How CPAs can fight phishing fraud
What can practice and management CPAs learn from the MacEwan University cybercrime?
TORONTO – For every cybercrime reported by the media, there are multitudes that are kept quiet, either on advice from legal counsel or by management decision. So says Chartered Professional Accountant Bridget Noonan, a partner at Clearline Consulting in B.C., in reference to the $11.8 million cybercrime at MacEwan University.
“The good news for us is that there is yet another fraud that has been publicized,” says Noonan. It’s an opportunity to learn from the mistakes of others.
As reported by Canadian Accountant, MacEwan accounts payable staff were convinced to change a vendor’s electronic banking information by a series of fake emails from a fraudster. Edmonton-based Clark Builders had been a MacEwan vendor since 2003 and was owed a $9-million final payment for completion of work on a new building. The fraudster created a copycat website and convinced MacEwan staff to send payment to another bank account.
It was Clark that contacted MacEwan, wondering when they would be paid. “They [MacEwan] were conducting business with a large entity [Clark] whose controls likely required timely follow-up on non-payment of receivables as part of their own processes,” says Noonan. “If that call had not been made we can only speculate the magnitude of payments which may have been issued.”
Sending a series of fraudulent communications to a potential victim is commonly known as “phishing” in cybercrime. It’s one of the most basic of frauds, with a long history of similar crimes in the pre-digital age as well. “This was not a sophisticated fraud,” says Noonan. “There’s a Canadian Government publication advising of this fraud as a 2017 trend. However, I’m afraid that many entities would likely have found themselves in the same position. You just haven’t been targeted … yet.”
Internal controls for the digital age
Chartered Professional Accountants, especially those practitioners who advise the SME business sector, can learn from the lax internal controls of MacEwan. “Many entities have failed to update or implement controls that address the electronic nature of the cash-processing environment,” says Noonan. “If you look to MacEwan’s published cash internal control documents, you’ll see that the policies rely heavily on the paper flow of documentation.”
Noonan points out that, “The value of what might be referred to as ‘old-style controls or auditing’ will never be lost, regardless of the integration of data analytics and artificial intelligence.” The fraud, Noonan reminds us, could have been detected with one call to Clark Builders.
Canadian Auditing Standards require that auditors consider areas that may be susceptible to fraud, and design audit procedures to respond to these risks. Auditors are also required to meet with management and corporate governance to discuss the fraud risks and integrate the assessment into the fraud audit procedures.
“This provides no guarantee that the external auditor will identify the fraud,” acknowledges Noonan, “however, you would look to this process to provide some insight into the quality controls around fraud risk.”
Processes should also be updated for the digital age. MacEwan’s accounting staff may not have been aware that entire websites could be cloned to perpetrate cybercrime. “All entities,” says Noonan, “need to find the time and resources to ensure controls are keeping up with new business processes.”
High-profile cases such as these can be leveraged by CPAs in advisory or consulting roles. But if you’re running a company, Noonan says, “Ensure that your corporate training sessions include fraud education. Start with your external auditor. If they are unable to support you, I would recommend looking to the Association of Certified Fraud Examiners and the Canadian Competition Bureau to get started.”
Cavalier attitudes towards cybercrime simply don’t cut it in the digital age. “We all have the tendency to say ‘it won’t happen to us,’” says Noonan, “but in today’s world that can be a very costly assumption. We all need to ensure that education and discussions around susceptibility to fraud are ongoing.”
It’s critical, stresses Noonan, to follow fraud trends and provide your staff with the tools and resources they need to be professionally skeptical at all times.
Colin Ellis is the editor-in-chief of Canadian Accountant.