Northville Central School District
Internal Controls Over Computer Data and Procurement Procedures

The Northville Central School District (District) is located in the Towns of Bleecker, Mayfield, and Northampton in Fulton County; Benson and Hope in Hamilton County; and Edinburg in Saratoga County. The District is governed by the Board of Education (Board) which comprises five elected members. The Board is responsible for the general management and control of the District’s financial and educational affairs. The Superintendent of Schools (Superintendent) is the chief executive officer of the District and is responsible, along with other administrative staff, for the day-to-day management of the District under the direction of the Board.

There is one school in operation within the District, with approximately 560 students and 115 employees. The District’s budgeted expenditures for the 2005-06 fiscal year were $8.2 million, funded primarily with State aid, real property taxes and grants.

Scope and Objective

The objective of our audit was to determine if the District has implemented proper internal controls related to its computer data and procurement procedures for the period July 1, 2005 to October 31, 2006. Our audit addressed the following related questions:

Audit Results

We found that the Board has not established and implemented effective controls to protect its computer systems and data from loss or unauthorized use. The District does not have a comprehensive computer data policy that adequately addresses all major areas of concern, such as physical and environmental safeguards and access controls. We also found that, while passwords are used, they do not inhibit unauthorized access because they are very basic and users do not have to change them. Further, the District does not adequately restrict access to its computerized financial system based on users’ duties and responsibilities, and the system does not produce an audit log to identify users who accessed the system and the transactions they processed. As a result, an unauthorized user could change data (e.g., pay rates or vendor information) and the activity could go undetected. Additionally, since the Board has not adopted a formal disaster recovery plan, District personnel have no guidelines to follow in the event of an emergency to minimize the loss of computer data or to implement data recovery procedures.

We also found that District officials did not adhere to the Board’s procurement policy that requires obtaining quotes for purchases not subject to formal competitive bidding procedures. We reviewed 55 purchases totaling $23,536 that required written or verbal quotes, based on the District’s purchasing policy, and found no evidence that District personnel had attempted to obtain quotes for any of them. Further, although the District has established a purchase order system, we found this system was bypassed through the use of confirming purchase orders. When purchase orders are processed after an order is placed or goods are received, there is an increased risk that inappropriate purchases will be made. The Board responded to the noncompliance we identified during this audit by revising the procurement policy and directing its enforcement. We commend District officials for their prompt corrective action.

We also examined a sample of 90 claims, totaling $208,252, paid during our audit period, to determine if they represented authorized and valid District expenses. Although we did not identify any material exceptions in the claims we reviewed, we recommend that District officials develop comprehensive guidance for the claims auditor and monitor claims payment activity to prevent the occurrence of future inappropriate payments.

Comments of District Officials

The results of our audit and recommendations have been discussed with District officials and their comments, which appear in Appendix A, have been considered in preparing this report. District officials generally agreed with our recommendations and have initiated, or indicated they planned to initiate, corrective action.