April 2015 MSADA Auto Dealer


Accounting


Trust But Verify: Is Your IT Staff Stealing from You?

By Michael Hammond

Joining the firm in 2012, Michael is the Director of IT Audit Services at O’Connor & Drew, P.C. Michael has twenty years of extensive Information Technology expertise in various disciplines, including operations, control design, and testing.

In the digital age, where competitive advantage can come from strong technology, your IT infrastructure is, more than ever, one of the most critical components to growing and supporting your business. But how much do you really know about what it takes to run it and who you have entrusted to maintain it for you?

If you are not a technology company, it is wise to leave the Information Technology to the experts, but it is still part of your business. Therefore, you need to ensure that you are managing it with every bit of the rigor with which you manage the rest of your business, and that you understand the basics of how it should operate, its expenses, and its operating costs.

Just as there is financial fraud, there can be fraud in your IT environment as well. Some common IT fraud risks to consider:

• Is your IT staff buying hardware or software and reselling it on auction sites?
• Is your IT staff buying hardware or software and returning it to the vendor in the form of cash or credit?
• Does your controller know the difference between a Cisco ASA 5505 and a Cisco ASA 5585? (By the way, the difference could be over $180,000!)

• Have you recently purchased a large number of IT assets and thought to yourself, why do we need 25 MS CALs and just what do they actually do?
• Is staff piggybacking on your technology resources for personal use? Are they buying an “extra” computer and taking it home?

IT fraud risks are not restricted to IT staff as the perpetrators; even some computer-savvy employees within your company can be stealing your assets:

• Running personal or seedy websites from within your network. You may not notice the website being hosted from within your network, but you may notice unexplained slowness despite IT purchasing increasing levels of bandwidth.
• Using your Internet connection to host their own email or file sharing server. Peer-to-Peer file sharing still exists and, despite the cost of storage being cheaper than ever, it can cost you money. To compound the storage cost, they may even be using your network as the repository to house these illegal files.

Another critical area of fraud in your IT environment relates to the security of your information. Secure asset disposition is critical to the protection of data at rest through the end of its lifecycle. You rely on your IT staff to remove obsolete hardware, but are you retaining “death certificates” of the destroyed hard drives? Data that remains on those hard drives could contain confidential company information, or worse, Federal or state regulated personal sensitive information. Your IT staff may think that they are helping the company by saving a few dollars by not destroying the drives, and who doesn’t need a little more hard disk space at home, but this practice can cause serious harm to your organization.

Finally, are you getting the service that you pay for from your IT vendors?


• Businesses rely on the knowledge that an outside vendor brings to the table. But unless you are educated and knowledgeable about IT, how do you know if your vendor is charging you for the services that they did actually perform?
• Implementing and fixing technology-related portions of your business can often take longer than expected. Company management often expects software to perform correctly straight out of the box, but more often a custom configuration is needed to get the functionality that you desire. To achieve this, qualified IT professionals are hired and the hours can quickly add up, but are those hours realistic? Would you know how to verify an estimate?

To mitigate IT fraud risk there are many layers of controls. The first is to allow your controller to obtain the training needed to accurately understand requests for IT purchases and how to reconcile purchase orders against invoices. The next best control point to reduce IT asset fraud is to capture a reasonably accurate IT asset inventory at the time of purchase. After the purchase, perform an audit of your IT assets, both hardware and software. Annually, reconcile the list of devices against purchase orders. There are automated asset management products on the market that can assist in performing this function, or consider a manual review yearly as part of your continuous IT monitoring program.

Information Technology is a business enabler. Don’t let IT fraud diminish its value or your bottom line.

If you have any questions about IT fraud risk or IT security in general, feel free to contact O’Connor & Drew, P.C. at (617) 471-1120 or Michael Hammond at mhammond@ocd.com.
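The reconciliation controls described above (purchase orders against invoices, devices against purchase orders, and certificates for destroyed drives) can be scripted. The following Python sketch is an added example, not part of the original article; the record layouts, PO numbers and serial numbers are constructed, and it assumes every disposed asset should have a drive destruction certificate on file.

```python
from collections import Counter

# Constructed sample records (assumed layouts, not from the article).
PURCHASE_ORDERS = [{"po": "PO-1001", "model": "Cisco ASA 5585", "qty": 1},
                   {"po": "PO-1002", "model": "Laptop", "qty": 3}]
INVOICES = [{"po": "PO-1001", "model": "Cisco ASA 5505", "qty": 1},
            {"po": "PO-1002", "model": "Laptop", "qty": 3}]
INVENTORY = [
    {"serial": "SN-A1", "po": "PO-1001", "model": "Cisco ASA 5505", "status": "in_use"},
    {"serial": "SN-L1", "po": "PO-1002", "model": "Laptop", "status": "in_use"},
    {"serial": "SN-L2", "po": "PO-1002", "model": "Laptop", "status": "disposed"},
    {"serial": "SN-X9", "po": None, "model": "Server", "status": "in_use"},
]
DESTRUCTION_CERTS = set()  # serials with a drive "death certificate" on file


def tally(lines):
    """Sum quantities per (PO number, model)."""
    totals = Counter()
    for line in lines:
        totals[(line["po"], line["model"])] += line["qty"]
    return totals


def reconcile(pos, invoices, inventory, certs):
    """Return (finding, reference, model) tuples for a reviewer to follow up."""
    findings = []
    ordered, invoiced = tally(pos), tally(invoices)
    on_hand = Counter((a["po"], a["model"]) for a in inventory if a["po"])
    # 1. What was invoiced must match what was ordered, model for model.
    for po, model in sorted(set(ordered) | set(invoiced)):
        if ordered[(po, model)] != invoiced[(po, model)]:
            findings.append(("PO_INVOICE_MISMATCH", po, model))
    # 2. Everything ordered should appear in the asset inventory.
    for (po, model), qty in sorted(ordered.items()):
        if on_hand[(po, model)] < qty:
            findings.append(("NOT_IN_INVENTORY", po, model))
    # 3. Every asset needs a purchase record; disposed ones need a certificate.
    known_pos = {po for po, _ in ordered}
    for asset in inventory:
        if asset["po"] not in known_pos:
            findings.append(("NO_PURCHASE_RECORD", asset["serial"], asset["model"]))
        if asset["status"] == "disposed" and asset["serial"] not in certs:
            findings.append(("NO_DESTRUCTION_CERT", asset["serial"], asset["model"]))
    return findings


if __name__ == "__main__":
    for finding in reconcile(PURCHASE_ORDERS, INVOICES, INVENTORY, DESTRUCTION_CERTS):
        print(finding)
```

A finding is a prompt for a question, not proof of fraud: a mismatch may be a substitution the vendor documented elsewhere, so each one should be traced back to the paperwork.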


April 2015 MSADA Auto Dealer by Massachusetts State Automobile Dealers Association, Inc - Issuu