
THOMAS P. DiNAPOLI, COMPTROLLER
STATE OF NEW YORK
OFFICE OF THE STATE COMPTROLLER
110 STATE STREET
ALBANY, NEW YORK 12236

STEVEN J. HANCOX, DEPUTY COMPTROLLER
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY
Tel: (518) 474-4037 Fax: (518) 486-6479

February 25, 2011

Mr. Thomas F. Perillo, Superintendent
Greater Amsterdam School District
11 Liberty Street
Amsterdam, NY 12010

Report Number: S9-10-44

Dear Superintendent Perillo and Members of the Board of Education:

A top priority of the Office of the State Comptroller is to help school district officials manage
their resources efficiently and effectively and, by so doing, provide accountability for tax dollars
spent to support district operations. The Comptroller oversees the fiscal affairs of districts
statewide, as well as compliance with relevant statutes and observance of good business
practices. This fiscal oversight is accomplished, in part, through our audits, which identify
opportunities for improving district operations and Board of Education governance. Audits also
can identify strategies to reduce costs and to strengthen controls intended to safeguard district
assets.

In accordance with these goals, we conducted an audit of six school districts throughout New
York State. The objective of our audit was to determine if school districts have adequate internal
controls over their online banking processes to safeguard district monies. We included the
Greater Amsterdam School District (District) in this audit. Within the scope of this audit, we
examined the District’s policies and procedures and reviewed all transactions associated with
online banking for the period July 1, 2009 through August 31, 2010. Following is a report of our
audit of the Greater Amsterdam School District. This audit was conducted pursuant to Article V,
Section 1 of the State Constitution, and the State Comptroller’s authority as set forth in Article 3
of the General Municipal Law.

This report of examination letter contains our findings specific to the District. We discussed the
findings and recommendations with District officials and considered their comments, which
appear in Appendix B, in preparing this report. District officials generally agreed with our
findings and recommendations and plan to initiate corrective action. At the completion of our
audit of the six school districts, we prepared a global report that summarizes the significant
issues we identified at all of the school districts audited.

Summary of Findings

Although the District had adequate controls over online banking transactions, the District’s cash
assets were put at risk due to the Internet usage associated with one of the District’s computers.
One computer, which is used in the online banking process, had an Internet history containing
malware (malicious software) and phishing[1] sites, and pornographic and other websites that
maliciously track user names and passwords. District officials asserted that the websites were
apparently visited due to three specific computer viruses. However, our research on these viruses
(see Appendix A) does not support the District’s assertion. The viruses do not launch
pornographic and other web sites. They are related only to financial fraud (e.g., they attempt to
steal user IDs and passwords). In addition, our analysis did not identify any “back doors” that
would allow a remote user to access and control the compromised computer’s resources, or any
viruses known to generate a history of pornographic sites.

As noted above, the District has adequate controls in place over online banking. Online banking
duties are appropriately segregated between four employees and the proper authorization step is
in place. Bank accounts also are properly monitored to ensure online banking transactions are
authorized. Controls could be further enhanced if the Board restricted online banking access to
only District computers. We examined all 1,347 online transfers[2] performed during the audit
period, totaling $147 million, and found all were in accordance with the District’s policies and
accurately recorded.

Background and Methodology

The District is located in Montgomery County and serves the City of Amsterdam and the Towns
of Amsterdam, Florida, Mohawk, Perth, Charlton, Duanesburg, and Glenville. The District is
governed by a seven-member Board of Education (Board). The Superintendent of Schools
(Superintendent) is the chief executive officer of the District and is responsible, along with other
administrative staff, for the day-to-day management of the District under the direction of the
Board. The District has six schools in operation and employs approximately 560 staff. District
enrollment for the 2009-10 school year was approximately 3,700 students. The District’s general
fund expenditures for the 2009-10 school year were approximately $51.8 million, with a cash
balance of approximately $24.8 million at June 30, 2010.

Recently, there has been a significant increase in fraud involving the exploitation of valid online
banking credentials. Online banking fraud typically originates through fake email messages or
malicious software (malware). The targeted user may receive an email that either contains an
infected attachment or directs the recipient to an infected website. Once the recipient opens the
attachment or visits the website, malware containing a key logger (which captures the user’s
keystrokes) is installed on the computer. The key logger harvests log-in information allowing the
perpetrator to masquerade as the legitimate user or create another user account. Thereafter,
fraudulent electronic cash transfers are initiated and directed to bank accounts in the United
States or foreign countries. Good controls over computer usage, specifically Internet usage,
reduce the risk of fraud involving the exploitation of school district bank accounts.

During our audit period, the District made 1,347 online transfers totaling approximately $147
million for the period July 1, 2009 through July 31, 2010. The Business Office staff comprises
four account clerks, the District Treasurer (Treasurer), and the Business Manager. The District’s
online banking transactions consist of intra-bank transfers (from one school account to another,
such as general fund checking to the general fund money market) and wire transfers (from a
District account to a non-District account, such as general fund checking to a utility company).

[1] Phishing refers to fraudulent attempts to gain sensitive or confidential information from a computer user by means
that appear to be trustworthy.
[2] Online transfers include the transfer of money from a District account to a non-District account (wire transfers)
and the transfer of money from one District account to another (intra-bank transfers).

To complete our objective, we interviewed District officials and reviewed policies to determine
the District’s procedures related to online banking. We reviewed supporting documentation,[3]
bank statements, and financial reports to determine the validation and the recording of each
online banking transaction for the audit scope period. We also reviewed computers used for
online banking for adequate software protections and updates and for Internet usage patterns.

We conducted this performance audit in accordance with generally accepted government
auditing standards (GAGAS). Those standards require that we plan and perform our audit to
obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objective. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on our audit objectives.

Audit Results

Online Banking Transactions – Effective internal controls over online banking include policies
and procedures to properly monitor and control online banking transactions. A comprehensive
online banking policy clearly describes the online banking activities the District will engage in,
specifies which District employees have the authority to process transactions, establishes a
detailed approval process to verify the accuracy and legitimacy of transfer requests, and requires
a monthly report of all online banking transactions. It is important for someone independent of
the online banking process to review this report and reconcile it with the monthly bank statement
to verify that all transactions were properly approved and appropriate.[4] Further, authorized online
banking users should access bank accounts only from their District computers, rather than
personal computers, to avoid security risks.

The District has designed adequate internal controls over online banking. The District has policy
guidance in place to monitor and control its online banking transactions. The policy assigns
duties to District employees with no one employee performing all aspects of the transaction. The
policy also provides guidance for user names and passwords and establishes who will review and
authorize the transactions, who will perform monthly bank reconciliations, and who will report
to the Board at monthly meetings. The District uses online banking with 21 bank accounts
maintained at two banks.

The Treasurer and two account clerks have unrestricted access to the online banking website to
perform their authorized duties, while the Business Manager has read-only access authorized by
the District and controlled by the bank. The District has also designated the Business Manager to
administer user rights for online banking. Two other account clerks who have read-only access
may be granted full access by the Business Manager to perform online banking transactions
when an authorized employee is absent.

[3] This includes vendor invoices and other vendor documentation.
[4] The OSC Cash Management Technology Guide, available at www.ocs.state.ny.us/localgov/pubs/publisting.htm,
provides guidance for online banking and includes an overview and list of best practices.

To initiate wire transfers, the account clerks enter data from source documents into the online
banking website. The bank sends an email to the Business Manager asking for transaction
approval. After the Business Manager reviews the data and authorizes the transfer, Business
Office personnel print a confirmation report from the website and keep it on file to verify the
transfer was completed. For intra-bank transactions, the Treasurer receives a document for
approval from the account clerks, with transfer data such as bank accounts and amounts. After
the Treasurer reviews and approves the transactions, the account clerks enter the data into the
online banking website and retain a confirmation report on file.

Bank reconciliations are performed by an account clerk who is not responsible for the online
banking transactions against the applicable bank accounts.[5] The Treasurer reviews the
reconciliations and maintains them on file. The bank reconciliations are included in the
Treasurer’s report submitted to and reviewed by the Board monthly.

We reviewed 1,347 transfers made between July 1, 2009 and July 31, 2010 to determine whether
the transfers were properly recorded, appropriate, and in compliance with District policies. Of the
1,347 transactions, 1,067 transfers totaling $123.1 million were between District accounts; the
other 280 transfers totaling $23.9 million were made from District to non-District accounts. The
transfers between District accounts were mostly for biweekly payroll transactions and for vendor
check payments made from the general fund. We found that all transactions were accurately
recorded and all transfers between District accounts were accurate. Further, the transfers from
District to non-District accounts were appropriate and proper.

However, the four Business Office personnel have user names and passwords that are not
computer-specific, allowing them to potentially access the online banking website from any
computer. Although these users generally access the website from their District computers, the
District’s policy does not prohibit them from using other computers to do so. The District can
further reduce the risk of unauthorized access by modifying its online banking policy to prohibit
access to bank accounts from non-District computers.

Information Technology Controls – District officials are responsible for maintaining adequate
controls over employee computer usage, especially on the Internet. These controls include an
Internet usage policy that establishes the District’s expectations for employees who use a District
computer. Additionally, the use of website filtering software can restrict access to District-
approved websites only, and careful monitoring of Internet access helps to ensure appropriate
use. Without a strict user policy and monitoring systems in place, inappropriate Internet usage
could put District computers at risk, including those used to access on-line banking websites
specific to the District’s bank accounts.

The District has a computer usage policy that provides guidance and procedures for proper
usage, and specifically states that the same standards of acceptable staff conduct that apply to any
aspect of job performance apply to use of District computers. Employees are expected to
communicate in a professional manner consistent with applicable District policies and regulations
governing the behavior of school staff. The policy also states that employees who use a District
computer must each sign a computer user agreement indicating they understand what is expected
of them. Additionally, the District has website filtering software that prohibits access to various
websites that are deemed not work-related. However, District officials could not provide us with
the user agreements for staff involved in online banking, and said that these individuals had been
with the District long before the policy took effect.

[5] The account clerks are each assigned bank accounts from which they may transfer money for properly authorized
transactions. For example, a clerk assigned the school lunch fund may transfer money only from the bank account in
which the lunch fund monies are maintained.

To determine if the information technology controls are operating effectively we reviewed the
hardware, software, Internet history, and related information on the four[6] users’ computers that
are involved in online banking activity. This review included analyzing the Internet history
(cookies[7]) on each machine to determine whether the Internet activity was appropriate and if the
activity is putting District monies at risk.

Three of the four computers used for online banking had adequate website filtering software and
were being used in accordance with District computer usage policy. However, our August 11,
2010 examination of one computer found it contained a history of questionable Internet usage.
Further, we observed a “how to delete Internet history” window open in the help screen on that
computer later the same day, and some of the history and Internet cookie files had been deleted.
Based on a report[8] provided to us by the District’s Information Technology Department (IT
Department), we determined that this computer had been used to access websites containing
information on malware, phishing and pornography, and numerous other non-work related
websites.

On August 19, 2010, we told the Superintendent of the Internet content on the computer. District
IT staff could not explain why the website filtering software did not detect and prevent access to
this prohibited content. On August 20, 2010, the Superintendent and IT Director told us that IT
personnel found computer viruses which caused the questionable website visits without the
user’s knowledge. However, our research on these viruses does not support the District’s
assertion. The viruses do not launch pornographic and other web sites. They are related only to
financial fraud (e.g., they attempt to steal user IDs and passwords). In addition, our analysis did
not identify any “back doors” that would allow a remote user to access and control the
compromised computer’s resources, or any viruses known to generate a history of pornographic
sites. The Superintendent informed us of the District’s plan to sanitize the computer. We asked
the Superintendent to ensure that the computer (including the hard drive, Internet history, files,
etc.) was left intact with the histories maintained, and to make it available for our further review
the following week. The District Superintendent agreed; however, when we arrived on-site on
August 25, 2010, we found the computer hard drive was inoperable. Since our examination of
the computer and the information it contained was inhibited by the damaged hard drive, we could
not use additional tools to confirm our research about the viruses. Appendix A details the OSC
investigation of the viruses identified by the District.

Regardless of the source of the Internet history contained on the computer, accessing non-work-
related websites from the computers the District uses for online banking drastically increases the
risk that the computer could be infected with viruses and/or malicious software. Accessing the
online banking website with an infected computer – especially when the District’s website
filtering software failed to block or deny access to the high-risk sites – puts the District’s 21 bank
accounts with approximately $24.8 million at June 30, 2010 at risk for theft.

[6] The Business Manager, Treasurer, and two account clerks.
[7] A cookie (also tracking cookie, browser cookie, and HTTP cookie) is a small piece of text stored on a user’s
computer by a web browser.
[8] All activity was between 8:00 a.m. and 4:00 p.m. weekdays.

Recommendations

1. The District should ensure that all staff have completed and signed the computer user
agreement required by District policy.

2. The Board should modify the online banking policy to prohibit staff from accessing
District bank accounts from non-District computers.

3. The District should monitor computer usage and ensure that the website filtering software
is properly working to deny user access to inappropriate websites.

4. The IT Director should immediately sanitize the computer that has had inappropriate
Internet use and implement adequate security updates and controls. District officials
should closely monitor the use of this computer to prevent inappropriate activities from
occurring in the future.

The Board has the responsibility to initiate corrective action. Pursuant to Section 35 of the
General Municipal Law, Section 2116-a (3)(c) of the Education Law, and Section 170.12 of the
Regulations of the Commissioner of Education, a written corrective action plan (CAP) that
addresses the findings and recommendations in this report must be prepared and provided to our
office within 90 days, with a copy forwarded to the Commissioner of Education. To the extent
practicable, implementation of the CAP must begin by the end of the next fiscal year. For more
information on preparing and filing your CAP, please refer to our brochure, Responding to an
OSC Audit Report, which you received with the draft audit report. The Board should make the
CAP available for public review in the District Clerk’s office.

Our office is available to assist you upon request. If you have any further questions, please
contact Ann Singer, Chief of Regional and Statewide Projects, at (607) 721-8310.

Sincerely,

Steven J. Hancox, Deputy Comptroller
Office of the State Comptroller
Division of Local Government
and School Accountability

APPENDIX A

EXAMINATION OF THE DISTRICT’S VIRUSES

After reviewing the virus information provided to our auditors by the District’s IT Director, we
determined that the viruses afflicting the computer were not likely to have caused the trail of
pornographic website history and cookies.

The screen shots provided by the IT Director revealed three suspect installations. The first is a
downloader which acts as a carrier for other arbitrary threats, and is most commonly used to
download further viruses and Trojans (malware that appears to perform a desirable function but
instead facilitates unauthorized access). For this reason, this particular Trojan can be very
dangerous, as it can deliver not just a single threat but a combination of several threats.

The second virus was a fake antivirus. This particular Trojan functions by installing several fake
files on the computer’s hard drive and immediately flagging them as viruses, though they are just
arbitrary files. It then prompts the computer user to activate the “antivirus” software by going to
the site provided by links in a pop-up window and entering credit card information. This virus is
part of the financial fraud/phishing family of viruses.

The final installation to be identified by the computer’s antivirus software was not itself a virus,
but a script that looks for vulnerabilities in particular software, and reports any findings back to a
command and control server. This mechanism is known as a “heuristic detection tool.”

Because these malicious installations identified by the antivirus are related only to financial
fraud, and the antivirus did not identify either any back doors that would allow a remote user to
use the compromised computer’s resources, or any viruses known to generate a history of
pornographic sites, we initially determined that the viruses were not responsible for the presence
of pornographic material, history, and cookies on the computer.

Further investigation into the websites that were visited by the computer showed that several of
the sites hosted malware or acted as an intermediary to malicious sites. However, only one of
these sites also hosted pornography. The rest of the pornographic sites were not identified as
hosting malware, nor were they associated with any known malware, which indicates that no
known viruses direct a user’s computer to the pornographic sites found in the investigated
cookies associated with the user’s name.

Finally, research we performed on “porn viruses” found that the majority of viruses that do
generate traffic to pornographic sites have known virus definitions and would have been blocked
by the computer’s antivirus software. These “porn viruses” also tend to become installed on a
computer through visits to such sites or the downloading of such material (i.e., a user is not likely
to download a “porn virus” itself from visiting a legitimate site, but is quite likely to get such a
virus inadvertently from visiting a pornographic site). This information further supports our
conclusion that the website history was user-generated and not the result of the malicious
software found on the computer. Rather, the viruses are a result of unregulated Internet traffic.

APPENDIX B

RESPONSE OF DISTRICT OFFICIALS

The District officials’ response to this audit can be found on the following page.
