Internal audit and year-round awareness

Wednesday, May 28, 2014

As the University’s observance of Internal Audit Awareness Month draws to a close, Tom York said it is important for employees to consider three key areas throughout the year – information security, internal controls and fraud detection and mitigation.

“Compliance is not the same as cybersecurity,” said York, director of internal audit. “While we have a strong program to ensure compliance with statutory and regulatory requirements, improving our cybersecurity posture goes well beyond these tasks.”

The Verizon 2014 Data Breach Investigation Report for the Public Sector describes four areas that account for 98 percent of security breaches in public sector entities. They are:

  • Miscellaneous errors (34 percent)

This category covers any mistake that compromises security, primarily posting of private data to public sites, sending information to the wrong recipients (whether in the post or by email) and failing to dispose of assets securely (shredding paper or wiping hard drives). In 49 percent of cases, these incidents involved printed documents.

  • Insider misuse (24 percent)

This category covers situations when employees (or former employees) with access rights use their privileges to access data, either in person or across the network. With the right credentials, a person can easily copy files to a USB drive without anyone noticing. Campus units can mitigate insider misuse by regularly reviewing access privileges, assigning access on a least-privilege basis and promptly revoking access for those who change jobs or leave the organization.

  • Crimeware (21 percent)

Human behavior is a factor in the success of cyber attacks — if users refrained from clicking on links, opening unfamiliar attachments or typing NinerNet passwords into untrusted websites, attackers would have a much harder time.

  • Theft/loss (19 percent)

Employees are not just making mistakes with data but with assets that hold data, too. Staff members should be trained on proper asset disposal procedures: not only paper documents and computers, but USB drives, CDs, DVDs and any other media that can store university data.

With regard to internal controls, York explained University Policy 804 Standards of Ethical Conduct defines expectations for employees.

In part, the policy states “Internal controls are the processes employed to help ensure that the University's business is carried out in accordance with these standards, University policies and procedures, applicable laws and sound business practices. They help to promote efficient operations, accurate financial reporting, protection of assets and responsible fiscal management. All members of the University community are responsible for internal controls. Each business unit or department head is specifically responsible for ensuring that internal controls are established, properly documented and maintained with respect to activities within their jurisdiction. Any individual entrusted with funds, including principal investigators, is responsible for ensuring that adequate internal controls exist over the use and accountability of such funds.”

York stated that these controls can be preventive, such as requiring NinerNet credentials to access University IT resources, which prevents unauthorized access, or detective, such as the review and approval of purchase card transactions that detects unauthorized activity.

“Controls are not perfect and absolute. They can be defeated by errors in judgment, management overrides and collusion,” said York. “Good controls promote good performance, performance that meets standards, and performance that achieves unit objectives. Management at all levels must understand and require adherence to our structure of internal controls.”

Fraud detection and mitigation comprise the third key area for year-round campus awareness. The Association of Certified Fraud Examiners publishes a Report to the Nations on Occupational Abuse every two years.

York stated this report studied thousands of fraud cases from around the world, and the research consistently showed that the median length of a fraud case prior to detection is 18 months.

And the most likely detection method? In 42 percent of the cases, it was a tip, with tips from employees (49 percent) as the leading source.

The report also noted that the vast majority of occupational fraudsters are first-time offenders; only 5 percent had been convicted of a fraud-related offense prior to committing the crimes reported. Furthermore, 82 percent of fraudsters had never been punished previously or terminated by an employer for fraud-related conduct.

“So what can we do to detect and mitigate our risk of fraud? The major fraud cases that we have worked at UNC Charlotte could have been exposed sooner had a supervisor checked more closely and asked one or two more questions,” said York.

Other recommended fraud controls are:

  • Appropriately separating key duties and tasks among several staff members
  • Regularly reconciling financial transactions and reviewing for proper documentation
  • Training staff on the warning signs or “red flags” of possible fraudulent behavior
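The insider-misuse mitigations above (periodic access reviews, least-privilege assignment, prompt revocation on separation) and the first fraud control (separating key duties) are both things a unit can check mechanically rather than by memory. The following script is an added illustration, not code from the article, from UNC Charlotte or from Internal Audit; the HR roster, account export, role baseline and separation-of-duties rules are all constructed, and every user, role and entitlement name is hypothetical. It reconciles a system's account export against the HR roster and reports accounts with no active owner, entitlements beyond the owner's role baseline, users holding conflicting duties, and accounts that have not been used recently.

```python
"""Periodic access review: orphaned accounts, excess privileges,
separation-of-duties conflicts and stale accounts.
Added example; all data below is constructed and every name is hypothetical."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    status: str                      # "active" or "terminated"
    separation_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    user_id: str
    entitlements: frozenset          # privileges held in the finance system
    last_login: date


# Constructed HR roster (hypothetical people and roles)
ROSTER: Dict[str, Employee] = {
    "alice": Employee("alice", "ap_clerk", "active"),
    "bob": Employee("bob", "ap_supervisor", "active"),
    "carol": Employee("carol", "grant_admin", "terminated", date(2014, 4, 30)),
    "dave": Employee("dave", "ap_clerk", "active"),
}

# Constructed account export from a hypothetical finance system
ACCOUNTS: List[Account] = [
    Account("alice", frozenset({"vendor.create", "invoice.enter"}), date(2014, 5, 27)),
    Account("bob", frozenset({"invoice.approve", "pcard.review"}), date(2014, 5, 26)),
    # still logging in after her separation date: access was never revoked
    Account("carol", frozenset({"grant.budget.edit"}), date(2014, 5, 20)),
    # a clerk who was also granted approval rights "temporarily"
    Account("dave", frozenset({"vendor.create", "invoice.enter", "invoice.approve"}), date(2014, 5, 27)),
    # no matching HR record and no recent use
    Account("svc_legacy", frozenset({"pcard.review"}), date(2013, 1, 15)),
]

# Least-privilege baseline: the entitlements each role is allowed to hold
ROLE_BASELINE: Dict[str, Set[str]] = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_supervisor": {"invoice.approve", "pcard.review"},
    "grant_admin": {"grant.budget.edit"},
}

# Separation-of-duties rules: no single person should hold both
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("vendor.create", "invoice.approve"),
    ("invoice.enter", "invoice.approve"),
]


def find_orphaned_accounts(accounts, roster):
    """Accounts whose owner is absent from HR or no longer active (revocation check)."""
    findings = []
    for acct in accounts:
        emp = roster.get(acct.user_id)
        if emp is None:
            findings.append((acct.user_id, "no HR record"))
        elif emp.status != "active":
            findings.append((acct.user_id, f"separated {emp.separation_date.isoformat()}"))
    return findings


def find_excess_privileges(accounts, roster, baseline):
    """Entitlements beyond the owner's role baseline (least-privilege check)."""
    findings = []
    for acct in accounts:
        emp = roster.get(acct.user_id)
        if emp is None or emp.status != "active":
            continue                 # already reported as orphaned
        extra = set(acct.entitlements) - baseline.get(emp.role, set())
        if extra:
            findings.append((acct.user_id, sorted(extra)))
    return findings


def find_sod_conflicts(accounts, conflicts):
    """Users holding both halves of a conflicting duty pair."""
    return [(acct.user_id, (a, b)) for acct in accounts
            for a, b in conflicts if a in acct.entitlements and b in acct.entitlements]


def find_stale_accounts(accounts, as_of, max_idle_days=90):
    """Accounts unused for longer than max_idle_days; candidates for removal."""
    return [(acct.user_id, (as_of - acct.last_login).days) for acct in accounts
            if (as_of - acct.last_login).days > max_idle_days]


def run_access_review(accounts=ACCOUNTS, roster=ROSTER, baseline=ROLE_BASELINE,
                      conflicts=SOD_CONFLICTS, as_of=date(2014, 5, 28)):
    """Run every check and return the findings for the reviewer to act on."""
    return {
        "orphaned": find_orphaned_accounts(accounts, roster),
        "excess": find_excess_privileges(accounts, roster, baseline),
        "sod": find_sod_conflicts(accounts, conflicts),
        "stale": find_stale_accounts(accounts, as_of),
    }


if __name__ == "__main__":
    for category, items in run_access_review().items():
        print(category, items)
```

Each finding maps directly to one of the controls in the article: an orphaned account is a revocation that was missed, an excess entitlement is a departure from least privilege, a separation-of-duties conflict is one person able to both create and approve a transaction, and a stale account is an access right nobody is reviewing. Running a review like this on a schedule, and having a supervisor sign off on each finding, is the "checked more closely and asked one or two more questions" step York describes.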

“We in the Internal Audit Department would like to thank our campus clients and customers for their support not only during Internal Audit Awareness Month but throughout the year,” York said. “We realize that we may not be your most favorite visitor, but we do appreciate the cooperation that we receive when we come around. Internal audit is ready to help you assess your current internal controls, present training and share some ideas on process improvements.”

For more information visit the internal audit website, email Internal_Audit@uncc.edu or stop by the department offices, located on the third floor of Cato Hall.