[read complete report - pdf]

Audit Objective

Determine whether the Watervliet City School District’s (District) Board and District officials ensured information technology (IT) assets and data were safeguarded.

Key Findings

The Board and District officials did not ensure the IT assets and data were safeguarded. Officials did not:

• Establish written procedures for managing, limiting and monitoring user accounts.
• Disable 72 unneeded network accounts in a timely manner.
• Monitor compliance with the acceptable computer use policy (AUP). As a result, 12 of 13 computers we tested accessed nonbusiness websites prohibited by the policy.

Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.

Key Recommendations

• Review network user accounts and permissions, and disable unnecessary accounts and unneeded permissions.
• Monitor employees’ Internet use to ensure compliance with the District’s AUP.

District officials generally agreed with our recommendations and have initiated, or indicated they planned to initiate, corrective action.