Orange Ulster Board of Cooperative Educational Services – Nonstudent Network User Accounts (2022M-154)

Issued Date
January 27, 2023

[read complete report – pdf]

Audit Objective

Determine whether Orange Ulster Board of Cooperative Educational Services (BOCES) officials established adequate internal controls over nonstudent network user accounts to help prevent unauthorized use, access and loss.

Key Findings

BOCES officials did not establish adequate internal controls over network user accounts to help prevent unauthorized use, access and loss. In addition to sensitive information technology (IT) control weaknesses that were communicated confidentially to officials, we found BOCES officials did not:

  • Disable 20 unneeded nonstudent network user accounts that had last log-on dates ranging from January 5, 2017 to October 29, 2021.
  • Ensure all employees complete IT security awareness training.

Key Recommendations

  • Develop written procedures for granting, changing and disabling network user accounts.
  • Evaluate all network user accounts and ensure unneeded user accounts are disabled in a timely manner.
  • Develop a process to identify and follow up with employees who have not completed the required IT security awareness training.

BOCES officials agreed with our findings and indicated they plan to initiate corrective action.