The Idaho Press-Tribune and the Idaho Mountain Express report that someone with access to administrative computers in a Sun Valley, Idaho, fire station deleted electronic documents and stole physical documents typically used in forensic audits to detect financial wrongdoing shortly before a citywide audit was scheduled to begin. The city's mayor said it was an internal break-in and there was no evidence of external access. While it is unclear exactly what is missing, the documents include work-hour and payroll records for the fire department, which stored personnel and payroll records for many years and across different administrations. The city was in the process of moving records to city hall when the incident occurred. The city has copies of some, but not all, of the records.
While an investigation is ongoing in the case, auditors can benefit from considering several types of strategies to prevent, detect, or respond effectively to similar situations involving unauthorized access, modification, or deletion of official administrative records maintained in computer systems.
A fundamental requirement of an effective IT governance structure is a rigorous system of internal controls over the access and use of computer-based information systems by authorized users. Whenever such systems are being created, modified, moved, or replaced, auditors can help managers by assessing risks and the adequacy of the organization's IT governance structure, as well as its controls over system access, to help ensure that, for example, only a limited number of people or roles have authority to modify or delete records. This is also an important part of any solid fraud risk assessment and mitigation plan. Auditors should be familiar with relevant guidance contained in the recently updated COBIT 5 as well as The IIA's Global Audit Technology Guides.
A rigorous set of internal controls won't entirely prevent a determined, authorized individual from committing fraudulent acts. Therefore, auditors should consider tools that may be available to help address this risk. Large, decentralized organizations with varied business lines should consider implementing an automated file access monitoring and auditing system, which will help determine who is reading from and writing to important files as well as alert an appropriate overseer when a new file or folder is created, renamed, moved, or deleted. These systems also can identify specific but potentially important information, such as domain names of computers accessing sensitive administrative information. These systems often can be overlaid or integrated with an existing administrative system, whether stand-alone or server- or Web-based.
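The kind of review such a monitoring system performs can be shown with the following Python example, which is added here and is not taken from the article or from any monitoring product. It assumes a hypothetical CSV audit-log format (timestamp, user, host, action, path), a protected `/records/` folder, a 14-day pre-audit window, and a burst threshold of three events in ten minutes; all sample events, user names, and host names are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, host, action, path); not real data.
SAMPLE_LOG = """\
2024-01-05T10:00:00,bking,fs-admin-01.example.org,rename,/records/hours/2018/jan.csv
2024-03-01T09:12:00,jdoe,fs-admin-01.example.org,read,/records/payroll/2019/q1.xlsx
2024-03-10T22:41:05,asmith,fs-admin-02.example.org,delete,/records/payroll/2019/q1.xlsx
2024-03-10T22:41:40,asmith,fs-admin-02.example.org,delete,/records/payroll/2019/q2.xlsx
2024-03-10T22:42:10,asmith,fs-admin-02.example.org,delete,/records/hours/2019/march.csv
2024-03-11T08:05:00,jdoe,fs-admin-01.example.org,delete,/scratch/tmp.txt
"""

DESTRUCTIVE = {"delete", "rename", "move"}

def parse_events(text):
    """Parse CSV audit lines into dicts, oldest first, with datetime timestamps."""
    fields = ["ts", "user", "host", "action", "path"]
    events = [dict(zip(fields, row)) for row in csv.reader(io.StringIO(text)) if len(row) == 5]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def review(events, protected=("/records/",), audit_start=None,
           pre_audit_days=14, burst=3, burst_window=timedelta(minutes=10)):
    """Alert on destructive actions against protected records.

    An alert is 'high' if it falls in the run-up to a scheduled audit or is
    part of a burst by one user; otherwise it is 'medium'.
    """
    alerts, recent = [], defaultdict(list)
    for e in events:
        if e["action"] not in DESTRUCTIVE or not e["path"].startswith(protected):
            continue
        # Sliding window of this user's destructive events on protected paths.
        recent[e["user"]] = [t for t in recent[e["user"]] if e["ts"] - t <= burst_window] + [e["ts"]]
        reasons = []
        if audit_start and timedelta(0) <= audit_start - e["ts"] <= timedelta(days=pre_audit_days):
            reasons.append("pre-audit window")
        if len(recent[e["user"]]) >= burst:
            reasons.append("burst")
        alerts.append({**e, "severity": "high" if reasons else "medium", "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in review(parse_events(SAMPLE_LOG), audit_start=datetime(2024, 3, 18)):
        print(a["ts"].isoformat(), a["user"], a["host"], a["action"], a["path"], a["severity"], a["reasons"])
```

Each alert keeps the originating host name alongside the user, so an overseer can see which computer touched the records as well as who did.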
A business continuity plan also should be in place for public administration organizations, and a key part of such plans is a data recovery strategy that can be used after a disaster, an accident, a deliberate attack, or fraudulent activity.