
TOOLS AND TIPS FOR MINIMIZING RISKS CES WEST DISTRICT

NOVEMBER 29, 2012 1

TOPICS

2

• NCSU Internal Audit: Who are We and How Can We Help?
• Self Assessments: Why Do Them?
• Fraud Awareness and How to Report Suspected Fraud at NCSU
• IT Security Tips
• Questions

HOW CAN WE HELP?

3

• Provide tools for you to assess your offices
• Preparation for future agency or sponsor audits
• Assistance in identifying business & technology risks
• Assistance in potential misuse cases
• Operational and IT audits to improve efficiency and effectiveness
• Recommendations for process improvements

WHAT CAN WE NOT DO?

4

• Assume responsibility or ownership of processes and procedures
• Establish requirements
• Develop or write policies
• Make management decisions

WHY NOT? Maintain independence AND avoid conflicts of interest

CES SELF ASSESSMENT TOOLS

5

http://internalaudit.ncsu.edu/campus-tools/self-assessment-tools/ces/

SELF ASSESSMENTS: WHY DO THEM?

6

Identify risks

Help to avoid potential fraud

Improved CED oversight

Increased awareness of policies and procedures

Identify training needs

Heighten your awareness – especially of “gray areas”

CONDUCTING SELF ASSESSMENTS

7

• Receipt Self Assessment Tool (slide 8)
• Disbursement Self Assessment Tool (slide 9)
• Timesheet Self Assessment Tool (slide 10)
• Contracts and Grants Self Assessment Tool (slide 11)
• Business Practices Self Assessment Tool (slide 12)

RECEIPT PROCESS

Goals
• Keep track of receipts
• Involvement of enough people to limit the potential or perception of misuse
• Sufficient documentation to support compliance with NCSU and County guidelines, as appropriate

How To’s
• Self Assessment Tool
• Monthly Reconciliations
• Online Training Opportunities (Course Handouts and Resources): http://www.fis.ncsu.edu/controller/training/class_resources.asp

8

DISBURSEMENT PROCESS

Goals
• Ensure that money is being spent according to the respective guidelines with sufficient supporting documentation (the 5 W’s)
• Accurately reflect travel expenses, including completing a travel authorization (when applicable)

How To’s
• Self Assessment Tool
• Monthly Reconciliations
• Online Training Opportunities (Course Handouts and Resources):
  – http://www.fis.ncsu.edu/controller/training/class_resources.asp
  – http://www.fis.ncsu.edu/FinTraining/FocusGroup/job_aids/

9

TIMESHEETS AND LEAVE

Goals
• Appropriate review by the supervisor to identify and correct errors that could result in a University violation of the FLSA
• Record all types of leave in the University’s Web Leave System
• Understand the importance of compensatory time: http://www.ncsu.edu/human_resources/hrim/comp_time.php

How To’s
• Self Assessment Tool
• Online Training Opportunities (Supervisor and employee training and guidance): http://www.ncsu.edu/human_resources/classcomp/timerecdefault.php

10

CONTRACTS AND GRANTS

Goals
• Meet sponsors’ requirements and increase preparedness for external audits
• Thorough documentation (always provide the 5 W’s): WHO, WHAT, WHEN, WHERE, and WHY

How To’s
• Self Assessment Tool
• Reconcile contract or grant expenditures just as you would any other account
• Online Training Opportunities:
  – Sponsored Programs and Regulatory Compliance Service (SPARCS): http://www.ncsu.edu/sparcs/training/index.html
  – Contracts and Grants: http://www.ncsu.edu/cng/training/index.php

11

BUSINESS PRACTICES

12

Goals
• Avoid common issues such as not redacting employee information (personal or financial) or the entire purchase card number from Office forms or documentation loaded into the financial system
• Promote an environment of solid controls over business processes to prevent and detect errors

How To’s
• Self Assessment Tool
• Online Training Opportunities: Office of General Counsel “Public Records: Preservation, Release, and Disposition” http://www.ncsu.edu/general_counsel/training/PublicRecordsTutorial.html

FRAUD AWARENESS

13

Occupational Fraud: “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.”

Source: The Association of Certified Fraud Examiners, 2002 Report to the Nations on Occupational Fraud and Abuse

HOW OCCUPATIONAL FRAUD IS COMMITTED

The Fraud Triangle

Source: TheIIA.org 14

PROFILE OF A FRAUDSTER

• Intelligent • Inquisitive • Risk taker • Hard worker • Between 31 and 45 years old • With organization 1-5 years • No criminal history • Most likely in 1 of 6 departments

Who is most likely to commit fraud?

About 80% of the population, given the right combination of opportunity, motive and ability to rationalize the act.

Source: ACFE.com 15

Fraud Reported in Higher Education

• Former Georgia Tech worker gets jail time for mail fraud; pleads guilty to 22 counts (2008)
  – Access to P-cards
  – April 2002 – 2007
  – Bought more than 3,800 personal items, costing over $316,000
  – Created fake receipts, submitted them to the supervisor, and made false entries in the accounting records

Source: http://www.bizjournals.com/atlanta/stories/2008/08/18/daily29.html 16

FRAUD REPORTED IN HIGHER EDUCATION

• Box office and business operation of the UNC Performing Arts series cannot account for $123,500 (2012)
  • Occurred from 2007 to 2011
  • Audit found $121,000 in cash revenue and $2,500 in checks missing
  • The same employee prepared, deposited, and recorded cash from ticket sales
  • Deposits were delayed at times for two or three weeks
  • The SBI is currently investigating; a definitive suspect has not yet been determined

Source: http://www.newsobserver.com/2012/11/13/2481665/unc-audit-uncovers-123500-missing.html

17

Fraud at NCSU

• Fictitious or inflated business/travel expenses

• Employees performing work for personal companies during University work hours

• Use of University funds for personal benefit/purchases

• Theft of University assets
• Use of University resources for personal benefit

WARNING SIGNS, RED FLAGS, AND COMMON INDICATORS

Source: ACFE.com 19

• Illegible receipt • Altered receipt • Substitute receipt • Summary receipt

• “When I get time” • “Will request new receipt” • “Have requested credit” • “Will look into”

• Patterns of “honest errors” • Blames vendor • Blames system • Changes subject

• Missing documents • Lost receipts • Credit card slip only • Order form only • Shipped off campus

Indicator categories: Avoid Oversight, Delay Oversight, Deflect Issue, Hide Nature of Transaction

Source: University of South Florida Internal Audit 20

DETECTION OF FRAUD SCHEMES


Source: ACFE.com 21

DETECTION OF FRAUD SCHEMES Initial Detection of Occupational Frauds

Source: ACFE.com 22

HOW TO REPORT SUSPECTED FRAUD AT NCSU

• NC State Internal Audit Hotline
  • Phone: 919-515-8355 and leave a detailed voicemail
  • Phone: 919-515-8862 to speak with the Director
  • Fax: 919-513-2122 to provide a written report
  • Website: http://www.ncsu.edu/internal_audit/hotline/
    – Complete the form in detail
    – Can be anonymous

• Office of the State Auditor
  • 919-730-TIPS

Source: http://www.ncsu.edu/internal_audit/hotline/ 23

IT SECURITY TIPS

24

IT SECURITY TIPS

• University Security Policies • Physical Security • Password Security • Desktop Firewall • System Update • Basic Security Hardening • Remote Connection • Mobile Device Security • Secure Cloud Computing • Safe Social Interaction

25

UNIVERSITY SECURITY POLICIES

• Computer Use Policy (POL 08.00.01) http://policies.ncsu.edu/policy/pol-08-00-01 – Broad outline of acceptable use of university IT resources

• Computer Use Regulation (REG 08.00.02) http://policies.ncsu.edu/regulation/reg-08-00-02 – More details on acceptable use – Limited personal use allowed; expect no privacy – No commercial gain; no University endorsement

• Data Management Procedures (REG 08.00.03) http://policies.ncsu.edu/regulation/reg-08-00-03 – Assigns data stewards and data custodians – Makes you responsible for the security, privacy, appropriate use, and disposition of data in your custody

26

PHYSICAL SECURITY

• Protect laptops, iPads, … under lock and key • Never leave mobile devices unattended • Avoid shoulder surfing • Use password-protected screen savers • Practice CTRL+ALT+DELETE password locking • Use privacy screens • Safely store software media • Work with IT to backup important data • Prevent fire/water damage to hardware/media • Protect mobile devices like your wallet/purse!

27

PASSWORD SECURITY

• NC State Password Standard: www.ncsu.edu/security/prr/computer-use/PasswordStandard20070509.doc
  – Min Password Length: 8
  – Max Password Age: 30, 90, 365
  – Allow password re-use: No

• Pick strong, complex passwords that you can remember, but that are “impossible” for others to guess
• No dictionary words or well-known phrases
• Use passphrases instead of passwords
• Use separate work and personal passwords
• Never send passwords in email
• Never share passwords with anyone, ever!
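The standard's rules above as an added, runnable checker (example code, not NC State's own tooling); the mapping of the three max-age values to account tiers, the tier names, and the tiny word list are assumptions made for illustration:

```python
import hashlib
import hmac
from datetime import date

MIN_LENGTH = 8
# Assumed mapping of account tiers to the three max-age values on the slide.
MAX_AGE_DAYS = {"privileged": 30, "standard": 90, "low_risk": 365}
# Constructed stand-in for a real word list; the slide forbids dictionary words.
DICTIONARY = {"password", "wolfpack", "raleigh", "welcome", "november"}


def digest(password):
    """Hash a password for history storage (a real system would use a salted,
    slow hash such as bcrypt; SHA-256 keeps this example dependency-free)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate, history_hashes=()):
    """Return the list of standard violations; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    # Treat 'Password1!' as a dictionary word: strip digits and symbols first.
    core = "".join(ch for ch in candidate.lower() if ch.isalpha())
    if core in DICTIONARY:
        problems.append("based on a dictionary word")
    cand = digest(candidate)
    if any(hmac.compare_digest(cand, old) for old in history_hashes):
        problems.append("re-uses a previous password")
    return problems


def password_expired(set_on, today, tier="standard"):
    """True when a password set on ISO date set_on has passed its tier's max age."""
    age = (date.fromisoformat(today) - date.fromisoformat(set_on)).days
    return age > MAX_AGE_DAYS[tier]


def is_passphrase(candidate, min_words=3):
    """Slide advice: prefer passphrases; here, three or more space-separated words."""
    return len(candidate.split()) >= min_words


if __name__ == "__main__":
    history = [digest("correct horse battery")]
    print(check_password("Password1!"))                      # dictionary word
    print(check_password("correct horse battery", history))  # re-use
    print(password_expired("2012-08-01", "2012-11-29"))      # True at 120 days
```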

28

DESKTOP FIREWALL

• Desktop firewalls:
  – Allow legitimate access to your computer
  – Block unauthorized access attempts to/from your computer

• Work with IT support to ensure that:
  – Your desktop firewall is enabled
  – Only legitimate access is allowed into and from your computer

29


SYSTEM UPDATE

• Fully updated systems are less likely to be infected with viruses or malware, or hacked

• Work with IT to ensure system update is turned on and patches are appropriately applied

• Install University-approved anti-virus software, and automatically update signatures

  – TrendMicro: http://oit.ncsu.edu/antivirus
  – Approved Alternate Antivirus Products: http://oit.ncsu.edu/antivirus/clients-alternate-approved

• Install an OIT-endorsed anti-malware product – MalwareBytes or Spybot – Search & Destroy: http://oit.ncsu.edu/computing/fall-2009-keep-your-computer-secure

30

BASIC SECURITY HARDENING

• Ensure that a password/PIN is required to access computers or other devices

• Only install University-approved software to reduce Trojan-horse style attacks

• Work with your IT support staff to:
  – identify and remove unnecessary programs
  – disable unnecessary services
  – remove unnecessary user accounts
  – rename and disable the Guest account
  – rename the Administrator account
  – set up a strong Administrator password

31

REMOTE CONNECTION

• Use the WolfTech SSL VPN for remote access to the university network (RDP), S-drive, H-drive, K-drive, … (http://www.wolftech.ncsu.edu/support/support/NCSU_VPN)
• Secure your home network – wireless security, firewall, antivirus, anti-malware, etc.
• Avoid using work credentials from untrusted computers; you may be at risk from key loggers and man-in-the-middle attacks
• HTTPS is secure; HTTP is not
• Avoid downloading sensitive University data onto non-University devices
• Remember to log out when finished using remote devices!

32

MOBILE DEVICE SECURITY

• OIT Mobile Device Security Guideline
  – Covers device, data, and communication security
  – Includes DIY steps for Android, BlackBerry, iOS, Mac OS X, Windows 7, and Windows Vista laptops
  – http://oit.ncsu.edu/mobile-device-security-steps

• Setup passwords/PINs • Use antivirus/anti-malware protection • Update device and software • Encrypt sensitive data • Set strong Tethering password if used • Set Bluetooth passkey or disable if not in use

33

SECURE CLOUD COMPUTING

• Cloud computing services: GoogleDrive, Amazon, Apple iCloud, DropBox, MS SkyDrive, MS Office365, MS SharePoint, MS Access Online, …
• Consult with Extension IT and OIT S&C before storing University data in the cloud
• Can you tell what country your data reside in?
• Good security practices are still needed – strong passwords, no password sharing, etc.
• Be careful of data leaks through re-sharing of access
• Read the fine print – is it OK for Google, MS, Apple, etc. to read the data? When I click “I Agree”, am I agreeing on behalf of NCSU?
• Are you prepared for disappearing clouds?

34

SAFE SOCIAL INTERACTION

• Never, ever:
  – send usernames, passwords, or PINs in email to anyone
  – share credentials (e.g., Unity/password) with anyone
  – share your session with anyone
  – click on links in unsolicited or untrusted email

• Consult IT before using social media (e.g., Facebook, YouTube, My Space, GooglePlus, LinkedIn, etc.) for work

• Avoid:
  – Baiting attacks
  – Tailgating attacks
  – Quid pro quo attacks
  – Pretexting attacks

• Report suspicious emails or phone calls to your IT support staff – you may be the target of a spear phishing attack

“it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system”

– Kevin Mitnick

35

GENERAL RECOMMENDATIONS

Communicate
• If it doesn’t seem/feel right or you don’t know, don’t do it!
• Ask your County or College Business (as applicable), Personnel, or Research Office first
• Call the County or NCSU Central Groups such as CES Extension IT (919-513-7000), the Controller’s Office, HR, Contracts & Grants, SPARCS, or IAD

NCSU Internal Audit Division
Cecile Hinson, Director, (919) 515-8862
Jordan Holaren, Audit Manager, (919) 515-6849
Leo Howell, Audit Manager, (919) 515-8863

36

QUESTIONS??

37