[read complete report - pdf]

Audit Objective

Determine whether Cornwall Central School District (District) officials established adequate internal controls over the District’s user accounts and software updates to help prevent unauthorized use, access and loss.

Key Findings

District officials did not establish adequate internal controls to safeguard the District’s user accounts. Specifically:

• Network user accounts were not adequately managed.
• Officials did not monitor compliance with the District’s Acceptable Use Policy (AUP).
• The Board did not adopt adequate information technology (IT) policies or a disaster recovery plan.

Sensitive IT control weaknesses, including issues related to software updates, were communicated confidentially to officials.

Key Recommendations

• Develop written procedures for managing system access that include periodically reviewing user access and disabling unnecessary network user accounts.
• Monitor Internet use to ensure employees comply with the AUP.
• Adopt comprehensive IT policies and a disaster recovery plan.

District officials generally agreed with our findings and indicated they plan to initiate corrective action.