As any auditor knows internal fraud is as old as business. The classic case involves the secretary who is responsible for accounts payable as well as procurement. He generates bogus invoices and pays them to bogus companies. I have a friend in Chicago whose business was ruined this way. A law firm here in Michigan lost millions to the Nigerian 419 scam because their secretary had access to the firm’s funds. ( By the way check out this article. A couple of con artists in Toronto have received jail terms. Nigerians are not responsible for all advance-fee scams! )
Modern accounting controls are supposed to prevent this kind of fraud. The real danger is that controls are not keeping pace with technology. Since the introduction of the first commercial computer (UNIVAC, on this date in 1951) computers have been used to make the fraudster’s job easier. This article mentions three cases of admittedly low tech fraud but involving IT staff. In one case a mid level IT manager at the Canadian Defense Department created bogus orders for Tempest Terminals that were funneled through a supplier, HP, to front companies from which he would get kick backs. The point is that IT staff are not above sneaking a buck out of the till now and then. Imagine the consequences if a developer or internal admin monkeys with the workings of your automated billing and receivables software?
What could an insider accomplish with a few simple credentials? Access to the treasury system for instance. Most large organizations swap millions into overnight instruments to take advantage of the best interest rates only to swap them back into their working accounts during the day. Skimming a piece of that transaction could be simple.
It is probably a good time to review internal controls at your organization. Rolling out a new layer of authentication could cut short any existing fraudulent operations. Strong authentication for any treasury function should be mandated. Monitoring of transactions and data transmissions is another step. And an audit of existing controls, including a test would be good.