Gilboa-Conesville Central School District Internal Controls Over Computerized Data - Executive Summary

Background

The Gilboa-Conesville Central School District (District) is located in one town in Delaware County, three towns in Greene County and five towns in Schoharie County. The District is governed by the Board of Education (Board), which comprises five elected members. The Board is responsible for the general management and control of the District’s financial and educational affairs. The Superintendent of Schools (Superintendent) is the chief executive officer of the District and is responsible, along with other administrative staff, for the day-to-day management of the District under the direction of the Board.

There is one school building in operation within the District, which houses Kindergarten to Grade 12 students. The District employs approximately 100 people and has an enrollment of approximately 393 students. The District’s budgeted expenditures for the 2006-07 fiscal year are approximately $8.6 million, funded primarily with State aid, real property taxes and grants.

The Board has the responsibility to establish appropriate internal control policies and procedures to protect the assets of the District, including computerized data. The Board also has the responsibility to ensure that these policies and procedures are effectively implemented, monitored, and updated as necessary.

The District contracts with a company for the support of its computers and other related technology and equipment.¹ An employee of the company is at the District at least twice per week to maintain the District’s four servers and various software applications. According to District officials, the company maintains approximately 120 District-owned networked computers and 50 laptop computers. In addition to maintenance, the company provides recommendations on various technology products.

Objective

The objective of our audit was to determine if the Board had properly designed internal controls over computerized data and if these controls were operating effectively to adequately safeguard District assets. Our audit addressed the following related questions:

  • Did the Board establish comprehensive policies and procedures concerning access rights and computer usage to monitor and control access to computerized data and hardware?

  • Did the Board establish policies and procedures to ensure computerized data is physically secure and establish plans to prevent or help address potential disasters to equipment and data?

Scope and Methodology

Our overall goal was to assess the adequacy of the internal controls put in place by officials to safeguard District assets. To accomplish this, we performed an initial assessment of the internal controls so that we could design our audit to focus on those areas most at risk. Our initial assessment included evaluations of the following areas: cash receipts and disbursements, purchasing, payroll and personal services, capital assets and consumable inventories. Further, we reviewed the District’s internal controls and procedures over the computerized financial databases. Based on that evaluation, we determined that controls appeared to be adequate and limited risk existed in most of the financial areas we reviewed. We did determine that risk existed related to the security of computerized data and, therefore, we examined internal controls over computerized data for the period July 1, 2005 to November 20, 2006.

Our audit disclosed areas in need of improvement concerning information technology controls. Because of the sensitivity of this information, certain specific vulnerabilities are not discussed in this report but have been communicated to District officials so they could take corrective action.

We conducted our audit in accordance with generally accepted government auditing standards (GAGAS). More information on such standards and the methodology used in performing this audit is included in Appendix B of this report.

Comments of District Officials and Corrective Action

The results of our audit and recommendations have been discussed with District officials and their comments, which appear in Appendix A, have been considered in preparing this report. District officials generally agreed with our recommendations and indicated they planned to initiate corrective action.

The Board has the responsibility to initiate corrective action. Pursuant to Section 35 of the General Municipal Law, Section 2116-a (3)(c) of the Education Law and Section 170.12 of the Regulations of the Commissioner of Education, the Board must approve a corrective action plan that addresses the findings in this report, forward the plan to our office within 90 days, forward a copy of the plan to the Commissioner of Education and make the plan available for public review in the District Clerk’s office. For guidance in preparing the plan of action, the Board should refer to applicable sections in the publication issued by the Office of the State Comptroller entitled Local Government Management Guide.
____________________________________

¹ The support contract includes the following services to be provided by the company: cabling/networking support; server/desktop hardware support; firewall support; desktop software support; content filtering; printer/printing support; and accounting application support.
