3. Be aware of fraud
As technology companies delay or cut back on spending, they may open themselves up to far costlier problems, such as intellectual property (IP) infringement and identity theft. According to the 2008 BDO Seidman RiskFactor Report for Technology Businesses, IP infringement ranked as the sixth most common technology risk factor, reported by 84 percent of the top 100 public United States technology companies.
To combat intellectual property infringement:
United States technology companies should be aware that intellectual property can be stolen or misappropriated in many different ways, including making and selling an unauthorized copy of computer software, infringing a trademark by selling goods identified with a counterfeit mark, or stealing a trade secret from its owner and using it to benefit a competitor.
To mitigate the risk of infringement, businesses must assess the magnitude and likelihood of the threats. Then they need to implement prevention and detection measures specific to IP fraud, especially as they look to expand their global reach and leverage operational processes with resellers and international business partners.
To address identity and other types of IT-related theft:
Technology companies should familiarize themselves with the Identity Theft Enforcement and Restitution Act, which expands the ability of the United States government to prosecute identity theft and allows victims to obtain restitution. In addition, companies should become acquainted with the Identity Theft Red Flag Regulations related to the Fair and Accurate Credit Transactions Act (FACT) of 2003, which address the prevention and reporting of identity theft.
In October 2008, the Federal Trade Commission (FTC) announced that the deadline for compliance with the Identity Theft Red Flag Regulations had been extended until May 1, 2009. The delay was granted given the confusion and uncertainty about the applicability of the rule, and to allow companies to take the appropriate care and consideration in developing and implementing their programs.
Many technology companies are still in need of guidance, as they are not aware that they engage in activities that bring them under the scope of the new rules. Other entities that are generally not regulated by the FTC were also unaware of the rules. All financial institutions and creditors (such as telecommunications firms, technology retailers and service providers) will be required to comply with the Red Flag regulations.
4. Strengthen risk management controls
Companies should ensure that risk management controls and monitoring controls are robust, including segregation of duties. Particular focus should be placed on risk identification, and the development of comprehensive fraud prevention programs across all business lines and operations. IT controls should also be reviewed to ensure a direct link to the financial applications supporting the financial reporting process. Many companies are instituting controls of this nature using independent resources, reporting directly to the audit committee or board of directors.