Audit & Advisory Services Newsletter - Volume 24

Knowing the Unknown: Lessons for the Proactive Manager

In the spirit of Halloween, this newsletter includes festive and playful language to add some seasonal fun. Our intention is solely to entertain and engage, and not to offend or upset anyone. We hope you enjoy the light-hearted theme, and we appreciate your understanding. Happy Halloween!

Prudent managers are aware of the sticky spider webs and haunted houses, called risks, in their processes and have their own protective elixirs, called controls, to prevent, detect and deter them from occurring. A Proactive Manager has a plan to ward off the nasty spirits before they strike!

There are known knowns, things we know that we know; and there are known unknowns, things that we know we don’t know. But there are also unknown unknowns, things we do not know we don’t know.

Donald Rumsfeld

While this quote pertains to threats or risks from terrorism and defending a nation, it also holds true for keeping UCSF’s assets and reputation safe. We need to understand the known risks in our processes and implement controls to prevent the ghosts and goblins of errors and malfeasance from haunting us. Proactive Managers also anticipate the unknown unknowns of the spooky forces that lie in wait and have a plan to keep us all from the graveyard of failed organizations. 

In 2019, how many people anticipated all the risks associated with a global pandemic (clearly the gravest of unknown unknowns) and had a complete response plan? Likely few. It is rarely possible to know every potential risk that might plague our operations, which is why managers and departments need to be resilient and agile.

A&AS is here to fill your metaphorical candy bags with tasty control treats by helping you identify hidden tricks that can ruin your Halloween. We do audits, advisories and consultations on governance, risks and ineffective internal controls that could haunt your department. We won’t do a seance, but we will do consultations and targeted training on preventing fraud, the worst of all tricks. For more information on setting up a consultation or training for your department contact [email protected]. For other fraud-related information and links to our anti-fraud webinars/trainings go to Fraudprevention.ucsf.edu.

Q&A With Chief Information Security Officer

As part of our ongoing Q&As with leadership, we thought Halloween was the perfect time to talk with our own cyber vampire slayer, Patrick Phelan (Chief Information Security Officer) about what keeps him up at night.  Read below what Patrick had to say about the internet vampires and werewolves looking to harm UCSF.

Q: What are the primary cybersecurity risks facing UCSF, and what controls are in place to mitigate these risks?

A: UCSF operates within the two most frequently attacked industries, healthcare and higher education. Presently, the biggest cyber risks and threats facing us are third-party risk, ransomware, software vulnerabilities, and credential theft. For most threats, we employ a “defense-in-depth” approach, meaning there are multiple controls that help mitigate risk in a particular area. Controls can be technical or administrative. Some of our most important ones include detection and response appliances and software, a powerful email security gateway, multifactor authentication (Duo), and our vulnerability management program. Examples of administrative controls we use include security assessments, contractual language, and security awareness training. 

Q: We hear reports all of the time about AI being used against UCSF to target us for fraud and theft. Could you tell us a little about what's going on with AI?

A: AI has been a boon to people on both sides of the law.  Some of the first and most obvious applications of generative AI by attackers have been in the area of social engineering. Poor grammar and spelling are often hallmarks of phishing messages, but attackers can use generative AI to produce much more believable messages these days. AI is also being used to increase the effectiveness of password cracking/stuffing tools and to write malware that is becoming increasingly difficult to detect and block.

Q: Is UCSF using its own AI to defend against these AI attacks we hear about?

A: Most of the time when people are talking about AI, they’re referring to generative AI, where a user is using AI to create a new artifact. Many of UCSF’s security controls have employed machine learning and artificial intelligence for years, determining what baseline and anomalous behavior look like. You can’t take one step at a conference without tripping over a security vendor eager to tell you how AI is being used to improve their products dramatically.

Q: Can you share stories about UCSF leaders having their own departmental level controls in place to address the risks that they knew or anticipated?       

A: Enterprise information security is most effective in large organizations when it’s managed centrally, especially when it comes to technical controls, but there is definitely a place for departmental-level controls. In particular, it’s crucial for departments to track their assets, including data and systems. Sensitive data lives in every corner of UCSF, and the first step in protecting it appropriately is knowing where it is. The most risk-aware UCSF leaders have a good handle on their assets and make sure that their departments are engaged with central IT.

Q: What proactive measures do you believe are most effective in warding off potential risks and ensuring our organization remains secure (what message would you offer a Proactive Manager)?       

A: It’s essential for leaders to do a good job managing asset lifecycle. Make sure to budget for software/hardware replacement before a solution is no longer supported (meaning a vendor is no longer issuing security patches). Having end-of-life systems like Windows 7 on the network is a risk not only to a department but to our whole enterprise.


Phantom Fraudsters Haunting Higher Ed

The most common hex cast upon higher education is corruption. This occurs when employees misuse their influence in a business transaction in a way that violates their duty to gain a direct or indirect benefit – examples include bribery and conflict of interest. Other common jinxes include billing schemes, skimming, expense reimbursement fraud and inventory theft. The Association of Certified Fraud Examiners (ACFE) Report to the Nations recently concluded that the scourges of fraud are more likely to be cast (committed) by managers and executives with 5 or more years of service. The ACFE also noted a new trend for schemes, which is that over 50% of fraud cases now involve two or more people, making it more difficult to detect and leading to higher losses. Since more people have transitioned to remote or hybrid work, the ACFE has found that it has become increasingly more difficult to detect these schemes.

Controls to prevent corruption include our leaders promoting strong ethical practices and training, segregation of duties and an increased perception of detection. Controls for billing schemes and skimming include the creation of separate purchasing and payment functions, tight controls on vendor set-ups and changes, segregation of duties and, again, an increased perception of detection. The belief that a department performs reviews, audits or data analytics, or has some kind of control reporting, will help deter would-be fraudsters. Quite simply, if we take away the perceived opportunity (of getting away with it), the goblins will leave us alone!

Factors contributing to the malevolent forces of fraud in a post-COVID world include manipulating staffing changes, the shift to remote work, operational process changes and internal control changes. Experts noted that the quick infusion of COVID-related funding, combined with a short spend time, were also major factors contributing to fraud in higher ed. This reminds us of the importance of taking a new look at our controls, and evaluating whether they were designed for how we used to do things before COVID, before we had certain re-organization(s), or when we had higher staffing levels. When our conditions change, our controls need updating too!

Here is a link to an informative video on controls that may be a resource for you: https://www.youtube.com/watch?v=tZsK72PdCBo    


Eerie Risks Posed by AI-powered Fraud

When evaluating ongoing risk(s), a recent article by the Institute of Internal Auditors (IIA) identified several spooky risks posed by AI-powered fraud that might affect organizations such as UCSF. Risks include identity and impersonation fraud, where deepfake technology is used by fraudsters to convincingly mimic our own executives or employees, leading to unauthorized transactions and data breaches.  

AI can also generate fake documents and data that appears to be authentic, tricking employees into making critical errors. Sophisticated phishing attacks are another risk, as AI can automate and scale these attempts, making them more convincing and harder to detect. Additionally, AI can create self-learning bots that identify and exploit new security vulnerabilities, further increasing the risk of breaches and unauthorized activities. Always a major risk to UCSF is the theft of sensitive information, such as patient and research data or intellectual property.

To mitigate risks, the article recommends enhancing security measures, utilizing our own AI tools for anomaly detection, conducting regular threat assessments, and involving internal audit in proactive risk management. Collaboration across departments and leadership engagement is also crucial.

Here are some control treats that will help you fight the tricks associated with AI and fraud:

  1. Create a “house style” to make communications more difficult for AI to emulate.
  2. Teach employees how to recognize the signs of AI fraud and respond to suspicious requests.
  3. Assess whether leaders (in your department or unit) have considered all AI risks that could have a significant impact.
  4. Set up multilayered controls that combine AI-powered fraud detection with human oversight.
  5. Involve leadership in attack simulation exercises, as they are the most likely to be impersonated. 
  6. Stress test business procedures to determine how many levels of sign-off are required to send money.
  7. Don’t wait for the risk to arrive to combat it. Take an offensive approach to stay one step ahead.
  8. Be an early adopter of AI tools to more quickly understand the risks associated with them.

Here are links to the IIA story and an informative video from the ACFE on AI and Fraud. 

https://internalauditor.theiia.org/en/articles/2024/june/the-fraudsters-have-ai-too/

https://vimeo.com/user25326105/download/882288004/e11d7692bd


Understanding Why Controls Fail

A control is what we put in place to counter the wicked risks that can occur in our processes. Control elixirs exist at both the department and system levels. For example, BearBuy, as a system, has controls in place to make sure users cannot exceed maximum daily purchase limits. But we also need to keep in mind the controls that exist within a department, for example, to ensure the same user does not use MyExpense or a P-Card to buy the same items on the same day. Each purchase may be under the system limit, but combined there is a gap that a proactive manager must recognize and cover with their own powerful concoction, or control.
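The gap described above, where each system enforces its own daily limit but nobody totals spend across systems, is exactly the kind of check a departmental reviewer can run over exported transaction reports. The script below is an added example written for this newsletter; it is not BearBuy, MyExpense or P-Card code, and the limit amounts, system names as data labels, user ids and transactions are all constructed for illustration. It flags (a) combined per-user, per-day spend across systems that exceeds a department-set ceiling even though every single-system total is under that system's own limit, and (b) the same item bought by the same user on the same day through more than one system.

```python
"""Cross-system daily purchase review (added example, not UCSF's or any
procurement system's own code).

Assumptions (all constructed for illustration):
- Each purchasing system enforces only its own per-user daily limit; the
  dollar values in DAILY_LIMITS are placeholders, not real policy figures.
- Transactions arrive as simple dicts; in practice they would be parsed
  from each system's exported report.
"""
from collections import defaultdict

# Placeholder per-system daily limits (assumed, not actual UCSF values).
DAILY_LIMITS = {"BearBuy": 5000.0, "MyExpense": 5000.0, "P-Card": 5000.0}

# Constructed sample export: user u1 splits one purchase across systems so
# that no single system trips its limit, and buys the same item twice.
SAMPLE_TRANSACTIONS = [
    {"user": "u1", "date": "2024-10-28", "system": "BearBuy", "item": "laptop", "amount": 4800.0},
    {"user": "u1", "date": "2024-10-28", "system": "P-Card", "item": "laptop", "amount": 4700.0},
    {"user": "u1", "date": "2024-10-28", "system": "MyExpense", "item": "monitor", "amount": 600.0},
    {"user": "u2", "date": "2024-10-28", "system": "BearBuy", "item": "reagents", "amount": 1200.0},
    {"user": "u2", "date": "2024-10-29", "system": "P-Card", "item": "reagents", "amount": 900.0},
]


def per_system_limit_violations(transactions):
    """The control each system already applies on its own: (user, date, system)
    whose daily total within that one system exceeds that system's limit."""
    totals = defaultdict(float)
    for t in transactions:
        totals[(t["user"], t["date"], t["system"])] += t["amount"]
    return sorted(key for key, total in totals.items()
                  if total > DAILY_LIMITS[key[2]])


def combined_limit_gaps(transactions, combined_limit):
    """The department-level control the page calls for: (user, date, total)
    where spend summed across ALL systems exceeds combined_limit. This catches
    purchases split so that each system stays under its own limit."""
    totals = defaultdict(float)
    for t in transactions:
        totals[(t["user"], t["date"])] += t["amount"]
    return sorted((user, day, round(total, 2))
                  for (user, day), total in totals.items()
                  if total > combined_limit)


def duplicate_item_purchases(transactions):
    """Same user, same day, same item bought through more than one system:
    (user, date, item, sorted list of systems used)."""
    systems = defaultdict(set)
    for t in transactions:
        systems[(t["user"], t["date"], t["item"])].add(t["system"])
    return sorted((user, day, item, sorted(used))
                  for (user, day, item), used in systems.items()
                  if len(used) > 1)


def review(transactions, combined_limit):
    """Run all three checks and return the findings for a reviewer to resolve."""
    return {
        "per_system": per_system_limit_violations(transactions),
        "combined": combined_limit_gaps(transactions, combined_limit),
        "duplicates": duplicate_item_purchases(transactions),
    }


if __name__ == "__main__":
    # With a 5000.0 combined ceiling, u1 passes every per-system check but is
    # flagged on combined spend (10100.0) and on the duplicated laptop purchase.
    for name, findings in review(SAMPLE_TRANSACTIONS, 5000.0).items():
        print(name, findings)
```

The point of the design is that the per-system check returns nothing on this data: every one of u1's totals is under the placeholder limit, so the systems themselves are silent. Only the combined and duplicate checks, which live at the department level, surface the split purchase, and each finding is something a reviewer must look at and resolve rather than an automatic block.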

The key to a successful potion is the people doing the control need to know why their behavior is so important (e.g., I am matching this receipt to a transaction because if I don’t, someone might steal from the university). Consider this: In 90% of the cases where wrongdoing occurred, the existing controls would have been sufficient to stop the problem, but human behavior at an important moment in the process failed. Employees at the department level need to know their behavior matters and is important because their action is the control. 

Top 10 reasons why controls fail:

  • Insufficient skills (not trained to do what they were asked to do).
  • Lack of situational awareness (didn’t recognize the red flags when they appeared). 
  • Blind trust (not opening the support docs).
  • Willful blindness (transactions were under budget so no one looks).
  • Inadequate information (but approved anyway).
  • Weak or lack of support docs (but approved anyway).
  • Culture of not questioning (especially of those in leadership positions).
  • Time Pressure (not given enough time to process or check support docs).
  • Frustration/Fatigue (tired of calling attention to the same problems and give-up/give-in).
  • Intentional override (someone in a position to bypass their own controls).

We are encouraged to remember the acronym “LADR”: Look (at individual transactions and support docs). Ask (questions about what you see or don’t see). Doubt (is what you’re shown what it purports to be?). Resolve (before you approve anything, resolve that doubt).


Fraud Case Study 1: When Treats Turn into Tricks

The San Mateo County DA’s Office indicted the former Chancellor of the San Mateo Community College (SMCC) on 21 charges, stemming from an alleged “pay-to-play” scheme. At the heart of the allegations, the Chancellor allegedly accepted gifts from construction companies, ranging from trips, lavish dinners, free work on his house and luxury box tickets for sporting events and concerts in exchange for using his influence to corruptly steer contracts their way. The charges also included failure to report these gifts and lying on his Form 700.

He allegedly used his position to influence the public procurement process by pressuring others to change their scores during the RFP process and also to reopen or extend the bidding period beyond the closed date to favor one vendor. That vendor, initially the highest bid, changed pricing and subsequently won as the lowest bid.

This story should remind us of these important rules/policies:

  • “An employee must comply with the provisions of state and federal law and University policy governing the acceptance of gifts and gratuities.” (PPSM-82)
  • UC officers and employees must avoid the appearance of favoritism in all of their dealings on behalf of the University. 
  • Employees must disqualify themselves from any university decision if they have a financial interest or received a gift of $500 or more in the 12 months prior to the decision.
  • No solicitation of gifts or gratuities from a current or potential vendor seeking to do business with UC.
  • Designated employees must disclose gifts greater than $50 in value during a calendar year from any source in their assigned disclosure category in Form 700.
  • You may not receive gifts with a total value exceeding $500 from a single source in your assigned disclosure category in any calendar year.

Link to story: https://www.smdailyjournal.com/news/local/former-san-mateo-county-community-college-district-chancellor-ron-galatolo-speaks-out/article_d41575f8-1b06-11ee-84d6-77480d357a6c.html


Fraud Case Study 2: Vampiric Use of P-Cards Plagues Colleges

The former Chair of the Dept. of Emergency Medicine at a SUNY campus faces criminal charges alleging that he stole over $1M in state funding through his abuse of the school’s Purchase card over a seven-year period. The list of abuses included: $115K in cash advances (not paid back), $348K on personal travel, $176K on pet care, $109K on NY sports club membership dues/personal training, $52K in catering, $46K in tuition payments for his children and other personal expenses.

Stories of misuse of Purchase Cards and Travel Cards are repeatedly highlighted in this newsletter because it is a persistent risk that can cause financial loss and reputational harm. Imagine if someone in your department charged $176K in pet care and $100K on a gym membership, and no one ever noticed.  Those in control positions need to remind users that purchases are for legitimate business needs only (and the Pet Hotel and Downtown Sports Club are not). Transactions need to be reviewed and reconciled with receipts and questioned for business need (not just be approved because they are under budget). To be a proactive, vigilant leader, ask questions such as:

  • Do the receipts match the stated purpose?
  • Why are we paying for “miscellaneous supplies” at Home Depot?
  • Why does this one person have so many lost receipts for entertainment? 

Link to story:  https://www.silive.com/crime-safety/2024/07/staten-island-doctor-accused-of-over-1m-theft-from-suny-downstate-medical-center.html


Fraud Case Study 3: Brouhaha in Iowa Over Misuse of Equipment and Staff

The manager of a University of Iowa machine shop that made high-tech tools and parts for Physics and Astronomy experiments was charged with misuse of state resources after whistleblowers reported that he used university equipment and staff to manufacture equipment sold through his own business, netting him over $900K in ill-gotten booty.

With all of the research performed at UCSF, this story should serve as a reminder that departments need to put controls in place that ensure their equipment, supplies and materials are inventoried and used for their intended purposes. Leaders are also encouraged to create environments where employees who might be directed to do improper work feel free to report it to them. Internal fraud can also be reported directly to Audit & Advisory Services at [email protected], or through the whistleblower hotline at https://www.ucop.edu/uc-whistleblower/index.html.

Link to story: https://www.radioiowa.com/2024/09/04/university-of-iowa-employee-accused-of-pocketing-nearly-1-million/
