Portville Central School District

Internal Controls Over Selected Financial Activities - EXECUTIVE SUMMARY

The Portville Central School District (District) is governed by the Board of Education (Board) which comprises nine elected members. The Board is responsible for the general management and control of the District’s financial and educational affairs. The Superintendent of Schools (Superintendent) is the chief executive officer of the District and is responsible, along with other administrative staff, for the day-to-day management of the District under the direction of the Board.

The District uses a computerized financial system to perform the District’s accounting functions. The Board appointed a claims auditor whose employment commenced on January 17, 2006 to assume the Board’s powers and duties with regard to approving District claims for payment. The District entered into an inter-municipal agreement with 17 other school districts and the Cattaraugus-Allegany Board of Cooperative Educational Services (BOCES) to provide for the internal audit function beginning December 18, 2006.

Scope and Objective

The objective of our audit was to examine the internal controls over the District’s internal audit, claims processing and computerized data functions for the period July 1, 2005 to August 31, 2007. Our audit addressed the following related questions:

• Are internal controls over the District’s computerized data designed appropriately?
• Are internal controls over the District’s claims processing function designed appropriately and operating effectively?
• Has the District appropriately established the internal audit function?

Audit Results

The Board and District officials need to strengthen controls over the District’s computerized financial system. We found that users of the system had the ability to change the access rights of other District users, as well as change District accounting data, without supervisory approval. We also found that users were able to override the software’s application controls and allow purchase orders to be generated even if funds were not available. In addition, District management does not generate audit logs and they do not use any other means of determining who has accessed the system and what transactions were performed. Unless the District reduces these risks, and the Board monitors the implementation of enhanced controls, unauthorized users may be able to access applications and make unauthorized changes to data that are not detected. Finally, the District has not developed a formal disaster recovery plan for its information technology systems. As a result, there is a significant likelihood that, in the event of a disaster, critical information systems or data will not be available for District financial operations.

The District is not properly administering the claims processing function. We reviewed 50 claims totaling $188,532 for evidence of proper documentation and audit. We found one or more exceptions in 35 claims totaling $130,727. Exceptions included purchase orders dated after the date of purchase, insufficient itemization and lack of proper receipt confirmation. As a result, the District may be paying claims that are not for valid and appropriate District purposes.

The BOCES employee serving as the internal auditor is not independent in performing the internal audit function. This current arrangement is likely to put the BOCES employee in the position of evaluating significant District services or programs that are provided to the District by the BOCES, the individual’s employer.

Comments of District Officials

The results of our audit and recommendations have been discussed with District officials and their comments, which appear in Appendix A, have been considered in preparing this report. District officials generally agreed with our recommendations and indicated that they either have or plan to initiate corrective action.