Audit Objective

Determine whether Eastern Suffolk Board of Cooperative Educational Services (BOCES) officials managed user account access to the network and financial application.

Key Findings

Although BOCES officials restricted user account access to the financial application, they did not adequately manage user account access to the network. As a result, BOCES had an increased risk that the network could be accessed by unauthorized individuals. In addition to sensitive information technology (IT) control weaknesses that were confidentially communicated to BOCES officials, we found that officials did not:

• Disable 681 network user accounts (18 percent) that were not needed or logged in to for at least six months, including:
  • 165 student accounts,
  • 199 nonstudent accounts, and
  • 317 shared and service accounts.

Key Recommendations

• Periodically review all enabled network user accounts for necessity and disable unnecessary network user accounts in a timely manner.

BOCES officials agreed with our recommendation and indicated they plan to initiate corrective action.