrowscope 14. 6/20/2014 14 CopyrightFraudResourceNet LLC Internalvs.External Resources Investigativeresources:Internalor external.Dependson Resourceavailability&time constraints Knowledge&experience Technologyrequirements Target(s)oftheinvestigation Financiallossamount Potentialfor criminal/regulatoryviolation(s) Needsofyourexternalauditor Cost CopyrightFraudResourceNet LLC PreservingEvidence Informationpreservation: Timeurgency isessentialtopreventsuspect(s)from destroying/deletingevidencebeforecollection Distributeapreservationnoticetokeystaff Ensureproperbackuptaperotation(stopifneedto preserverelevantevidence) Dumpster/RecoverableItems 15. 6/20/2014 15 CopyrightFraudResourceNet LLC CollectingEvidence Informationcollection: Whatisavailable? Dontforgetmobile communication/computingdevices &othermobilestoragedevices (thumbdrives,etc.) Chainofcustody Generally,moreisbetter CopyrightFraudResourceNet LLC WheretheEvidenceResides Volatiledatainkernelstructures Slackspace Freeorunallocatedspace Thelogicalfilesystem eventslog applicationlogs theregistry theswapfile specialapplicationfiles temporaryfiles therecyclebin theprinterspool emailsentorreceived 16. 6/20/2014 16 CopyrightFraudResourceNet LLC ForensicProceduresforData Collection/Preservation/Review Useforensictechnology: DigitalEvidenceForensics/DiskImaging ForensicDataAnalytics eDiscovery tools/techniques(Emails,business docstobedonebyanexpert) CopyrightFraudResourceNet LLC eDiscoveryTools/Techniques eDiscoveryworkflow/process(shouldbe formalizedinadvance who willreviewdocs forrelevance,preservation procedures,etc.) ApplyPredictiveCoding(Legaltoolfor streamliningdocumentreviewusinga documentreviewplatform) 17. 6/20/2014 17 CopyrightFraudResourceNet LLC Polling Question 5 Acriticalaspectofobtainingevidenceis: a)Ensuringtaperetentionpoliciesareadheredto b)Generally,lessisbetter c)Ensuringswapfilesaredeleted d)MaintainingtheChainofCustody CopyrightFraudResourceNet LLC WitnessInterviews Preparation Reviewdocuments WhoWhenWhereWhatorder Conductingtheinterview Neutral/objectivefinderoffact Neveralonesomeonetakesnotes Limitinformationsharing Rightkindsofquestionswhen Legalconsiderations Upjohnwarning:Lawyerreps company Preservingprivilege Providingcounseltothewitness 18. 6/20/2014 18 CopyrightFraudResourceNet LLC WhenNOTtoInvestigateMaybe Amountstolenisminimal Nothingmorethanaredflag(needadditional evidence) Wanttoavoidnegativepublicity Perpetratorresigns/departsonown Confession Lawenforcementtakesover CopyrightFraudResourceNet LLC FindingsoftheInvestigation Writtenororalreport?(Writtenmaynotbenec. Ifyoudontprosecuteandjustreprimand) Determinewhattodowithcurrentemployees involvedinconductatissue Consultwithcounseltodetermineifmandatory disclosureisrequired Considerimplementing strongercontrolsor companypolicies 19. 6/20/2014 19 CopyrightFraudResourceNet LLC IncidentResponsePlan PostIncidentRemediation Assessgapsandevaluateeffectivenessofplan,procedures,and training Adjustincidentresponseplan&protocols;communicateandtrain Testincidentresponseplanperiodicallyandstayawareofinternal &externalrisks Maintainanincidentreportinaccordancewithrelevantlegal& regulatorystandards Improveweak&failedICsandbusinessprocesses Restorecustomer/clientrelationsasnecessary CopyrightFraudResourceNet LLC IncidentResponsePlan InformationSecurityBreach Promptnotificationofappropriateregulators(esp.financial institutions) Promptnotificationoflawenforcement(Usuallyfederal) Mobilizeeffortstocontaintheincidentpreventfurther breaches/damage Notifycustomersimmediately Activateremediationmeasurescardreplacement,credit monitoringservices,etc. Trainemployeestorecognizebreachredflagsquickly. 20. 6/20/2014 20 CopyrightFraudResourceNet LLC CommonMistakes Failuretomaintainproperdocumentation Failuretonotifydecisionmakers Failuretocontroldigitalevidence Failuretoreporttheincidentinatimelymanner Underestimatingthescopeoftheincident Noincidentresponseplaninplace Technicalmistakes Alteringdateandtimestampsonevidencesystemsbeforerecordingthem Killingrogueprocesses Patchingthesystembacktogetherbeforeinvestigation Notrecordingcommandsused Usinguntrustedcommandsandtools Overwritingevidencebyinstallingtools CopyrightFraudResourceNet LLC IncidentResponseChecklist Question Have you developed and implemented a written data security breach disclosure and notification process? Do you have in place a manual or automated system for tracking privacy incidents to ensure all are detected, reported and responded to in a consistent way? Are you aware of Federal and state privacy regulations? Do you have an incident response process that includes: Who to contact when they suspect a loss or compromise of PII data? An evaluation of the scope, the amount of damage and the number of individuals affected by the data breach. Notification of the individuals whose data has been compromised. Public relations management. Mitigation and forensics. Regulatory reporting. Do you have a help desk and call procedure for all individuals whose data may have been compromised? Have you ensured the enterprise breach disclosure effort is scalable to address the scope of the breach? Are you prepared to offer appropriate remediation measures that are timely and effective? Examples include free credit monitoring services, fraud alert services, identity monitoring and personalized remediation services. 21. 6/20/2014 21 CopyrightFraudResourceNet LLC Questions? Any Questions? Dont be Shy! CopyrightFraudResourceNet LLC Peter Goldmann FraudResourceNet LLC 800-440-2261 www.fraudresourcenet.com [email protected] Richard Cascarino, MBA,CIA,CRMA,CFE,CISM Cell:+19702911497 SouthAfrica+27(0)789807685 Tel+13037476087(SkypeWorldwide) Tel:+19703675429 eMail:[email protected] Web:http://www.rcascarino.com Skype:Richard.Cascarino Thank You!