Independent Assessment of the LOLC incident

Report developed for Norfund

June 30, 2020

Table of contents

Preface

Executive summary

1. Introduction

2. The LOLC incident

3. Payment process

4. IT

5. Governance


Preface

This report is the result of an independent assessment PricewaterhouseCoopers AS (PwC) has performed on behalf of Norfund. We have assessed existing internal controls and routines regarding payments, IT security and governance relevant to the fraud that affected Norfund on 16 March 2020.

The project was conducted in May and June 2020, by a team from PwC, where Karina Folvik has been the project manager. The project team included Line Vervik Ellingsen, Joachim Kibsgaard-Petersen, and Jan Henrik Schou Straumsheim. The project team was assisted by Lars Erik Fjørtoft, Marius Istvan Harlem-Nilsen, Frode Hommedal, and Per Le. Torkil Hindberg has been the Engagement Partner for the project.

PwC would like to thank all participants for their contributions in both interviews and providing useful information.

PwC emphasizes that all assessments and recommendations in the report are our opinions.

We would like to thank Norfund for the opportunity to work with them on this engagement, and for their cooperation.

Torkil Hindberg
Engagement partner
PwC


Executive summary

The incident

On 16 March 2020, Norfund transferred USD 9 888 055 to a bank account in Banco Mercantil del Norte, Mexico, which Norfund believed belonged to its client, the Cambodian financial institution LOLC Plc. In fact, the bank account was controlled by a threat actor who had compromised an email account belonging to a Norfund employee, registered fake domains, and impersonated Norfund’s and LOLC’s employees in the conversation.

Prior to the fraud, on 27 September 2019, the threat actor had compromised an email account belonging to an employee at Norfund, and monitored Norfund’s communication for seven months. On 9 March 2020, the threat actor intercepted email correspondence between Norfund and LOLC about the forthcoming transaction.

The threat actor changed the bank account details in the disbursement notice and convinced Norfund that a Mexican bank was used to avoid involving several bank intermediaries in the transaction. The threat actor used COVID-19 as a pretext to convince LOLC that the bank transfer was delayed. At the same time, the threat actor sent emails to Norfund confirming that the funds had been received by LOLC, to prevent further investigation on Norfund’s side.

On 24 April 2020 the threat actor tried to manipulate a transaction with another Cambodian client, First Finance Plc, and asked to change the bank account details to Banco Mercantil del Norte. Norfund’s investment manager requested First Finance to confirm the change of banking details. On 29 April 2020 Norfund received an email from First Finance stating that the account in Mexico did not belong to them. On 30 April 2020 Norfund received an email from LOLC stating that the bank account details in the transfer of 16 March 2020 were incorrect. Following the discovery of the fraud and the fraud attempt, Norfund immediately started investigating the incident in close cooperation with its bank DNB, its service provider Visolit, security advisors from PwC and Norwegian law enforcement.


Norfund operates in several developing countries subject to high financial, legal, political and security risk. In PwC’s opinion, the Board of Directors and the Management have set a proper “tone at the top” and established a risk management system adapted to the company’s operations, goals and strategy. Managing financial and non-financial risks inherent to Norfund’s investments has been a high priority. However, it is PwC’s assessment that the risk management framework could be further developed and improved to ensure Norfund’s operational resilience.

Over the past few years Norfund’s investment portfolio and organization have grown significantly. In PwC’s opinion, the Management has a continuous focus on risks related to the increasing complexity of the operations and defines proper risk-mitigating measures. However, PwC observed that Norfund’s implementation capabilities, i.e. the ability to put policies into action and to effectively control IT vendors’ capability to implement required changes, should be strengthened.

Assessment

In the past few years, the cyber threat landscape has undergone significant changes. Tools, techniques and capabilities that were previously exclusively available to highly resourceful threat actors have not only become easily accessible to less-skilled threat actors, but have also become easier to use. While substantial in terms of the financial losses incurred by Norfund, the LOLC incident was by no means exceptional.

The technique used to defraud Norfund is commonly known as Business Email Compromise (BEC). In this type of scam, a criminal threat actor uses email to impersonate a business executive or other employees to request fraudulent payments. In Norfund’s case, the threat actor leveraged relatively simple techniques in terms of circumventing existing IT security controls. PwC found no signs of malicious software being used. At the time of the incident, Norfund was in the process of, but had not completed, implementing additional IT security controls that could have helped detect the breach. PwC’s assessment is that the fraud was carried out by a resourceful and highly motivated threat actor who had an in-depth knowledge of financial transactions, and access to a global payment infrastructure. By intercepting Norfund’s emails, the threat actor likely had extensive knowledge of Norfund’s operations, and was able to successfully manipulate communication between Norfund and its clients. The combination of the threat actor’s technical capabilities and understanding of Norfund’s communication with the clients made the fraud sophisticated and difficult to detect.



The key contributing conditions to the LOLC incident were:

• One of Norfund’s clients had been exposed to a similar fraud in 2018. Following the incident, Norfund made an assessment of IT security protocols and controls in the payment process, and identified measures to improve security. However, the implementation of these improvement measures was delayed due to a lack of dedicated internal resources to implement changes, and delayed response from Norfund’s external IT provider. Had the planned security measures been implemented earlier, it is likely that the threat actor’s approach would have been more difficult to execute.

• Norfund had outsourced IT to a professional service provider, but had neither ensured sufficient IT Governance capabilities, nor retained or acquired the expertise required to effectively manage the vendor and associated service agreements. Misaligned expectations between Norfund and the IT service provider, and an unclear division of roles and responsibilities, contributed to an inconsistent and inadequate handling of security incidents related to the email account compromise.

• With regard to the risks of cyber attacks and external fraud, there has been too little focus on “worst-case” thinking and risk assessment of potential losses. Despite the robust risk management framework in place, Norfund could have conducted a more structured assessment of how potential weaknesses in IT security and payment processes could be exploited by external threat actors.

PwC has reviewed Norfund’s IT security controls and internal controls related to the payment process, and concluded that no particular control failure was the root cause of the incident. Rather, it was the combination of several conditions that made Norfund more susceptible to the fraud.


PwC’s recommendations

Based on PwC’s assessment of the incident and contributing conditions, PwC has several recommendations to improve Norfund’s operational resilience. PwC points out that detailed recommendations relevant to IT security and payment processes that could harm Norfund’s security, privacy considerations, or the ongoing police investigation are not presented in this report. Such recommendations have been communicated directly to Norfund’s Management and Board of Directors.

Governance

● Improve the approach and formal governance structure for operational risk management, and include operational risk in Norfund’s risk management framework

● Improve IT security training and include Norfund’s IT User policy in the onboarding program for new employees. We understand that Norfund has already taken steps to implement some of these measures.

● Review communication channels for changes in internal policies and procedures

● Consider training workshops when rolling out new policies and procedures to ensure that all employees understand the reason for changes and how such changes have to be implemented

● Review and further develop compliance activities and align controls with Norfund’s risk management strategy

Payments

● Improve the format and methods to transfer relevant knowledge, risk assessments and experience from the investment project team to Back Office employees.

● Review control design in the payment process and clarify who should be responsible for performing control activities.

● Assess whether control activities in the payment process are adequate and effective to prevent external fraud.

● Consider training in international payment processes and systems to ensure an adequate understanding of the risks involved and available control mechanisms.

● Assess the manual processes with regard to their effectiveness and impact on the operational risk.

IT

● Build sufficient IT Governance capabilities, and ensure sufficient resources and expertise to assess and manage Norfund’s needs for IT services and security requirements

● Formalize roles and responsibilities between Norfund and IT service providers to ensure that agreed-upon deliverables are effectively followed up

● Conduct an IT risk assessment to align IT security posture and key controls with the threat landscape, and allocate sufficient resources to ensure timely implementation of controls


1. Introduction

1.1 Background

Monday, 16 March 2020, Norfund transferred USD 9 888 055 to a bank account in Banco Mercantil del Norte, Mexico, believing the transfer went to the financial institution LOLC Plc. in Cambodia.

Thursday, 30 April 2020, Norfund concluded that they had fallen victim to financial fraud. The threat actor had taken control over an email account of a Norfund employee based in Thailand - a technique commonly referred to as Business Email Compromise - and manipulated subsequent email communication to enable the transfer of funds to a bank account controlled by the threat actor, instead of LOLC Plc.

The incident was reported to the Oslo Police District, the Norwegian Data Protection Authority, and followed up with Norfund’s bank, DNB.

A more detailed overview of the incident is provided in section 2.1.

1.2 PwC’s mandate

As a result of the incident, Norfund’s Board of Directors hired PricewaterhouseCoopers AS (hereinafter referred to as “PwC”) to perform an independent assessment of existing internal controls and routines regarding payments, IT security and governance relevant to these areas. This report aims to provide an overview of the root causes that contributed to the IT incident and subsequent fraud, and to provide recommendations with respect to short and long term remediation activities in order to prevent similar incidents in the future.

The scope of this assessment is limited to processes and controls related to governance, payments and IT security relevant to the incident. This report is not a complete security assessment of Norfund.


1.3 Approach

The assessment has been conducted by a project group from PwC and consisted of a review of Norfund’s internal documentation and interviews with stakeholders, employees and suppliers of external services within IT (Visolit and IT Consult), corporate banking (DNB) and accounting (NRP Procurator).

The aim of the interviews was to gain an understanding of existing controls and routines with respect to payments, IT security and governance relevant for these areas. The findings from the interviews would support the identification of root causes of the incident and provide recommendations regarding remediation activities going forward. PwC’s assessment of Norfund’s risk management and internal control is based on the Integrated Framework for Internal Control developed by COSO¹.

1.4 Acknowledgements

PwC would like to thank Norfund and the third-party providers for their support and insights during the course of this assessment.

Prior to the incident, Norfund had already identified and taken steps to implement several initiatives with respect to governance, payments and IT security. However, not all of the initiatives were fully implemented at the time of the incident.

In interviews, we observed a genuine interest and willingness to identify relevant remediating measures among Norfund’s Management and staff. PwC recognizes Norfund’s transparency and willingness to share their experiences so that others may learn from the incident. Further, Norfund and external third parties acknowledged that processes and internal controls have room for improvement.

¹ Committee of Sponsoring Organizations of the Treadway Commission.

1.5 Limitations

It is important to emphasize that this report is not an investigation and PwC’s assessment does not aim to identify who was responsible for the incident. The details of recommendations that if disclosed can harm Norfund’s security, privacy considerations or the ongoing police investigation have been communicated directly to Norfund’s management and Board of Directors.

1.6 Disclaimer

This report has been prepared solely for Norfund's internal use with the purpose set out in the engagement letter dated 5 May 2020.

Our assessment is based on interviews conducted with Norfund employees, representatives from their service providers, and information provided by Norfund. PricewaterhouseCoopers (PwC) has not independently verified the information and we therefore do not provide any assurance as to its completeness or accuracy. PwC has not performed any quality assurance or controls of Norfund’s business.

Norfund is entitled to use information from this report within their business, in accordance with the Terms and Conditions attached to our engagement letter. PwC does not accept any responsibility for losses suffered by Norfund or others as a result of distribution, reproduction or use of our final or draft report.

PwC holds the property right and other intellectual property rights to the report and ideas, concepts, models, information and know-how that are developed in accordance with our work.

Any action taken on the basis of this report is at the reader’s own responsibility.

2. The LOLC incident

2.1 The nature of the incident

On 16 March 2020, Norfund transferred USD 9 888 055 to a bank account in Banco Mercantil del Norte, Mexico, which Norfund believed belonged to its client, the Cambodian financial institution LOLC Plc. The bank account, seemingly registered in LOLC’s name, was in fact controlled by a threat actor.

Prior to the fraud, on 27 September 2019, the threat actor had compromised an email account belonging to an employee at Norfund, and monitored Norfund’s communication for seven months. On 9 March 2020, the threat actor intercepted communication between Norfund and LOLC about a forthcoming transaction.

Within 24 hours of observing this, the threat actor registered a fake domain impersonating LOLC, forged the bank account details in the disbursement notice, and sent the document to Norfund from the fake domain. In addition to changing the bank account details, the threat actor convinced Norfund that a Mexican bank was used to avoid involving several bank intermediaries in the transaction.

On 14 March 2020, the threat actor also registered a fake domain to impersonate Norfund in their communication with LOLC. PwC has found evidence of 15 emails sent by the threat actor to Norfund during the week 10 March - 16 March to ensure the transfer of funds to the Mexican bank account. The threat actor leveraged the COVID-19 pandemic to convince LOLC that the bank transfer was delayed. At the same time, the threat actor sent emails to Norfund confirming that the funds were received by LOLC to prevent further investigation on Norfund’s side.

On 24 April 2020 the threat actor tried to manipulate a transaction with another Cambodian client, First Finance Plc, and asked to change the bank account details to Banco Mercantil del Norte. Norfund’s investment manager requested First Finance to confirm the change of banking details. On 29 April 2020 Norfund received an email from First Finance stating that the account in Mexico did not belong to them. On 30 April 2020 Norfund received an email from LOLC stating that the bank account details in the transfer 16 March 2020 were incorrect. Following the discovery of the fraud and fraud attempt, Norfund immediately started investigating the incident in close cooperation with their bank DNB, their service provider Visolit, security advisors from PwC and Norwegian law enforcement.
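The pattern described in 2.1, a disbursement notice arriving from a lookalike domain, carrying beneficiary details that differ from those on file, at a bank in a different country from the client, is what a Back Office screening step should surface before the instruction is signed off. The following Python is an added example, not code from the PwC report, Norfund or any of its providers. The counterparty name, domains (.example TLD), BICs (XXXX prefixes) and account numbers are constructed, and the confusable table and edit-distance budget are simplified illustrations rather than a production lookalike detector.

```python
"""Screening an inbound disbursement notice against what Back Office has on file.

Added example; not code from the PwC report or from Norfund. Counterparty
names, domains, BICs and account numbers are constructed (.example TLD,
XXXX BIC prefixes) and stand in for whatever a real Back Office would hold.
"""
from dataclasses import dataclass

# Characters and digraphs commonly substituted in lookalike domains. Both
# sides are folded before comparison so that "lo1c" compares equal to "lolc".
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def _fold(label: str) -> str:
    label = label.lower()
    for src, dst in _CONFUSABLES:
        label = label.replace(src, dst)
    return label


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _org_label(domain: str) -> str:
    """'mail.lolc.example' -> 'lolc'. Assumes two-label registrable domains
    (a simplification); real data needs a public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


@dataclass(frozen=True)
class Counterparty:
    name: str
    domains: frozenset      # domains the counterparty is known to send from
    bic_on_file: str        # beneficiary bank BIC agreed at signing
    account_on_file: str    # beneficiary account agreed at signing


@dataclass(frozen=True)
class Notice:
    sender_domain: str      # domain of the From: address the notice arrived from
    bic: str                # beneficiary bank BIC stated in the notice
    account: str            # beneficiary account stated in the notice


def classify_sender_domain(domain: str, counterparties) -> str:
    """'trusted' if exactly a known domain, 'lookalike' if it imitates one,
    otherwise 'unknown'."""
    domain = domain.lower()
    if any(domain in cp.domains for cp in counterparties):
        return "trusted"
    d_label = _fold(_org_label(domain))
    for cp in counterparties:
        for known in cp.domains:
            k_label = _fold(_org_label(known))
            # Short labels get a tighter edit-distance budget to limit false hits.
            budget = 1 if len(k_label) <= 6 else 2
            if k_label in d_label or _levenshtein(d_label, k_label) <= budget:
                return "lookalike"
    return "unknown"


def bic_country(bic: str) -> str:
    """The ISO 3166 country code is characters 5-6 of an 8- or 11-character BIC."""
    return bic.upper()[4:6]


def screen_notice(notice: Notice, cp: Counterparty, counterparties) -> list:
    """Return (code, detail) findings. Any finding means: confirm the details
    with the counterparty through a channel other than email before paying."""
    findings = []
    verdict = classify_sender_domain(notice.sender_domain, counterparties)
    if verdict != "trusted":
        findings.append((f"SENDER_{verdict.upper()}",
                         f"{notice.sender_domain} is not a known domain of {cp.name}"))
    if (notice.bic, notice.account) != (cp.bic_on_file, cp.account_on_file):
        findings.append(("BENEFICIARY_CHANGED",
                         f"on file {cp.bic_on_file}/{cp.account_on_file}, "
                         f"notice {notice.bic}/{notice.account}"))
    if bic_country(notice.bic) != bic_country(cp.bic_on_file):
        findings.append(("BANK_COUNTRY_MISMATCH",
                         f"{bic_country(cp.bic_on_file)} on file, "
                         f"{bic_country(notice.bic)} in notice"))
    return findings


# Constructed sample data mirroring the shape of the incident (not real values).
LOLC = Counterparty("LOLC Plc", frozenset({"lolc.example"}), "XXXXKHXX", "KH-CONSTRUCTED-0001")
COUNTERPARTIES = [LOLC]
ORIGINAL_NOTICE = Notice("lolc.example", "XXXXKHXX", "KH-CONSTRUCTED-0001")    # 25.02: as on file
AMENDED_NOTICE = Notice("lolc.example", "XXXXKHYY", "KH-CONSTRUCTED-0002")     # 10.03: genuine change
FRAUDULENT_NOTICE = Notice("lo1c.example", "XXXXMXXX", "MX-CONSTRUCTED-0003")  # 10.03: lookalike domain

if __name__ == "__main__":
    for label, n in [("original", ORIGINAL_NOTICE), ("amended", AMENDED_NOTICE),
                     ("fraudulent", FRAUDULENT_NOTICE)]:
        print(label, screen_notice(n, LOLC, COUNTERPARTIES) or "no findings")
```

Note that the genuine 10 March amendment from LOLC is also flagged (BENEFICIARY_CHANGED). That is intended: a finding does not assert fraud, it says the details must be confirmed with the counterparty through a channel other than email before the instruction is signed off, which is exactly the check that exposed the First Finance attempt on 24 April.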

In the past few years, the cyber threat landscape has undergone significant changes. Tools, techniques and capabilities that were previously exclusively available to highly resourceful threat actors have not only become easily accessible to less-skilled threat actors, but have also become easier to use. While substantial in terms of the financial loss incurred by Norfund, the LOLC incident was by no means exceptional.

The Business Email Compromise (BEC) scam that was used against Norfund is a technique leveraged by financially motivated threat actors, who use email to impersonate business executives or other employees to request fraudulent payments. The actors often pay “runners” to open legitimate bank accounts that are used to receive the money from the fraudulent transactions. Banks located in China and Hong Kong have been the primary destinations of fraudulent funds, but recently there has been an increase in fraudulent transfers sent to the United Kingdom, Mexico, and Turkey.

According to the FBI’s statistics, losses from Business Email Compromise (BEC) scams have increased every year since 2013. BEC scams have been reported in 177 countries. In the past three years (June 2016 - July 2019), 166 349 domestic and international incidents related to Business Email Compromise have been reported.

The total loss related to these incidents amounted to USD 26.2 billion². Small and medium-size organizations, or those with limited IT resources, are most vulnerable to BEC scams because of the costs of robust cyber defence.

In Norfund’s case, the threat actor leveraged relatively simple techniques in terms of circumventing existing IT security controls. PwC found no signs of malicious software being used. At the time of the incident, Norfund was in the process of, but had not completed, implementing additional IT security controls that could have helped detect the breach.

At the same time, PwC’s assessment is that the fraud was carried out by a resourceful and highly motivated threat actor who had an in-depth knowledge of financial transactions, and access to a global payment infrastructure. After seven months of eavesdropping on Norfund’s communications, the threat actor likely had extensive knowledge of Norfund’s operations, and was able to successfully manipulate communication between Norfund and its clients. The combination of the threat actor’s technical capabilities and understanding of Norfund’s communication with the clients made the fraud sophisticated and difficult to detect.

PwC has not identified any singular control failure as the root cause of the incident, which can be described as a normal accident³. Charles Perrow defines this as an “unanticipated interaction of multiple failures” in a complex system. In hindsight, the reasons why such accidents occur may be obvious. However, they are challenging to predict due to the number of actions and pathways that may lead up to them. James Reason expands on the phenomenon in his “Swiss Cheese Model”⁴. Reason argues that although an organization may have adopted a defence-in-depth approach to their control design, they may still be penetrated due to active failures, latent conditions, as well as the trajectory of the incident itself. According to good practice, several control layers can provide resilience that prevents an unwanted outcome in the event a single key control should fail. In Norfund’s case, however, a chain of unfortunate events, insufficient controls, and human error all contributed to the incident.

² Federal Bureau of Investigation, “Business Email Compromise the $26 billion scam”. Retrieved from: https://www.ic3.gov/media/2019/190910.aspx
³ Perrow, Charles (1984 & 1999). “Normal Accidents: Living with High-Risk Technologies”, Princeton University Press, 1999.
⁴ Reason, James (2000), “Human error: models and management”, British Medical Journal. Retrieved from: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1117770/ (17.06.2020)

2.2 Timeline

27.09.2019: A threat actor successfully compromises an employee’s email, likely via phishing.

11.2019 - 01.2020: The threat actor uses the employee’s email to monitor correspondence between Norfund and its clients. During this period, automated alerts are sent from Microsoft to Norfund and IT Onsite.

20.02.2020: The loan agreement between Norfund and the Cambodian financial institution LOLC Plc is signed.

25.02.2020: LOLC sends Norfund the original disbursement notice, containing the bank account details at Sathapana Bank Plc in Cambodia, and two correspondent/intermediary banks. LOLC requests the payment to be made on 16 March 2020.

09.03.2020: Norfund inquires about the reason for using two correspondent/intermediary banks and requests confirmation of the number of correspondent/intermediary banks and of the bank account details, in the agreed format of the disbursement notice.

10.03.2020, 5:19 AM (UTC+7): LOLC explains the reason for using two correspondent/intermediary banks, but suggests amending the bank account details from Sathapana Bank Plc to Foreign Trade Bank of Cambodia. According to LOLC, this would simplify the transfer and require only one correspondent bank to process the transaction. LOLC sends Norfund an updated disbursement notice.

On the same day, the threat actor registers a fake domain masquerading as LOLC. This domain is used to send fake messages to Norfund impersonating LOLC’s executives.

10.03.2020, 9:49 AM (UTC+7): The threat actor, impersonating LOLC’s executive, sends an email to Norfund explaining that Foreign Trade Bank of Cambodia will also require two correspondent/intermediary banks to process the transaction. The threat actor apologizes for the confusion and suggests that the easiest way to transfer the funds would be to amend the bank account details to Banco Mercantil del Norte, Mexico.

The threat actor manipulates the disbursement notice template, which was likely intercepted in the earlier email correspondence, and sends Norfund an updated disbursement notice.

16.03.2020: The payment is executed, sending USD 9 888 055 to a bank account controlled by the threat actor.

On the same day, the threat actor, impersonating a Norfund employee, sends an email to LOLC explaining that the payment will be delayed due to COVID-19.

26.03.2020: LOLC informs Norfund’s Project Manager, likely by phone, that the funds have not been received. The Project Manager asks Back Office to investigate the transaction. Back Office sends LOLC a SWIFT message confirming the transaction. This message is likely intercepted by the threat actor.

31.03.2020: LOLC contacts Norfund’s Project Manager again, by WhatsApp, requesting confirmation of the transaction. On the same day, the threat actor, impersonating a Norfund employee, sends an email to LOLC explaining that the payment was most likely held by the intermediary bank and has to be re-processed.

01.04.2020: The threat actor, impersonating LOLC’s executive, sends an email to Norfund confirming that the funds have been received. Norfund informs DNB that the funds have been received by the client and that no further investigation is needed.

07-09.04.2020: The threat actor, impersonating a Norfund employee, sends emails to LOLC convincing them that Norfund is investigating the transaction.

16.04.2020: LOLC informs Norfund that the funds still have not been received.

17.04.2020: Norfund requests confirmation of the transaction from DNB.

24.04.2020: Norfund receives confirmation of the transaction from DNB and forwards it to LOLC.

On the same day, a Project Manager working on a transaction between Norfund and another Cambodian client, First Finance, becomes suspicious when First Finance changes the bank account details to Banco Mercantil del Norte, Mexico. The Project Manager requests confirmation of the bank account details from First Finance.

29.04.2020: First Finance sends an email to Norfund’s Project Manager stating that the bank account in Banco Mercantil del Norte does not belong to them.

30.04.2020: Following the investigation of the transaction with the beneficiary bank, LOLC sends an email to Norfund stating that the bank account in Banco Mercantil del Norte does not belong to LOLC.

Norfund connects the fraud attempt in the First Finance case with the transfer to LOLC, immediately notifies its bank, DNB, stops all outbound payments, and starts an internal investigation.

3. Payment process

3.1 Norfund has established appropriate segregation of duties in the payment process, but should improve procedures to ensure a better handover from the Investment departments to the Finance department

3.1.1 Factual findings

Norfund has put in place segregation of duties between Front Office and Back Office functions. Finance and Back Office employees are independent of the Investment departments, where deal execution takes place. From the interviews with Norfund’s staff, PwC learned that employees in the Investment departments are not authorized to make payments related to investment projects. All settlements in the investment projects are processed by the Back Office and executed by an external accountant, NRP Procurator. Regional offices are authorized to make payments related to local operating expenses, such as rentals and wages.

The Investment departments are responsible for sourcing new deals, negotiating commercial terms, drafting and signing contracts and performing due diligence of the investee. The Investment departments also collect payment information from the investee as part of the investment agreement. The Finance department is responsible for transaction management once the investment has been activated and funds have been requested by the investee.

With regard to the payment process, PwC observed that the responsibilities are divided between the Investment departments and the Finance department. The Project Manager in the relevant Investment department is responsible for collecting payment information from the investee and signing off on the payment instruction. The Head of the Finance department and the EVP of the relevant Investment department are both responsible for reviewing and signing off on payment instructions. The Back Office controls the payment instruction and sends an execution order to NRP Procurator.

3.1.2 PwC’s assessment and recommendations

In PwC’s opinion the established segregation of duties between Front Office and Back Office is appropriate and reduces the risk of internal fraud. However, PwC observed that the division of responsibility for control activities between the departments is somewhat unclear. In particular, there are varying expectations as to who should be responsible for ensuring that the payment information provided by the investee is correct. Better coordination across functions and an improved handover from the Investment departments to the Finance department would reduce each department’s reliance on controls performed by the other. It is also likely to reduce duplication of effort, improve the allocation of internal resources to control activities, and reduce the risk of operational errors and external fraud.

Norfund should improve the format and methods used to transfer relevant knowledge, risk assessments and experience from the investment project team to Back Office employees. Such methods might include handover meetings between the project manager, project support and Back Office, and involving and introducing Back Office to the investee at an earlier stage of the investment process. We also recommend reviewing the control design in the payment process and clarifying who should be responsible for performing each control activity.

3.2 Norfund has established clear procedures in the payment process, but these procedures were insufficient to prevent external fraud

3.2.1 Factual findings

In the interviews with Norfund’s employees PwC learned that the payment process is initiated during the final phase of the investment process. The project manager collects payment information from the investee in a pre-defined disbursement notice template, fills in Norfund’s payment instruction, performs CP controls and sends the payment instruction to the Finance department. The payment instruction is controlled and signed off by the EVP of the relevant Investment department and the CFRO, and further controlled by Back Office. Back Office sends the payment instruction to NRP Procurator, who checks the power of attorney and executes the payment.

Most international payments from Norfund are processed by the company’s corporate bank, DNB Bank ASA (hereafter referred to as “DNB”). During interviews with DNB, the bank’s representatives stated that they rely on the payment information entered by the client in the online bank and expect Norfund to have a streamlined payment process and internal controls that ensure that the payment information is correct.

Norfund operates in several countries associated with a high risk of corruption and money laundering and has implemented internal KYC procedures5 to mitigate the risk of corruption, money laundering and/or conflicts of interest. PwC observed that DNB has ongoing communication with Norfund with respect to transactions to countries that might be subject to economic sanctions. PwC does not have any information indicating that the transaction with LOLC represented a high risk in terms of country risk. Neither have we identified any communication between DNB and Norfund about the risks of the payment to LOLC prior to the transaction.

Interviews with DNB and Norfund’s employees confirmed that payment transactions where the country of the beneficiary bank differs from the country of the investee are not uncommon in Norfund’s operations. We do not have any evidence suggesting that an automated control could have identified the fraud based on the country of the beneficiary bank alone. However, some of the interviewees suggested that the fraud might have been identified earlier if the controlling functions had been aware of LOLC’s legal structure and of the fact that the investee does not have operations in Mexico.

5 Know Your Customer (KYC) refers to a set of procedures aimed at verifying the identity, suitability and risks involved with a customer relationship.

3.2.2 PwC’s assessment and recommendations

The employees PwC interviewed demonstrated good knowledge of their responsibilities and authorization levels in the payment process. The disbursement control procedures are clear and well documented in pre-defined templates. The control procedures are designed to prevent operational errors and internal fraud, but can be further improved to prevent external fraud. For example, the controls of the payment instruction in the Investment departments and the Finance department check the same information several times, but none of them performs an external verification of the bank details in the disbursement notice. In PwC’s opinion this appears ineffective and does not sufficiently address all the risks in the payment process. Furthermore, we assess that repetitive control procedures might lead to a false sense of reduced risk: working under the assumption that others have already performed the same control might reduce the accountability and responsibility of the controlling function.

Based on the findings and discussions with Norfund’s employees we recommend that Norfund assess whether the control activities in the payment process are adequate and effective to prevent external fraud. We also recommend that employees working with payments receive further training in international payment processes and systems to ensure an adequate understanding of the risks involved and of the control mechanisms available.

3.3 Norfund relies on manual processing of disbursement documentation and payments, but would benefit from system support to simplify and streamline controls

3.3.1 Factual findings

In interviews with Norfund and NRP Procurator, PwC learned that most of the payment process is performed manually. The disbursement notice is received by email and manually transferred to the payment instruction. Payment information is transferred from Front Office to Back Office and on to settlement either by email or as a paper copy. Sign-off procedures are also highly manual and require additional controls to ensure that the payment information has not been altered in the process. Furthermore, processed payments, both inbound and outbound, are entered manually in the portfolio system and in the general ledger system to keep track of portfolio performance and financial reporting.

To our understanding, Norfund does not have a designated settlement system in which the original payment information can be stored, reused across multiple payments, and checked against in case of changes to bank account details.

3.3.2 PwC’s assessment and recommendations

Email is the main tool for communication and distribution of information in the payment process, and employees carry out manual tasks that could have been automated with proper system support. We have not found evidence that manual payment processing contributed to the LOLC incident, but reliance on manual processes and the lack of automated solutions result in time-consuming operations and increase the risk of human error. Manual operations and the lack of integration between the portfolio management system, the general ledger and the online bank also require time-consuming reconciliations between the systems to ensure that transactions are properly recorded across all applications.

We recommend that Norfund assess its manual processes with regard to their effectiveness and their impact on operational risk. In addition, based on our knowledge of best practice, we believe that a system for managing master data with the original payment information helps prevent unauthorized changes to bank account details: a disbursement notice that deviates from the stored record becomes a visible event that has to be verified with the investee through a channel other than the email that carried the notice. It is our understanding that, following the LOLC incident, Norfund has taken measures to establish payment master data to ensure efficient controls in the payment process.

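The control discussed in 3.2.2 (external verification of bank details) and 3.3.2 (master data holding the original payment information) can be made concrete. The block below is an added example written for this edit; it is not code from Norfund, NRP Procurator or PwC. The investee, accounts, BICs, operating countries and callback number are constructed, and the master-record layout is an assumption. It compares a disbursement notice against the verified record, flags a changed account, a changed bank, or a bank in a country where the investee has no operations (the Mexico situation described above), and holds the instruction for callback verification using a number taken from the signed agreement rather than from the email.

```python
"""Beneficiary master-data control for an outgoing disbursement.

Added example; not Norfund's, NRP Procurator's or PwC's code. It assumes
one master record per investee holding the bank details verified
out-of-band when the investment agreement was signed, plus the countries
in which the investee actually operates. All sample data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BankDetails:
    account: str       # IBAN or local account number as written on the notice
    bic: str           # SWIFT/BIC of the beneficiary bank
    bank_country: str  # ISO 3166-1 alpha-2 of the beneficiary bank


@dataclass(frozen=True)
class MasterRecord:
    investee: str
    operating_countries: frozenset  # where the investee has operations
    verified: BankDetails           # details confirmed out-of-band at signing
    callback_phone: str             # contact from the signed agreement, not from email


def _norm(value: str) -> str:
    """Strip whitespace and case so '0012 3456' and '00123456' compare equal."""
    return "".join(value.split()).upper()


def check_disbursement(master: dict, investee: str, requested: BankDetails) -> list:
    """Compare a disbursement notice against master data.

    Returns a list of findings; an empty list means the notice matches the
    verified record and the bank sits in a country where the investee operates.
    """
    findings = []
    record = master.get(investee)
    if record is None:
        return ["NO_MASTER_RECORD: first payment, verify details out-of-band before release"]
    if _norm(requested.account) != _norm(record.verified.account):
        findings.append("ACCOUNT_CHANGED: account differs from verified master record")
    if _norm(requested.bic) != _norm(record.verified.bic):
        findings.append("BIC_CHANGED: beneficiary bank differs from verified master record")
    if requested.bank_country.upper() not in record.operating_countries:
        findings.append(
            f"COUNTRY_MISMATCH: bank in {requested.bank_country} but investee "
            f"operates in {sorted(record.operating_countries)}"
        )
    return findings


def decide(master: dict, investee: str, requested: BankDetails) -> str:
    """RELEASE when nothing deviates; otherwise HOLD for callback verification.

    The callback number comes from the master record, never from the email
    that carried the notice, so an attacker who controls the mailbox cannot
    also control the verification channel.
    """
    findings = check_disbursement(master, investee, requested)
    if not findings:
        return "RELEASE"
    record = master.get(investee)
    phone = record.callback_phone if record else "<obtain from signed agreement>"
    return "HOLD: call " + phone + " and confirm: " + "; ".join(findings)


# Constructed sample data (hypothetical investee, accounts, BICs and countries).
MASTER = {
    "Example Microfinance Ltd": MasterRecord(
        investee="Example Microfinance Ltd",
        operating_countries=frozenset({"LK", "KH"}),
        verified=BankDetails("0012 3456 7890", "EXAMLKLX", "LK"),
        callback_phone="+94 11 000 0000",
    )
}

# Notice as originally agreed: matches the record, bank in an operating country.
ORIGINAL_NOTICE = BankDetails("001234567890", "examlklx", "LK")
# Notice "updated" by email after a mailbox compromise: new bank, new account,
# bank located in a country where the investee has no operations.
ALTERED_NOTICE = BankDetails("9988776655", "ALTRMXMM", "MX")

if __name__ == "__main__":
    print(decide(MASTER, "Example Microfinance Ltd", ORIGINAL_NOTICE))
    print(decide(MASTER, "Example Microfinance Ltd", ALTERED_NOTICE))
```

The point of the design is that every control is a comparison against data captured before the email channel could be tampered with; the repeated same-information checks described in 3.2.2 cannot detect a changed account because each of them reads the same altered notice.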
4. IT

4.1 Norfund has outsourced IT, but did not retain sufficient expertise to effectively manage their service provider

4.1.1 Factual findings

In the past two decades, Norfund’s organization has grown both in the number of employees and in the assets they manage. Norfund has previously not had full-time employees working exclusively with IT. Various IT roles and responsibilities have been distributed among staff members who have other functions. To illustrate, the responsibilities for managing the service agreement and its deliverables are handled by two employees in the HR and Finance departments. Neither of these individuals has IT as their core competency. Norfund has outsourced a local IT helpdesk function, commonly referred to as “IT Onsite”. This function provides employees with first-line IT support (e.g. onboarding of new users, ordering new computers, distributing software licenses, managing the meeting room booking system, and supporting infrastructure). In the past nine years, this position has been filled by 14 different consultants from Visolit, other third parties and, most recently, IT Consult AS.

Norfund Management’s approach to IT has been to outsource and procure services from a professional vendor. By outsourcing IT operations, Norfund has tasked an external vendor with the responsibilities that would otherwise have been carried out by an internal IT department. In interviews, PwC learned that Management expected the external vendor to provide guidance on Norfund’s needs and to be proactive in offering professional advice and/or services. On the other hand, in interviews with Norfund’s IT support and service providers, Visolit’s and IT Consult’s expectation was that Norfund should have a clear understanding of its own needs and provide a clear description of the required service and security level.

IT services are outsourced to an external vendor. Since 2010, Norfund has used Visolit6 as its IT service provider. The contract has been automatically renewed at one-year intervals since 2014. PwC’s review of the documentation related to the contractual agreement between Visolit and Norfund showed that the cooperation between the parties has mostly taken the form of regular service review meetings to discuss the status of ongoing initiatives and changes to the contract’s agreed-upon deliverables. Norfund’s Management planned an evaluation of IT services in 2020. The minutes from the Management meetings in December 2019 that PwC has reviewed show that Management was concerned that the company’s growth and increased complexity demanded a full assessment of the organization’s IT needs. Management also decided to hire an IT Architect to strengthen capabilities and centralize the responsibility for IT. This process did not produce qualified applicants. In February 2020, Norfund tried again using an external recruitment agency, with the position renamed Operational IT Manager, and successfully signed a candidate on 27 April. The start date was originally set for August 2020. However, the individual was engaged as a consultant from 18 May until he officially starts in the position in August. The expedited onboarding was a consequence of the LOLC incident: Management decided it would be beneficial to have him oversee the ongoing improvement initiatives.

6 Visolit is the trade name adopted by TeleComputing AS in January 2019.

4.1.2 PwC’s assessment and recommendations

Norfund operates in several countries and relies on efficient IT solutions to enable cooperation across borders. The organization’s size and strategic focus on investments make it well suited for outsourcing of non-core functions. Norfund does not have the resources to independently design, implement and operate an IT infrastructure that suits its needs, and this is not to be expected given the size and nature of the organization. In outsourcing arrangements, clients often expect vendors to anticipate the client’s needs and provide advice regarding services. At the same time, vendors often expect clients to have a professional opinion on which services are best suited. In PwC’s opinion, the lack of dedicated resources and of continuous monitoring of the relationship with vendors has contributed to an expectation gap between Norfund and its IT service providers.

IT is one of the most commonly outsourced functions, as it allows companies to reduce costs, achieve greater flexibility and efficiency, and gain access to expertise and technology. However, it requires the outsourcing company to retain sufficient resources to control and challenge the quality and performance of the outsourced functions. In PwC’s opinion, Norfund did not have sufficient resources with in-depth IT knowledge or internal IT governance capabilities to effectively manage its IT service provider.

Increased reliance on the IT service provider may affect Norfund’s ability to manage its operational risk. Norfund’s dependence on IT service providers should have triggered an IT security risk assessment and subsequent mitigation actions.

It is PwC’s understanding that Norfund has started work on improving its IT governance, including steps to perform a complete assessment of the IT infrastructure and review the requirements placed on the external IT service provider. In PwC’s opinion it is positive that Norfund has strengthened its internal IT resources. Going forward, we recommend that Norfund regularly evaluate the quality and performance of the outsourced IT functions, and ensure sufficient internal resources to monitor and manage the IT service provider.

4.2 The division of roles and responsibilities for handling security incidents between Norfund and their IT service providers was unclear

4.2.1 Factual findings

The question of who is responsible for handling security incidents is central to the email compromise that led to the LOLC incident. PwC reviewed the contractual agreement with Visolit, dated 21 June 2010, the agreement with IT Consult, dated 18 December 2019, and an instruction to first-line IT support dated April 2013. PwC did not find any documented description of roles and responsibilities for the handling of security incidents such as phishing.

During 2019 and leading up to the incident in 2020, Norfund received several alerts of suspicious activity and confirmed compromises of several email accounts. Three of the alerts related to the email account that was targeted in the LOLC incident. The alerts came as emails automatically generated by Norfund’s Microsoft (Office) 365 tenant and were sent to a Norfund employee and to IT Onsite. In interviews, it was stated that the alerting function from Microsoft was enabled in November 2018. Initially, the alerts were sent exclusively to a Norfund employee, and the established practice was for that employee to forward the alerts to IT Onsite. In January 2019, the configuration was changed so that the alerts were sent directly to IT Onsite. In our review, PwC has not been able to determine a consistent practice for alert handling by IT Onsite, but the documentation provided to us suggests that the first two low-severity alerts from Microsoft were not forwarded to Visolit.

On 3 January 2020, an automatic security mechanism in Microsoft Office 365 locked the employee’s account due to suspicious activity. The high-severity alert was sent to a Norfund employee and IT Onsite, and stated:

“[the employee] has been restricted from sending messages outside the organization due to potential compromised activity”.

The employee did not receive the alert, but notified IT Onsite via Skype that his/her account had been locked. When attempting to send emails, the employee had received the following message, which he/she forwarded to IT Onsite:

“Your message couldn't be delivered because you weren't recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it's no longer allowed to send email. Contact your email admin for assistance”.

On 6 January, IT Onsite forwarded the email alert and the Skype correspondence with the employee to Visolit, and asked Visolit to look into the incident.

Visolit requested an update from the employee, asking if he/she still had trouble sending email. The employee responded the same day and stated that the issue had been resolved. PwC did not, however, find any documentation of whether Visolit investigated the root cause of the incident, or of what actions were taken to resolve it. The documentation provided to us shows that the email account was re-opened on 6 January, and that the ticket in Visolit’s Incident Management System, which was categorized as high priority, was resolved on 7 January. We were not able to confirm who actually re-opened the email account.

4.2.2 PwC’s assessment and recommendations

It is PwC’s opinion that the unclear division of roles and responsibilities, and the outdated procedural documents, between Norfund, IT Onsite and Visolit resulted in inconsistent and inadequate handling of security incidents. We believe this likely contributed to the LOLC incident.

In PwC’s opinion, the first two alerts from Microsoft regarding the email compromise did not receive sufficient attention. Regarding the third alert, where the employee’s account was locked, we assess that the employee did what can reasonably be expected by notifying IT Onsite. In this case, IT Onsite passed the information from the employee along with the Microsoft alert to Visolit. The request to Visolit did not specifically ask for a root cause analysis. Regarding Visolit’s handling of the request, PwC’s opinion is that Visolit did not show the level of initiative Norfund expected with regard to identifying the underlying cause. A sending restriction of this kind is imposed because the account has already been observed sending suspicious mail; lifting it without resetting the credentials, revoking active sessions and reviewing the mailbox for attacker-created forwarding or inbox rules leaves any existing unauthorized access in place.

Moving forward, PwC recommends that Norfund review and update the roles and responsibilities between itself and its service providers to ensure that security incidents are handled efficiently.

4.3 Norfund’s IT security posture and key controls should be aligned with the threat landscape

4.3.1 Factual findings

In the summer of 2018, one of Norfund’s borrowers, Alios, suffered an incident which appears similar to the LOLC incident. In that incident, a threat actor infiltrated the communication between Alios and Norfund and manipulated Alios into making a payment to an account under the threat actor’s control. Following this incident, Norfund conducted an internal investigation in cooperation with third parties. It is PwC’s understanding that, based on a workshop with an external adviser and Visolit in July 2018, Norfund considered eight measures to strengthen IT security:

• Sender Policy Framework (SPF): a policy published in DNS that lets receiving mail servers reject messages claiming to come from Norfund’s domain but sent from servers Norfund has not authorized. It reduces the risk of third parties impersonating Norfund’s own domain, but does not cover lookalike domains registered by an attacker.

• TC Secure Email: an email service from Visolit that would protect email content using encryption.

• Transport Layer Security (TLS): a protocol that would be used to encrypt email traffic in transit between mail servers.

• Microsoft Azure Information Protection and Rights Management: functionality that could be used to control access rights to documents and information.

• Data Loss Prevention: functionality that could prevent accidental or intended disclosure of information.

• Multi-factor authentication (MFA): functionality that requires the user who attempts to log in to prove possession of a second authentication factor (typically a phone or app) in addition to the password, so that a stolen password alone is not enough.

• Domain registration monitoring: a service that would send alerts when a third party registers a domain that matches or otherwise resembles Norfund’s name.

• Awareness training for employees and partners.

After consulting with external experts and Visolit, Norfund decided to migrate from on-premises Microsoft Exchange to Office 365 and to implement three of the aforementioned measures, and sent a change request to Visolit on 29 August 2018. For the sake of Norfund’s security, this report does not disclose the details of the change request.

Based on our interviews with Norfund and Visolit, and the documentation provided by Norfund, PwC observed that Norfund and Visolit held two status meetings in 2019, on 9 January and 6 August. The meeting notes do not contain any information about the change request Norfund placed in August 2018. During PwC’s incident response support to Norfund, we found that several measures ordered by Norfund in August 2018 were not implemented at the time of the LOLC incident.

PwC has not found evidence of discussions between Norfund and Visolit regarding the potential risks of delayed implementation of the aforementioned security controls. PwC has found limited documentation of the correspondence between Norfund and Visolit regarding the execution of the change request. It is PwC’s understanding that the implementation of security controls was initially planned for a test group of pilot users. We found the first request from Visolit to Norfund to establish test users in April 2019, eight months after the initial change request. PwC did not find any evidence that the testing was completed. Norfund requested a status update from Visolit on 23 January 2020. On 26 March, IT Onsite sent a message to all users asking them to register their devices, and the controls were implemented on 7 April 2020.

From our interviews and documentation review, we were not able to identify any particular factor that directly caused the delayed implementation. Some of the interviewees stated that the terrorist attack that affected Norfund’s Nairobi office in January 2019 required resources that reduced their capacity to follow up with Visolit. PwC also learned that Visolit’s project manager resigned around the same time.

Separate from the incident, PwC has found examples of inadequate security practices at Norfund, including improper storage of privileged credentials and sharing of passwords without appropriate measures in place.

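Domain registration monitoring, one of the measures listed in 4.3.1, can be implemented by generating the typosquat and homoglyph variants of the protected domain and matching them against a feed of newly registered names. The block below is an added example, not code from Norfund, Visolit or PwC. The registration feed is constructed for illustration (a real deployment would read certificate transparency logs or a TLD zone-file feed), the homoglyph table and variant rules are assumptions, and only the brand label “norfund” is taken from the report. Beyond the enumerated variants, it also catches single-character insertions through an edit-distance check and names that merely embed the brand in a longer label.

```python
"""Lookalike-domain monitor.

Added example; not code from Norfund, Visolit or PwC. The registration
feed below is constructed for illustration. A real deployment would read
certificate-transparency logs or a TLD zone-file feed instead.
"""

# Characters that look alike in common fonts (assumed table, not exhaustive).
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "d": ["cl"],
    "u": ["v"], "n": ["m", "rn"], "m": ["rn"], "f": ["ph"],
}


def variants(label):
    """Return typosquat variants of a single DNS label (the part before the TLD)."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                    # omission: nrfund
        out.add(label[:i + 1] + label[i] + label[i + 1:])     # repetition: norfundd
        for sub in HOMOGLYPHS.get(label[i], []):              # homoglyph: n0rfund
            out.add(label[:i] + sub + label[i + 1:])
    for i in range(len(label) - 1):                           # transposition: nrofund
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)
    return out


def edit_distance(a, b):
    """Levenshtein distance; catches insertions the generator above does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(fqdn, brand_label, generated):
    """Explain why a registered name resembles the brand, or return None."""
    labels = fqdn.lower().rstrip(".").split(".")
    for label in labels[:-1]:                 # every label except the TLD
        if label == brand_label:
            return "brand-label-other-tld"    # norfund.com, mail.norfund.co
        if label in generated:
            return "generated-variant"        # n0rfund.com, norfundd.com
        if edit_distance(label, brand_label) <= 1:
            return "edit-distance-1"          # nordfund.no
        if brand_label in label:
            return "contains-brand"           # norfund-finance.net
    return None


def flag_lookalikes(brand, feed, allowlist=()):
    """Map each suspicious name in the feed to the rule that flagged it."""
    brand_label = brand.lower().split(".")[0]
    generated = variants(brand_label)
    allowed = {d.lower() for d in allowlist} | {brand.lower()}
    hits = {}
    for fqdn in feed:
        name = fqdn.lower().rstrip(".")
        if name in allowed:
            continue
        reason = classify(name, brand_label, generated)
        if reason:
            hits[name] = reason
    return hits


# Constructed sample feed of "newly registered" names (not real registrations).
SAMPLE_FEED = [
    "norfund.no",             # the legitimate domain, allowlisted
    "n0rfund.com",            # homoglyph
    "norfundd.com",           # doubled letter
    "nordfund.no",            # inserted letter, not in the generated set
    "norfund-finance.net",    # brand embedded in a longer label
    "norfund.com",            # same label, different TLD
    "unrelated.com",
    "fund.org",
]

if __name__ == "__main__":
    for name, why in sorted(flag_lookalikes("norfund.no", SAMPLE_FEED).items()):
        print(f"{name:24s} {why}")
```

Each hit is a candidate for a block or quarantine rule at the mail gateway and for a warning to the payment team; SPF on Norfund’s own domain gives no protection against mail sent from a lookalike domain the attacker controls, which is why this monitoring is listed as a separate measure.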
4.3.2 PwC’s assessment and recommendations

Since Norfund entered into its IT service agreement with Visolit in 2010, the cyber threat landscape has undergone significant changes. Tools, techniques and capabilities that were previously available only to highly resourceful threat actors have not only become easily accessible to less-skilled threat actors, but have also become easier to use.

The LOLC incident was made possible by a technique commonly referred to as Business Email Compromise (BEC)7. BEC has affected hundreds of thousands of businesses worldwide for several years, inflicting damages in the tens of billions (USD). Furthermore, several other Norwegian organizations have fallen victim to similar frauds, many of which have been highlighted in the news media. It is PwC’s view that these types of incidents are well known, and that many of the aforementioned controls reduce the risk of BEC-related fraud.

PwC’s assessment is that Norfund has a strong commitment to change and sets an appropriate “tone at the top”. It is PwC’s opinion that following the Alios incident, Norfund conducted a thorough assessment and identified appropriate measures to improve IT security. However, there is a need to improve capabilities to ensure that identified measures are implemented in a timely manner. In the case of the Alios incident, the delayed implementation of security controls in Office 365 was not followed up adequately. The fact that it took almost two years to implement some of the security controls raises the question of whether Norfund should have allocated more resources to manage the implementation of the changes, and whether Visolit should have taken more initiative in offering advice, helping Norfund understand the risks involved, and driving the implementation.

Migrating to Microsoft Office 365 without key IT security controls in place resulted in Norfund’s IT security posture not being aligned with its threat profile. It is PwC’s opinion that when the threat actor compromised Norfund’s email accounts in 2019 and 2020, these weaknesses were exploited and contributed to the LOLC incident. Without detailed knowledge of the threat actor’s capabilities, we cannot conclude whether the security controls would have prevented the fraud or simply forced the threat actor to use other tools and methods.

PwC has been informed that Norfund has started a Security Uplift initiative, which aims to mitigate the IT security vulnerabilities exposed during the LOLC incident. To strengthen the initiative, we recommend that Norfund conduct an IT security risk assessment covering the following aspects:

• Identifying their “crown jewels”, i.e. the IT and information assets they cannot afford to lose.

• Further assessing their vulnerabilities, i.e. weaknesses and flaws with regard to their IT organization, processes, and technologies.

• Assessing threat actors and scenarios, i.e. determining what is most likely to negatively affect their business.

We also point out that it is crucial that the initiative allocates sufficient resources to ensure that identified security controls are implemented in a timely manner.

7 Federal Bureau of Investigation, “Business Email Compromise”, retrieved from: https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise

5. Governance

5.1 There is a need to improve the approach and formal governance structure for operational risk management as a part of Norfund’s risk management framework

“Operational risk can be defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” - Basel Framework, Basel Committee on Banking Supervision

5.1.1 Factual findings

Norfund’s objective is defined by the Norfund Act of 1997. The Act states that “The purpose of the Norwegian Investment Fund for developing countries (NORFUND) is to assist in developing sustainable business and industry in developing countries by providing equity capital and other risk capital, and/or by furnishing loans or guarantees. The object is to establish viable, profitable undertakings that would not otherwise be initiated because of the high risk involved.”

Norfund operates in several developing countries subject to high financial, legal, political and security risk. In interviews with Norfund’s management and Board of Directors PwC has learned that managing the financial and non-financial risks inherent in Norfund’s investments has been a high priority. Norfund’s risk management is aligned with the vital risks identified by the Board and management. The Board of Directors has established policies for business integrity, financial risk management, IT use, partner risk assessment, health and security, and ethical guidelines. Key risk information is presented in an annual risk report, which gives management and the Board of Directors a high-level overview of the financial risks in Norfund’s portfolio. The report is also used by management to discuss and prioritize efforts based on its findings. The Board annually reviews the results of the internal control and compliance tests, and approves the annual compliance plan. PwC has also learned that in 2020 Norfund established a Risk and Audit Committee to strengthen the Board’s oversight of risk management and internal control. An internal audit function will also be established to strengthen the third line of defence going forward.

With regard to operational risk, it has been stated that the risk is present in all parts of the organization. The responsibility for operational risk management is divided between departments, and there is a general assumption that employees at all levels have a responsibility to identify, monitor and manage operational risk. Operational risks related to outsourced activities, e.g. IT services, are generally expected to be handled by the external providers. Also, change management and the implementation of measures identified after previous incidents took longer than expected due to a lack of dedicated resources.


5.1.2 PwC’s assessment and recommendations

There are numerous potential threats that might threaten Norfund’s operational resilience. These threats have become more complex during a period of growth, geographic expansion, technological change and in an increasingly hostile cyber environment. Outsourcing of important activities might also add to the level of operational risk if not managed properly.

Based on the interviews with the Board of Directors and Management, it is PwC’s opinion that operational risk management has to some extent been driven in response to particular incidents, such as attempts at external fraud and the terrorist attacks in Nairobi. With regard to past incidents, we consider Norfund’s risk culture to be open and focused on learning. Major incidents are reported to Management and the Board of Directors, thoroughly assessed, and result in a list of actions aimed at preventing such incidents in the future. We assess that Norfund takes adequate actions to identify and understand the risks at the Board and Management level, with a clear “tone at the top”. Management also maintains a continuous focus on risks related to the increasing complexity of the operations and defines proper risk-mitigating measures. However, there is room for improvement towards a more structured approach to operational risk management. PwC has also observed that Norfund’s implementation capabilities, i.e. the ability to put policies into action and to effectively control IT vendors’ capability to implement required changes, should be strengthened.

In order to be able to respond to, recover from and learn from operational disruptions, Norfund’s risk management should cover all types of risk, including operational risk. Based on the COSO framework for governance and internal control, which, in our understanding, is already implemented in several other aspects of risk management in Norfund, we believe that operational risk management should include the following aspects:

Control environment

Norfund should consider further clarifying the governance structure, the role of management, and accountability in the operational risk management process. We understand this is part of the ongoing work on the compliance framework in Norfund.

Risk assessment

Management should consider potential vulnerabilities and worst-case scenarios that might occur in Norfund’s operations. Based on the review of Norfund’s risk reports, it is our understanding that the Board and management have assessed several aspects of operational risk, such as those related to terrorist attacks on Norfund’s premises and employees. We also note that there is a Crisis Management Plan in place, as well as systematic training to ensure its implementation. We recommend expanding the risk assessment to cover e.g. cyber attacks, natural disasters, pandemics, external fraud and, last but not least, failures in internal processes and systems.

Control activities

Internal control activities should contribute to mitigating operational risks to an acceptable level. We recommend that Norfund further clarify at what levels of the organization the internal controls should apply, who should be responsible for the controls, and how technology could be used to enable effective controls.

Information and communication

Relevant information captured from internal and external sources supports the functioning of internal controls. Internal communication should be improved to promote the objectives of and responsibilities for internal controls at all organizational levels. PwC’s assessment of internal communication, training and awareness is also described in the next section.

Monitoring and reporting

The results of internal controls related to operational risk should be evaluated to identify inadequate or ineffective activities and to take corrective actions. We recommend that Norfund include operational risk reporting in the annual risk report to ensure that operational risk management is aligned with Norfund’s strategic objectives.


5.2.1 Factual findings

In the interviews with Norfund’s management, PwC learned that changes to the company’s internal control framework, policies and guidelines are suggested by management based on identified needs, internal control findings and/or incident reporting. When necessary, the changes can be suggested by or discussed with employees from operational functions or with external experts. Changes approved by management and the Board of Directors are communicated to the organization in different ways, i.e. published on the intranet and/or communicated during corporate events such as town hall meetings (“Open Quarters”), competence building arenas (“Knowledge Sharing Lunches”) and the annual event, Norfund Week.

Norfund’s internal guidelines for the investment process were amended in 2018, following the Alios incident. The changes were suggested by the CFRO and approved by management on 13 August 2018. An updated version of the investment manual was published in Norfund’s document management system and made available to the investment department in October 2018. The interviews with Norfund’s management and employees showed different interpretations of how the changes regarding the documentation of payment information were to be implemented. This resulted in deviations in internal control procedures and may have led to a control failure, which contributed to the LOLC fraud. Also, there are indications that the internal documentation system has sometimes been unavailable due to technical problems, and that employees might rely on locally stored documentation and templates instead of using the latest updated version. Some interviewees also pointed out that it might be difficult to identify what changes have been made to the documents.

Onboarding and training of new employees is conducted in Norfund’s New Joiner program and as on-the-job training. HR has developed an onboarding checklist, which includes, among other things, an introduction to Norfund’s Code of Conduct, IT systems, ESG policy, investment manual, handbooks, and presentations of Norfund’s departments. PwC’s review of internal documentation and interviews with employees showed that employees were not required to sign the IT User Policy. Also, the onboarding and training program for new employees did not include IT security training. We understand that, following the LOLC incident, the IT User Policy has been included in Norfund’s Code of Conduct, which is routinely signed by employees each year.

5.2.2 PwC’s assessment and recommendations

Based on a broader discussion with Norfund’s management and employees, and a review of relevant documentation, it is PwC’s opinion that Norfund has established the necessary infrastructure for internal communication and training, both with regard to change management and to the onboarding and training of new employees. In order to ensure that the required information is communicated to all employees and enables them to understand and carry out their responsibilities, we recommend that Norfund:

• Include IT security training and Norfund’s IT User Policy in the onboarding program for new employees

• Review communication channels for changes in internal policies and procedures

• Consider training workshops when rolling out new policies and procedures to ensure that all employees understand the reason for changes and how such changes have to be implemented

5.2 Norfund should strengthen internal communication, training and awareness to ensure that policies are properly implemented throughout the organization


5.3.1 Factual findings

Norfund’s regional offices have a matrix structure and coordinate all investment activities in their geographic regions. There are three investment departments in Oslo: Clean Energy, Financial Institutions, and Scalable Enterprises (which also covers Green Infrastructure), with an EVP responsible for each investment area and for oversight of investment activities across the regional offices. The investment departments and regional offices are responsible for sourcing deals, building the portfolio and ensuring that Norfund’s portfolio grows in line with the objectives defined by the Board of Directors. The investment departments’ responsibilities also include investment-related control activities, e.g. KYC and payments.

The Finance department is responsible for financial controls, which also include control of inbound and outbound payments and disbursement documentation. In 2018, the Finance department’s responsibilities, qualifications, capacity and IT systems were reviewed. Management recognized that portfolio growth and an increased number of transactions required increased capacity in the Finance department. As a result of this assessment, three new employees were hired between 2018 and 2020. Also, the internal organization of the Finance department was adjusted so that its employees could build a better understanding of and affiliation with the business areas in the Investment department. The Legal department constitutes the second line of defence. Norfund decided to establish the position of Chief Legal Officer in 2018 as a result of an increased focus on legal risks and a need to be able to control and monitor the performance of external providers of legal services. A General Counsel was hired in 2019. The Legal department works closely with the Investment department, coordinates cooperation with external legal counsels and advises the Investment department on legal matters related to investment activities. The department is also responsible for the compliance framework.

During the assessment PwC observed that Norfund had put in place additional resources to develop the second line of defence. The responsibility for the implementation and oversight of internal controls is divided between the Legal and Finance departments. Among the company’s goals for 2019 were the strengthening of internal control functions by centralizing them in the Finance department, and the establishment of a satisfactory internal control system. Also, the Legal department should, among other things, define compliance activities, including the performance of compliance controls and the communication and training of the organization on strategic areas decided by the Board. We also observed that parts of Norfund’s Management are involved in control activities as part of day-to-day operations.

The internal control plan for 2019 included control and testing of payment requests for compliance with internal guidelines. We observed that neither the standard controls nor the compliance tests identified the discrepancies in the interpretation of the requirements in the investment manual, which was implemented after the Alios incident in 2018.

5.3 Norfund needs better clarity and segregation of duties in controlling and compliance oversight functions


5.3.2 PwC’s assessment and recommendations

As Norfund has expanded, most controlling activities have remained the responsibility of the Front Office. Based on the interviews with Norfund’s management, PwC understands that the need for a risk controlling/middle office function has been considered. In PwC’s opinion, establishing a dedicated function responsible for quality assurance and proper control of risks related to investments would contribute to a more effective use of Front Office resources and to improved risk management. Such a function should also assist management in the design and development of processes and controls to manage risks, and monitor the adequacy and effectiveness of internal control activities.

Further, in PwC’s opinion the risk of external fraud could have been reduced if the compliance tests had been tailored in line with management’s intentions to improve security in the payment process after the Alios incident. We recommend that Norfund review and further develop its compliance activities and align controls with Norfund’s risk management strategy.


© 2020 PricewaterhouseCoopers AS. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers AS, Advokatfirmaet PricewaterhouseCoopers AS, PricewaterhouseCoopers Accounting AS and PricewaterhouseCoopers Skatterådgivere AS which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

pwc.no
