THOMAS P. DiNAPOLI
COMPTROLLER

STATE OF NEW YORK
OFFICE OF THE STATE COMPTROLLER
110 STATE STREET
ALBANY, NEW YORK 12236

STEVEN J. HANCOX
DEPUTY COMPTROLLER
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY
Tel: (518) 474-4037  Fax: (518) 486-6479

February 25, 2011

Mr. Thomas F. Perillo, Superintendent
Greater Amsterdam School District
11 Liberty Street
Amsterdam, NY 12010

Report Number: S9-10-44

Dear Superintendent Perillo and Members of the Board of Education:

A top priority of the Office of the State Comptroller is to help school district officials manage their resources efficiently and effectively and, by so doing, provide accountability for tax dollars spent to support district operations. The Comptroller oversees the fiscal affairs of districts statewide, as well as compliance with relevant statutes and observance of good business practices. This fiscal oversight is accomplished, in part, through our audits, which identify opportunities for improving district operations and Board of Education governance. Audits also can identify strategies to reduce costs and to strengthen controls intended to safeguard district assets.

In accordance with these goals, we conducted an audit of six school districts throughout New York State. The objective of our audit was to determine if school districts have adequate internal controls over their online banking processes to safeguard district monies. We included the Greater Amsterdam School District (District) in this audit. Within the scope of this audit, we examined the District’s policies and procedures and reviewed all transactions associated with online banking for the period July 1, 2009 through August 31, 2010.

Following is a report of our audit of the Greater Amsterdam School District. This audit was conducted pursuant to Article V, Section 1 of the State Constitution, and the State Comptroller’s authority as set forth in Article 3 of the General Municipal Law. This report of examination letter contains our findings specific to the District. We discussed the findings and recommendations with District officials and considered their comments, which appear in Appendix B, in preparing this report. District officials generally agreed with our findings and recommendations and plan to initiate corrective action. At the completion of our audit of the six school districts, we prepared a global report that summarizes the significant issues we identified at all of the school districts audited.

Summary of Findings

Although the District had adequate controls over online banking transactions, the District’s cash assets were put at risk due to the Internet usage associated with one of the District’s computers.

One computer, which is used in the online banking process, had an Internet history containing malware (malicious software) and phishing[1] sites, and pornographic and other websites that maliciously track user names and passwords. District officials asserted that the websites were apparently visited due to three specific computer viruses. However, our research on these viruses (see Appendix A) does not support the District’s assertion. The viruses do not launch pornographic and other websites; they are related only to financial fraud (e.g., they attempt to steal user IDs and passwords). In addition, our analysis did not identify any “back doors” that would allow a remote user to access and control the compromised computer’s resources, or any viruses known to generate a history of pornographic sites.

As noted above, the District has adequate controls in place over online banking. Online banking duties are appropriately segregated among four employees and the proper authorization step is in place. Bank accounts also are properly monitored to ensure online banking transactions are authorized. Controls could be further enhanced if the Board restricted online banking access to only District computers. We examined all 1,347 online transfers[2] performed during the audit period, totaling $147 million, and found all were in accordance with the District’s policies and accurately recorded.

Background and Methodology

The District is located in Montgomery County and serves the City of Amsterdam and the Towns of Amsterdam, Florida, Mohawk, Perth, Charlton, Duanesburg, and Glenville. The District is governed by a seven-member Board of Education (Board). The Superintendent of Schools (Superintendent) is the chief executive officer of the District and is responsible, along with other administrative staff, for the day-to-day management of the District under the direction of the Board. The District has six schools in operation and employs approximately 560 staff.
District enrollment for the 2009-10 school year was approximately 3,700 students. The District’s general fund expenditures for the 2009-10 school year were approximately $51.8 million, with a cash balance of approximately $24.8 million at June 30, 2010.

Recently, there has been a significant increase in fraud involving the exploitation of valid online banking credentials. Online banking fraud typically originates through fake email messages or malicious software (malware). The targeted user may receive an email that either contains an infected attachment or directs the recipient to an infected website. Once the recipient opens the attachment or visits the website, malware containing a key logger (which captures the user’s keystrokes) is installed on the computer. The key logger harvests log-in information, allowing the perpetrator to masquerade as the legitimate user or create another user account. Thereafter, fraudulent electronic cash transfers are initiated and directed to bank accounts in the United States or foreign countries. Good controls over computer usage, specifically Internet usage, reduce the risk of fraud involving the exploitation of school district bank accounts.

During our audit period, the District made 1,347 online transfers totaling approximately $147 million for the period July 1, 2009 through July 31, 2010. The Business Office staff comprises four account clerks, the District Treasurer (Treasurer), and the Business Manager. The District’s online banking transactions consist of intra-bank transfers (from one school account to another, such as general fund checking to the general fund money market) and wire transfers (from a District account to a non-District account, such as general fund checking to a utility company).

To complete our objective, we interviewed District officials and reviewed policies to determine the District’s procedures related to online banking. We reviewed supporting documentation,[3] bank statements, and financial reports to determine the validation and the recording of each online banking transaction for the audit scope period. We also reviewed computers used for online banking for adequate software protections and updates and for Internet usage patterns.

We conducted this performance audit in accordance with generally accepted government auditing standards (GAGAS). Those standards require that we plan and perform our audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[1] Phishing refers to fraudulent attempts to gain sensitive or confidential information from a computer user by means that appear to be trustworthy.
[2] Online transfers include the transfer of money from a District account to a non-District account (wire transfers) and the transfer of money from one District account to another (intra-bank transfers).

Audit Results

Online Banking Transactions – Effective internal controls over online banking include policies and procedures to properly monitor and control online banking transactions. A comprehensive online banking policy clearly describes the online banking activities the District will engage in, specifies which District employees have the authority to process transactions, establishes a detailed approval process to verify the accuracy and legitimacy of transfer requests, and requires a monthly report of all online banking transactions.
It is important for someone independent of the online banking process to review this report and reconcile it with the monthly bank statement to verify that all transactions were properly approved and appropriate.[4] Further, authorized online banking users should access bank accounts only from their District computers, rather than personal computers, to avoid security risks.

The District has designed adequate internal controls over online banking. The District has policy guidance in place to monitor and control its online banking transactions. The policy assigns duties to District employees with no one employee performing all aspects of the transaction. The policy also provides guidance for user names and passwords and establishes who will review and authorize the transactions, who will perform monthly bank reconciliations, and who will report to the Board at monthly meetings. The District uses online banking with 21 bank accounts maintained at two banks. The Treasurer and two account clerks have unrestricted access to the online banking website to perform their authorized duties, while the Business Manager has read-only access authorized by the District and controlled by the bank. The District has also designated the Business Manager to administer user rights for online banking. Two other account clerks who have read-only access may be granted full access by the Business Manager to perform online banking transactions when an authorized employee is absent.

[3] This includes vendor invoices and other vendor documentation.
[4] The OSC Cash Management Technology Guide, available at www.ocs.state.ny.us/localgov/pubs/publisting.htm, provides guidance for online banking and includes an overview and list of best practices.

To initiate wire transfers, the account clerks enter data from source documents into the online banking website. The bank sends an email to the Business Manager asking for transaction approval. After the Business Manager reviews the data and authorizes the transfer, Business Office personnel print a confirmation report from the website and keep it on file to verify the transfer was completed. For intra-bank transactions, the Treasurer receives a document for approval from the account clerks, with transfer data such as bank accounts and amounts. After the Treasurer reviews and approves the transactions, the account clerks enter the data into the online banking website and retain a confirmation report on file. Bank reconciliations are performed by an account clerk who is not responsible for the online banking transactions against the applicable bank accounts.[5] The Treasurer reviews the reconciliations and maintains them on file. The bank reconciliations are included in the Treasurer’s report submitted to and reviewed by the Board monthly.

We reviewed 1,347 transfers made between July 1, 2009 and July 31, 2010 to determine whether they were properly recorded, appropriate, in compliance with policies, and proper. Of the 1,347 transactions, 1,067 transfers totaling $123.1 million were between District accounts; the other 280 transfers totaling $23.9 million were made from District to non-District accounts. The transfers between District accounts were mostly for biweekly payroll transactions and for vendor check payments made from the general fund. We found that all transactions were accurately recorded and all transfers between District accounts were accurate. Further, the transfers from District to non-District accounts were appropriate and proper. However, the four Business Office personnel have user names and passwords that are not computer-specific, allowing them to potentially access the online banking website from any computer. Although these users generally access the website from their District computers, the District’s policy does not prohibit them from using other computers to do so. The District can further reduce the risk of unauthorized access by modifying its online banking policy to prohibit access to bank accounts from non-District computers.

[5] The account clerks are each assigned bank accounts from which they may transfer money for properly authorized transactions. For example, a clerk assigned the school lunch fund may transfer money only from the bank account in which the lunch fund monies are maintained.

Information Technology Controls – District officials are responsible for maintaining adequate controls over employee computer usage, especially on the Internet. These controls include an Internet usage policy that establishes the District’s expectations for employees who use a District computer. Additionally, the use of website filtering software can restrict access to District-approved websites only, and careful monitoring of Internet access helps to ensure appropriate use. Without a strict user policy and monitoring systems in place, inappropriate Internet usage could put District computers at risk, including those used to access online banking websites specific to the District’s bank accounts.

The District has a computer usage policy that provides guidance and procedures for proper usage, and specifically states that the same standards of acceptable staff conduct that apply to any aspect of job performance apply to use of District computers. Employees are expected to communicate in a professional manner consistent with applicable District policies and regulations governing the behavior of school staff. The policy also states that employees who use a District computer must each sign a computer user agreement indicating they understand what is expected of them. Additionally, the District has website filtering software that prohibits access to various websites that are deemed not work-related. However, District officials could not provide us with the user agreements for staff involved in online banking, and said that these individuals had been with the District long before the policy took effect.
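The transfer review and segregation-of-duties checks described above under Online Banking Transactions can be expressed as a repeatable control test. The script below is an added example and is not part of the OSC report or of the District’s own procedures; the account identifiers, staff identifiers, transfers, approvals and bank statement lines are all constructed for illustration. It encodes the rules the report describes: wires need Business Manager approval, intra-bank transfers need the Treasurer’s approval before the clerk enters them, a clerk may transfer only from the accounts assigned to that clerk (footnote 5), nobody approves an entry they keyed in themselves, a confirmation report must be on file, and the recorded transfers are reconciled against the bank statement in both directions.

```python
"""Control test for online banking transfers (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed account and staff identifiers; not the District's real accounts or people.
DISTRICT_ACCOUNTS = {"GF-CHK", "GF-MM", "LUNCH-CHK", "PAYROLL"}
CLERK_ACCOUNTS = {  # footnote 5: a clerk may transfer only from the accounts assigned to them
    "clerk_1": {"GF-CHK", "GF-MM"},
    "clerk_2": {"LUNCH-CHK"},
    "clerk_3": {"PAYROLL"},
}
ROLE_NAME = {"treasurer": "Treasurer", "bizmgr": "Business Manager"}


@dataclass
class Transfer:
    tid: str
    entered: date                      # day the clerk keyed the transfer into the banking site
    src: str
    dst: str
    amount: float
    entered_by: str
    approver: Optional[str] = None
    approved: Optional[date] = None
    confirmation_on_file: bool = False


def kind(t: Transfer) -> str:
    """Intra-bank if the destination is a District account, otherwise a wire."""
    return "intra" if t.dst in DISTRICT_ACCOUNTS else "wire"


def check_transfer(t: Transfer) -> List[str]:
    """Return the control exceptions for one transfer; an empty list means it passed."""
    issues: List[str] = []
    if t.src not in DISTRICT_ACCOUNTS:
        issues.append("source is not a District account")
    if t.src not in CLERK_ACCOUNTS.get(t.entered_by, set()):
        issues.append(f"{t.entered_by} not assigned to {t.src}")
    # Wires are approved by the Business Manager, intra-bank transfers by the Treasurer.
    required = "bizmgr" if kind(t) == "wire" else "treasurer"
    if t.approver != required:
        issues.append(f"{kind(t)} transfer needs {ROLE_NAME[required]} approval")
    if t.approver == t.entered_by:
        issues.append("entered and approved by the same person")
    # Intra-bank: the Treasurer approves the request before the clerk enters it.
    if kind(t) == "intra" and t.approved is not None and t.approved > t.entered:
        issues.append("entered before approval")
    if not t.confirmation_on_file:
        issues.append("no confirmation report on file")
    return issues


def reconcile(transfers: List[Transfer], statement: List[Tuple[str, float]]) -> Dict[str, List[str]]:
    """Match recorded transfers to bank statement lines (reference, amount) in both directions."""
    recorded = {t.tid: t.amount for t in transfers}
    on_statement = dict(statement)
    return {
        "unconfirmed": sorted(k for k in recorded if k not in on_statement),
        "unrecorded": sorted(k for k in on_statement if k not in recorded),
        "mismatched": sorted(k for k in recorded if k in on_statement and recorded[k] != on_statement[k]),
    }


# Constructed sample: one clean intra-bank transfer, one clean wire, three with exceptions.
TRANSFERS = [
    Transfer("T1", date(2010, 7, 2), "GF-CHK", "GF-MM", 250000.00, "clerk_1", "treasurer", date(2010, 7, 1), True),
    Transfer("T2", date(2010, 7, 6), "GF-CHK", "UTILITY-CO", 18400.50, "clerk_1", "bizmgr", date(2010, 7, 6), True),
    Transfer("T3", date(2010, 7, 9), "LUNCH-CHK", "VENDOR-X", 3200.00, "clerk_1", "treasurer", date(2010, 7, 9), True),
    Transfer("T4", date(2010, 7, 15), "PAYROLL", "GF-CHK", 1100000.00, "clerk_3", "treasurer", date(2010, 7, 16), False),
    Transfer("T5", date(2010, 7, 20), "GF-MM", "ACCT-9999", 5000.00, "clerk_2", "clerk_2", date(2010, 7, 20), True),
]
# Constructed bank statement lines: T3 amount differs, T5 never cleared, T9 was never recorded.
STATEMENT = [("T1", 250000.00), ("T2", 18400.50), ("T3", 3250.00), ("T4", 1100000.00), ("T9", 5000.00)]


def run_review(transfers=TRANSFERS, statement=STATEMENT) -> Dict[str, object]:
    """Run every transfer through the control test and reconcile the set against the statement."""
    exceptions = {t.tid: check_transfer(t) for t in transfers}
    return {"exceptions": {k: v for k, v in exceptions.items() if v},
            "reconciliation": reconcile(transfers, statement)}


if __name__ == "__main__":
    result = run_review()
    for tid, issues in result["exceptions"].items():
        print(tid, "; ".join(issues))
    print(result["reconciliation"])
```

In practice the transfer export would come from the bank’s online portal and the approval records from the emailed authorizations and signed request documents the report describes; the reconciliation step is the one the report assigns to a clerk who does not process the transfers, so it should be run by (or for) that person rather than by the clerks whose entries it tests.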

To determine if the information technology controls are operating effectively, we reviewed the hardware, software, Internet history, and related information on the four[6] users’ computers that are involved in online banking activity. This review included analyzing the Internet history (cookies[7]) on each machine to determine whether the Internet activity was appropriate and if the activity is putting District monies at risk. Three of the four computers used for online banking had adequate website filtering software and were being used in accordance with District computer usage policy. However, our August 11, 2010 examination of one computer found it contained a history of questionable Internet usage. Further, we observed a “how to delete Internet history” window open in the help screen on that computer later the same day, and some of the history and Internet cookie files had been deleted. Based on a report[8] provided to us by the District’s Information Technology Department (IT Department), we determined that this computer had been used to access websites containing information on malware, phishing and pornography, and numerous other non-work-related websites.

On August 19, 2010, we told the Superintendent of the Internet content on the computer. District IT staff could not explain why the website filtering software did not detect and prevent access to this prohibited content. On August 20, 2010, the Superintendent and IT Director told us that IT personnel found computer viruses which caused the questionable website visits without the user’s knowledge. However, our research on these viruses does not support the District’s assertion. The viruses do not launch pornographic and other websites; they are related only to financial fraud (e.g., they attempt to steal user IDs and passwords). In addition, our analysis did not identify any “back doors” that would allow a remote user to access and control the compromised computer’s resources, or any viruses known to generate a history of pornographic sites.

The Superintendent informed us of the District’s plan to sanitize the computer. We asked the Superintendent to ensure that the computer (including the hard drive, Internet history, files, etc.) was left intact with the histories maintained, and to make it available for our further review the following week. The District Superintendent agreed; however, when we arrived on-site on August 25, 2010, we found the computer hard drive was inoperable. Since our examination of the computer and the information it contained was inhibited by the damaged hard drive, we could not use additional tools to confirm our research about the viruses. Appendix A details the OSC investigation of the viruses identified by the District.

Regardless of the source of the Internet history contained on the computer, accessing non-work-related websites from the computers the District uses for online banking drastically increases the risk that the computer could be infected with viruses and/or malicious software. Accessing the online banking website with an infected computer – especially when the District’s website filtering software failed to block or deny access to the high-risk sites – puts the District’s 21 bank accounts with approximately $24.8 million at June 30, 2010 at risk for theft.

[6] The Business Manager, Treasurer, and two account clerks.
[7] A cookie (also tracking cookie, browser cookie, and HTTP cookie) is a small piece of text stored on a user’s computer by a web browser.
[8] All activity was between 8:00 a.m. and 4:00 p.m. weekdays.

Recommendations

1. The District should ensure that all staff have completed and signed the computer user agreement required by District policy.

2. The Board should modify the online banking policy to prohibit staff from accessing District bank accounts from non-District computers.

3. The District should monitor computer usage and ensure that the website filtering software is properly working to deny user access to inappropriate websites.

4. The IT Director should immediately sanitize the computer that has had inappropriate Internet use and implement adequate security updates and controls. District officials should closely monitor the use of this computer to prevent inappropriate activities from occurring in the future.

The Board has the responsibility to initiate corrective action. Pursuant to Section 35 of the General Municipal Law, Section 2116-a (3)(c) of the Education Law, and Section 170.12 of the Regulations of the Commissioner of Education, a written corrective action plan (CAP) that addresses the findings and recommendations in this report must be prepared and provided to our office within 90 days, with a copy forwarded to the Commissioner of Education. To the extent practicable, implementation of the CAP must begin by the end of the next fiscal year. For more information on preparing and filing your CAP, please refer to our brochure, Responding to an OSC Audit Report, which you received with the draft audit report. The Board should make the CAP available for public review in the District Clerk’s office. Our office is available to assist you upon request.
If you have any further questions, please contact Ann Singer, Chief of Regional and Statewide Projects, at (607) 721-8310.

Sincerely,

Steven J. Hancox
Deputy Comptroller
Office of the State Comptroller
Division of Local Government and School Accountability


APPENDIX A
EXAMINATION OF THE DISTRICT’S VIRUSES

After reviewing the virus information provided to our auditors by the District’s IT Director, we determined that the viruses afflicting the computer were not likely to have caused the trail of pornographic website history and cookies. The screen shots provided by the IT Director revealed three suspect installations.

The first is a downloader, which acts as a carrier for other arbitrary threats and is most commonly used to download further viruses and Trojans (malware that appears to perform a desirable function but instead facilitates unauthorized access). For this reason, this particular Trojan can be very dangerous, as it can deliver not just a single threat but a combination of several threats.

The second virus was a fake antivirus. This particular Trojan functions by installing several fake files on the computer’s hard drive and immediately flagging them as viruses, though they are just arbitrary files. It then prompts the computer user to activate the “antivirus” software by going to the site provided by links in a pop-up window and entering credit card information. This virus is part of the financial fraud/phishing family of viruses.

The final item identified by the computer’s antivirus software was not itself a virus, but a script that looks for vulnerabilities in particular software and reports any findings back to a command and control server. The antivirus flagged it through heuristic detection, that is, on the basis of its behavior rather than a known signature.

Because these malicious installations identified by the antivirus are related only to financial fraud, and the antivirus did not identify either any back doors that would allow a remote user to use the compromised computer’s resources, or any viruses known to generate a history of pornographic sites, we initially determined that the viruses were not responsible for the presence of pornographic material, history, and cookies on the computer.

Further investigation into the websites that were visited by the computer showed that several of the sites hosted malware or acted as an intermediary to malicious sites. However, only one of these sites also hosted pornography. The rest of the pornographic sites were not identified as hosting malware, nor were they associated with any known malware, which indicates that no known viruses direct a user’s computer to the pornographic sites found in the investigated cookies associated with the user’s name. Finally, research we performed on “porn viruses” found that the majority of viruses that do generate traffic to pornographic sites have known virus definitions and would have been blocked by the computer’s antivirus software. These “porn viruses” also tend to become installed on a computer through visits to such sites or the downloading of such material (i.e., a user is not likely to download a “porn virus” itself from visiting a legitimate site, but is quite likely to get such a virus inadvertently from visiting a pornographic site). This information further supports our conclusion that the website history was user-generated and not the result of the malicious software found on the computer. Rather, the viruses are a result of unregulated Internet traffic.
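The Internet-history review described under Information Technology Controls, and the site analysis in this appendix, amount to three checks: classifying visited domains against reputation data, checking the timing of visits (footnote 8 notes all activity fell within weekday working hours), and comparing surviving cookies with history entries to spot deletion. The script below is an added example, not part of the OSC report or of the District IT Department’s work; the history records, cookie jar, blocklist and banking domain are all constructed (the sample deliberately includes one out-of-hours visit, unlike the report’s finding). It also lists banking-site visits that occurred after the first malware or phishing visit, since those are the sessions in which the online banking credentials may already have been exposed.

```python
"""Browser-history triage for a computer used for online banking (added example; constructed data)."""
from collections import Counter
from datetime import datetime, time
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlparse

# Constructed reputation list (domain -> category). Every host here is invented; a real review
# would use the filtering product's category data or a threat-intelligence feed.
BLOCKLIST = {
    "bad-downloader.example": "malware",
    "secure-login-bank.example": "phishing",
    "adult-site-a.example": "adult",
    "adult-site-b.example": "adult",
}
FILTERED_CATEGORIES = {"malware", "phishing", "adult"}   # what the web filter is supposed to deny
BANKING_DOMAINS = {"onlinebanking.example-bank.com"}      # constructed stand-in for the bank portal
WORKDAY = (time(8, 0), time(16, 0))                       # footnote 8: 8:00 a.m. to 4:00 p.m. weekdays

# Constructed history export as (visit time, URL); 2010-08-14 is a Saturday.
HISTORY = [
    ("2010-08-09 08:15:00", "https://onlinebanking.example-bank.com/login"),
    ("2010-08-09 10:02:14", "http://bad-downloader.example/update.exe"),
    ("2010-08-09 12:30:45", "http://adult-site-a.example/index"),
    ("2010-08-10 09:12:03", "https://secure-login-bank.example/verify"),
    ("2010-08-10 09:40:51", "https://onlinebanking.example-bank.com/transfers"),
    ("2010-08-10 15:55:00", "https://payroll-vendor.example/run"),
    ("2010-08-14 11:05:00", "http://adult-site-b.example/"),
]
# Constructed cookie jar; two domains have cookies but no surviving history entry.
COOKIES = {"onlinebanking.example-bank.com", "adult-site-a.example",
           "adult-site-c.example", "tracker.example"}


def domain_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def categorize(url: str) -> str:
    return BLOCKLIST.get(domain_of(url), "uncategorized")


def in_workday(ts: datetime) -> bool:
    return ts.weekday() < 5 and WORKDAY[0] <= ts.time() <= WORKDAY[1]


def triage(history: Iterable[Tuple[str, str]], cookies: Iterable[str]) -> Dict[str, object]:
    """Summarise a history export: filter bypasses, odd hours, deleted entries, exposed banking sessions."""
    records = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), url) for ts, url in history)

    def fmt(ts: datetime, url: str) -> str:
        return f"{ts:%Y-%m-%d %H:%M:%S} {url}"

    by_category = Counter(categorize(u) for _, u in records)
    # A visit in a filtered category reached the browser, so the web filter did not block it.
    filter_bypass = [fmt(ts, u) for ts, u in records if categorize(u) in FILTERED_CATEGORIES]
    out_of_hours = [fmt(ts, u) for ts, u in records if not in_workday(ts)]
    # Cookies for domains absent from the history point to history entries that were deleted.
    seen = {domain_of(u) for _, u in records}
    orphan_cookies = sorted(d for d in cookies if d not in seen)
    # Banking sessions after the first malware/phishing visit are the ones whose credentials are at risk.
    exposures = [ts for ts, u in records if categorize(u) in {"malware", "phishing"}]
    first_exposure = min(exposures) if exposures else None
    banking_after_exposure = [fmt(ts, u) for ts, u in records
                              if domain_of(u) in BANKING_DOMAINS
                              and first_exposure is not None and ts > first_exposure]
    return {
        "by_category": dict(by_category),
        "filter_bypass": filter_bypass,
        "out_of_hours": out_of_hours,
        "orphan_cookies": orphan_cookies,
        "first_exposure": f"{first_exposure:%Y-%m-%d %H:%M:%S}" if first_exposure else None,
        "banking_after_exposure": banking_after_exposure,
    }


if __name__ == "__main__":
    for key, value in triage(HISTORY, COOKIES).items():
        print(f"{key}: {value}")
```

The orphan-cookie check is the kind of evidence the auditors were relying on once history entries had been deleted; it only works while the original disk is intact, which is why the report asked for the computer to be preserved before sanitizing and why the later loss of the hard drive prevented further analysis.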


APPENDIX B RESPONSE OF DISTRICT OFFICIALS
The District officials’ response to this audit can be found on the following page.

