Compliance legislation 'making fraud easier'

Vastly increasing the amount of business information stored could be making life easier for fraudsters, according to analysts
Written by Will Sturgeon, Contributor

The complex and copious amounts of data being stored on corporate networks post-Sarbanes-Oxley may actually be creating greater opportunities for fraud — even though the law was a reaction to the huge corporate frauds which rocked Enron and WorldCom.

And data "gluttony", as one analyst branded it, may be setting companies up for a fall further on down the line.

Peter Dorrington, head of fraud solutions at SAS, told ZDNet UK sister site silicon.com companies are blindly storing vast amounts of data while giving little thought to what is actually being stored.

"There is just a lot of storage going on," said Dorrington. "But there is no interpretation of that data."

As such it will make the occasional instances of fraud or anomalous data far more difficult to spot.

"Fraudsters are reliant upon their transaction being a tree hidden a forest," said Dorrington, adding that the vast amounts of data being stored post-SOX are simply increasing the size and density of that forest.

"The more data there is, the easier it is to hide," said Dorrington. "And there is little thought being given to whether companies should look to understand what is going on within that data."

Dorrington believes many companies believe they are playing it safe by simply keeping everything — seeing it as the easiest way to ensure they keep the right things.

He said: "A lot of companies are still stuck at high-level tick-box mentality."

James Governor, analyst at Red Monk, said: "Any company which simply stores everything is creating problems for themselves further down the line."

"Storing everything is just abdicating responsibility, rather than following policy and understanding what they should be storing," said Governor.

He added that it may also be in breach of corporate policies which dictate certain data may only be kept on record for six or nine months. While such policies must be adhered to they create a no-win situation in which they also conflict with the retention requirements of other regulation such as SOX, said Governor.

"This is going to break a lot of corporate policy," he added.

And even if a fraud comes to light the sheer volume of unnecessary data being stored in order to cover all bases means companies are faced with the near impossible task of wading through it all.

Governor said: "If we think of finding fraud as being a hunt for a needle in a haystack then what many, many companies are now doing is comparable to pouring on a lot more hay."

"This is a very significant problem," Governor added. "Rather than just spending more and more money on storage it would make sense to invest a lot more money in working out exactly what companies need to store."

Shaun Fothergill, security strategist and compliance expert at Computer Associates, believes despite problems settling in, SOX will improve matters for business when implemented effectively. However, he warned on the fraud issue that compliance may start to throw up even more instances.

Fothergill said: "Compliance and regulation is forcing the business of IT to do things right. So organisations will begin to measure and monitor more than they did before."

"This may actually give the impression that more fraud is occurring when in fact organisations are just monitoring what they should have monitored in the first place. As the anomalies and fraud issues are corrected the indicators of problems will be moved from red to amber then to green.

"These new indicators will initially highlight greater deficiency when in fact the business and IT are just getting it right."

Such confusion may be one reason why the SOX deadline for companies based in European countries has been put back a further year this week. Originally the controversial section 404, which outlines the requirement to archive data, was to come into effect on 15 July 2005.

However, Mark Strauch, COO of business alignment firm Business Engine, warned: "The extension of the 404 deadline should not in any way be viewed by UK companies as a reason to postpone or sideline compliance projects in favour of other projects."

"The long-term potential for companies to credibly improve transparency within their organisations in line with section 404, should be seen as an opportunity to produce benefits in other areas, such as reducing risk by being able to see early on where problems lie, thus deal with issues more effectively."

Editorial standards