Accountability In The Computer Environment

Office of Inspector General

INTERNATIONAL CONSORTIUM ON GOVERNMENTAL FINANCIAL MANAGEMENT

Information, Technology, Accountability


MARCH 22, 1999 Presented by Deputy Inspector General

Conducting Audits and Investigations in a Computer Environment?

USAID Is:
- U.S. Government's Principal Foreign Assistance Management Agency
- 94 Countries
- 2,200 Employees
- $7 Billion (1999)

USAID's Mission:
Contribute to U.S. national interests through the results it delivers by supporting the people of developing and transitional countries in their efforts to achieve enduring economic and social progress and to participate more fully in resolving the problems of their countries and the world.

USAID's Objectives:
- Economic Growth & Agricultural Development
- Democracy
- Education & Training
- Population & Health
- Environment
- Disaster Assistance

USAID's Methods of Operation

- Grants
- Contracts

Delivers through:
- Recipient Governments
- Private Voluntary Organizations
- Non-governmental Organizations

USAID's Office of Inspector General (OIG)

- Auditors: 126
- Investigators: 30
- Overseas Offices: 6

Office Locations
- Budapest
- Washington, D.C.
- San Salvador
- Dakar
- Cairo
- Manila
- Pretoria

OIG'S MISSION

To promote and preserve USAID's effectiveness, integrity and efficiency.

USAID's Accountable Resources

- Annual Program Funding: $7 billion
- Available Funds (pipeline): $9.7 billion
- Annual Operating Funds: $485 million
- Annual OIG funds: $30 million

Challenges to Accountability
- Many Missions, Projects, Locations, and Delivery Vehicles
- Cultural Differences
- Accounting and Legal Frameworks
- Increasing Reliance on Computers

Computer Challenges
- Today Most Records Are in the Computer
- Some Authorizations Do Not Leave Paper Trails
- Soon, Electronic Signatures Will Eliminate Most Paper Records

Computers Make Us Vulnerable in New Ways

- Mistakes Can Be Repeated Thousands of Times Each Day
- Controls May Not Be As Effective as Manual Processes
- Data and Money Subject to Remote Theft or Destruction
- Operations More Vulnerable to Disruption

Weak Systems Affect the U.S. Government's Ability to:

- Safeguard Assets from Fraud and Abuse
- Protect Sensitive Information from Disclosure
- Reliably Account for Resources
- Comply With Laws and Regulations
- Prevent Disruption of Critical Operations

Many Threats Exist

- Inside From Current Employees and Contractors
- Outside From Ex-employees
- Outside Contractors
- Hackers
- Organized Crime
- Terrorists and Espionage

Computer Security: Audits Found Problems With:

- Entity-wide security program (17 of 17)
- Access controls (23 out of 23)
- Application software (14 out of 18)
- Segregation of duties (16 out of 17)
- System software (9 out of 9)
- Service continuity (20 out of 20)

Computers Vulnerable to Attacks

Attackers have:
- shut down systems and networks
- corrupted sensitive data
- destroyed, modified, and stolen money, data, and software
- installed malicious code

Computers Vulnerable to Attacks (Cont.)

Carnegie-Mellon University reports that from 1991 through 1994:
- 500% increase in computer intrusions
- 700% increase in the number of sites affected

Types of Malicious Code

- Virus
- Trojan Horse
- Worm
- Logic Bomb
- Trap Door

Weak Computer Security Results In:

- Defense Department Faced About 250,000 Attacks in 1995
- Most Attacks Go Undetected
- FBI estimates computer fraud cost $136 million in 1997
- In One Case, 13,000 employees had access to sensitive medical and personnel data
- Stolen Personal Information Is Used to Steal People's Identity, Obtain Credit Cards and Driver's License

Good Planning and Management are Key to Strong Systems!!

Legislation = Best Practices:
- Manage as a Strategic Investment
- Improve Mission Results, Not Just Lower Costs
- Manage Risks
- Measure Progress Against Plan
- Deal With Problems Decisively

To Ensure Accountability, We Must be Able to:

- Audit Computerized Information
- Audit System Development and Operations
- Audit Security Issues
- Investigate Information in Computers

Auditing Computer Systems

- Computers Are Key to Improve Operations
- Specialized Area Requires Specialized Training
- CISA is Baseline Auditor Qualification
- Supplemented by Computer Specialists

Tools To Audit Computerized Data

- For Simple Systems We Use Auditors, Supplemented by Technical Staff Who Use Commercial Database Software (Access) to Analyze Informal Databases
- Use (Lotus Notes) for Narrative Information

Tools (Cont.)
- Special Software to Help Do Sophisticated Analysis
- Designed for Auditors--Simple and User Friendly
- Can Compare Multiple Databases
- Supports Audits and Investigations. Can Identify:
  - Ghost Employees
  - Duplicate Invoices
  - Payments to Employees

Tools (Cont.)
- Complex Computer Systems Require Technical Assistance
- We Use a Technical Assistance Group To:
  - Retrieve Data
  - Help Auditors Analyze Data
  - Provide Training, and Technical Help

Auditing System Development Practice

- Use CISA Auditors and Technical Staff
- Cover Requirements, Life Cycle Process, Documentation, Testing, and Implementation
- We Ask: Are Sound Practices Applied to Development?

Auditing Operational Systems

- Accounting, Budget, Procurement, Performance Systems
- Financial and CISA Auditor Background
- Supported by Technical Staff
- Accounting Standards, Internal Controls, and System Requirements
- We Ask: Do Systems Provide Reliable Data and Safeguard Resources?

Auditing Computer Security

- The Major Threat to Resources and Sensitive Data
- Work Closely With USAID Staff to:
  - Help Improve Security Program Operations
  - Identify and Correct Vulnerabilities
  - Ensure Security is Built Into New Systems

Investigating Computer Information

U.S. Codes Do Apply to Computer Fraud

THE END
THANK YOU
