Audit & Advisory Services Newsletter - Volume 23

"Spring Cleaning" Ideas and Tips for Closing the Fiscal Year

As we move through Spring and FY24 concludes, we are reminded of the importance of conducting a “Spring Cleaning” for our work lives. This edition of the Audit & Advisory Services (A&AS) Newsletter focuses on best practices and helpful hints for going through the metaphorical garages & closets that exist in our departments, both physical and virtual, to clean out, update or purge our systems, applications, records, and data. We encourage supervisors and managers to check access to accounts and chart strings, look for and remove employees who have retired, transferred, or changed roles. We conclude this issue with current news stories showing what can happen when we fail to do these chores.

As a reminder, A&AS is here to serve the UCSF community by doing audits, advisories and consultation on risks and internal controls. We also conduct training at the department level on preventing, detecting, and deterring fraud and other risks. For more information on setting up a consultation or training for your department contact [email protected]. For other fraud-related information and links to our anti-fraud webinars/trainings go to Fraudprevention.ucsf.edu.

A house can only be clean if all the members make efforts in this regard. It is not a solo undertaking but requires joint collaboration.

Unknown

Q&A With Interim Senior Vice President & Chief Financial Officer for UCSF Health

Jim Wentz, the interim financial leader at UCSF Health, has over 30 years of experience in health system finance and operations, and we value his insights on fraud and what he has learned over the years. We were excited to sit down with him to discuss this important topic.

Q: When you hear (or read) about fraud cases like the ones listed below, what goes through your mind?

A: 99.9% of employees want to do the right thing and are here to support our mission. We all want to assume good intent of the people we work with, but it only takes a small number of bad actors to do harm to the Organization.  All types of employees in all types of different jobs have committed fraud.   Some are brand new employees, but just as many are trusted individuals that have longevity in the Organization and who are seen as being beyond reproach. I want to make sure we have the correct processes and controls in place to prevent this from occurring. 

Q: As the Interim SVP & CFO for UCSF Health, what is your biggest fear (or fears) in regard to fraud?

A: I worry the most about hackers and bad actors getting control of our Electronic Health Record (EHR). The EHR is the life blood of any Health Care Organization.  If it’s compromised, it not only has huge financial ramifications, but impacts our quality of care and our ability to provide care.

Q: In any of your prior jobs did you ever experience fraud and what did you learn from that/those experience/experiences?

A: Yes, at a prior organization we were billed by contractors for work not performed and in another instance we were billed repeatedly for the same work. Both instances could have been prevented through the invoice approval process.  Most organizations have controls in place whereby multiple levels/individuals sign off on invoices.  In these instances, the controls were in place, but the fraud occurred because the individuals signing off on the invoices didn’t really know what they were signing.  They weren’t intentionally a part of the fraud, but they allowed it to happen because they didn’t do their due diligence before signing off for approval.

Q: What is your message on fraud to the readers of this newsletter?

A: Know what you are signing.  Ask questions. If something doesn’t seem right, it probably isn’t. Don’t assume everything you are being asked to sign is correct.  Don’t assume it’s ok if you see someone in an area where they don’t belong or asking for information they normally wouldn’t need to do their job. Be observant; it’s ok to ask questions or escalate potential issues to your supervisor.  Also, if you aren’t sure your area has the right controls in place, ask our internal auditors, they have an advisory/consultation function in place that can help.


Resources and Requirements for Records Management and Retention

The university creates, gathers, and maintains operational and historic records of its activities in compliance with federal and state laws and regulations as well as university policy. The University of California Records Management Program establishes policy and provides guidelines for best practice lifecycle management of university records.

The Records Retention Schedule formalizes the decisions on retention periods and provides guidance for all University departments and offices in administering the retention or disposition of their records. The Manual (an online searchable database) contains disposition schedules for records classified by functions. Retention does not apply only to paper records, but to electronic records too. This means it is necessary to erase certain computer files, including emails, over time, or they too will be discoverable.

Compliance with the records retention schedule is crucial for avoiding legal risks and maintaining operational efficiency. Proper records management safeguards against data breaches, supports data integrity, and ensures we uphold the trust of our clients and stakeholders.


Review Access for Systems, Applications and Data

With our organization and operations heavily dependent on diverse systems, applications, and data, user access management can become challenging and cumbersome.  However, inadequate management can expose the organization to unauthorized access, leading to significant financial losses, system disruptions, and reputational harm. Therefore, it is crucial to periodically perform user access reviews to ensure that only authorized personnel have access to systems and data.  Here is what you can do to perform user access reviews:

  • Review your user accounts and passwords to ensure that they are properly secured (https://it.ucsf.edu/how-to/manage-your-ucsf-password).
  • If you are a manager/supervisor, review accounts created for users within your responsible department/unit/group to verify that the access permitted to each user aligns with their assigned roles/responsibilities, and adjust user access permissions accordingly.
  • Be sure to include all areas where user access was individually granted, including departmental/shared servers, Box folders, and individual applications/databases (whether centrally or departmentally managed), in the reviews.
  • Review privileged, service, and functional accounts created/used for your department/unit/group to ensure they are still in use and properly managed. (For the definition and requirements for “privileged, service, and functional accounts”, please see the UC Account and Authentication Management Standard: https://security.ucop.edu/files/documents/policies/account-and-authentication-management-standard.pdf)
  • Delete any inactive or unnecessary accounts. Pay particular attention to accounts created for (or service/functional accounts used by) users who have separated or transferred.
  • Use strong passwords if University password policy requirements are not enforced (https://it.ucsf.edu/standard-guideline/unified-ucsf-enterprise-password-standard).
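The review steps above boil down to reconciling an access export against the HR roster and a role policy. The script below is an added example (not UCSF or A&AS code) that does that reconciliation over constructed sample data: it flags active accounts belonging to separated or unknown users, entitlements a job role is not permitted to hold, service accounts with no active owner, and accounts with no login inside a stale window. The account export format, the roster, the role-to-entitlement policy and the 90-day threshold are all assumptions for the illustration.

```python
from datetime import date

# Constructed sample access export, one row per account on a system.
# (username, system, entitlement, account_type, owner, last_login)
ACCOUNTS = [
    ("alee",       "shared-server", "admin",    "user",    None,     date(2024, 5, 20)),
    ("bkumar",     "box-finance",   "editor",   "user",    None,     date(2023, 11, 2)),
    ("cjones",     "grants-db",     "approver", "user",    None,     date(2024, 6, 1)),
    ("dsmith",     "grants-db",     "read",     "user",    None,     date(2024, 6, 3)),
    ("svc-backup", "shared-server", "admin",    "service", None,     date(2024, 6, 2)),
    ("svc-etl",    "grants-db",     "read",     "service", "dsmith", date(2024, 6, 4)),
]

# Constructed HR roster: username -> (employment status, job role).
ROSTER = {
    "alee":   ("active", "sysadmin"),
    "bkumar": ("separated", "analyst"),
    "cjones": ("active", "analyst"),   # an analyst should not hold "approver"
    "dsmith": ("active", "analyst"),
}

# Hypothetical role policy: which entitlements each job role may hold.
ALLOWED = {
    "sysadmin": {"admin", "editor", "read"},
    "analyst":  {"editor", "read"},
}

REVIEW_DATE = date(2024, 6, 30)   # assumed fiscal-year-end review date
STALE_DAYS = 90                   # assumed inactivity threshold


def review_access(accounts, roster, allowed, review_date, stale_days=STALE_DAYS):
    """Return a sorted list of (username, system, issue) findings for a reviewer."""
    findings = []
    for username, system, entitlement, acct_type, owner, last_login in accounts:
        if acct_type == "service":
            # Service/functional accounts need a current, active human owner.
            if owner is None:
                findings.append((username, system, "service-account-without-owner"))
            elif roster.get(owner, ("unknown", None))[0] != "active":
                findings.append((username, system, "service-account-owner-not-active"))
        else:
            status, job_role = roster.get(username, ("unknown", None))
            if status != "active":
                # Separated, transferred-out or unknown users must not keep access.
                findings.append((username, system, f"{status}-user-active-account"))
            elif entitlement not in allowed.get(job_role, set()):
                # Access granted does not match the user's assigned role.
                findings.append((username, system, "entitlement-not-permitted-for-role"))
        # Applies to every account type: no recent login suggests it is no longer needed.
        if last_login is None or (review_date - last_login).days > stale_days:
            findings.append((username, system, "no-login-within-stale-window"))
    return sorted(findings)


if __name__ == "__main__":
    for username, system, issue in review_access(ACCOUNTS, ROSTER, ALLOWED, REVIEW_DATE):
        print(f"{username:12} {system:14} {issue}")
```

A finding is a prompt for the manager to act (remove, re-assign or document an exception), not an automatic deletion; the point is that each bullet in the list above becomes a check that can be rerun every quarter against a fresh export.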


Records Management Refresher

Got ROT? Tired of sifting through your email, share drives, and Box folders looking for an important record? Now is a great time to review, retain, and purge your administrative records and information according to University policy requirements...and to get rid of ROT (redundant, old, or trivial) documents! Everyone at the University who handles administrative records is responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of these records, in accordance with relevant law and University policy and practice.

How long should a record be kept? The UC Records Retention Schedule knows. Check the UC Records Retention Schedule (UC RRS) for the category of record and look at the “Retention Period” column. Effective records and information management can help ensure better regulatory compliance, reduce risk, and streamline searches when you and your teammates need to find something quickly.

Your unit has transitioned to a paperless environment, so you’re covered, right? Nope! The UC RRS is media neutral, which means it doesn’t matter whether a record is paper or electronic. It’s just as important to go through the same exercise with your digital files. Go through your email account, share drives, Box folders, and DocuSign completed queue.

What is a record? If it documents a decision, it’s a record.  A non-record is material that is of immediate value only. It may be a copy of a record or a document with short term value. These materials can be disposed of as soon as they are no longer needed. The term “administrative record” is used to describe any record that documents or contains valuable information related to the organization, functions, policies, decisions, procedures, operations, or other business activities of the university. For more information, see UC RMP-2.

Where to begin? Here are a few basic elements to maintaining records and information:

  • Inventory your information
  • Determine the best storage place
  • Create procedure and protocol for access and destruction
  • Identify and adhere to a taxonomy and file name structure
  • Schedule regular and routine review and disposition, following the UC RRS.
  • Communicate to teammates

Have questions? Please write to [email protected].


Fraud Case Study 1: Verification of Goods & Services Would Have Prevented Fraud

Multiple insiders were involved in a conspiracy to commit fraud at Tuskegee University.

  • Ten people were indicted on charges of Conspiracy to Commit Theft of Federal Grant Funds. One conspirator, a Purchasing Manager, created fake Purchase Orders (POs) that were sent to a conspirator who worked in Accounts Payable. This person approved and entered the POs into the accounting system, causing checks to be issued. A third conspirator signed the checks, while a fourth assigned federal grant codes confirming sufficient funds were available to cover the checks. The checks were sent to non-university employees who cashed them and shared the proceeds with the group.
  • The scheme illustrates the need for principal investigators/award administrators to independently verify charges to their federal grants.

https://www.al.com/news/2024/05/10-accused-of-conspiracy-in-theft-of-money-from-tuskegee-university.html


Fraud Case Study 2: Fraudster Bypasses Internal Controls and Uses Fear Tactics

An Arizona State University (ASU) employee bypassed procurement controls.

  • Auditors uncovered evidence that an IT Manager embezzled nearly $125,000 through misuse of a Purchase Card (P-Card) to buy personal items (Christmas trees, gaming consoles, smart watches, and gift cards) by forging receipts, lying on expense reports, and bypassing internal controls. The audit report said that appropriate policies and procedures were in place, but transaction approvers allowed the employee to bypass controls when he claimed that normal procurement took too long and he had “an immediate need to support senior leaders.”
  • This scheme shows how fraudsters will use exceptions to normal procurement methods, prey on fears, and avoid any added review of their transactions.
  • The end of FY24 is a great time for supervisors/managers to review purchases made with P-Cards and other procurement methods (BearBuy, AllScripts or Office Depot) and confirm there was a clear business purpose (to buy Christmas trees?). Did the purchaser have correct access to the accounts used, and can we account for the ordered items?

https://kjzz.org/content/1865367/former-asu-employee-indicted-theft-fraud-charges-embezzling-nearly-125000


Fraud Case Study 3: Scientists Use Leadership Positions to Further Personal Purchases

GA Tech scientists defrauded the university, CIA, and DOD.

  • Three former researchers, one of whom was the Chief Scientist at the GA Tech Research Institute, were sentenced for their roles in using a P-Card to finance over $200,000 in personal items (four-wheelers, flat-screen TVs, Apple computers, iPads, Kindles, cameras, 3D printers and more). Prosecutors said they “took advantage of their positions to line their own pockets … when they misused grant money from projects funded by the DOD and CIA….”
  • This illustrates the need to question long-term employees or those in authority as they are statistically the most likely to commit fraud.
  • The last two stories underscore the need to take time to review support documents at the time of approval or review at the end of the month. If you do not receive a report listing P-Card or Corporate Card transactions, ask for one from U.S. Bank or Supply Chain Management.  

https://apnews.com/article/georgia-tech-scientists-fraud-scheme-sentence-36d28f0744451147326d97e9b67a0ada


Fraud Case Study 4: Don't Let the Years of Service Fool You

Indiana University (IU) Foundation employee of 30+ years embezzled $326K in donations:

  • A 30+ year employee pleaded guilty to stealing foundation money. Prosecutors said, “For years, the defendant abused her position to steal donations dedicated to advancing educational programs in our state.”  As the only cash counter, she was in a position to pocket cash before recording it in the accounting system. To cover her tracks, she withheld checks from the daily deposits and substituted them in a later deposit to conceal the missing cash. She also wrote checks from her personal bank account to make up the discrepancies between the substituted donor checks and the stolen cash. With control over the cash recording process, she manipulated accounting records to appear balanced, while siphoning off the donations.
  • Separation of duties would have prevented this from occurring. As FY24 ends, it is important to review staffing reports and job duties. Was someone given an interim assignment or a change in duties, thereby giving them control over multiple parts of financial transactions? Did departmental processes change, thereby making the old controls obsolete? These are all things worth considering when making sure there is still separation of duties in your department as we move into FY25.
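The question in the bullet above (did an interim assignment quietly hand one person both halves of a transaction?) can be checked mechanically if role assignments carry effective dates. The script below is an added example (not UCSF or A&AS code) that evaluates a constructed set of dated role assignments against a hypothetical list of conflicting role pairs on a chosen review date, so the same check can be run before and after an interim assignment. The role names, the conflicting pairs and the dates are all assumptions for the illustration.

```python
from datetime import date

# Constructed role assignments: (user, role, start, end); end=None means open-ended.
ASSIGNMENTS = [
    ("mrivera", "count_cash",  date(2023, 1, 1),  None),
    ("mrivera", "record_cash", date(2024, 4, 1),  None),              # interim, covering a vacancy
    ("tnguyen", "record_cash", date(2023, 1, 1),  date(2024, 3, 31)), # left the role
    ("pchen",   "create_po",   date(2023, 1, 1),  None),
    ("pchen",   "approve_po",  date(2024, 5, 15), date(2024, 5, 31)), # short interim cover
    ("jkim",    "approve_po",  date(2023, 1, 1),  None),
]

# Hypothetical separation-of-duties policy: role pairs one person must not hold together.
CONFLICTS = [
    frozenset({"count_cash", "record_cash"}),
    frozenset({"create_po", "approve_po"}),
    frozenset({"enter_invoice", "approve_payment"}),
]


def active_roles(assignments, on):
    """Map each user to the set of roles in effect on the given date."""
    roles = {}
    for user, role, start, end in assignments:
        if start <= on and (end is None or on <= end):
            roles.setdefault(user, set()).add(role)
    return roles


def find_sod_conflicts(assignments, conflicts, on):
    """Return sorted (user, (role_a, role_b)) pairs where a user holds both roles on that date."""
    out = []
    for user, roles in sorted(active_roles(assignments, on).items()):
        for pair in conflicts:
            if pair <= roles:   # user holds every role in the conflicting pair
                out.append((user, tuple(sorted(pair))))
    return out


if __name__ == "__main__":
    for review_date in (date(2024, 3, 1), date(2024, 5, 20), date(2024, 6, 30)):
        print(review_date, find_sod_conflicts(ASSIGNMENTS, CONFLICTS, review_date))
```

Run on 1 March 2024 the sample shows no conflicts; on 20 May both interim assignments create one; on 30 June the short P-card cover has expired but the cash-handling conflict is still open, which is exactly the case the bullet describes. A conflict that cannot be removed should at least be documented with a compensating control (for example, someone else reconciling the deposits).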

https://bloomingtonian.com/2023/11/08/former-indiana-university-foundation-employee-sentenced-to-one-year-in-federal-prison-for-embezzling-more-than-326000-in-donations/


Avoiding Fraud:  Keeping Accurate Records

The University of Michigan (UM) was wrongfully accused of selling access to datasets containing student work. It was able to prove it had not by retaining, and being able to produce, accurate consent and access records.

  • Media and public outcry wrongfully accused UM of selling access to a dataset containing student papers, audio recordings of class lectures and small-group discussions from 1997 to 2007. However, the data was actually part of a free, open-access resource set up by UM, to which the students had consented. The website was “scraped” for useful data by a vendor who tried to sell it to an AI company.
  • Although UM was not at fault, the incident serves as a reminder of the need for transparency and accountability around data and the importance of keeping accurate & up-to-date access records. Maintaining such records is not just for compliance, but also fosters a culture of trust and integrity.

https://www.newamerica.org/oti/blog/what-the-university-of-michigan-student-data-incident-reveals-about-higher-ed-data-collection-and-practices/
