Monticello Central School District Physical Controls for Information Technology - Introduction

Background

The Monticello Central School District (District) encompasses 191 square miles and is located in the Towns of Thompson, Forestburgh, Bethel, Fallsburg, and Mamakating in Sullivan County. The District is governed by the Board of Education (Board) which comprises nine elected members. The Board is responsible for the general management and control of the District’s financial and educational affairs. The Superintendent of Schools (Superintendent) is the chief executive officer of the District and is responsible, along with other administrative staff, for the day-to-day management of the District under the direction of the Board.

There are six schools in operation within the District, with approximately 3,600 students and 740 employees. The District’s budgeted expenditures for the 2005-06 fiscal year were $60 million, funded primarily with State aid, real property taxes, and grants.

District personnel use desktop and laptop computers that are networked together through assorted servers and switches. The servers and switches are stored in various rooms and closets throughout the District. District personnel use computers for the District’s day-to-day operations which include maintaining attendance and grading records and financial transactions.

Objective

The objective of our audit was to examine the adequacy of the District’s physical controls for information technology (IT).[1] Our audit addressed the following related question:

  • Did the Board take adequate steps to protect its IT infrastructure against potential physical damage?

Scope and Methodology

Our overall goal was to assess the adequacy of the internal controls put in place by officials to safeguard District assets. To accomplish this, we performed an initial assessment of the internal controls so that we could design our audit to focus on those areas most at risk. Our initial assessment included evaluations of the following areas: cash receipts and disbursements, purchasing, payroll and personal services, and IT systems. Based on that evaluation, we determined that controls appeared to be adequate and limited risk existed in most of the financial areas we reviewed. We did determine that risk existed in the area of IT. Therefore, we examined physical controls for IT for the period July 1, 2005 to April 27, 2007.

We conducted our audit in accordance with generally accepted government auditing standards (GAGAS). More information on such standards and the methodology used in performing this audit are included in Appendix B of this report.

Comments of District Officials and Corrective Action

The results of our audit and recommendations have been discussed with District officials and their comments, which appear in Appendix A, have been considered in preparing this report.

The Board has the responsibility to initiate corrective action. Pursuant to Section 35 of the General Municipal Law, Section 2116-a (3)(c) of the Education Law and Section 170.12 of the Regulations of the Commissioner of Education, the Board must approve a corrective action plan that addresses the findings in this report, forward the plan to our office within 90 days, forward a copy of the plan to the Commissioner of Education, and make the plan available for public review in the District Clerk’s office. For guidance in preparing the plan of action, the Board should refer to applicable sections in the publication issued by the Office of the State Comptroller entitled Local Government Management Guide.


[1] Information Technology can be defined as the development, installation, and implementation of computer systems and applications.

