QJRN/400 Sniffs Out Fraud, One Journal Receiver at a Time
October 7, 2008 Alex Woodie
QJRN/400 from Cilasoft is a database auditing tool for the IBM System i server that relies on the operating system’s extensive journaling function to dig up evidence of malfeasance or fraud by users. Clever System i users will be able to hide their tracks to some extent. But when every little action is tracked and recorded, it’s just a matter of piecing the puzzle together, and that’s where QJRN/400 excels.
Cilasoft was founded 10 years ago in southern France by Guy (pronounced “Gee”) Marmorat, the company’s CEO and technical manager, and the head developer of QJRN/400. At the time, many companies that relied on the iSeries server were concerned about the possibility of fraud by internal users and subsidiaries.
Many of the clients were private banks and other financial services firms, Marmorat says. “Some of them were African companies. Because Africa is–sorry to say–number one in the world for fraud. Big companies asked me to come in and monitor activity of all these people.”
This created an opportunity for QJRN/400, which provides an extensive array of filters, alerts, and reporting mechanisms to automatically track and notify administrators of suspicious transactions or other events. The software enables administrators to receive an alert if QJRN/400’s filters catch anything. Common items to monitor include price lists, authorization lists, transactions greater than a given amount, or countries or users that fall onto a black list.
The alerting function provides customers an element of real-time security, but QJRN/400 can also look into fraud after the fact. The same filters can be used to pour through many gigabytes of past transactions, providing a powerful forensic tool. However, this use of QJRN/400 must be thought out carefully, as loading too many days’ worth of journal receivers can easily fill a server’s hard disks.
Cilasoft estimates that QJRN/400 has saved its 200 customers more than €400,000 (more than $550,000 at current exchange rates) by detecting fraud. Half of this came during one harrying episode at a major brewery in Africa several years ago. The brewery’s managers had become suspicious of certain employees, and hired Marmorat to secretly install QJRN/400 to detect what was going on with the brewery’s AS/400 accounting system.
QJRN/400 ran for three months and uncovered evidence of about €200,000 in fraudulent transactions by a group of 10 employees. Here’s how it worked: The perpetrators would arrange to sell kegs of beer to a group of participating outsiders. Instead of charging them full price, however, the insiders would go into the AS/400 beer keg pricing file, and change the list price by a small amount. Then they would submit an invoice, which would be run against the price list, per the company’s business rules. After running the invoice, they would re-enter the original price on the list before anybody noticed, and collect their fee from the participating beer keg buyers.
The brewery, which processed thousand of invoices every day, was blind to the fraudulent transactions, which represented less than two-tenths of a percent of the total.
“It was impossible to check everything because of the number of transactions,” Marmorat says. “Also the price difference was not enormous, but at the end of the day, it’s big enough.”
The volume and duration of the fraud made it very profitable for the perpetrators. An investigation ensued, and 10 people were convicted and jailed, but not before they threatened to harm Marmorat, who had helped foil their plan and land them behind bars. “Because the amount was so enormous in Africa, they even tried to kill me,” he says.
Not every QJRN/400 installation results in such a clear-cut case of fraud. In some cases, QJRN/400 has discovered bugs and errors in ERP systems. And in recent years, regulatory compliance has provided a new role for QJRN/400. Instead of looking for fraud, the product’s fine-tooth comb can be used to provide a detailed audit trail, thereby satisfying some of the IT-related requirements of Sarbanes-Oxley, HIPAA, 21 CFR Part 11, and assorted other regulations.
Regulatory compliance provided a challenge for QJRN/400, Marmorat says. “The auditors require monthly reports, and it’s impossible to have one month’s receivers online, so I have to extract from the receivers to keep what I want to be the new source of my reports, and then to do my reports,” he says. “This is the difficulty, and we have all this functionality incorporated into the product” to address these challenges, he says.
Cilasoft is currently working on the next major release of QJRN/400. Version 4.11 will feature templates for specific ERP systems, such as JD Edwards and BPCS, thereby enabling customers to get the software up and running more quickly. QJRN/400 4.11 is due to ship in January.
While the South American software market seems a little more receptive to QJRN/400, Marmorat is not giving up on the North American AS/400 market, which has been a challenge for Cilasoft, among many other software companies. The company first broke into the North American market two years ago, but didn’t have the right mix of partners, according to Marmorat. “I think we made a mistake in our strategy,” he says. “Now we have some partners that are very committed, very involved, and deliver a good quality of service in the USA and Canada too, so we are very happy now.”
Cilasoft currently has 10 partners in the U.S. and one in Canada. Marmorat is considering opening an office in the U.S., but the current economic situation has put any plans on hold. For now, the company will likely focus on lower-cost methods of product promotion, such as the recent Webinar on QJRN/400 hosted by Marmorat that turned up some good leads.
QJRN/400 version 4 is available. Pricing is tier-based and ranges from $7,000 for P05 box to $47,000 for a P50 box. For more information, visit www.cilasoft.com.