TOOLS AND TIPS FOR MINIMIZING RISKS: NCSU Internal Audit presentation to the CES West District, November 29, 2012 (PowerPoint)

SLIDE 1

TOOLS AND TIPS FOR MINIMIZING RISKS

CES WEST DISTRICT

NOVEMBER 29, 2012

SLIDE 2

TOPICS

  • NCSU Internal Audit: Who are We and How Can We Help?
  • Self Assessments: Why Do Them?
  • Fraud Awareness and How to Report Suspected Fraud at NCSU
  • IT Security Tips
  • Questions

SLIDE 3

HOW CAN WE HELP?

  • Provide tools for you to assess your offices
  • Preparation for future agency or sponsor audits
  • Assistance in identifying business & technology risks
  • Assistance in potential misuse cases
  • Operational and IT audits to improve efficiency and effectiveness
  • Recommendations for process improvements

SLIDE 4

WHAT CAN WE NOT DO?

  • Assume responsibility or ownership of processes and procedures
  • Establish requirements
  • Develop or write policies
  • Make management decisions

WHY NOT? To maintain independence AND avoid conflicts of interest.

SLIDE 5

CES SELF ASSESSMENT TOOLS

http://internalaudit.ncsu.edu/campus-tools/self-assessment-tools/ces/

SLIDE 6

SELF ASSESSMENTS: WHY DO THEM?

  • Identify risks
  • Help to avoid potential fraud
  • Improved CED oversight
  • Increased awareness of policies and procedures
  • Identify training needs
  • Heighten your awareness – especially of “gray areas”

SLIDE 7

CONDUCTING SELF ASSESSMENTS

  • Receipt Self Assessment Tool (slide 8)
  • Disbursement Self Assessment Tool (slide 9)
  • Timesheet Self Assessment Tool (slide 10)
  • Contracts and Grants Self Assessment Tool (slide 11)
  • Business Practices Self Assessment Tool (slide 12)

SLIDE 8

RECEIPT PROCESS

Goals

  • Keep track of receipts
  • Involvement of enough people to limit the potential or perception of misuse
  • Sufficient documentation to support compliance with NCSU and County guidelines, as appropriate

How To’s

  • Self Assessment Tool
  • Monthly Reconciliations
  • Online Training Opportunities (Course Handouts and Resources):
    – http://www.fis.ncsu.edu/controller/training/class_resources.asp

SLIDE 9

DISBURSEMENT PROCESS

Goals

  • Ensure that money is being spent according to the respective guidelines, with sufficient supporting documentation (the 5 W’s)
  • Accurately reflect travel expenses, including completing a travel authorization (when applicable)

How To’s

  • Self Assessment Tool
  • Monthly Reconciliations
  • Online Training Opportunities (Course Handouts and Resources):
    – http://www.fis.ncsu.edu/controller/training/class_resources.asp
    – http://www.fis.ncsu.edu/FinTraining/FocusGroup/job_aids/

SLIDE 10

TIMESHEETS AND LEAVE

Goals

  • Appropriate review by the supervisor to identify and correct errors that could result in a University violation of the FLSA
  • Record all types of leave in the University’s Web Leave System
  • Understand the importance of compensatory time: http://www.ncsu.edu/human_resources/hrim/comp_time.php

How To’s

  • Self Assessment Tool
  • Online Training Opportunities (supervisor and employee training and guidance): http://www.ncsu.edu/human_resources/classcomp/timerecdefault.php

SLIDE 11

CONTRACTS AND GRANTS

Goals

  • Meet sponsors’ requirements and increase preparedness for external audits
  • Thorough documentation (always provide the 5 W’s: WHO, WHAT, WHEN, WHERE, and WHY)

How To’s

  • Self Assessment Tool
  • Reconcile contract or grant expenditures just as you would any other account
  • Online Training Opportunities:
    – Sponsored Programs and Regulatory Compliance Services (SPARCS): http://www.ncsu.edu/sparcs/training/index.html
    – Contracts and Grants: http://www.ncsu.edu/cng/training/index.php

SLIDE 12

BUSINESS PRACTICES

Goals

  • Avoid common issues such as failing to redact an employee’s personal or financial information, or the full purchase card number, from Office forms or documentation loaded into the financial system
  • Promote an environment of solid controls over business processes to prevent and detect errors

How To’s

  • Self Assessment Tool
  • Online Training Opportunities: Office of General Counsel, “Public Records: Preservation, Release, and Disposition”: http://www.ncsu.edu/general_counsel/training/PublicRecordsTutorial.html

SLIDE 13

FRAUD AWARENESS


Occupational Fraud: “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.”

Source: The Association of Certified Fraud Examiners, 2002 Report to the Nations on Occupational Fraud and Abuse

SLIDE 14

HOW OCCUPATIONAL FRAUD IS COMMITTED

The Fraud Triangle (figure: opportunity, motive, and rationalization)

Source: TheIIA.org

SLIDE 15

PROFILE OF A FRAUDSTER

  • Intelligent
  • Inquisitive
  • Risk taker
  • Hard worker
  • Between 31 and 45 years old
  • With organization 1-5 years
  • No criminal history
  • Most likely in 1 of 6 departments

Who is most likely to commit fraud? About 80% of the population, given the right combination of opportunity, motive, and the ability to rationalize the act.

Source: ACFE.com

SLIDE 16

Fraud Reported in Higher Education

  • Former Georgia Tech worker gets jail time for mail fraud; pleads guilty to 22 counts (2008)
    – Access to P-cards, April 2002 – 2007
    – Bought more than 3,800 personal items, costing over $316,000
    – Created fake receipts, submitted them to the supervisor, and made false entries in the accounting records

[Video]

Source: http://www.bizjournals.com/atlanta/stories/2008/08/18/daily29.html

SLIDE 17

FRAUD REPORTED IN HIGHER EDUCATION

  • Box office and business operation of the UNC Performing Arts series cannot account for $123,500 (2012)
    – Occurred from 2007 to 2011
    – Audit found $121,000 in cash revenue and $2,500 in checks missing
    – The same employee prepared, deposited, and recorded cash from ticket sales
    – Deposits were at times delayed for two or three weeks
    – The SBI is currently investigating; a definitive suspect has not yet been determined

Source: http://www.newsobserver.com/2012/11/13/2481665/unc-audit-uncovers-123500-missing.html

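The two control failures in this case (one employee preparing, depositing and recording the receipts, and deposits sitting for weeks) are exactly what the monthly reconciliation recommended on slide 8 should surface. The following is an added example, not part of the original deck and not NC State Internal Audit's own tooling: it runs those two checks over a constructed cash-receipts ledger. The field names, the fictitious user names and amounts, and the 7-day deposit threshold are this example's assumptions.

```python
"""Cash-receipts control check (added example, not NC State Internal Audit's tooling).

Two tests drawn from the UNC case: (1) segregation of duties -- the person who
prepares a deposit should not also deposit and record it; (2) timeliness --
deposits should not sit for weeks. Field names, the fictitious names and
amounts, and the 7-day threshold are assumptions.
"""
from collections import Counter
from datetime import date

MAX_DEPOSIT_LAG_DAYS = 7          # assumed policy; the UNC deposits lagged 2-3 weeks
ROLES = ("prepared_by", "deposited_by", "recorded_by")

# Constructed sample ledger: one row per ticket-sale batch (fictitious data).
RECEIPTS = [
    {"batch": "TS-0101", "amount": 1850.00, "prepared_by": "jdoe", "deposited_by": "jdoe",
     "recorded_by": "jdoe", "sale_date": date(2011, 3, 4), "deposit_date": date(2011, 3, 25)},
    {"batch": "TS-0102", "amount": 920.00, "prepared_by": "jdoe", "deposited_by": "msmith",
     "recorded_by": "rlee", "sale_date": date(2011, 3, 11), "deposit_date": date(2011, 3, 12)},
    {"batch": "TS-0103", "amount": 2400.00, "prepared_by": "jdoe", "deposited_by": "jdoe",
     "recorded_by": "jdoe", "sale_date": date(2011, 3, 18), "deposit_date": date(2011, 4, 5)},
    {"batch": "TS-0104", "amount": 610.00, "prepared_by": "msmith", "deposited_by": "msmith",
     "recorded_by": "rlee", "sale_date": date(2011, 3, 25), "deposit_date": date(2011, 3, 26)},
    {"batch": "TS-0105", "amount": 1300.00, "prepared_by": "rlee", "deposited_by": "msmith",
     "recorded_by": "rlee", "sale_date": date(2011, 4, 1), "deposit_date": date(2011, 4, 12)},
]


def flag_receipt(row):
    """Red flags for one ledger row (empty list = no finding)."""
    flags = []
    actors = {row[r] for r in ROLES}
    if len(actors) == 1:
        flags.append("no segregation of duties: one person prepared, deposited and recorded")
    elif len(actors) == 2:
        flags.append("weak segregation: only two people across three duties")
    lag = (row["deposit_date"] - row["sale_date"]).days
    if lag > MAX_DEPOSIT_LAG_DAYS:
        flags.append("deposit delayed %d days" % lag)
    return flags


def audit(rows):
    """Map batch -> flags for every flagged row, plus a tally of who handled
    receipts end to end alone (the pattern an auditor looks for first)."""
    findings, solo = {}, Counter()
    for row in rows:
        flags = flag_receipt(row)
        if flags:
            findings[row["batch"]] = flags
        if len({row[r] for r in ROLES}) == 1:
            solo[row["prepared_by"]] += 1
    return findings, solo


def amount_at_risk(rows, findings):
    """Total dollars in flagged batches, the figure a reconciliation should trace."""
    return round(sum(r["amount"] for r in rows if r["batch"] in findings), 2)


if __name__ == "__main__":
    found, alone = audit(RECEIPTS)
    for batch, flags in found.items():
        print(batch, "->", "; ".join(flags))
    print("handled alone:", dict(alone), "at risk: $%.2f" % amount_at_risk(RECEIPTS, found))
```

The single-actor check is the one that matters most: in the sample, "jdoe" handles two batches end to end, and both of those batches are also the ones deposited late, which is the combination the UNC audit describes. A batch handled by two people is reported as a weaker finding so that small offices, where three separate people are not always available, still see where a second reviewer is missing.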
SLIDE 18

Fraud at NCSU

  • Fictitious or inflated business/travel expenses
  • Employees performing work for personal companies during University work hours
  • Use of University funds for personal benefit/purchases
  • Theft of University assets
  • Use of University resources for personal benefit

SLIDE 19

WARNING SIGNS, RED FLAGS, AND COMMON INDICATORS

Source: ACFE.com

SLIDE 20

WARNING SIGNS, RED FLAGS, AND COMMON INDICATORS

Avoid Oversight
  • Illegible receipt
  • Altered receipt
  • Substitute receipt
  • Summary receipt

Delay Oversight
  • “When I get time”
  • “Will request new receipt”
  • “Have requested credit”
  • “Will look into”

Deflect Issue
  • Patterns of “honest errors”
  • Blames vendor
  • Blames system
  • Changes subject

Hide Nature of Transaction
  • Missing documents
  • Lost receipts
  • Credit card slip only
  • Order form only
  • Shipped off campus

Source: University of South Florida Internal Audit

SLIDE 21

DETECTION OF FRAUD SCHEMES

(Images: pennyscribbler.wordpress.com, jimunro.blogspot.com) Source: ACFE.com

SLIDE 22

DETECTION OF FRAUD SCHEMES

Initial Detection of Occupational Frauds

Source: ACFE.com

SLIDE 23

HOW TO REPORT SUSPECTED FRAUD AT NCSU

  • NC State Internal Audit Hotline
    – Phone: 919-515-8355 and leave a detailed voicemail
    – Phone: 919-515-8862 to speak with the Director
    – Fax: 919-513-2122 to provide a written report
    – Website: http://www.ncsu.edu/internal_audit/hotline/ (complete the form in detail; can be anonymous)
  • Office of the State Auditor
    – 919-730-TIPS

Source: http://www.ncsu.edu/internal_audit/hotline/

SLIDE 24

IT SECURITY TIPS

SLIDE 25

IT SECURITY TIPS

  • University Security Policies
  • Physical Security
  • Password Security
  • Desktop Firewall
  • System Update
  • Basic Security Hardening
  • Remote Connection
  • Mobile Device Security
  • Secure Cloud Computing
  • Safe Social Interaction

SLIDE 26

UNIVERSITY SECURITY POLICIES

  • Computer Use Policy (POL 08.00.01): http://policies.ncsu.edu/policy/pol-08-00-01
    – Broad outline of acceptable use of university IT resources
  • Computer Use Regulation (REG 08.00.02): http://policies.ncsu.edu/regulation/reg-08-00-02
    – More details on acceptable use
    – Limited personal use allowed; expect no privacy
    – No commercial gain; no University endorsement
  • Data Management Procedures (REG 08.00.03): http://policies.ncsu.edu/regulation/reg-08-00-03
    – Assigns data stewards and data custodians
    – Makes you responsible for the security, privacy, appropriate use, and disposition of data in your custody

SLIDE 27

PHYSICAL SECURITY

  • Protect laptops, iPads, … under lock and key
  • Never leave mobile devices unattended
  • Avoid shoulder surfing
  • Use password-protected screen savers
  • Practice CTRL+ALT+DELETE password locking
  • Use privacy screens
  • Safely store software media
  • Work with IT to backup important data
  • Prevent fire/water damage to hardware/media
  • Protect mobile devices like your wallet/purse!

SLIDE 28

PASSWORD SECURITY

  • NC State Password Standard: www.ncsu.edu/security/prr/computer-use/PasswordStandard20070509.doc
    – Min Password Length: 8
    – Max Password Age: 30, 90, or 365 days
    – Allow password re-use: No
  • Pick strong, complex passwords that you can remember but that are “impossible” for others to guess
  • No dictionary words or well-known phrases
  • Use passphrases instead of passwords
  • Use separate work and personal passwords
  • Never send passwords in email
  • Never share passwords with anyone, ever!

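The rules on this slide as a runnable check. This is an added example, not NC State's own tool and not part of the original slides; the linked Password Standard is only summarized above, so the banned word list, the hash-based re-use history, the mapping of the 30/90/365-day ages to account classes, and the "lone short word is not a passphrase" test are this example's assumptions.

```python
"""Password-standard check (added example, not NC State's tool).

Rules taken from the slide: minimum length 8; maximum age 30, 90 or 365 days;
no re-use; no dictionary words or well-known phrases; prefer passphrases.
The word list, the hash-based history and the age classes are assumptions.
"""
import hashlib
import hmac
import re
from datetime import date

MIN_LENGTH = 8
# Assumed mapping of the slide's three ages to account classes.
MAX_AGE_DAYS = {"privileged": 30, "standard": 90, "service": 365}
# Constructed stand-in for a real dictionary / banned-phrase list.
COMMON_WORDS = {"password", "wolfpack", "letmein", "welcome", "qwerty",
                "ncstate", "raleigh", "summer"}


def _variants(candidate):
    """Forms of the candidate compared against COMMON_WORDS: lower-cased with
    digits/symbols dropped ('Summer2012' -> 'summer'), and with common leet
    substitutions undone first ('P@ssw0rd' -> 'password')."""
    lowered = candidate.lower()
    leet = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})
    yield re.sub(r"[^a-z]", "", lowered)
    yield re.sub(r"[^a-z]", "", lowered.translate(leet))


def is_dictionary_word(candidate):
    return any(v in COMMON_WORDS for v in _variants(candidate))


def fingerprint(password):
    """Value kept in the history for the no-re-use rule. A real credential
    store would use a salted, slow hash (bcrypt/scrypt/argon2); plain SHA-256
    keeps this example dependency-free."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_expired(last_changed, account_class="standard", today=None):
    """True when the password is older than the class's maximum age."""
    today = today or date.today()
    return (today - last_changed).days > MAX_AGE_DAYS[account_class]


def check_password(candidate, history=(), last_changed=None, account_class="standard", today=None):
    """Return the list of rule violations; an empty list means the candidate passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    words = [w for w in re.split(r"[\s_\-]+", candidate.strip()) if w]
    if is_dictionary_word(candidate):
        problems.append("dictionary word or well-known phrase (leet substitutions do not help)")
    elif len(words) < 2 and len(candidate) < 16:
        # Assumed passphrase rule: one short word with digits bolted on is not a passphrase.
        problems.append("single short word; prefer a multi-word passphrase")
    fp = fingerprint(candidate)
    if any(hmac.compare_digest(fp, old) for old in history):
        problems.append("re-uses a previous password")
    if last_changed is not None and password_expired(last_changed, account_class, today):
        problems.append("older than %d days; must be changed" % MAX_AGE_DAYS[account_class])
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Wolf1", "copper kettle whistles at dawn"):
        print(repr(pw), "->", check_password(pw) or "ok")
```

The leet-undoing step is the part most checkers skip: "P@ssw0rd" satisfies a naive complexity rule (upper, lower, digit, symbol, eight characters) and is still the first guess any cracking wordlist makes. A multi-word passphrase passes every rule here while being far longer than the 8-character minimum, which is the point of the slide's "use passphrases instead of passwords".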
SLIDE 29

DESKTOP FIREWALL

  • Desktop firewalls:
    – Allow legitimate access to your computer
    – Block unauthorized access attempts to/from your computer
  • Work with IT support to ensure that:
    – Your desktop firewall is enabled
    – Only legitimate access is allowed into and from your computer

(Figure: blocked traffic “No!”, allowed traffic “Yes!”)

SLIDE 30

SYSTEM UPDATE

  • Fully updated systems are less likely to be infected with viruses or malware, or hacked
  • Work with IT to ensure system update is turned on and patches are appropriately applied
  • Install University-approved anti-virus software, and automatically update signatures
    – TrendMicro: http://oit.ncsu.edu/antivirus
    – Approved Alternate Antivirus Products: http://oit.ncsu.edu/antivirus/clients-alternate-approved
  • Install an OIT-endorsed anti-malware product
    – MalwareBytes or Spybot – Search & Destroy: http://oit.ncsu.edu/computing/fall-2009-keep-your-computer-secure

SLIDE 31

BASIC SECURITY HARDENING

  • Ensure that a password/PIN is required to access computers or other devices
  • Only install University-approved software, to reduce Trojan-horse style attacks
  • Work with your IT support staff to:
    – identify and remove unnecessary programs
    – disable unnecessary services
    – remove unnecessary user accounts
    – rename and disable the Guest account
    – rename the Administrator account
    – set up a strong Administrator password

SLIDE 32

REMOTE CONNECTION

  • Use the WolfTech SSL VPN for remote access to the university network (RDP), S-drive, H-drive, K-drive, … (http://www.wolftech.ncsu.edu/support/support/NCSU_VPN)
  • Secure your home network – wireless security, firewall, antivirus, anti-malware, etc.
  • Avoid using work credentials from untrusted computers; you may be exposed to key loggers and man-in-the-middle attacks
  • HTTPS encrypts the connection; plain HTTP does not, so check for https:// before entering credentials
  • Avoid downloading sensitive University data onto non-University devices
  • Remember to log out when finished using remote devices!

SLIDE 33

MOBILE DEVICE SECURITY

  • OIT Mobile Device Security Guideline
    – Covers device, data, and communication security
    – Includes DIY steps for Android, BlackBerry, iOS, Mac OS X, Windows 7, and Windows Vista laptops
    – http://oit.ncsu.edu/mobile-device-security-steps
  • Set up passwords/PINs
  • Use antivirus/anti-malware protection
  • Update device and software
  • Encrypt sensitive data
  • Set a strong tethering password if tethering is used
  • Set a Bluetooth passkey, or disable Bluetooth if not in use

SLIDE 34

SECURE CLOUD COMPUTING

  • Cloud computing services: Google Drive, Amazon, Apple iCloud, Dropbox, MS SkyDrive, MS Office 365, MS SharePoint, MS Access Online, …
  • Consult with Extension IT and OIT S&C before storing University data in the cloud
  • Can you tell what country your data reside in?
  • Good security practices are still needed – strong passwords, no password sharing, etc.
  • Be careful of data leaks through re-sharing of access
  • Read the fine print – is it o.k. for Google, MS, Apple, etc. to read the data? When I click “I Agree”, am I agreeing on behalf of NCSU?
  • Are you prepared for disappearing clouds?

SLIDE 35

SAFE SOCIAL INTERACTION

  • Never, ever:
    – send usernames, passwords, or PINs in email to anyone
    – share credentials (e.g., Unity ID and password) with anyone
    – share your session with anyone
    – click on links in unsolicited or untrusted email
  • Consult IT before using social media (e.g., Facebook, YouTube, MySpace, Google+, LinkedIn, etc.) for work
  • Avoid social-engineering attacks:
    – Baiting attacks
    – Tailgating attacks
    – Quid pro quo attacks
    – Pretexting attacks
  • Report suspicious emails or phone calls to your IT support staff – you may be the target of a spear phishing attack

“it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system” – Kevin Mitnick

SLIDE 36

GENERAL RECOMMENDATIONS

Communicate

  • If it doesn’t seem/feel right or you don’t know, don’t do it!
  • Ask your County or College Business Office (as applicable), Personnel Office, or Research Office first
  • Call the County or NCSU central groups such as CES Extension IT (919-513-7000), the Controller’s Office, HR, Contracts & Grants, SPARCS, or IAD

NCSU Internal Audit Division
  • Cecile Hinson, Director, (919) 515-8862
  • Jordan Holaren, Audit Manager, (919) 515-6849
  • Leo Howell, Audit Manager, (919) 515-8863

SLIDE 37

QUESTIONS??
