
The Integrated Security Function: Augmenting the audit function through covert information gathering

By John Beard

The Association of Certified Fraud Examiners estimates that crime costs companies $3.5 trillion each year. These crimes take at least eight major forms: white collar crime; organized crime; internal pilferage and embezzlement; computer-related crime; external attack, including robbery, hijacking, and shoplifting; vandalism; terrorism; and industrial espionage.[1] Under the Sarbanes-Oxley Act (SOX), publicly traded companies are required to have anti-fraud programs within their organizations. By and large, these programs are detective in nature as opposed to being proactive or preventative. Why is this? The answer lies in the culture of businesses in contrast to governmental entities. In the United States, governmental entities such as the National Security Agency, the Federal Bureau of Investigation, and the Central Intelligence Agency use proactive approaches to detect potential security breaches that could be harmful to the country. This task is accomplished in many ways, including but not limited to data analysis, surveillance, interrogation, and managing operatives.

Businesses can employ similar techniques to produce a more proactive process that can potentially head off many costly and embarrassing events. For the process to work, there are basic organizational requirements: executive support (tone-at-the-top) and coordination among security personnel, internal audit personnel, and operating personnel. This level of interaction can be very beneficial to an organization. The process can be subdivided into two segments: administrative security and operational security.

Administrative security includes: personnel, communications policies and procedures, document controls, access to physical areas, employee identification (ID), trash disposal, travel security, and physical facility security.

Operational security activities are divided into security surveys, crisis response management, executive protection, information processing, and briefing and debriefing programs. These are designed to anticipate and protect against possible or probable security-related contingencies.

Most everyone has heard of crisis response management and executive protection processes. What is more likely to appear strange to the reader are the briefing and debriefing processes. We want to look at only one portion of this process today.

We’ll take a dive into these processes. In the briefing process, management is presented with current trends and developments that could negatively impact the business, for example, nationalization of business enterprises by foreign governments or terrorist activities in proximity to company locations. The value of the debriefing side is perhaps not so obvious. Done consistently, this program can provide a wealth of information, ranging from commercial data of importance to the company for planning to information which, if tracked over time, can indicate the targeting of company officials or assets. This targeting can have objectives ranging from economic intelligence to physical threats. The following is a hypothetical example of how an organization can be assessed for the potential of having a productive intelligence gathering program put into place and made operational.

  • Basis – the information obtained and attitudes observed during:
    • Briefing/debriefing phase
    • The survey phase
    • Information volunteered as part of a suggestion or other company program
  • Criteria for selection are the results of a survey at a given location
    • Who is cooperative
    • Who volunteers information
    • Who seems to be “plugged in”
    • Who has outside-of-company industry contacts
  • Prospects for long-term company association of the individual
    • Estimates of incentives
      • Money
      • Tenure
      • Preferential treatment
      • Other
    • Suasion that can be exercised
      • Function of incentives
      • Other aspects
    • Screening
      • Prospect of polygraph
      • Voice stress analyzer
      • Operational testing
      • Other
    • Main elements
      • Identifying
      • Contacting
      • Assessing
      • Obtaining discreet cooperation
      • Obtaining information
      • Presenting in a usable form
  • Targeting Guidelines
    • Moonlighting employees
    • Employees living beyond means
    • Individuals in sensitive positions
    • Individuals usually involved with competitors

The foregoing outline is just a hypothetical example of one phase of the Integrated Security Program. In today’s global economy, supported by extremely good but vulnerable communications and data processing systems, organizations would be wise to consider part, or all, of a broad-based approach to managing threats. Oh, you may ask, what does internal auditing have to do with this program? Internal auditors are typically assigned to audit all functions and geographic locations of a company over a period of time, acting as the ‘eyes and ears’ of management. These people are generally curious and are comfortable doing analytics and asking probing questions. This would be helpful in the identification process for potential cooperatives.

ResultQuest can assist in all areas of helping your organization set up and adopt this proactive methodology.

[1] Information source – ASIS International