Fraud isn't just for financial institutions -- all organizations, regardless of industry or size, must deal with fraudulent activities. This makes cyberfraud compliance a critical task for IT professionals, risk management teams and fraud prevention staff.
Ensuring fraud compliance starts with understanding the relevant statutes, standards, regulations and other legal requirements that address fraud from an IT perspective. One of the areas compliance auditors investigate is the detection and mitigation of fraudulent activities that use IT resources, such as applications, desktop devices, laptops, networks, servers, databases or user data.
Enterprise IT programs should first examine how their existing security policies and procedures address fraud, and then evaluate whether those policies and procedures are actually followed well enough to satisfy the relevant statutes.
Here, IT leaders can examine the various applicable rules regarding fraudulent activities that result from cybersecurity breaches.
Standards and statutes for fraud compliance
In addition to data security and privacy regulations, there are standards that address security and fraud prevention. For example, the American Institute of Certified Public Accountants (AICPA) and Association of Certified Fraud Examiners have each completed research on fraud and published reports and guidance on the subject that cross most vertical markets. ISACA also provides extensive guidance for IT auditors conducting examinations for security breaches and fraud.
The AICPA defined cyberfraud as "the intentional act of depriving another of property or money by deception, misrepresentation or other unfair means using computers or other technologies." Internal auditors, IT auditors and certified public accountants increasingly face challenges from internal and external threat actors. The same is true of IT cybersecurity professionals. Below is a list of standards most relevant to cybersecurity professionals.
NIST Special Publication (SP) 800-53. This standard, Security and Privacy Controls for Information Systems and Organizations (earlier revisions carried "Federal" in the title; Revision 5 dropped it to reflect use outside government), is widely used by federal, state and local government agencies and is also one of the go-to control catalogs in the private sector. It is available as a free download from NIST. Note that it is a general control catalog rather than a fraud-specific standard: the controls most relevant to a fraud compliance plan are those in the access control (AC) family, including AC-5 separation of duties and AC-6 least privilege, and the audit and accountability (AU) family, which governs the logging needed to detect and investigate fraudulent transactions. The catalog is logically organized and easy to map to a fraud compliance plan.
NIST SP 800-83. This document, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, provides detailed guidance on malware issues. These malware prevention and mitigation strategies can be of value to IT professionals. While it is not specifically an audit document, its guidance can be used to successfully identify potential fraud events and proactively mitigate them. Evidence of such identification and mitigation efforts can be important during an IT organization's audit.
International Organization for Standardization (ISO) 27001 and 27002. ISO, jointly with the IEC, publishes the widely used 27000 series of information security standards. The two most prominent are ISO/IEC 27001, Information technology -- Security techniques -- Information security management systems -- Requirements, and ISO/IEC 27002, Information technology -- Security techniques -- Code of practice for information security controls (the 2022 editions retitled both under the heading Information security, cybersecurity and privacy protection). These benchmarks can be used to address fraud compliance issues, but note the division of labor between them: ISO 27001 is the certifiable standard, specifying the requirements for an information security management system (ISMS), while ISO 27002 is implementation guidance for the controls and is not itself certified against. Certification to ISO 27001 involves a comprehensive examination of cybersecurity policies, procedures and administrative activities by an accredited certification body, and it can take upwards of a year to achieve. Organizations typically engage experienced auditors or consultants familiar with the standards to prepare.
Health Insurance Portability and Accountability Act (HIPAA) of 1996. The HIPAA Security Rule applies to covered entities, such as healthcare providers, health plans and clearinghouses, and to their business associates, whenever they create, receive, maintain or transmit electronic protected health information (ePHI), including electronic health records. It requires administrative, physical and technical safeguards built on a documented risk analysis. There is no HIPAA certification; compliance is demonstrated by producing evidence that the Security Rule safeguards are implemented, whether to an internal or third-party auditor or to the HHS Office for Civil Rights during an audit or breach investigation.
Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook, Information Security booklet, and Cybersecurity Assessment Tool (CAT). Financial institutions are assessed against the handbook during examinations by their federal regulator rather than through a voluntary audit; the examination procedures in the Information Security booklet's work program spell out what examiners look for. The CAT provides a structured approach to evaluating an institution's inherent risk profile and cybersecurity maturity, and thus its readiness for a cybersecurity event. Note that the FFIEC has announced it will sunset the CAT as of August 31, 2025, so institutions still relying on it should plan to migrate to another framework, such as the NIST Cybersecurity Framework, which the FFIEC itself pointed to as an alternative.
State fraud regulations. Most U.S. states have statutes that address fraud and data security, and every state has a data breach notification law. Most of these laws are written for organizations generally, financial or otherwise, rather than for IT and cybersecurity specifically, but they are worth reviewing to confirm that IT cybersecurity initiatives, especially incident response and breach notification procedures, are in alignment with them.
In most cases, a validation process such as an internal or external audit is necessary to demonstrate compliance with specific standards and regulations, and preparation for that audit is essential. IT leaders should first submit documentation asserting compliance with security and fraud controls, such as policies, procedures, risk assessments and control evidence. Second, they should demonstrate compliance in real time through audit interviews and live demonstrations of the controls in operation. Finally, they should remediate audit findings and recommended actions within the specified time frames and retain evidence of that remediation for the next review.