Quis Custodiet Ipsos Custodes?

March 9, 2023

Latin for “who will guard the guards themselves?” – Roman poet Juvenal.

Generally used to describe a situation in which a person or body having power to supervise or scrutinise the actions of others, is not itself or themselves subject to supervision or scrutiny.

Detecting unauthorised changes to records in a table is crucial for maintaining data integrity and ensuring that financial data is accurate and trustworthy. Unauthorised changes to financial data can lead to serious consequences, such as financial loss, legal and regulatory non-compliance, and reputational damage. In this article, we will discuss how data analytics can be used to detect unauthorised changes to records in Microsoft SQL Server, the risks involved with making unauthorised changes to financial data records, and the obstacles to identifying changes made to records on a database or record level.

I recently performed a forensic data analysis of a case in which several transactions were identified where suppliers were paid significantly more than the amounts approved on the original purchase order (PO).

The organisation has a strict policy that dictates that no supplier invoice is approved for payment if the amount on the invoice differs from the approved PO by more than 3%. Such cases must be returned to both the supplier and the PO approver to either change the invoice or process a new PO.

Interestingly, the data analytic clearly and easily picked up these exceptions through a simple comparison between supplier invoice and PO values. The data showed no sign that someone tried to hide the excessive payments, as might be expected. The only real weakness was that nobody searched for these exceptions before.

Everyone involved in the investigation initially thought it is a open and shut case of financial personnel abusing their power and paying excessive amounts to suppliers. We assumed they receive kickbacks from suppliers.

However, I became concerned when we started interviewing the financial personnel who approved payment of the supplier invoices.

I’m as sceptical as the next forensic investigator but the people seemed really shocked when we showed them the evidence. Each one of them was adamant that, when they approved the supplier invoice for payment, the PO value agreed 100% with the invoice value.

We had no option but to consider the possibility that someone else might have changed the PO value to temporarily match the supplier invoice value. At first glance it seemed impossible since the system didn’t allow changes to approved PO’s. You are only allowed to cancel a PO and create a new one.

That left us with only one other possibility.

The system’s data is stored in tables in a Microsoft SQL Server database. It is not only possible but easy to change a PO’s value directly in the database and change it back to the original value is just as simple. In addition, such changes would not be recorded in the application’s audit trails.

We knew that only database administrators or DBA’s had access to MS SQL Server data tables and could make these changes. DBA’s are the guardians of the company’s databases. Would they do something like that? The organisation depends on them and trust them. It’s also very difficult to check up on what they do. How do you guard against the guardians?

Since no audit trail existed to see if a DBA made changes to PO values, we decided to set a trap. We implemented an independent secret continuous monitoring analytic that compares the MS SQL Server data table on a frequent basis.
Within 2 days the continuous monitoring tool informed us that a change was made to an approved PO. We jumped into action and with the assistance of the Finance department approved payment of an inflated supplier invoice that was received the previous day. Half and hour later the continuous monitoring tool informed us that the same PO was changed back to its original value. During the whole time we monitored who was working on the MS SQL Server database and identified the DBA on duty at the time.

The DBA was called in and admitted to the whole scam when presented with the evidence. He worked with several suppliers and received kickbacks.

The phrase “who guards us against the guardians” is a relevant question in the context of detecting unauthorised changes to records. It refers to the challenge of ensuring that those responsible for protecting data are not themselves engaging in unauthorised activity. Insider threats are a significant challenge in detecting unauthorised changes, as individuals with legitimate access to data may be the ones making the changes. Data analytics can help mitigate this risk by providing an objective means of detecting anomalies and identifying suspicious activity.

Obstacles to Identifying Changes Made to Records

Identifying unauthorised changes to records can be challenging due to several obstacles. Some of these obstacles include:

  • Data Volume: With large amounts of data, identifying unauthorised changes to records becomes increasingly difficult. It may require significant manual effort to review all changes made to records.
  • Data Complexity: Data is often complex, with multiple data sources and interdependencies. This can make it difficult to track changes and determine the cause of changes.
  • Insider Threats: Insider threats are a significant challenge in detecting unauthorised changes to records. Insiders with legitimate access to the data can easily make changes without detection.

Detecting Unauthorised Changes with Data Analytics

Data analytics can be used to detect unauthorised changes to records in Microsoft SQL Server. By analysing data logs and comparing data before and after changes, anomalies can be detected, and suspicious activity can be flagged for further investigation. Some of the data analytics techniques that can be used include:

  • Change Point Analysis: Change point analysis involves analysing data over time to identify when changes occurred. By analysing patterns and trends, it can help identify when unexpected changes occurred and flag them for further investigation.
  • Anomaly Detection: Anomaly detection involves identifying unusual or unexpected data patterns. This can be used to detect unauthorised changes to records that deviate from normal patterns.
  • Machine Learning: Machine learning algorithms can be used to analyse large volumes of data and identify patterns and anomalies that are difficult to detect manually. For example, anomaly detection algorithms can identify unusual activity that may indicate unauthorised changes.

The risk of unauthorised changes is one of the most severe risks facing any organisation. When perpetrated by employees with administrative access or so-called super users, it is almost undetectable and could be causing damage to the organisation for a very long time before it is detected.

We will always have to trust our guardians to have our best interest at heart. There is no way around that. Data analytics and more specifically independent continuous monitoring, might very well become our ultimate guardians that guards us against unauthorised changes.

Written by Anton Bouwer, Director, RSM South Africa and Beta Software (distributor of Arbutus data analytics software)

About Arbutus Data Analytics:

Arbutus is arguably the most powerful Data Analytics software on the market, empowering an organisation to transform its data into valuable business insights. BETA Software is appointed as the authorised distributor of Arbutus in Sub-Saharan Africa and is the biggest Arbutus user in South Africa. Please see www.betasoftware.co.za for more information.

About BarnOwl:

BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by close to 200 organisations in Africa, Australasia and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework. Please see www.barnowl.co.za for more information.

About BarnOwl GRC integrated with Arbutus data analytics
BarnOwl GRC is fully integrated with Arbutus data analytics giving you the ultimate in real-time risk management and continuous monitoring. BarnOwl GRC, underpinned by real-time metrics from Arbutus provides a strategic early warning system driving preventative and predictive capability with real time insights facilitating effective business decision making and business improvement.

Useful links:

Arbutus BarnOwl integration part #1 and Arbutus BarnOwl integration part #2