[read complete report – pdf]

Audit Objective

Determine whether Discovery Charter School (School) officials ensured network and financial software access controls were adequate.

Key Findings

School officials did not ensure that network and financial software access controls were adequate. As a result, data and personal, private and sensitive information (PPSI) are at greater risk for unauthorized access, misuse, or loss. In addition to finding sensitive information technology (IT) control weaknesses, which we communicated confidentially to officials, we found that:

• Officials did not adopt adequate network and financial software policies, establish an IT contingency plan, or provide IT security awareness training.
• 18 percent of the School’s enabled nonstudent user accounts were not needed, which created additional entry points for someone to inappropriately access the School’s network.
• Two of the three financial software user accounts unnecessarily had full access, and three individuals unnecessarily shared access to a user account with administrative permissions. As a result, users could alter data and conceal inappropriate activity with limited ability for officials to trace the activity to a specific user.
• The IT service provider’s contract did not define responsibilities. This can contribute to confusion over network responsibilities, which could expose the School’s IT assets to risk for unauthorized access, misuse or loss.

Key Recommendations

• Properly manage network and financial software user accounts and establish adequate written policies for network and financial software access.

School officials agreed with our recommendations and indicated they will initiate corrective action.