Handling Accountability Issues

March 26, 2008 by Thomas Neudenberger

Polk County School District is the eighth-largest in Florida and among the 40 largest in the United States. The district has nearly 95,000 students at almost 160 schools. It is also the largest employer in Polk County, with over 15,000 employees, more than half of whom are teachers. An operation of this size requires a tremendous number of financial transactions every day, transactions that are difficult to monitor and control.

Some years ago, a school secretary paid many of her personal bills from the school district’s accounts. The secretary would create fake requisitions and invoices for nonexistent vendors using PO boxes she had rented, and then forward the district’s checks to her debtors. Her setup was so perfect that she got away with it for several years. The fraud was discovered by accident, as it is in most cases, and luckily stopped. But the damage was done and could not be repaid.

Boosting salary 65 percent with overtime pay

In a more recent case, a school secretary at Daniel Jenkins Academy in Haines City used her data access to approve overtime for herself. Overtime of about 5–15 hours a year is the norm. When Polk school auditors ran a routine report on overtime pay, the secretary was at the top of the list with overtime of more than $22,000, which boosted her annual salary by about 65 percent. The secretary resigned under the threat of dismissal. But her boss, the school’s principal, was also roped into the affair. She faces a letter of reprimand for failing to supervise her assistant properly.

In individual schools, principals act as CEOs of their organizations. Their assistants have access to the principals’ SAP logons and passwords to do their work, a practice that is also fairly well established in the corporate world. Usually, approving payroll is a function limited to principals. But the secretary misused the trust that she had been granted. This incident raised a clear accountability issue for the school district, since it could not use its SAP solution to clearly track whether the principal or the assistant was actually responsible for the approvals.

The school is not alone in facing this challenge. Companies are used to protecting user profiles with passwords. They have been doing so since the first computers appeared in 1963. Yet most companies don’t realize that this factor is a key that opens the door to multimillion- and even multibillion-dollar fraud cases. This approach to security is based on the incorrect assumption that no one would ever use someone else’s user profile. But the security world knows that that is exactly what white-collar criminals do.

Internal fraud grows fast

Internal fraud is one of the fastest-growing crimes in North America. In 2006, a single incident averaged $159,000 in damages. Every fourth incident involved over $1 million, and nine cases exceeded $1 billion, according to Certified Fraud Examiners. It usually takes an average of 15 months to detect internal fraud, and it is normally detected and stopped only by internal whistleblowers, as in the case of the school district. Punishment is often very difficult. Many successful fraud cases are never even detected, because the thief is smart enough to stop in time.

To ensure clear accountability, companies must uniquely identify the actual user behind the user profile whenever someone uses an SAP application to execute critical tasks. Like most SAP customers, Polk County School District uses SAP software for most of its business processes, such as HR, payroll, finance, asset management, purchasing, warehousing, work orders, and projects. Accountability has always been a major concern, and password sharing was unfortunately a common practice, just as it is in many other companies.

In addition, user IDs and passwords were written down and posted on or near workstations at an alarming rate. It became a high priority for the school to come up with a solution that would help it fight internal fraud.

Accountability for each critical mouse click

To address the problem, the Polk County School District implemented bioLock, an SAP-certified biometric access control and fraud mitigation solution from SAP partner realtime North America Inc. The bioLock technology protects every transaction, field, InfoType, data element, and any task in the SAP solution completely independently of the SAP user profile by adding a “biometric door lock.”

Polk County School District decided to apply the lock to almost every important mouse click for HR or financial transactions, wire transfers, and purchase orders. Within the bioLock application, the district uses biometric templates to define who has access to a requisition release or payroll approval.

This approach offers clear accountability to Polk County School District. It did not need to protect every named SAP user in the organization with bioLock, just the ones that need to access its most critical tasks: the power users. Generally, only a few hundred users have to access what would be considered highly critical transactions. These users are protected with bioLock.
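A minimal model of the pattern described above, added here as an example and not bioLock's or the district's own code: the SAP session user and the biometrically verified actor are recorded separately, and a critical action is authorized on the verified actor rather than on the (possibly shared) logon. The person names, the byte-string "fingerprint" samples and the hash-based template derivation are constructed stand-ins for real biometric enrollment and matching.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed stand-in for biometric feature extraction: a real product matches a live
# fingerprint sample against an enrolled template; here a salted hash of a secret byte
# string plays that role.
SALT = b"constructed-salt"


def template(sample: bytes) -> bytes:
    """Derive a stored template from a presented sample."""
    return hashlib.sha256(SALT + sample).digest()


# Enrolled people (constructed names) -> stored template.
ENROLLED: Dict[str, bytes] = {
    "principal_ann": template(b"ann-fingerprint"),
    "assistant_bob": template(b"bob-fingerprint"),
}

# Critical actions are gated on the verified person, independent of the SAP logon in use.
APPROVERS: Dict[str, Set[str]] = {
    "payroll_approve": {"principal_ann"},
    "requisition_release": {"principal_ann"},
}


@dataclass
class AuditEntry:
    session_user: str              # SAP logon used for the session (may be shared)
    verified_actor: Optional[str]  # who the biometric check actually identified
    action: str
    allowed: bool


AUDIT: List[AuditEntry] = []


def identify(sample: bytes) -> Optional[str]:
    """Return the enrolled person whose template matches the sample, else None."""
    probe = template(sample)
    for person, stored in ENROLLED.items():
        if hmac.compare_digest(probe, stored):
            return person
    return None


def perform(session_user: str, action: str, sample: Optional[bytes] = None) -> bool:
    """Allow a gated action only for an enrolled approver; always log who really acted."""
    if action not in APPROVERS:
        return True  # not gated; ordinary SAP authorization applies
    actor = identify(sample) if sample is not None else None
    allowed = actor in APPROVERS[action]
    AUDIT.append(AuditEntry(session_user, actor, action, allowed))
    return allowed
```

The audit trail answers the question the district could not: when the principal's logon approved payroll, the entry shows whether the principal or the assistant was actually present.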

As recent studies have noted, 2007 will be remembered as the year of data breaches. The cases discovered in 2008 might well exceed that level. The Polk County School District has created an outstanding example for compliance efforts. Why believe that Scott can log on only as Scott? Millions of dollars spent on segregation of duties based on user roles are worthless if an intruder simply needs to use a different user profile to circumvent traditional approaches.
