TIAA Anti-Crime Specialists have been alerted to vulnerabilities in the management and disposal of assets. Employees of organisations are misappropriating IT equipment (laptops, mobile phones and iPads), which is then sold via both online selling platforms and physical shops.
Fraud in asset management typically involves exploitation of systemic vulnerabilities and inadequate oversight within organisational processes.
Cases have revealed that senior staff, often those with responsibility for asset management, placed bulk orders for IT equipment and arranged for delivery to a secondary organisational registered site or personal address. These assets were then misappropriated and sold via online selling platforms or through physical shops. The key weakness in these cases was that one person could order, approve and take delivery of the items with no oversight or checks being undertaken.
Additional vulnerabilities have been noted in relation to stock rooms, particularly those in basement or low-traffic areas with limited CCTV coverage and a high number of staff with access, and in inactive and unallocated devices that are often left enabled. Furthermore, the absence of a formal asset disposal policy allowed staff to take old or unused equipment home, potentially stripping it for parts or selling it online.
Prevention Advice
Policy and Governance
- Ensure a robust Asset Management Policy is in place. Review it annually, or following an incident, to ensure it remains fit for purpose.
- Enforce compliance with an Acceptable Use Policy to ensure all IT assets are used responsibly and appropriately to prevent unauthorised access, misuse and fraud.
- Develop a policy that outlines the circumstances under which assets may be delivered to personal addresses. This should include the approval process, recording requirements and the use of vetted courier services with tracking and delivery confirmation.
Asset Registers
- Develop and maintain comprehensive asset registers for all asset types and regularly monitor these registers to ensure accuracy and compliance, and identify assets no longer required.
- Assign IT assets to named individuals, with clear sign-in and sign-out procedures to ensure accountability and traceability.
- Investigate any IT equipment that has been inactive for 90 days or more. Ensure it is either disabled, reassigned or securely stored and take further action where necessary to prevent misuse, including the ability to wipe assets remotely if required.
- Ensure all asset access is disabled for staff who leave the organisation. This step should be formally included in the staff exit checklist.
Acquisition and Financial Controls
- Implement a process whereby senior staff with budgetary authority are subject to secondary authorisation for high-value or bulk purchases.
- Introduce clear segregation of duties for ordering, approving purchases, receiving goods, assigning assets, disposal and periodic reconciliations. This helps prevent individuals from exploiting gaps in oversight.
Storage, Access and Security
- Restrict access to stock rooms and asset management systems to essential staff only. Consider using appropriate access controls to track who has accessed the store and when. Maintain an access log and conduct periodic reviews.
- Avoid storing high-value equipment in low-traffic or isolated areas without appropriate security measures.
- Consider strong protections for devices and systems, such as BitLocker encryption, two-factor authentication, passwords or biometrics. Security markings can also be applied to assets to deter theft and assist in recovery.
Delivery and Disposal
- Conduct regular stocktakes and reconcile inventory with records to identify discrepancies early and take corrective action.
- Develop and enforce a formal asset and IT equipment disposal policy, including disposal of items with residual value (e.g. scrap metal). This should include secure data wiping, de-registration of assets and responsible disposal methods.
- Conduct regular audits of disposal processes to ensure compliance and prevent unauthorised removal and disposal.
Action Required
This fraud alert should be circulated to all relevant staff – Directors of Finance, Chief Executive Officers, Audit Committee Chairs, ICT managers, Asset Managers, and Heads of Procurement and Estates.
Organisations should consider a specific review to test the effectiveness of existing controls and the governance framework.
For further discussion, including investigation support and fraud awareness training, email: fraud@tiaa.co.uk