The Importance of Financial Controls Testing
Between July 2022 and January 2024, the Victorian Auditor-General's Office (VAGO) uncovered 212 fraud cases¹, including employees and scammers exploiting vendor or supplier financial records. Departments also reported 4 cases where bank details in their master file were changed as a result of a cyber-attack.
Cybercrime threatens the wellbeing and security of the community and imposes significant costs on individuals, organisations and governments. It covers a range of activities, including phishing, malware, data theft or manipulation, extortion and ransomware, and is a major threat to financial institutions and businesses worldwide. With cybercrime-related money laundering possibly reaching $10.3 trillion (USD) by 2025, it is crucial for organisations to be proactive.²
Financial controls testing assists in ensuring financial systems and practices are robust and capable of withstanding cyber-attacks.
Why Financial Controls Testing Matters
Bad actors conduct financial crime by compromising systems or processes, or by convincing an employee to make payments to the wrong entities, individuals or accounts. Common methods include:
- Phishing: Fake emails or messages that convince staff to provide or modify sensitive information.
- Compromised Suppliers: Emails sent from compromised vendor or supplier accounts carrying fake or modified invoices.
- Compromised Internal Staff: Emails sent internally to elicit an action, a change of details or an urgent payment.
- Malware: Harmful software designed to exploit system vulnerabilities.
- Shell Companies: Legitimate companies are sometimes used for fraudulent activities, creating challenges for scam victims trying to recover their money.
- Supply Chain Risk: Without proper policies and procedures to categorise third-party suppliers and their tiering, the organisation is exposed.
Insights from Financial Controls Assessments
Recent assessments by Trinity revealed key vulnerabilities across multiple organisations:
- Manipulation of Banking Details: By impersonating an approved supplier's employee (or using a compromised account) over email or phone, it may be possible to update banking details without proper verification.
- Modification of Existing Invoices: By resending recent invoices of onboarded suppliers, it may be possible either to get an invoice paid twice or to have it paid to a new account specified in the updated invoice. This is a common threat vector used by malicious actors.
- Urgent Request by Superior: Using an organisation's communication platform, such as Teams or email, an urgent request is sent from the Chief Financial Officer (CFO) to a finance staff member asking for rapid payment of a specific invoice. This simulates a compromised internal account and verifies whether additional controls are in place to prevent the payment from occurring.
- Technical Controls: Although the human factor is important, the existing technical controls must also be reviewed for adequacy. These include email server security, external email banners, phishing controls and regular assessments. Weakened technical controls expose the organisation further by allowing malicious or suspicious content into the environment.
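The first three findings above all come down to a missing check before money moves. The following script is an added example written for this article; it is not Trinity's assessment tooling or any client's system. It runs a handful of control checks over a constructed supplier master file, bank-detail change requests and an invoice batch (all sample data is constructed), and reports which request would have been held: a bank-detail change verified by ringing a number taken from the request itself, a resent invoice pointing at a new account, and an "urgent" payment that skipped dual approval. The supplier IDs, names, BSBs, account numbers and approver names are hypothetical.

```python
"""Control checks over constructed finance data: flags bank-detail changes that were
not independently verified, resent invoices pointing at a new account, and urgent
payments that bypassed dual approval. All suppliers, requests and invoices below are
constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Supplier:
    supplier_id: str
    name: str
    bsb: str
    account: str
    phone_on_file: str      # contact captured at onboarding from an independent source


@dataclass
class BankDetailChange:
    supplier_id: str
    new_bsb: str
    new_account: str
    callback_number: str    # number the verifier actually rang; "" if no call-back
    approved_by: frozenset


@dataclass
class Invoice:
    supplier_id: str
    invoice_no: str
    amount: float
    bsb: str
    account: str
    approvers: frozenset
    marked_urgent: bool = False


MIN_APPROVERS = 2   # dual approval for any change to payment details or any payment


def check_bank_detail_change(change, suppliers):
    """Control failures for one bank-detail change request ([] means it passed)."""
    sup = suppliers[change.supplier_id]
    failures = []
    # The call-back must go to the number already on file. A number supplied inside the
    # change request could belong to whoever is impersonating the supplier.
    if not change.callback_number:
        failures.append("no call-back verification performed")
    elif change.callback_number != sup.phone_on_file:
        failures.append("call-back used a number from the request, not the number on file")
    if len(change.approved_by) < MIN_APPROVERS:
        failures.append("fewer than %d approvers" % MIN_APPROVERS)
    return failures


def check_invoice(inv, suppliers, paid):
    """Control failures for one invoice before payment ([] means it can proceed)."""
    sup = suppliers[inv.supplier_id]
    failures = []
    # Same supplier and invoice number already settled: a resent or duplicated invoice.
    if (inv.supplier_id, inv.invoice_no) in paid:
        failures.append("invoice number already paid (possible resent invoice)")
    # Pay only to the details held in the master file, never to details on the invoice.
    if (inv.bsb, inv.account) != (sup.bsb, sup.account):
        failures.append("invoice bank details differ from master file")
    # Urgency is not a reason to drop the second approver.
    if len(inv.approvers) < MIN_APPROVERS:
        failures.append("urgent request bypassed dual approval" if inv.marked_urgent
                        else "fewer than %d approvers" % MIN_APPROVERS)
    return failures


def run_checks():
    """Run the checks over the constructed sample data; returns {label: failures}."""
    suppliers = {"S001": Supplier("S001", "Acme Stationery", "033-000", "123456", "0399990000")}
    paid = {("S001", "INV-1042")}   # invoices already settled this period
    changes = {
        "change-from-email": BankDetailChange("S001", "062-000", "987654", "0411222333",
                                              frozenset({"j.smith"})),
        "change-verified": BankDetailChange("S001", "062-000", "987654", "0399990000",
                                            frozenset({"j.smith", "k.lee"})),
    }
    invoices = {
        "resent-invoice": Invoice("S001", "INV-1042", 4800.0, "062-000", "987654",
                                  frozenset({"j.smith", "k.lee"})),
        "urgent-from-cfo": Invoice("S001", "INV-1043", 12000.0, "033-000", "123456",
                                   frozenset({"j.smith"}), marked_urgent=True),
        "normal-invoice": Invoice("S001", "INV-1044", 900.0, "033-000", "123456",
                                  frozenset({"j.smith", "k.lee"})),
    }
    results = {k: check_bank_detail_change(c, suppliers) for k, c in changes.items()}
    results.update({k: check_invoice(i, suppliers, paid) for k, i in invoices.items()})
    return results


if __name__ == "__main__":
    for label, failures in run_checks().items():
        print(label, "->", failures or "OK")
```

The point of the design is that every check compares the request against data the organisation already holds (the phone number and bank details captured at onboarding, the list of invoices already paid) rather than against anything the requester supplied; a real implementation would pull those from the ERP or accounts-payable system instead of the constructed dictionaries.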
Practical Steps for Better Financial Controls
- Enforce Policies: Ensure strict adherence to policies for modifying sensitive supplier details or payment processing.
- Train Staff: Regular training to help staff recognise phishing and other cyber threats.
- Verify Information: Harden verification processes during business onboarding, such as checking ABN details beyond confirming that the ABN is valid or active.
- Use Technology: Implement technical controls such as hardened 365/email systems, email filtering, bank detail verification and automated anomaly detection systems.
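To make "beyond valid or active" concrete, here is an added example of an onboarding check written for this article; it is not Trinity's tooling and does not call the real Australian Business Register. It validates the ABN check digit (the published algorithm: subtract 1 from the first digit, weight the digits 10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19 and require the sum to divide by 89), then goes further: the entity must be active in a register snapshot, the entity name on the form and the name on the bank account must match the registered name, and the contact used for verification must have come from an independent source rather than the onboarding request. The register snapshot, the two ABNs (constructed to pass the checksum) and the entity names are all hypothetical.

```python
"""Supplier onboarding checks: ABN checksum plus the verification that has to happen
beyond 'valid or active'. The register snapshot, ABNs and requests are constructed for
illustration; no real register lookup is performed."""
import re

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)


def clean_abn(abn):
    """Strip the spaces an ABN is usually written with (e.g. '64 372 518 691')."""
    return re.sub(r"\s+", "", abn)


def abn_checksum_valid(abn):
    """Published ABN check-digit test: 11 digits, first digit minus one, weighted sum mod 89."""
    digits = clean_abn(abn)
    if not re.fullmatch(r"\d{11}", digits):
        return False
    nums = [int(d) for d in digits]
    nums[0] -= 1
    return sum(n * w for n, w in zip(nums, ABN_WEIGHTS)) % 89 == 0


# Constructed register snapshot standing in for a live lookup (hypothetical entities).
REGISTER = {
    "64372518691": {"entity_name": "Acme Stationery Pty Ltd", "status": "Active"},
    "81904623719": {"entity_name": "Old Widgets Pty Ltd", "status": "Cancelled"},
}


def normalise(name):
    """Compare names case- and punctuation-insensitively ('ACME Stationery Pty. Ltd')."""
    return re.sub(r"[^A-Z0-9]", "", name.upper())


def onboarding_checks(req, register=REGISTER):
    """Reasons an onboarding request must be held; [] means clear to proceed."""
    holds = []
    abn = clean_abn(req["abn"])
    if not abn_checksum_valid(abn):
        return ["ABN fails checksum"]
    entry = register.get(abn)
    if entry is None:
        return ["ABN not found in register"]
    if entry["status"] != "Active":
        holds.append("ABN status is %s" % entry["status"])
    # A valid, active ABN proves nothing if it belongs to someone other than the party
    # named on the form or on the bank account that will receive the payments.
    if normalise(entry["entity_name"]) != normalise(req["entity_name"]):
        holds.append("entity name on form does not match register")
    if normalise(req["bank_account_name"]) != normalise(entry["entity_name"]):
        holds.append("bank account name does not match registered entity")
    # Verification must use a contact obtained independently (website, prior records,
    # directory), never one that arrived with the request being verified.
    if req["verification_contact_source"] != "independent":
        holds.append("verification contact taken from the request itself")
    return holds


def run_onboarding_examples():
    """Run the checks over constructed requests; returns {label: holds}."""
    requests = {
        "clean": {"abn": "64 372 518 691", "entity_name": "ACME Stationery Pty Ltd",
                  "bank_account_name": "Acme Stationery Pty Ltd",
                  "verification_contact_source": "independent"},
        "account-name-mismatch": {"abn": "64 372 518 691", "entity_name": "Acme Stationery Pty Ltd",
                                  "bank_account_name": "J Smith Trading",
                                  "verification_contact_source": "request"},
        "cancelled-entity": {"abn": "81 904 623 719", "entity_name": "Old Widgets Pty Ltd",
                             "bank_account_name": "Old Widgets Pty Ltd",
                             "verification_contact_source": "independent"},
        "bad-checksum": {"abn": "64 372 518 692", "entity_name": "Acme Stationery Pty Ltd",
                         "bank_account_name": "Acme Stationery Pty Ltd",
                         "verification_contact_source": "independent"},
    }
    return {label: onboarding_checks(req) for label, req in requests.items()}


if __name__ == "__main__":
    for label, holds in run_onboarding_examples().items():
        print(label, "->", holds or "OK")
```

In practice the `REGISTER` dictionary would be replaced by a lookup against the actual register, and the name comparison would likely tolerate trading names recorded against the entity; the structure of the decision, checksum first, then status, then identity and payee matching, then the source of the verification contact, is what the "verify information" step is asking for.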
Conclusion
Financial controls testing is vital in the fight against cyber threats. Regular assessments and improvements help ensure that financial systems are secure and resilient. By enforcing policies, training staff, verifying information, and using technology, businesses can protect their financial operations from cyber threats.
At Trinity Cyber Security, we consider these factors and many more when conducting any engagement, with the organisation's context in mind. Please feel free to reach out to us on 1800 430 933 or email [email protected] to discuss how we can support the continuous journey to improve the cyber security posture of an organisation.
Sources
¹ https://www.audit.vic.gov.au/sites/default/files/2023-11/20231124_AFR-Report-2022-23.pdf
² https://www.upguard.com/blog/the-impact-of-cybercrime-on-the-economy