The Afton Central School District (District) is governed by the Board of Education (Board) which comprises five elected members. The Board is responsible for the general management and control of the District’s financial and educational affairs. The Superintendent of Schools (Superintendent) is the chief executive officer of the District and is responsible, along with other administrative staff, for the day-to-day management of the District under the direction of the Board.

The Board is responsible for appointing a claims auditor in compliance with the State Education Department’s (SED) regulations. The claims auditor is responsible for auditing, and approving or disapproving all District claims for payment.

The District uses one networked¹ computer system, supported by seven servers located at the District, to process and store financial and non-financial data.² The financial data is stored on a separate and dedicated server. The Information Technology (IT) administrator, an employee of the Broome-Tioga Board of Cooperative Educational Services (BT BOCES), oversees the network system by contract between the District and the BT BOCES.

Scope and Objectives

The objective of our audit was to determine if internal controls over the claims auditor and computerized data and hardware were appropriately designed and operating effectively to safeguard District assets for the period July 1, 2005 through December 18, 2006. Our audit addressed the following related questions:

• Did the Board appoint a claims auditor in accordance with SED regulations?
  
  
• Did the Board establish comprehensive policies and procedures to safeguard computerized data and assets?

Audit Results

The Board did not appoint a claims auditor in accordance with SED regulations. The Board appointed the Vice President of the Board as the District’s claims auditor for the 2005-06 fiscal year. Subsequent to this appointment, the Board realized that a Board member cannot be the claims auditor. In June 2006, they rescinded the appointment of the Board member and then appointed an employee from the Delaware Chenango Madison Otsego Board of Cooperative Educational Services to serve as the District’s claims auditor. However, this arrangement is specifically prohibited by SED regulations.

The Board has not established comprehensive policies and procedures to sufficiently address the safeguarding of computerized data and assets. Specifically, formal policies and procedures relating to acceptable computer usage; addition, modification and deletion of user access rights; and remote access have not been adopted. Further, computer equipment is not physically secure and the Board has not developed a formal disaster recovery plan.

Comments of District Officials

The results of our audit and recommendations have been discussed with District officials and their comments, which appear in Appendix A, have been considered in preparing this report. Except as specified in Appendix A, District officials generally agreed with our recommendations and indicated they planned to initiate corrective action. Appendix B includes our comments on the issues raised in the District’s response letter.

_____________________________________

¹ A networked computer system is two or more computers connected together using a telecommunication system for the purpose of communicating and sharing resources.
² Non-financial data includes such items as student attendance records, grades, data generated by students and staff.