In-house applications, which are software applications developed by an organization for its own internal use, are becoming more and more prevalent. UKIA’s clients say it is because they “can create it themselves for less” and that “any purchased product will have to be customized and is therefore a waste of time and money.

UK Internal Audit (UKIA) conducts information technology (IT) audits around the University and across the state. Through these reviews, UKIA has noted both advantages and disadvantages associated with developing in-house applications.

 

Advantages:

• Software can be written to operate using the organization’s business procedures, whereas third-party software often requires the organization to conform to business practices set by the application developer. These preset business practices may not serve the organization as well as the dependable procedures the organization has developed for itself.
• The expenses of in-house applications are controlled. The organization determines the priorities for the in-house software development, including flexible customization and phased functionality enhancements. Moreover, an organization using an in-house application won’t be beholden to vendor fee increases due to the expense associated with migrating to another product.

 

Disadvantages:

Conversely, building and maintaining an in-house application with proper information security can be a daunting and exhausting task. UKIA has uncovered a few key disadvantages with in-house applications which include, but are not limited to:

Business Continuity for in-house applications is often hindered by inadequate system documentation and back-up on a secondary server. UKIA has found departments facing problems with operational continuity of their in-house application due to the departure of the application developer and the critical design and information not being adequately documented. These systems can be hard to maintain, improve, and expand because there is a general lack of understanding of the system. The staff who were experts on the application may have left the department, and staff who entered the field after it became a "legacy" application never learned how to use it and have no documentation from which to learn. Additionally, if the in-house application runs on only antiquated hardware, the cost of maintaining the system may eventually outweigh the cost of replacing both the application and hardware unless some form of emulation or backward compatibility allows the software to run on new hardware.

Upgrades and Patches are necessary for in-house applications to keep current with operating systems and technology trends. Departments with in-house applications may find that current security patches are unavailable and cannot be applied. There can also be production configurations that cause security problems. These issues can put the application at risk of being compromised by attackers or knowledgeable insiders.

System Integration may pose issues for in-house application as developers often neglect to follow a comprehensive development methodology and do not factor in the possibility of future need for integration with other systems. Integration with newer systems may also be difficult because new software may use completely different technologies. Integration across technology is quite common in computing, but integration between newer technologies and substantially older ones is not common.

Security from an audit standpoint could be considered the most important risk factor of all. Hackers employ a variety of techniques to gain access to sensitive data, disable operations, and administer other malicious activities aimed at the information systems. However, many in-house application developers are so focused on functionality and features that information systems security is an afterthought. Time and again, this approach to information systems security has proven to be disastrous because vulnerabilities go undetected, allowing information systems to be attacked and damaged. Security should be considered in every step of the development process.

Most large organizations like the University of Kentucky have already installed antivirus applications, firewalls and Intrusion Detection Systems (IDSs) to protect their networks and host operating systems. However, in several of its IT reviews, UKIA has noted that in-house developed applications receive relatively little attention by the unit’s IT staff, who assume that they are protected by firewalls and other defenses at the network perimeter. Yet these in-house applications are the major reason organizations invest in IT in the first place, and the data they contain is often among the organization's most valuable assets. 

Though a critical component of a layered defense, firewalls cannot detect and stop the types of threats directed at in-house applications. Other widely deployed tools, intrusion detection systems, perform only passive monitoring and after-the-fact forensics rather than preventing attacks, which have moved to the information systems, circumventing network-based firewalls. Malware, such as worms, propagate so quickly that signature-based antivirus protection is useless and intrusion detection systems do not provide protection, only faster notification that your security has failed.   

Consequently, from UKIA’s perspective, if the creation and development of your In-house application is not properly planned, adequately documented and strategically focused, the likelihood of these disadvantages emerging is more likely than not.

We’ll go into more detail on specific in-house application vulnerabilities in a future edition of Reed’s Read. Meanwhile, for a review of your unit’s specific IT security risks, including an assessment of your in-house applications, contact UKIA at 859.257.3126.

If you would like to receive news and information about current risks, fraud concerns and more, please subscribe to UKIA’s listserv by sending an e-mail to LISTSERV@lsv.uky.edu with the following text in the message body: subscribe INTERNALAUDIT-L.

There are many benefits for a department of the University of Kentucky to institute an internship program, from the additional assistance and fresh perspective of the students to the opportunity for your staff to cultivate their leadership and organizational skills. But perhaps more rewarding is seeing the benefits such a program affords the students, such as the ability to put the skills they have been learning in class into action, acquiring valuable experience, and having the opportunity to expand their professional network. Some may even earn school credit, though it isn’t a requirement

UK Internal Audit (UKIA) has benefitted from its internship program so immensely that this year, it expanded its ten-year-old program to 10 interns, nearly doubling the size of its department during the spring semester. For the first time, the cohort of students was expanded outside of the audit profession to include cybersecurity, communications and risk analysis interns.

“Our division is thrilled to be part of our students’ overall educational experience,” explained Joe Reed, Chief Audit Executive with UKIA. “It is both precious and rewarding. We welcome the opportunity to balance classroom learning with its practical application.”

The students ranged from Accounting and Finance majors/double-majors to Business and Economics/Accounting and Information Communication Technology majors. Three earned class credit, one worked unpaid, and two teams of three students each worked with UKIA as a semester-long assignment for their 500-level Internal Audit class. Their assignments were equally varied and involved assisting with the following:

 

• Pre-planning research and analytics for a compliance audit.
• Identifying inventory process weaknesses and proposing improvement strategies for an inventory audit.
• Reviewing planning documents and participating in some interviews for an information security audit.
• Creating an access database to help UKIA track the access our staff members have to various databases across campus.
• Interviews and analysis of chief business process challenges in units of varying sizes for a joint project with University Financial Services and Purchasing.
• Communicating the results of follow-up audits.
• Categorizing information from various sources to help populate UKIA’s risk database.

“These are actual projects that provide the students invaluable experience while affording us some additional manpower to help us meet our goals,” said Reed. “The program has been a tremendous success for us.”

When asked about their experience, the students were also very complimentary. The student teams all noted how different the actual experience was from any of the case studies that they had worked on in class, and how valuable it was to put their skills to work in a professional setting. Second, the internships opened their eyes to new career opportunities they had not previously considered.

“As a University, we must remain steadfast in our focus on preparing our students for the utmost success in the future, even as we work to overcome operational challenges that accompany tighter budget restrictions, said Reed. “As UKIA’s interns clearly demonstrate, developing an internship program is one way we can successfully accomplish both.”

To develop an internship program for your department, contact the James W. Stuckert Career Center at ukcareercenter@uky.edu or 859-257-2746, or check out other internship job descriptions at https://www.uky.edu/careercenter/handshake.

A recent newspaper article reported that personnel at a SEC University were ratifying contracts without proper authority. This activity includes implementing and executing contractual obligations for the University. Unbeknownst to these departments, overpayments of $171K occurred.

Recent UKIA audit evaluations have identified similar weaknesses due to inappropriate contracting authority. In several instances, UKIA noted that the proper University officials were not involved in contracting activities. Such procedural gaps have resulted in the following:

• Violating Kentucky Revised Statues leading to fines and penalties

• Redundant services resulting in a waste of resources

• Higher pricing to the University

• Conflicts of interest

The University of Kentucky has stopgaps in place to ensure contracts are ratified appropriately. Unfortunately, when our departmental practices do not strategically align with our policies, opportunities for waste, fraud and abuse increase. In our current environment, which could be considered the ‘new normal,’ inappropriate practices such as these could have a tremendous impact on our ability to continually meet our mission.

The University has delegated the procurement function, including contracting, to the Purchasing Division. Departments requiring contract services should provide Purchasing with the following:

• complete information on the needs

• scopes and time frames

• special qualifications

• estimated costs

• source of funds

• any other information that may be available about requirements

UKIA can help you locate gaps in your processes that leave your unit vulnerable to inappropriate activities. Let us help you improve your operations BEFORE something happens. Call us at 257-3126, or check out UKIA’s services here. OR, if you just need some tools or training to make what you already have in place more efficient and effective, the UK Purchasing Division offers a number of resources here.