TOOLS AND TIPS FOR MINIMIZING RISKS CES WEST


TOOLS AND TIPS FOR MINIMIZING RISKS
CES WEST DISTRICT
NOVEMBER 29, 2012

TOPICS
- NCSU Internal Audit: Who are We and How Can We Help?
- Self Assessments: Why Do Them?
- Fraud Awareness and How to Report Suspected Fraud at NCSU
- IT Security Tips
- Questions

HOW CAN WE HELP?
- Provide tools for you to assess your offices
- Preparation for future agency or sponsor audits
- Recommendations for process improvements
- Assistance in potential misuse cases
- Operational and IT audits to improve efficiency and effectiveness
- Assistance in identifying business & technology risks

WHAT CAN WE NOT DO?
- Establish requirements
- Assume responsibility or ownership of processes and procedures
- Develop or write policies
- Make management decisions

WHY NOT?
- Maintain independence AND avoid conflict of interest

CES SELF ASSESSMENT
lfassessment-tools/ces/

SELF ASSESSMENTS: WHY DO THEM?
- Heighten your awareness, especially of “gray areas”
- Identify training needs
- Increased awareness of policies and procedures
- Identify risks
- Help to avoid potential fraud
- Improved CED oversight

CONDUCTING SELF ASSESSMENTS
- Receipt Self Assessment Tool
- Disbursement Self Assessment Tool
- Timesheet Self Assessment Tool
- Contracts and Grants Self Assessment Tool
- Business Practices Self Assessment Tool

RECEIPT PROCESS
Goals
- Keep track of receipts
- Involvement of enough people to limit potential or perception of misuse
- Sufficient documentation to support compliance with NCSU and County guidelines, as appropriate
How To’s
- Self Assessment Tool
- Monthly Reconciliations
- Online Training Opportunities (Course Handouts and training/class resources.asp

DISBURSEMENT PROCESS
Goals
- Ensure that money is being spent according to respective guidelines with sufficient supporting documentation (5 W’s)
- Accurately reflect travel expenses, including completing a travel authorization (when applicable)
How To’s
- Self Assessment Tool
- Monthly Reconciliations
- Online Training Opportunities (Course Handouts and er/training/class ocusGroup/job aids/

TIMESHEETS AND LEAVE
Goals
- Appropriate review by the supervisor to identify and correct errors that could result in University violation of FLSA
- Record all types of leave in the University’s Web Leave System
- Understand the importance of compensatory time: http://www.ncsu.edu/human_resources/hrim/comp_time.php
How To’s
- Self Assessment Tool
- Online Training Opportunities (Supervisor and employee training and guidance): http://www.ncsu.edu/human_resources/classcomp/timerecdefault.php

CONTRACTS AND GRANTS
Goals
- Meet sponsors’ requirements and increase preparedness for external audits
- Thorough documentation (always provide the 5 W’s): WHO, WHAT, WHEN, WHERE, and WHY
How To’s
- Self Assessment Tool
- Reconcile contract or grant expenditures just as you would any other account
- Online Training Opportunities: Sponsored Programs and Regulatory Compliance Service .html Contracts and p

BUSINESS PRACTICES
Goals
- Avoid common issues such as not redacting employee’s information (personal or financial) or the entire purchase card number from Office forms or documentation loaded into the financial system
- Promote an environment of solid controls over business processes to prevent and detect errors
How To’s
- Self Assessment Tool
- Online Training Opportunities: Office of General Counsel “Public Records: Preservation, Release, and Disposition”: http://www.ncsu.edu/general_counsel/training/PublicRecordsTutorial.html

FRAUD AWARENESS
Occupational Fraud: “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.”
Source: The Association of Certified Fraud Examiners, 2002 Report to the Nations on Occupational Fraud and Abuse

HOW OCCUPATIONAL FRAUD IS COMMITTED
The Fraud Triangle
Source: TheIIA.org

PROFILE OF A FRAUDSTER
- Intelligent
- Inquisitive
- Risk taker
- Hard worker
- Between 31 and 45 years old
- With organization 1-5 years
- No criminal history
- Most likely in 1 of 6 departments

Who is most likely to commit fraud?
About 80% of the population, given the right combination of opportunity, motive and ability to rationalize the act.
Source: ACFE.com

FRAUD REPORTED IN HIGHER EDUCATION
- Former Georgia Tech worker gets jail time for mail fraud; pleads guilty to 22 counts (2008)
  - Access to P-cards
  - April 2002 – 2007
  - Bought more than 3,800 personal items, costing over 316,000
  - Created fake receipts, submitted them to supervisor, and made false entries in the accounting records
Source: /18/daily29.html

FRAUD REPORTED IN HIGHER EDUCATION
- Box office and business operation of UNC Performing Arts series cannot account for 123,500 (2012)
  - Occurred from 2007 to 2011
  - Audit found 121,000 in cash revenue and 2,500 in checks missing
  - Same employee prepared, deposited, and recorded cash from ticket sales
  - Deposits were delayed at times for two or three weeks
  - The SBI is currently investigating; a definitive suspect has not yet been determined
Source: -audit-uncovers-123500-missing.html

FRAUD AT NCSU
- Fictitious or inflated business/travel expenses
- Employees performing work for personal companies during University work hours
- Use of University funds for personal benefit/purchases
- Theft of University assets
- Use of University resources for personal benefit

WARNING SIGNS, RED FLAGS, AND COMMON INDICATORS
Source: ACFE.com

WARNING SIGNS, RED FLAGS, AND COMMON INDICATORS
Missing documents
- Lost receipts
- Credit card slip only
- Order form only
- Shipped off campus
Deflect issue
- “When I get time”
- “Will request new receipt”
- “Have requested credit”
- “Will look t
Patterns of “honest errors”
- Blames vendor
- Blames system
- Changes subject
Hide nature of transaction
- Illegible receipt
- Altered receipt
- Substitute receipt
- Summary receipt
Source: University of South Florida Internal Audit

DETECTION OF FRAUD
Source: ACFE.com

DETECTION OF FRAUD SCHEMES
Initial Detection of Occupational Frauds
Source: ACFE.com

HOW TO REPORT SUSPECTED FRAUD AT NCSU
NC State Internal Audit Hotline
- Phone: 919-515-8355 and leave a detailed voicemail
- Phone: 919-515-8862 to speak with the Director
- Fax: 919-513-2122 to provide a written report
- Website: http://www.ncsu.edu/internal_audit/hotline/
  - Complete form in detail
  - Can be anonymous
Office of the State Auditor
- 919-730-TIPS
Source: http://www.ncsu.edu/internal_audit/hotline/

IT SECURITY TIPS

IT SECURITY TIPS
- University Security Policies
- Physical Security
- Password Security
- Desktop Firewall
- System Update
- Basic Security Hardening
- Remote Connection
- Mobile Device Security
- Secure Cloud Computing
- Safe Social Interaction

UNIVERSITY SECURITY POLICIES
- Computer Use Policy (POL -01)
  - Broad outline of acceptable use of university IT resources
- Computer Use Regulation (REG 8-00-02)
  - More details on acceptable use
  - Limited personal use allowed; expect no privacy
  - No commercial gain; no University endorsement
- Data Management Procedures (REG 8-00-03)
  - Assigns data stewards and data custodians
  - Makes you responsible for data security, privacy, appropriate use, and disposition of data in your custody

PHYSICAL SECURITY
- Protect laptops, iPads, etc. under lock and key
- Never leave mobile devices unattended
- Avoid shoulder surfing
- Use password-protected screen savers
- Practice CTRL ALT DELETE password locking
- Use privacy screens
- Safely store software media
- Work with IT to back up important data
- Prevent fire/water damage to hardware/media
- Protect mobile devices like your wallet/purse!

PASSWORD SECURITY
- NC State Password Standard (swordStandard20070509.doc)
  - Min Password Length: 8
  - Max Password Age: 30, 90, 365
  - Allow password re-use: No
- Pick strong, complex passwords that you can remember, but “impossible” for others to guess
- No dictionary words or well-known phrases
- Use passphrases instead of passwords
- Use separate work and personal passwords
- Never send passwords in email
- Never share passwords with anyone, ever!
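As an added example (not from the slides or the NC State standard document itself), a Python check that encodes the password standard values quoted above: minimum length 8, no dictionary words or well-known phrases, no re-use, and expiry by max age. The tier names attached to the three max-age values, the complexity rule, and the word blocklist are assumptions constructed for illustration.

```python
import hashlib
from datetime import date, timedelta

# Values quoted from the NC State password standard on the slide above.
MIN_LENGTH = 8
# The slide lists three max-age values without naming the accounts they apply to;
# the tier names here are an assumption for illustration.
MAX_AGE_DAYS = {"privileged": 30, "standard": 90, "low-risk": 365}
ALLOW_REUSE = False

# Constructed sample of dictionary words and well-known phrases to reject.
BLOCKLIST = {"password", "wolfpack", "ncstate", "letmein", "welcome", "qwerty"}


def fingerprint(password: str) -> str:
    """Digest kept in the history list so old passwords are never stored in the clear.
    Illustration only: a real credential store uses a salted, slow hash (bcrypt, scrypt, Argon2)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, history: list[str]) -> list[str]:
    """Return the standard violations found; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    if any(word in lowered for word in BLOCKLIST):
        problems.append("contains a dictionary word or well-known phrase")
    # "Complex" is not defined on the slide; assumed here as three character classes,
    # or a passphrase of at least three words, which the slide recommends instead.
    classes = sum(any(f(c) for c in candidate)
                  for f in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    if classes < 3 and len(candidate.split()) < 3:
        problems.append("not complex enough: mix character classes or use a passphrase")
    if not ALLOW_REUSE and fingerprint(candidate) in history:
        problems.append("re-uses a previous password")
    return problems


def password_expired(last_changed: date, tier: str, today: date) -> bool:
    """True when the password is older than the max age allowed for its tier."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS[tier])


if __name__ == "__main__":
    history = [fingerprint("correct horse battery staple")]
    print(check_password("Wolfpack2012", history))
    print(check_password("correct horse battery staple", history))
    print(password_expired(date(2012, 8, 1), "standard", date(2012, 11, 29)))
```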

DESKTOP FIREWALL
- Desktop firewalls:
  - Allow legitimate access to your computer
  - Block unauthorized access attempts to/from your computer
- Work with IT support to ensure that:
  - Your desktop firewall is enabled
  - Only legitimate access is allowed into and from your computer

SYSTEM UPDATE
- Fully updated systems are less likely to be infected with viruses or malware, or hacked
- Work with IT to ensure system update is turned on and patches are appropriately applied
- Install University-approved anti-virus software, and automatically update signatures
  - TrendMicro: http://oit.ncsu.edu/antivirus
  - Approved Alternate Antivirus: ernate-approved
- Install an OIT-endorsed anti-malware product
  - MalwareBytes or Spybot – Search &
  - ep-your-computer-secure

BASIC SECURITY HARDENING
- Ensure that a password/PIN is required to access computers or other devices
- Only install University-approved software to reduce Trojan-horse style attacks
- Work with your IT support staff to:
  - identify and remove unnecessary programs
  - disable unnecessary services
  - remove unnecessary user accounts
  - rename and disable the Guest account
  - rename the Administrator account
  - set up a strong Administrator password

REMOTE CONNECTION
- Use WolfTech SSL VPN for remote access to the university network (RDP), S-drive, H-drive, K-drive (http://www.wolftech.ncsu.edu/support/support/NCSU_VPN)
- Secure your home network: wireless security, firewall, antivirus, anti-malware, etc.
- Avoid using work credentials from untrusted computers; you may be at risk from key loggers and man-in-the-middle attacks
- HTTPS is secure, HTTP is not
- Avoid downloading sensitive University data onto non-University devices
- Remember to log out when finished using remote devices!

MOBILE DEVICE SECURITY
- OIT Mobile Device Security Guideline
  - Covers device, data, and communication security
  - Includes DIY steps for Android, BlackBerry, iOS, Mac OS X, Windows 7, Windows Vista laptops
  - http://oit.ncsu.edu/mobile-device-security-steps
- Set up passwords/PINs
- Use antivirus/anti-malware protection
- Update device and software
- Encrypt sensitive data
- Set a strong tethering password if used
- Set a Bluetooth passkey, or disable Bluetooth if not in use

SECURE CLOUD COMPUTING
- Cloud computing services: Google Drive, Amazon, Apple iCloud, DropBox, MS SkyDrive, MS Office 365, MS SharePoint, MS Access Online
- Consult with Extension IT and OIT S&C before storing University data in the cloud
- Can you tell what country your data reside in?
- Good security practices are still needed: strong passwords, no password sharing, etc.
- Be careful of data leaks through re-sharing of access
- Read the fine print: is it o.k. for Google, MS, Apple, etc. to read the data? When I click “I Agree” am I agreeing on behalf of NCSU?
- Are you prepared for disappearing clouds?

SAFE SOCIAL INTERACTION
- Never, ever:
  - send usernames, passwords, PINs in email to anyone
  - share credentials (e.g., Unity/password) with anyone
  - share your session with anyone
  - click on links in unsolicited or untrusted email
- Consult IT before using social media (e.g., Facebook, YouTube, MySpace, GooglePlus, LinkedIn, etc.) for work
- Avoid:
  - Baiting attacks
  - Quid pro quo attacks
  - Tailgating attacks
  - Pretexting attacks
- Report suspicious emails or phone calls to your IT support staff; you may be the target of a spear phishing attack

“it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system” – Kevin Mitnick

GENERAL RECOMMENDATIONS
Communicate
- If it doesn’t seem/feel right or you don’t know, don’t do it!
- Ask your County or College Business (as applicable), Personnel, or Research Office first
- Call the County or NCSU Central Groups such as the CES Extension IT (919-513-7000), Controller’s Office, HR, Contracts & Grants, SPARCS, or IAD

NCSU Internal Audit Division
- Cecile Hinson, Director, (919) 515-8862
- Jordan Holaren, Audit Manager, (919) 515-6849
- Leo Howell, Audit Manager, (919) 515-8863

QUESTIONS?
