| Date: | 01/11/2024 |
|---|---|
| Referenced Sources: | Office of the Inspector General Advisories |
Off-boarding and strong banking controls can mitigate the risks of fraud, misappropriation and abuse of public assets.
The Massachusetts Office of the Inspector General (OIG) has a statutory mission under Chapter 12A of the Massachusetts General Laws to mitigate and prevent fraud, waste and abuse of public funds and assets at the state and municipal levels. Pursuant to this authority, the OIG is issuing this advisory recommending that public entities ensure that they adopt and implement strong banking controls to assist them in mitigating the risks of fraud and the misappropriation of assets.
Public entities’ failure to implement employee cybersecurity training, system access controls, and treasury/financial system controls allows those with fraudulent or nefarious intent to capitalize on such vulnerabilities and exploit public assets.
There are 104 public retirement boards in Massachusetts, which include municipal, county, state and specialty group retirement boards with varying portfolios, staffs and sophistication. Off-boarding and strong banking controls can mitigate the risks of fraud, misappropriation and abuse of public assets.
In February 2021, one or more bad actors gained access to the email account of the former executive director of one of the Commonwealth’s retirement boards. At the time of the executive director’s departure, that retirement board had no off-boarding procedures in place to (1) notify its leadership staff and vendors of the organizational change; (2) update the signatory lists on file with its financial institutions to prevent unauthorized transactions; and (3) close the executive director’s email account. Through these gaps in controls and a series of further missteps, the bad actors fraudulently transferred $3.5 million of pension fund assets to one or more unknown foreign bank accounts.[1] In addition, the retirement board’s failure to regularly review and reconcile its account statements allowed the fraud to go undetected for eight months, making recovery of the funds more complicated and less likely to succeed.
The Cybersecurity and Infrastructure Security Agency defines cybersecurity as “the art of protecting networks, devices and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity and availability of information.”[2] While no control, procedure or safeguard can eliminate all risk, the retirement board’s leadership and staff should have taken basic steps to reduce the risk of fraud and, equally important, to have controls in place that would detect such activity in a timely manner rather than months after the fact.
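The two detective controls the advisory singles out, keeping the bank's signatory list aligned with current staff and reconciling every statement transaction against the board's own approved-payment register, can be checked mechanically on each statement. The following is an added illustration, not code from the OIG or from any retirement board; the staff names, transaction IDs and amounts are constructed sample data, and the `Transfer` record, `APPROVED_REGISTER` and the function names are assumptions about how a board might structure its records.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Transfer:
    """One outgoing transfer as it appears on the bank statement (assumed shape)."""
    txn_id: str
    posted: date
    amount_usd: int
    beneficiary: str
    approved_by: str  # signatory the bank recorded as authorizing the payment


# --- Constructed sample data (hypothetical, not from the advisory) -----------
# People currently employed by the board, per HR / the off-boarding checklist.
ACTIVE_STAFF = {"treasurer.a", "director.b"}
# Signatories the bank still has on file; "former.ed" departed but was never removed.
BANK_SIGNATORIES = {"treasurer.a", "director.b", "former.ed"}
# Payments the board's own accounting system authorized: txn_id -> (memo, amount).
APPROVED_REGISTER = {
    "T-1001": ("Monthly pension payroll batch", 1_250_000),
    "T-1002": ("Custodian bank fee", 4_200),
}
# What the February statement actually shows.
STATEMENT = [
    Transfer("T-1001", date(2021, 2, 5), 1_250_000, "Payroll custodian", "treasurer.a"),
    Transfer("T-1002", date(2021, 2, 12), 4_200, "Custodian Bank", "director.b"),
    Transfer("T-1003", date(2021, 2, 19), 3_500_000, "Unknown foreign bank", "former.ed"),
]


def stale_signatories(bank_signatories, active_staff):
    """Off-boarding check: signatories the bank honors who are no longer staff."""
    return sorted(bank_signatories - active_staff)


def reconcile(statement, register, active_staff):
    """Statement reconciliation: map txn_id -> list of reasons it needs review.

    A transfer is flagged if the board never authorized it, if the amount differs
    from what was authorized, or if the approving signatory is not current staff.
    """
    findings = {}
    for t in statement:
        reasons = []
        entry = register.get(t.txn_id)
        if entry is None:
            reasons.append("no matching entry in the approved-payment register")
        elif entry[1] != t.amount_usd:
            reasons.append(f"amount {t.amount_usd} differs from approved {entry[1]}")
        if t.approved_by not in active_staff:
            reasons.append(f"approved by non-current signatory '{t.approved_by}'")
        if reasons:
            findings[t.txn_id] = reasons
    return findings


def detection_lag_days(statement, findings, review_date):
    """How long each flagged transfer sat unreviewed; monthly review keeps this small."""
    return {t.txn_id: (review_date - t.posted).days
            for t in statement if t.txn_id in findings}


if __name__ == "__main__":
    print("Signatories to remove at the bank:", stale_signatories(BANK_SIGNATORIES, ACTIVE_STAFF))
    flagged = reconcile(STATEMENT, APPROVED_REGISTER, ACTIVE_STAFF)
    for txn_id, reasons in flagged.items():
        print(txn_id, "->", "; ".join(reasons))
    print("Days unreviewed:", detection_lag_days(STATEMENT, flagged, date(2021, 3, 1)))
```

Run against the sample data, the signatory check names the departed executive director as still authorized at the bank, and the reconciliation flags only the $3.5 million transfer, for two independent reasons: no entry in the board's own register and an approval by someone no longer on staff. Either condition alone would have surfaced the transfer at the first monthly review rather than eight months later.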
The OIG strongly recommends that all retirement boards, state agencies and municipalities implement the controls described herein to lessen the risks of public funds being misappropriated.