Information Technology and Security

Technology is something of a double-edged sword. Its complexity often gives fraudsters both a tool to perpetrate a fraud and a way of hiding a fraud that’s been committed. Sometimes, it gives the fraudster a place to hide.

Often, our unquestioning reliance on computers leads us to overlook fraud when it takes place. To be fair, however, technology also puts at our disposal ways of detecting fraud that would have been unthinkable a generation ago. In IT, as in other areas, it must nonetheless be conceded that fraudsters are often a step or two ahead of those trying to prevent fraud.

Information technology fraud takes many forms, most of which are difficult to detect. We limit our coverage here to the IT fraud risks, red flags and best practices that directly pertain to governments.

With computer-generated payroll and direct deposit, the old control of handing paychecks to employees in person (which exposed ghost employees because nobody came to collect their checks) is a thing of the past: employees in remote locations, including ghost employees, are paid automatically.
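The loss of that in-person control can be partly replaced by screening each payroll run before it is released. The following is an added example, not part of the original page and not any government's system: it runs a constructed HR roster and a constructed direct-deposit run (sample data invented here, with assumed field names) through checks for the classic ghost-employee indicators, namely deposits for an id with no HR record, deposits after an employee's separation date, gross pay with no withholding, and one bank account receiving deposits for more than one employee id.

```python
"""Screening a direct-deposit payroll run for ghost-employee indicators."""
from collections import defaultdict
from datetime import date

# Constructed HR roster (sample data, not a real system's format):
# employee id -> (name, status, separation date or None)
HR_ROSTER = {
    "E100": ("A. Rivera", "active", None),
    "E101": ("B. Chen", "active", None),
    "E102": ("C. Okafor", "separated", date(2023, 11, 30)),
    "E103": ("D. Patel", "active", None),
}

# Constructed payroll run: one direct deposit per record, all on one pay date.
PAY_DATE = date(2024, 1, 15)
PAYROLL_RUN = [
    {"emp_id": "E100", "gross": 3200.00, "withholding": 640.00, "routing": "011000015", "account": "55512345"},
    {"emp_id": "E101", "gross": 2900.00, "withholding": 580.00, "routing": "011000015", "account": "55598765"},
    # separated in November, still being paid
    {"emp_id": "E102", "gross": 3100.00, "withholding": 620.00, "routing": "011000015", "account": "55511111"},
    # deposits to the same bank account as E100
    {"emp_id": "E103", "gross": 3000.00, "withholding": 600.00, "routing": "011000015", "account": "55512345"},
    # no HR record and no withholding
    {"emp_id": "E999", "gross": 2500.00, "withholding": 0.00, "routing": "011000015", "account": "55500000"},
]


def screen_payroll(run, roster, pay_date):
    """Return (emp_id, reason) findings for a payroll run.

    Indicators checked:
      - employee id has no HR record
      - employee separated before the pay date
      - nonzero gross pay with zero withholding
      - one routing/account number receiving deposits for several ids
    """
    findings = []
    deposits_by_account = defaultdict(set)
    for rec in run:
        emp = rec["emp_id"]
        hr = roster.get(emp)
        if hr is None:
            findings.append((emp, "no HR record"))
        else:
            _name, status, separated_on = hr
            if status == "separated" and separated_on is not None and separated_on < pay_date:
                findings.append((emp, f"paid after separation on {separated_on.isoformat()}"))
        if rec["gross"] > 0 and rec["withholding"] == 0:
            findings.append((emp, "no withholding"))
        deposits_by_account[(rec["routing"], rec["account"])].add(emp)

    # A bank account shared by several employee ids is the strongest single indicator.
    for (routing, account), emps in deposits_by_account.items():
        if len(emps) > 1:
            for emp in sorted(emps):
                others = sorted(emps - {emp})
                findings.append((emp, f"account {routing}/{account} shared with {others}"))
    return findings


if __name__ == "__main__":
    for emp, reason in screen_payroll(PAYROLL_RUN, HR_ROSTER, PAY_DATE):
        print(f"{emp}: {reason}")
```

Each finding is an indicator to investigate, not proof of fraud: a shared account may belong to two employees in one household, and zero withholding may be a legitimate exemption. The value of the check is that it is cheap to run on every pay cycle and does not depend on anyone turning up to collect a paycheck.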

Not so long ago, issuing a warrant to a vendor meant generating a piece of paper. That paper took time to process, required a physical endorsement, and had to be physically altered to redirect it to a payee other than the one for whom it was intended. Electronic payments remove every one of those obstacles: redirecting an electronic payment requires nothing more than changing the payee's bank details in the system, with no document to alter, endorse or intercept.

In the area of software development, time records may be overstated. Faulty or incomplete specifications may lead to unwarranted additional charges. Programmers may purposely leave vulnerabilities (backdoors) in the software that allow them to later siphon off funds or gain access to confidential information.
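A planted vulnerability of that kind is hard to spot in a large code base precisely because it looks like an ordinary branch. The following is an added, hypothetical illustration, not code from the original page or from any real system: a disbursement-approval routine with a planted bypass keyed to a made-up payee id, the same routine written so that the control cannot depend on the payee, and a property check an independent reviewer could run against either version. The approval threshold, the payee ids and the function names are all assumptions.

```python
"""A planted approval bypass next to a hardened routine, plus a property check."""

DUAL_APPROVAL_THRESHOLD = 5000.00  # assumed policy: two distinct approvers above this amount


def approve_disbursement_backdoored(amount, payee_id, approvers):
    """Vulnerable form (hypothetical): the developer inserted an exception for a
    payee id they control, so that payee is never subject to dual approval."""
    if payee_id == "VEND-7731":  # planted bypass; the id is invented for this example
        return True
    if amount > DUAL_APPROVAL_THRESHOLD:
        return len(set(approvers)) >= 2
    return len(approvers) >= 1


def approve_disbursement(amount, payee_id, approvers):
    """Hardened form: the decision depends only on the amount and on the number
    of distinct approvers. The payee is still passed in (for logging), but no
    branch in the control path depends on it."""
    distinct_approvers = {a for a in approvers if a}
    required = 2 if amount > DUAL_APPROVAL_THRESHOLD else 1
    return len(distinct_approvers) >= required


def payees_bypassing_dual_approval(decide, payees, amount=DUAL_APPROVAL_THRESHOLD + 1):
    """Property check for an independent reviewer: with a single approver and an
    above-threshold amount, no payee may be approved. Returns the payees for
    which `decide` approves anyway; an empty list means the control held."""
    return [p for p in payees if decide(amount, p, ["approver-a"])]


if __name__ == "__main__":
    vendor_master = ["VEND-0001", "VEND-0002", "VEND-7731"]  # constructed sample
    print("backdoored:", payees_bypassing_dual_approval(approve_disbursement_backdoored, vendor_master))
    print("hardened:  ", payees_bypassing_dual_approval(approve_disbursement, vendor_master))
```

Two caveats. The sweep only finds a bypass whose trigger is in the payee list it is given, so it should run over the entire vendor master rather than a sample, and it cannot see a trigger keyed to something else, such as a date or a user id. Structural review closes that gap: a control decision should be expressible as a function of the transaction's amount and approvals alone, and any branch on payee identity in that path is a finding in code review whether or not a test reached it. Keeping developers out of production and having someone other than the author review every change are the controls that give the test a chance.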

With some of the traditional fraud detection methods no longer effective, preventive internal controls become increasingly important.

Risks, Red Flags and Best Practices

Risk: General Guidance

Information technology has proven itself to be a double-edged sword. On one side, it has enabled us to store, use and examine more information than one would have thought possible just a few decades before. On the other side, it has enabled fraudsters to use its strengths (and its weaknesses) to their own illicit ends.

Best practices: consult the following control frameworks and questionnaires:

National Association of State Comptrollers (NASC) Control Questionnaire for Information Systems and Technology

COBIT Overview from ISACA

ISACA Home Page

US Government Accountability Office: Federal Information System Controls Audit Manual (FISCAM)

Risk: Logical Access

Red flags:

Anyone can see all electronic information.

Users can access data they should not be able to view.

Monitors display sensitive information while employees are away from their work area.

Passwords can be obtained easily from the issuing source (for example, a help desk that hands out or resets passwords without verifying the requester's identity).

Best practices:

Encrypt sensitive data.

Review user access roles for appropriateness and update them when duties change.

Terminate access immediately when employees leave service.

Require session timeouts.

Require passwords to mix letters, numbers and special characters.

Require periodic changes. (Current federal guidance, NIST SP 800-63B, no longer recommends forcing changes on a fixed schedule and instead calls for a change whenever compromise is known or suspected; where rotation is required, pair it with reuse prevention so that it does not degrade into cycling through a few variants.)

Do not allow a previously used password to be reused.
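The access-review and termination practices above are easiest to enforce when they are mechanical. The following is an added example, not from the original page and not any vendor's product: a periodic review that compares an account export from a financial system against the HR roster and a least-privilege baseline of roles per job title, flagging accounts with no HR record, accounts still enabled after separation, roles beyond what the current job needs (typically left over from a transfer), and dormant accounts. The roster, accounts, role names, titles and the 90-day dormancy window are all constructed assumptions.

```python
"""Periodic logical-access review of system accounts against the HR roster."""
from datetime import date

# Assumed least-privilege baseline: roles permitted for each job title.
ROLES_BY_TITLE = {
    "AP Clerk": {"ap_entry"},
    "AP Supervisor": {"ap_entry", "ap_approve"},
    "Payroll Analyst": {"payroll_view"},
}

# Constructed HR roster: employee id -> (current title, status, separation date)
ROSTER = {
    "E100": ("AP Clerk", "active", None),
    "E101": ("AP Supervisor", "active", None),
    "E102": ("Payroll Analyst", "separated", date(2024, 2, 29)),
    "E103": ("Payroll Analyst", "active", None),  # transferred from AP Supervisor
}

# Constructed account export from the financial system (sample data).
ACCOUNTS = [
    {"emp_id": "E100", "enabled": True, "roles": {"ap_entry"}, "last_login": date(2024, 3, 28)},
    {"emp_id": "E101", "enabled": True, "roles": {"ap_entry", "ap_approve"}, "last_login": date(2024, 3, 29)},
    # separated on Feb 29 and logged in afterwards: access was never terminated
    {"emp_id": "E102", "enabled": True, "roles": {"payroll_view"}, "last_login": date(2024, 3, 1)},
    # kept ap_approve after the transfer and has not logged in for months
    {"emp_id": "E103", "enabled": True, "roles": {"payroll_view", "ap_approve"}, "last_login": date(2023, 11, 1)},
    # no matching HR record at all
    {"emp_id": "X001", "enabled": True, "roles": {"ap_approve"}, "last_login": None},
]

REVIEW_DATE = date(2024, 4, 1)  # assumed date of this review cycle


def review_access(accounts, roster, roles_by_title, as_of, dormant_days=90):
    """Return (emp_id, reason) findings for enabled accounts.

    Checks: no HR record; still enabled after separation; roles beyond the
    baseline for the current title; no login within dormant_days.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        emp = acct["emp_id"]
        hr = roster.get(emp)
        if hr is None:
            findings.append((emp, "enabled account with no HR record"))
            continue
        title, status, separated_on = hr
        if status == "separated":
            findings.append((emp, f"still enabled after separation on {separated_on.isoformat()}"))
        excess = acct["roles"] - roles_by_title.get(title, set())
        if excess:
            findings.append((emp, f"roles beyond {title}: {sorted(excess)}"))
        last = acct["last_login"]
        if last is None or (as_of - last).days > dormant_days:
            findings.append((emp, f"no login in {dormant_days} days"))
    return findings


def run_review():
    """Run the review over the constructed data as of REVIEW_DATE."""
    return review_access(ACCOUNTS, ROSTER, ROLES_BY_TITLE, REVIEW_DATE)


if __name__ == "__main__":
    for emp, reason in run_review():
        print(f"{emp}: {reason}")
```

The findings are what the reviewer signs off on: the separated employee's account is disabled, the transferred employee loses the role that belonged to the old job, the unmatched id is traced to an owner or removed, and dormant accounts are disabled until their owners ask for them back. Running the comparison on a schedule, and again on the day HR records a separation, is what makes "terminate access immediately" achievable in practice.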

Risk: Physical Access

Red flags:

Easy access to equipment.

Laptops and USB devices are not monitored.

Cleaning crews and visitors can take sensitive documents from workstations.

Photocopiers and scanners retain digital images of sensitive data on their internal storage.

Best practices:

Lock server rooms.

Have a sign-out process for portable equipment.

Encrypt devices.

Identify work areas that need to lock documents away on nights and weekends.

Limit access to removable media.

Risk: Theft of Personally Identifiable Information (PII)

Red flags:

Lack of controls over physical access to IT equipment and logical access to systems.

Best practices:

Establish protocols, with department head approval, for physical and logical access to information systems and for the protection of any Personally Identifiable Information (PII).

State and local governments should consider using the same data requirements that the federal government uses for outside vendors:

Risk: Theft or Misuse of IT Inventory

Red flags:

Lack of periodic inventory.

Best practices:

Encrypt laptops and USB devices, and scan them for improper files before and after each use.