AuditNews


Produced by: Internal Audit (617) 552-8689

Save the Date…..

Wednesday, December 2, 2009

10-11:30

Fraud: A Guide to Protecting Yourself and Boston College

(Walsh Hall Function Room)

Fraud is a “hot” topic in today’s world, and it is not likely to fade any time soon. The challenge for us, as Boston College employees as well as in our personal lives, is taking preventative action so that it doesn't happen. In this interactive session, we focus on fraud issues, the appropriate actions to resolve each concern, and maintaining the University’s integrity.

Who Should Attend?

Anyone who wants to learn more about maintaining high professional and ethical standards in their work environment.

To register, email employee.development@bc.edu or call x28532.

The purpose of this newsletter is to provide the BC community with articles on good business practices, internal controls and responsibilities. Each issue will provide insights into internal control techniques. We have also included an “Ask the Auditor” section to give you an opportunity to obtain answers to specific questions. Additionally, we will provide information on recent items in the news.

We hope that by providing this array of information, we can help you implement effective controls in your area of operations.

Fall 2009

October is National Cyber Security Awareness Month

Contents

• Information Technology Controls
• Ask the Auditor
• Professional Standards and Business Conduct
• Tips for Preventing Identity Theft
• In the News…

National Cyber Security Awareness Month (NCSAM) has been conducted every October since 2001. It is a national public awareness campaign to encourage everyone to protect their computers and the nation’s critical cyber infrastructure. This year’s theme is “Our Shared Responsibility”.

As the Internet becomes pervasive, individuals are online from home, school, work, and in between on mobile devices. The economy and much of the everyday infrastructure we rely on use the Web. Ultimately, the cyber infrastructure is only as strong as its weakest link. No individual, business, or government entity is solely responsible for cyber security. Everyone has a role, and everyone needs to share the responsibility to secure their part of cyber space and the networks they use.

Read more at: http://www.staysafeonline.info/ncsam

Information Technology Controls

Internal Audit will be offering a one-hour presentation on Information Technology Controls in the upcoming semester. The seminar is available to all University employees who are interested in learning more about IT control topics, including:

• Password Control
• External Threats / Internet Safety
• Physical Security
• Backups
• Data Security
• Segregation of Duties

In addition to outlining best-practice IT control procedures, the seminar will identify the necessary Boston College policies and resources to ensure compliance with University regulations and identify the appropriate individuals for questions and concerns.

The training will be presented by the Assistant Director, IT Audit, and will also include audiovisual materials to supplement the presentation. Be on the lookout for the scheduled date and time, to be released by Human Resources.

Please contact Travis Looker at 2-4336 with any questions or comments.

See http://www.bc.edu/offices/audit/fraud/fraudprevent.html for more information on fraud prevention.

Ask the Auditor…

Whose role is it to prevent fraud?

It is important to distinguish between Internal Audit's role and University management's role concerning white-collar crime. Many individuals believe that frauds and other transgressions are only the concern of Internal Audit and Campus Police.

However, this is incorrect. University management is responsible for maintaining an adequate system of internal control by analyzing and testing controls. Internal Audit's role is to independently evaluate the adequacy of the existing system of internal control by analyzing and testing controls. We also perform fraud investigations and promote a positive control environment throughout the University.

What are some signs of fraud?

Be on the lookout for changes in human behavior or personal lifestyle changes. Other indications of fraud could include:

• alteration of documents
• duplicate payments
• journal entries without documentation
• failure of employees to take vacations
• significant increases or decreases in account balances
• products or services purchased in excess of needs
• missing documentation

It is important to recognize that as a Boston College employee, you have stewardship responsibility for safeguarding University assets under your purview.

What are some things that I can do to protect assets?

• review company contracts
• create periodic job rotation
• track unsuccessful attempts to access a computer
• encrypt data files and data transmissions
• maintain appropriate backup of files
• request an information system security review

Professional Standards and Business Conduct

Questionable accounting practices and allegations of financial fraud have recently dominated the headlines.

Good internal controls can provide Management with reasonable assurance that operations

• are efficient and effective
• have reliable financial reporting
• properly safeguard assets
• comply with laws and regulations

However, internal controls, no matter how well designed and operated, can provide only reasonable guarantees to Management that an organization is achieving its objectives. The likelihood of success is affected by limitations inherent in all internal control systems.

These include the realities that human judgment in decision-making can be faulty, persons responsible for establishing controls need to consider their relative costs and benefits, and breakdowns can occur because of human failures such as simple error or mistake.

Additionally, controls can be circumvented by collusion of two or more people.

Boston College has issued policies and procedures designed to provide guidance to employees concerning the employee code of conduct and business ethics issues. These policies and procedures should be thoroughly reviewed to ensure an understanding of the code of conduct required of Boston College employees.

Sound business practice requires that Boston College employees and students assume responsibility for safeguarding and preserving the assets and resources of the University, particularly those for which they are responsible.

In accordance with the University Professional Standards and Business Conduct Policy, each University employee is expected to report any instance of suspected ethical misconduct to the Internal Audit Department.

An anonymous Business Ethics Hotline (2-3194) has been established for employees and students to convey their concerns to Internal Audit. If you believe that fraud or ethical misconduct has occurred, you should contact the Business Ethics Hotline at extension 2-3194. The suspected abuses will be investigated and an examination of supporting documentation will be performed. If, based on our review, we conclude that there is reasonable evidence of exploitation, we will schedule an immediate audit.

This Business Ethics Hotline should not be used for technology abuses. The mission of Information Technology's Computer Policy and Security group is to create an environment in which the community's need to protect information is balanced with the community's need for privacy. Send an email to security@bc.edu if you:

• suspect or know that your computer/server has been or is being attacked.
• have received offensive or threatening email or voice mail.
• suspect that someone knows or is using your PIN or password for a Boston College system.
• are aware of software copyright violations here at Boston College.


To read more about Professional Standards and Business Conduct -- General Policy go to: http://www.bc.edu/offices/policies/meta-elements/pdf/policies/I/1-100-010.pdf

To read more about Professional Standards and Business Conduct -- Reporting of Fraud go to: http://www.bc.edu/offices/policies/meta-elements/pdf/policies/I/1-100-015.pdf

To read more about Professional Standards and Business Conduct -- Use of University Technological and Information Resources go to: http://www.bc.edu/offices/policies/meta-elements/pdf/policies/I/1-100-025.pdf


Tips for Preventing Identity Theft

• The next time you order checks, have only your initials (instead of first name) and last name put on them. If anyone takes your checkbook, they will not know if you sign your checks with just your initials or your first name, but your bank will know how you sign your checks.

• When you are writing checks to pay on your credit card accounts, DO NOT put the complete account number on the "For" line. Instead, just put the last four numbers. The credit card company knows the rest of the number, and anyone who might be handling your check as it passes through all the check processing channels won't have access to it.

• Put your work phone # on your checks instead of your home phone.

• Never have your SS# printed on your checks. You can add it if it is necessary. But if you have it printed, anyone can get it.

• Place the contents of your wallet on a photocopy machine and copy both sides of each license, credit card, etc. You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel if your wallet is stolen. If traveling, copy your passport. Keep all photocopies in a safe place.

• Only you should know your password. If anyone requests your password, even if they identify themselves as authorized to know this information, advise them that you are not permitted to provide your password and immediately advise your supervisor of this request.

In the News…..

According to an InformationWeek article dated August 19, 2009, identity theft malware (viruses, worms, Trojans, etc.) surged 600%. The article states, “In the first half of 2009, the number of computer users affected by malware engineered to steal personal information has risen by 600% compared to the January through June period in 2008, according to PandaLabs, part of computer security company Panda Security. In quantitative terms, Panda reports identifying 391,406 computers infected with identity-theft malware in the first six months of the year.”

Identity thieves are using new and varied malware to obtain sensitive information. In the past, thieves primarily used spoofing, especially of bank sites, to trick users into entering login information. Now these thieves are targeting a variety of services (PayPal, Amazon, etc.) where payment account information may be stored or entered. According to InformationWeek, the methods used to transmit identity theft malware have also varied. Email was the primary means of distributing malware. Now social sites have become a major focus of identity thieves.

Read more at: http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=219400767
