Lessons from an $8 million fraud

I talk to a lot of users of ERP systems, and their feelings about security cover the full range. Many are overly complacent, but occasionally I run into the excessively paranoid. Either way, it's important to understand what can happen. This story is a couple of years old, but the lessons in it are perfect for medium-sized businesses.

The article, Lessons from an $8 million fraud, covers accidental excessive approval rights, incomplete segregation of duties, work-arounds to "get things done", manipulation of multicurrency, and the exploitation of other users' passwords. All of it started with an accident.

I’ve said before that it’s my opinion that we tend to catch fraud at rough break points. If you don’t catch a fraud at $1,000, your next chance is at $10,000 and then $100k, and finally beyond $1 million. In this case, it started with $1,100. The company had a perfect chance to catch this at around $80k and missed it.

There are a lot of little lessons in here and it’s definitely worth the read.
