Page 597 - ITGC_Audit Guides
GTAG — IT Fraud Risks
Other IT fraud vulnerabilities that should be considered
during the risk assessment include:
• Fictitious billings for services or misappropriation of
employee, customer, or company confidential data
for personal gain by an independent contractor or an
onshore or offshore programmer.
• Copyright infringement and loss of intellectual property when
employees or contractors copy or download files illegally.
• Misappropriation of company data by third-party service
providers that process employee and/or customer information,
or other company confidential information.
The following are some examples of best practices in
addressing IT fraud risks.
• Completing periodic enterprise-wide IT fraud risk
assessments.
• Instituting periodic security and fraud awareness
training for all employees.
• Enforcing segregation of duties.
• Restricting access to systems and data on a business
need-to-know basis.
• Implementing strict password and identity management
policies and practices.
• Logging, monitoring, and auditing employees’
network actions.
• Using extra caution with system administrators and
privileged users.
• Using layers of defense against network intrusions.
• Developing an effective incident response plan and
assembling an incident response team.
• Deactivating computer access upon an employee's
termination of employment.
• Collecting and saving forensic data for use in investigations.
• Allowing for secure back-up and recovery processes.
• Implementing good vulnerability management
programs.
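Two of the practices above, enforcing segregation of duties and deactivating access upon termination, are the kind an auditor can test mechanically by reconciling an HR roster against exported account data. The following is an added example written for this page, not GTAG text or any vendor's tool; the employees, accounts, role names and the toxic-combination matrix are all constructed, hypothetical sample data.

```python
"""Audit checks for orphaned accounts and segregation-of-duties conflicts.

Reconciles a (constructed) HR roster against a (constructed) export of
system accounts and reports:
  1. enabled accounts belonging to terminated employees, or with no HR record;
  2. enabled accounts holding a conflicting combination of roles.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Employee:
    user_id: str
    termination_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    roles: FrozenSet[str]


# Constructed HR roster (hypothetical people, not real data).
HR_ROSTER: List[Employee] = [
    Employee("alice", None),
    Employee("bob", date(2024, 3, 15)),
    Employee("carol", None),
    Employee("dave", date(2024, 6, 30)),
]

# Constructed account export (hypothetical systems and role names).
ACCOUNTS: List[Account] = [
    Account("alice", True, frozenset({"vendor_create", "payment_approve"})),
    Account("bob", True, frozenset({"developer"})),       # left in March, still enabled
    Account("carol", True, frozenset({"developer"})),
    Account("dave", False, frozenset({"payroll_edit"})),  # terminated and disabled: fine
    Account("svc_backup", True, frozenset({"backup_operator"})),  # no HR owner
]

# Hypothetical toxic combinations: a single person holding both roles
# could create a fictitious vendor and approve payment to it, etc.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"payroll_edit", "payroll_approve"}),
    frozenset({"developer", "prod_deploy"}),
}


def orphaned_accounts(roster: List[Employee], accounts: List[Account],
                      as_of: date) -> List[Tuple[str, str]]:
    """Return (user_id, reason) for enabled accounts that should not be.

    Disabled accounts are ignored. Accounts with no matching HR record are
    flagged too: service accounts need a named owner to be auditable.
    """
    terminated = {e.user_id for e in roster
                  if e.termination_date is not None and e.termination_date <= as_of}
    known = {e.user_id for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.user_id in terminated:
            findings.append((acct.user_id, "enabled after termination"))
        elif acct.user_id not in known:
            findings.append((acct.user_id, "no HR record"))
    return findings


def sod_violations(accounts: List[Account],
                   conflicts: Set[FrozenSet[str]]) -> List[Tuple[str, Tuple[str, ...]]]:
    """Return (user_id, conflicting roles) for every enabled account whose
    role set contains a complete toxic combination."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        for combo in conflicts:
            if combo <= acct.roles:
                findings.append((acct.user_id, tuple(sorted(combo))))
    return sorted(findings)


if __name__ == "__main__":
    for uid, why in orphaned_accounts(HR_ROSTER, ACCOUNTS, date(2024, 7, 1)):
        print(f"ORPHANED  {uid}: {why}")
    for uid, roles in sod_violations(ACCOUNTS, SOD_CONFLICTS):
        print(f"SOD       {uid}: {' + '.join(roles)}")
```

Run against real exports, the roster would come from the HR system of record and the account list from each in-scope application or directory; the value of the check is in the join across the two, which is exactly where manual deprovisioning and role-request processes tend to fail.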
8