Greater Amsterdam School District Audit


8/7/2019 Greater Amsterdam School District Audit

THOMAS P. DiNAPOLI
COMPTROLLER
STATE OF NEW YORK

OFFICE OF THE STATE COMPTROLLER
110 STATE STREET
ALBANY, NEW YORK 12236

STEVEN J. HANCOX
DEPUTY COMPTROLLER
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY
Tel: (518) 474-4037 Fax: (518) 486-6479

    February 25, 2011

Mr. Thomas F. Perillo, Superintendent
Greater Amsterdam School District
11 Liberty Street
Amsterdam, NY 12010

    Report Number: S9-10-44

    Dear Superintendent Perillo and Members of the Board of Education:

A top priority of the Office of the State Comptroller is to help school district officials manage their resources efficiently and effectively and, by so doing, provide accountability for tax dollars spent to support district operations. The Comptroller oversees the fiscal affairs of districts statewide, as well as compliance with relevant statutes and observance of good business practices. This fiscal oversight is accomplished, in part, through our audits, which identify opportunities for improving district operations and Board of Education governance. Audits also can identify strategies to reduce costs and to strengthen controls intended to safeguard district assets.

In accordance with these goals, we conducted an audit of six school districts throughout New York State. The objective of our audit was to determine if school districts have adequate internal controls over their online banking processes to safeguard district monies. We included the Greater Amsterdam School District (District) in this audit. Within the scope of this audit, we examined the District's policies and procedures and reviewed all transactions associated with online banking for the period July 1, 2009 through August 31, 2010. Following is a report of our audit of the Greater Amsterdam School District. This audit was conducted pursuant to Article V, Section 1 of the State Constitution, and the State Comptroller's authority as set forth in Article 3 of the General Municipal Law.

This report of examination letter contains our findings specific to the District. We discussed the findings and recommendations with District officials and considered their comments, which appear in Appendix B, in preparing this report. District officials generally agreed with our findings and recommendations and plan to initiate corrective action. At the completion of our audit of the six school districts, we prepared a global report that summarizes the significant issues we identified at all of the school districts audited.

    Summary of Findings

Although the District had adequate controls over online banking transactions, the District's cash assets were put at risk due to the Internet usage associated with one of the District's computers.


One computer, which is used in the on-line banking process, had an Internet history containing malware (malicious software) and phishing[1] sites, and pornographic and other websites that maliciously track user names and passwords. District officials asserted that the websites were apparently visited due to three specific computer viruses. However, our research on these viruses (see Appendix A) does not support the District's assertion. The viruses do not launch pornographic and other web sites. They are related only to financial fraud (e.g., they attempt to steal user IDs and passwords). In addition, our analysis did not identify any back doors that would allow a remote user to access and control the compromised computer's resources, or any viruses known to generate a history of pornographic sites.

As noted above, the District has adequate controls in place over online banking. Online banking duties are appropriately segregated between four employees and the proper authorization step is in place. Bank accounts also are properly monitored to ensure online banking transactions are authorized. Controls could be further enhanced if the Board restricted online banking access to only District computers. We examined all 1,347 online transfers[2] performed during the audit period, totaling $147 million, and found all were in accordance with the District's policies and accurately recorded.

    Background and Methodology

The District is located in Montgomery County and serves the City of Amsterdam and the Towns of Amsterdam, Florida, Mohawk, Perth, Charlton, Duanesburg, and Glenville. The District is governed by a seven-member Board of Education (Board). The Superintendent of Schools (Superintendent) is the chief executive officer of the District and is responsible, along with other administrative staff, for the day-to-day management of the District under the direction of the Board. The District has six schools in operation and employs approximately 560 staff. District enrollment for the 2009-10 school year was approximately 3,700 students. The District's general fund expenditures for the 2009-10 school year were approximately $51.8 million, with a cash balance of approximately $24.8 million at June 30, 2010.

Recently, there has been a significant increase in fraud involving the exploitation of valid online banking credentials. Online banking fraud typically originates through fake email messages or malicious software (malware). The targeted user may receive an email that either contains an infected attachment or directs the recipient to an infected website. Once the recipient opens the attachment or visits the website, malware containing a key logger (which captures the user's keystrokes) is installed on the computer. The key logger harvests log-in information, allowing the perpetrator to masquerade as the legitimate user or create another user account. Thereafter, fraudulent electronic cash transfers are initiated and directed to bank accounts in the United States or foreign countries. Good controls over computer usage, specifically Internet usage, reduce the risk of fraud involving the exploitation of school district bank accounts.

During our audit period, the District made 1,347 online transfers totaling approximately $147 million for the period July 1, 2009 through July 31, 2010. The Business Office staff comprises

[1] Phishing refers to fraudulent attempts to gain sensitive or confidential information from a computer user by means that appear to be trustworthy.
[2] Online transfers include the transfer of money from a District account to a non-District account (wire transfers) and the transfer of money from one District account to another (intra-bank transfers).


To initiate wire transfers, the account clerks enter data from source documents into the online banking website. The bank sends an email to the Business Manager asking for transaction approval. After the Business Manager reviews the data and authorizes the transfer, Business Office personnel print a confirmation report from the website and keep it on file to verify the transfer was completed. For intra-bank transactions, the Treasurer receives a document for approval from the account clerks, with transfer data such as bank accounts and amounts. After the Treasurer reviews and approves the transactions, the account clerks enter the data into the online banking website and retain a confirmation report on file.

Bank reconciliations are performed by an account clerk who is not responsible for the online banking transactions against the applicable bank accounts.[5] The Treasurer reviews the reconciliations and maintains them on file. The bank reconciliations are included in the Treasurer's report submitted to and reviewed by the Board monthly.
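The segregation-of-duties rules in the two paragraphs above, expressed as a check that a single transfer satisfies them. This is an added example, not the District's or the bank's own system: the staff names, the account labels, the sample transfers and the role names are constructed for illustration. It applies the rules the report states: a clerk may only move money from an account assigned to that clerk (footnote 5), a transfer to a non-District account is a wire that the Business Manager approves while an intra-bank transfer is approved by the Treasurer, a confirmation report must be on file, and the reconciling clerk must not be the initiator or be responsible for the accounts involved.

```python
"""Model of the online banking authorization and reconciliation controls
described in the report. Added example, not the District's or the bank's
own system; the staff names, account labels and sample transfers are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed list of District bank accounts. A transfer whose destination is
# not a District account is a wire transfer (footnote 2 of the report).
DISTRICT_ACCOUNTS = frozenset({"general-fund", "payroll", "school-lunch"})

# Who must approve each kind of transfer, per the procedure in the report.
APPROVER_ROLE = {"wire": "business_manager", "intra-bank": "treasurer"}


@dataclass(frozen=True)
class Staff:
    name: str
    role: str  # account_clerk, business_manager or treasurer (assumed role names)
    accounts: FrozenSet[str] = frozenset()  # accounts a clerk may transfer from (footnote 5)


@dataclass
class Transfer:
    from_account: str
    to_account: str
    amount: float
    entered_by: str
    approved_by: Optional[str] = None
    confirmation_on_file: bool = False
    reconciled_by: Optional[str] = None


def classify(t: Transfer) -> str:
    """Wire (to a non-District account) or intra-bank (between District accounts)."""
    return "intra-bank" if t.to_account in DISTRICT_ACCOUNTS else "wire"


def control_violations(t: Transfer, staff: Dict[str, Staff]) -> List[str]:
    """Return every control failure for one transfer; an empty list means it passed."""
    problems = []
    kind = classify(t)
    initiator = staff[t.entered_by]
    if initiator.role != "account_clerk":
        problems.append(f"{t.entered_by} ({initiator.role}) may not enter transfers")
    if t.from_account not in initiator.accounts:
        problems.append(f"{t.entered_by} is not assigned source account {t.from_account}")
    if t.approved_by is None:
        problems.append(f"{kind} transfer has no approval")
    else:
        approver = staff[t.approved_by]
        if approver.role != APPROVER_ROLE[kind]:
            problems.append(
                f"{kind} transfer must be approved by the {APPROVER_ROLE[kind]}, "
                f"not {approver.role}"
            )
        if t.approved_by == t.entered_by:
            problems.append("initiator approved own transfer")
    if not t.confirmation_on_file:
        problems.append("no bank confirmation report on file")
    if t.reconciled_by is not None:
        rec = staff[t.reconciled_by]
        if rec.name == t.entered_by or rec.accounts & {t.from_account, t.to_account}:
            problems.append("reconciled by a clerk responsible for the account")
    return problems


def sample_staff() -> Dict[str, Staff]:
    """Constructed Business Office: two clerks with assigned accounts, a
    Business Manager and a Treasurer."""
    people = [
        Staff("ann", "account_clerk", frozenset({"school-lunch"})),
        Staff("bob", "account_clerk", frozenset({"general-fund", "payroll"})),
        Staff("carol", "business_manager"),
        Staff("dan", "treasurer"),
    ]
    return {p.name: p for p in people}


if __name__ == "__main__":
    staff = sample_staff()
    examples = [
        # wire entered by the assigned clerk, approved by the Business Manager, reconciled by another clerk
        Transfer("general-fund", "vendor-4471", 1200.00, "bob", "carol", True, "ann"),
        # intra-bank transfer wrongly approved by the Business Manager instead of the Treasurer
        Transfer("general-fund", "payroll", 50000.00, "bob", "carol", True, "ann"),
        # clerk outside her assigned account, self-approved, no confirmation on file
        Transfer("general-fund", "payroll", 10.00, "ann", "ann"),
    ]
    for t in examples:
        print(classify(t), t.from_account, "->", t.to_account, control_violations(t, staff) or "OK")
```

The check is deliberately a list rather than a boolean so that an auditor sees every failed control on a transfer, not just the first; the third sample transfer fails four of them at once.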

We reviewed 1,347 transfers made between July 1, 2009 and July 31, 2010 to determine whether they were properly recorded, appropriate and in compliance with District policies. Of the 1,347 transactions, 1,067 transfers totaling $123.1 million were between District accounts; the other 280 transfers totaling $23.9 million were made from District to non-District accounts. The transfers between District accounts were mostly for biweekly payroll transactions and for vendor check payments made from the general fund. We found that all transactions were accurately recorded and all transfers between District accounts were accurate. Further, the transfers from District to non-District accounts were appropriate and proper.

However, the four Business Office personnel have user names and passwords that are not computer-specific, allowing them to potentially access the online banking website from any computer. Although these users generally access the website from their District computers, the District's policy does not prohibit them from using other computers to do so. The District can further reduce the risk of unauthorized access by modifying its online banking policy to prohibit access to bank accounts from non-District computers.

Information Technology Controls

District officials are responsible for maintaining adequate controls over employee computer usage, especially on the Internet. These controls include an Internet usage policy that establishes the District's expectations for employees who use a District computer. Additionally, the use of website filtering software can restrict access to District-approved websites only, and careful monitoring of Internet access helps to ensure appropriate use. Without a strict user policy and monitoring systems in place, inappropriate Internet usage could put District computers at risk, including those used to access on-line banking websites specific to the District's bank accounts.

The District has a computer usage policy that provides guidance and procedures for proper usage, and specifically states that the same standards of acceptable staff conduct that apply to any aspect of job performance apply to use of District computers. Employees are expected to communicate in a professional manner consistent with applicable District policies and regulations governing the behavior of school staff. The policy also states that employees who use a District computer must each sign a computer user agreement indicating they understand what is expected of them. Additionally, the District has website filtering software that prohibits access to various websites that are deemed not work-related. However, District officials could not provide us with the user agreements for staff involved in online banking, and said that these individuals had been with the District long before the policy took effect.

[5] The account clerks are each assigned bank accounts from which they may transfer money for properly authorized transactions. For example, a clerk assigned the school lunch fund may transfer money only from the bank account in which the lunch fund monies are maintained.

To determine if the information technology controls are operating effectively, we reviewed the hardware, software, Internet history, and related information on the four[6] users' computers that are involved in online banking activity. This review included analyzing the Internet history (cookies[7]) on each machine to determine whether the Internet activity was appropriate and if the activity is putting District monies at risk.

Three of the four computers used for online banking had adequate website filtering software and were being used in accordance with District computer usage policy. However, our August 11, 2010 examination of one computer found it contained a history of questionable Internet usage. Further, we observed a "how to delete Internet history" window open in the help screen on that computer later the same day, and some of the history and Internet cookie files had been deleted.

Based on a report[8] provided to us by the District's Information Technology Department (IT Department), we determined that this computer had been used to access websites containing information on malware, phishing and pornography, and numerous other non-work related websites.
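The kind of history review described in the three paragraphs above, as an added example that is not OSC's or the District's tooling. It parses a constructed history export (one timestamp and URL per line, as a browser history exporter or proxy log might produce), classifies each host against a constructed category list standing in for the filtering product's categories, and reports the high-risk hosts, the hosts that are both pornographic and malware-hosting (the distinction Appendix A draws), whether the banking site was visited from the same machine, and whether every flagged visit fell inside the weekday working-hours window noted in footnote 8. The domain names, the category list, the history lines and the 8:00-16:00 window are all assumptions.

```python
"""Classify a browsing history against a category list and summarise when the
flagged visits occurred. Added example, not OSC's or the District's tooling;
the history lines, the category list and the working-hours window are
constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed category list keyed by domain. A real review would use the
# filtering product's category feed or a threat-intelligence list instead.
CATEGORIES = {
    "bank.example": {"banking"},
    "malware-drop.example": {"malware"},
    "login-verify.example": {"phishing"},
    "adult-one.example": {"adult"},
    "adult-two.example": {"adult", "malware"},
    "news.example": {"news"},
}
HIGH_RISK = {"malware", "phishing", "adult"}

# Constructed history export: "ISO timestamp<TAB>URL" per line. Not taken from
# the audit; the dates are chosen to fall on weekdays in August 2010.
HISTORY = """\
2010-08-10T09:12:03\thttps://bank.example/wire/new
2010-08-10T09:40:17\thttp://adult-one.example/gallery
2010-08-10T09:41:05\thttp://www.adult-two.example/video?id=7
2010-08-10T13:05:44\thttp://login-verify.example/secure/update
2010-08-10T15:30:00\thttp://malware-drop.example/setup.exe
2010-08-11T10:02:11\thttps://bank.example/transfers
2010-08-11T10:55:30\thttp://news.example/today
"""


def parse_history(text):
    """Return (datetime, hostname) pairs for each non-empty history line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, url = line.split("\t", 1)
        entries.append((datetime.fromisoformat(stamp), urlparse(url).hostname or ""))
    return entries


def domain_categories(host):
    """Look up the host, then each parent domain (www.adult-two.example -> adult-two.example)."""
    labels = host.split(".")
    for i in range(len(labels)):
        cats = CATEGORIES.get(".".join(labels[i:]))
        if cats:
            return cats
    return {"uncategorised"}


def review(entries, start_hour=8, end_hour=16):
    """Summarise a history: visit counts per category, the high-risk hosts, hosts
    that are both adult and malware-hosting, whether the banking site appears,
    and whether every flagged visit fell in the weekday working-hours window."""
    counts = Counter()
    hosts_by_cat = defaultdict(set)
    flagged = []
    for when, host in entries:
        cats = domain_categories(host)
        for c in cats:
            counts[c] += 1
            hosts_by_cat[c].add(host)
        if cats & HIGH_RISK:
            flagged.append((when, host))
    in_hours = all(
        when.weekday() < 5 and start_hour <= when.hour < end_hour for when, _ in flagged
    )
    return {
        "counts": dict(counts),
        "high_risk_hosts": sorted({h for _, h in flagged}),
        "adult_and_malware": sorted(hosts_by_cat["adult"] & hosts_by_cat["malware"]),
        "banking_host_present": bool(hosts_by_cat["banking"]),
        "all_flagged_in_working_hours": in_hours,
    }


if __name__ == "__main__":
    for key, value in review(parse_history(HISTORY)).items():
        print(f"{key}: {value}")
```

A history that shows high-risk visits only during the user's working hours, from a machine that also visits the banking site, is the pattern the report describes; automated malware traffic is not bound to the working day, so the working-hours check is one cheap signal (not proof) when deciding whether visits were user-generated. Deleted history and cookies, as observed on the District's machine, would simply be absent from the export, so a review of this kind should be run against a preserved image rather than the live machine.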

On August 19, 2010, we told the Superintendent of the Internet content on the computer. District IT staff could not explain why the website filtering software did not detect and prevent access to this prohibited content. On August 20, 2010, the Superintendent and IT Director told us that IT personnel found computer viruses which caused the questionable website visits without the user's knowledge. However, our research on these viruses does not support the District's assertion. The viruses do not launch pornographic and other web sites. They are related only to financial fraud (e.g., they attempt to steal user IDs and passwords). In addition, our analysis did not identify any back doors that would allow a remote user to access and control the compromised computer's resources, or any viruses known to generate a history of pornographic sites. The Superintendent informed us of the District's plan to sanitize the computer. We asked the Superintendent to ensure that the computer (including the hard drive, Internet history, files, etc.) was left intact with the histories maintained, and to make it available for our further review the following week. The District Superintendent agreed; however, when we arrived on-site on August 25, 2010, we found the computer hard drive was inoperable. Since our examination of the computer and the information it contained was inhibited by the damaged hard drive, we could not use additional tools to confirm our research about the viruses. Appendix A details the OSC investigation of the viruses identified by the District.

Regardless of the source of the Internet history contained on the computer, accessing non-work-related websites from the computers the District uses for online banking drastically increases the risk that the computer could be infected with viruses and/or malicious software. Accessing the online banking website with an infected computer, especially when the District's website filtering software failed to block or deny access to the high-risk sites, puts the District's 21 bank accounts with approximately $24.8 million at June 30, 2010 at risk for theft.

[6] The Business Manager, Treasurer, and two account clerks.
[7] A cookie (also tracking cookie, browser cookie, and HTTP cookie) is a small piece of text stored on a user's computer by a web browser.
[8] All activity was between 8:00 a.m. and 4:00 p.m. weekdays.

    Recommendations

1. The District should ensure that all staff have completed and signed the computer user agreement required by District policy.

2. The Board should modify the online banking policy to prohibit staff from accessing District bank accounts from non-District computers.

3. The District should monitor computer usage and ensure that the website filtering software is properly working to deny user access to inappropriate websites.

4. The IT Director should immediately sanitize the computer that has had inappropriate Internet use and implement adequate security updates and controls. District officials should closely monitor the use of this computer to prevent inappropriate activities from occurring in the future.

The Board has the responsibility to initiate corrective action. Pursuant to Section 35 of the General Municipal Law, Section 2116-a (3)(c) of the Education Law, and Section 170.12 of the Regulations of the Commissioner of Education, a written corrective action plan (CAP) that addresses the findings and recommendations in this report must be prepared and provided to our office within 90 days, with a copy forwarded to the Commissioner of Education. To the extent practicable, implementation of the CAP must begin by the end of the next fiscal year. For more information on preparing and filing your CAP, please refer to our brochure, "Responding to an OSC Audit Report," which you received with the draft audit report. The Board should make the CAP available for public review in the District Clerk's office.

Our office is available to assist you upon request. If you have any further questions, please contact Ann Singer, Chief of Regional and Statewide Projects, at (607) 721-8310.

    Sincerely,

Steven J. Hancox, Deputy Comptroller
Office of the State Comptroller
Division of Local Government and School Accountability


    APPENDIX A

EXAMINATION OF THE DISTRICT'S VIRUSES

After reviewing the virus information provided to our auditors by the District's IT Director, we determined that the viruses afflicting the computer were not likely to have caused the trail of pornographic website history and cookies.

The screen shots provided by the IT Director revealed three suspect installations. The first is a downloader which acts as a carrier for other arbitrary threats, and is most commonly used to download further viruses and Trojans (malware that appears to perform a desirable function but instead facilitates unauthorized access). For this reason, this particular Trojan can be very dangerous, as it can deliver not just a single threat but a combination of several threats.

The second virus was a fake antivirus. This particular Trojan functions by installing several fake files on the computer's hard drive and immediately flagging them as viruses, though they are just arbitrary files. It then prompts the computer user to activate the antivirus software by going to the site provided by links in a pop-up window and entering credit card information. This virus is part of the financial fraud/phishing family of viruses.

The final installation to be identified by the computer's antivirus software was not itself a virus, but a script that looks for vulnerabilities in particular software and reports any findings back to a command and control server. The antivirus flagged it by heuristic (behavior-based) detection rather than by a signature for a known virus.

Because these malicious installations identified by the antivirus are related only to financial fraud, and the antivirus did not identify either any back doors that would allow a remote user to use the compromised computer's resources, or any viruses known to generate a history of pornographic sites, we initially determined that the viruses were not responsible for the presence of pornographic material, history, and cookies on the computer.

Further investigation into the websites that were visited by the computer showed that several of the sites hosted malware or acted as an intermediary to malicious sites. However, only one of these sites also hosted pornography. The rest of the pornographic sites were not identified as hosting malware, nor were they associated with any known malware, which indicates that no known viruses direct a user's computer to the pornographic sites found in the investigated cookies associated with the user's name.

Finally, research we performed on "porn viruses" found that the majority of viruses that do generate traffic to pornographic sites have known virus definitions and would have been blocked by the computer's antivirus software. These porn viruses also tend to become installed on a computer through visits to such sites or the downloading of such material (i.e., a user is not likely to download a porn virus itself from visiting a legitimate site, but is quite likely to get such a virus inadvertently from visiting a pornographic site). This information further supports our conclusion that the website history was user-generated and not the result of the malicious software found on the computer. Rather, the viruses are a result of unregulated Internet traffic.


    APPENDIX B

    RESPONSE OF DISTRICT OFFICIALS

The District officials' response to this audit can be found on the following page.
