I just read this short article and found it pretty interesting, yet alarming. The article sums up PwC's 2011 Global Economic Crime Survey. The survey results show that cyber crime and fraud increased the most from the previous year. 45% of organizations said they had suffered from fraud in the past year and 40% had suffered from cyber crime. Just as an interesting side note, the article also states that the typical fraudster is a woman aged 31-40 with a college degree, and in the U.S. 40% of internal cyber crime perpetrators were women compared to 19% globally.
My first reaction is that maybe forensic auditors/accountants/IT security experts should become a regular part of an engagement team due to the massive amount of fraud and cyber crime being committed. Although this would increase the cost of an engagement, the increase in cost would most likely be less than the cost of recovering from fraud or cyber crime. According to the article, the share of frauds costing over $100,000 has increased from 44% to 54% over two years, and 10% of respondents reported frauds costing five million or more.
The internal controls a company has in place to detect and prevent fraud are mainly designed with internally generated fraud in mind. What about externally generated fraud? I think audits should test the controls that a company puts in place to detect and prevent external fraud. If a company has no controls in place, the auditors should help develop a set of controls. This would all be done by the forensic auditors/accountants, and is why they need to become a regular part of an engagement team. Although costly, I feel the benefit of adding a forensic component to an engagement team outweighs the cost, especially with the direction the fraud trend is heading.
I also think more rigorous testing should be done in the area of IT internal controls. For the most part, internal controls are in place to keep company insiders from doing what they aren't supposed to. Due to the increase in cyber crime, I think that IT audits should begin placing an emphasis on the controls in place to detect and prevent externally generated cyber crimes against the client. I think this should become a major part of an IT audit, rather than just focusing on keeping company insiders from accessing places they aren't supposed to.
What do you think?