Office of Auditor General - Audit Buzz, October 2020 Issue


Audit Buzz Newsletter

October 2020         


In this issue of Audit Buzz, we summarize the status of current engagements, including two audits presented at the October 14, 2020 Audit Committee meeting: (1) FY 2020 LSAF, and (2) Procurement and Contract Management, and provide an office update on OAG's first NASBA accredited training, “Understanding the Mindset of Fraudsters.” We also discuss Ransomware in this month's entry into the Knowledge Hive. Lastly, in honor of National Get Smart About Credit Day, we highlight FCPS Regulation 5350, which details the specific controls and procedures FCPS has implemented to reduce the risk that procurement cards are used for unintended purposes.

As always, we appreciate the cooperation and courtesies extended to our staff by FCPS management and staff during all past, current, and future audit engagements.


Engagement and Office Updates


Current Engagement Update

  • OAG is in the planning phase of both the Fidelity of Implementation of School Board Actions and the Hiring and Onboarding Practices audits.  These audits are being performed in accordance with the FY 2021 OAG Audit Plan.
  • OAG presented on the results of two audits at the October 14, 2020 Audit Committee meeting: (1) FY 2020 LSAF, and (2) Procurement and Contract Management.  Keep reading this issue of Audit Buzz to learn more about the two completed audits.
  • OAG has also been serving as the project liaison for a comprehensive program review of FCPS’ special education. We are still in the process of evaluating proposals to identify the best qualified vendor for the review, which is slated to kick-off in Fall 2020. Be on the lookout for more updates in the future.

FY 2020 Local School Activity Funds Audit

OAG presented the results of the FY20 School Activity Funds audit at the October 14, 2020 Audit Committee meeting.  This audit was performed in accordance with the FY 2020 OAG Audit Plan.

This audit focused on the school activity accounts for Fairfax County Public Schools (FCPS) from July 1, 2019 to June 30, 2020.  The school activity accounts were examined as of year-end at the 203 sites in the division. The primary objectives of the audit were to perform the following:

  1. Determine if cash balances were properly stated as of June 30, 2020.
  2. Determine the level of compliance with FCPS policies and procedures.

In OAG's opinion, the local school activity fund Statement of Cash Receipts and Disbursements presents fairly, in all material respects, the school activity funds cash balance as of June 30, 2020, and the recorded cash transactions for the year then ended using the cash basis of accounting, which is a comprehensive basis of accounting other than generally accepted accounting principles.

As it relates to the level of compliance with FCPS policies and procedures, OAG identified six observations.  Management concurred with each of the observations.

Click here to read the FY20 School Activity Funds audit report.

Click here to read the Observations Noted report. 


Procurement and Contract Management Audit

OAG presented the results of the Procurement and Contract Management audit at the October 14, 2020 Audit Committee meeting.  This audit was performed in accordance with the FY 2020 OAG Audit Plan.

This audit focused on the procurement and contract management of sole source contracts executed under the current version of Regulation 5012, Purchasing Goods and Non-Professional Services Using Appropriated and Non appropriated Funds, effective May 10, 2019. Therefore, the audit scope period was June 1, 2019, through December 31, 2019. The primary objectives of the audit were to perform the following:

  1. Evaluate if there is an adequate management control framework in place with respect to governance and internal control to effectively support contracting and procurement activities.
  2. Determine compliance with Virginia Public Procurement Act, Fairfax County Purchasing Resolution and FCPS Policies and Regulations.

Based on a trend analysis, OAG noted that the utilization of the sole source procurement method has been trending downward during recent fiscal years.  The number of newly awarded sole source contracts decreased by 79.25% and the active sole source contracts decreased by 28.04% from FY 2016 to FY 2019.  While OAG did not identify any findings, two audit observations were noted with management concurrence.

Click here to read the full Procurement and Contract Management audit report.


Fighting Fraud - Understanding the Mindset of Fraudsters

OAG delivered our first NASBA accredited training earlier this month, on the topic of “Understanding the Mindset of Fraudsters”.  With 20 participants, we presented on topics such as the profile of fraudsters, early warning signs of fraud, and the remediation strategies which can be put in place to reduce the likelihood and/or impact of fraud.

One class activity consisted of brainstorming words that come to mind when asked “When fraud comes to mind…?” While the end result, which can be seen below, is in the form of a cute birdie, if you look closely, the words which make up the bird are a little more worrying! This is a great example of how frauds are often committed by trusted individuals, who at first glance may be the ones least expected. Always remember, “Trust but verify.”

Fraud words arranged in the shape of a bird.

Image created at WordArt.com.

The National Registry of CPE Sponsors, under the National Association of State Boards of Accountancy, or NASBA, was created to help recognize Continuing Professional Education (CPE) program sponsors. As a sponsor, FCPS makes a commitment to meeting the highest CPE program standards. Professionals holding certifications such as Certified Public Accountant (CPA), Certified Internal Auditor (CIA), or Certified Fraud Examiner (CFE) are required to obtain CPE credits in order to maintain the certification status. Other professional standards, such as the GAO Yellowbook, also provide minimum CPE requirements for auditors. Going forward, OAG will continue to provide trainings to employees at no additional cost.

Be on the lookout for information on future OAG sponsored trainings.


Knowledge Hive


In this edition of the Knowledge Hive, we provide information on Ransomware, which is something that recently affected FCPS.  Read on to learn more about what ransomware is, how it can affect an organization, and some steps that can be taken to reduce the likelihood or impact of attacks.

21st Century Threats: What is Ransomware?

By Lorena Villarroel and Chris Elliott

As the world becomes more reliant on technology, the risks organizations face are consistently evolving and becoming more sophisticated. FCPS recently became the victim of a ransomware attack, which is a cyberattack designed to prevent users from accessing files, and in some cases, an attack which extracts and holds data hostage until a ransom is paid. These attacks are becoming more frequent and have expanded into many different industries, including governmental and educational entities. Cybersecurity Ventures, which publishes Cybercrime Magazine, predicts that ransomware will attack a business every 11 seconds by the end of 2021.

While the attack against FCPS did not result in any virtual learning delays, it was recently confirmed that the personal information of some students and employees may have been impacted.  According to a September 20, 2020 article published by Infosecurity Magazine, "FCPS is the 206th public sector entity in the US to be impacted by ransomware so far in 2020 and the 53rd school district."

In September alone, at least four other school districts across the U.S. were victimized by ransomware.  One ransomware attack interrupted both in-person and virtual learning in a large district by setting one of the district’s communications systems offline, requiring them to postpone classes. Another school district experienced a ransomware attack which disabled their servers and access to emails, leading to the cancellation of remote classes as students were told not to log on to the learning systems or use any district device. As is the case with FCPS, ransomware attacks can also target the personal information of staff and/or students, or other sensitive data.

Legacy systems and resource limitations have made school districts and other governmental entities susceptible to this form of cyberattack, but having adequate controls in place to reduce the likelihood of an attack or mitigate the significance of one can help to reduce the negative consequences of ransomware. According to the Center for Internet Security (CIS), some preventive measures include:

  • Performing regular system backups and ensuring that backups are stored off-site or out-of-band, using a backup strategy that allows multiple iterations of the backups to be saved and stored, in case the backups include encrypted or infected files, and routinely testing backups for data integrity.
  • Ensuring operating systems, applications, and software are regularly updated and patched.
  • Having adequate policies and procedures, including a response plan for suspected attacks.
  • Providing education to help users identify suspicious emails or links and ensuring that users are aware of the potential dangers of opening unsolicited emails.

Be smart about the links you click on, and if something does not look right or looks too good to be true, it may be a malicious attempt to infiltrate FCPS systems.


Did you Know?


National Get Smart About Credit Day

Today, October 15, is National Get Smart About Credit Day.

Procurement cards provide an efficient and effective method for purchasing goods and services; however, internal controls are needed to ensure that funds are used for their intended purposes. In order to mitigate risks associated with procurement cards, FCPS has Regulation 5350, Procurement Card Management. Regulation 5350 defines key procurement concepts, assigns divisionwide responsibilities, and provides specific procurement card procedures, or controls, related to:

  • Control and Custody of Procurement Cards
  • Preapproval of Purchase
  • Accounting for Procurement Card Transactions
  • Reconciliation
  • Disputes
  • Record Retention
  • Prohibited Use
  • Payment
  • Support

Regulation 5350 also provides notice of Audit and Compliance monitoring, performed internally by the Department of Financial Services, and by OAG and external auditors.

Just like in our personal lives, it is important that FCPS employees Get Smart About Credit by following the procurement card procedures developed by management.


Next Audit Committee Meeting

The next Audit Committee meeting is scheduled to occur virtually at 5:30 PM on November 11, 2020.

The agenda for the meeting will be available on BoardDocs prior to the meeting.


Fraud, Waste & Abuse Hotline:
(571) 423-1333 (anonymous voicemail)
InternalAudit@fcps.edu (email is not anonymous)