2019
A Look Into the Matrix: How Data Analytics Can Affect You

What is Data Analytics?

Data is all around us. It is in our cars, phones, watches and the computer systems used throughout the University of Kentucky. It enables us to do sophisticated things, such as paying for meals electronically or sending an email, things that few people could have imagined even 30 years ago.

What’s more, the amount of data around us is growing exponentially. The problem is that all this data is virtually useless unless it is applied to a specific task. So how do we harness it for a useful purpose? Here at UK, data is applied to many tasks and produces much of what you see and use on campus today, all with the help of data analytics.

While the concept has been around for a long time, most people would be hard-pressed to say precisely what data analytics is or what benefits it offers. Simply put, data analytics is the process of taking raw data and working it until a meaningful insight can be obtained. This usually involves writing a computer program that searches huge data files or databases and extracts useful information from them.

  

What are the Benefits of Data Analytics?

 

1. Cost-effective – A computer program can quickly and easily sift through vast stores of data, far more efficiently than a human ever could.

2. Comprehensive – In traditional auditing, where there is a large amount of data, only a portion of the data is examined, known as a test sample. However, data analytics can process 100 percent of the data, giving the most complete depiction of the information.

3. Accurate – People make mistakes. A well-tested data analytic performs the same checks the same way each time it is run, so its results are consistent and can be relied upon.

4. Repeatable and Reproducible – The data analytic can be operated continuously and is easily adapted to run for additional units.   

 

The University of Kentucky depends on many computer systems in both its campus setting and its hospital. These systems are inundated with data every second of every day. To get the most out of its systems and provide the best possible experience for its students and employees, data analytics is a vital tool for managing the vast amounts of data that must be processed.

 

Data Analytics in Internal Audit

 

UK Internal Audit (UKIA) uses data analytics to identify outliers that could be indicative of reporting errors, conflicts of interest, or even fraud. For example, an analytic may be used to determine whether there has been any suspicious credit card activity in a particular unit.

 

Once written, that data analytics program can be used again and again, and across multiple units, making it a very cost-effective risk-mitigation tool. It can even be run on a regular schedule, such as monthly or quarterly. Data analytics executed repeatedly for auditing purposes is referred to as Continuous Auditing. Such constant monitoring has already proven to be a significant enhancement to UKIA’s assurance programs for the University.


For more information on data analytics or to schedule a review in your unit, please contact UKIA at 859.257.3126, or visit our website at https://www.uky.edu/internalaudit/.

 

If you would like to receive news and information about current risks, fraud concerns and more, please subscribe to UKIA’s listserv by sending an e-mail to LISTSERV@lsv.uky.edu with the following text in the message body: subscribe INTERNALAUDIT-L.

Photo by: Christiaan Colen

Mobile Device Security

Connected mobile devices, including smartphones, tablets, and laptops, have become a ubiquitous presence in every-day life that offers always-on connectivity, no matter the location. In fact, 95 percent of Americans now own a cell phone of some kind, with 77 percent owning a smartphone – up from 35 percent just eight years ago.[1]

When such devices are used to store and transmit sensitive data, the added convenience carries with it a significant risk. At a University where such stored data may include information on thousands of students, patients, payment transactions and proprietary research, that risk can be enormous, as the risk of lost or compromised data is compounded by the financial loss stemming from fines and fees, as well as damage to the University’s reputation.

For a case in point, a Texas-based academic medical center was recently fined more than $4.3 million in Health Insurance Portability and Accountability Act (HIPAA) violation penalties. The fines were a result of three data breach incidents that involved the theft of a single unencrypted laptop and two unencrypted USB drives from an employee’s residence. Combined, these devices contained the protected health information of more than 33,500 individuals.[2]

 

The Risks

Here at the University of Kentucky, data is classified into three categories[3]:

  • Confidential Data – High-risk data that requires protection by law. Examples include patient health data subject to HIPAA, or student records subject to the Family Educational Rights and Privacy Act.
  • Private Data – Moderate-risk data that requires protection by contractual obligation. Examples include non-confidential research data or data covered by non-disclosure agreements.
  • Public Data – Low-risk data that needs protection at the discretion of the data owner. Examples include departmental websites, campus maps, or directory data.

It is imperative for data classified as confidential or private to be adequately safeguarded to meet regulatory and contractual requirements. Failure to mitigate the risks associated with mobile devices may result in a substantial financial and reputational loss for the University.

 

12 Tips for Securing Your Mobile Data

By employing some relatively simple security precautions, individuals and units can help to minimize the risks associated with sensitive data stored on mobile devices.

  1. Minimize your mobile data footprint – One of the easiest ways to secure data on a mobile device is simply to remove it from the device. Take an inventory of the sensitive data you store on smart devices and determine whether you really need that data on the go, or whether keeping it there creates unnecessary risk.
  2. Be mindful of physical security – One laptop is stolen every 53 seconds, and more than 70 million smartphones are lost each year.[4] Do not leave mobile devices unattended, especially in public areas or while traveling. When not in use, store your device in a locked, secure area.
  3. Avoid the use of untrusted, potentially unsecured wireless networks – UK has several secure options, depending on your location:
    • UK’s campus - use the secure eduroam wireless network.
    • UK HealthCare areas - use the ukhc-guestgobigblue, or ukhc-clinical networks, depending on device type and ownership (contact the UK Healthcare Information Technology (IT) Service Desk for more details and configuration assistance).
    • Off-campus – If you must use an untrusted network, configure your device to use UK’s VPN service so that network communications are secured.
  4. Encrypt your device – Encryption is one of the best methods of keeping sensitive data out of the wrong hands. In the event of device loss or theft, mobile device encryption – or lack thereof – may mean the difference between a relatively minor incident and a high-profile data breach leading to potentially devastating losses. IT units should ensure that required encryption standards are met for UK-owned devices. UK faculty and staff with personal mobile devices storing sensitive data should ensure that encryption is enabled on the device. Encryption technologies vary by device and manufacturer:
    • Apple iOS (iPhones, iPads): Encryption is activated when a passcode is set.
    • Android devices: Encryption is available, though it may not be enabled by default. Encryption options are available under the Security settings menu.
    • Windows computers: BitLocker encryption is available, though not enabled by default.
    • Apple (Mac) computers: FileVault encryption is available, though not enabled by default.
  5. Use a strong password – Ensure that devices require a password to be unlocked. Passwords should be strong and difficult to guess. The most robust encryption may be rendered useless by a weak, easily-guessed password.
  6. Configure your device to receive automatic security updates – Many emerging security threats rely on unpatched vulnerabilities to spread quickly. Device and application updates should be downloaded and installed frequently.
  7. Keep track of your device’s location – Enable your device’s location service features, such as Find My iPhone (for iPhones) or Find My Device (for Android devices). In the event of a loss, such features may allow you to locate or remotely wipe the device.
  8. Install only trusted applications – Avoid untrusted applications that may access or transmit sensitive information on your device. If in doubt about an application, contact your IT support personnel before installing.
  9. Be familiar with your unit’s security policy and procedures – IT support units should establish Information Security and “Bring Your Own Device” policies and ensure that they are regularly communicated to faculty and staff.
  10. Register your device with AirWatch (MC users only) – Faculty and staff on the Medical Center (“MC”) domain should install AirWatch, a mobile security suite implemented for enhanced security and compliance with HIPAA and other regulatory requirements. AirWatch ensures that certain security-related features, such as encryption and password protection, are enabled. For more details and installation instructions, visit https://spwww.ukhc.org/airwatch/SitePages/Home.aspx or contact the UK Healthcare IT Service Desk.
  11. Dispose of devices securely – Never sell, give away, dispose of, or otherwise transfer ownership of your device until it has been entirely and securely wiped to remove all data.
  12. Report security breaches immediately – UK Administrative Regulation 10:8 and UK HealthCare Policy #A13-010 require that users be diligent in their protection of data and response to security threats. Known or suspected breaches – including mobile devices that may have been lost, stolen, or otherwise compromised – must be reported immediately through either the IT Security & Policy Office at cybersecurity@uky.edu or ITS User Services at 218help@uky.edu or 859-218-4357. Losses or breaches in UK HealthCare areas must also be reported to the Chief Privacy Officer in the Office of Corporate Compliance at 859-323-1184. Swift reporting is critical.

There is no question that mobile devices enhance our productivity and quality of life. By taking a proactive approach and implementing sound policies and procedures to safeguard mobile data, device owners and IT units can significantly reduce the risk associated with the loss or compromise of sensitive data as we take our work “on the go.”

For more information about mobile device security, or to schedule an IT consultation to review practices for handling mobile devices and sensitive information in your unit, please contact UKIA at 859-257-3126.

 

If you would like to receive news and information about current risks, fraud concerns and more, please subscribe to UKIA’s listserv by sending an e-mail to LISTSERV@lsv.uky.edu with the following text in the message body: subscribe INTERNALAUDIT-L.


Additional Resources:

 

[1] https://www.pewinternet.org/fact-sheet/mobile/

[2] https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html

[3] https://www.uky.edu/its/policies/data-classification

[4] https://www.forbes.com/sites/steveolenski/2017/12/08/is-the-data-on-your-business-digital-devices-safe/#397fb7994c6a

Planes, Trains and Travel Schemes

The faculty and staff of the University of Kentucky travel throughout the Commonwealth, the United States, and the world while supporting the mission of UK. As more employees travel, the likelihood of improper activity through travel expenditures can increase. According to the ACFE 2018 Report to the Nations, inappropriate expense reimbursements constituted 14 percent of all fraud schemes.[1] The keys to preventing these situations are being familiar with the types of travel schemes typically attempted, as well as having prevention and detection controls in place.

 

Travel Schemes

Supervisors should be aware of the most common travel schemes and how they are perpetrated:

 

  • Multiple Reimbursements – The employee will request reimbursement numerous times for the same purchase.
  • Fictitious Expenses – The employee will create false expenditures and request reimbursement for those items. 
  • Overstate Expenses – The employee requests reimbursement for an amount higher than the original cost. 
  • Mischaracterized Expenses – The employee requests reimbursement for a personal expense but claims it was a business expense.

Below are examples of how such schemes may be committed:

 

  1. Additional Car Mileage – when an employee requests reimbursement for more mileage than they actually drove for business purposes.
  2. Unallowable Expenses – when an employee submits an expense for reimbursement that is unallowable per the University of Kentucky or the grant.
  3. Personal Expenses – when an employee purchases items for personal use, but classifies them as a business expense in order to be reimbursed. This often includes business trips that are extended for personal reasons.
  4. Out of Pocket Expenses – when an employee requests reimbursement for expenses that they did not incur by over-claiming out-of-pocket expenses, such as tips for hotel bellhops or cabs that only take cash. Supervisors must be careful because travelers are legitimately stuck in these situations and are unable to show proof of payment.
  5. Unused Expenses – when employees request reimbursement for a conference that they originally registered for but ultimately did not attend.
  6. Altered Receipts – when an employee uses a blank receipt to create a receipt for an item they did not actually purchase – or alters a receipt to increase the cost of an item – and asks for reimbursement for the false amounts.
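The outlier analytic that the Data Analytics article above describes, applied to the reimbursement schemes just listed, as an added example. It is not UKIA’s own analytic, and the claim records are constructed for illustration; the field names, the MAD-based threshold and the factor k are assumptions. It flags the same claim submitted twice (including once by expense report and once by ProCard), one receipt number supporting more than one claim, and amounts far out of line with what a vendor normally charges.

```python
"""Continuous-audit analytic over travel reimbursement claims.

Added example, not UKIA's own analytic. The claim records below are
constructed for illustration and do not describe real University data.
"""
from collections import defaultdict
from statistics import median

# Constructed sample claims. Each claim is one reimbursement request, whether
# paid through an expense report or charged to a ProCard.
CLAIMS = [
    {"id": "C1", "employee": "E100", "date": "2019-03-02", "vendor": "Airline",
     "amount": 412.50, "method": "expense_report", "receipt": "R-88"},
    {"id": "C2", "employee": "E100", "date": "2019-03-02", "vendor": "Airline",
     "amount": 412.50, "method": "procard", "receipt": "R-88"},
    {"id": "C3", "employee": "E101", "date": "2019-03-04", "vendor": "Hotel",
     "amount": 189.00, "method": "expense_report", "receipt": "R-90"},
    {"id": "C4", "employee": "E102", "date": "2019-03-05", "vendor": "Hotel",
     "amount": 175.00, "method": "expense_report", "receipt": "R-91"},
    {"id": "C5", "employee": "E103", "date": "2019-03-05", "vendor": "Hotel",
     "amount": 1890.00, "method": "expense_report", "receipt": "R-92"},
    {"id": "C6", "employee": "E104", "date": "2019-03-06", "vendor": "Hotel",
     "amount": 182.00, "method": "expense_report", "receipt": "R-93"},
    {"id": "C7", "employee": "E105", "date": "2019-03-06", "vendor": "Hotel",
     "amount": 195.00, "method": "expense_report", "receipt": "R-94"},
    {"id": "C8", "employee": "E101", "date": "2019-03-07", "vendor": "Taxi",
     "amount": 40.00, "method": "expense_report", "receipt": "R-90"},
]


def find_duplicate_claims(claims):
    """Multiple reimbursements: the same employee, date, vendor and amount
    submitted more than once, including once by expense report and once by
    ProCard."""
    groups = defaultdict(list)
    for c in claims:
        key = (c["employee"], c["date"], c["vendor"], round(c["amount"], 2))
        groups[key].append(c["id"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)


def find_reused_receipts(claims):
    """One receipt number supporting more than one claim, which points at a
    duplicate submission or an altered receipt."""
    by_receipt = defaultdict(list)
    for c in claims:
        by_receipt[c["receipt"]].append(c["id"])
    return sorted(ids for ids in by_receipt.values() if len(ids) > 1)


def find_amount_outliers(claims, vendor, k=5.0):
    """Overstated expenses: amounts far from the typical charge for a vendor.
    Uses the median and median absolute deviation (MAD) so that one inflated
    claim cannot drag the threshold up with it; k is a tuning assumption."""
    amounts = [c["amount"] for c in claims if c["vendor"] == vendor]
    if len(amounts) < 3:
        return []  # too few claims to establish a norm for this vendor
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts)
    if mad == 0:
        return []  # every claim identical; nothing stands out
    return sorted(c["id"] for c in claims
                  if c["vendor"] == vendor and abs(c["amount"] - med) > k * mad)


def run_analytic(claims):
    """The scheduled job: the same checks every period, for any unit's claims."""
    vendors = sorted({c["vendor"] for c in claims})
    return {
        "duplicates": find_duplicate_claims(claims),
        "reused_receipts": find_reused_receipts(claims),
        "outliers": {v: find_amount_outliers(claims, v) for v in vendors},
    }


if __name__ == "__main__":
    for check, result in run_analytic(CLAIMS).items():
        print(check, result)
```

Every hit is a lead for a reviewer, not a finding on its own: a repeated receipt number may be a legitimate multi-item receipt, and an outlier hotel charge may be a conference rate. The value of the analytic is that it runs the same way over 100 percent of the claims every month, so the reviewer starts from the handful of rows worth a second look.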

 

Prevention and Detection Controls

The University of Kentucky Business Procedures Manual (BPM) contains a travel policy which defines reimbursable expenses and non-reimbursable expenses for travel, as well as the responsibilities for the Supervisor/Department Administrator. As the first line of defense in preventing improper travel reimbursements, supervisors are responsible for understanding these BPMs and conducting the following:

 

  • Ensuring all employees comply with the University travel policy.
  • Verifying the business purpose of travel.
  • Confirming that the travel expenses are the most economical available at the time(s) needed.
  • Comparing reimbursement requests against the conference or event agenda to ensure that all days requested are business-related.
  • Approving TRIP travel expense reports in a timely manner.

 

Additionally, to prevent improper travel reimbursements from happening in the first place, departments also need to have strong internal controls. Some controls that should be established are:

  • Require original documentation to be submitted with each travel expense.
  • Establish a formal review process with more than one level of review and approval, and ensure segregation of duties within the department between the people who incur, review and approve travel expenses.
  • Train the staff. Supervisors and reviewers should know which travel expenses are allowable or unallowable per the University policy or grant agreement. 
  • Question expenditures that look extraordinary or abnormal so that employees know reviews are being performed.
  • Treat travel reimbursements consistently by having employees reimbursed through an employee expense report or by using a ProCard. Employees going between the two payment methods could allow for duplicate payment.
  • Supervisors should perform monthly reviews to ensure travel expenses are meeting the standards established by the University or the department.

 

Lastly, the tone set for the department by management is critical. If the employees see upper management breaking the rules, then employees will likely follow their actions. Leading through example is the best medicine to fight against improper travel reimbursements.


If you would like to receive news and information about current risks, fraud concerns and more, please subscribe to UKIA’s listserv by sending an e-mail to LISTSERV@lsv.uky.edu with the following text in the message body: subscribe INTERNALAUDIT-L.


[1] Association of Certified Fraud Examiners, 2018 Report to the Nations. https://s3-us-west-2.amazonaws.com/acfepublic/2018-report-to-the-nations....

Reconciliation Risks in Higher Education

With tightened budgets in higher education, decreased funding from the state and increased expectations for state-of-the-art facilities, the University must carefully account for every dollar no matter the source of funding. Reconciliations of University accounts are one of the most effective methods available to meet this need, yet UK Internal Audit (UKIA) has recently noted a number of units that don’t perform this essential process on a regular basis, if at all.

Without a complete and thorough reconciliation process in place, issues like accounting misclassifications, unsubstantiated expenditures, and missing documentation can put the unit – and the University – at risk. The impact of these occurrences includes the potential for paying for another unit’s expenses, accounts going over budget, or schemes for personal profit going unnoticed, all of which preclude a department’s ability to plan and appropriately budget.

 

Reconciliation Requirements

A reconciliation is simply the process of comparing two sets of records to ensure that they agree with each other, i.e., that the money leaving an account matches the amount shown to be spent. There are two main types: bank reconciliations and balance sheet reconciliations. A bank reconciliation confirms that the general ledger matches the corresponding bank statement. A balance sheet reconciliation verifies the reliability of accounting records by comparing general ledger balances with another internal or external statement or document. At UK, the policy calls for comparing the supporting documentation maintained by the department with the information in the SAP system.

During the reconciliation process, there are five requirements that all transactions should meet:

1. Reasonable – A payment should be fair and sensible, not excessive. It should reflect a prudent decision to incur the cost on behalf of University business.

2. Allowable – It should be a necessary, reasonable and appropriate purchase of goods or services that is permitted by University policy.

3. Allocable – The cost is incurred for the benefit of a cost object and is directly related to its purpose.

4. Accurate – All payments should be correct in their details and adequately represent the transaction.

5. Appropriate – Transactions should be suitable to their circumstances and proper for use by the University.

Vetting transactions frequently for all these requirements is essential. However, this is not always done. Sometimes a few of the requirements are checked for, but not all five. For instance, the reconciler may check to make sure that a purchase was approved and accurate but may not check to make sure it is reasonable or allowable. It is critical that transactions are assessed for all five requirements to protect the University.

 

Reconciler Duties

While carrying out their duties, reconcilers must not only make sure they have all the documentation and information needed to reconcile; they must also have a discerning eye for what they are checking. Extra attention must be paid on high-risk items such as food, computer equipment or easily resold objects. The reconciler should also be particularly vigilant on areas with a high potential for inappropriate activities to occur, such as payments for personal service contracts, special activities, and travel expenses.

Reconciliations should also be timely. Ledgers should be checked for all cost objects on a monthly basis and corrected immediately. Errors left unchecked can significantly affect the department’s ability to adapt and plan. Furthermore, the reconciler should perform variance analysis to compare actual operations to budgeted amounts. Once reconciliations are complete, they should be reviewed and approved by appropriate management personnel in order to properly safeguard against reconciliation errors.
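The comparison described under Reconciliation Requirements, together with the variance analysis mentioned above, as an added example. It is not University Financial Services’ procedure or an SAP export: the ledger lines, the department’s documents and the budget are constructed, and the field names (document number, cost object, G/L account) are assumptions that only imitate a ledger posting. Each ledger line is matched to the department’s own record of it by document number, and the leftovers are exactly the risks the article names: a charge with no documentation behind it, an amount that disagrees between the two records, a documented purchase that was never posted to this cost object, and an account running over budget.

```python
"""Balance-sheet style reconciliation of one cost object.

Added example, not University Financial Services' procedure. The ledger
lines, departmental documents and budget are constructed; the field names
imitate an SAP-style posting and are assumptions.
"""
from collections import Counter

# Constructed ledger lines for one cost object, as the central system shows them.
LEDGER = [
    {"doc": "5000001", "cost_object": "1011", "gl": "530010", "amount": 250.00, "text": "Lab supplies"},
    {"doc": "5000002", "cost_object": "1011", "gl": "540020", "amount": 1200.00, "text": "Laptop"},
    {"doc": "5000003", "cost_object": "1011", "gl": "530010", "amount": 75.00, "text": "Catering"},
    {"doc": "5000004", "cost_object": "1011", "gl": "530010", "amount": 90.00, "text": "Printer toner"},
]

# Constructed supporting documentation kept by the department (invoices, receipts).
DEPT_DOCS = [
    {"doc": "5000001", "amount": 250.00},
    {"doc": "5000002", "amount": 1020.00},  # transposed digits in one of the two records
    {"doc": "5000004", "amount": 90.00},
    {"doc": "5000005", "amount": 300.00},   # approved, but never posted to this cost object
]

# Constructed budget per G/L account for the period.
BUDGET = {"530010": 400.00, "540020": 1000.00}


def reconcile(ledger, docs, tolerance=0.005):
    """Compare each ledger line with the department's own record of it."""
    docs_by_number = {d["doc"]: d for d in docs}
    posted = {line["doc"] for line in ledger}
    findings = {"matched": [], "amount_mismatch": [], "unsupported": [], "not_posted": []}
    for line in ledger:
        doc = docs_by_number.get(line["doc"])
        if doc is None:
            # Charged to the account with no supporting documentation:
            # possibly another unit's expense or an unsubstantiated purchase.
            findings["unsupported"].append(line["doc"])
        elif abs(doc["amount"] - line["amount"]) > tolerance:
            findings["amount_mismatch"].append((line["doc"], line["amount"], doc["amount"]))
        else:
            findings["matched"].append(line["doc"])
    # Documented by the department but absent from the ledger: not yet posted,
    # or posted to someone else's cost object.
    findings["not_posted"] = sorted(d for d in docs_by_number if d not in posted)
    return findings


def variance_by_gl(ledger, budget):
    """Actual spend per G/L account minus budget; positive means over budget."""
    actual = Counter()
    for line in ledger:
        actual[line["gl"]] += line["amount"]
    accounts = sorted(set(actual) | set(budget))
    return {gl: round(actual[gl] - budget.get(gl, 0.0), 2) for gl in accounts}


if __name__ == "__main__":
    for finding, items in reconcile(LEDGER, DEPT_DOCS).items():
        print(finding, items)
    print("variance", variance_by_gl(LEDGER, BUDGET))
```

Matching on document number rather than on amount is deliberate: two unrelated purchases can share an amount, and an amount mismatch on a known document is itself a finding worth a correcting entry. The reconciler still has to judge each matched line against the five requirements above; the script only establishes which lines agree and which need attention.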

As we work together to develop solutions that will help the University of Kentucky to overcome the financial challenges it now faces, outstanding financial stewardship is imperative, and consistent and timely reconciliations are an essential component. If your unit would benefit from some additional financial guidance, please contact University Financial Services or UKIA.

 

If you would like to receive news and information about current risks, fraud concerns and more, please subscribe to UKIA’s listserv by sending an e-mail to LISTSERV@lsv.uky.edu with the following text in the message body: subscribe INTERNALAUDIT-L.

Access Control

In the mid-1850s, at the Palace of Khorsabad in Iraq, archaeologists found a simple lock and key estimated to be about 4,000 years old. The lock used pins of different lengths to secure the door, and the owner used a key that pushed the pins out of the way, allowing entry. In this way valuables could be protected without constant monitoring. From our earliest beginnings, humans have tried to protect valuables from theft and destruction. In our modern age, as data itself became valuable and then digitized, the methods for guarding these valuables have changed, but the concepts have stayed the same.

 

Access Control

The most basic and necessary rule in information security is the “principle of least privilege,” which requires that each user have access only to the data and resources necessary to complete his or her job duties. In other words, don’t give a master key to a person who only needs access to one room. In information technology (IT), this principle is one aspect of the concept of “access control.” An access control is a physical or logical constraint placed on an entry point to data that prohibits or deters access, like a lock and key. Examples of physical access controls are mantrap doors, video cameras, alarm systems and electronic door locks. Examples of logical access controls include password policies, time-of-day restrictions, two-factor authentication and user permissions on a database.

At the University of Kentucky (UK), linkblue accounts are created for every employee, student, and external learner (persons affiliated with UK who may need some access to University systems). Once this account is created, it can be used to control access by setting up groups, database roles and account authentication for an application, with privileges broadening as the employee is assigned new tasks. As UK Internal Audit conducts IT audits at the University, it is common to come across deficits in these access controls, specifically logical access control in user account management.

 

The Risk

When employees leave the University or transfer jobs within the University, they likely would no longer need the access they had in their old position, but access may not be properly modified when they leave, which can lead to privilege misuse. In the 2018 Verizon Data Breach Investigations Report, it was found that 12 percent of breaches involved privilege misuse.[1] For example, an employee may use their access to review personnel or patient information which is out of the scope of their job.

 

Best Practices

When a user leaves the University, their account should be disabled. If they change jobs within the University, management should review their access and make the necessary changes. It is also important to note that access to some systems, including cloud services or local applications, may be managed with a local account rather than the linkblue account. Local accounts should be subject to a local password policy that enforces length and complexity requirements so that passwords cannot easily be guessed. The 2017 Verizon Data Breach Investigations Report found that stolen or weak passwords were involved in approximately 80 percent of hacking-related breaches.[2] Local accounts also need to be manually modified or disabled when a user changes jobs or leaves the University.

Another best practice for access control is to prohibit or restrict the use of shared accounts. A shared account prevents the identification of a specific user, which reduces the value of login records: if you cannot tell what an individual user is doing, there is more potential for misuse. Automatic de-provisioning, disabling application guest and default accounts, and monitoring administrative account activity are other access control strategies that should be employed.
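The account review that the two paragraphs above call for, as an added example. It is not UK’s provisioning tooling or any linkblue process: the HR roster and the application’s account export are constructed, the user ids merely imitate the linkblue id format, and the account-type labels and the 90-day staleness window are assumptions. Run against a real export, it would produce the list of accounts to disable (separated users), the list for management re-review (transferred users), the non-individual accounts that still work, and the accounts nobody has used in months.

```python
"""Periodic access review for an application's local accounts.

Added example, not UK's provisioning tooling. The HR roster and the account
list are constructed; user ids only imitate the linkblue id format. The
account-type labels and the 90-day staleness window are assumptions.
"""
from collections import defaultdict
from datetime import date

TODAY = date(2019, 6, 1)  # fixed so the example is reproducible offline

# Constructed HR roster: the authoritative source for who is employed where.
ROSTER = {
    "jdoe1":   {"status": "active",     "dept": "Pharmacy"},
    "asmith2": {"status": "terminated", "dept": "Finance"},
    "blee3":   {"status": "active",     "dept": "Registrar"},
    "cwong4":  {"status": "active",     "dept": "Library"},
}

# Constructed account list exported from an application that keeps its own
# local accounts rather than authenticating against the central directory.
ACCOUNTS = [
    {"user": "jdoe1", "type": "individual", "dept_at_grant": "Pharmacy",
     "enabled": True, "last_login": date(2019, 5, 28)},
    {"user": "asmith2", "type": "individual", "dept_at_grant": "Finance",
     "enabled": True, "last_login": date(2019, 4, 3)},
    {"user": "blee3", "type": "individual", "dept_at_grant": "Admissions",
     "enabled": True, "last_login": date(2019, 5, 30)},
    {"user": "cwong4", "type": "individual", "dept_at_grant": "Library",
     "enabled": True, "last_login": date(2019, 1, 15)},
    {"user": "frontdesk", "type": "shared", "dept_at_grant": "Registrar",
     "enabled": True, "last_login": date(2019, 5, 31)},
    {"user": "guest", "type": "guest", "dept_at_grant": None,
     "enabled": True, "last_login": None},
    {"user": "admin", "type": "default", "dept_at_grant": None,
     "enabled": False, "last_login": None},
]


def review_accounts(accounts, roster, today=TODAY, stale_days=90):
    """Return the actions a reviewer should take, keyed by finding type."""
    findings = defaultdict(list)
    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled; nothing to do
        if a["type"] in ("shared", "guest", "default"):
            # No individual accountability: disable, or justify in writing.
            findings["non_individual_enabled"].append(a["user"])
            continue
        person = roster.get(a["user"])
        if person is None or person["status"] != "active":
            # Separated, or unknown to HR: disable now.
            findings["disable_departed"].append(a["user"])
            continue
        if person["dept"] != a["dept_at_grant"]:
            # Transferred since access was granted: management re-review.
            findings["review_transferred"].append(a["user"])
        if a["last_login"] is None or (today - a["last_login"]).days > stale_days:
            # Access nobody uses is access nobody needs.
            findings["stale"].append(a["user"])
    return dict(findings)


if __name__ == "__main__":
    for finding, users in review_accounts(ACCOUNTS, ROSTER).items():
        print(finding, users)
```

The roster, not the application, decides who is still employed: an account whose owner HR no longer knows about is treated the same as a terminated one. Recording the department at the time access was granted is what makes the transfer check possible; without it the review can only catch departures.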

 

Policy and Procedure

One of the most effective ways to manage access control is through effective governance. Policies and procedures should be established and approved by management to ensure the implementation of adequate access controls, and practices should be monitored to make sure employees follow the policies and procedures. An access control policy and procedure should clearly outline the rules for access authorization, establishment, modification, and termination. It should describe deprovisioning steps during staff terminations and contain specifics relating to standard and high-risk terminations. It should include access criteria such as separation of duties, regular, guest and shared accounts, and document the resources to which staff can be assigned and the various access levels permitted. Once management approves the policy and procedures, it should then be communicated to the users, so they understand the importance of gaining access to only what they need to complete their job.

 

User account management is an essential aspect of logical access control. IT professionals across campus should be diligent in their efforts to manage users’ access through established best practices and effective policies, thus ensuring a more secure IT and University environment.

For more information about cybersecurity, or to schedule an IT consultation review in your unit, please contact UKIA at 859.257.3126.

 

If you would like to receive news and information about current risks, fraud concerns and more, please subscribe to UKIA’s listserv by sending an e-mail to LISTSERV@lsv.uky.edu with the following text in the message body: subscribe INTERNALAUDIT-L.

 

[1] Verizon, 2018 Data Breach Investigations Report. enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf

[2] Verizon, 2017 Data Breach Investigations Report (executive summary). www.knowbe4.com/hubfs/rp_DBIR_2017_Report_execsummary_en_xg.pdf

 

Ancillary Locations Extend UK's Reach - and Responsibilities

Established in 1865 as a land-grant institution, the University of Kentucky (UK) has always made serving the people of the Commonwealth of Kentucky its mission. Today, UK continues to expand its impact on the lives of Kentuckians through its extensive network of clinics, partnerships, and projects that are focused on healthcare, agriculture, education, and research services. In fact, these ancillary facilities bring the University of Kentucky – and its full range of resources – to all 120 Kentucky counties as they work to address issues of importance to all Kentuckians. These ancillary locations include:

 

  • UK HealthCare Clinics and Offices
  • Other Colleges and Universities
  • UK Affiliated Organizations
  • Cooperative Extension Services

 


In the process, Kentuckians are exposed to UK’s brand through their friends and neighbors who are hired by UK to work in these facilities and represent UK in their communities. As UK employees, they are expected to be good stewards of their respective resources – in accordance with UK policies and procedures – regardless of where they are located or how their office is funded.

 

Trending Concerns for Ancillary Locations

University of Kentucky Internal Audit (UKIA) conducts reviews as well as advisory consultations and provides units with expert analyses and advice to maximize effectiveness and efficiency and minimize risks to the University. These ancillary locations are no exception. UKIA works with all facilities to ensure that policies and procedures are appropriate and executed across the state. Some of the most commonly found concerns are within the following categories:

  1. Cash Handling Procedures
  2. Inventory Control Protocols
  3. Vendor and/or Contract Management
  4. Administrative Procedures
  5. Information Technology

 

While the same issues are found in many reviews conducted across campus, the distance of these ancillary locations from UK’s main campus makes it more difficult for the issues to be properly addressed and remedied.

Through its reviews, UKIA has noted that the employees in these affiliate organizations and/or remote locations often feel a dual-allegiance. Though UK employees, they see themselves first and foremost as active and essential members of their communities who desire to support local businesses through their work at UK. Moreover, their office’s distance and infrequent communication with UK’s main campus can cause the employees to feel disconnected from the University. Together, these conditions make it all the more important that employees of these ancillary locations align their practices with the University’s objectives and regulations.

 

Risk Mitigation Tips

UKIA understands that these units are sometimes small with limited personnel, yet the depth and complexity of their work make aligning with UK regulations more challenging. Additionally, access to subject matter experts, administrative expertise and other resources may be limited and information system capabilities may impede communication. To help overcome these challenges, UKIA notes three recommendations for each concern that are effective and workable in any size unit.

Cash Handling Procedures

As noted in many business journals, the number one indicator when it comes to occupational theft is access to cash. However, there are safeguards units can implement to reduce the opportunity of adverse cash events in ancillary locations and improve oversight. UKIA suggests these three critical activities:

  1. Accept alternate forms of payment to limit cash transactions.
  2. Create a checklist of the steps to complete transactions from point-of-sale to depositing.
  3. Create a database of subject matter experts so that employees know who to contact when a certain type of question or problem arises. These contacts can be on campus, at another location or even in another department.


Inventory Control Protocols

Properly managing inventory is one of the most critical – and challenging – processes for any unit. UKIA suggests the following, ensuring proper separation of duties for each:

  1. Develop instructions for defining and counting inventory at each respective location. As simple as this sounds, these necessary tasks provide critical guidance for a function that may not be done frequently.
  2. Define each task as it relates to the inventory function and ensure that all staff know who is responsible for each function.
  3. Perform regular reconciliations and obtain proper approvals for any adjustments.


Vendor and/or Contract Management

Remote locations may limit vendor availability, necessitating the creation of new vendor accounts. However, these vendors may not be able to meet all specifications or offer the best quality merchandise. Here are three suggestions:

  1. Work with UK Purchasing to establish an approved list of vendors for your area, as proximity can drive vendor availability.
  2. Document your RFP process.
  3. If a single source for services exists in your area and is being considered, the justification should be appropriately documented.


Administrative Procedures

In smaller units, as these ancillary units typically are, daily operational tasks must either be shared amongst the personnel or handled by a single person. These activities range from budgeting to office management, but ensuring proper guidance is difficult when the office’s remote location precludes daily oversight. UKIA has three simple suggestions to assist ancillary locations with this challenge:

  1. Create an administrative manual describing common fundamental activities shared throughout the office.
  2. Consider templates or procedural guides for infrequent administrative activities.
  3. Create a training program for critical regulations to ensure understanding and awareness. These regulations may vary by industry, but adherence to certain regulations is required across all industries. Critical regulations include the Fair Labor Standards Act regarding Nonexempt Overtime Compensation and HIPAA and FERPA regarding the handling of sensitive information.


Information Technology

Prompt IT support may be more challenging at ancillary locations. Consequently, critical information systems activities are managed on-site. However, the vendors, processes and continuity plans should be approved and monitored by the Central Office to ensure consistency throughout. UKIA recommends these three simple activities to assist:

  1. Create a list of all applications in use by each ancillary location. Although many serve the same general purpose, the location could determine application requirements.
  2. Verify employee access to these applications is appropriate for the employees’ individual roles. Through fieldwork, UKIA has determined that ancillary employees generally have close to full privileges to local applications. This access could create segregation of duty concerns when local access is linked to SAP or central office access.
  3. Establish a deprovisioning process to use as employees turn over, to help restrict both physical and logical access.
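One way a unit could mechanise the second and third recommendations, as an added example rather than any UKIA tool: a short Python review that runs over a constructed application list and staff roster and flags privileges in applications missing from the location's inventory, conflicting local/SAP privilege combinations, and accounts that still hold access after the employee has left. The application names, privilege strings and the conflict rule are assumptions made for the example.

```python
"""Access-review helper for an ancillary location's application list.

Added example, not UKIA's own tool. Applications, roles, employees and
the conflict rule below are constructed to illustrate the IT
recommendations above (application inventory, role-appropriate access,
deprovisioning on turnover); substitute the unit's real data.
"""
from dataclasses import dataclass, field

# Constructed inventory of applications in use at one location (rec. 1).
APPLICATIONS = {"LocalPOS", "LocalInventory", "SAP"}

# Constructed segregation-of-duties rule: privilege pairs one person
# should not hold together, e.g. administering local sales while
# approving the matching central (SAP) adjustments.
CONFLICTING_PAIRS = {
    frozenset({"LocalPOS:admin", "SAP:approve_adjustments"}),
    frozenset({"LocalInventory:adjust", "SAP:approve_adjustments"}),
}

@dataclass
class Employee:
    name: str
    active: bool                                   # False once employment ended
    privileges: set = field(default_factory=set)   # entries are "App:privilege"

def review_access(staff):
    """Return (employee, finding, detail) tuples for the three checks."""
    findings = []
    for e in staff:
        apps = {p.split(":")[0] for p in e.privileges}
        for app in sorted(apps - APPLICATIONS):          # not on the inventory
            findings.append((e.name, "unlisted_application", app))
        for pair in CONFLICTING_PAIRS:                   # SoD conflict
            if pair <= e.privileges:
                findings.append((e.name, "sod_conflict", "+".join(sorted(pair))))
        if not e.active and e.privileges:                # left, still has access
            findings.append((e.name, "not_deprovisioned", ",".join(sorted(e.privileges))))
    return findings

# Constructed sample roster for the location.
SAMPLE_STAFF = [
    Employee("cashier", True, {"LocalPOS:sell"}),
    Employee("site_manager", True,
             {"LocalPOS:admin", "LocalInventory:adjust", "SAP:approve_adjustments"}),
    Employee("former_clerk", False, {"LocalPOS:sell", "OldSpreadsheetTool:edit"}),
]

if __name__ == "__main__":
    for finding in review_access(SAMPLE_STAFF):
        print(*finding)
```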


Please note that it is the unit’s responsibility to implement appropriate procedures and establish protocols to reduce risks associated with the above common ancillary concerns.

If you would like UKIA to assist your unit through a review or consultation, visit https://www.uky.edu/internalaudit/contact or contact UKIA at 859.257.3126.


If you would like to receive news and information about current risks, fraud concerns and more, please subscribe to UKIA’s listserv by sending an e-mail to LISTSERV@lsv.uky.edu with the following text in the message body: subscribe INTERNALAUDIT-L.